Woudhuysen



Give them good reason to comply

First published in Computing, July 2004

To see what the world of IT security has come to, let’s consider the University of California’s Los Alamos National Laboratory in New Mexico. At that facility, where much of the Manhattan Project was based, it’s clear that today’s exaggerated fears and ridiculous oversights have as much to do with IT as the reason why plans for defending Heathrow were recently found, in hard-copy form, by a road.

G Peter Nanos, director of the laboratory, has told the 12,000 employees at Los Alamos to stop work. The lab’s security lapses, he says, have brought “significant risk” to US national security. It had cut its removable storage disks holding classified data from 90,000 in 2003 to 40,000 this year, but to no avail. Two Zip disks from its weapons physics division went missing on 7 July. Just as dodgy, the authorities responsible didn’t know what had been lost, let alone whether Al Qaeda bomb-making capabilities had been enhanced as a result.

This isn’t the first time that Los Alamos has had security problems. In 1999, when former US Energy Secretary Bill Richardson saw what the Taiwanese-American Los Alamos staffer Wen Ho Lee had downloaded and taken home, he could only exclaim, “Holy shit!” After that, Lee, who had previously worked closely with the FBI to protect US nuclear secrets, was manacled and put in cramped solitary confinement for nine months. The FBI whipped up a national frenzy of anti-Chinese hatred by singling out Lee for briefcase-based home working, rather than the dozens of other scientists doing the same. In the end, the FBI had to drop 59 counts of espionage against Lee, who got off with a judge’s apology simply by pleading guilty to the common – if largely overlooked – offence of copying classified documents without proper authorisation.

What do these incidents, old and new, tell us? Mr Nanos says he’ll go on firing “cowboys” until he gets full compliance with procedures all the time. But as any GP knows, patients don’t read what the medicine bottle says; people don’t read the IT manual; they don’t read the security rules at Los Alamos. And even if they do read, they forget.

Yet this is not a question of immutable human nature. Would scientists on the Manhattan Project have been so lax? Rightly or wrongly, at least Robert Oppenheimer and his colleagues had a sense of purpose that must have made each determined not to betray confidences.

Maybe pay and conditions at Los Alamos today encourage sloppiness. But it’s more likely that few people there know whom the nuclear war of the future is going to be fought against or, more importantly, why. In that kind of climate, injunctions to comply count for little.

IT directors, take note. If staff don’t know which way the enterprise is heading, it can hardly be a surprise if they head off themselves – with, or indeed without, that all-important data.
