Unmonitored networks put US nuclear arsenal at risk, GAO finds

A Government Accountability Office report found that the Energy Department cannot effectively monitor potential insider threats to U.S. nuclear security because department staff “have not identified the total number of DOE’s stand-alone classified networks.”

The Energy Department needs to take additional steps to prevent insider threats to the nation’s nuclear arsenal — including working to identify the total number of classified networks across the department to fully monitor users’ activity — according to a recent report from the Government Accountability Office.

GAO’s report — released on May 24 — reviewed the effectiveness of Energy’s Insider Threat Program, one of the department’s risk mitigation initiatives that is designed “to further protect against insider threats from employees, contractors and trusted visitors.” The study was requested in a House report accompanying the fiscal year 2022 National Defense Authorization Act. 

Despite the program being established in 2014, GAO said that multiple independent assessments conducted in the intervening years found that Energy “has not implemented seven required measures for its Insider Threat Program, even after independent reviewers made nearly 50 findings and recommendations to help DOE fully implement its program.” 

Four of these “unmet minimum standards” were previously identified in a March 2022 memo sent from the Office of the Director of National Intelligence to the Energy Secretary, while the remaining three “were found to be unmet through DOE’s Office of Enterprise Assessments’ review of DOE’s Insider Threat Program in 2021.”

GAO identified continuing concerns — first conveyed by ODNI — about Energy’s efforts related to “monitoring user activity on all classified networks.” The report noted that “minimum standards require that insider threat programs include the technical capability to monitor user activity on all classified networks,” but that the department’s Insider Threat Analysis and Referral Center “has not met full user activity monitoring coverage requirements on all classified networks.” 

While GAO said the department “has processes for addressing concerns on unmonitored classified networks should an event be detected by other means,” it noted that Energy officials “have not identified the total number of DOE’s stand-alone classified networks, which leaves them unaware of the extent to which the Insider Threat Program falls short of minimum standards for user activity monitoring.” 

The watchdog also highlighted Energy’s continued failure since 2017 to produce an annual progress report on its various threat mitigation programs, a report that is meant to document “annual accomplishments, resources allocated, insider threat risks to the agency, recommendations and goals for program improvement and major impediments or challenges.”

Energy officials told GAO that an annual report had not been completed since last decade “because the program decided to wait until independent assessments of the Insider Threat Program were completed,” and because “program staff did not have access to classified materials while working remotely during the COVID-19 pandemic, which contributed to some of the delay in annual reporting.”

In its last annual report, Energy “reported experiencing about 250 unclassified insider threat-related security incidents in 2017,” with the department considering “about 100 of those incidents to be serious.” Most of these incidents “were unintentional,” according to the watchdog, and included “sending classified information over unclassified systems, leaving security areas unattended and not properly protecting classified information.”

Other unmet standards GAO identified in Energy’s Insider Threat Program included inconsistent insider threat awareness training for employees, the department’s inability to validate the completion of training “for all cleared employees and contractors,” the lack of “a formalized independent assessment element” for oversight compliance reviews and no established procedures for personnel accessing sensitive or protected data. 

The report also cited a failure to ensure staff associated with the program “were fully trained on legal issues, response actions, handling of data and records, civil liberties, privacy and investigative referral requirements.”

The watchdog faulted Energy for dividing “significant responsibilities” of the program between two offices, noting that “the program’s senior official resides within the security office, while operational control for insider threat incident analysis and response resides within the Office of Counterintelligence — a part of the organization with its own line of reporting to the Secretary of Energy.”

In addition to not fully integrating the program within one office, GAO said Energy “has not identified and assessed the human, financial and technical resources needed to fully implement its Insider Threat Program.”

“For example, DOE’s budget does not include dedicated funding for its contractor-run nuclear weapons production and research sites to carry out their responsibilities for implementing the program,” the report said. “Unless DOE identifies and assesses the resources needed to support the Insider Threat Program, it will be unable to fully ensure that components are equipped to respond to insider threat concerns, potentially creating vulnerabilities in the program.”

GAO made seven recommendations to Energy, including calling for the department “to track and report on actions it takes to address reviewers' findings and recommendations, to establish a process to better integrate program responsibilities and to assess resource needs for the program.” Energy agreed with all of the watchdog’s recommendations.
