Three members of the House Armed Services Committee unveiled a bipartisan measure late last week aimed at strengthening cybersecurity practices for the United States’ nuclear weapons system, and aim to advance that measure in legislation this week.
Reps. Salud Carbajal, D-Calif., Don Bacon, R-Neb., and Mike Gallagher, R-Wis., intend to push for the inclusion of this language in the June 21 mark-up of the National Defense Authorization Act (NDAA) for Fiscal Year (FY) 2024.
The bipartisan proposal would set up a Cybersecurity Risk Inventory, Assessment, and Mitigation Working Group within the Department of Defense. The group would be required to prepare a comprehensive strategy for inventorying the range of National Nuclear Security Administration (NNSA) systems that are potentially at risk in the operational technology and nuclear weapons information technology environments, assessing the systems at risk, and implementing risk mitigation actions.
“There are some causes that may not seem worth Congress’ time at first glance. Closing gaps in the cybersecurity practices of our nation’s nuclear systems is not one of them,” said Rep. Carbajal in a June 15 statement. “I look forward to building support for our bipartisan amendment that can provide a straightforward pathway to ensuring we have no reason to doubt the security of our most dangerous weapon systems.”
The lawmakers cited a September 2022 report by the Government Accountability Office (GAO), which calls out NNSA on neglecting to fully implement cybersecurity practices in its digital environments.
“NNSA and its site contractors integrate information systems into nuclear weapons, automate manufacturing equipment, and rely on computer modeling to design weapons,” the September 22 report says. “However, cyber systems are targets of malicious actors. To protect against such threats, federal law and policies require that NNSA establish a program to manage cybersecurity risk.”
The report followed a request from the NDAA for FY 2020 to review NNSA’s cybersecurity practices and policies.
The GAO made nine recommendations to the agency, including that it implement an IT monitoring strategy; determine resources needed for operational technology efforts; create a nuclear weapons risk strategy; and enhance monitoring of contractor cybersecurity.
The House members’ proposal would ensure that the new working group develops and implements a strategy for meeting the recommendations of last year’s GAO report.
The Working Group would be required to brief the Congress within 120 days of the enactment of the proposed language and submit a completed strategy to the Armed Services committees by April 1, 2025.
“A ready and resilient nuclear force is critical to American deterrence. I am proud to co-sponsor this bipartisan effort to ensure that the systems keeping our nuclear forces capable are cyber secure – free from adversarial interference and prepared for action at all times,” Rep. Gallagher said.