NNSA Principal Deputy Administrator Frank Rose's remarks for the Department of Energy Cyber Security Conference

Thank you, Ann, for that kind introduction.  It’s such a pleasure to work with you and your colleagues in the DOE Chief Information Officer’s Office. You have been fantastic partners.

It is great to be here with you this morning.  Today I would like to briefly discuss the NNSA’s vision for Information Technology and Cybersecurity.  In particular, I’d like to focus my remarks on three topics:

1) The international threat environment, and how nuclear, cyber, and other strategic issues are interrelated;

2) What NNSA is doing with regards to strengthening cybersecurity, in particular working with the Department of Energy to achieve success in this field; and

3) How NNSA is addressing constantly evolving challenges not only across our Nuclear Security Enterprise, but to help our foreign partners protect their networks.

These last two topics, I think, demonstrate why the theme for this year’s conference – “Collaborative Innovation and Collective Cyber Defense” – is timely and encapsulates lessons we’ve learned over the past two years.  For while I’m proud to represent NNSA and provide our perspective and vision on this critical subject, Administrator Hruby and I are keenly aware that NNSA is not an island, and that our success depends on collaborations with a broad array of partners within the Department, in the interagency, and around the world.

The Emerging Threat Environment

Let’s begin by quickly surveying the emerging threat conditions that are shaping our decisions about nuclear and cybersecurity.  As the U.S. Director for National Intelligence’s recent Annual Threat Assessment concluded:

"The United States and its allies will confront a complex and pivotal international security environment dominated by . . . strategic challenges [that] will intersect and interact in unpredictable ways, leading to mutually reinforcing effects that could challenge our ability to respond."

In addition to shared global challenges such as climate change, health security, narcotics trafficking, and terrorism, the D-N-I warns of an era of renewed nation-state conflict and strategic competition with great powers and rising regional powers. Indeed, prior to its invasion of Ukraine, Russia was already accelerating its nuclear modernization programs, especially in non-strategic weapons and delivery systems and novel, “exotic” weapons like an autonomous nuclear torpedo.  Although the United States and Russia were able to extend New START in early 2021 for another five years, Russia has since announced their purported suspension of implementation of the treaty. And Putin’s ominous statements, and those of other Russian officials, hinting at the potential use of nuclear weapons in Ukraine are dangerous and irresponsible.

Russia’s unprovoked invasion of Ukraine has also featured an unprecedented event in the history of warfare: ongoing hostilities around—and armed seizure of—operating civil nuclear power plants.  The risks associated with military activities around Ukraine’s nuclear facilities cannot be overstated, as they undercut safety, hinder the International Atomic Energy Agency’s ability to fulfill its safeguards mandate, and increase the risk of a nuclear accident or incident that could affect large numbers of people in Ukraine and neighboring states, with impacts felt around the world.  Russia’s military attacks and seizures of nuclear facilities in Ukraine severely undermine Moscow’s claim to be a responsible nuclear power, and has been strongly condemned by the international community.

At the same time, China is expanding its political and economic influence and is in the midst of the largest ever nuclear force expansion and arsenal diversification in its history.  It is building hundreds of new I-C-B-M silos and is increasing the number and types of nuclear weapons without transparency in either its doctrine or forces.  Moreover, Beijing has not shown any interest in engaging in either the strategic stability or arms control discussions expected of a responsible nuclear power, despite repeated attempts by the last several U.S. presidential administrations.  This opacity makes determining an effective strategy more difficult, both in terms of maintaining deterrence and in finding a way to integrate China into a future arms control and strategic stability framework.

Looking beyond these peer competitors, North Korea has expanded its nuclear weapons stockpile and range of delivery capabilities and has resumed I-C-B-M testing.  Meanwhile, Iran may or may not agree to the conditions necessary to return to the Joint Comprehensive Plan of Action while simultaneously expanding its nuclear program and failing to provide full disclosure on some nuclear matters to the International Atomic Energy Agency (or IAEA).

In addition to the challenges these nations pose for our decisions about nuclear deterrence and nonproliferation, Beijing, Moscow, Tehran, and Pyongyang have also demonstrated the capability and intent to advance their interests at the expense of the United States and its allies through malicious cyber operations.  From the massive theft of American intellectual property and military designs; to the NotPetya ransomware attacks; to the SolarWinds breach in 2020, these nations have sought to use cyber operations to undermine U.S. strategic advantages.

Although such cyberattacks are clearly not as deadly as a potential nuclear attack, they threaten U.S. and allied interests in two ways that relate to nuclear strategy and security.  First, like potential nuclear threats, cyberattacks allow potential adversaries to directly attack our strategic interests – and possibly the U.S. homeland through attacks on critical infrastructure – without first having to defeat the U.S. military.  Because America’s economy, our basic services, and our military power are highly integrated with the Internet, we are more vulnerable to disruption than less “connected” states.  This asymmetric vulnerability makes offensive cyber capabilities a cost-effect method for adversaries to threaten and attack U.S. targets with strategic effects.

Moreover, just as the increasingly rapid pace of technological advancements have lowered the bar to the proliferation of weapons of mass destruction, emerging technologies and low entry-costs for significant cyber capabilities enable non-state actors to threaten our infrastructure and transnational cyber criminals to fuel a virtual ecosystem that threatens to cause greater disruptions of critical services worldwide.

In the nuclear realm, this threat is particularly dangerous.  Iran and Russia have both shown a significant capability in compromising the Industrial Control Systems of various critical infrastructure systems.  Such an attack against a nuclear plant anywhere in the world could have catastrophic consequences.  Indeed, an intrusion on the early-warning satellites or command-and-control networks associated with the U.S. nuclear deterrent, or those of our adversaries – even if unintentional – could be misperceived as the start of a preemptive attack and trigger a potentially disastrous escalation cycle. 

Consequently, policymakers responsible for U.S. nuclear deterrence and nonproliferation programs must be highly attuned to the range of global cybersecurity threats.

NNSA and Cybersecurity

I lay this all out to make one point: Getting the cybersecurity issue right is vital to the long-term effectiveness of NNSA and the broader Nuclear Security Enterprise.  This issue has been a priority for Administrator Hruby and I since our confirmation hearings two years ago, and there is a lot being done in the cyber area across the Enterprise.

One of Administrator Hruby’s top priorities upon arriving at NNSA was to improve our cybersecurity and to have outside experts conduct an independent cybersecurity assessment.  We subsequently contracted with the Institute for Defense Analyses to conduct a review of NNSA’s cyber enterprise, to include our labs, plants, and sites.  IDA spent several months conducting interviews across the Enterprise and presented its findings in March 2022.  NNSA has begun addressing IDA’s recommendations by refocusing on how we recruit, develop, and retain a strong cyber workforce. Indeed, 87 percent of NNSA’s budget request for Cyber and I-T goes towards labor and workforce development.

In addition to investing in people, NNSA is investing in capabilities to address future cybersecurity challenges across the Nuclear Security Enterprise.  Our funding for Cyber and I-T has grown 42.3 percent from Fiscal Year 22 to Fiscal Year 24’s budget request. This funding goes towards strengthening our cyber infrastructure, cyber tools, and information technology by enabling us to implement a zero trust architecture strategy, secure industrial control systems, and support work at our partner laboratories, plants and sites.

Together with DOE elements such as the Office of the Chief Information Officer; the Office of Cybersecurity, Energy Security, and Emergency Response; and the Office of Science, NNSA is leveraging innovation to create new programs to address future cybersecurity challenges across the Nuclear Security Enterprise.

For example, we have created new programs to focus on the cybersecurity of operational technologies.  As NNSA’s weapons modernization efforts introduce new digital technologies and components to our nuclear stockpile, cybersecurity becomes a significant component of this work.  Consequently, we launched the Nuclear Weapon Digital Assurance Program to discover and address potential vulnerabilities and thereby enable risk-managed adoption of leading-edge technologies to meet emerging military requirements and reduce modernization schedules and costs.

Additionally, the Operational Technology Assurance (or O-T-A) program aims to bolster cyber and physical security across the Enterprise’s design and production facilities and addresses the increasingly complex and interconnected industrial control systems that automate mission-essential processes throughout the Enterprise.  As program managers and system operators adopt new technologies to improve operational efficiencies, they must be equipped to understand and address the additional cybersecurity risk posed by connecting operational technology to enterprise information technology systems and Internet of Things devices.  Thus, a robust guidebook and training program was developed and used to educate our workforce on how to identify and mitigate O-T-A risks.

Moreover, in alignment with the White House’s National Cybersecurity Policy, NNSA is reinforcing its current cyber infrastructure to ensure that it is both defensible and resilient from cyber threats.  Last year we executed “Imperial Armadillo,” the inaugural iteration of what will be an annual live and tabletop cybersecurity exercise to test and gauge the suitability of new technologies for NNSA’s current and future cybersecurity requirements. In collaboration with NNSA’s Office of Defense Programs, our Information Management/Cyber Operations team developed and directed the exercise with the cybersecurity components from Lawrence Livermore National Laboratory, Special Technologies Laboratory, and Savannah River National Laboratory. Imperial Armadillo’s outcomes have informed the deployment of solutions and tactics, techniques, and procedures to enhance cybersecurity and enable mission success.

To be honest, these programs only provide a brief snapshot of NNSA’s efforts to reinforce our cyber infrastructure to ensure it is defensible and resilient. If I attempted to review every initiative NNSA has launched with their DOE and interagency colleagues, I’d not only go over my allotted time into the next panel, I would probably make everyone late for lunch.

Helping International Partners

So I’d like to close on an optimistic note.  Despite the threats posed by other countries’ nuclear arsenals or malicious actors gaining access to nuclear or radioactive materials for potential terrorist attacks, these materials have many legitimate uses in agriculture, industry, and medicine.  And of course, nuclear energy offers one potential solution to the climate crisis by providing clean energy.   Indeed, when the I-A-E-A’s Director General Rafael Grossi spoke at the N-N-S-A, he noted that interest in nuclear technology has increased significantly in recent years and that as a result he may have hundreds of new facilities to inspect. 

At the same time, nuclear enterprises around the world are becoming more reliant on digitally networked technologies for safety, security, and emergency systems.  This introduces new vulnerabilities, and unsurprisingly, cybersecurity has become one of the most critical aspects of managing nuclear risks worldwide.  Consequently, NNSA is working to help foreign partners protect their networks against rapidly evolving threats to operational technologies at facilities housing nuclear and radioactive materials.  

For example, NNSA provides subject matter experts to help the IAEA develop a non-serial publication on cybersecurity for radioactive material facilities – “Information and Computer Activities Involving Radioactive Material” – and supports IAEA webinars on this publication.  We have also worked with the IAEA to develop courses such as the “Computer Security Fundamentals for Nuclear Security” course and the computer security “International Training Course,” which is the IAEA’s flagship two-week hands-on cybersecurity course.  Additionally, on behalf of the U.S. Government, NNSA leads the Insider Threat Mitigation international working group-steering committee with Belgium and ten other nations, which has identified cybersecurity as one of five threats requiring further exploration and mitigation.

Moving forward, these collaborations are only going to expand.  In Fiscal Year 23, NNSA’s Office of Defense Nuclear Nonproliferation (or D-N-N) plans to host nearly 100 cybersecurity events with more than 50 countries. These engagements – overseen by our Office of Global Material Security – aim to protect systems, networks, and core nuclear operations from digital attacks. They will aid the development of regulations to manage cyber risks while our partners build capacity in the civilian nuclear sector. DNN will also provide training to operators, site security officers, and vendors with the basics of what they need to know to develop and maintain an effective cybersecurity program to protect physical protection equipment.  

Working with global partners and the IAEA, DNN is advocating for the incorporation of both operational and information technology systems within cybersecurity regulatory frameworks that reflect U.S. experience and lessons learned.  DNN is enlisting the national laboratories to raise awareness and build our partners’ capacity, to include training on cybersecurity fundamentals, threat evaluation, and response.

In other words, there is a lot going on as we seek to apply breakthroughs in cybersecurity to our nuclear and national security missions, with the added benefit that securing nuclear facilities’ computer networks helps ensure the long-term viability of the commercial nuclear sector, which can play a crucial role in providing affordable, clean energy around the world. 

Conclusion – Partnerships and Collaboration

In the end, these programs are significant not only for their short-term benefits in mitigating digital threats to nuclear security, but also because they illustrate the importance of collaboration and innovation to successfully address our cybersecurity challenges and achieving our national security mission.

The simple reality is that when it comes to leveraging innovation to meet future challenges, N-N-S-A can’t do it alone.  Our success depends on our ability to collaborate with the rest of the Nuclear Security Enterprise and D-O-E.  Information sharing has long been recognized as being critical to successful cybersecurity, and we can’t be afraid to share information about our shortcomings, potential threats, or possible innovations with our partners. 

Similarly, in accordance with President Biden’s Executive Order on Improving the Nation’s Cybersecurity, we must also work hard to establish constructive relationships with our interagency partners and the private sector that can help us to protect and secure our digital systems and infrastructure.  Forging productive relationships with external collaborators allows new ideas to be created, refined, and developed.  Indeed, collaboration and innovation go hand-in-hand.

This is why this conference is so important, allowing us to come together to discuss the latest developments in cyber, innovation, and IT issues, and to identify new opportunities for collaboration and cooperation.

I am grateful to Ann for inviting me to participate, and I congratulate her and her team for bringing us together on such a vital topic for our Nation.

Thank you all for your dedication and for your service, and I hope you enjoy the rest of the conference.