Los Alamos data leaks due to 'gross mis-management'

Remember CREM? That's Classified Removable Electronic Media, CDs/USB sticks/Zip disks to you and me, which went missing from the highly secret US Los Alamos National Laboratory. This was attributed to 'administrative errors and the past pervasive use of low-density magnetic and desktop systems.'

Previously hard drives and 200+ computers went missing. The place is as leaky as a sieve and as well run as, well, the (UK) Child Support Agency comes to mind. At the time of the CREM loss management said it would do better and aimed to move to a CREM-less environment by 2010.

It didn't do better and in what is referred to as the Crem De Meth incident in the whistle-blowing letter, nuclear weapons data on a USB stick ended up in a meth drug dealer's house in October, 2006.

The drug dealer was a former employee of KSL, a subcontractor with a Los Alamos contract. How he could walk out of one of the world's most secure nuclear weapons laboratories with highly secret information on USB memory sticks is near unbelievable.

It emerged that police found three memory sticks containing 408 separate classified documents and an additional 456 hard-copy pages of classified documents, including some classified as Secret-National Security Information (pertaining to intelligence) and Secret-Restricted Data (pertaining to nuclear weapons). It was only by chance that the drug raid turned up these documents – proving that the Los Alamos cyber-security problem is far from solved.

In November 2006 Los Alamos management started injecting glue into computer USB ports to prevent USB stick use.

Staff revolt

In these days of post 9-11 and Homeland Security in the USA the fact of this happening was surprising. Now a group of current and former Los Alamos employees, with a cumulative 100 years of Los Alamos experience, have written an open but anonymous letter to Congress calling on it to investigate persistently incompetent and self-serving management. Notwithstanding legislated whistleblower protection in the USA the writers fear vengeful management action against the current employees amongst them.

The writers identify repeated expensive, wasteful and fruitless re-organisations, chronic under-staffing, cronyism, and the systematic elimination of technical safety and outside oversight staff. They criticise a pilot system that allows the contractor running Los Alamos to oversee itself. They have no confidence whatsoever that data leaks won't re-occur and call on Congress to initiate a full investigation of the Los Alamos management.

Speaking on behalf of the US Project on government oversight (POGO) executive director Danielle Brian said: “It was ludicrous to think that the same contractors who couldn’t manage the lab for years would suddenly be able to manage the lab. When employees who have more than 100 years of combined experience decide to ask Congress to look into the problems you know you’ve got a real mess on your hands. I hope Congress heeds the employees’ call.”

What this sorry episode shows is that removable media in the hands of staff can be a profound security risk. That includes notebook computers (pace Nationwide). If your organisation makes regular use of removable media then the security of said media needs to be ensured. Injecting glue into USB ports is a short-term measure and doesn't cover CD and notebook vulnerabilities. Security management needs to have a reliable and workable scheme in place that closes up the holes in identified sieves in a cost-effective way. Los Alamos management didn't and has obviously alienated its staff on whom it depends to get work done.

(Read the whistle-blowing letter.)