Shielding secrets in a Cyber Age
Los Alamos security leak suggests that US may have to return to old- fashioned tactics.
WASHINGTON — Keeping secrets in a cyber world could challenge even a superspy like James Bond.
In today's computer age, many of the nation's top secrets about nuclear warheads can be squeezed into a pocket-size memory device like the one lost recently at the Los Alamos National Laboratory.
Congress is asking, "What's to be done?"
One possible answer: Go back to some old-fashioned methods, like requiring nuclear scientists to check out classified computer equipment much as you would check out a book at your local library. Even such simple security measures are often met with resistance, however.
"I think over time our government's going to have to change the way they look at classified information in the cyber world," says Gen. Eugene Habiger, director of security at the Department of Energy that oversees the nation's three nuclear labs.
Yet last December, the Department of Defense rebuffed a plan by the Energy Department to strengthen nuclear weapons security by upgrading some information to "top secret."
Had the plan been implemented, it's almost certain the two hard drives that were recently lost at Los Alamos would have been upgraded to the top-secret category. That would have required that there be records of who took the hard drives, and when. Without that classification, 26 lab employees had unregulated access to the vault where the hard drives were kept.
According to a Department of Defense letter sent to Mr. Habiger, the Pentagon shelved the DOE plan - known as the "higher fences initiative" - for reasons of cost and practicality.
Steven Aftergood, who directs the Project for Government Secrecy at the Federation of American Scientists, says: "The DOE has not been entirely derelict. They realize that there are some things that need to be protected with greater vigor and that effort has been frustrated, largely by the Pentagon."
Will you sign in, please?
At a Senate hearing this week, officials from the Energy Department and the Los Alamos lab were queried about why there is no sign-out, sign-in system for dealing with highly sensitive equipment like the hard drives.
John Browne, the director of the lab, cited the history of information classification. At the end of the Bush administration, he said, the idea was proposed to no longer track and account for information classified as "secret restricted data" - the second of three government classifications. The most limited is "top secret," the least restrictive "classified."
Under the proposal, access to secret information would still be restricted to people with the proper clearances, but you would no longer have to identify and track documents with a serial number. The upshot is that these documents became easily transportable.
The lab originally fought the idea, which was carried out by the Clinton administration, but finally implemented it in 1993. Because the missing hard drives are classified as secret restricted data, there was no sign-in requirement. They were, however, stored in a vault in a restricted area subject to passwords and other clearances.
"Throughout the government, secret data is no longer accounted for in this country, period. I don't care what agency you go into, there is no accountability for secret data," Mr. Browne said.
But many question why the lab didn't do more than was required - come up with its own internal accountability system if it objected to the change. Stanley Busboom, director of security at Los Alamos, says the lab was responding to a new era of openness about classified information.
"The way it was posed was an openness initiative," he says. "In fact, if you go back, you'll find a lot of parallel discussion over classification. Too many secrets."
Another reason the lab didn't do more on its own is the bureaucratic tendency to not deviate from official edicts. Mr. Busboom, who worked in the Defense Department at the time of the accountability change, recalls a specific decision to "follow the rule."
He notes that, had the higher fences plan been adopted, the hard drives would have been bumped up to top secret. That means serial numbers would have been used, and officials would have to know the location of the drives at all times.
Still, protecting sensitive information requires more than just changing a classification. Experts note how difficult it is becoming to track the voluminous amounts of information coming out of government.
Indeed, in the December Defense Department letter to DOE's Habiger, the Pentagon cited difficulties of upgrading secret information to top secret. "We anticipate that the costs of implementing such a program would be substantial," wrote Arthur Money, assistant secretary of defense. He said it would require building top-secret storage facilities and buying more secure computer equipment.
Adding to the difficulty of ensuring secrecy in an electronic age is the issue of mobility. The missing hard drives, for instance, are part of a "tool kit" used by a special team at Los Alamos called the Nuclear Emergency Search Team. The group's job is to dismantle or disarm nuclear devices and deal with nuclear disasters.
Published reports indicate that the drives contain details about US and Russian nuclear weapons, as well as information about missiles from China and France.
"The reason these particular devices are removable is because the whole team's concept is mobility - going anywhere in the world," says Busboom.
Daniel Gour, a security expert at the Center for Strategic and International Studies, says top-secret classification for the drives could render them "useless," if it means they couldn't be taken out into the field.
In the wake of the missing-drives incident, pressure is mounting on the Clinton administration to do more about protecting sensitive information. Reacting to the latest breech, the US Senate this week confirmed the No. 2 man at the CIA to head a new nuclear weapons agency within DOE.
Other steps have already been taken. Since the alleged mishandling of secrets by former Los Alamos scientist Wen Ho Lee, lab officials have increased monitoring of e-mail and removed floppy disks from computers.
Still, more needs to be done. "The conundrum underlying this whole controversy is the failure of our security policies to adjust to the electronic information environment," says Aftergood. "You can track pieces of paper, and you can control Xerox machines. But you can't track electrons."
(c) Copyright 2000. The Christian Science Publishing Society