Cyber Threats and Nuclear Weapons: Assessing Risks

Cyber Threats and Nuclear Weapons: Assessing Risks, Insights from Herbert Lin. The Diplomat By Mercy A. Kuo, December 20, 2021 Trans-Pacific View author Mercy Kuo regularly engages subject-matter experts, policy practitioners, and strategic thinkers across the globe for their diverse insights into U.S. Asia policy. This conversation with Dr. Herbert S. Lin – senior research scholar for cyber policy and security at the Center for International Security and Cooperation and Hank J. Holland Fellow in Cyber Policy and Security at the Hoover Institution, both at Stanford University, and author of newly published “Cyber Threats and Nuclear Weapons” (Stanford University Press, 2021) ̶ is the 301st in “The Trans-Pacific View Insight Series.”

Define key elements of the U.S. nuclear enterprise.

The nuclear enterprise consists of everything that touches nuclear weapons issues, including nuclear weapons design and stewardship; nuclear delivery systems (e.g., missiles, submarines, bombers); nuclear command, control, and communications (NC3); nuclear planning and decision-making; and nuclear operations. Information technologies (also known as computing and communications technologies) are critical for all of these elements of the nuclear enterprise.

Identify plausible cyber risk scenarios of the U.S. nuclear enterprise. irst, an adversary may conduct a deliberate cyberattack against some element(s) of the U.S. nuclear enterprise that could compromise the U.S. ability to use its nuclear weapons when appropriate (e.g., in retaliation). A report from the U.S. Government Accountability Office probed cyber vulnerabilities in U.S. weapons systems (including some nuclear systems), noting that the Department of Defense routinely finds mission-critical cyber vulnerabilities during operational testing of weapons systems that are under development, pointing out that “using relatively simple tools and techniques, testers were able to take control of systems and largely operate undetected.” Exploitation of such vulnerabilities could cripple nuclear weapons delivery systems on the ground or in flight.

The 2018 Nuclear Posture Review also identifies adversary offensive cyber capabilities as creating new challenges and potential vulnerabilities for U.S. NC3, calling out challenges to network defense, authentication, data integrity, and secure, assured, and reliable information flow. Compromises to NC3 could disconnect the National Command Authority from U.S. nuclear forces, fail to provide warning of incoming nuclear attack, or falsely signal the existence of a nuclear attack.

A second type of cyber risk arises from the integration of nuclear and nonnuclear capabilities, which is often enabled by computing and communications technology. Such integration likely raises the risk of inadvertent nuclear escalation in times of conflict. For example, integrating nuclear and conventional systems confers operational advantages in warfighting, and is also generally less expensive than acquiring separate nuclear and conventional systems. But such advantages trade off against an increased possibility that cyberattacks directed against a dual-purpose system for non-nuclear reasons could be interpreted by U.S. decision-makers as an attack on U.S. nuclear capabilities, especially if those cyberattacks are coming from another nuclear power. Thus, they may feel more pressure to escalate up the nuclear ladder.

A second scenario is based on the fact that cyberattacks and cyber espionage/intelligence gathering use the same penetration techniques and differ only in what they seek to accomplish. Thus, any given cyber penetration carries with it an unknown potential for attack, for intelligence gathering, or both. A cyber penetration from China or Russia detected in U.S. NC3 system could be part of a relatively benign attempt to gather intelligence, or it could be the start of a serious cyberattack that is intended to degrade NC3. But it is impossible for U.S. decision-makers to know China’s or Russia’s intention before we observe the actual results of the penetration. If the United States detects a cyber penetration of its NC3 during a crisis or during the initial phases of a kinetic conflict, U.S. decision-makers may jump to a worst-case assessment.

Analyze the capabilities of China and North Korea in generating cyber nuclear risks.

Chinese and North Korean capabilities to generate cyber risks to the U.S. nuclear enterprise are not known in the unclassified literature. However, it is known that Chinese offensive cyber capabilities are world-class, and North Korea’s capabilities are substantial, even if not necessarily on a par with China’s at every level and for every contingency.

Furthermore, certain operational scenarios involving China in particular implicate a number of dual-purpose systems. ……………. https://thediplomat.com/2021/12/cyber-threats-and-nuclear-weapons-assessing-risks/