The security contractor for Los Alamos National Laboratory sent sensitive information on nuclear materials over open, unsecured e-mail networks in January—a security failing ranked among the top of serious threats against national security interests or critical Department of Energy assets.
Several Los Alamos National Security officials apparently used open e-mail networks to share classified information pertaining to nuclear material in nuclear weapons on Jan. 19.
The incident was considered so serious that a senior departmental official was notified in the midst of a White House event.
The security infraction is rated IMI-1 (Impact Measurement Index 1), designating it not only as a "most serious" threat but also as reportable. But, on top of the security infraction, the National Nuclear Security Administration failed to inform the House Committee on Energy and Commerce. A source recently told eWEEK that the NNSA was constrained in talking about the incident because the material in question is classified.
Rep. John Dingell (D-Mich.), the committee chairman, sent a letter (PDF download) to Samuel Bodman, secretary of the U.S. Department of Energy, on June 14. In the letter, the clearly irked Dingell requested the details of this and other security incidents, and an explanation for why the NNSA failed to inform the committee during either of two hearings—on Jan. 30 and April 20—that reviewed ongoing security mismanagement at Los Alamos National Laboratory.
In fact, the committee was informed of the security incident from sources outside of NNSA, Dingell said in his letter. The committee had already been investigating the loss of 1,500 pages of classified documents discovered in October 2006.
On Oct. 17, while searching a trailer for drugs after responding to a domestic disturbance call, police recovered three USB thumb drives that supposedly contained nuclear data. The trailer belonged to a former subcontractor at the lab.
Later that month, Los Alamos tightened security procedures. A long list of those tighter procedures included instructions to ensure that the ability to download classified materials to unauthorized devices has been physically disabled to prohibit the use of unauthorized memory devices—iPod and other MP3 players, camera cards, FireWire, and other USB devices—in mixed media environments, and personally review cyber-security plans for work areas.
After the January e-mail incident was discovered, NNSA worked through Lawrence Livermore Labs to identify, recover and sanitize laptops and hardware used in the insecure communications.
Secretary of Energy Samuel Bodman on June 15 responded to the Committees letter about the January e-mail incident, confirming the use of unsecured e-mail to transmit sensitive information, but saying that he couldnt give out much more information than the barebones facts that the Committee has already disclosed.
Bodman did, however, call the incident a result of human error as opposed to a security system glitch.
"The incident was immediately recognized and reported, fully investigated and the responsible officials have reported that appropriate measures have been taken to address the situation," he wrote in the letter.
"While serious, the incident in question was the result of human error, not a failure of security systems. The Department makes every effort to minimize inadvertent human error, but we recognize that such errors may occur from time to time. Therefore, we have a robust system in place to report and investigate potential violations. In my opinion, this is a circumstance where those systems worked well."
The Los Alamos security group, as required by the NNSA, launched an investigation into the incident. It completed the investigation May 18.
The Committee on Energy and Commerce referred an inquiry to a committee on telecommunications, which had not yet responded by the time this article was posted.
Editors Note: This story was updated to include material from the DoEs response to the House Committee on Energy and Commerce and, based on information from an anonymous source, to correct the impression given by Dingells letter that the handling of nuclear information via e-mail was rated as being of the highest possible security concerns. The NNSA has levels within levels of threat ranking, the source said, and this incident was not at the very top of those levels.
Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.