The Australia-United Kingdom-United States (AUKUS) trilateral agreement has real potential to be a force multiplier in securing the Indo-Pacific, adding to Australia’s arsenal a more lethal, conventionally armed, nuclear powered attack submarine capability, and combining all three nations’ technological advantages to further the partnership’s military edge.
The security issue hits close to home for our Australian allies, and it is the prime motivation for Australian participation in the AUKUS partnership. Scott Morrison, the Australian Prime Minister who helped usher in the creation of AUKUS, said that the partnership “will help ‘protect shared values and promote security and prosperity in the Indo-Pacific region.’” Australia’s concern over its increasing regional security challenges, coupled with its concern over the erosion of Australia’s technological advantage over its adversaries, were major drivers for the decision to take the leap into submarine nuclear propulsion. In arguing for the need to acquire nuclear submarines, “Morrison said Australia needs to have access to the most capable submarine technology available.”
While Pillar II addresses collaboration between the signatories on a number of named technologies, nuclear submarine technology forms “Pillar I” of AUKUS. The enduring primacy of U.S. and United Kingdom submarine technology is directly linked with the protections already in place for that technology as well as protections that may be required going forward.
In this context, information safeguards are not identical with export controls—the United States’ existing protections for nuclear submarine technology exceed export controls requirements. The ITAR and EAR controls are certainly at the front of the partner governments’ consciousnesses, but that body of law and regulation has to do with the legal authority to move technology across borders or to non-U.S. persons. Rather, premier submarine technology must also be protected from our adversaries by stringent information security protocols. In other words, how is the information managed once received? While both the ITAR and EAR address such issues, they do so at the 30,000-foot level when compared to the detail required in law for protecting information about United States nuclear propulsion technologies. These detailed protections are a key part of enabling AUKUS implementation.
The nuclear propulsion cognoscenti are few. Only six countries currently have nuclear powered warships: Russia, China, France, India, the United States, and the United Kingdom. The U.S. Naval Nuclear Propulsion Program (NNPP) has the longest and safest history of all of these nations and is the envy of all:
Since USS NAUTILUS (SSN 571) first signaled “UNDERWAY ON NUCLEAR POWER” . . . in 1955, our nuclear-powered ships have demonstrated their superiority in defending the country—from the Cold War to today’s unconventional threats, to advances that will ensure the dominance of American seapower well into the future.
Pillar I of AUKUS gives Australia the opportunity to join the elites of naval nuclear power. But as Marvel Comics creator Stan Lee’s modern proverb warns us, “With great power comes great responsibility.” Every modern power wants what Australia will soon have: safe, fast, rugged, and silent attack submarines without the limitations inherent in their diesel-electric counterparts. As the NNPP said, “Simply put, no other warfighting platform can match the stealth, endurance, mobility, and the mix of capabilities that [U.S.] SSNs bring to the battle.” It is for this reason that the U.S. Department of Energy (DOE) - Department of Defense (DoD) Classification Guide for the Naval Nuclear Propulsion Program (CG-RN-1) states, “Naval Nuclear Propulsion Program technology is among the most sensitive and valuable military technologies currently in use in the United States.”
Protecting this technology is a national security challenge that, while in compliance with U.S. export controls, is truly unique because the stakes are high. Were an adversary to obtain the means to produce such cutting-edge nuclear vessels, the U.S. and U.K. advantage, and Australia’s future advantage, would soon give way to technological advancement by near-peer adversaries, shifting the balance of power against the AUKUS allies.
In order to protect its technological advantage in this field, the U.S. has placed stringent controls on a category of information called Naval Nuclear Propulsion Information (NNPI). For purposes of AUKUS, NNPI is:
classified information and unclassified information concerning the design, arrangement, development, manufacture, testing, operation, administration, training, maintenance, or repair of the propulsion plants of naval nuclear-powered vessels and prototypes, including the associated shipboard and shore-based nuclear support facilities.
Australia currently has none of its own NNPI, but plans to use the technologies of its AUKUS Partners to develop the SSN-AUKUS class. Therefore, it is not surprising that Australia currently has no bespoke protections for NNPI other than its existing export control laws and its commitment in the AUKUS partnership that Australia shall protect its Partner Nations’ NNPI just as stringently as the originating Partner Nation protects its own NNPI. Further, the Australian bills drafted in support of AUKUS, such as the Australian Nuclear Power Safety Bill of 2023, do not directly reference information security restrictions for NNPI. Australia must therefore develop a plan to protect its partners’ NNPI to meet its AUKUS obligations.
When it comes to Australia protecting U.S. NNPI as stringently as the United States does, the devil will be in the details. In the United States, NNPI is a unique creature, and even the unclassified variety of NNPI is afforded some of the more stringent protections available. U.S. Nuclear Propulsion folklore tells of a national security need to protect the “secret sauce” that makes U.S. submarines and aircraft carriers so special, counterbalanced against the difficulty of finding a sufficient supply of qualified and trustworthy shipyard workers who can obtain and maintain clearances for classified information (and the expense and delay in getting those clearances for the entire shipyard). The historic compromise solution yielded a set of special requirements for the storage and transmission of NNPI, which set the most stringent protections available for Controlled Unclassified Information (CUI) in the United States. As anyone in the U.S. who has worked with NNPI will tell you, the protections applicable to NNPI are detailed, burdensome, expensive, and sometimes redundant. They will also tell you, however, that these protections are there for good reason: our maritime superiority is worth the candle.
There is a legal basis for these special requirements for U.S. NNPI, although it may be hard to research as a diligent search of both the United States Code and the Code of Federal Regulations yields no specific results concerning the protection of NNPI. In the United States, there is a category of CUI called “CUI Specified,” defined at 32 CFR 2002.4(r). NNPI falls into this category because another authorizing law contains its specific handling controls. The specific statutory authority for protecting NNPI is found at 50 U.S.C. § 2511, which codifies Executive Order 12344. E.O. 12344, in turn, gives the Director, NNPP, responsibility for “administration of the Naval Nuclear Propulsion Program, including oversight of program support in areas such as . . . security . . . [and] public information . . . .” Under this statutory authority, by way of the Executive Order, the NNPP issued OPNAVINST N9210.3, a 66-page detailed instruction that covers everything from the appropriate access of NNPI, to the information technology requirements for handling NNPI, to the appropriate and secure disposal of NNPI.
While this regulatory structure may seem to some like pro forma bureaucratic red tape, there is nothing further from the truth. Near-peer adversaries, such as China, have made significant investments in espionage using open sources from the Pentagon, its contractors, and others. Further, as it pertains to cyber security and information technology protections, both Russia and China are highly capable in the realm of cyber-espionage. Classified United States military technologies have been compromised due to cyber-espionage, including data on the Lockheed Martin Corporation F-22 Raptor, the F-35 Joint Strike Fighter, and the Boeing V-22 Osprey. Our adversaries want the military technology that we have, and they have succeeded in getting information on other U.S. military technologies. But, to the best of our knowledge, they have failed to do so with NNPI. That is no accident, but rather a result of the stringent protections which control NNPI’s use, physical and electronic storage and transfer, and disposition.
Further, the types of materials protected are subject to informed decisions. Because a nuclear engineer would know the information which an adversary could use to reverse-engineer aspects of U.S. nuclear technologies, the U.S. Navy relies on nuclear engineers to inform its information protection requirements present in its classification guide, the CG-RN-1. In this geopolitical climate, such caution is warranted.
NNPI protection is serious business. U.S law prohibits the unauthorized transfer of both classified and unclassified NNPI, and U.S. courts have imposed serious penalties for mishandling NNPI, including at least one prison sentence for the mishandling of unclassified NNPI.
To date, the Australian government appears not to have incorporated the basic substance of OPNAVINST N9210.3 requirements into its own laws, and neither has it referenced future information security regulations for the protection of NNPI. Under AUKUS, Australia arguably has an obligation to understand and implement the substance of OPNAVINST N9210.3. Those implementing AUKUS on the Australian side, as well as Australian businesses seeking to support the AUKUS mission, should be required to familiarize themselves with the provisions of OPNAVINST N9210.3 as a way to ensure that Australia fulfills its AUKUS obligation to afford U.S. NNPI just as much protection as it is afforded by the United States. Australian laws and regulations concerning NNPI must be forthcoming, and businesses operating in this vital sector should be aware of these requirements and their nuances as they roll out from Australian regulators. Australian companies competing for future work under AUKUS Pillar I, and those doing business with these companies, should also, at the very least, retain an IT professional to advise on the more complex protections required for electronically stored NNPI. That stated, even with the help of a reputable IT expert or legal counsel in the field, the requirements can be confusing and may necessitate consultation with the U.S. and/or Australian government officials charged with administering NNPI regulations.
Alternatively, Australian companies could consider a partnership or other contractual relationship with a U.S. company already familiar with NNPI protections to benefit from their expertise. Such diligence will serve to protect Australian citizens, the country’s investment, and its commercial stakeholders, today and well into the future.
Special Thanks to Dr. Patrick Quirk, Australian Catholic University Thomas More Law School, and Fred Shaheen, Gibraltar LLC, for their contributions to this article.
Note from the Editor: The Federalist Society takes no positions on particular legal and public policy matters. Any expressions of opinion are those of the author. We welcome responses to the views presented here. To join the debate, please email us at [email protected].