With the increased importance of security in these times, how
does DOE ensure that security precautions do not adversely
impact the research performed at the national labs? A
commission charged with addressing this issue has found that in
order to enhance security and continue to perform world-class
science, DOE needs to reform many management policies. In its
report to Energy Secretary Spencer Abraham, released by the
Secretary on June 20, the Center for Strategic and International
Studies' Commission on Science and Security presents its
"overarching finding...that DOE's policies and practices risk
undermining its security and compromising its science and
technology programs."
Among its recommendations, the commission calls for a
reaffirmation that fundamental research in general ought to be
exempt from security regulations. "It is crucial to
understand," the report states, "that classified work has come
to depend on unclassified science and technology," and that
necessary security precautions must "allow open, unclassified
scientific interactions to flourish." The commission identified
five fundamental barriers to increasing security without
diminishing the quality of science at DOE labs. First, it found
that "the Department's continuing management dysfunction impairs
its ability to carry out its science and security missions."
Second, it noted that trust and collaboration "between the
science and the security and counterintelligence communities has
been badly damaged and must be repaired." Third, the commission
found that DOE has "no systemwide approach for assessing risks
to its assets" and "no effective system for risk-based security
management practices." Fourth, it found DOE's use of new
security tools and technologies "woefully inadequate," and
finally, it called for a higher priority on cyber security.
The report, "Science and Security in the 21st Century: A Report
to the Secretary of Energy on the Department of Energy
Laboratories," offers five major recommendations, each with many
components. A brief synopsis follows, with selected quotes from
the report:
RECOMMENDATION 1: CLARIFY LINES OF RESPONSIBILITY AND AUTHORITY.
For reforms to be successful, the report states that DOE must "reduce
excess layers of management and staff," clarify management and
staff responsibilities, and designate a single point of responsibility
for counterintelligence. It also recommends following the government-owned,
contractor-operated (GOCO) management model and building an integrated,
multiyear budget process.
RECOMMENDATION 2: INTEGRATE SCIENCE AND SECURITY. Laboratory
directors must have full responsibility, authority, and accountability
for science and security at their labs, while lab policies must be "performance
based" and reflect the integration of security and science. Scientists
at the labs "must be invested in carrying out their missions securely,"
and "DOE leadership must restore a climate of trust within the
Department" by clarifying the security responsibilities of line
management and making "security expectations for employees clear,
logical, and appropriate to the task." The commission's recommendations
include establishing groups of lab, field office and security personnel
to develop security policies; DOE-wide conferences to discuss problems
and best practices; and rotation of security and science professionals
among DOE headquarters and the labs.
RECOMMENDATION 3: DEVELOP AND PRACTICE RISK-BASED SECURITY.
"Risk-based security management is based on the premise that sensitive
activities are not uniformly distributed throughout an organization
and that assets representing a higher risk to national security require
greater protection," the report explains. DOE should implement
a risk-based approach to security, with each site developing individual
risk assessments and management plans that would then be incorporated
into an enterprise-wide safeguards and security plan. The Department
should seek outside guidance in protecting its assets, and its counterintelligence
program should invest in new tools, expand analytical capabilities,
and improve cooperation and information access with the scientific community
and across agency borders.
The commission suggests changes to several specific security
practices: DOE should "issue a comprehensive statement...that
authoritatively defines the zero-tolerance policy by leaving
room for reasoned judgment, within the context of maintaining
rigorous security." It should "implement a polygraph policy
comparable to that of the Department of Defense (polygraph
examinations chiefly used as an investigative tool; sparingly as
a screening tool when exceptional program security is needed.)."
Policies dealing with sensitive unclassified information should
be streamlined and simplified, and finally, DOE should "seek
reissuance of President Reagan's National Security Decision
Directive 189...to reaffirm that fundamental research is
generally exempt from security regulations and that any controls
can be imposed only through a formal process established by
those regulations."
RECOMMENDATION 4: ADOPT NEW TOOLS AND TECHNIQUES. The commission
states that "DOE must develop and invest in state-of-the-art technologies
for personnel authentication, access control to cyber systems and facilities,
and data fusion and analysis techniques," including the areas of
biometrics and public key infrastructure. "By employing new technologies,
DOE could strengthen positive identification of employees and visitors
and significantly reduce cumbersome physical and cyber access requirements."
RECOMMENDATION 5: STRENGTHEN CYBER SECURITY. The report calls
for strengthening the Chief Information Officer's responsibility for
cyber security; establishing a high-level cyber security advisory panel;
establishing procedures for measurement and oversight of cyber network
performance; and placing "a higher priority on the timely implementation
of cyber security solutions that are already developed and [doing] more
to evaluate emerging technologies being developed" outside of DOE.
The 19-member commission was chaired by former Deputy Secretary of
Defense John Hamre. Its membership included former Presidential science
advisor D. Allan Bromley, former DOD director of defense research and
engineering Anita Jones, director emeritus of the Stanford Linear Accelerator
Center Burton Richter, former CIA director William Webster, and the
first Secretary of Energy (also former Secretary of Defense and CIA
director) James Schlesinger. An executive summary of "Science and
Security in the 21st Century" is available on the CSIS web site
at http://www.csis.org; the entire
120-page report can also be ordered from this site.
In a press release, DOE reports that it has "begun to implement
39 of the 45 Commission recommendations, including
recommendations involving integration of safeguards and security
management across the Department, better coordination of science
and counterintelligence programs and activities, and continued
implementation of a new Departmental integrated, multi-year
budget process."