NNSA Deputy Administrator Frank Rose Remarks to the DOD-NNSA Software Assurance Community of Practice Quarterly Meeting

NA-2's Remarks to DOD/NNSA Software Assurance Meeting

National Nuclear Security Administration

September 13, 2023

Delivered September 6, 2023

Thank you, Ed, for that kind introduction and for inviting me to participate in this quarter’s Software Assurance Community of Practice meeting.

I would also like to thank our colleagues from the Defense Department, the National Security Agency, NASA, Homeland Security, private sector partners from the defense industrial base and our national laboratories and M-and-O’s, and, of course, my Department of Energy and National Nuclear Security Administration colleagues, for taking the time to join us this morning, whether in person at Lawrence Livermore or virtually.

It’s an honor to be able to speak with you today on such an important subject, one in which multiple threats to our national security intersect.  My “Bottom Line Up Front” is simple: Getting the software assurance challenge right is vital to the long-term effectiveness of NNSA and the broader Nuclear Security Enterprise, and this issue has been a priority for Administrator Hruby and me since our confirmation hearings two years ago.

Therefore, this morning I’d like to focus my remarks on three specific topics:

1) The international threat environment, and how nuclear, cyber, and other strategic issues are interrelated;

2) How cybersecurity and software assurance enable us to address these challenges; and

3) What NNSA is doing to recruit and retain the next generation of highly-skilled scientists, engineers, and information technology and cybersecurity professionals to ensure we not only are meeting these challenges in the next 3-to-5 years, but for the next generation.

The Emerging Threat Environment

Let’s begin by quickly surveying the emerging threat conditions that are shaping our decisions about nuclear and cybersecurity.  As the U.S. Director for National Intelligence’s most recent Annual Threat Assessment concluded:

The United States and its allies will confront a complex and pivotal international security environment dominated by . . . strategic challenges [that] will intersect and interact in unpredictable ways, leading to mutually reinforcing effects that could challenge our ability to respond.

In addition to shared global challenges such as climate change, health security, narcotics trafficking, and terrorism, the D-N-I warns of an era of renewed nation-state conflict and strategic competition with great powers and rising regional powers. Indeed, prior to its invasion of Ukraine, Russia was already accelerating its nuclear modernization programs, especially in non-strategic weapons and delivery systems and novel, “exotic” weapons like an autonomous nuclear torpedo.  Although the United States and Russia were able to extend New START in early 2021 for another five years, Russia has since announced their suspension of implementation of the treaty.  And Putin’s ominous statements, and those of other Russian officials, hinting at the potential use of nuclear weapons in Ukraine are dangerous and irresponsible.

Russia’s unprovoked invasion of Ukraine has also featured an unprecedented event in the history of warfare: ongoing hostilities around—and armed seizure of—operating civil nuclear power plants.  The risks associated with military activities around Ukraine’s nuclear facilities cannot be overstated, as they undercut safety, hinder the International Atomic Energy Agency’s ability to fulfill its safeguards mandate, and increase the risk of a nuclear accident or incident that could affect large numbers of people in Ukraine and neighboring states, with impacts felt around the world.  Russia’s military attacks and seizures of nuclear facilities in Ukraine severely undermine Moscow’s claim to be a responsible nuclear power, and have been strongly condemned by the international community.

At the same time, China is expanding its political and economic influence and is in the midst of the largest ever nuclear force expansion and arsenal diversification in its history.  It is building hundreds of new I-C-B-M silos and is increasing the number and types of nuclear weapons without transparency in either its doctrine or forces.  Moreover, despite repeated attempts by the last several U.S. presidential administrations, Beijing has not shown any interest in engaging in either the strategic stability or arms control discussions expected of a responsible nuclear power.  This opacity makes determining an effective strategy more difficult, both in terms of maintaining deterrence and in finding a way to integrate China into a future arms control and strategic stability framework.

Looking beyond these peer competitors, North Korea has expanded its nuclear weapons stockpile and range of delivery capabilities and has resumed I-C-B-M testing.  Additionally, in stark contrast to the tenets of the Non-Proliferation Treaty, last year Kim Jong Un announced a new “Nuclear Forces Policy Law” that would permit Pyongyang to use nuclear weapons first against non-nuclear states.

And while Iran may or may not agree to the conditions necessary to return to the Joint Comprehensive Plan of Action, in the past five years it has expanded its nuclear program to operate more advanced centrifuges and enrich more uranium, including at levels closer to weapons grade.

In addition to the challenges these nations pose for our decisions about nuclear deterrence and nonproliferation, Beijing, Moscow, Tehran, and Pyongyang have also demonstrated the capability and intent to advance their interests at the expense of the United States and its allies through malicious cyber operations.  From the massive theft of American intellectual property and military designs; to the NotPetya ransomware attacks; to the SolarWinds breach in 2020, these nations and their proxies have sought to use cyber operations to undermine U.S. strategic advantages.

Although such cyberattacks are clearly not as deadly as a potential nuclear attack, they threaten U.S. and allied interests in several ways that relate to nuclear strategy and security.  First, like potential nuclear threats, cyberattacks allow potential adversaries to directly attack our strategic interests – and possibly the U.S. homeland through attacks on critical infrastructure – without first having to defeat the U.S. military.  Because America’s economy, our basic services, and our military power are highly integrated with the Internet, we are more vulnerable to disruption than less “connected” states.  This asymmetric vulnerability makes offensive cyber capabilities a cost-effective method for adversaries to threaten and attack U.S. targets with strategic effects.

Moreover, just as the increasingly rapid pace of technological advancements has lowered the bar to the proliferation of weapons of mass destruction, emerging technologies and low entry-costs for significant cyber capabilities enable non-state actors to threaten our infrastructure and transnational cyber criminals to fuel a virtual ecosystem that threatens to cause greater disruptions of critical services worldwide.

In the nuclear realm, this threat is particularly dangerous.  Iran and Russia have both shown a significant capability in compromising the Industrial Control Systems of various critical infrastructure systems.  Such an attack against a nuclear plant anywhere in the world could have catastrophic consequences. 

In reality, however, potential adversaries do not need to directly attack the systems DoD depends upon to execute its nuclear deterrence mission to undermine our deterrent. According to the 2022 Nuclear Posture Review, the goals of U.S. nuclear forces are to:

  • Deter all forms of strategic attack against the U.S. homeland or the territory of Allies and partners;
  • Assure Allies and partners that the United States is willing and able to deter the range of strategic threats they face, and mitigate the risks they will assume in a crisis or conflict; and
  • Achieve U.S. objectives if deterrence fails and the President concludes that the employment of nuclear weapons is necessary.

These goals can only be met if the President has full and complete confidence in the safety, security, and reliability of the U.S. nuclear weapons stockpile.  Cyberattacks against the Nuclear Security Enterprise’s supply chain could undermine this confidence, and therefore have significant strategic effects in the event of an unfolding crisis or conflict.

Consequently, policymakers responsible for U.S. nuclear deterrence and nonproliferation programs must be highly attuned to the range of global cybersecurity threats.

NNSA, Cybersecurity, and Software Assurance

This is why one of Administrator Hruby’s top priorities upon arriving at NNSA was to improve our cybersecurity and to have outside experts conduct an independent cybersecurity assessment.  We subsequently contracted with the Institute for Defense Analyses to conduct a review of NNSA’s cyber enterprise, to include our labs, plants, and sites.  IDA spent several months conducting interviews across the Enterprise and presented its findings in March 2022. 

NNSA has been addressing IDA’s recommendations and is investing in capabilities to address future cybersecurity challenges across the Nuclear Security Enterprise.  Our funding for Cyber and I-T has grown 42.3 percent from Fiscal Year 22 to Fiscal Year 24’s budget request. This funding goes towards strengthening our cyber infrastructure, cyber tools, and information technology by enabling us to implement a zero-trust architecture strategy, secure industrial control systems, and support work at our partner laboratories, plants and sites.

Together with DOE elements such as the Office of the Chief Information Officer; the Office of Cybersecurity, Energy Security, and Emergency Response; and the Office of Science, NNSA is leveraging innovation to create new programs to address future cybersecurity challenges across the Nuclear Security Enterprise.

One of the most important of these is the Software Assurance Community of Practice’s work to bring together DoD and NNSA practitioners to develop, share, and promote software best practices and standards. Nuclear Enterprise Assurance ensures the Enterprise actively manages subversion risks to the nuclear weapons stockpile and associated design, production, and testing capabilities.  In order to provide nuclear warheads that meet safety, security, and performance requirements, NNSA is currently executing five warhead modernization programs to enhance the margin against failure, increase safety, improve security, replace limited life components, address component obsolescence, and support the U.S. Department of Defense’s delivery platform modernization.  These modernization efforts are introducing digital technologies and components to our stockpile.  With that modernization comes new vulnerability characteristics and multiple new susceptible pathways that if compromised can produce unacceptable physical impacts to safety, the environment, weapon performance, and loss of capabilities.

Consequently, we launched the Nuclear Weapon Digital Assurance Program to discover and address potential vulnerabilities and thereby enable risk-managed adoption of leading-edge technologies to meet emerging military requirements and reduce modernization schedules and costs.  Cybersecurity is a major component of this work along with supply chain management. NNSA has invested heavily to discover and address vulnerabilities, to educate our workforce, and to partner with DOE elements like CESER, the Office of Science, and our Energy counterparts.

And of course, the DOD-NNSA Software Assurance Community of Practice has been a key contributor to these vital efforts.  In addition to these quarterly meetings and the workshops they enable, the Missile Defense Agency and N-S-A Center for Assured Software led the development of a set of classified “Indicators of Malicious Features” to improve software subversion discovery for the Enterprise.  Shared development of software assurance Terms and Conditions contract language – which was done specifically for the NNSA – has improved assurance of purchased software and contracted software development. And the Enterprise has participated in a series of Malware Discovery Exercises developed to enable the NNSA to discover software subversion.

In the end, compromised software can cause unmitigated mission failure.  Given the critical nature of NNSA’s mission, subverted software would be potentially catastrophic to our national security. Therefore, it is impossible to overstate the importance of technical collaboration between the organizations that comprise this community of practice, and the software assurance C-O-P’s contribution to NNSA’s Enterprise Assurance Workshop.

Developing the Future Cyber Workforce

In the end, the effectiveness and credibility of our nuclear deterrent is directly supported by our scientific and technological capabilities – to include the ability to keep the I-T systems that support them safe and secure – or more precisely, by the work performed everyday by the 50,000 scientists, engineers, I-T professionals, technicians, and support staff that comprise the N-N-S-A’s workforce.  In fact, at my level as Deputy Administrator, cybersecurity is not really a technological challenge so much as a people challenge.  Therefore, in addition to investments in technology, we also must make a commitment to investing in people, which is why 87 percent of NNSA’s budget request for Cyber and I-T goes towards labor and workforce development.

Yet even as the demanding global security environment noted above means N-N-S-A is facing our heaviest workload in decades, more than one-third of our workforce will be eligible for retirement over the next five years.  Consequently, recruiting and retaining the next generation of highly-skilled scientists, engineers, and I-T and cybersecurity professionals is vital to our national security.

Although N-N-S-A is pursuing an aggressive hiring strategy with a goal of adding an estimated 4,000 – 6,000 employees annually across the Enterprise, this is particularly challenging in the field of I-T and cybersecurity.  As most of you already know, there is a lot of competition out there for cyber talent, and the private sector can throw a lot of money at students graduating with computer engineering degrees from cybersecurity programs.  Consequently, in addition to seeking innovative technology to defend our networks, we have to be innovative in how we recruit our future cyber workforce and find ways to make federal service attractive.

One possible solution to this challenge is to identify and cultivate the next generation of I-T and cybersecurity professionals.  To further help develop, train, and recruit the Enterprise’s workforce of the future, last year NNSA funded over $100 million in grants and cooperative agreements with top universities across the country. As part of these efforts, N-N-S-A is participating in the Omni Technology Alliance internship program spearheaded by the D-O-E’s Office of Science.  Additionally, N-N-S-A has significantly increased our outreach to, funding for, and partnerships with Minority Serving Institutions, such as Historically Black Colleges and Universities and Hispanic Serving Institutions. The Minority Serving Institutions Partnership Program (or M-S-I-P-P) is designed to build a sustainable STEM pipeline that prepares a diverse workforce of world class talent through strategic partnerships between M-S-I and the Nuclear Security Enterprise.  M-S-I-P-P supports 10 consortia consisting of 38 M-S-I partners as well as N-N-S-A laboratories, production plants, and sites.  The bottom line is that in a complicated world with complex threats to our national security and global stability, we cannot afford to leave any talent on the table. 

Conclusion – Partnerships and Collaboration

In the end, these programs are significant not only for their short-term benefits in mitigating digital threats to nuclear security, but also because they illustrate the importance of collaboration and innovation to successfully address our cybersecurity challenges and achieve our national security mission.

The simple reality is that when it comes to leveraging innovation to meet future challenges, N-N-S-A can’t do it alone.  While I’m proud to represent NNSA and provide our perspective and vision on this critical subject, Administrator Hruby and I are keenly aware that NNSA is not an island, and that our success depends on collaborations with a broad array of partners within the Department, in the interagency, and around the world.

Information sharing has long been recognized as being critical to successful cybersecurity, and we can’t be afraid to share information about our shortcomings, potential threats, or possible innovations with our partners. 

Similarly, in accordance with President Biden’s Executive Order on Improving the Nation’s Cybersecurity, we must also work hard to establish constructive relationships with our interagency partners and the private sector that can help us to protect and secure our digital systems and infrastructure.  Forging productive relationships with external collaborators allows new ideas to be created, refined, and developed.  Indeed, collaboration and innovation go hand-in-hand.

This is why this meeting is so important, allowing us to come together to share and develop software assurance approaches, tools, expertise, and lessons learned.

I am grateful to Ed for inviting me to participate, and I congratulate him and his colleagues in the Office of the Under Secretary of Defense for Research and Engineering and the National Security Agency for their work co-chairing this community of practice.

Thank you all for your dedication and for your service, and I hope you enjoy the rest of the meeting.
