Twenty nations with significant atomic stockpiles or nuclear power plants have no government regulations requiring minimal protection of those facilities against cyberattacks, according to a study by the Nuclear Threat Initiative.
The findings build on growing concerns that a cyberattack could be the easiest and most effective way to take over a nuclear power plant and sabotage it, or to disable defenses that are used to protect nuclear material from theft. The countries on the list include Argentina, China, Egypt, Israel, Mexico and North Korea.
The survey, by one of the nation’s leading nuclear nonproliferation watchdogs, was based on a nation-by-nation review of basic, publicly available data, and some of the countries may claim they have classified protections in place. But the list is damning. The group looked, for example, at whether any cyberprotections are required by law or regulation at nuclear facilities, and whether cyberattacks are included in the assessments of potential threats to the security of those installations. One question asked whether there were mandated drills and tests to assess responses to a cyberassault, rather than just a physical attack on the facilities.
“Twenty countries failed on all the indicators,” said Page Stoutland, one of the authors of the report. Because of the secrecy surrounding military nuclear facilities, it was impossible to determine the levels of cyberprotection used to protect nuclear weapons in the nine countries known to possess them. The report also concludes that President Obama’s global initiative to sweep up loose nuclear material, which will be the subject of his third and final nuclear security summit meeting this March, has slowed substantially.
“There was great progress for six or so years,” said Sam Nunn, a former senator who spearheaded efforts to dismantle nuclear weaponry in the former Soviet republics after the fall of the Berlin Wall and who went on to become a founder of the Nuclear Threat Initiative. “But it has slowed down. It’s hard to keep this subject on the front burner.”
Mr. Nunn, 77, who left the Senate in 1997, blamed the increasing tensions with Russia for some of the slow progress. “When things are strained between the two big nuclear powers, which have 90 percent of the weapons and materials, it makes it harder” for other states to make the case for reducing their own stockpiles, he said in an interview. Mr. Nunn is best known for the Nunn-Lugar Act — sponsored with Senator Richard G. Lugar, an Indiana Republican who took Mr. Obama on tours through the former Soviet Union — which dismantled many of the weapons and nuclear facilities in former Soviet states.
Mr. Obama was an early adherent of Mr. Nunn’s advocacy for comprehensive programs to reduce the amount of nuclear material in the world, and by any measure his six-year effort to prevent nuclear terrorism has made major progress. Each summit meeting has forced countries to make progress on locking down or eliminating materials.
The Nuclear Threat Initiative, which publishes an annual index of nuclear security around the world, notes that a dozen countries have eliminated all weapons-usable nuclear materials since the summit meetings began. Many more have greatly improved the security surrounding lightly guarded materials, which are stored every place from hospitals to research reactors on university campuses.
But at the very moment that the black market in nuclear materials remains active, the report found that 24 nations still had more than 2.2 pounds of weapons-usable nuclear material, “much of it still too vulnerable to theft,” and many have just begun to think about their vulnerability to cyberthreats that could enable an attacker to sabotage a site without breaking through fences or risk setting off perimeter alarms.
The most famous cyberattack on a nuclear facility was done by the United States and Israel: the effort to destroy and disable nuclear centrifuges at the Natanz nuclear enrichment plant in Iran. That program, code-named Olympic Games, used a worm that was later named Stuxnet to knock the centrifuges out of operation. It did not release radioactive material into the atmosphere, but it was a vivid demonstration of the vulnerability of nuclear facilities to cyberattack. Iran had completely isolated the Natanz facility from the Internet, but the originators of the program found ways to insert it.
The lesson of Stuxnet, however, has apparently been lost on many nations that have yet to develop requirements that nuclear facilities have cyberprotections in place before they can operate. “Too many states require virtually no effective security measures at nuclear facilities to address the threat posed by hackers,” the study, in which the Economist Intelligence Unit also participated, concluded. Of the two dozen nations with weapons-usable material, nine got the maximum score for cyberindicators, and seven got a score of zero.
In 23 nations that possessed no weapons-usable materials, but had nuclear power plants or other nuclear facilities that contain fuel that could be converted to weapons use, 13 got a zero score. More than 80 percent of all nuclear stockpiles are classified as military material, meaning they are largely used in weapons programs, and all of those are outside international security review, including the guidelines issued by the International Atomic Energy Agency for the protection of civilian nuclear stocks.