CYBEREYE—Commentary

Physical security and cybersecurity go hand in hand

Los Alamos thefts show that you can’t separate physical security from cybersecurity

The National Nuclear Security Administration recently dressed down Los Alamos National Security LLC (LANS), the contractor responsible for security at the Los Alamos National Laboratory, for its apparent mishandling of computer thefts from the weapons lab.

NNSA noted that the lab “had made great strides in improving the robustness of cyber security implementation,” in a Feb. 3 memo  released by the Project on Government Oversight, a private watchdog organization. But cyber security is not a standalone effort. “For example, on January 16, 2009, three computers were stolen from a LANS employee’s residence in Santa Fe,” the memo noted. “This incident has revealed several property management, accountability, incident reporting and cyber security concerns.”

The problem was that the theft was treated as a property management issue rather than a cyber security incident. And that was just the tip of the iceberg. “LANS has reported that 13 computers have been stolen or lost in the past 12 months, and that 67 computers are currently ‘missing.’ The magnitude of exposure and risk to the laboratory is at best unclear as little data on these losses has been collected or pursued given their treatment as property management issues as well.”

In the early days of computing physical and cyber security were one and the same. Mainframe computers were locked in computer rooms and accessed by hardwired dumb terminals. But as computers became smaller, smarter and more ubiquitous, property and data were dealt with separately and there traditionally has been little reintegration of physical and cyber security. Today, data in any form can be the most valuable asset in any organization, government or private, and the proliferation of devices on which it resides means that physical security is becoming as critical to protecting it as cyber security.

True, breaches caused by hackers can generate huge losses and big headlines. The recent hacking of Heartland Payment Systems Inc. potentially exposed data from hundreds of millions of online transactions a month for an untold number of compromised persons. But don’t ignore the physical risks. One of the largest government data breaches occurred with the 2006 theft of a Veterans Affairs laptop containing records of more than 26 million persons. That incident has cost the VA $20 million in a settling a class action suit.

Of the 31 publicly disclosed data breaches listed by the Privacy Rights Clearinghouse for January, 10 involved stolen or missing laptops, PCs or storage devices. There also were incidents of theft or improper disposal or paper records, including documents found in a filing cabinet sold by the U.S. Consulate in Jerusalem. And a New Zealand man bought a used MP3 player in Oklahoma that contained, among other things, 60 files containing records on U.S. soldiers.

If an organization, be it government or private sector, wants to protect itself, it not only needs good cyber security and good physical security, it needs to integrate the two. Ideally, the systems implementing controls and doing the monitoring should communicate with each other. This could be a challenge because it often means integrating legacy systems that might not work and play well together. In the absence of integrated systems, the staff and management of the two shops need to communicate with each other. A physical breach or loss should be examined for possible information security consequences, and vice versa.

Los Alamos National Security had this reality thrust upon it by the NNSA, which directed the contractor to treat any loss of computer equipment with data storage capacity as a cyber security concern. Adopting this policy before a theft occurs could help an agency avoid another type of unwanted data leak; the kind in which embarrassing incidents show up in newspapers and on Web sites.

About the Author

William Jackson is freelance writer and the author of the CyberEye blog.

Reader Comments

Wed, Feb 18, 2009 John Franks Alexandria, VA

Most companies enjoy “security” insofar as they haven’t been targeted, or had an employee make a human error with catastrophic exposure. Price Waterhouse Cooper and Carnegie-Mellon’s CyLab have recent surveys that show the senior executive class to be, basically, clueless regarding IT risk and its tie to overall enterprise (business) risk. Data breaches and thefts are due to a lagging business culture – absent new eCulture, breaches will, and continue to, increase. As CIO, I’m constantly seeking things that work, in hopes that good ideas make their way back to me - check your local library: A book that is required reading is "I.T. WARS: Managing the Business-Technology Weave in the New Millennium." It also helps outside agencies understand your values and practices. The author, David Scott, has an interview that is a great exposure: www.businessforum.com/DScott_02.html - The book came to us as a tip from an intern who attended a course at University of Wisconsin, where the book is an MBA text. It has helped us to understand that, while various systems of security are important, no system can overcome laxity, ignorance, or deliberate intent to harm. Necessary is a sustained culture and awareness; an efficient prism through which every activity is viewed from a security perspective prior to action. In the realm of risk, unmanaged possibilities become probabilities – read the book BEFORE you suffer a bad outcome – or propagate one.

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above