Identifier
Created
Classification
Origin
03THEHAGUE2734
2003-10-31 06:23:00
UNCLASSIFIED
Embassy The Hague
Cable title:
CHEMICAL WEAPONS CONVENTION (CWC): FIRST MEETING
how-toThis record is a partial extract of the original cable. The full text of the original cable is not available.
UNCLAS THE HAGUE 002734
SIPDIS
STATE FOR AC/CB, NP/CBM, VC/CCB, L/ACV, IO/S
SECDEF FOR OSD/ISP
JOINT STAFF FOR DD PMA-A FOR WTC
COMMERCE FOR BIS (GOLDMAN)
NSC FOR CHUPA
WINPAC FOR LIEPMAN
E.O. 12958: N/A
TAGS: PARM PREL CWC
SUBJECT: CHEMICAL WEAPONS CONVENTION (CWC): FIRST MEETING
OF THE FOURTH SECURITY AUDIT TEAM
UNCLAS THE HAGUE 002734
SIPDIS
STATE FOR AC/CB, NP/CBM, VC/CCB, L/ACV, IO/S
SECDEF FOR OSD/ISP
JOINT STAFF FOR DD PMA-A FOR WTC
COMMERCE FOR BIS (GOLDMAN)
NSC FOR CHUPA
WINPAC FOR LIEPMAN
E.O. 12958: N/A
TAGS: PARM PREL CWC
SUBJECT: CHEMICAL WEAPONS CONVENTION (CWC): FIRST MEETING
OF THE FOURTH SECURITY AUDIT TEAM
1. This is CWC-114-03.
2. The OPCW Technical Secretariat (TS) convened a 16-17
October 2003 meeting of the fourth Security Audit Team
(SAT-IV) in The Hague, The Netherlands. SAT-IV is comprised
of representatives from Japan, France, The Netherlands, and
the U.S. Yonosuke Harada of Japan, who chaired SAT-III,
agreed to chair SAT-IV. The meeting was called at short
notice, ostensibly to finalize an audit charter, mandate, and
timetable. The team remains concerned that the TS may have
called the meeting in order to satisfy an Executive Council
requirement that it do so before the 20-24 October 2003
Conference of State Parties. The team was disappointed by
the TS' reluctance to discuss the mechanics of the upcoming
audit and was concerned about the TS claim that it will not
have the resources to support a security audit before October
2004.
3. OPCW Director General (DG) Rogelio Pfirter personally
welcomed the SAT-IV team on 17 October 2003, and agreed in
theory that the TS needs a baseline review of its Information
Technology (IT) infrastructure and operating environment.
The DG asked the team not to overwhelm his staff, and his
comments may have inadvertently postponed further
SAT-IV-related activities until fall 2004. The TS and SAT-IV
began work on a draft charter, mandate, and mutually agreed
timetable for future security audit activities. The team
will continue its joint drafting effort with the TS via
e-mail in the hope that once agreed, the team can schedule a
follow-on face-to-face meeting with TS personnel later this
calendar year. (Comment: As of 28 October 2003, the SAT-IV
had completed work on its drafts.)
4. The French and Japanese auditors both noted that TS
attitudes regarding IT security and auditing remain somewhat
cavalier and worrisome. In particular, the team was told by
Robert Simpson, Office of Confidentiality and Security (OCS),
that its current emphasis had shifted from IT to physical
security concerns. Comments by Jan Engles (Information
Security Systems),Robert Simpson (OCS),and Gregory Linden
(Information Support Branch) provided more questions than
answers regarding TS plans for deployment of its verification
database, electronic data exchange, and handling of
confidential data.
SIPDIS
5. OCS staff indicated that the TS' classified computer
network, known as the secure critical network (SCN),had been
certified to process confidential data by an earlier audit
team. SAT-IV viewed this as a misperception: the SCN has
never been formally evaluated for this specific role; what
had been certified was the electronic document management
system. Previous security audit teams have been unable to
evaluate the efficacy of the TS IT security lock-downs
because they have not been allowed to inspect the TS'
protocol for securing the declaration data submitted by State
Parties or the derivative data generated by the TS from the
declarations. The audit team also remains concerned that the
TS is proposing to transfer declarations scrubbed of
SIPDIS
sensitive material from the SCN to States Parties using
electronic data written on CD-ROMs.
6. Finally, an earlier audit team recommended that the TS
consolidate its stand-alone databases onto the SCN until the
TS was ready to implement its full relational database.
SIPDIS
According to the TS, the interim system is based on Microsoft
Access, which has a number of security deficiencies. Recent
audit teams have not been able to assess the level of
security used, although the audit team asked that the TS
provide it with database logs upon completion of the
migration.
7. SAT-IV assesses that a number of IT issues require a
candid and open dialogue and has sought to establish a
collegial working relationship with the TS. The team is
concerned that the continued TS reluctance to share
information with the team may be indicative of a more
systemic problem within the staff levels at the TS.
SOBEL
SIPDIS
STATE FOR AC/CB, NP/CBM, VC/CCB, L/ACV, IO/S
SECDEF FOR OSD/ISP
JOINT STAFF FOR DD PMA-A FOR WTC
COMMERCE FOR BIS (GOLDMAN)
NSC FOR CHUPA
WINPAC FOR LIEPMAN
E.O. 12958: N/A
TAGS: PARM PREL CWC
SUBJECT: CHEMICAL WEAPONS CONVENTION (CWC): FIRST MEETING
OF THE FOURTH SECURITY AUDIT TEAM
1. This is CWC-114-03.
2. The OPCW Technical Secretariat (TS) convened a 16-17
October 2003 meeting of the fourth Security Audit Team
(SAT-IV) in The Hague, The Netherlands. SAT-IV is comprised
of representatives from Japan, France, The Netherlands, and
the U.S. Yonosuke Harada of Japan, who chaired SAT-III,
agreed to chair SAT-IV. The meeting was called at short
notice, ostensibly to finalize an audit charter, mandate, and
timetable. The team remains concerned that the TS may have
called the meeting in order to satisfy an Executive Council
requirement that it do so before the 20-24 October 2003
Conference of State Parties. The team was disappointed by
the TS' reluctance to discuss the mechanics of the upcoming
audit and was concerned about the TS claim that it will not
have the resources to support a security audit before October
2004.
3. OPCW Director General (DG) Rogelio Pfirter personally
welcomed the SAT-IV team on 17 October 2003, and agreed in
theory that the TS needs a baseline review of its Information
Technology (IT) infrastructure and operating environment.
The DG asked the team not to overwhelm his staff, and his
comments may have inadvertently postponed further
SAT-IV-related activities until fall 2004. The TS and SAT-IV
began work on a draft charter, mandate, and mutually agreed
timetable for future security audit activities. The team
will continue its joint drafting effort with the TS via
e-mail in the hope that once agreed, the team can schedule a
follow-on face-to-face meeting with TS personnel later this
calendar year. (Comment: As of 28 October 2003, the SAT-IV
had completed work on its drafts.)
4. The French and Japanese auditors both noted that TS
attitudes regarding IT security and auditing remain somewhat
cavalier and worrisome. In particular, the team was told by
Robert Simpson, Office of Confidentiality and Security (OCS),
that its current emphasis had shifted from IT to physical
security concerns. Comments by Jan Engles (Information
Security Systems),Robert Simpson (OCS),and Gregory Linden
(Information Support Branch) provided more questions than
answers regarding TS plans for deployment of its verification
database, electronic data exchange, and handling of
confidential data.
SIPDIS
5. OCS staff indicated that the TS' classified computer
network, known as the secure critical network (SCN),had been
certified to process confidential data by an earlier audit
team. SAT-IV viewed this as a misperception: the SCN has
never been formally evaluated for this specific role; what
had been certified was the electronic document management
system. Previous security audit teams have been unable to
evaluate the efficacy of the TS IT security lock-downs
because they have not been allowed to inspect the TS'
protocol for securing the declaration data submitted by State
Parties or the derivative data generated by the TS from the
declarations. The audit team also remains concerned that the
TS is proposing to transfer declarations scrubbed of
SIPDIS
sensitive material from the SCN to States Parties using
electronic data written on CD-ROMs.
6. Finally, an earlier audit team recommended that the TS
consolidate its stand-alone databases onto the SCN until the
TS was ready to implement its full relational database.
SIPDIS
According to the TS, the interim system is based on Microsoft
Access, which has a number of security deficiencies. Recent
audit teams have not been able to assess the level of
security used, although the audit team asked that the TS
provide it with database logs upon completion of the
migration.
7. SAT-IV assesses that a number of IT issues require a
candid and open dialogue and has sought to establish a
collegial working relationship with the TS. The team is
concerned that the continued TS reluctance to share
information with the team may be indicative of a more
systemic problem within the staff levels at the TS.
SOBEL