Nuclear security agency still in early stages of weapons cybersecurity, watchdog says
The National Nuclear Security Administration is just starting to identify the systems that could pose a risk to the cybersecurity of the nation’s nuclear weapons, a government watchdog said
The U.S. Government Accountability Office, in a Monday report, said it found the NNSA and its contractors are still in the early stages of inventorying the operational technology systems used in the production of nuclear weapons and the IT systems used within those weapons. The agency is also in the early stages of assessing and mitigating the risks those systems might pose, the report said.
The findings come after a September 2022 GAO report that found the agency didn’t have a cybersecurity risk management strategy for nuclear weapons IT systems. The new report focuses on the two areas where the most additional work was still needed: operational technologies and nuclear weapons IT.
Allison Bawden, a co-author of the report and a director of GAO’s Natural Resources and Environment team, said what the team behind the report found was “they’re really pretty early on in terms of identifying those system risks, so that they can develop appropriate risk mitigation strategies.”
Bawden described those two issues explored in the report as “substantially different.”
With operational technology, there could be tens of thousands of systems that need to be identified, Bawden said. Whereas in the nuclear weapons area, there isn’t a large amount of IT in existing current nuclear weapons designs and therefore is a more “manageable environment” from a system risk perspective, she said.
The Department of Energy, under which the NNSA sits, didn’t immediately respond to a request for comment on the findings.
The report found NNSA’s work on creating an inventory of operational technologies, which encompasses things like building safety systems, has “been limited in scope.” The agency has identified the systems “associated with the most critical capability at each site” and is conducting assessments, the report found.
Bawden said that process is “really going to need concerted attention going forward in order to get that inventorying process complete so that system risks are well understood and can be mitigated.”
On nuclear weapons IT, the agency had still yet to define the term as of May, the report said. The GAO said agency officials told them they will identify systems that fit that category once the term is formally defined.
While nuclear weapons IT is a more manageable risk environment right now, modern technologies could present new challenges, Bawden said.
As most of the systems are undergoing modernization, she said, “it could be feasible that additional components will be introduced into new systems designs that present cyber risks.”
