An embarrassing loss of computer disks containing classified nuclear information at the Los Alamos National Laboratory highlights the need for companies and other organisations to have solid procedures in place to enforce all of their technology security policies, according to several security analysts.
The New Mexico-based laboratory this week announced that the US Department of Energy and the US Federal Bureau of Investigation have launched a joint inquiry into the disappearance of the two hard drives. Their loss was reported to the Department of Energy on June 1, several weeks after officials at Los Alamos first discovered that the drives were missing from one of the laboratory's most secure vaults.
The computer disks reportedly contained information on how to disarm Russian and American nuclear devices. Los Alamos workers realised they were unaccounted for after entering the secure storage area to move some of the disks kept there to an even safer location to protect them from wildfires that were raging in the area last month.
"This is an extremely serious matter, and we are taking swift actions to deal with it," said John Browne, the director of the Los Alamos laboratory, in a statement that accompanies the announcement of the inquiry into the missing disks.
Government and laboratory officials are conducting searches of computers, safes and storage containers in an effort to find the missing disks, and all workers who potentially could be involved in their disappearance are being asked to do a full accounting of materials, according to the laboratory.
The University of California, which manages the laboratory for the Energy Department, has launched a separate review of laboratory security management and practices, said university president Richard C. Atkinson in a separate statement, which is also posted on the Los Alamos website.
Ed Curran, director of the Energy Department's office of counterintelligence, said there currently "is no evidence that suggests espionage is involved in this incident".
Organisations such as Los Alamos usually have very tight policies regulating access to sensitive information, said Winn Schwartau, a security author and founder of the security consultancy Interpact in Florida. But the disappearance of the disks shows the importance of having formal enforcement procedures backing up the policies, he added.
"You can make all the security policies you want, but unless you have procedures in place to mandate those policies and to make sure they are being complied with, something will go wrong," Schwartau said. "And this applies to everyone that has proprietary information, whether they are government or corporations."
"Many times, companies have security policies which they tend to ignore," agreed Ira Winkler, an analyst at Internet Security Advisors Group in Maryland. For example, even when a company has tough access regulations for particular sites, it's not unusual for unauthorised visitors to get into sensitive areas "because people feel enforcing an access policy would hurt the other person", Winkler said.
"Sometimes, no matter what policies you have in place, security ultimately comes down to trust and human nature," said Eric Hemmendinger, an analyst at Aberdeen Group in Boston.