Inadequate Cybersecurity at the Los Alamos Nuclear Lab

According to a report from the Government Accountability Office (GAO), the cybersecurity mechanisms implemented by the Los Alamos National Laboratory (LANL) on its computer network are insufficient. The GAO audit found that classified information is not properly organized and that the actions of some users on the network are not being recorded.

The Los Alamos National Laboratory is one of the largest scientific laboratories in the world that conduct research in a variety of fields including national security, renewable energy, nanotechnology, supercomputing or medicine. The laboratory is being run by an organization called Los Alamos National Security (LANS), and its work is overseen by the U.S. Department of Energy through its National Nuclear Security Administration (NNSA).

The Government Accountability Office (GAO) conducted its audit of the LANL cybersecurity strategy after the laboratory experienced several security incidents involving classified information. In February, we reported that according to a leaked internal memo, no less than 80 LANL computers were missing. Of these, 13 were confirmed as stolen, while the fate of the remaining 67 was unknown.

GAO recognized that the laboratory had made significant improvements in implementing a cybersecurity strategy, but points out that unless several remaining weaknesses are addressed, complete protection cannot be guaranteed. "These weaknesses include, among other things, (1) lack of an inventory of critical information stored on the classified computer network and (2) the inability to effectively monitor and maintain accountability for certain actions taken by individual users on the classified computer network," the agency notes in its report (PDF).

As a result of the audit, the office has recommended twelve actions to the Administrator for the National Nuclear Security Administration. Additionally, 21 recommendations to address specific weaknesses were made in a separate report that has been classified for security reasons. The NNSA agreed to most of GAO's findings, but noted that not enough time had passed since the laboratory's implementation of a previously issued Compliance Order to properly assess its sustainability capabilities.