Are US Nuke Secrets Vulnerable to Cyberattack?

The Department of Energy’s internal watchdog has released a “very problematic” report about its cybersecurity practices.

Wikimedia Commons

Let our journalists help you make sense of the noise: Subscribe to the Mother Jones Daily newsletter and get a recap of news that matters.

The Department of Energy, which is responsible for safeguarding America’s nuclear weapons and secrets, has failed to tell law enforcement the details of when its computer systems have come under attack, “hindering investigations” into some of the 2,300 cybersecurity incidents the agency recorded between October 2009 and March 2012. This lack of timely and comprehensive cybersecurity reporting is putting the DOE’s “information systems and networks at increased risk,” according to a new investigation by the agency’s internal watchdog.

The findings are “very problematic,” says James Lewis, a senior cybersecurity expert at the Center for Strategic and International Studies, because “DOE sites are a primary target for espionage and have been successfully hacked in the past.”

While preparing the report, the DOE’s Office of Inspector General audited seven sites, including nuclear laboratories at Los Alamos and the Savannah River Site in South Carolina, and found that, of 223 incidents reported at DOE sites, 41 percent were not reported within established time frames. Another 10 incidents involving a loss of personally identifiable information (which affected 109 people) were reported late.

Joshua McConaha, a spokesman for the National Nuclear Security Administration (NNSA), the DOE entity responsible for the nation’s nuclear weapons stockpile, told Mother Jones that the cybersecurity incidents not involving identity theft “were normal computer issues such as viruses” that occur “on a regular basis.” But experts say that the report’s findings still don’t bode well for nuclear weapons security.

Steven Aftergood, the director of the Project on Government Secrecy at the Federation of American Scientists, says that while the weapons themselves weren’t at risk, “weapons-related information and facility security information could potentially be vulnerable.” It wouldn’t be the first time: In 2007, hackers believed to be from China launched a sophisticated cyberattack on several DOE laboratories in the United States. A spokesman for Los Alamos National Lab, which undertakes nuclear weapons design, told ABC News that “a significant amount of data was removed” from a small number of computers on the facility’s unclassified network. This is the same lab that had its director step down in 2003 after a scandal involving widespread theft and security lapses.

Kevin Roark, a spokesman for Los Alamos National Laboratory, denies that the lab is reporting cyberattacks incorrectly. He told Mother Jones that the audit listed “six incidents where they believed Los Alamos was late in its reporting,” none of which had to do with personal information being stolen. And according to Roark, “Los Alamos personnel have subsequently checked the six incidents, and determined that all were reported within the required time frame, but the information in the reports led the reporting authority to derive an inaccurate date and time.”

When asked to about the incidents and Roark’s response, a spokesman for the IG said that “the report speaks for itself and we have no additional comment.”

It’s well established that the NNSA faces regular cyberattacks—a spokesman for the agency told US News and World Report in March that if you count “security significant cyber security events,” the number of cyberattacks goes up to 10 million per day. (Experts told Mother Jones that the number changes depending on how you categorize different types of incidents.) The real question is whether NNSA and DOE can deal with the attacks. The DOE has recently taken steps like improving cybersecurity training for employees and addressing weaknesses at facilities, according to a separate report released by the inspector general last month.

“Cybersecurity is a work in progress, both inside and outside government.” Aftergood notes. ” One would like to think that the nuclear weapons infrastructure would be ahead of the curve, but apparently that is too much to expect.”

Left unanswered is the question of who’s to blame for the cyberattacks that the DOE seems to have so much trouble reporting correctly.

“It’s probably not Russia or China,” Lewis snipes. “They’ve already gotten everything.”

Zoom in on the map below to find the warheads near you as well as the nuclear labs that maintain the stockpile and develop the next generation of atomic weaponry. (For reference, we’ve also included the locations of the nation’s civilian nuclear power plants.)

View full-screen map

View Mother Jones: America’s Nuclear Facilities in a full-screen map

Sources: Bulletin of the Atomic Scientists and Federation of American Scientists (PDF), Office of the Deputy Assistant to the Secretary of Defense for Nuclear MattersNuclear Energy InstituteUnited States Nuclear Regulatory CommissionUnited States Navy.


Headshot of Editor in Chief of Mother Jones, Clara Jeffery

It sure feels that way to me, and here at Mother Jones, we’ve been thinking a lot about what journalism needs to do differently, and how we can have the biggest impact.

We kept coming back to one word: corruption. Democracy and the rule of law being undermined by those with wealth and power for their own gain. So we're launching an ambitious Mother Jones Corruption Project to do deep, time-intensive reporting on systemic corruption, and asking the MoJo community to help crowdfund it.

We aim to hire, build a team, and give them the time and space needed to understand how we got here and how we might get out. We want to dig into the forces and decisions that have allowed massive conflicts of interest, influence peddling, and win-at-all-costs politics to flourish.

It's unlike anything we've done, and we have seed funding to get started, but we're looking to raise $500,000 from readers by July when we'll be making key budgeting decisions—and the more resources we have by then, the deeper we can dig. If our plan sounds good to you, please help kickstart it with a tax-deductible donation today.

Thanks for reading—whether or not you can pitch in today, or ever, I'm glad you're with us.

Signed by Clara Jeffery

Clara Jeffery, Editor-in-Chief

payment methods

We Recommend