Security Aspects and Concerns of Sandia National Laboratory

ABSTRACT

In today’s cyber world, individuals, organizations and even entire governments are exposed to

security threats from not only internal attackers and resources but from unknown external sources. These

attackers may not even be located in the same country as their target. Threats and attacks may not even

come from a human entity at all; in fact the owner of resource performing direct activity may not even be
Security Aspects and Concerns of Sandia National Laboratory

aware it is part of the operation at all. This creates a complex environment of having to protect oneself

from various angles and to participate in elaborate methodologies of counter measures, detection schemes

and finally non-uniform legal controls.

This paper examines the Sandia National Laboratory (SNL) and its roles, constraints, and

challenges associated with many aspects of cyber security and cyber attacks. One of the aspects which

will be highlighted in this paper is policy issues related to “attribution” during and after cyber crime

attacks.

Organization Description and Mission

SNL, with two primary locations located in Albuquerque, New Mexico and Livermore,

California, has been providing science-based technologies in support of national security since 1949.

“Our highest goal is to become the laboratory that the United States turns to first for innovative, science-

based systems engineering solutions to our nation’s most challenging national security problems that

2
Security Aspects and Concerns of Sandia National Laboratory

threaten peace and freedom for our nation and the globe” (Sandia.gov, pp. (Sandia Corp., 2011)) Though

SNL supports numerous research and development projects, they focus on five key areas: Nuclear

Weapons, Energy and Infrastructure Assurance, Nonproliferation, Defense Systems and Assessments, and

Homeland Security and Defense.

SNL originally focused primarily on just ordnance by helping to turn nuclear physics developed

by Los Alamos and modify them into deployable weapons. This led to their first official role by

maintaining a safe and secure facility as the stewards of our nuclear stockpiles. Over the past decades

past, their nuclear mission grew into areas where they now support weapon and surveillance technologies,

new methods to safeguard nuclear production, evaluation of the nuclear arsenal for the safety and

reliability and how all of these technologies can better protect our nation’s defenses.

The next area that they started to grow into is nonproliferation, which serves to combat

proliferation and terrorism threats. Since the threat of nuclear and biological terrorism has increased the

need for newer techniques and technologies to find these growing threats and help to reduce the impact

and need for these weapons has become more relevant. So working with the nuclear program branch the

nonproliferation project works with the government to offer protection aspects as well as better ways of

detecting this type of terrorism.

As data accumulated in the overarching aspects of the previous programs, SNL utilized those

areas and became a leader in defense systems and assessments. These defensive systems, that they have

become known for, include synthetic aperture radars, space-based infrared sensors, and nuclear

detonation detection. Helping to protect the nation’s critical security also allowed them to not just

develop defense systems or nuclear programs but also to evolve various science and engineering

technologies. These contributions have helped to mold areas of bioscience, microsystems, and pulsed

power electronics and bettered the communities that they support.

The final piece that they contribute to the defense of the nation is in its Homeland Security.

Though this area has numerous parts, they primarily focus on the physical defense of installations and

how potential threats would perceive these defensive measures and attempt to counter attack us. This area

3
Security Aspects and Concerns of Sandia National Laboratory

of SNL is the most important, when considering cyber security and dealing with innumerable attacks

which occur annually to their infrastructure.

One of their major contributions is from the program referred to as Information Design Assurance

Red Team (IDART). Red Team operations can play a vital role in verifying security aspects of a

company’s physical and technological infrastructure. “IDART, part of the Information Systems Analysis

Center at SNL, continues to perform leading edge assessments to help its customers acquire an

independent, objective view of their weaknesses from a range of adversaries’ perspectives.” (Sandia

Corp., 2009) SNL is using a lifecycle methodology in order to generate specific advisory reports which

define aspects to thwart security measures that might be used by attackers, see Figure 1.

Figure 1- The IDART Methodology (Sandia Corp., 2009)

“Adversary models include a spectrum of outsider and insider threats characterized by both

measurable capabilities, such as knowledge, access, and resources as well as intangibles such as risk

tolerance and motivation” (Sandia Corp., 2009). SNL Red Team has played a critical role in the

development of numerous other branches of teams located within civilian, government, and military

organizations. Because of this they have been able to develop and evolve that methodology and support

4
Security Aspects and Concerns of Sandia National Laboratory

all these various teams in order to create a more collaborative environment that leads to an overall more

secure system of physical and network infrastructures.

Threats

The nature and sensitivity of the work performed at SNL makes the site a target for a myriad of

foreign and domestic threats. Among the many functions performed by SNL, none ranks higher than their

primary mission of “ensuring the U.S. nuclear arsenal is safe, secure, reliable, and can fully support our

Nation's deterrence policy” (Sandia Corp, 2011). Despite the relatively unique and highly sensitive

mission of SNL, many of the threats posed against the organization are common to most organizations.

The element of impact is what sets the organization apart from most, in that a successful security incident,

cyber attack or cyber crime against SNL by an adversary could prove catastrophic not only to the

company, but to public safety and morale. In order to properly secure the potential targets of an attack,

the organization must identify the threats posed against those targets (Rich, et. al., 2005). In terms of

physical and cyber security, there is a significant amount of information and best practices openly

available which, when coupled with regulatory guidelines and legislation, provide a framework that an

organization can use to secure an operating environment. The degree to which an environment can be

secured will vary depending on available resources and the level of importance given to security among

the organizations other priorities. Despite an organization's best intentions and adequate planning, there

are threats that will remain wildcards. The threat posed by the trusted insider, or the Insider Threat, is

essentially an unknown variable which, according to Brenner, inflicts more damage to an organization

than an external threat (as cited in UMUC, 2010, p. 3).

The importance of, and emphasis for physical security at SNL and other nuclear facilities, can be

appreciated by those with even a basic understanding of nuclear power and weapons. The physical

security needs for a nuclear facility such as SNL are based on the analysis of threat assessments and a

design for physical safeguards based on the attributes and characteristics of adversaries and other

potential threats (IAEA, 2010). Unfortunately, the intertwining realms of cyber security and cyber crime

5
Security Aspects and Concerns of Sandia National Laboratory

are still subjects whose full understanding can elude even the devout security conscious due in part to the

relative ambiguity of the threats (Shaw, Ruby, Post, 1998). The typical security strategy relies on a

defense-in-depth methodology in which layers of security safeguards, including physical, work in concert

such that a failure or compromise at one layer does not constitute a catastrophic lapse in security for the

environment (as cited in Vacca, 2009, p. 233). A defense-in-depth strategy is predicated upon an

assumption that something or someone is attempting to make their way into some physical or logical

space that they are not authorized to be in. For a majority of the cyber security threats, this assumption is

sound, and therefore the strategies for defending against those threats although not infallible, are well

documented. The insider threats, however, present additional challenges as the level of research into

vulnerable insiders is disproportionate to that of technological threats (Shaw, Ruby, Post, 1998, p.2). The

insider threats to SNL could include employee theft, violence in the workplace, and theft of intellectual

property (UMUC, 2010, p. 3), and present great potential risk to the organization. As a revenue-based

corporation, and trusted agent of the federal government, an incident of violence or theft from an internal

threat could prove catastrophic to the company through loss of trust and customers, and could create a

level of concern or panic in the general public depending on the severity of the incident.

In a society that depends on technology and cyber space for much of our functionality, the

operations of an organization like SNL must account for the same dependency. From the development

and integration of updates to classified weapons systems to the corporate office automation systems, SNL

systems are an integral part of their operations (Sandia Corp., 2011). This same dependency, however,

presents additional challenges to detecting and protecting against cyber crimes such as theft or destruction

of intellectual and otherwise sensitive data. According to SNL's own research, the nature of the insider

threat is such that they will be more discrete than an external threat as they have more to lose, and will

therefore be more wary of being caught, than an anonymous outsider (Duran, Conrad, Conrad, Duggan &

Held, 2009). Aside from a blatant act of violence by an employee that might be more easily attributable,

a crime of theft of intellectual property can elude detection and monitoring capabilities, and especially

when executed under the guise of routine business. The insider seeking to steal data from SNL is not

6
Security Aspects and Concerns of Sandia National Laboratory

likely to attempt the removal of large amounts of hardcopy documents in a single instance by carting

them out the back door. What is more likely, studies have shown, is that an insider will print small

quantities of documents during regular working hours and remove them from the facility over long

periods of time (Giani, Berk, Cybenko, 2006). With the prevalence of technology in the workplace, the

likelihood that threats of theft and other cyber crimes has increased as an insider is able to remove large

amounts of data via thumb drives or other media storage devices such as mp3 players with relative ease.

Liability and Regulation

With the efficiencies brought about by the Internet, and technology made possible through

computer software and hardware, has come risk. There are now risks of unwanted and illegal access to or

use of information. These risks have created liability issues for companies. Companies and customers

alike can view liability from the same perspective - by determining what assets of theirs are at risk due to

transmitting and receiving information via the Internet, how they are at risk, and what could happen if

they are stolen (Bidgoli, 2006).

As is known, “SNL's mission is to meet national needs in five key areas: nuclear weapons, non-

proliferation and assessments, military technologies and applications, energy and infrastructure assurance,

and homeland security. As a government contractor for the U.S. Department of Energy's National

Nuclear Security Administration, Lockheed Martin operates SNL (Sandia Corp., 1997-2011). Therefore,

Lockheed Martin company data, secrets of the industries that they have/use in their operations, internal

operating procedures, and employee names and personal information could all be considered assets from

a cybersecurity standpoint. At SNL, there is liability for private industry (government contractor as well

as sub-contractors), and a federal government Department and Agency.

In 2003, SNL was a victim of a cyber attack, which has been dubbed “Titan Rain”, in which

sensitive software programming data was stolen, allegedly from China. This information could be

potentially damaging to the U.S. as it could have pertained to nuclear weaponry in some way, which

would make SNL seriously liable for damages if any were caused due to enemy knowledge and use of the

information. As an example of such a situation, after the World Trade Center bombing, the New York

7
Security Aspects and Concerns of Sandia National Laboratory

Supreme Court upheld a court decision that found the Port Authority of New York and New Jersey liable

for the bombing. “The court’s reasoning: The Port Authority was aware of the threat and did not take

reasonable steps to mitigate it” (Heritage Foundation, 2009). Such lawsuits have now caused many

companies to be very hesitant to “research, develop, and market anti-terrorism technologies” because of

risk of liability and “potentially devastating jury verdicts” (Heritage Foundation, 2009).

Fortunately, to help the nation’s businesses continue to fight terrorism, Congress passed the “Anti-

Terrorism by Fostering Effective Technologies (SAFETY) Act”, also known as ‘Subtitle G’ of The

Homeland Security Act of 2002. The SAFETY Act is a program provided by the Department of

Homeland Security, and it gives companies legal liability protection for their “Qualified Anti-Terrorism

Technologies”, which can be either products or services (DHS, n.d.). Lockheed Martin has designed

many systems and had them certified. Two of the systems that would be applicable to SNL’s work are

the “Risk Assessment Platform (RAP)” and the “Systems Engineering and Integration Services (SEIS) for

the Fixed and Mobile Defender™ Systems”. RAP “includes hardware, software and services for

implementing a system that captures and manages information for identifying potential terrorist threats.

Its analytical processes assess the terrorist risk relating to processes, events, people, or other entities in

near real-time. The Defender™ systems are designed to detect the presence of chemical, biological,

radiological/nuclear, and explosive (CBRNE) threats and warn appropriate personnel” (DHS, n.d.).

Since SNL manages different departments and trades, it must comply with Federal and State

operational regulations with respect to cybersecurity compliance. As a government contractor, it is also

committed to contractual obligations as well.

There are also laws to help protect SNL and others against cybercrime. The Federal Computer

Fraud and Abuse Statute, 18 U.S.C. 1030, protects computers connected to the Internet from hackers

(Congressional Research Service, 2010). Penalties stipulated in 18 U.S.C. 1030 range from

“imprisonment for not more than a year for simple cyberspace trespassing to a maximum of life

imprisonment when death results from intentional computer damage” (Congressional Research Service,

2010).

8
Security Aspects and Concerns of Sandia National Laboratory

Policy and Attribution

In the continuously evolving digital era, the security of information systems (cyber security) is a

topic that is increasingly demanding the time, fiscal resources, and collaborative intelligence of nations

across the globe. Largely, malicious hackers honing their ability to exploit vulnerabilities associated with

the hardware, software, and human components of these systems can be credited for cyber security’s

enhanced notoriety. The logic behind the widespread participation in the hacking community is that this is

one of very few crimes that can be blatantly committed without the guarantee of consequences.

Attribution, which Hunker et al. (2008) define as the act or process of “determining the identity or

location of an [cyber] attacker or an attacker’s intermediary”, can be an extremely difficult and time

consuming task that often yields little result because of spoofed IP addresses and botnets. In addition to

the technical difficulty associated with cyber attribution, and the inherent evasiveness of malicious

hackers, there are also legal or policy aspects that pose further complexity. One of the more dominating

aspects is privacy. Hunker et al. (2008) note that privacy (or inherent anonymity) is not only expected by

web users, but, along with many political and social freedoms, it is protected by rights in various free

countries; making it necessary to find an acceptable balance between privacy and attribution. Certain

bodies of law already contain statutes that either directly address or can be applied to a small portion of

cyber matters. However, some of these policies can be hindering to the full capability of attribution

technologies and practices. For example, the Intelligence Reform and Terrorism Act of 2004 (IRTPA)

states the duties of the Civil Liberties Protection Officer are as follows:

“ensure that the protection of civil liberties and privacy is appropriately incorporated in the policies

and procedures developed for and implemented by the Office of the Director of National Intelligence

and the elements of the intelligence community within the National Intelligence Program” (IRTPA,

2004).

Words like “appropriately” and the lack of overall clarity in this statute make it difficult to

determine the full requirements of the policy as well as difficult to enforce. The same act goes on to state

the mission of DHS (Department of Homeland Security) as follows:

9
Security Aspects and Concerns of Sandia National Laboratory

“ensure that the civil rights and civil liberties of persons are not diminished by efforts, activities, and

programs aimed at securing the homeland.” (IRTPA, 2004)

While the protection of rights and liberties such as privacy is certainly important, the full

capabilities of attribution are hindered by the necessity of compliance.

As policies continue to develop to address the issue of cyber security, liability will also have to be

considered. For instance, will the vendors that make exploitable software or owners of zombie computers

used in an attack be free of all liability in an attack? Moreover, because attribution can involve forensic

analysis, evidence preservation can also influence the development of policies (Hunker et al, 2008).

Determining the identity or location of an attack may surface the need to tamper with evidence. Policies

will therefore need to dictate which contexts or sought end results are acceptable reasons for attribution,

as well as the extent of allowable tampering in those instances (Hunker et al, 2008).

Perhaps the most difficult aspect of all policy matters pertaining to attribution involves the lack of

international coalescence. Because cyber attacks often cross various jurisdictional boundaries, some of

which may involve warring or competing countries, the necessary cooperation to overcome differences in

policy can be very difficult to overcome. Even when attacks only involve a single nation like the U.S.,

differences between policies that govern the public and private sector can nonetheless pose difficulty in

that there will be discrepancies in obligation, roles, and incentives for cooperation (Hunker et al., 2008).

SNL, whose business solutions tie into national security and critical infrastructure, is an agency

that cannot afford to be compromised; much less compromised without being able to trace a given attack

back to the culprit(s). With nuclear weapons being part of SNL’s output, and malware as sophisticated as

Stuxnet (which was used to target an Iranian nuclear plant) heightening the level of known threats, SNL

certainly needs to be able to impose every available attribution technique and technology in the event of a

compromise. The 6th title of The Intelligence Reform and Terrorism Act of 2004 states that DHS’s

mission is to “reduce terrorist attacks within the United States” and “reduce the vulnerability of the

United States to terrorism”. SNL’s involvement in Homeland security makes it equally responsible for

prevention of terrorism. In short, compliance to policies that protect privacy and other rights is certainly

10
Security Aspects and Concerns of Sandia National Laboratory

important; but as policies are further composed and developed to address continuously evolving threats,

some thought should be given to the exceptions that will be necessary to maintain national security and

critical infrastructure.

Conclusion

In conclusion we find that SNL has a long history providing services of a sensitive and critical

nature which contributes to the security and well being for our nation. Their mission critical objectives

depend on careful and methodical processes used in the collection and analysis of data used in

formulating many key infrastructure and defense mechanisms used by our nation. The protection of the

data itself is paramount in both allowing SNL to achieve its mission and ensure the security of vital and

classified intelligence information. Threats to SNL are far reaching however, primarily concerned with

11
Security Aspects and Concerns of Sandia National Laboratory

potential exposure from inside sources. This creates a great deal of need for the organization to expend

resources and energy on qualifying staff in order to reduce threats from the inside which could remove

information and provide it to anyone outside the confines of SNL with use of physical or electronic

means. Policies are therefore necessary to create an environment which makes resources accountable for

both productivity and specific security minded processes in handling SNL’s sensitive data.

As part of SNL’s security policy they have adopted processes to perform counter intelligence

schemes and methods which will aid in ensuring data and intellectual property protection. The U.S. legal

system had some deficiencies in the past which made it extremely challenging for organizations to take

this type of approach for fear of potential liabilities resulting from terrorist attacks. In the event the

organization was found to be incompetent or unauthorized to formulate such processes, they could be held

accountable for far reaching damages after an incident. New laws and U.S. policy have now softened

those liabilities somewhat and actually encouraged organizations like SNL to promote collaborative

security measures with Government and public interests included.

Finally, attribution for cyber criminal activity becomes extremely difficult particularly when the

sources of attacks are located in far remote locations. Furthermore, insider help is a greater concern for

SNL in that masking the identity of an attacker is much more probable if physical changes can be made to

mask the identity of the source of the attack. Attribution challenges go further when it comes to arrest

and prosecution. Because international policy on cyber crime is still in its infancy many incidents must be

handled on a case-by-case basis and may not have uniform rules between countries to allow for efficient

law enforcement. Secondly, the basic legal systems of countries vary in how they deal with crimes in

general and with cyber crime being relatively new these laws are quickly evolving. The evolution is

evident and will happen as countries find it important to protect their own information and resources as

their need for electronic communications and processing grows. However, until that time when the laws

are more balanced between countries, cyber criminals will find ways to use specific weak cyber laws in

certain countries to reduce to the possibility or even thwart prosecution from attacks all together.

12
Security Aspects and Concerns of Sandia National Laboratory

Because of the current state of the security technology and subsequent legal structure it is

important for organizations like SNL to continuously monitor and improve their security policies and

process to conform to applicable Government standards. They also must work hard to drive position in

global standardization of data protection and litigation measures in order to mitigate risks associated with

exposure to very sensitive and critical information.

References

Bidgoli, H. (Ed.). (2006). Handbook of information security: Volume 2. Hoboken, NJ: John Wiley &

Sons, Inc.

Congressional Research Service. (2010). Cybercrime: An Overview of the Federal Computer Fraud and

Abuse Statute and Related Federal Criminal Laws. Retrieved from https://www-hsdl-

org.ezproxy.umuc.edu/?view&doc=136098&coll=limited

DHS. n.d. SAFETY ACT: Designations/Certifications. Retrieved from https://www.safetyact.gov/

DHS. n.d. SAFETY ACT: Approved Product List. Retrieved from https://www.safetyact.gov/

Duran, F.A., Conrad, S.H., Conrad, G.N., Duggan, D.P., Held, E.B. (2009). Insider threats: building a

system for insider security. IEEE Security & Privacy. November/December. Retrieved from:

http://people.eecs.ku.edu/~saiedian/Teaching/Sp10/711/Readings/sys-insider-security.pdf

Giani, A., Berk, V.H., Cybenko, G. V. (2006). Data Exfltration and Covert Channels. Proc. SPIE Sensors,

and Command, Control, Communications, and Intelligence (C3I) Technologies for Homeland

Security and Homeland Defense. April. Retrieved from:

http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.89.5290&rep=rep1&type=pdf

13
Security Aspects and Concerns of Sandia National Laboratory

Heritage Foundation, The. (2009). The SAFETY Act: Obama cyber plans and the private sector.

Retrieved from https://www-hsdl org.ezproxy.umuc.edu/?view&doc=111083&coll=documents:

WebMemo

Hunker, J., Hutchinson, B., Marguilies, J. (2008). Role and challenges for sufficient cyber-attack

attribution. Retrieved on June 22, 2011 from http://www.thei3p.org/docs/

publications/whitepaper-attribution.pdf

IAEA (2011). Design basis threat. Retrieved from: http://www-ns.iaea.org/security/dbt.asp?s=4

The Intelligence Reform and Terrorism Prevention Act, 50 U.S.C. §§ 403-3d

The Intelligence Reform and Terrorism Prevention Act, 6 U.S.C. § 111(b)

Rich, E., Martinez-Moyano, I. J., Conrad, S., Cappelli, D. M., Moore, A. P., Shimeall, T. J. & Wiik, J.

(2005). Simulating insider cyber-threat risks: a model-based case and a case-based model.

Proceedings at International Conference of System Dynamics Society, 2005. Retrieved from:

https://www-hsdl-org.ezproxy.umuc.edu/?view&doc=94152&coll=i3p

Sandia Corp. (1997-2011). About Sandia. Retrieved from http://www.sandia.gov/about/index.html

Sandia Corp. (2009). Figure 1: The IDART Methodology. Retrieved from

http://www.idart.sandia.gov/methodology/IDART.html

Sandia Corp. (2009). Red Team Methodology. Retrieved from

http://www.idart.sandia.gov/methodology/index.html

Sandia Corp. (2009). The Information Design Assurance Red Team (IDART). Retrieved from

http://www.idart.sandia.gov/

14
Security Aspects and Concerns of Sandia National Laboratory

Sandia Corporation (2011). Mission areas: nuclear weapons. Retrieved from:

http://www.sandia.gov/mission/nuclear/index.html

Sandia Corp. (2011). Vision: Helping our nation secure a peaceful and free world through technology.

Retrieved from http://www.sandia.gov/about/vision/

Sandia’s national security missions (n.d.). Retrieved from http://sandia.gov/

Wheeler, D.A., Larsen, G.N. (2003) Techniques for cyber attack attribution. Retrieved from

http://www.dtic.mil/cgi-bin/GetTRDoc?AD=ADA468859&

Shaw, E., Ruby, K. G., Post, J. M. (1998). The insider threat to information systems: the psychology of

the dangerous insider. Security Awareness Bulletin, No. 2-98. Retrieved from: http://www.pol-

psych.com/sab.pdf

UMUC. (2010). Module 4: human aspects. CSEC620 Online Classroom. Retrieved from:

http://tychousa11.umuc.edu/cgi-

bin/id/FlashSubmit/fs_link.pl?class=1106:CSEC620:9047&fs_project_id=346&xload&tmpl=CS

ECfixed&moduleSelected=csec620_04

Vacca, J. R. (2009). Computer and Information Security Handbook. Burlington, MA: Morgan

Kaufmann.

15