An unsecured nuclear weapons arsenal is the sort of thing that is likely to keep Americans up at night. Now, a new government report is raising the alarm.
The Government Accountability Office has issued a report, “Nuclear Weapons Cybersecurity: NNSA Should Fully Implement Foundational Cybersecurity Risk Management Practices,” that says the National Nuclear Security Administration (NNSA) has not implemented all of the recommended measures.
“The National Nuclear Security Administration (NNSA) is increasingly relying on advanced computers and integrating digital systems into weapons and manufacturing equipment. But, these systems could be hacked,” the report said. “Federal laws and policies suggest 6 key practices to set up a cybersecurity management program, such as assigning risk management responsibilities. However, NNSA and its contractors haven't fully implemented these practices.”
The six “foundational cybersecurity risk practices” are the following: “Identify and assign cybersecurity roles and responsibilities for risk management,” “Establish and maintain a cybersecurity risk management strategy for the organization,” “Document and maintain policies and plans for the cybersecurity program,” “Assess and update organization-wide cybersecurity risks,” “Designate controls that are available for information systems or programs to inherit,” and “Develop and maintain a strategy to monitor risks continuously across the organization.”
“Both NNSA and its contractors had not fully implemented a continuous monitoring strategy because their strategy documents were missing key recommended elements,” the report said. “Without such elements, NNSA and its contractors lack a full understanding of their cybersecurity posture and are limited in their ability to effectively respond to emerging cyber threats.”
There’s one strategy, per the report, that has not been fully implemented.
“NNSA has not developed a cyber risk management strategy to address nuclear weapons IT-specific threats. The absence of such a strategy likely constrains NNSA's awareness of and responses to such threats,” GAO said.
“An NNSA official proposed adding an evaluation of such oversight to its annual contractor performance evaluation process, but NNSA could not provide evidence that it had done so. These oversight gaps, at both the contractor and NNSA level, leave NNSA with little assurance that sensitive information held by subcontractors is effectively protected,” the report concluded.
The NNSA has since responded to the GAO report.
According to Defense Daily, the NNSA is reviewing the report and plans to “issue a final supplemental directive, titled Baseline Cybersecurity Program, by April 30.”
The NNSA’s business operations networks were affected by the 2020 SolarWinds hack.
“At this point, the investigation has found that the malware has been isolated to business networks only, and has not impacted the mission essential national security functions of the Department, including the National Nuclear Security Administration (NNSA),” the Department of Energy said at the time.
Stephen Silver, a technology writer for The National Interest, is a journalist, essayist and film critic who is also a contributor to The Philadelphia Inquirer, Philly Voice, Philadelphia Weekly, the Jewish Telegraphic Agency, Living Life Fearless, Backstage magazine, Broad Street Review and Splice Today. The co-founder of the Philadelphia Film Critics Circle, Stephen lives in suburban Philadelphia with his wife and two sons. Follow him on Twitter at @StephenSilver.