A call for a bit of sanity (Score 4, Informative)
I will grant that cybersecurity problems at national labs should be taken seriously. But there are at least 10,000 people doing at least part of their research at national labs, much of it inherently internet-based and hardly any of it has military applications. It is unreasonable to expect that no computers at a national lab will ever get hacked. Any computer that is connected to a network has a non-zero probability of getting hacked.
I am doing my doctoral research at a national lab (Brookhaven) and have been in far too many meetings where we had to figure out how to work with security measures implemented in response to stories like this, which tend to paper over important details. The story says nothing about what information was actually acquired through the attack, for instance. And it neglected to mention that the "drug dealer" didn't actually have the USB stick with classified information, but rather lived with a person who worked at LANL and had illegally brought it home. He didn't even know he had anything classified. (As usual, *people* are the weakest point in security, not computers.) As someone already commented, this is a Department of Energy lab, not a "military" lab. Much, if not most, of the research at LANL is not classified. Just because someone at LANL got hacked does not mean classified information got hacked, nor does it mean that the computers that got hacked were remotely related to anything with the word "nuclear" in the subject.
Among the measures which were proposed to remedy Brookhaven's "problems" with cybersecurity was banning all non-US citizens from logging in to any computer outside of BNL. There is a collider at BNL which has, overall, cost about $1B to build and run. This rule would have essentially stopped this collider from running, costing the government about $1B, along with ending a promising scientific program. There were other proposed rules requiring us to password-protect every computer - which is very dangerous if that computer controls an apparatus that operates at high voltage, so someone who forgets or doesn't know the password can't turn it off. The slew of cyber-security updates imposed on BNL by DOE in response to the hysteria over cyber security caused me personally to lose two weeks of productivity because it was so hard to get into the computer clusters I needed to use for my research. There were about 1000 scientists affected by the same thing - we easily lost 20 person-years of labor, if not more. Even if you assume that everyone earned a grad student salary, that's $500,000. Overall, I have been in meetings which consumed about 40 hours of roughly 20 PhD scientists' time trying to figure out how to work around these rules. None of this includes the lost time because all of our computer experts were working on security instead of supporting the research goal of the lab.
And what is at risk at Brookhaven? Data on relativistic heavy ion collisions. I personally think that if someone were really interested enough in our data to try to steal it, it would be a major development for the field. Oh man, and if they analyzed it - find those lambda baryons! - it would really decrease the work load in our collaboration. Please, take our data and analyze it for us! There's essentially no risk of permanent data loss because of multiple backups on various types of media in different geographical locations - you'd have to take out everything at once. The biggest real risk is that we would get hacked and turned into a porn server. Embarrassing, yes. Catastrophic? No. It happens to servers all the time. And indeed, the one time I'm aware of BNL getting hacked, at least while I've been there, all they did was sneak links to porn sites into an obscure webpage, not host porn on any BNL computers. (Which none of the stories mentioned... They all said BNL was hosting porn.)
So what am I saying?
1. Simply because of the size and number of national labs, it is unreasonable to expect that national labs will never get hacked.
2. The response needs to be proportional to the risk. If the rules are too strict, this costs money, with no benefit.