The stupidest internal NIH memo ever – or why I can’t wait for the new administration

One of the great things about science is that it is open, international, and celebrates the free exchange of ideas. However, during the last 8 years we’ve seen some odd things at the National Institutes of Health – the premier governmental scientific institution in the world. The paranoia of the current administration has filtered down and contaminated day to day operations of what is essentially an academic health sciences campus.

For example, for some bizarre reason they decided to erect a 10 foot high iron fence around the entire campus:
i-52526dcc20f19ca4bf1fcda1370592de-NIH fence.jpg
And at the entrances every car is searched, every day. And why? What makes the NIH campus different from any other medical campus in the country? We all work with the same radioactive isotopes, etc. They have a higher level infectious disease research lab which if you were really worried about could be fenced in rather than fencing in the entire 300 acre campus. What is the reason for this excess of security?

I happen to think there is no good reason and that the NIH security is run by paranoid idiots. The best evidence I have of this is a recent memo I’ve obtained that was sent to Health and Human Services employees about foreign visitors from the Deputy Secretary. Here is the relevant section:

i-7946a972cb4ab6b390962193dc8cb05c-NIH memo.jpg

Really? Now if an NIH investigator wants to bring a foreign speaker in to give a talk, not only can they not plug in their thumbdrives in the lecture hall computer to upload their powerpoint for fear of espionage, but they have to be followed into the bathroom too? Could you imagine? You invite some bigwig foreign scientist – like say any of this year’s Nobel Laureates in medicine – and when they have to make a pit stop you’d be forced to follow them in the bathroom for fear they’ll steal our lucky charms.

I hope in the next administration the first thing they do is tear down that stupid fence and treat the NIH like any other academic medical campus, and find whoever wrote this stupid memo and fire them. This type of paranoid security obsessiveness is uneccessary and counterproductive to the free exchange of ideas science needs in order to be open, international and collaborative.


  1. And at the entrances every car is searched, every day.

    Going in or going out?

  2. Going in. Employees, visitors etc., all have to go through these search stations and you walk through metal detectors. It’s stupid.

  3. Quite. I used to work for a VA. We were searched every day as well. Particularly stupid given that essentially any employee could find far more dangerous equipment inside the building than outside it. Now if they’d searched us as we left to make sure we weren’t stealing the radioisotopes to build a dirty bomb or stealing scalpels to mug people on the street, that might have had some point*. But what were any of us going to bring into the building that was more dangerous than what was already there?

    *Quite apart from the question of why they were fools enough to hire people that they didn’t trust to handle radioactives, deadly biological and chemical substances, and sharp objects.

  4. I suspect that the roots of the problem actually go back a long time (but are no less a product of short sighted stupidity). I think the current problem relates to a more concerted effort by the Chinese government to do spying on the US, and a convenient way to do that is to deposit a resident bot that periodically phones home and sends useful information back to China.

    This is a problem because the folks at the NSA and the CIA didn’t want good encryption and good security in the hardware and software that US computer makers produced, or in the internet, so the “standards” are all crappy and can be circumvented.

    If all the hardware and software that was produced in the US was designed to be secure and was secure by default, then none of this would be a problem. But when computer security is considered a “weapon” and its use is restricted, the proliferation of unsecure networks is the obvious and predictable consequence.

  5. minimalist

    Security at the NIH would also cease to be a joke if they didn’t make laughably obvious security warnings a day or two in advance of Presidential visits.

    Sure, they think they’re being all circumspect when they make coy references to shutting down roads for some previously-unannounced “special event”, but everyone here knows it means “huge fleet of black Suburbans bringing the Preznit in to peer through some microscopes for a photo op.”

  6. I, for one, fear our Canadian Overlords…?

  7. It’s not worth the money to tear the fence down. But the clowns should definitely be removed.

  8. Daedalus, I would disagree on one main point though. I don’t agree that HHS – NIH/CDC/FDA etc., needs extensive computer security in the first place or that needs this kind of blanket security from those dastardly foreigners. These places don’t deal with national secrets or classified information – it’s not like access to a lecture podium or a typical NIH scientists computer will get you behind some imaginary governmental firewall that would give you access to state secrets. These guys are ordinary civilian scientists doing lab work and clinical research.

    We’re talking about a academic/medical campus that’s not really different from UVA or UCLA or any other medical facility. Just because it’s government doesn’t mean it needs such paranoid security policy against foreign visitors.

  9. That is utterly whackaloon.
    That said, I want to steal NIH’s lucky charms.

  10. Another gem brought to you by the current Administration and one bowed to by an NIH Acting Director

  11. As always, follow the money. First, see who got the contract to build the fence. Want to take bets on whether they are contributors to some congressperson? Second, the bigger money picture is the enormous amount of money wasted by the government on departments that garner big budgets that then must be justified. Why do you think firetrucks and a hazmat team show up and evacuate the high school when someone breaks a thermometer? To justify the staff and budget, and get even more staff and budget next year.

  12. There are probably 2 reasons for the “need” for security at NIH that I can think of. First to keep all the bioweapons research secret (which NIH should never be working on in the first place). Second to hide all purely political “science policies” such as that abortions cause cancer, BPA is a vitamin, and arsenic is a nutrient and that the anthrax vaccine is safe and effective.

    I think the fence is part of the plan to move bioweapons research onto the NIH campus. It is too “obvious” to do it at military installations, so they want to do it at the NIH.

  13. The solution to the media-embargo is so freakin’ simple, it would take a multimillion-dollar federal study to find it. Simply configure some lecture halls off-line. After use, the computers can be wiped-clean and re-loaded as needed; and they cannot infect other cpus in the meantime. (Of course, the cpus need to be off-limits to media that belong to NIH.)

    Aside from that, I visited Sandoz a long time ago. They were really serious about examining credentials at the entrance. I wondered about that since it was a research facility that did not stock large amounts of controlled substances. They told me they were concerned about P.E.T.A (and I don’t mean People Eating Tasty Animals).

  14. As Ronald Reagan so aptly put it. “Mr President, tear down this wall!”

    If you are looking for rational thought and/or logic from the federal government….just look at the financial mess.

    They could move the fence to the Mexican Border…looks better than most of the fence put up there. I like the points

  15. Why hasn’t anyone suggested impaling the security whackaloons on their own damn fence?

    Just asking …

  16. I’m fine with your rant about the bathroom escorts, and I’d even be fine if you went on about the byzantine process of procuring a NIH badge. But whining about a simple black fence is silly. You do realize that the NIH has a biosafety level 3 building on campus involved in anthrax research. Up until recently, every building within in the campus was swipe card access only, and that was a huge pain. Now with a secured perimeter, most buildings are open to anyone at any time.

  17. I think I’ll actually try to defend the fence. While I’d have probably opposed it while it was going up, there are some advantages. First to clear up one error. Every car is not searched. Only the cars of visitors are searched. If you have an active NIH ID, you just need to show your picture, scan the ID, and go right through. The new, visitors’ center makes this happen rather quickly.

    In general, I think the fence was built more to protect against an Oklahoma City type attack or other violence rather than theft of objects. This is true for all new federal government construction and many older places are retrofitted (the pace probably increased after 9/11).

    That said, from the theft security standpoint, let’s say there are 10 buildings on the site where they’d want to see the IDs of everyone before entering. You can set up the background check stations at every entrance to those buildings or at a single entrance point that usually takes less than 5 minutes for a pedestrian to get through. The single, secure entrance point is both hard to evade and makes life more open once you are on the campus. As a side effect, petty crime (equipment theft, bike theft, muggings, …) is almost non-existent on site. This not true for most of the more open campuses where I’ve worked.

    From the standpoint of people working on the campus (employees and visitors), there are almost no negatives to the fence. The only one is that, visitors always need to go to a single entrance. It’s annoying for locals who used to cut through the campus when walking and it probably cuts down some things like pickup sports games.

    That all said, the NIH (and the rest of the federal government) have probably gone overboard on some security issues. For example, there was serious talk of requiring all non-US citizens who work at NIH to have a special marking on their badges. This was rejected after significant pushback.
    As for computer security, much of it is an over-response to:
    When an unencrypted laptop with medical data including a congressman’s was stolen (note it was stolen offsite).
    Out of curiosity, can you give more details on the source of the memo you presented. Was it clear that it was about the NIH site and not other HHS buildings?

  18. Ah, I didn’t realize the NIH employees were exempt, my error.

    However, other university campuses have high BSL on campus and the answer is to secure the labs that need security rather than the entire campus. I guess I’m more sensitive to it because I remember growing up in Bethesda and being able to drive on campus, visit labs etc., and it didn’t feel like a military base. It’s more of an emotional reaction to the new hostile appearance of the campus when to me it was once an open and friendly academic center.

    The memo applied to all HHS facilities.

  19. It looks to me like the NIH is working very hard to meet the intent of the Export Administration Regulations (EAR), if not also the International Traffic in Arms Regulations (ITAR) which consider sharing of certain technical information, commodities, etc to be an “export” to the foreign national’s home country. To oversimplify — these are called deemed exports, and a license from the government is often required prior to the foreign national’s visit unless strict government-approved security measures are put in place first. Just a hunch that this is what all the security hoopla is about…

  20. Actually, NIHers do not *routinely* have to be searched when entering campus, but when the ‘threat level’ gets to mauve or whatever, *everyone* (every car) is searched. NIHers *can* be searched at any point, as well, they’re just mostly waved through when the threat level is only lavender or below. Check your petty theft stats with the campus police, you may be (unpleasantly) suprised…I would be surprised if there were a statistically significant decrease post fence. I was a bench scientist at an NIH off-campus site for 6 years, helped my boss move to campus and resigned. Those cavity searches are a *pain*.

  21. I have experienced the security at the NIH. One interesting thing is that right across the street at USU and the VA hospital you can basically drive right on the campus as long as you have an appointment.

    I think the problem with the NIH is it is a very visible US government site and as such is beleived to be a target for terrorist action. The searches are looking for two things, bombs and if any person is on a government “bad boy” list. The security is overwhelmingly biased toward preventing attacks on the NIH and not preventing people from stealing things. The rules against electronic devices are due to the possibility of electronic attack.

    The NIH does need to be protected due to its status as an important goverment site, but they are going a bit overboard.

  22. Actually, NIHers do not *routinely* have to be searched when entering campus, but when the ‘threat level’ gets to mauve or whatever, *everyone* (every car) is searched. NIHers *can* be searched at any point, as well, they’re just mostly waved through when the threat level is only lavender or below.

    Well that explains it. I had heard NIH employees complaining about being searched so I thought it was standard, but instead it’s just an intermittent inconvenience.

    I’ve also heard other NIH employees voice your beef that they’re making it so unpleasant to work on campus that it’s just not worth it.

  23. I really can’t imagine anyone leaving NIH because the fence makes an unpleasant work environment. The computer security is another issue. They are clamping things down to a ridiculous level. For example, they are slowly changing all government owned computers so that the end-users can’t have root access. This will make installing anything on laptops insanely complex. The other area of unpleasantness are the ethics/outside work rules. While these rules are important, they make it extremely hard to do any moonlighting relating to your professional work. Considering how many non-NIH academics do some form of consulting or simply have other universities pay to fly you out for a talk, this can get annoying.

  24. Nomen Nescio

    For example, they are slowly changing all government owned computers so that the end-users can’t have root access.

    excellent idea. try securing a large network without decreeing something similar, and see how hard it is to keep malware and spyware off the disks. the time you’ll spend just running around cleaning up nuisance infections is likely greater than the time and effort lost because of locking down root access.

    This will make installing anything on laptops insanely complex.

    no, it’ll make installing anything that needs root access insanely complex. the fact that the simplest, silliest, most pointless little MS Windows app seems to require — or think itself to require — such access, is part of the problem.

    and laptops need such controls more than desktops do — somebody with a legacy administrator password installs some downloaded software on their desktop, at least you know it’s passed through your firewall and virus checker first. a laptop? gods only know where the package Joe Random User just installed on his came from. if it turns out to be a botnet zombie, might be a week or more before the laptop gets back onto your network where your IDS can spot its phoning home and let you know you need to clean it off that disk.

  25. How are naturalised citizens dealt with? Is there some suspicion they harbour loyalties to the old country or does swearing an oath at the INS transform you a trustworthy American citizen?

  26. Nomen Nescio

    Sean, we get to be trustworthy American citizens in most things, but i’m honestly not sure how well we pass security clearance background checks.

  27. Every NIH employee now goes through a low level security clearance and that includes non-US citizens and naturalized citizens so, yes, they can pass them.

    Noomen Nescio, As for computer security, I understand the benefits of centralizing root passwords, but the plan is that not even local sys-admins will have them. They will be completely centralized. From what I understand, this will effect not only laptops, but research workstations where people regularly install analysis packages that require some level of root access and stimulus presentation/data collection systems where it’s not always possible to get enough timing control of a system without root access.

    I’m still suspicious of the original memo of this post. I’ve seen it nowhere except this page and it is unsourced. If it’s real, department-wide policy, you’d think it would be presented somewhere besides a few random emails.

  28. Nomen Nescio

    I understand the benefits of centralizing root passwords, but the plan is that not even local sys-admins will have them

    i’d bet that won’t last very long after implementation. locking down the root of any machine works well so long as that machine’s user has an administrator they can walk over and talk to, face to face; if it’s any much more troublesome than that to get things fixed, folks will start to either work around the security or complain until the policy is changed.

  29. On the issue of computer security, consider this: many people at NIH deal with private information, including grant information. Government tends to apply rules as a blanket rather than try to apply them where they really are needed, but you’d sure be pissed if your unpublished data from your RO1 renewal leaked out because someone ignored the rules.

    It annoys the heck out of me too, but that’s life at the NIH. Got to accept the good with the bad…

Leave a Reply

Your email address will not be published. Required fields are marked *