Testimony of C. Bruce Tarter, Lawrence Livermore National Lab, on Weaknesses in Classified Information Security Controls at DOE's Nuclear Weapons Laboratories

OPENING REMARKS

Mr. Chairman and members of the Committee, I am the Director of the Lawrence Livermore National Laboratory (LLNL). Our Laboratory was founded in 1952 as a nuclear weapons laboratory, and national security continues to be our central mission.

The specific events that prompted these hearings are most regrettable. However, I welcome the opportunity to report to you the progress we are making to increase security at our Laboratory. My statements before this Committee during the past year provide a record of the many specific actions we have taken in this area. And, in January 2000, our Laboratory was visited by three members of the Subcommittee-Chairman Upton, Vice Chairman Burr, and Representative Cox-to see our security measures first hand and to discuss issues with senior managers as well as working nuclear weapons specialists in their workplace. We were very grateful for that opportunity. These prior interactions and my testimony today focus on three points:

· Progress. In December 1999, Livermore's security programs received an overall Satisfactory (Green) rating from DOE's Office of Independent Oversight and Performance Assurance. Since the Los Alamos incident, we have been expeditiously implementing enhanced protection measures-those directed by DOE Secretary Richardson and those taken on our own initiative.

· Commitment. Our national security mission and safeguards and security are inextricably linked, and we take both obligations very seriously. I am ultimately accountable for the Laboratory's performance and have made very clear to all employees, who have been specially trained in security measures, their individual and collective responsibilities.

· Challenges. An extensive security and counterintelligence infrastructure is in place. However, we continually have to adjust to new security threats and challenges, and those arising from rapid changes in information technologies warrant particular attention and investment.

IMPROVEMENTS TO INCREASE CONFIDENCE IN SECURITY

A Satisfactory (Green) Security Performance Rating. Throughout 1999, we worked expeditiously to address all issues that arose in self-evaluations or resulted from the May 1999 inspection by the DOE Office of Independent Oversight and Performance Assurance. In particular, we took steps this past year to upgrade each leg of our security triad-physical security, cyber security, and personnel security (including counterintelligence). Actions included steps to improve:

· The protection of Special Nuclear Materials (SNM), by executing an action plan to analyze, document, performance test, and enhance the Laboratory's comprehensive protection strategy. We also made numerous physical and procedural upgrades and increased the size of our Special Response Team.

· Procedures for Materials Control and Accountability, by demonstrating the ability to consistently meet SNM measurement and inventory requirements and resolve inventory differences in a timely manner.

· The physical security and protection of classified matter, by addressing performance issues in several of our vault-type rooms (VTR), upgrading classified parts storage areas, replacing non-GSA-approved repositories, and installing additional barriers to segregate L-cleared employees from Q-clearance-only areas.

· Cyber security, by implementing scheduled steps in a Nine Point Action Plan to better protect both unclassified and classified computer systems. For example, the installation of a firewall between the open and restricted portions of the unclassified network has increased protection against outsider threats. For the classified system, which is not connected to the outside world except through NSA-approved encryption, steps were taken to protect against "insider" threats: ensured physical incompatibility of removable media between classified and unclassified systems, logged access to centralized weapons data bases, rigorous new procedures for the transfer of unclassified data from classified computers, and additional internal firewalls to enforce stringent need-to-know separations.

· Counterintelligence, by adding staff to a Counterintelligence Program at Livermore that was established in 1986 and has been well integrated into the U.S. counterintelligence community for many years. Polygraph testing of identified classes of employees has also begun and we are committed to completing the necessary testing.

· Employee security awareness and training, through a comprehensive security awareness program that exceeds DOE mandatory requirements. In addition, all Laboratory staff participated in two two-day stand-downs of activity in 1999 for intensive training and to review their individual and collective responsibilities.

As an outgrowth of these efforts, we received an overall Satisfactory (Green) rating from the Office of Independent Oversight and Performance Assurance in their Follow-up Inspection in December 1999. We continue to make upgrades to strengthen all aspects of security, address identified issues-such as those that arose because of the Los Alamos incident-and deal with any perceived weaknesses.

LLNL Actions Following the Los Alamos Incident. Lawrence Livermore personnel also support emergency response activities such as the Nuclear Emergency Search Team (NEST). In conjunction with this responsibility, the Laboratory has classified hard drives and computers that are taken to the field to complete assignments as requested by DOE. Livermore officials were made aware of the security incident at Los Alamos as soon as their top management was informed. We conducted our own, parallel review at Livermore to assure that our emergency-response assets had not been compromised. All NEST data stored at the Laboratory was and is accounted for.

Beyond NEST, the incident raised broader issues about access to vaults and portable, highly-concentrated collections of sensitive data at Livermore. A working group was immediately chartered to review the Laboratory's classified data holdings, identify the locations of especially sensitive and portable collections of high concentrations of data, and recommend appropriate procedures to provide additional protection. This review has been completed and found that we were compliant with DOE requirements. Nonetheless, enhanced chain-of-custody controls and access procedures have been implemented at the identified locations.

Access control to vaults and vault-type rooms (VTR) at the Laboratory is managed in accordance with current DOE requirements. An access control list is maintained for each, and an area custodian uses the list to determine who may enter without an escort. We are upgrading our vault-access verification procedures in accordance with the Enhanced Protection Measures directed by DOE Secretary Richardson on 19 June 2000. In addition, the Laboratory has instituted a working group to address the effectiveness of our vault and VTR operations and management. They are in the process of identifying additional protection measures beyond those required by DOE that can further enhance security.

A Review of Classified Matter Protection and Control Procedures. Following the Los Alamos incident, the DOE Office of Independent Oversight and Performance Assurance conducted a review of the effectiveness of Classified Matter Protection and Control (CMPC) procedures at the Laboratory. The review focused on the protection of the most sensitive classified assets-weapons design information and use control information-within the Defense and Nuclear Technologies Directorate and Top Secret information. Key aspects of protection, including information generation, storage, marking, destruction, and control of access, were examined. Particular attention was devoted to the role of Laboratory management in ensuring that DOE policies related to control of classified matter are established and implemented.

The review was conducted from June 19 through June 21, 2000, and the results-as summarized in the draft report-were satisfactory. Particular mention is made of strong management attention to issues, including a proactive approach to emerging needs to enhance protection, attention to training programs, inclusion of security considerations in personnel performance evaluations, and pursuit of an enhanced security self-assessment program.

AN INSTITUTIONAL COMMITMENT TO SECURITY

Security and Science. Security and science are both central to Livermore's purpose and its operations. They are tightly coupled in our programmatic activities, and we are deeply committed to both. Through the Stockpile Stewardship Program, we further national security by applying advances in science and technology to maintain the nation's nuclear stockpile in the absence of nuclear testing. With less than 2% of the world's research and development being conducted at DOE national laboratories, many of the scientific advances that we adapt and apply to national security problems are made elsewhere. Hence, we interact with the broad science and technology community to be cognizant of major advances and to acquire needed special expertise. We also engage foreign nationals as part of our national security mission through participation in international efforts to prevent the spread of nuclear weapons, materials, and know-how.

Accomplishing our mission depends critically on these external interactions, and we must manage them in a way that protects sensitive information. It is a challenge, but not the "clash of cultures" that is so often portrayed. Since the Laboratory's founding, both security and science have been central to our "culture." The staff at Livermore take great pride in their scientific and technical accomplishments. They are also attracted to the Laboratory and are motivated by the opportunity to serve the nation. Few groups of people in the world are more painfully aware than Livermore employees what the loss of nuclear weapons secrets means to the security of the nation. Few groups are more concerned about the impact of the diffusion of information on proliferation. Few have been more at the forefront of initiatives to limit the spread of weapons of mass destruction and to develop capabilities to prepare the nation to deal with the threat of their use.

Security is not just our business, it is part of the way we operate, but so are outside technical interactions. Security and science are not incompatible objectives, but they require threat awareness, proper training, and vigilance.

Security Awareness and Training. As I have said, I am ultimately accountable for the Laboratory's security performance, and our success depends on the vigilance of everyone-from senior managers to individual employees. Increased vigilance is evidenced by a three-fold reduction in the number of security infractions that have occurred over the past year. All Livermore workers are aware of the "zero tolerance" policy for security violations that place nuclear secrets at risk. They rely on a comprehensive Safeguards and Security Awareness Program at the Laboratory to understand their responsibilities, proper procedures, and best practices. In addition to a series of DOE mandatory briefings-many of which are annual requirements-the Laboratory offers nearly a dozen additional programs, some of which train people for specialized security responsibilities. Each year, all employees are required to complete security refresher training, and those that do not or fail the follow-on test have their clearance suspended or lose it.

As an example of training, regardless of previous assignment, employees joining the Defense and Nuclear Technologies Directorate are required to be thoroughly instructed as to their responsibility for protecting classified matter as well as specific procedures used within the program to generate, use, store, transmit, and destroy classified material. Significant additional training is required for classified-document administrative specialists and custodians.

Laboratory-Wide Implementation of Security into Day-to-Day Activities. Our institutional commitment to security is reflected in the way that we centralize authority for key functions while distributing responsibilities for execution. For example, we established in 1991 a Classified Document Project Office (CDPO) to provide Laboratory-wide programmatic direction and oversight of classified document protection and control. Interfacing with all levels of Laboratory management, the CDPO ensures development of protection and control procedures, develops and implements training activities, performs self-assessments, and manages the Livermore Administrative Document System (LADS). LADS is a centralized computer system that provides modified accountability (tracking access to material rather than specific pieces of paper) for all classified documents at the Laboratory except those that are in Special Access Programs or are in Sensitive Compartmented Information Facilities, which have additional restrictive controls.

In the area of cyber security, the Laboratory has a Chief Information Officer (CIO). The CIO leads a Laboratory-wide Computer Security Council that reviews the Computer Security Program and approves computer security policies. Program products include policies and guidelines that locally implement DOE's Computer and Telecommunications Security Orders, templates to assist the development of system-specific security plans, and checklists and testing guidelines to support certification of classified computer systems. In addition, an individual in each directorate serves as the central point of contact for cyber security. These Directorate Cyber Security Officers, who meet regularly with the Computer Security Program, oversee and ensure uniformity of Cyber and Telecommunications Security implementation. This system of Cyber Security Officers has been in place for the last six years.

University of California Actions to Enhance Security. As the Laboratory has developed and continues to develop plans for and implemented changes to enhance confidence in security, we depend on outside review to help surface the best ideas and provide quality assurance. We have benefited considerably from the efforts of the University of California Office of the President. In addition to hiring a security expert, retired Air Force Colonel Terry Owens, to serve as UC Director for Safeguards and Security, the University formed a Laboratory Security Panel of the UC President's Council. It was able to attract highly respected counterintelligence and security experts to participate. The panel, chaired by retired Rear Admiral Thomas A. Brooks III, is helping us to identify potential security weaknesses and develop improvements. Just last April the panel conducted a high-level review of our computer security program.

The University's commitment to work with the DOE to improve security at the two laboratories is further demonstrated by the specific actions UC has taken since the Los Alamos incident. In addition, since early this year, UC and representatives from the laboratories have been pursuing an initiative to develop and implement an Integrated Safeguards and Security Management System (ISSM) at� both Livermore and Los Alamos national laboratories. This system, when in operation, will fully integrate security awareness, the principles of sound security practices, and the needed tools into the day-to-day performance of individuals and institutional activities.

CHALLENGES IN THE CONTROL OF CLASSIFIED INFORMATION

Accountability of Classified Materials. Accountability requirements for classified restricted data documents go back to the days of the Atomic Energy Commission. At first, these requirements included tracking and keeping precise inventory of specific pieces of paper by document and copy number. As copying machines multiplied the number of documents and copies, the inventory requirement was dropped in the late 1970's and then reinstated in the late 1980's. With changing missions and decreasing budgets, DOE aligned with the requirements of the NISPOM (National Industrial Security Program Operating Manual) and moved away from full accountability in 1992. Basically, it was concluded total accountability does not necessarily translate into total control and effective protection of the material in an age of copying machines and FAX machines. An unfortunate consequence of the change is that it created an overall environment in which the formality of handling classified information has been reduced.

In some areas-the handling of Top Secret documents and Sigma 14 and 15 weapons data-Livermore has continued to follow more stringent than DOE-required control procedures. Greater accountability and control of such materials system-wide may be warranted. Major concerns also arise because of the revolutionary changes that have occurred in information technologies. Accountability of pieces of paper is a far different issue than accountability of hard drives that can hold Gigabytes of data, roughly a thousand times more than the main memory of the Cray-1 computer, the Laboratory's most capable machine in the late 1970s. As recent events make it very clear, we need to enhance controls over and the accountability of portable, highly-concentrated collections of sensitive data. We are taking steps to do so.

The Need for Investments. Security upgrades do not come without cost. For example, at Livermore, resources devoted to our Computer Security Program increased from $1.3 million two years ago to $18.4 million this year. To implement the cyber security upgrades that we are expected to complete over the coming year without seriously eroding programmatic work, additional funds-beyond what was in the President's budget request-are needed. This is a DOE Defense Programs complex-wide issue that merits serious attention. Adequate funding must be complemented by a consistent set of policies and thoroughly vetted planning to make certain that costs and benefits are carefully weighed as we deliberate about new directives and revised procedures.

CLOSING REMARKS

I appreciate the opportunity to address the Committee on our efforts to increase security at our Laboratory and to enhance the control of classified information based on the painful lessons learned from the recent security incident at Los Alamos. As I have stressed, secure operations are vitally important to Livermore-they underpin all our research and development activities and protect some of our nation's most closely held secrets. We continue to upgrade physical security, cyber security, and our counterintelligence program to strengthen these areas, address new threats and concerns, and deal with any perceived weaknesses. Our efforts are made more challenging by rapid changes in information technologies and would benefit from an infusion of new investments-particularly directed at cyber security.

FAS | Government Secrecy | Congress ||| Index | Search | Join FAS

FAS | Government Secrecy | Congress ||| Index | Search | Join FAS