ANALYSIS: Keeping secrets harder in a cyber age

[InfoSec News <isn () C4I ORG>]

http://www.techserver.com/noframes/story/0,2294,500216757-500307651-501709927-0,00.html

By FRANCINE KIEFER, The Christian Science Monitor

WASHINGTON (June 16, 2000 12:02 a.m. EDT http://www.nandotimes.com) -
Keeping secrets in a cyber world could challenge even a superspy like
James Bond. In today's computer age, many of the nation's top secrets
about nuclear warheads can be squeezed into a pocket-size memory
device like the one lost recently at the Los Alamos National
Laboratory.

Congress is asking, "What's to be done?"

One possible answer: Go back to some old-fashioned methods, like
requiring nuclear scientists to check out classified computer
equipment much as you would check out a book at your local library.
Even such simple security measures are often met with resistance,
however.

"I think over time our government's going to have to change the way
they look at classified information in the cyber world," says Gen.
Eugene Habiger, director of security at the Department of Energy,
which oversees the nation's three nuclear labs.

Yet last December, the Department of Defense rebuffed a plan by the
Energy Department to strengthen nuclear weapons security by upgrading
some information to "top secret."

Had the plan been implemented, it's almost certain the two hard drives
that were recently lost at Los Alamos would have been upgraded to the
top-secret category. That would have required keeping records of who
took the hard drives, and when. Without that classification, 26 lab
employees had unregulated access to the vault where the hard drives
were kept.

According to a Department of Defense letter sent to Habiger, the
Pentagon shelved the DOE plan - known as the "higher fences
initiative" - for reasons of cost and practicality.

Steven Aftergood, who directs the Project for Government Secrecy at
the Federation of American Scientists, says: "The DOE has not been
entirely derelict. They realize that there are some things that need
to be protected with greater vigor and that effort has been
frustrated, largely by the Pentagon."

At a Senate hearing this week, officials from the Energy Department
and the Los Alamos lab were queried about why there is no sign-out,
sign-in system for dealing with highly sensitive equipment like the
hard drives.

John Browne, the director of the lab, cited the history of information
classification. At the end of the Bush administration, he said, the
idea was proposed to no longer track and account for information
classified as "secret restricted data" - the middle of three
government classifications. The most limited is "top secret," the
least restrictive "classified."

Under the proposal, access to secret information would still be
restricted to people with the proper clearances, but you would no
longer have to identify and track documents with a serial number. The
upshot is that these documents became easily transportable.

The lab originally fought the idea, which was carried out by the
Clinton administration, but finally implemented it in 1993. Because
the missing hard drives are classified as secret restricted data,
there was no sign-in requirement. They were, however, stored in a
vault in a restricted area subject to passwords and other clearances.

"Throughout the government, secret data is no longer accounted for in
this country, period," Mr. Browne said. "I don't care what agency you
go into, there is no accountability for secret data."

But many question why the lab didn't do more than was required, and
come up with its own internal accountability system if it objected to
the change. Stanley Busboom, director of security at Los Alamos, says
the lab was responding to a new era of openness about classified
information.

"The way it was posed was an openness initiative," he says. "In fact,
if you go back, you'll find a lot of parallel discussion over
classification. Too many secrets."

Another reason the lab didn't do more on its own is the bureaucratic
tendency to not deviate from official edicts. Busboom, who worked in
the Defense Department at the time of the accountability change,
recalls a specific decision to "follow the rule."

He notes that, had the higher-fences plan been adopted, the hard
drives would have been bumped up to top secret. That means serial
numbers would have been used, and officials would have to know the
location of the drives at all times.

Still, protecting sensitive information requires more than just
changing a classification. Experts note how difficult it is becoming
to track the voluminous amounts of information coming out of
government.

Indeed, in the December Defense Department letter to DOE's Habiger,
the Pentagon cited difficulties of upgrading secret information to top
secret.

"We anticipate that the costs of implementing such a program would be
substantial," wrote Arthur Money, assistant secretary of defense. He
said it would require building top-secret storage facilities and
buying more secure computer equipment.

Adding to the difficulty of ensuring secrecy in an electronic age is
the issue of mobility. The missing hard drives, for instance, are part
of a "tool kit" used by a special team at Los Alamos called the
Nuclear Emergency Search Team. The group's job is to dismantle or
disarm nuclear devices and deal with nuclear disasters.

Published reports indicate that the drives contain details about U.S.
and Russian nuclear weapons, as well as information about missiles
from China and France.

"The reason these particular devices are removable is because the
whole team's concept is mobility - going anywhere in the world," says
Busboom.

Daniel Gour, a security expert at the Center for Strategic and
International Studies, says top-secret classification for the drives
could render them "useless," if it means they couldn't be taken out
into the field.

In the wake of the missing-drives incident, pressure is mounting on
the Clinton administration to do more about protecting sensitive
information. Reacting to the latest breech, the Senate this week
confirmed the No. 2 official at the CIA to head a new nuclear-weapons
agency within DOE.

Other steps have already been taken. Since the alleged mishandling of
secrets by former Los Alamos scientist Wen Ho Lee, lab officials have
increased monitoring of e-mail and removed floppy disks from
computers.

Still, more needs to be done. "The conundrum underlying this whole
controversy is the failure of our security policies to adjust to the
electronic information environment," says Aftergood. "You can track
pieces of paper, and you can control Xerox machines. But you can't
track electrons."

ISN is sponsored by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".