Physical security and cybersecurity go hand in hand
Los Alamos thefts show that you can’t separate physical security from cybersecurity
The National Nuclear Security Administration recently dressed down Los Alamos National Security LLC (LANS), the contractor responsible for security at the Los Alamos National Laboratory, for its apparent mishandling of computer thefts from the weapons lab.
NNSA noted that the lab “had made great strides in improving the robustness of cyber security implementation,” in a Feb. 3 memo released by the Project on Government Oversight, a private watchdog organization. But cyber security is not a standalone effort. “For example, on January 16, 2009, three computers were stolen from a LANS employee’s residence in Santa Fe,” the memo noted. “This incident has revealed several property management, accountability, incident reporting and cyber security concerns.”
The problem was that the theft was treated as a property management issue rather than a cyber security incident. And that was just the tip of the iceberg. “LANS has reported that 13 computers have been stolen or lost in the past 12 months, and that 67 computers are currently ‘missing.’ The magnitude of exposure and risk to the laboratory is at best unclear as little data on these losses has been collected or pursued given their treatment as property management issues as well.”
In the early days of computing physical and cyber security were one and the same. Mainframe computers were locked in computer rooms and accessed by hardwired dumb terminals. But as computers became smaller, smarter and more ubiquitous, property and data were dealt with separately and there traditionally has been little reintegration of physical and cyber security. Today, data in any form can be the most valuable asset in any organization, government or private, and the proliferation of devices on which it resides means that physical security is becoming as critical to protecting it as cyber security.
True, breaches caused by hackers can generate huge losses and big headlines. The recent hacking of Heartland Payment Systems Inc. potentially exposed data from hundreds of millions of online transactions a month for an untold number of compromised persons. But don’t ignore the physical risks. One of the largest government data breaches occurred with the 2006 theft of a Veterans Affairs laptop containing records of more than 26 million persons. That incident has cost the VA $20 million in a settling a class action suit.
Of the 31 publicly disclosed data breaches listed by the Privacy Rights Clearinghouse for January, 10 involved stolen or missing laptops, PCs or storage devices. There also were incidents of theft or improper disposal or paper records, including documents found in a filing cabinet sold by the U.S. Consulate in Jerusalem. And a New Zealand man bought a used MP3 player in Oklahoma that contained, among other things, 60 files containing records on U.S. soldiers.
If an organization, be it government or private sector, wants to protect itself, it not only needs good cyber security and good physical security, it needs to integrate the two. Ideally, the systems implementing controls and doing the monitoring should communicate with each other. This could be a challenge because it often means integrating legacy systems that might not work and play well together. In the absence of integrated systems, the staff and management of the two shops need to communicate with each other. A physical breach or loss should be examined for possible information security consequences, and vice versa.
Los Alamos National Security had this reality thrust upon it by the NNSA, which directed the contractor to treat any loss of computer equipment with data storage capacity as a cyber security concern. Adopting this policy before a theft occurs could help an agency avoid another type of unwanted data leak; the kind in which embarrassing incidents show up in newspapers and on Web sites.