Title: Nuclear Weapons Cybersecurity

Description: Nuclear weapons, along with other military weapon systems,
are increasingly relying on software and other information technology to
operate. But this increased reliance may make nuclear weapons and the
systems they rely on more vulnerable to cyberattacks. We learn more from
GAO's Allison Bawden, an expert on nuclear security. 

Related GAO Work: GAO-23-106309, Nuclear Weapons Cybersecurity: Status
of NNSA's Inventory and Risk Assessment Efforts for Certain Systems

Released: June 2023

[Allison Bawden:] NNSA's just at the beginning stages of identifying the
full range of systems at risk and assessing those risks well enough to
effectively mitigate them.

[Music]

[Holly Hobbs:] Hi, and welcome to GAO's Watchdog Report. Your source for
fact based nonpartisan news and information from the U.S. Government
Accountability Office. I'm your host, Holly Hobbs. Military weapons
systems, including nuclear weapons, are increasingly relying on software
and other information technology to operate. But this increased reliance
may make nuclear weapons and the systems they rely on more vulnerable to
cyberattacks. We'll learn more about these vulnerabilities and efforts
to protect nuclear weapons from GAO's Allison Bawden, an expert on
nuclear security. Thanks for joining us.

[Allison Bawden:] Thanks so much for having me, Holly.

[Holly Hobbs:] Allison, a cyberattack on a nuclear weapon sounds pretty
scary. What's the risk here? 

[Allison Bawden:] Really anyone with a reason could seek to attack the
cyber systems associated with the support for these weapons or the cyber
systems that are in the weapons themselves. This could include nation
state competitors or non-state actors, as well as insiders who become
compromised. And cyber threats also can include non-malicious human
accidents and errors. So, it's really essential that the National
Nuclear Security Administration (NNSA) be ready to address those
threats. Our work didn't attempt to estimate the likelihood of a
cyberattack of this type, but the consequences of such an attack could
be so significant to our national security or to public safety that in
practice, for kind of planning purposes, it's safest to treat the
likelihood of such an event as if it's 100%. 

[Holly Hobbs:] So, for our report, we looked at kind of two categories
or points of vulnerability with nuclear weapons--the operational
technology used to manufacture and monitor nuclear weapons, and then the
IT within the weapons themselves. Could you take us through those
vulnerabilities?

[Allison Bawden:] Sure. So as you said, operational technology, or we
often call it O.T., generally refers to the machines that contain IT
that are used to manufacture those weapon systems, as well as things
like industrial control systems for the buildings and facilities where
weapons components are produced and weapons are assembled. So O.T. can
represent sort of an indirect way for a cyber adversary to compromise
the nuclear stockpile or create havoc in the production processes by
interrupting production or raising questions about the integrity of
components. The United States government has really started paying
attention in recent years to O.T. issues, especially after the Colonial
Pipeline cyberattack about two years ago, which shut down vast portions
of the U.S. gasoline supply. But getting back to NNSA, developing
effective cybersecurity starts with visibility. And that means
understanding what you potentially have at risk. Unfortunately, what we
found is that while NNSA is working to understand all of the O.T.
systems it has, it does not yet have a full inventory of these systems. 

[Holly Hobbs:] And what about that second area of vulnerability--the
systems inside nuclear weapons or that interacts with them?

[Allison Bawden:] In reality, there is not a lot of IT in our current
weapons systems because their designs are fairly old. But there are
certain components that do need to be protected along with equipment and
systems containing IT that come into contact with weapons for diagnostic
or maintenance purposes. NNSA has started the process of inventorying
those systems, but hasn't yet completed that inventorying process
either, especially with respect to documenting specific risks. In
addition, most of the nuclear weapons in the stockpile are currently
undergoing modernization, and those modernization programs may require
the use of digital interfaces in order to meet the nuclear weapons with
their delivery systems that are designed and manufactured through the
Department of Defense, such as new missiles or aircraft. And these types
of modernized weapons may contain more digital components in the future,
creating new cyber risks. So NNSA is working to develop risk management
frameworks for these modernization programs, but that work is not yet
complete. 

[Holly Hobbs:] So, NNSA is aware of the challenges there. What actions
has it taken to better protect nuclear weapons?

[Allison Bawden:] Well, in the O.T. environment, NNSA has just begun its
process of identifying the systems to assess their risks and develop
mitigation plans. It's developing guidance to help with this
identification and assessment process. But completing this process is
going to take significant investment. And as we reported  it last
September, NNSA has not yet developed a resource case for this
investment. In the nuclear weapons IT environment, NNSA has taken steps
to assess risks to existing systems, but is really not yet finished
documenting those risks. And it's only just begun developing the needed
framework to apply to modernization programs that are currently ongoing.

{MUSIC}

[Holly Hobbs:] So, Allison just told us that while cyberattacks pose a
significant threat to nuclear weapons, the National Nuclear Security
Administration has only just begun taking steps to identify risks and
mitigation plans. So, Allison, what more do we think NNSA should be
doing to protect nuclear weapons?

[Allison Bawden:] Well, there are a few things that NNSA should be
doing. First, NNSA needs a more thorough inventory of the systems that
are vulnerable to cyber risks so that it can develop specific plans to
mitigate the risks that it identifies. In addition, NNSA needs to
complete its update to cybersecurity risk management requirements. This
update has been ongoing for many years now, but NNSA has not yet issued
those updated requirements, which makes it difficult to ensure risks are
being managed consistently and effectively. And finally, NNSA needs to
ensure it is effectively overseeing contractors in meeting their
cybersecurity requirements.

[Holly Hobbs:] And last question, what's the bottom line of this report?

[Allison Bawden:] The bottom line is that while NNSA recognizes these
cyber risks exist, it's just in the beginning stages of identifying the
full range of systems at risk, and assessing those risks well enough to
effectively mitigate them. Concerted attention and sufficient resources
are needed to get this foundational cybersecurity work completed.

[Holly Hobbs:] That was Allison Bawden talking about GAO's new report on
nuclear weapons cybersecurity. Thanks for your time.

[Allison Bawden:] Thank you so much.

[Holly Hobbs:] And thank you for listening to the Watchdog report. To
hear more podcasts, subscribe to us on Apple Podcasts, Spotify, or
wherever you listen and make sure to leave a rating and review to let
others know about the work we're doing. For more from the congressional
watchdog, the US Government Accountability Office, visit us at GAO.gov.