FBI uses computer forensics in case against Lee

By Shruti Dat'GCN StaffFBI agents say they used computer forensics to discover irrefutable evidence that Wen Ho Lee transferred 806M of classified information from a secure Los Alamos National Laboratory computer to an unsecured workstation.To support a Justice Department indictment that charges the former Energy Department physicist with 59 felony counts of mishandling classified information, the FBI said it also found evidence showing that Lee in 1993, 1994 and 1997 downloaded the data to 15 computer tapes.Nine of the IBM format 6150 115M tapes, which allegedly hold the blueprints for nuclear design capability, are missing, government officials testified last month at a detention hearing in Albuquerque, N.M.Lee, who sits in prison after having been denied bail, has pleaded not guilty to all charges. And though the Lee case has been at the center of a broader espionage investigation at Energy's labs, the U.S. Attorney for Albuquerque did not file any espionage charges against Lee.Some of Lee's fellow researchers contend that he is being singled out because the broader espionage investigation focuses on Chinese efforts to obtain U.S. nuclear secrets, and Lee is a U.S. citizen born in Taiwan.In the indictment, Justice attorneys allege that the transfer of classified files out of the X Division, which does top-secret thermonuclear weapons R&D at Los Alamos, first occurred in 1993. Lee began working for the division, also known as the Applied Physics Division, in 1981 as a code writer, specializing in shock wave mechanics, FBI special agent Robert Messemer testified at the hearing.Messemer is a foreign counterintelligence investigator. He was assigned to the case in April, a month after Energy fired Lee and raised the possibility that he had mishandled classified files.Messemer said Lee was able to access the classified data and move it around because he had Q clearance. Specifically, this level of security clearance gave him access to data defined as restricted in Title 42 of the Atomic Energy Act of 1954.Lab personnel with Q clearance can work in any of the four partitioned sections of the Los Alamos computing environment. These sections are known by color-coded names that relate to the nature of the data housed in each partition: open green, administrative blue, national-security yellow and secure red.At the lab, the act of moving files from a lower level to a higher level is called up-partitioning; the reverse practice is known as down-partitioning.The indictment charges that Lee down-partitioned classified files from the secure red environment to his personal directory on the lab's open green network.Mark Holscher, Lee's lead counsel, said at the hearing that Lee might have transferred the files in 'an attempt by a scientist to not have to open and close a safe every morning and night.' He also added that Lee had to use three passwords to secure the information.'It really does not matter how many levels you have if the system is open to the public,' testified Stephen Younger, Los Alamos' associate director for nuclear weapons. 'There is never, never a reason to down-partition a nuclear weapon source code to an unclassified partition.'Using File Transfer Protocol, Lee also sent the files, then marked as unclassified, to a Sun Microsystems Sparcstation 20 in the T-15 Division at Los Alamos, Messemer said.The two divisions have quite different physical security: The X Division is a high-security facility, fenced and protected by guards; some T-15 offices, including the one housing the workstation to which Lee allegedly sent the classified files, reside in a trailer on the Los Alamos campus. Employees working in the trailer had keys, but the doors were often left open 24 hours a day, Messemer testified.The Los Alamos employee who worked at the Sun workstation told the FBI that he was asked by Lee to teach him to download data on one of the lab's Cray supercomputers from the open green partition to a tape, Messemer said. Lee told the employee he was preparing a resume, Messemer added.The employee provided 'his unique log-on name, as well as his password on a piece of paper and left it for Dr. Lee's convenience,' Messemer testified. Messemer said Lee made the data transfers in the evenings and on weekends.FBI computer forensics information established that Lee downloaded 19 files during 1993 and 1994, Messemer said.The information consisted of four sets of code, which included primary and secondary code used to design weapons for the U.S. nuclear arsenal, Younger said.In 1997, Lee changed his pattern of down-partitioning data and downloaded information directly from his own workstation in the X Division offices, Messemer testified.On Dec. 23, 1998, the lab transferred Lee from the X Division to the unclassified T Division after discovering he had been down-partitioning classified materials, Younger said. The security breaches led to the surveillance and investigation of Lee's activities, Messemer said, and then ultimately to his firing.FBI agents in April found six computer tapes in Lee's T Division office. The notebook and the computer audit trail helped the FBI conclude that seven of the missing tapes contain nuclear source code and the remaining two contain data files needed for running the source code, Messemer testified.