The National Nuclear Security Administration’s cybersecurity program is stable, improving, and has not faced any major incidents in recent years, the agency’s chief information officer told NS&D Monitor this week.
The cyber program is “very strong,” both at the agency’s headquarters in Washington, D.C., and at each of its sites around the country, Wayne Jones, NNSA CIO and associate administrator for information management, said in a telephone interview Wednesday.
“We have been lucky not to have any major incidents over the past couple years here at NNSA,” Jones said, attributing that in large part to the training the agency requires its personnel to receive. This includes “annual training across the board with all of our employees,” Jones said, as well as boosting awareness of malicious attacks among personnel at NNSA facilities.
Jones will speak about cybersecurity challenges next Thursday during the ExchangeMonitor Publications and Forums’ annual Nuclear Deterrence Summit in Washington, D.C.
The threat to government data is a long-recognized concern spanning all federal agencies, highlighted by the Obama administration’s acknowledgement in 2015 that hackers had obtained Social Security numbers and other personnel information for over 21 million people. The Government Accountability Office reported in May 2016 that cyberattacks on federal agencies rose by more than 1,300 percent from fiscal 2006 to fiscal 2015, from 5,503 to 77,183.
The NNSA’s data can be considered particularly sensitive, given the agency’s mandate to sustain the U.S. nuclear deterrent.
The agency initiated its cybersecurity program in 2001 when it became a semiautonomous entity within DOE. The program, a component of the department’s broader cybersecurity offering, consists of a policy and procedures component and a cyber operations component; the latter encompasses the NNSA’s Information Assurance Response Center (IARC), located in Las Vegas.
The IARC, a security and network operations center, monitors all activity passing through the nuclear enterprise’s computer firewall, including monitoring some DOE locations where NNSA functions take place. The center has roughly 70 employees – 68 from a support services contractor, and two federal personnel – who work alongside each individual agency facility to protect complex-wide information assets.
The agency’s various management and operations contractors are required to have a cyber program at each site – in particular the three nuclear weapons labs: Los Alamos, Sandia, and Lawrence Livermore. Each of those labs hosts a security operations center that works with the central IARC, Jones said.
In the event of an incident at an NNSA site, facility management would be required to file a report with the IARC, which would then notify agency headquarters. Personnel at the site would then likely resolve the incident on their own, provided that the system breach was local. If, however, the incident is spread across the complex, the NNSA would deploy an incident response team composed of IARC and site personnel to isolate and resolve the threat and then report it back to headquarters.
NNSA headquarters would subsequently report back to the larger DOE Joint Cybersecurity Coordination Center, the main reporting element for the entirety of the department that feeds relevant information to senior leadership and other entities such as the Department of Homeland Security. “If there are changes we need to make to the [cybersecurity] program for this incident or similar types of incidents, then we go through the process of documenting that in our policy discussions, and then we put it out into operations,” Jones said.
Sandia spokesman Jim Danneskiold said by email Friday that the laboratory has over 400 experts in cybersecurity as well as other fields whose research is used in the development of cybersecurity solutions. “Sandia successfully responds to incidents that are commonly found in the general computing realm as well as very sophisticated attacks, and sees a significant number of suspicious activities daily,” he said.
Looking ahead, Jones said the NNSA’s greatest vulnerability may lie in areas it will explore in the future, such as cloud computing, or internet-hosted networks providing access to resources such as data storage. Government agencies are now looking into the cloud, he said: “We have to have a better understanding of how the cloud environment is going to help us do our mission better, as well as what threats that also will lay on the table.” For NNSA, this will include the use of and authority over private clouds for sensitive work.
The CIO also noted the NNSA has improved its cybersecurity program in recent years. “One of the biggest improvements that we’ve made in the program over the last couple years is the actual vendor community has gotten a lot better in delivering software applications to help us defend the networks,” he said.
As an example, the NNSA has rolled out to the entire nuclear enterprise the Splunk application, a tool that analyzes machine data across networks and servers to detect and respond to attacks. This software package has helped the DOE analyze threats, Jones said, and the NNSA has expanded its implementation of the software over the last few years.
“We have done a lot of work to get this program to where it is today. It’s pretty stable,” Jones said. “However, as you know, with many of the upcoming advances in technology, we are going to be doing some improvements in the program.”
Even so, he added, “the people in this organization work very hard to ensure that we are protecting the nation’s information, because it is some of the most sensitive information out there.”