The United States strengthens nuclear weapons systems

2 months ago

The U.S. Accounts Chamber said that the IT systems of U.S. nuclear weapons could become targets of cyberattacks.

According to a new report, the National Nuclear Security Administration (NNSA) and its contractors have increased their use of advanced computers and digital systems for:

integrating information systems into nuclear weapons;
automating production equipment;
computer simulation in the development of weapons.

Therefore, NNSA needs to implement cybersecurity risk management, as these systems can become targets of cyberattacks.

The United States Accounts Office (GAO) report notes that federal law and policy define 6 methods for a cybersecurity management program:

assign cybersecurity roles and responsibilities;
develop a cybersecurity risk management strategy for the organization;
support the policies and plans of the cybersecurity program;
assess the cybersecurity risks of the entire organization;
assign controls to IT systems or programs;
constantly monitor the risks in the organization.

According to the GAO, NNSA has not fully implemented cybersecurity practices in its operational technologies and nuclear weapons IT systems. It is still in the process of creating guidelines for contractors, as the agency is still evaluating the resources needed to implement key practices and develop guidelines.

The report notes that in a traditional IT environment that includes weapons design computer systems, NNSA has fully implemented 4 out of 6 methods, while contractors have implemented only 3 methods. In particular, neither the agency nor its contractors have fully implemented a continuous monitoring strategy, which does not allow them to have a complete picture of the state of cybersecurity.

NNSA and its contractors also use subcontractors, but oversight of subcontractors' cybersecurity is inconsistent. Contractors are required to monitor the cybersecurity status of subcontractors (in accordance with the NNSA directive), but in practice, contractors have not exercised adequate control over cybersecurity. Moreover, 3 out of 7 contractors believe that they are not obliged to do this by contract. Therefore, subcontractors do not have adequate protection of confidential information.

The U.S. Accounts Office has developed 9 recommendations for the NNSA, including:

implement a strategy for continuous monitoring of cybersecurity;
determine the resources required for operational processes;
delegate roles and responsibilities for risk management;
develop a nuclear risk strategy;
strengthen supervision and monitoring of subcontractor cybersecurity.