Nuclear security is no longer solely the frontier of armed guards and anti-aircraft cannons.
Instead, experts say, protecting nuclear assets will depend increasingly on the skills of programmers and cybersecurity experts as the world moves into the digital age.
This was the conclusion of last week’s International Conference on Computer Security in a Nuclear World, where an amalgam of computer experts, system engineers, scientists and policymakers gathered in Vienna as part of a global effort to bolster preparedness for technological threats in the nuclear era.
Hosted by the International Atomic Energy Agency, an organization dedicated to promoting nuclear safe practice and regulation, the conference drew more than 700 representatives from 92 member states and nearly 20 organizations. The largest delegation belonged to the National Nuclear Security Administration, the branch of the Department of Energy that is responsible for regulating nuclear reactors and safeguarding warheads.
“The enduring conference theme is that computer security is a necessary component in an effective and robust nuclear security regime,” said Jazi Eko Istiyanto, who orchestrated the conference. “Computer security and nuclear security must be a continual and holistic process.”
Cyber threats have increasingly come into the international spotlight in recent years, particularly as America continues to wage war in the Middle East and terrorist organizations such as the Islamic State, also known as ISIS, demonstrate technical savvy that eluded predecessors.
In 2010, Iran’s nuclear facility at Natanz was attacked by “Stuxnet,” a virus that targeted programs responsible for regulating mechanical operations. In the aftermath, the facility’s centrifuges, critical to the uranium enrichment process, saw a 30 percent decrease in efficiency.
Another incident occurred last December, when hackers penetrated the network defenses of Korea Hydro & Nuclear Power Co. and stole sensitive data. They used a simple strategy known as phishing, which involves sending volleys of spam emails containing malicious software to employees. The attackers later attempted to ransom the information, claiming that several terrorist organizations and governments had already offered to purchase it.
Although fingers have been pointed — some have asserted that the U.S. was behind the Stuxnet attack — the perpetrators have yet to be identified in either case.
In the wake of these incidents and as the threat of terrorism looms, the NNSA has taken steps to assure that the U.S. nuclear assets are not susceptible to cyber assault in the future.
“Whether it is the protection of critical infrastructure, special nuclear material or nuclear reactors, we all want to protect against cyber attacks, which could have significant impacts, not only at the point of origin but across the world,” said Wayne Jones, NNSA’s chief information officer.
Among the NNSA’s preventive measures is the International Training Course, or ITC, on the Physical Protection of Nuclear Materials and Nuclear Facilities, a joint NNSA and IAEA initiative to train the next generation of nuclear innovators. The program celebrated its 25th anniversary in May, when 43 students from 36 countries graduated from the class.
Despite its name, the ITC takes a well-rounded approach to the strategic defense of nuclear assets, including hands-on exercises, extensive classroom training, and courses that establish an expertise with technology and cybersecurity.
The importance of this sort training became evident at the opening of last week’s conference. The first demonstration consisted of a hypothetical security exercise in which a terrorist organization performs a dual cyber-physical assault and manages to bypass security, swiftly gaining access to nuclear material.
“The demonstration of a blended cyber-physical attack on the opening day of the conference provided a dramatic example of what we have to defend against,” Jones said. “In today’s technology-centric world, so much of physical security has elements in an IT system. However, to have good cyber security, we have to also be able to physically protect our cyber systems.”
Denis Flory, the head of the IAEA Department of Nuclear Safety and Security, agreed.
“When all 164 member states have finally trained their experts to the level offered by the ITC, the IAEA’s task will be greatly facilitated through the existence of a common basis for the further strengthening of nuclear security.”
Not all 164 member states have trained their experts to this extent, however. Even as the NNSA has prepared to protect U.S. assets, there is growing concern that countries like India and Pakistan are not taking sufficient measures in following suit.
According to the Nuclear Threat Initiative’s 2014 security report, which ranked the 25 countries that hold weapons-grade fissile material from most to least secure, India and Pakistan took 23rd and 22nd place, respectively.
These numbers, which indicate increased potential for breaches in security, are of major concern to other nuclear powers, who fear that terrorists might seize upon the opportunity to steal a nuclear device or the material required to construct one.
India and Pakistan possess warheads capable of wreaking havoc on an unprecedented scale. Experts predict that India’s most powerful nuclear weapons could create explosive yields of up to 500 kilotons, more than 30 times more powerful than the bomb that killed 80,000 people in Hiroshima at the end of World War II.
When asked if the NNSA planned on influencing the nations to expedite their security programs, Jones expressed a desire to foster cooperation rather than exert pressure.
“We are not involved in ‘influencing’ [other countries] as much as promoting best practices and sharing lessons learned,” he said. “Certainly, we are willing partners in assisting [India and Pakistan] in any way appropriate in their cybersecurity efforts.”
In a 2015 report, the watchdog group Bulletin of the Atomic Scientists moved the so-called Doomsday Clock, a measure of impending nuclear disaster, forward two minutes. According to the organization, we are now only three minutes to midnight.
“Global nuclear weapons modernizations and outsized nuclear weapons arsenals pose extraordinary and undeniable threats to the continued existence of humanity, and world leaders have failed to act with the speed or on the scale required to protect citizens from potential catastrophe,” the update claimed. “These failures of political leadership endanger every person on Earth.”