According to a new report from the Nuclear Threat Initiative (NTI), Cyber Nuclear Weapons Study Group, US nuclear weapons can’t be effectively protected against cyberattacks with technical means alone.
“Any system containing a digital component, including nuclear weapons, is vulnerable to cyber threats,” Page Stoutland, NTI’s vice president for scientific and technical affairs, said.
In a report about cyber threats to nuclear weapons security, just presented in Moscow and titled “Nuclear Weapons in a New Cyber Era,” NTI analysts warn that with the development and spread of digital technology, attacks in the information space are getting increasingly dangerous, making even the US defense systems vulnerable to cyberattacks. According to the report, which is based on the results of a 2013 survey conducted by the US Defense Department, the military command may face false warnings about an attack or lose confidence in their ability to control US forces and assets.
“Losing control over power grids as a result of cyberattacks is a serious danger to nuclear weapons.” (Page Stoutland)
The most dangerous consequences of a cyberattack on a country’s system of nuclear deterrence are as follows: first, it can target the early warning system (EWS) and simulate a nuclear attack, which could prompt a very real retaliatory strike. Secondly, experts do not rule out the possibility of unauthorized use of nuclear weapons as a result of cyber and physical attacks disabling security measures. The authors of the report, however, consider a false order for the release of nuclear weapons resulting from a hacked control system less likely. Thirdly, a cyberattack can disrupt the chain of command transmission and international communication channels. And last, but not least, damage could be done as early as the production stage, if errors or malware are introduced into the software.
“Protection requires not only technical excellence, but also a new strategy that takes into account cyber threats that did not exist at the time when nuclear weapons were being developed.” (Page Stoutland)
The four worst post-cyberattack scenarios being considered by experts include attacks on early-warning systems (radar and satellites), security systems, communications, and production chains. According to the authors of the “Nuclear Weapons in a New Cyber Era” report, false information about a nuclear attack, as well as a disruption of communication channels as a result of cyberattacks, could lead to a “retaliatory” or a preventive nuclear strike. Security and physical protection system hacks could result in the theft of nuclear weapons. Insertion of malware into manufactured parts undermines confidence in the predictability of nuclear deterrence. The authors warn that a loss of confidence in one’s ability to prevent an enemy nuclear attack with nuclear deterrence tools could have serious negative consequences for strategic stability.
“In 1980, the failure of a NORAD computer chip resulted in a false warning about an incoming nuclear attack.” (Page Stoutland)
Experts are convinced that because no improvements in cyber security will be enough to completely eliminate the threat, increasing the decision time would be the right way to go. This requires efficient systems and processes to either confirm or discard data from DSS and other sources. To increase decision-making time after information about a nuclear missile launch against the US has been received, the authors propose the following scenario: if the warning has been confirmed as accurate, and the source of the missile launch has been duly determined, the president orders a deferred retaliatory strike. The drawbacks of this approach, the report warns, are a delayed response, less headroom for maneuvering and overdependence on automation, as well as the risk of information about the order for a retaliatory strike leaking out, which itself could provoke a nuclear attack by the adversary.
“In 2010, US launch-control officers lost communication with a squadron of 50 nuclear-tipped intercontinental ballistic missiles for 45 minutes.” (report)
Another way of reducing the cyber threat would be to limit the use of cyberattacks against nuclear weapons.
The authors advise the military and political leadership, as well as officials at a lower level, to fully realize that cyberattacks against nuclear systems are fraught with the risk of an unintentional catastrophe. Therefore, to avoid a disaster, they need to work out clear-cut rules of the game. Difficult as the verification of these rules may be, the experts still believe that the mere presence of such norms would prevent an escalation, as, according to them, suspicion would initially fall on non-state players, who never signed the agreement.
Obviously, these decisions are possible only in cooperation with other countries and with a great deal of mutual trust and concerted steps. Aware of this, the authors propose starting a discussion on cyber security, between Russia and the US, and between China and the US, against threats posed by such non-state players and third parties, who might initiate any of the above-mentioned scenarios and be interested in their negative consequences.
From our partner International Affairs