Note: the following is an excerpt from a July 26, 2001 response sent by an official at the Kurchatov Institute regarding the U.S. Energy Department's reaction to CDI President Bruce Blair's Op-Ed in the July 11, 2001 issue of the Washington Post. Excerpts from the DOE Denial/Rebuttal appear in italics.
Thursday, July 26, 2001
Subject: DOE Denial/Rebuttal
[Kurchatov staff now are] conducting information security certification of our modified KI-MACS system which is based on MS Windows NT 4.0, SQL Server 6.5 and 7.0, and which must be made operational with classified material accounting data as soon as we can. [The] urgency of putting this system into operation cannot be overestimated. 'Thanks' to Microsoft software flaws, we lost about 1.5 years in conducting the initial physical inventory for KI RRC and our partners from RF Navy, Murmansk Shipping Company with their nuclear ice-breakers and Mining-Chemical Combine at Zheleznogors (former Krasnoyarsk-26) with their plutonium production, where our KI-MACS system was installed and put into trial operation during the fall of 1999.
My comments on the DOE Denial/Rebuttal follow:
DOE:
Subject: Nuclear materials accounting software
Importance: High
Bruce Blair's Op-Ed in the July 11, 2001 Washington Post contains several fundamental inaccuracies.
The "internal U.S. system for keeping track of all bomb-grade nuclear materials" does not have any "critical deficiencies." The accounting system used at the Kurchatov Institute in Moscow is not the same system that is used in DOE facilities, so there is no "analogous risk" of accounting error as Mr. Blair stated.
It is true that KI has developed an NM accounting system of its own design, which is known as the KI-MACS system. However, the operating environment for both KI-MACS and LANMAS-based DOE systems is the same: Microsoft Windows NT 4.0, and Microsoft SQL Server 6.5 or 7.0. The software flaw of Microsoft origin is incorporated into the operating environment (not into the application software of KI-MACS or LANMAS-based systems), and relates to a very specific feature of the SQL Server Database Management System (DBMS) - retrieval of records from the Database that satisfy certain search criteria and have to be somehow ordered in the resulting set. In spite of all possible differences in the designs of the KI-MACS and LANMAS-based systems, both (as well as all other systems using any DBMS) must retrieve records from the Database in order to perform some evaluations and actions - material balance, transfer, containerization, change of isotopic composition, and so on. If the number of retrieved records is less than [what] exists in the Database, as SQL Server randomly does, the results are always incorrect. If retrieved records must be modified in order to reflect some accounting actions, these modifications will not be performed for the records the SQL Server did not retrieve due to its software flaw.
[Summary]: DOE 'optimism' is not justified and "analogous risk" is to be carefully evaluated, taking into consideration the quantity of 'SELECT' with 'ORDER BY' Transact SQL statements in the LANMAS-based DOE accounting systems and expected frequency of their use under real operating conditions.
DOE: Los Alamos National Laboratory performed some initial research and development work for a nuclear material accountability system to be used at U.S. facilities, however, that development effort for domestic purposes was transferred to the Savannah River Site in 1996.
It is true. However, KI RRC cooperates in this area with LANL and has no contacts with the Savannah River Site.
DOE: LANL leveraged its initial development work to build a nuclear material accountability application system software for the MPC&A program in Russia.
The software designed by Kurchatov Institute to be used with that application system software was not intended for any United States nuclear material accounting systems application and is not in use at any United States facility.
U.S. nuclear material accountability systems are rigorously tested and have demonstrated capability for tracking all accountable nuclear materials.
See my comment above. In addition, … the problem is not the application software. The problem relates to the operating environment formed by Microsoft software products.
DOE: On a periodic basis, physical inventories of nuclear materials are performed to provide assurance that no nuclear material has been diverted and that the accountability system accurately reflects the quantity, form, and location of nuclear material holdings.
In accordance with DOE regulations, "Guide to the Evaluation of Selected Materials Control and Accountability (MC&A) Detection Elements," (issued by the Office of Safeguards and Security, Office of Security Affairs, Office of Non-Proliferation and National Security, U.S. Department of Energy, May 1994) which (as stated in the Introduction) "is intended to assist in the implementation of performance requirements stated in Figure I-4 of DOE Order 5633.3A, 'Control and Accountability of Nuclear Materials' (2-12-93)," the following is stated in Chapter 5, "Accounting Record Systems" (page 5-3):
"The goal, as applied to performance testing of accounting record systems, is to ensure that the following two conditions are met: The performance requirement is that the system shall accurately reflect identity and location for at least 99 percent of the items in a given MBA (Figure I-4 of the order). Items for which the record system fails to meet this requirement are referred to as 'defective'.
A sufficient number of items shall be tested to assure that on an annual basis the above performance requirement is met with 95 percent confidence for Category I and II items (paragraph I.4.c. of the Order)." The quote above means that DOE has no requirements to any computer-based accounting system to provide 100 percent assurance that accounting data once entered into computer-based Database are to be there for sure and for the life-span of any item to be accounted for.
Russian regulations related to operation of the current, very obsolete manual book-keeping system that we are going to supplement and, over time, [replace] by the computer-based systems, require 100 percent assurance that accounting records accurately reflect the identity and general location of all items in a given facility.
It means that the current U.S. DOE regulations are not addressing the Microsoft software flaws, [as] a frequency of those has been evaluated as 0.001 per run of 'SELECT' with 'ORDER BY' statements.
[Summary:] The DOE statement referred above about 'physical inventories of nuclear materials ... to provide assurance' does not contain any answer on real status of data in the accounting Databases used by the U.S. DOE facilities.
DOE: The Department is confident that no files related to the accounting of nuclear materials have disappeared.
Such confidence may be justified by either the results of a careful analysis of the impact of Microsoft software flaw on currently operating computer-based accounting systems [costing in the range of $1 billion], or a misunderstanding of the events, or ... .
DOE: U.S. nuclear material accountability systems are compliant with stringent Department of Energy Cyber Security requirements that ensure appropriate protection against unauthorized access and disclosure.
'Internal' threats are the most difficult type of threats for nuclear material safety and security. The Microsoft software flaw we have detected in the security mechanism of SQL Server 7.0 creates a real and very serious threat to be taken into consideration in evaluation of a real level of information protection.
DOE: Russian issues - The Material Protection, Control, and Accounting (MPC&A) Program provided Kurchatov Institute and other Russian Institutes a simplified version of an accounting program that the Russian entities could adapt for individual site-specific applications.
The above-mentioned simplified version of accounting program was demonstrated in Kurchatov Institute. We are very thankful for familiarization with the said software product. However, a level of complexity of accounting procedures in Kurchatov and specific features of nuclear materials to be accounted for by Kurchatov are such that there are no opportunities to implement such a simplified system. The same is valid for many other Russian nuclear facilities.
DOE: The Kurchatov Institute Material Accounting System (KIMACS) accounting software was created primarily with Russian resources at Kurchatov Institute. The Kurchatov Institute announced last year that the KIMACS has been made fully operational, so there are no risks of data loss.
The above-mentioned announcement was published in a report presented to the INMM annual meeting in mid-July 2000, and was based on preliminary evaluation of the MS SQL Server 7.0. However, by July 26, 2000, after the INMM meeting, Kurchatov Institute specialists did detect fatal errors in the MS SQL Server 7.0 data security mechanism. Up to now, the modified KI-MACS is not yet certified to deal with confidential data. I hope that the information security certification of KI-MACS will be completed very soon. But, currently, KI-MACS is not operational. Therefore there is no risk of data loss.
DOE: Los Alamos has verified that the nuclear material accounting systems that use the Microsoft SQL server application software in the United States are not vulnerable to this error.
This is positive news. I had not heard about it before.
DOE: Once initially alerted to the problem, Los Alamos National Laboratory Technical Staff duplicated the problem found at Kurchatov and recommended to the Russians that they upgrade to a more recent version, which did not exhibit the same problem.
Kurchatov did manage to detect the same and even worse problems in MS SQL Server 7.0, which was recommended by Microsoft as error-free and upgraded.
DOE: LANL subsequently worked with Microsoft to show that a specific but rarely used sequence of commands were incompatible in both Russian and U.S. versions of the SQL Server 6.5 application software. Based on LANL's work, Microsoft subsequently acknowledged the error in an official error notice, SRX000403600845. According to Rumyantsev, his team developed software solutions to both the Version 6.5 and the Version 7.0 application software problems, and as of November 2000 the current version, KIMACS 5.0, is "completely recovered and may operate on both SQL Server 6.5 and 7.0 without any specific adjustments or tuning."
The KI-MACS system has been fully protected against known SQL Server 6.5 and 7.0 software flaws and at the moment is waiting for completion of the information security certification. Cooperation with LANL did permit us to understand the problems and develop ways to overcome them. LANL helped the Kurchatov Institute (KI) to evaluate a source of the problems. As a result of cooperative efforts and mutual trust, both KI and LANL learned a lot.
DOE: To our knowledge based on frequent interaction through the MPC&A program with colleagues at the Kurchatov Institute, there has been no nuclear information lost or any diversion of nuclear material due to the flaw identified by them. The error has not been reported at any other Russian sites where software is in normal operation.
Kurchatov was lucky to suspend operation of the KI site-wide KI-MACS system in time (Feb. 17, 2000). Manual verification of the Database did detect a number of 'damaged' accounting records - records with incorrect logical links which became 'invisible' to the application software. No diversion of materials occurred due to the said software problems. However, in the course of a simulation of 10-year operations of a KI-MACS-based accounting system for the Russian Navy, a conclusion was made that a number of reactor core loads with highly enriched uranium would be 'lost' (become non-accessible) due to MS SQL Server software flaws. Information about the detected Microsoft SQL Server software flaws was made available to LANL and all Russian nuclear enterprises concerned. It helped to prevent [negative] consequences.
DOE: The Department fully agrees with Mr. Blair's evaluation that nuclear cooperation is a two-way street, is paying off and deserves continuing support, but not for the reason he gives in the Op-Ed.
DOE is absolutely right in the first part of the statement above.
DOE Q&A
The following is a set of Q&A's put together by the Department of Energy to respond to the Blair Op-Ed. DOE's response to the questions is in Italics, followed by the response by the Kurchatov official.
1. Is Bruce Blair's Op-Ed in The Washington Post correct?
Not entirely. There was a flaw identified, but the situation has been rectified through close collaboration between DOE, LANL, the Kurchatov Institute and Microsoft.
Nobody is entirely correct.
The article implies that the U.S. Department of Energy accounting systems provided to Kurchatov Institute may have resulted in the loss of nuclear material information or - indirectly - the loss of nuclear material. This is not the case in Russia nor in the DOE complex.
It is not the case in Russia because there is no fully operational computer-based accounting system yet. The U.S. case is a probable subject for careful investigation (see evaluations above).
The Material Protection, Control, and Accounting (MPC&A) Program provided the Kurchatov Institute and other Russian institutes a simplified version of an accounting program that the Russian entities could adapt for individual site-specific applications based on the type and amount of nuclear material to be tracked and the specific information about the material to be entered into the database. An error was found to occur in the Microsoft SQL Server application software when utilized with the Kurchatov Institute designed software, which Microsoft has acknowledged with an official error notice. This error only occurs when utilizing the specific Kurchatov Institute-designed software.
The KI-MACS system is a relatively complex, all-purpose accounting system. Its relative complexity helped to detect the SQL Server software flaw. Nobody, except Kurchatov, was able to detect it before. However, all application software dealing with Databases must perform 'SELECT' statements, and some of those are to be accompanied by 'ORDER BY' statements. Therefore all application software dealing with MS SQL Server is vulnerable to the detected flaws.
The software designed by Kurchatov Institute was not intended for any United States application and is not in use at any United States facility. To our knowledge, there has been no Russian nuclear information lost or any diversion of Russian nuclear material due to the flaw identified by Kurchatov Institute. The error has not been reported to occur at any Russian site where the software is in normal operation.
It is true thanks to the timely detection of SQL Server software flaws.
2. Has any Russian information on nuclear material been lost?
To our knowledge based on frequent interaction through the MPC&A program with colleagues at the Kurchatov Institute, there has been no nuclear information lost or any diversion of nuclear material due to the flaw identified by them. The error has not been reported at any Russian site where software is in normal operation.
See my comments above.
3. Did the U.S. MPC&A Program provide faulty software?
The DOE Program did not provide Kurchatov Institute with faulty software. The Material Protection, Control, and Accounting (MPC&A) Program provided Kurchatov Institute and other Russian Institutes a simplified version of an accounting program that the Russian entities could adapt for individual site-specific applications based on the type and amount of nuclear material to be tracked and the specific information about the material to be entered into the database. The error occurs only when the Kurchatov version of the software was asked to handle extremely large volumes of material. This problem did not occur with other versions of the software.
See my comments above.
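The safeguard a practitioner would want against the failure mode the letter describes (an ordered SELECT silently returning fewer records than the table holds, after which any material balance or update built on that result set is wrong), as an added example that is not part of the letter, of KI-MACS or of LANMAS: an independent COUNT(*) reconciliation before a result set is acted on. The inventory table, the item and MBA values and the drop_rate fault injection are constructed assumptions, and SQLite stands in for the SQL Server versions named in the text.

```python
import random
import sqlite3

# Constructed sample inventory (item id, material balance area, grams U-235); not real data.
SAMPLE_ITEMS = [
    ("KI-0001", "MBA-1", 120.0),
    ("KI-0002", "MBA-1", 95.5),
    ("KI-0003", "MBA-1", 210.25),
    ("KI-0004", "MBA-2", 48.0),
    ("KI-0005", "MBA-2", 300.0),
]


def open_inventory():
    """In-memory stand-in for the accounting database (constructed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE item (item_id TEXT PRIMARY KEY, mba TEXT, grams_u235 REAL)")
    conn.executemany("INSERT INTO item VALUES (?, ?, ?)", SAMPLE_ITEMS)
    return conn


def select_ordered(conn, mba, drop_rate=0.0, rng=None):
    """The kind of SELECT ... ORDER BY the letter discusses. drop_rate > 0 simulates
    the described flaw (records missing from the ordered result set); SQLite itself
    does not drop rows, so the omission is injected here on purpose."""
    rows = conn.execute(
        "SELECT item_id, grams_u235 FROM item WHERE mba = ? ORDER BY item_id", (mba,)
    ).fetchall()
    if drop_rate:
        rng = rng or random.Random()
        rows = [r for r in rows if rng.random() >= drop_rate]
    return rows


def retrieval_complete(conn, mba, rows):
    """Independent cardinality check: COUNT(*) needs no ORDER BY, so it gives a
    reference the ordered result set must match before anything is computed."""
    expected = conn.execute("SELECT COUNT(*) FROM item WHERE mba = ?", (mba,)).fetchone()[0]
    return len(rows) == expected


def audit_mba(mba, drop_rate=0.0, seed=0):
    """Return (complete, balance). balance is None when the check fails, so a caller
    never books a material balance computed from a short result set."""
    conn = open_inventory()
    rows = select_ordered(conn, mba, drop_rate, random.Random(seed))
    if not retrieval_complete(conn, mba, rows):
        return False, None
    return True, sum(grams for _, grams in rows)
```

A drop_rate of 1.0 forces every record to be omitted, which is the quickest way to see the check refuse to produce a balance.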