Unmonitored networks put US nuclear arsenal at risk, GAO finds

The Energy Department needs to take additional steps to prevent insider threats to the nation’s nuclear arsenal — including working to identify the total number of classified networks across the department to fully monitor users’ activity — according to a recent report from the Government Accountability Office.

GAO’s report — released on May 24 — reviewed the effectiveness of Energy’s Insider Threat Program, one of the department’s risk mitigation initiatives that is designed “to further protect against insider threats from employees, contractors and trusted visitors.” The study was requested in a House report accompanying the fiscal year 2022 National Defense Authorization Act. 

Despite the program being established in 2014, GAO said that multiple independent assessments conducted in the intervening years found that Energy “has not implemented seven required measures for its Insider Threat Program, even after independent reviewers made nearly 50 findings and recommendations to help DOE fully implement its program.” 

Four of these “unmet minimum standards” were previously identified in a March 2022 memo sent from the Office of the Director of National Intelligence to the Energy Secretary, while the remaining three “were found to be unmet through DOE’s Office of Enterprise Assessments’ review of DOE’s Insider Threat Program in 2021.”

GAO identified continuing concerns — first conveyed by ODNI — about Energy’s efforts related to “monitoring user activity on all classified networks.” The report noted that “minimum standards require that insider threat programs include the technical capability to monitor user activity on all classified networks,” but that the department’s Insider Threat Analysis and Referral Center “has not met full user activity monitoring coverage requirements on all classified networks.” 

While GAO said the department “has processes for addressing concerns on unmonitored classified networks should an event be detected by other means,” it noted that Energy officials “have not identified the total number of DOE’s stand-alone classified networks, which leaves them unaware of the extent to which the Insider Threat Program falls short of minimum standards for user activity monitoring.” 

The watchdog also highlighted Energy’s continued failure to produce an annual progress report on its various threat mitigation programs since 2017, which is meant to document “annual accomplishments, resources allocated, insider threat risks to the agency, recommendations and goals for program improvement and major impediments or challenges.”

Energy officials told GAO that an annual report had not been completed since last decade “because the program decided to wait until independent assessments of the Insider Threat Program were completed,” and because “program staff did not have access to classified materials while working remotely during the COVID-19 pandemic, which contributed to some of the delay in annual reporting.”

In its last annual report, Energy “reported experiencing about 250 unclassified insider threat-related security incidents in 2017,” with the department considering “about 100 of those incidents to be serious.” Most of these incidents “were unintentional,” according to the watchdog, and included “sending classified information over unclassified systems, leaving security areas unattended and not properly protecting classified information.”

Other unmet standards GAO identified in Energy’s Insider Threat Program included inconsistent insider threat awareness training for employees, the department’s inability to validate the completion of training “for all cleared employees and contractors,” the lack of “a formalized independent assessment element” for oversight compliance reviews and no established procedures for personnel accessing sensitive or protected data. 

The report also cited a failure to ensure staff associated with the program “were fully trained on legal issues, response actions, handling of data and records, civil liberties, privacy and investigative referral requirements.”

The watchdog faulted Energy for dividing “significant responsibilities” of the program between two offices, noting that “the program’s senior official resides within the security office, while operational control for insider threat incident analysis and response resides within the Office of Counterintelligence — a part of the organization with its own line of reporting to the Secretary of Energy.”

In addition to not fully integrating the program within one office, GAO said Energy “has not identified and assessed the human, financial and technical resources needed to fully implement its Insider Threat Program.”

“For example, DOE’s budget does not include dedicated funding for its contractor-run nuclear weapons production and research sites to carry out their responsibilities for implementing the program,” the report said. “Unless DOE identifies and assesses the resources needed to support the Insider Threat Program, it will be unable to fully ensure that components are equipped to respond to insider threat concerns, potentially creating vulnerabilities in the program.”

GAO made seven recommendations to Energy, including calling for the department “to track and report on actions it takes to address reviewers' findings and recommendations, to establish a process to better integrate program responsibilities and to assess resource needs for the program.” Energy agreed with all of the watchdog’s recommendations.