Find a Security Clearance Job!

Intelligence


[DOCID: f:hr687.106]
From the House Reports Online via GPO Access
[wais.access.gpo.gov]
                                                 Union Calendar No. 386
106th Congress                                                   Report
                        HOUSE OF REPRESENTATIVES
 2d Session                                                     106-687
_______________________________________________________________________
          THE HOUSE PERMANENT SELECT COMMITTEE ON INTELLIGENCE
                               __________
                              R E P O R T
                                 of the
                             REDMOND PANEL
IMPROVING COUNTERINTELLIGENCE CAPABILITIES AT THE DEPARTMENT OF ENERGY 
  AND THE LOS ALAMOS, SANDIA, AND LAWRENCE LIVERMORE NATIONAL 
  LABORATORIES

 June 21, 2000.--Committed to the Committee of the Whole House on the 
              State of the Union and ordered to be printed
                               __________
                    U.S. GOVERNMENT PRINTING OFFICE
79-006                     WASHINGTON : 2000
                         LETTER OF TRANSMITTAL
                              ----------                              
                Permanent Select Committee on Intelligence,
                                     Washington, DC, June 21, 2000.
Hon. J. Dennis Hastert,
Speaker of the House,
U.S. Capitol, Washington, DC.
    Dear Mr. Speaker: Pursuant to the Rules of the House, I am 
pleased to transmit herewith a report submitted to the 
Permanent Select Committee on Intelligence of the House of 
Representatives by a team of investigators headed by the 
renowned expert in counterintelligence matters, Mr. Paul 
Redmond. The document is styled, "Report of the Redmond Panel: 
Improving Counterintelligence Capabilities at the Department of 
Energy and the Los Alamos, Sandia, and Lawrence Livermore 
National Laboratories." The Committee by majority vote earlier 
today authorized the filing of the report for purposes of 
printing.
            Sincerely yours,
                                            Porter J. Goss,
                                                          Chairman.
                                                 Union Calendar No. 386
106th Congress                                                   Report
                        HOUSE OF REPRESENTATIVES
 2d Session                                                     106-687
======================================================================
THE HOUSE PERMANENT SELECT COMMITTEE ON INTELLIGENCE REPORT OF THE 
  REDMOND PANEL "IMPROVING COUNTERINTELLIGENCE CAPABILITIES AT THE 
  DEPARTMENT OF ENERGY AND THE LOS ALAMOS, SANDIA, AND LAWRENCE LIVERMORE 
  NATIONAL LABORATORIES" FEBRUARY 2000
                                _______
 June 21, 2000.--Committed to the Committee of the Whole House on the 
              State of the Union and ordered to be printed
                                _______
    Mr. Goss, from the Permanent Select Committee on Intelligence, 
                        submitted the following
                              R E P O R T
                           Executive Summary
    In the wake of last year's reports by the Cox Committee \1\ 
on Chinese nuclear espionage and by the President's Foreign 
Intelligence Advisory Board (PFIAB) on security lapses at the 
Department of Energy's (DOE's) nuclear weapons laboratories, 
and in response to Presidential Decision Directive NSC 61 (PDD-
61),\2\ Secretary of Energy Bill Richardson embarked on a 
comprehensive reform of counterintelligence (CI) at DOE. This 
was accelerated and significantly refined in response to 
legislation proposed by Congress which, among other things, 
created the National Nuclear Security Agency (NNSA).
---------------------------------------------------------------------------
    \1\ The Cox Committee's formal name was the House Select Committee 
on U.S. National Security and Military/Commercial Concerns with the 
People's Republic of China.
    \2\ PDD-61 was issued on February 11, 1998 in response to reports 
from the General Accounting Office and from the Intelligence Community 
that derided CI and security at DOE and its constituent laboratories.
---------------------------------------------------------------------------
    The House Permanent Select Committee on Intelligence 
established a bipartisan investigative team in the first 
quarter of FY 2000 to examine the Department of Energy's plan 
to improve its counterintelligence posture at its headquarters 
in Washington and its three key weapons laboratories. The 
purpose of the examination was to review the status of reforms 
and to examine issues still unresolved or under consideration. 
The team was comprised of a majority staff member, a minority 
staff member, and a special staff consultant, Mr. Paul Redmond, 
one of America's leading experts in CI and a former head of CI 
at the Central Intelligence Agency (CIA).
    In general, the review determined that DOE has made a good 
but inconsistent start in improving its CI capabilities. The 
most progress has been made in building an operational CI 
capability to identify and neutralize insider penetrations. The 
two areas of greatest shortcoming, either of which could derail 
the whole CI program, are in CI awareness training and in 
gaining employee acceptance of the polygraph program.
    Among the specific findings and recommendations from the 
review are:
           The current director of CI at DOE is an 
        excellent choice for the job. Moreover, he has access 
        to and the support of the Secretary.
           DOE has failed to gain even a modicum of 
        acceptance of the polygraph program in the 
        laboratories. DOE must involve laboratory management in 
        deciding who will be polygraphed.
           DOE's efforts to improve CI awareness 
        training have failed dismally. In developing its CI 
        awareness training program, DOE should draw on the 
        positive experience of other U.S. government agencies, 
        in particular the CIA and National Security Agency 
        (NSA).
           DOE also faces a considerable challenge in 
        the area of cyber CI, that is, protecting classified 
        and sensitive computerized media databases and 
        communications from hostile penetration. This will 
        require significant investment in defenses and 
        countermeasures and require the assistance of other 
        federal agencies.
           DOE CI has established an excellent, well-
        staffed, and effective annual CI inspection program 
        that will serve to ensure the maintenance of CI 
        standards and continued improvements in the program.
           The "shock therapy" of suspending the 
        foreign visitor and assignment programs worked in 
        making the laboratories realize the degree to which 
        these programs, if not properly managed, can be a 
        counterintelligence threat. The CI components at the 
        laboratories now appear to be better involved in the 
        process of granting approvals for visits and assignees.
           Cooperation at each laboratory between CI 
        and security personnel is largely informal and 
        dependent upon personal relationships. DOE and the 
        laboratories must establish more formal mechanisms to 
        ensure effective communication, coordination, and, most 
        importantly, the sharing of information.
           The CI offices at the laboratories are 
        hampered by their not being cleared for access to 
        certain Special Access Programs (SAPs). Thus, the CI 
        components are unable to exercise CI oversight of these 
        activities. The Director of Central Intelligence (DCI) 
        should work with the DOE Secretary to remedy this 
        situation.
           DOE needs to establish contractual CI 
        performance standards for the laboratories against 
        which they can be judged and duly rewarded or 
        penalized.
           It should be noted that the Committee has 
        not adopted the Redmond Panel's position in favor of 
        the maintenance of the current centralization of all CI 
        authority at DOE for a short, transitional period.
Introduction and scope of investigation
    The scope of the team's investigation was to determine what 
has been done by the Department of Energy (DOE) and its key 
constituent nuclear weapons laboratories to improve 
counterintelligence (CI) policy and practices in the wake of 
the nuclear espionage investigation at Los Alamos National 
Laboratory. The team was limited to evaluating CI capabilities 
at the three principal nuclear weapons laboratories at Los 
Alamos, Sandia, and Lawrence Livermore, and at DOE 
Headquarters. The team was also to propose additional measures 
to improve CI at those facilities if, in the judgment of the 
team members, such measures were warranted.
    The team interviewed DOE officials in Washington, D.C., 
California, and New Mexico. It also interviewed contractor 
employees of DOE, including employees of the University of 
California and Lockheed-Martin, at the three nuclear weapons 
laboratories. In addition, the team interviewed numerous 
officials of the Federal Bureau of Investigation (FBI), both at 
FBI Headquarters and at FBI Field Offices in San Francisco, 
California and Albuquerque, New Mexico, and officials of the 
Central Intelligence Agency (CIA) and the National Security 
Agency (NSA).
    This report is not linked to DOE's own progress reports, 
which cite percentages of CI steps that DOE considers to be 
"implemented" at the three weapons laboratories. The team 
quickly determined that DOE used imprecise terms in describing 
the results of its self-evaluation. For example, the word 
"implemented" is commonly understood to mean that something 
has actually been accomplished, whereas DOE considers a CI 
directive as implemented when it has only been promulgated. For 
instance, in a September 1999 progress report, DOE claimed to 
have implemented the recommendation that lab CI offices contact 
all employees and contractors who have met with foreign 
nationals from sensitive countries. From its on-site visits the 
team determined that, although the laboratory CI offices are 
aware of the recommendation, they have yet to carry it out. The 
team thus does not believe that DOE's evaluative methodology is 
useful in assessing the true extent to which CI measures have 
been "implemented."
    Historical comment: In the course of interviewing numerous 
laboratory personnel, the team encountered a pervasive, but 
muted, sentiment that many of the CI and security problems at 
the laboratories were exacerbated, if not caused, by the 
policies of former Energy Secretary Hazel O'Leary. These 
policies included the redesign of laboratory identification 
badges that resulted in the intentional obscuring of 
distinctions between clearance levels, the collocation of Q-
cleared personnel with individuals who held lesser clearances, 
and the widespread use of "L" clearances--which still require 
only the most cursory background check for approval. One senior 
lab official opined that the L clearance program was "the 
worst idea in government--cursorily clearing people who didn't 
need access to Q material created new vulnerabilities."
    The team notes that DOE was not unique in de-emphasizing 
basic security procedures in the wake of the end of the Cold 
War. The State Department, for example, embarked on its now 
infamous "no escort" policy, the Defense Intelligence Agency 
issued "no escort" badges to Russian military intelligence 
officers, and even the Central Intelligence Agency 
precipitously abandoned its policy of aggressively recruiting 
Russian intelligence officers. The present and future 
Administrations must ensure that such laxity will never again 
be encouraged or tolerated.
DOE Office of Counterintelligence (DOE CI)
    Presidential Decision Directive NSC 61 (PDD 61), issued on 
February 11, 1998, provided for the establishment of a new DOE 
CI program that reports directly to the Secretary of Energy. In 
April 1998, DOE's CI office became operational. Under the 
guidance of the director of DOE CI, Mr. Edward Curran, the 
Department has made considerable progress towards establishing 
an effective CI operational capability at DOE Headquarters to 
do the analytical and investigative work necessary to identify 
and neutralize insider penetrations. It is the team's opinion 
that Mr. Curran is ideal for the CI director job because of his 
extensive CI experience at the FBI, his rotational assignment 
at the CIA, and his persistence and determination.
    Mr. Curran appears to have access to and the support of the 
Secretary of Energy, which is an essential ingredient to an 
effective CI program. Moreover, he is vigorously attempting to 
exert DOE CI authority and influence over the laboratories, 
which, while difficult to accomplish, is critical to the 
success of the new CI program. In the future, direct access to 
the Secretary and close working relations with other offices 
reporting directly to the Secretary, including the Offices of 
Security Affairs and Intelligence, will be crucial. In 
addition, DOE CI must establish and maintain a mutually 
supportive relationship with the Office of Independent 
Oversight and Performance Assurance, which performs inspections 
of DOE programs and policies. This office has an established 
record \3\ of detecting, documenting and reporting CI and 
security shortcomings at the laboratories. Regrettably, past 
findings of this office in the CI realm evidently were rarely 
acted upon. This office, which is philosophically attuned to CI 
and security issues, now has a good working relationship with 
DOE CI and has recently pointed out at least one CI cyber 
security \4\ vulnerability. In the future, the office will be a 
natural ally for DOE CI as it tries to assert authority, 
identify problems and implement new policies.
---------------------------------------------------------------------------
    \3\ In 1994, this office discovered a serious vulnerability at Los 
Alamos--there was no technical or policy impediment to the transfer of 
classified data from a classified to an unclassified computer system. 
This finding was apparently duly documented and reported to the 
requisite DOE offices and to Congress. Disturbingly, no remedial action 
was taken.
    \4\ Cyber security is meant to encompass security for all computer 
systems at DOE and the laboratories.
---------------------------------------------------------------------------
    Mr. Curran is hiring and, where necessary, training a good 
cadre of CI officers to perform investigations from DOE 
Headquarters. The CI components at the laboratories,\5\ 
moreover, seem well on the way towards adequate staffing. 
Laboratory interaction with the FBI appears to be effective, at 
both the management and CI component level. That said, 
laboratory CI offices will need to focus for the foreseeable 
future on (1) gaining the confidence of their laboratory 
colleagues; (2) crafting CI programs that fit the unique needs 
of each lab; and (3) conforming to DOE's requirements for more 
standardized approaches and procedures. The team appreciates 
that the job of reforming CI at DOE and the laboratories will 
require steadfast resolve on the part of Mr. Curran and his 
successors, continued support from the Secretary, and sustained 
resources from Congress.
---------------------------------------------------------------------------
    \5\ The term "laboratories" will hereinafter include Los Alamos, 
Sandia, and Lawrence Livermore National Laboratories only.
---------------------------------------------------------------------------
Congressionally mandated reorganization of DOE
    Mr. Curran believes that any authority he may have had in 
his new job as DOE's director of CI will be greatly diluted by 
the new structure established in the National Defense 
Authorization Act for Fiscal Year 2000. While the team will not 
attempt to evaluate the restructuring plan, Mr. Curran's views 
on the matter remain germane to the team's evaluation of how 
DOE Headquarters is approaching CI reform at the laboratories.
    Mr. Curran indicated to the team that his initial plan had 
been to place federal employees rather than contractors as the 
CI chief at each laboratory. This would, in his view, create a 
more disciplined line of authority necessary to counter the 
historical unresponsiveness of the laboratories to DOE 
Headquarters directives. Mr. Curran ultimately accepted the 
argument put forth by the laboratories, however, that 
laboratory employees, i.e., contractors, would be more 
acceptable locally and would thus be more effective.
    Mr. Curran believes that given the semi-autonomous status 
of new National Nuclear Security Agency (NNSA) under the 
statutory restructuring, he will have only a policy role and no 
actual authority over these contractors. In his January 1, 2000 
implementation plan, the Secretary proposed that the present 
director of DOE CI serve concurrently both in that capacity and 
as Chief of Defense Nuclear CI in the NNSA.
Separation of CI and security disciplines at the laboratory level
    The deliberate separation of CI and security disciplines at 
the laboratories, as advocated by DOE Headquarters senior 
management and as legislated by Congress could cause problems 
both at Headquarters and the laboratories. Management at each 
of the laboratories has sensibly placed CI and security where 
the expertise is. For instance, cyber security at all three 
laboratories resides under information management for 
organizational purposes. At Lawrence Livermore, the CI 
component resides under operations. Laboratory management and 
the CI chiefs appear satisfied with such arrangements. They 
uniformly indicated that security and CI are connected by what 
one Lawrence Livermore manager described as "multiple 
neurons" under such a rubric as an "Operational Security 
Group." This group ensures that each interested or responsible 
component is informed and involved as issues arise.
    Such claims notwithstanding, the team discovered that these 
"multiple-neuron-type" arrangements are not formalized in any 
meaningful way at any of the three laboratories. In each case, 
the communications arrangements appear to depend primarily on 
personal and working level relationships. It has been the sad 
experience in many espionage cases that only after the spy is 
uncovered, does it become clear that a plethora of 
counterintelligence indicators concerning various facets of the 
individual's life, performance, and behavior, had been known in 
different places by different individuals, but never 
effectively collated or holistically evaluated.
    DOE must ensure that the CI officers at the laboratories 
are part of a formal system set up locally to ensure that all 
relevant CI and security data information is collected, 
assembled, and analyzed by means that are not solely dependent 
on personal relationships. Otherwise, theretirement or transfer 
of one individual in the process could cause the whole system to break 
down. Without an effective organizational structure, there is no 
guarantee that all relevant data will become known to the CI office. 
The team is not satisfied that DOE and the laboratories have completely 
grasped this concept. Moreover, the DOE Operational Field offices at 
Albuquerque and Oakland continue to refuse to share relevant 
information from employee personnel files under their control with DOE 
CI or laboratory CI components. The team learned that DOE CI is not 
even informed by these three offices when an employee loses his or her 
security clearance. Therefore, the team recommends that DOE ensure that 
a formal communications process for CI information between and within 
the laboratories and between DOE Operational Field offices and CI 
personnel be established immediately.
CI inspection teams
    PDD-61 requires an annual inspection of DOE's CI program. 
DOE CI has hired and deployed a dozen retired FBI, CIA, and 
military intelligence officers to inspect the CI programs at 
the three weapons laboratories. This excellent initiative is 
already yielding promising results by identifying systemic 
problems and offering solutions. The inspection team consists 
of highly experienced individuals, who appear to be insulated 
from the politicization that can yield watered down findings. 
The team's effectiveness, however, will be largely dependent 
upon the frequency of its inspections. We recommend that DOE 
continue annual inspections as stipulated in PDD-61 and add 
follow-up inspections focusing on specific problem areas. The 
team judges that there is no DOE CI program that is more useful 
or efficient than this inspection regime. We recommend, 
therefore, that resources adequate to expand this inspection 
program be provided.
    The inspectors have reasonably noted that since they are 
just beginning their program, they should focus on establishing 
a baseline for assessing where the laboratory CI programs 
should be within a year or so. The reaction at the laboratories 
to these inspections has been generally favorable, with only 
minor complaints about repetitious questioning and an over-
reliance on the format of a standard FBI internal inspection 
that is not entirely appropriate for this effort. Some of the 
CI chiefs at the laboratories believe that the inspection 
teams, employing a narrow FBI focus, put too much emphasis on 
laboratory investigative capabilities and not enough on the 
information gathering, non-law enforcement role of the 
laboratory CI units. Also, the capability of the inspection 
teams in the difficult, arcane cyber area needs enhancement. 
Overall, however, this is a fine program. With some minor 
adjustments, it should become an effective instrument to ensure 
the continued improvement of CI at the laboratories.
Polygraph testing
    Polygraph testing for "covered" \6\ DOE and laboratory 
personnel was mandated by Congress, but DOE Headquarters 
reacted with poorly thought out and inconsistent directions to 
implement the requirement. As a result, laboratory personnel 
have a very negative attitude towards the polygraph. Moreover, 
since the polygraph is a highly visible part of the overall CI 
effort, the entire CI program has been negatively affected by 
this development. At the center of this problem is DOE's lack 
of success in explaining the importance and utility of the 
polygraph program. Further exacerbating this problem, DOE 
Headquarters personnel made little effort to consider the views 
of senior laboratory managers and have not involved them in the 
planning process for determining who will be polygraphed. In 
addition, DOE Headquarters efforts to meet with the laboratory 
employees to explain the polygraph program have been 
ineffective, if not counterproductive. To make matters even 
worse, DOE Headquarters, by vacillating and changing the policy 
over time, appeared inconsistent and unsure where the opposite 
is essential to instill confidence in the program parameters 
and professionalism.
---------------------------------------------------------------------------
    \6\ Section 3154 of the FY 2000 Defense Authorization Act defines 
"covered" persons as those involved in Special Access Programs, 
Personnel Security and Assurance Programs, Personnel Assurance 
Programs, and with access to Sensitive Compartmented Information.
---------------------------------------------------------------------------
    The attitude toward polygraphs at the laboratories runs the 
gamut from cautiously and rationally negative to emotionally 
and irrationally negative. Moreover, the attitudes of the lab 
directors themselves range from acknowledgement of the need 
(although uncertain as to how to implement it), to frank and 
open opposition. Scientists at Sandia prepared a scientific 
paper purporting to debunk the polygraph for a laboratory 
director's use in a Congressional hearing. Employees at 
Lawrence Livermore wear buttons reading "JUST SAY NO TO THE 
POLYGRAPH." Other laboratory employees expressed the sentiment 
"You trusted me to win the Cold War, now you don't?" The team 
heard such statements as, "The Country needs us more than we 
need them" and "The stock options of Silicon Valley beckon." 
Several expressed a belief that many scientists will quit and 
that DOE will not be able to maintain the stockpile stewardship 
program. Still more employees cited an Executive Order that 
exempted Presidential appointee and "Schedule C" employees 
from having to take the polygraph as outrageous and unfair.
    In addition to the emotional reactions, there are rational 
questions about the polygraph, such as, "What are they going 
to do with the inevitable number of people who do not pass?" 
The team shares this concern, and expects that there will be a 
significant number of so-called "false-positive" polygraph 
results that will have to be further examined. Another concern 
voiced to the team by numerous laboratory employees was that 
"No one has ever tried this before on this scale." The fact 
is that never before have so many "cleared" employees of a 
government organization had to have their clearances (and, 
thus, their livelihoods) threatened by the institution of the 
polygraph.
    Compounding the problem further is an attitude among many 
laboratory employees that they are indispensable and special, 
and thus, should be exempt from such demeaning and intrusive 
measures as the polygraph. Scientists do, in fact, represent a 
particular problem with regard to the administration of 
polygraphs. They are most comfortable when dealing with 
techniques that are scientifically precise and reliable. The 
polygraph, useful as it is as one of several tools in a CI 
regime, does not meet this standard. Accordingly, many 
scientists who have had no experience with it are skeptical of 
its utility.
    DOE's efforts at explaining the utility of the polygraph as 
part of a multi-faceted CI program have been ineffectual. 
Moreover, DOE Headquarters' response to resistance at the 
laboratories, as unreasonable as that resistance may be, has 
been dictatorial and preemptory. As one senior DOE official 
observed, on hearing the complaint by the laboratories that the 
polygraph will make it difficult to recruit and retain top 
scientists, "It is already difficult to recruit and retain 
scientists in this economy, so what's the difference?"
    In December 1999, the Secretary announced that DOE intends 
to reduce the number of employees subject to the polygraph to 
about eight hundred. This change, coupled with theelimination 
of the exclusion for senior political appointees, indicates that DOE 
Headquarters is trying to rectify the original overly broad and 
impractical scale of the polygraph program. Nonetheless, even this 
well-intentioned step has elicited skepticism. As one senior manager 
said, "What is to prevent some new Secretary from coming along and 
hitting us for not polygraphing all thirteen thousand laboratory 
employees?"
    The team judges that DOE Headquarters should do more to 
involve laboratory management in the process of selecting those 
individuals to be polygraphed. Senior laboratory managers know 
what secrets need protecting and, thus, could bring their 
knowledge to bear on this process. Including managers visibly 
will involve them with the program in the eyes of the 
workforce. This will both motivate and enable them to sell the 
program, and, one hopes, give the program more credibility. 
Their participation, moreover, would make them accountable.
    To this end, DOE must reinvigorate and revamp its effort to 
educate the workforce on how polygraphs, while not definitive 
in their results, are of significant utility in a broader 
comprehensive CI program. The polygraph is an essential element 
of the CI program and it will not work until it is accepted by 
those who are subject to it.
Counterintelligence awareness training
    There has been no discernable, effective effort from DOE 
Headquarters to establish and support an effective CI training 
and awareness program. Moreover, the team was unable to 
identify any real efforts on the part of DOE CI to improve upon 
existing DOE training and awareness practices for laboratory 
employees.
    No organization, governmental or private, can have 
effective CI without active, visible, and sustained support 
from management and active "buy-in" by the employees. It is 
not possible to do CI by diktat, or from a distance. In the 
words of one DOE officer, the CI program cannot be a success 
unless each employee "knows the requirements [of the program], 
his or her own responsibilities, and is trained to carry them 
out."
    Historically, the laboratories have--on their own 
initiative--sponsored CI and security lectures and briefings to 
supplement the annual security refresher required of each 
employee. The CI lecture series at Lawrence Livermore is an 
excellent program. Unfortunately, it has not been replicated by 
the CI offices at Sandia or Los Alamos, which instead 
sporadically arrange ad hoc presentations.
    Moreover, the annual security refresher, which these 
lectures supplement, is perfunctory and pro forma. It can 
consist of as little as a brief presentation on a personal 
computer followed by a short quiz to ensure that the employee 
has read the material. As a result, the refresher process is 
not taken seriously by the employees, especially since DOE 
Headquarters has dictated much of the content in the past 
without consulting the laboratories. The sample training 
materials examined by the team were bureaucratic, boring, 
turgid, and completely insufficient.
    The poor state of the training program is also reflected in 
the mistaken belief by CI officials in Washington that a 
training facility at Kirtland Air Force Base in Albuquerque, 
New Mexico, is assisting in developing CI teaching materials 
for DOE's next annual refresher. When contacted by the team, 
the facility indicated that it was playing no such role. 
Clearly, DOE CI has yet to turn its attention to improving CI 
training.
    In lieu of a department-wide program, the laboratories have 
taken some uncoordinated initiatives to meet some of their 
awareness training requirements, if only in response to the 
uproar caused by events at Los Alamos. Management at all three 
laboratories appears to have given some thought, at least, to 
what may be required. Managers have drawn an analogy between 
their successful occupational safety training and awareness 
program and how they are to make security and CI an 
accountable, integral part of each employee's daily work and 
professional mindset. At Sandia and Los Alamos, specifically, 
management recognizes that, as in safety management, it should 
give line managers specific roles and responsibilities for CI 
and security, and then hold them accountable. This would appear 
to be a constructive step.
                     The View from the Laboratories
    Laboratory management made the following comments regarding 
training and awareness:
           "Some of the awareness training material 
        received from Washington is so bad it is embarrassing. 
        Were it used, it would undermine the credibility of the 
        whole program."
           "We had to scramble to find speakers on the 
        subject [of CI during a lab-wide CI and security stand-
        down]."
           "One [CI] lecture given by an experienced 
        former FBI agent, tailored to the laboratory audience, 
        was a huge success. We need more of this sort of 
        thing."
           "There is no line budget item for training, 
        each speaker costs about $4,000, yet there is no 
        Headquarters-generated program."
           "DOE Headquarters' approach to training and 
        awareness has been form over substance, represented by 
        dictated programs and policies."
           "There is an acute need for `realistic' 
        awareness training, so people will realize the problem 
        did not go away with the Cold War and they are still 
        targets."
           "There are [laboratory] divisions standing 
        in line for tailored presentations."
           "Concrete examples, real [CI] incidents, 
        and their consequences are required to get people's 
        attention. They [the scientists] must be captured 
        intellectually."
    In the spring of 1999, the Secretary issued a series of 
short-notice security, CI, and cyber-related "stand-downs" at 
the laboratories. This was not well received by laboratory 
employees. Some characterized the stand-downs as a "frog 
marching exercise" that discredited the whole effort at 
improving CI by alienating significant parts of the workforce. 
An exception to this belief was at Los Alamos, where the stand-
downs were viewed as a "unifying" experience--presumably 
because of the siege mentality that existed there in the wake 
of the nuclear espionage allegations.
    The CI component at DOE Headquarters has a new training 
officer, and the office apparently intends to develop a program 
to support CI awareness and training at the laboratories. One 
starting point would be to follow the example of other 
successful CI training programs. CIA, in the aftermath of the 
Aldrich Ames espionage case, also instituted a very aggressive 
CI course and lecture program supplemented by an in-house 
television series. In addition, NSA has a long-standing, 
effective training and awareness program that the team examined 
at length prior to its field visits to the laboratories.
    It is instructive to consider the experiences of NSA, 
particularly in dealing with the parts of NSA populated with an 
accomplished collection of world-class mathematicians and 
cryptologists. This highly skilled workforce is very similar to 
that found at the laboratories. The key factor in NSA's success 
in the training and awareness area appears to be that its 
overall integrated security and CI program has been in 
existence for many years, and the mathematicians enter a 
culture where, from the very beginning of their employment, 
security, CI, and the polygraph are "givens" in their daily 
work. DOE is now starting virtually from scratch and would do 
well to learn from the positive experiences of agencies such as 
NSA.
    NSA has also had success with a program designating a 
security and CI referent for each significant component. This 
individual is not a security professional, but a regular 
employee of the component, one of whose additional duties 
involves dealing with security/CI issues. The referent, who 
receives some extra security and CI training, is partly rated 
on his performance in this role and is responsible for selling 
the CI program at the lowest bureaucratic level. This system, 
by all accounts, has been quite successful. Los Alamos has a 
large number of employees who are responsible for "security" 
in their units. Their role at Los Alamos could be expanded 
along the lines of the NSA model and could be adapted 
elsewhere. The team also notes that when it raised NSA's 
security/CI referent concept at each laboratory, there was 
widespread interest in it. Resources to enable the laboratories 
to institute a referent program along the lines of the NSA 
model should be provided.
    DOE Headquarters must do much more to support field 
training and awareness by establishing a comprehensive 
curriculum for use by the laboratories that is interesting and 
substantive enough to catch the attention of the difficult 
laboratory audience, and sufficiently flexible to allow 
individual CI directors to address the specific needs of each 
laboratory. In addition, DOE should establish a CI training 
course for managers. Like the successful occupational safety 
management training, this course should emphasize that CI is an 
integral part of each manager's job.
    Finally, Congress should support extensive CI training and 
awareness programs at DOE Headquarters and the laboratories. 
This should include providing funds specifically for this 
purpose in FY 2001 to ensure that training and awareness needs 
are met and that money is not diverted to other programs. 
Congress should carefully oversee the implementation of the 
program it funds to ensure that training and awareness becomes, 
and remains, a high priority for DOE.
Cyber CI
    DOE and the weapons laboratories face their biggest 
challenge in the area of cyber CI. The magnitude of the problem 
and the complexities of the issues are daunting. There are 
several thousand systems administrators at the laboratories who 
have very wide access. There are each day hundreds of thousands 
of internal e-mails at the laboratories and tens of thousands 
sent to external addresses. Additionally, there are extremely 
complicated issues of connectivity and systems architecture. 
The laboratories, wherein reside massive brainpower and 
experience in cyber matters, are beginning to address this 
challenge cooperatively and, in some cases, with the assistance 
of other U.S. Government agencies. Some laboratories have in 
place programs using "key words" to scan e-mail traffic for 
CI indicators, but it is too early to formulate any substantive 
judgments of their effectiveness.
    It is clear that DOE CI has not yet fully established its 
authority at DOE Headquarters and at the laboratories in the 
cyber area. The cyber component of DOE CI is trying to overcome 
legal obstacles centering largely on privacy issues related to 
the implementation of a pilot program to determine the size and 
difficulty of e-mail monitoring using sophisticated 
"visualization" software. There is another pilot program 
under development to detect cyber intrusions better. DOE CI is 
encountering bureaucratic resistance to establishing acceptable 
minimum standards. For instance, the laboratories are pressing 
for standards that are acceptable in a more open "academic" 
environment. Furthermore, a comprehensive intrusion incident 
reporting mechanism for the computer systems controlled by DOE 
information management offices and the laboratories is meeting 
resistance from DOE and laboratory personnel, who cite 
excessive reporting burdens.
    There has existed for years at the laboratories an entity 
called the Computer Incident Advisory Capability (CIAC) that 
was responsible for collecting and analyzing computer security 
incident data. The reporting to this organization has 
historically been voluntary, and anonymity was permitted to 
encourage the laboratories to be frank and forthcoming. More 
recently, the CIAC has begun to provide DOE Headquarters with 
intrusion incident summaries. The lack of specificity in these 
summaries, however, makes meaningful analysis impossible. DOE 
CI, with assistance and support from DOE management, needs to 
assert its authority in this matter.
    It appears that DOE CI is very well served by employing 
detailees from the FBI and NSA. These detailees bring a high-
level of expertise to the issue and some independence from 
DOE's bureaucracy. The practice of assigning them to play a 
leading role in the cyber CI component should be continued.
    The DOE CI component believes that it has an effective 
working relationship with DOE's Office of Independent Oversight 
and Performance Assurance. This office conducts "red team 
attacks" on the computer systems and has helped impose 
computer security standards at the laboratories. Clearly, the 
functions of DOE CI and this office are complementary, 
particularly in the cyber area. This close working relationship 
will be a key to improving overall cyber CI.
    In sum, DOE CI, faces in the cyber area, the same very 
difficult, complicated issues faced everywhere in the national 
security community. The individuals who create and run computer 
systems are, by training and motivation, inclined to promote 
the widest, fastest, most efficient dissemination and 
transmission of data; hence, the basic and pervasive mutual 
aversion between "Chief Information Officers" and the 
security/CI offices. The team believes that adequate resources 
should be provided for cyber security and CI, and that 
aggressive oversight should be exercised to ensure that 
effective programs are developed and implemented.
Foreign visits and assignments
    The team limited its examination of this issue to the role 
played by DOE CI and the laboratory CI offices in the visitor 
and assignments approval process, which would lead to the 
laboratory director seeking a "waiver" to the moratorium on 
foreign visits from sensitive countries. The team notes that 
Secretary Richardson announced in December 1999 that he might 
start seeking such waivers as permitted by the FY 2000 National 
Defense AuthorizationAct.\7\ All three laboratory CI chiefs 
stated that they now have an established, integrated role in the 
approval process leading to a laboratory director seeking a waiver to 
allow such a visit. For instance, the CI chief at Lawrence Livermore is 
one of four officers who must sign off before a request goes to the 
laboratory director for a decision to seek a waiver. The CI chief at 
Sandia is a member of the Foreign Visits and Assignments Team, which 
actually controls the approval process. These officials can thus bring 
to bear a CI perspective on any proposed visit, which the team believes 
to be a crucial function.
---------------------------------------------------------------------------
    \7\ Washington Post, December 3, 1999 "Energy Chief to Allow 
Foreign Scientist to Visit Labs."
---------------------------------------------------------------------------
    Obviously, the judgments made by the laboratory CI offices 
are only as good as data on which they are based. These data 
includes indices checks, which have often been slow in coming 
from other Federal agencies. The laboratory CI offices need to 
have access to broader-based intelligence information. This 
information, when integrated by the analysts in the CI offices, 
would give them a much improved basis on which to judge the CI 
threat that individual visitors and delegations might pose. 
Access to this information is problematic, and DOE CI needs to 
work with other relevant entities at DOE Headquarters--
particularly the Office of Intelligence--to arrange appropriate 
and efficient access in the field.
    In addition, there are two relevant databases. The Foreign 
Assignments Records Management System (FARMS) is unclassified 
and is maintained by DOE security. The Counterintelligence 
Analytical Research Data System (CARDS) is maintained by DOE CI 
and is an outstanding repository of classified data on 
prospective foreign visitors. Laboratory CI offices believe 
that they need a "bridge" between these databases so they can 
more effectively use the information they contain. In addition, 
it appears that the laboratories, which in some cases 
maintained their own databases, feel less confidence in the 
quality of DOE-maintained data, and their access has become 
more cumbersome. DOE CI needs to address these problems.
    Apparently, the legislatively imposed moratorium on foreign 
visits and assignment has had the desired effect of making DOE 
and the laboratories much more conscious of the CI threat posed 
by visits.\8\ Making the laboratory directors accountable has 
also had a salutary effect. It now remains for DOE CI and the 
laboratory CI offices to work together to make sure the CI role 
in the approval process is made as effective as possible by 
bringing to bear the maximum amount of data as efficiently as 
possible. There will also need to be more awareness training to 
sustain and better improve the presently enhanced levels of 
interest and attention.
---------------------------------------------------------------------------
    \8\ Evaluating the security aspects of the visits and assignments 
program is beyond the team's remit and is therefore not addressed 
herein.
---------------------------------------------------------------------------
CI knowledge of special access programs (SAPs) and other sensitive 
        projects
    The laboratories do a considerable amount of work for the 
Intelligence Community under the auspices of the "Work-for-
Others" program. This work, administered by DOE, is often 
highly sensitive and is administratively compartmented within 
SAPs, which require additional clearances. The laboratory 
employees who work on these SAPs or other projects technically 
fall under the CI jurisdiction of the laboratory CI office. The 
team discovered inconsistencies in this arrangement in two of 
the laboratories that could lead to potentially dangerous 
outcomes for CI if not corrected.
    At Lawrence Livermore, laboratory CI officials are not 
permitted to become involved in the "Work-for-Others" 
programs involving Intelligence Community SAPs. They are not 
substantively or administratively informed of any aspect of the 
programs. Given that one of the primary functions of the 
laboratory CI staff is to brief employees on CI threats and to 
inquire about CI incidents, the CI office at Lawrence Livermore 
is unable to perform fully this critically important function. 
Lawrence Livermore's CI chief advised that he learns of "Work 
for Others" activities only "by mistake" or "by accident." 
In some instances when he has tried to involve himself in 
issues related to "Work-for-Others" activities, he has been 
restrained by his senior management, which presumably is 
seeking to enforce Intelligence Community requirements. A 
similar situation prevails at Sandia, where it was evident that 
the CI component is often unaware of "Work-for-Others" 
activities.\9\
---------------------------------------------------------------------------
    \9\ Due to the communications arrangements between Los Alamos 
chiefs of intelligence, CI, and security, Los Alamos does not appear to 
have the same problem as the other two laboratories.
---------------------------------------------------------------------------
    The net result of this situation at Lawrence Livermore and 
Sandia is that no one appears to be examining CI issues 
involving personnel engaged in the most sensitive SAPs and 
other Intelligence Community projects without a formalized 
reporting mechanism, there is no guarantee that an employee 
will report a CI incident to the contracting intelligence 
agency. The contracting agency, may or may not, in turn, report 
the problem or issue to the DOE Office of Intelligence, DOE CI, 
or to FBI Headquarters. The team judges this to be an 
unacceptable process for the transmission of such critical CI 
information. DOE Headquarters should reach a formal agreement 
with the Intelligence Community to ensure that the laboratory 
CI offices are read into the SAPs at least at an administrative 
level so they can fulfill their CI responsibilities. The team 
also encourages the Community Management Staff (CMS), which has 
been tasked by the Director of Central Intelligence (DCI) to 
examine the protection of Intelligence Community equities by 
DOE and the laboratories, to work closely with DOE to resolve 
this issue of the lack of a formalized reporting mechanism.
Sensitive unclassified technical information (SUTI)
    DOE has instituted a new pseudo-classification for material 
that is deemed sensitive, but is technically unclassified. The 
team encountered significant confusion at the laboratories 
about what will actually be captured under the SUTI category, 
and laboratory managers expressed strong opposition to the 
whole concept. One principal argument was that scientists who 
work at the laboratories are already precluded from publishing 
much of their work because it is classified. The scientists 
often feel that much of what they must treat as classified is 
actually publicly available and being discussed by their non-
U.S. government peers around the world. Also, given that their 
scientific reputations are largely dependent upon what they 
publish and upon their interactions with their non-U.S. 
government peers, they feel that the SUTI category further 
prejudices their ability to earn scientific recognition. 
Moreover, laboratory employees pointed out to the team that the 
SUTI category is highly subjective, cannot be standardized in 
any fair way, and will necessarily compel them to look for work 
outside of government if it is strictly imposed.
    It appears that the DOE Headquarters policy on SUTI is 
evolving much like its policy on the polygraph, with similar 
misinformation, misunderstanding, and general confusion among 
those who will be affected by it. At Los Alamos, senior 
managers advised the team that SUTIwas no longer an issue 
because it had been replaced with a DOE list of sensitive subjects. It 
is interesting that Lawrence Livermore and Sandia were, at the same 
time, still laboring under the assumption that they would be subject to 
SUTI and were making decisions based upon this assumption.
    In the team's judgment, DOE should proceed very cautiously 
and openly on SUTI imposition--if it does so at all--so as to 
avoid repeating the internal public relations mistakes it made 
with the polygraph program. Moreover, it appears DOE has yet to 
address the significant legal implications associated with the 
promulgation and implementation of SUTI. This fact was 
acknowledged recently by DOE's General Counsel, who issued a 
notice stating that since "sensitive information" is neither 
defined in the National Defense Authorization Act for FY 2000, 
nor in DOE's existing regulations, DOE will not impose new 
statutory penalties associated with mishandling sensitive 
unclassified information. Therefore, until a clear and well 
thought out rationale and implementation plan has been 
formulated by DOE for SUTI--which must include engagement with 
laboratory management and personnel to be effective--the team 
believes that steps to implement SUTI regulations should not 
proceed.
Enforcement
    Each contract DOE has with the operators of the 
laboratories requires an annual appraisal of performance. In 
the past, these appraisals apparently included an ineffective 
pro forma consideration of security. It appears that neither 
DOE Headquarters nor DOE Field Offices, which are directly 
responsible for contract oversight, effectively enforced the 
terms of the contracts in this area. For example, the team was 
told that in some instances the University of California was 
not consciously aware of the fact that it was contractually 
responsible for certain security provisions, even though these 
were explicitly stated in the contract. The team recommends 
that DOE enforce existing security performance measures. 
Further, the team recommends that DOE incorporate measurable CI 
objectives and performance standards into each of its 
laboratory contracts. DOE could then use the previously 
mentioned CI audits, possibly combined with the findings of the 
Office of Independent Oversight and Performance Assurance, to 
evaluate the performance of the laboratories and impose 
penalties on the contractors for unacceptable performance.
    The team understands that DOE is working on language for 
contracts that will allow DOE to assess CI performance at the 
laboratories. The initiative represents an incentive for the 
laboratories to perform, and an opportunity to put in place 
measures to remedy past poor performance by the laboratories in 
this area. The team believes that Congress should support, 
encourage, and oversee the initiative, and ensure that DOE 
rigorously enforces the CI standards that it sets out in its 
contracts.
Conclusions
    Hostile intelligence threats to DOE and the laboratories 
will most likely come from problems with trusted employees, 
cyber penetrations, and visitors or assignees. DOE has made 
good progress toward establishing effective operational 
mechanisms to cope with the problems of identifying possible 
"insider" penetrations and of laying the groundwork for the 
FBI to investigate. DOE has also set up an excellent inspection 
system to ensure the continued efficacy of these mechanisms, 
but it is not yet clear that this system is being evenly 
applied across all CI and security programs.
    DOE has not effectively laid the groundwork for acceptance 
of the polygraph program, an obviously essential part of any CI 
effort to detect and deter espionage by employees. Moreover, 
DOE has failed to establish the absolutely key, complementary 
CI pillar--an effective training and awareness program.
    No CI program can succeed unless both the operational and 
training pillars are in place and supporting each other. 
Further, it is clear from decades of behavior, that the DOE and 
laboratory culture is profoundly antithetical toward CI and 
security. Unless changed, this entrenched attitude will doom 
any attempts at long-term improvements. Effective training and 
awareness programs are the only way to change this culture.
    DOE is just beginning to determine the magnitude of CI 
issues relating to the cyber threat, which includes e-mail and 
intrusions. The cyber component of DOE CI needs strong support 
at DOE Headquarters to establish suitable, minimum CI standards 
in systems controlled by DOE's information management units and 
the laboratories.
    Processes are now in place that should ensure that CI 
concerns will be factored into the waiver approval system for 
foreign visitors and assignments, questions of security in the 
approval process, however, were beyond the scope of this study.
    In spite of progress in some areas, statements from DOE 
Headquarters, to the effect that all is now well in the CI area 
are nonsense. Problems and deficiencies caused by decades of 
nonfeasance and neglect cannot be fixed overnight. Such 
statements serve only to strengthen the position of those at 
the laboratories who would wait out the effort to improve CI 
and thus make the job all that much harder. Our yardstick for 
assessing the CI program will be their future success in 
catching spies.
                                  



NEWSLETTER
Join the GlobalSecurity.org mailing list