"Our goal is to make it easy and natural for employees to work securely," Chris Kemper, deputy director of Los Alamos' Computing, Communications and Networks division, told technology specialists from the public and private sectors during a conference sponsored by the National High Performance Computing & Communications Council. "We're trying to avoid the trap of having security overwhelm productivity."
Prompted in part by 1999 allegations that classified data was mishandled, Los Alamos officials have spent the past three years upgrading security at the 43-square mile site, which houses 15 nuclear facilities and employs 12,000 people.
For many of those employees, the new security measures have made life less complicated, according to Kemper. "I think productivity's actually gone up," he said. "People can do their jobs securely without worrying about as much of the details as they used to."
A new, centralized identity verification system, for example, has enabled authorized employees to enter restricted areas or access sensitive data more easily--and securely. Rather than having to memorize multiple secret codes, Los Alamos employees now only memorize one personal identification number (PIN), and punch that PIN code into their own battery-operated CryptoCard tokens that open doors by generating one-time, non-reusable passwords. If an employee's CryptoCard is stolen, it would only work if the thief also knows the employee's PIN code.
"That's really made a heck of a difference," Kemper said of the CryptoCard system.
Los Alamos officials also have made significant changes to offices that handle classified information. In response to concerns about "removable electronic media"--such as floppy disks that could be loaded with sensitive data and removed from the premises--employees working in classified environments now use "keyboard-video-mouse" technology.
"All that's in a user's office is literally a keyboard, a mouse and a monitor," Kemper said, explaining that all computer "peripherals," including hard drives, are locked in a vault that few people can access. "It's taken the pressure off their minds. At the end of the day, they don't have to verify that they've locked up their drives. They put their pencil down and go home."
Educating employees about the dangers of the Internet has been another key to reducing "insider threats," according to Kemper. He said many Los Alamos employees have used various programs to download music through the Web, not realizing that they could be weakening the laboratory's firewall or downloading "malicious code" hidden in seemingly innocuous files.
"Outsiders can transit our network in this situation," Kemper said. "You could search for Frank Sinatra music, and somebody else could search your machine."
Kemper said education campaigns have reduced the threat of "accidental insiders" over the past few years. But he acknowledged that protecting critical data from "malicious, determined" employees who would purposely compromise the lab's security is more difficult.
"Can a determined insider succeed? Probably," Kemper said. "I think that's true anywhere."