Information Security News mailing list archives

Nukes: A Lesson From Russia


From: InfoSec News <isn () c4i org>
Date: Thu, 12 Jul 2001 05:14:30 -0500 (CDT)

http://www.washingtonpost.com/wp-dyn/opinion/A44053-2001Jul10.html

By Bruce G. Blair
Wednesday, July 11, 2001; Page A19 

Although the United States spends nearly $1 billion every year to help
Russia protect its vast storehouse of nuclear weapons materials from
theft or sale on the black market, few Americans know how this aid
helps strengthen America's own nuclear safeguards.

Russian experts at the Kurchatov Institute, the renowned nuclear
research center in Moscow, recently found what appears to be a
critical deficiency in the internal U.S. system for keeping track of
all bomb-grade nuclear materials held by the Energy Department --
enough material for tens of thousands of nuclear bombs.

Kurchatov scientists discovered a fatal flaw in the Microsoft software
donated to them by the Los Alamos National Laboratory. This same
software has been the backbone of America's nuclear materials control
system for years. The Russians found that over time, as the computer
program is used, some files become invisible and inaccessible to the
nuclear accountants using the system, even though the data still exist
in the netherworld of the database. Any insider who understood the
software could exploit this flaw by tracking the "disappeared" files
and then physically diverting, for a profit, the materials themselves.

After investigating the problem for many months, the Russians came to
believe that it posed a grave danger and suspended further use of the
software in Russia's accounting system. By their calculations, an
enormous amount of Russia's nuclear material -- the equivalent of many
thousands of nuclear bombs -- would disappear from their accounting
records if Russia were to use the flawed U.S. software program for 10
years.

Then, in early 2000, they did something they didn't have to do: They
warned the United States, believing that an analogous risk must exist
in the U.S. system. Although neither Los Alamos nor the U.S.
Department of Energy has publicly acknowledged the possibility that
innumerable files on American nuclear materials might have
disappeared, the Russian warning caused shock waves at the highest
levels of the Energy Department.

Unlike the Russians, who did not throw away their manual records of
their nuclear stockpile -- the infamous shoe box and hand-receipt
system that U.S. assistance was intended to supersede -- the United
States has long since discarded its old written records. To
reconstruct a reliably accurate accounting record, the Energy
Department may need to inspect all of America's nuclear materials -- a
huge task that could cost more than $1 billion and still might not
detect the diversion of some material, should it have occurred.

The importance of the goodwill and trust that had grown up between
American and Russian nuclear experts over years of working together in
this area is clear. When the Russian scientists first discovered the
computer flaw, the initial reaction in some high-level Moscow circles
was to suspect an American Trojan horse, a bug planted deliberately to
undermine Russian security. After complaints by their Russian
counterparts, scientists at Los Alamos suggested that the Russian
scientists instead use a later version of the same program. Kurchatov
then discovered the upgraded program not only contained the same bug
(though much less virulent) but also had a critical security flaw that
would allow easy access to the sensitive nuclear database by hackers
or unauthorized personnel.

But trust overrode suspicion. The Russians concluded that the glitches
were innocent errors, not devious traps. Thus, they feared the U.S.
database, unbeknown to Americans, was not only prone to lose track of
nuclear materials but was also accessible to unauthorized users.
Russia reported both problems to Los Alamos, which subsequently
verified the defects, as did Microsoft. Though a fix remains elusive,
Kurchatov scientists also have shared a partial repair they developed.

This Russian feedback may be causing American embarrassment -- U.S.
officials apparently have tried to muzzle the Russians and censor
their scientific papers on the fiasco -- but it surely represents a
high return on the American investment in Russian nuclear security.
The lesson is that nuclear cooperation is a two-way street, is paying
off and deserves continuing support.

The writer, a former Minuteman missile launch officer, is president of
the Center for Defense Information.



