A DOE cybersecurity audit last week found very serious shortcomings in how we are managing our computers at Fermilab. Among other problems, the review team found unlocked doors leading to open computers on employees’ desks, easy access to system administrators’ accounts, passwords openly displayed and failure to respond quickly to virus alerts. Overall, we received a cybersecurity grade of “marginal.”
The world-class science at our laboratory requires world-class management of our computing resources. Moreover, we must do this within the context of the cybersecurity requirements of the federal government, including DOE, which provides those resources. As the audit showed us, addressing these findings will require a culture change at Fermilab. At a laboratory where we value creative thinking and individual points of view, we are accustomed to great personal latitude in the way we manage our computers. The realities of today’s cybersecurity environment mean that we will have to give up some of that individual latitude for the sake of the safety and efficiency of scientific operations.
I have directed Vicky White, Fermilab’s chief information officer, to take whatever steps are necessary to address the findings in this audit and to bring Fermilab cybersecurity up to the same standard of excellence we require for every other area of laboratory operations. With my full support, she will lead a campaign, “Tune IT Up,” that will involve every Fermilab employee and user in making changes to the way we manage computers. We will need to move quickly. Just like safety, cybersecurity is the responsibility of every person at the laboratory. Line managers are responsible for understanding and enforcing policies on computer security. System administrators must follow the requirements for configuration of the machines under their control. Each user is responsible for understanding and following the Fermilab Policy on Computing. Employees with higher levels of responsibility, for example, those handling privacy information, must exercise a higher level of care handling the information under their control.
The Tune IT Up campaign will not be an exercise in assigning blame for past problems but a lab-wide effort to bring management of IT and cybersecurity standards at Fermilab to the level where they should be. A dedicated Web site will track progress, provide resources, and answer your questions. As a laboratory, we have repeatedly shown that we can meet very significant challenges when we all pull together. I am confident that we will meet this one as well.