U.S. nuclear secrets are at risk from insider attacks, owing to the Department of Energy’s (DOE’s) lack of security, according to the Government Accountability Office (GAO).
Allison Bawden, a GAO director for nuclear security, said the insider risk is illustrated by the 1993 movie “Jurassic Park,” when a disgruntled computer programmer tries to steal from his employer to solve his personal financial troubles.
“Remember that fictional employee who stole dinosaur embryos from InGen?” wrote Bawden on Twitter on Thursday, while sharing a link to the office’s report and a photo of the fictional programmer.
“Insider threats aren’t just for dinosaur parks - they’re also a risk for federal agencies,” she added. “For example, what if insiders wanted to steal the nation’s nuclear weapons and information?
“To avoid being like InGen, DOE could better protect nuclear material & information by fully implementing its insider threat program. This includes training all employees & contractors to identify & report suspicious behavior & better monitoring networks for suspicious activity.”
According to the report, the DOE established the insider threat program in 2014 but has not yet implemented “all required measures.”
“The DOE has not implemented seven required measures for its Insider Threat Program, even after independent reviewers made nearly 50 findings and recommendations to help DOE fully implement its program,” the report says.
The report warned that the DOE’s failure to fully implement all the measures could lead to “devastating consequences.”
“The theft of nuclear material and the compromise of information could have devastating consequences,” the report says.
“Threats can come from external adversaries or from ‘insiders,’ including employees or visitors with trusted access.”
“Such threats could have significant consequences for national security and could include unauthorized release of classified information; workplace violence; or improper access to sensitive nuclear weapons, material, and components,” the report adds.
The report pointed out that DOE’s employees, as as well those employed by the agency’s contractors, could be compromised and become insiders.
“As of 2022, DOE had over 13,000 federal employees, and its management and operating contractors and other contractors employed over 120,000 people, who, because of their authorized access to DOE facilities and networks, can be considered to be insiders,” the report says.
There were about 250 unclassified insider threat-related security incidents in 2017, the most recent data from DOE, according to the report. The incidents included sending classified information over unclassified systems, leaving security areas unattended, and not properly protecting classified information.
“DOE considered about 100 of those incidents to be serious,” the report says.
The report pointed to a 2017 criminal case, when Grigory Trosman was sentenced to 18 months in prison for accepting at least $469,287 in bribes in exchange for official acts he performed while at the DOE.
“From approximately 2002 through March 2014, Trosman used his official position in various capacities to assist co-conspirators and various companies to obtain access to federal research funding and contract work in Lithuania, Russia, and Ukraine,” the Department of Justice said in a press release.
A 2022 report by strategic intelligence firm Strider Technologies found that China has hired at least 162 researchers from Los Alamos National Laboratory (LANL) over the last 35 years. Many of these researchers went on to conduct military research for China, including deep-earth penetrating warheads, hypersonic missiles, and submarine programs.
At least one researcher hired by China previously held Top Secret security clearance at the DOE, according to the report.
In September 2020, a former LANL scientist was sentenced to probation and fined for lying about his participation in a Chinese state-sponsored recruitment program.
The report offered DOE seven recommendations for its insider threat program. In a written response included in the report, the DOE said it agreed with all the recommendations and provided plans to address them.