nuclear-news

Apocalypse now? Cyber threats and nuclear weapons systems, European Leadership Network  Julia Berghofer |Policy Fellow and Project Manager for the YGLN,  10 May 19, It is accepted that all states are vulnerable to cyber threats. Yet, a majority of states have yet to develop coherent cyber strategies or implement sufficient preventive measures. Despite the increase in severe cyber incidents directed at national power plants, companies and nuclear-related military equipment, the threat of cyber interference in national nuclear weapons systems is not being properly tackled. With multinational nuclear supply chains and nuclear command and control systems at risk of being compromised, this must be urgently addressed.

The more complex, the more vulnerable

Governments and legislators are struggling to keep pace with the rapid development of cyber capabilities. As military systems become more technically complex it would be easy to assume that they are more secure. The opposite is true. Increased automation and connectivity increases vulnerabilities to cyber attacks. Measures such as air-gapping a system (ie. de-connecting it from the internet) can fall short. A recent US Government Accountability Office (GAO) report assessed the cyber security of US weapons systems and found “mission critical cyber vulnerabilities in nearly all weapons systems […] under development.“ While the report does not make reference to any specific system type, one can reasonably assume that nuclear weapons systems are vulnerable to cyber attacks.

Possible kinds of cyber attacks

Cyber attacks can take many forms. Activities range from cyber espionage, data theft, infiltration of nuclear command, control and communications (NC3), denial of service/distributed denial of service (DoS/DDoS) attacks, false alarms (jamming and spoofing), sabotage and physical damage. When directed against nuclear weapons systems, in the worst possible case this may escalate to a deliberate or inadvertent exchange of nuclear weapons.

Another area of concern is the supply chain, comprised of any hardware and software components belonging to the nuclear weapons system, including NC3, platforms, delivery systems and warheads. The supply chain usually includes a string of companies and providers located in different countries with varying cyber security standards, which means there is room for manipulation and sabotage. Take, for instance, a computer chip produced in country A. If a vulnerability were inserted at the production stage it could then be remotely activated at a later point when the chip is integrated into the military system of country B. If the attacker happened to be an “insider“ with unlimited access to a military site, compromising military equipment could be easier. This could be done for instance through an infected USB drive when security standards in a military facility happen to be low, leaving the victim of the attack unaware of the manipulation up until it is too late.

 Limited awareness of cyber risks to nuclear systems

There is a lack of awareness within the expert community and among decision-makers and a reluctance by states to implement measures such as common cyber security standards and the sharing of information on vulnerabilities. Among the nuclear weapons states, only in the United States have high-ranking officials, such as Gen. Robert Kehler (ret.) and Air Force Gen. John Hyten (STRATCOM), in two Senate Armed Service Committee hearings in 2013 and 2017 expressed their concerns about a potential cyber attack affecting the U.S. nuclear deterrent. One reason why decision-makers and governments are unwilling to take these steps could be that it seems too unrealistic or improbable a threat, merely belonging to the worlds of science fiction and doomsday scenarios. But there is no reason to assume that the warnings of the GAO, the U.S. 2017 Task Force on Cyber Deterrence or the Nuclear Threat Initiative (NTI) are exaggerated.

Certainly, there has not yet been a major cyber attack on a state-run nuclear weapons programme – at least none we have publicly heard of. But there are a string of examples of cyber interference in nuclear installations or parts of the supply chain related to them. These include: the Stuxnet attack in 2010 affecting over 15 Iranian nuclear facilities which slowed down the development of Iran’s alleged nuclear weapons programme; a massive cyber attack on Lockheed Martin in 2009 during which thousands of confidential files on the U.S. F35 Lightning II fighter aircraft were compromised by hackers (they were also able to see information such as the location of military aircraft in flight); the 2017 hacking of the THAAD missile defence system in South Korea; the 2009 Conficker Worm attack on the French Marine Nationale; a 2011 cyber espionage campaign on the French nuclear company Areva; and deep worries over the WannaCry virus possibly targeting parts of the UK Trident system in 2017.

What should decision-makers and policy-makers do?