Understanding and Managing Risk in Security Systems for the DOE Nuclear Weapons Complex: (Abbreviated Version) (2011)

In the U.S. Department of Energy (DOE), the National Nuclear Security Administration (NNSA)—a semi-autonomous agency—is responsible for securing fully and partially assembled nuclear weapons and significant quantities of special nuclear material (SNM). NNSA’s security mission includes protecting these weapons and materials, associated facilities, and other assets.

In the current budget-constrained environment, NNSA’s security system needs to be both effective and efficient. An effective NNSA security system would be robust, resilient, and adaptive. An efficient NNSA security system would operate at reasonable cost and impose minimal burdens on the organizations carrying out NNSA’s primary missions at its facilities.

Previous examinations of NNSA’s security (Mies 2005; GAO 2007a, b, 2010) have found that security at NNSA sites has been neither resilient nor adaptive. In addition, as a result of DOE’s³ security expansion in the wake of the attacks of September 11, 2001, until recently costs were escalating at unsustainable rates. At the same time, the increased security requirements have made many of the sites’ primary mission activities much more burdensome. DOE and NNSA recently issued a revised security policy, the Graded Security Protection (GSP) Policy, intended to address some of these concerns.

It is in this context that the U.S. Congress directed NNSA to ask the National Academies for advice on augmenting its security approach, particularly on the applicability of probabilistic risk assessment and other risk-based approaches to securing the complex. In carrying out its charge (see Appendix A), the committee has focused primarily on what actions DOE and NNSA could take to make their security approach more effective and efficient.

The committee has concluded that defining security risks more precisely (e.g., by using a probabilistic risk assessment approach) will not significantly improve NNSA’s security planning. This is primarily because there is no comprehensive analytical basis for defining the attack strategies an adversary might employ or the probabilities of success associated with them.

However, this does not mean that a rigorous assessment of security risk is not useful. Using structured thinking processes and techniques to characterize security risk could improve NNSA’s understanding of security vulnerabilities. In addition, understanding the risks and uncertainties associated with various security subsystems as well as the security system as a whole can inform and improve decisions, particularly in allocating limited resources, provided the techniques are used appropriately.

Still, there is no single comprehensive approach that can ensure an effective and efficient security system. In particular, risk methodologies cannot address cultural or organizational barriers to improved security, and no risk approach can determine how much DOE’s nuclear security program should cost. Decisions about how much risk can and should be accepted are the responsibility of the U.S. government and inherently rely on nontechnical considerations.

With these considerations in mind, in this report, the committee focuses on how NNSA could use risk-based analysis and other approaches to better inform decision making, particularly related to the following three key shortcomings associated with NNSA’s current nuclear security system that were identified by the committee:

1. The interactions and dependencies among security countermeasures;

2. The interactions between DOE/NNSA and other organizations responsible in part for preparing for or responding to an attack on NNSA facilities; and

3. The attack scenarios used to design, update, and test the security systems.

The committee judges that its recommendations regarding these shortcomings—in particular, that DOE adopt a “total systems approach” to security, described in detail in Chapters 3 and 4 of the full report—can help DOE better evaluate facility security systems and their vulnerabilities. However, the committee has refrained from outlining a specific methodology; it instead focused on general approaches and tools that could be used.

The committee’s major recommendations are described below and are discussed in detail in the body of the full version of the report.

A dissenting opinion from one committee member is included in the full version of the report. This opinion is largely consistent with the report’s findings and recommendations, but it emphasizes a need for a single entity with both the responsibility and authority to direct the security system.

Finally, the committee limits its scope to cyber security as it relates to the physical security of nuclear weapons and significant quantities of SNM. Neither this report nor the full report addresses the cyber security aspects of protecting classified information or documents. This interpretation of the committee’s scope was agreed on with the sponsor in September 2009.

In this section, the committee describes and briefly explains the key recommendations contained in the committee’s report. The committee’s work also resulted in a number of findings, that were judged to be too sensitive to reproduce in this abbreviated version. The findings are included in the full version of the report, entitled Understanding and Managing Risk in the DOE Nuclear Weapons Complex, which is exempt from public release under the Freedom of Information Act (FOIA), 5 U.S.C. § 552(b)(2).

RECOMMENDATION 3-1: The committee advises against the use of probabilistic risk assessment (PRA) in designing security for the DOE nuclear weapons complex at this time. However, the committee recommends the use of some tools and techniques traditionally associated with PRA to improve NNSA’s understanding of the full spectrum of risks to the complex.

RECOMMENDATION 3-2: NNSA should utilize relevant techniques traditionally associated with risk assessment to improve its understanding of risk—specifically including an analysis of the security system—along with creative scenario generation techniques and security best practices.

RECOMMENDATION 4-1: The committee recommends that DOE/NNSA generate a range of plausible and specific objectives that the site security system is intended to preclude, for use in scenario generation. An adversary perspective should be taken into account when generating these objectives.

RECOMMENDATION 4-2: The committee recommends that a comprehensive and plausible range of adversary capabilities, strategies, and tactics be considered in defining the threat to sites and designing security systems.

RECOMMENDATION 4-3: The committee recommends that DOE sites regularly track and evaluate the information available to an adversary and use this information to improve their understanding of the most likely ways an adversary might attack a given site or other operations, such as transportation.

RECOMMENDATION 4-4: The committee recommends that DOE sites supplement their current vulnerability assessment processes with creative scenario generation techniques.

RECOMMENDATION 4-5: The committee recommends that DOE Headquarters take on the responsibility of defining an overall deterrence strategy for the nuclear weapons complex, subject to evaluation by deterrence subject-matter experts.

RECOMMENDATION 5-1: The committee recommends that DOE focus its communication efforts aimed at Congress and the administration on risk management rather than on the risk to the nuclear weapons complex. This communication should draw on the total systems approach and scenario generation processes recommended by the committee.

RECOMMENDATION 5-2: The committee recommends that DOE take steps to ensure a more integrated and collaborative environment for functional responsibility for the security system at the headquarters level and in the field. A clearer and more expeditious process for accepting risk should be a priority goal.

It is clear that the threat that DOE requires its sites to defend against is formidable. The current security emphasis is out of balance. A redirection of focus and resources is indicated, but accomplishing such a major shift in approach will require leadership and a different model for security guidance, planning, and evaluation. The committee’s recommendations are intended to serve as a starting point for this change.

Of the recommendations listed above, three stand out in the committee’s view as its primary suggestions for how DOE/NNSA could effectively succeed in restructuring its security approach. These suggestions are primarily related to the lack of a total systems view associated with security at NNSA sites.

First, DOE/NNSA should seek to better integrate its security efforts. This would help to address potentially significant vulnerabilities. Second, NNSA and other outside security organizations that are responsible for some aspects of the security of the weapons complex do not appear to be well coordinated. Third, a broader suite of adversary scenarios should be developed.

Finally, the committee notes that any analysis is only an input to a decision maker who needs to make a subjective judgment regarding defense strategies, tactics, and investments. Despite the best plans, defenses, and training, the decision maker needs to be alert and prepared to react quickly and decisively to the unexpected. Thus, it is essential that all aspects of security associated with the DOE nuclear weapons complex —whether they are operated by DOE, by NNSA, or by another agency entirely—be well understood, well organized, well exercised, and well coordinated. Although this may not require changes in how NNSA’s security apparatus is organized, it is likely to require a change in approach and a change in mindset.