For years the U.S. department tasked with overseeing the nation’s thousands of nuclear weapons has failed to comply with an executive order and ignored warnings about protecting itself from “insider threats,” despite several high-profile incidents of security lapses in recent years, a new watchdog report charges.


What You Need To Know

  • A report published on Wednesday said the Department of Energy has dragged its feet for over a decade establishing required measures to combat “fraud, espionage, and terrorist activity” in the U.S. nuclear weapons program
  • For years, the department has failed to comply with an executive order and ignored warnings about protecting itself from “insider threats,” despite several high-profile incidents of security lapses in recent years, the new watchdog report charges

  • The report notes four incidents since 2010 of the U.S. nuclear program being exposed to theft of classified information, bribery, hacking, and the attempted sale of documents related to nuclear-powered submarines to a foreign country

  • The U.S. had 3,750 nuclear weapons in circulation with another 2,000 awaiting dismantlement as of 2020, the last year that data was reported by the U.S. State Department

The Government Accountability Office, a nonpartisan federal agency that audits the government and answers to Congress, published a report on Wednesday saying the Department of Energy has dragged its feet for over a decade establishing required measures to combat “fraud, espionage, and terrorist activity.”

“Remember that fictional employee who stole dinosaur embryos from InGen?” tweeted Allison Bawden, the GAO’s director for nuclear security and the report’s author, referring to the film “Jurassic Park.” 

“Insider threats aren’t just for dinosaur parks — they’re also a risk for federal agencies,” she wrote. “To avoid being like InGen, DOE could better protect nuclear material & information by fully implementing its insider threat program. This includes training all employees & contractors to identify & report suspicious behavior & better monitoring networks for suspicious activity.”

The department’s implementation, or lack thereof, of insider threat protection measures was so poor, NASA pulled out of an agreement to work with them on the program three years early, the report says.

The report comes shortly after an Air National Guardsman was charged with leaking highly classified national security documents online. The guardsman was allowed to keep his top-secret security clearance for months after he began repeatedly being detected by his colleagues and superiors.

“The theft of nuclear material and the compromise of information could have devastating consequences,” the GAO said in its report. “Threats can come from external adversaries or from ‘insiders,’ including employees or visitors with trusted access.”

"The Department has a highly vetted workforce and maintains programs specifically designed to avoid or minimize insider threats while capitalizing on longstanding protection measures against misuse of critical stockpile assets and resources," a DOE spokesperson said in a statement. "We appreciate the GAO’s review and have taken a series of actions to further bolster the Department’s capabilities to effectively deter, detect, and mitigate insider threats throughout the nuclear enterprise."

In responses included within the report, a DOE official wrote the department has “full capability for minimizing insider risks to the nuclear enterprise,” while agreeing to work on the GAO’s seven main recommendations.

Issued to the top Republican and Democrat on the House Committee on Armed Services, the report notes four incidents since 2010 of the U.S. nuclear program being exposed to theft of classified information, bribery, hacking, and the attempted sale of documents related to nuclear-powered submarines to a foreign country.

The committee’s chairman, Rep. Mike Rogers, R-Ala., and ranking member, Rep. Adam Smith, D-Wa., did not immediately respond to questions about the report, the state of the country’s nuclear weapon security and whether they planned to call DOE officials to testify.

In 2017, the DOE reported about 250 insider threat security incidents, 100 of which they considered “serious” and several they considered to be malicious.

Then-President Barack Obama ordered all federal agencies to take on additional protections against insider threats after a 2011 incident when a U.S. Army intelligence analyst leaked classified information, the GAO said. Described as a “high-profile unauthorized disclosure” to WikiLeaks — a publisher of government leaks — the GAO’s description matches the case of former U.S. Army Private Chelsea Manning, who leaked thousands of documents to the website.

The executive order required agencies to “establish, implement, monitor, and report on the effectiveness of insider threat programs to protect national security information on computer networks,” according to the report. DOE established their program in 2014.

Since then, the DOE’s program has been assessed by four independent agencies, including NASA, the DOE’s Office of Enterprise Assessments, Carnegie Mellon University’s Insider Threat Center, and the federal government’s overarching National Insider Threat Task Force.

NASA ended their review of DOE’s policies in October 2021 and severed all ties in May 2022 “due to lack of information and responsiveness,” NASA officials told the GAO. The partnership was supposed to last until 2025.

NASA did not immediately return a request for comment.

The DOE has not implemented seven of the 26 “minimum standards” required by the presidential order, according to GAO auditors.

In March 2022, Director of National Intelligence Avril Haines detailed four of those unfulfilled standards in a memo to Energy Secretary Jennifer M. Granholm, including a lack of proper training for employees, no independent watchdog within its insider threat program, and leaving classified networks unmonitored.

The other three standards the DOE is not in compliance with were identified in a 2021 report by the department’s semi-independent Office of Enterprise Assessments and confirmed as ongoing by DOE officials to the GAO. The DOE said they have struggled to establish policies for access to sensitive or protected information, formally train workers on legal and civil liberty issues, and produce an annual report on its insider threat programs — something they haven’t done since 2017 and, even then, the GAO says that year’s report was incomplete.

In response, the DOE said a new report was being drafted and would be published on July 31, with a promise to publish new annual reports going forward.

One recommendation advised establishing a mechanism to keep track of external assessments, with the DOE agreeing to implement it by June 30 and issue quarterly reports on “corrective actions” they take to address issues identified. Other recommendations included consolidating insider threat programs under a single senior official, ensuring the DOE has consistent, department-wide insider threat policies, and properly allocating adequate resources to the effort.

The U.S. had 3,750 nuclear weapons in circulation with another 2,000 awaiting dismantlement as of 2020, the last year that data was reported by the U.S. State Department.