In July 2020, Chatham House released the “Ensuring Cyber Resilience in NATO’s Command, Control and Communication Systems” information and analytical report. It covers a series of aspects, including the mutual dependence between NATO’s command, control and communication systems (NC3) for its conventional and nuclear capabilities, and the legal consequences of an attack on dual-purpose command and control systems. The crucial issue under consideration is the cybersecurity of command, control, and communication systems of NATO’s nuclear capabilities: more than half of the report’s substantive part focuses on this. In addition to the prominent place and much attention given to this issue, its importance for the authors (the report has three co-authors: Yasmin Afina, Calum Inverarity and Beyza Unal) is underscored by their previous publications on this topic. In particular, Dr Beyza Unal, a Senior Research Fellow of Chatham House’s International Security Programme, has, over the last few years, co-authored such reports as “Cybersecurity of Nuclear Weapons Systems: Threats, Vulnerabilities and Consequences ” (2018), “Cybersecurity of NATO’s Space-based Strategic Assets” (2019), “Perspectives on Nuclear Deterrence in the 21st Century” (2020).
It appears that an overall assessment of this report should be based on its co-authors’ effectiveness in achieving their declared objective. They state, “This paper will identify, raise awareness of, and help reduce risks to NATO’s nuclear weapon systems arising from cybersecurity vulnerabilities. It aims to respond to the need for more public information on cyber risks in NATO’s nuclear mission, and to provide policy-driven research to shape and inform nuclear policy at member-state level.” The report partly achieves these objectives to the extent possible under the current restrictions. In particular, as the co-authors themselves note, this is a classified topic, so only open sources can be used and, accordingly, the information at the authors’ disposal may be outdated and/or incomplete. The authors tried to offset this problem by involving experts and former officials with knowledge of the subject. Even so, this approach does not provide a complete solution.
On the whole, this report has been prepared at a quite high methodological level, as is attested by the well-structured narrative and the authors having used a large corpus of both official documents and research that also solidly substantiate the recommendations offered. The authors consider five aspects that affect cybersecurity of the command, control, and communication systems: network and software protection, protecting data integrity, hardware protection, access/security controls and cybersecurity awareness/security by design. The report contains several points that prompt readers’ agreement, such as that, as cutting-edge technologies are used increasingly in command and control systems, these systems grow more vulnerable and that there are no invulnerable systems. Additionally, the authors rightly point out that new technologies (such as quantum computing) may create novel risks. Additionally, special mention should be made of the detailed overview of NATO’s command and control structure covering all the principal operational grounds (air, ground, and water). Appendices to the report also contain overviews of potential special interest to experts of the command, control and communication systems of the USA, UK, and France’s nuclear forces.
At the same time, the manner in which the report considers NC3 problems as applied to nuclear capabilities is flawed in several respects. Let us detail the most important of these. First, the authors claim that the responsibility for ensuring the cybersecurity of command, control and communication systems lies with all NATO members, not only with nuclear powers. This point invites debate. The authors themselves note that “the US is the only NATO member to have earmarked nuclear weapons … for the purpose of nuclear sharing in the context of NATO. … So it is inevitable that the NC3 system in the place within NATO is inextricably linked to the USA’s own NC3 system.” Curiously, the authors cite a report by the United States Government Accountability Office, but they do not indicate that the report mentions “mission-critical cyber vulnerabilities” in virtually all major programmes for acquiring weapons and equipment tested in 2012–2017. The media reported that the systems under review included two elements of the nuclear triad: future Columbia-class submarines and Ground Based Strategic Deterrent missiles intended to replace Minuteman III ICBMs. In view of this, the authors could have recommended that nuclear powers assume the principal responsibility for the cybersecurity of relevant NC3 systems. Although the report emphasises the mutual connections between NC3 systems for conventional and nuclear weapons, the real scale of this phenomenon remains under-researched.
Second, the authors note that new technologies could help resolve the problem of data integrity (using, among other things, modelling and simulation techniques and big data analysis) and of decision-making within a very short time-frame. Indeed, the problem of cutting decision-making time is topical today, especially with respect to strategic stability, and states view artificial intelligence (AI) as a means for resolving it. For instance, “improving situational awareness and decision-making” is one AI task identified in the 2018 Department of Defense Artificial Intelligence Strategy. The authors of the Chatham House report point out that “at times, new technology (AI with machine learning techniques, for instance) may challenge NC3” and specify that data used in machine learning could be corrupted specifically to ensure subsequent system malfunction. The danger pointed out in the report appears to be part of a whole range of problems related to using AI for military purposes. It is quite obvious, among other things, that AI systems constitute a hardware-software complex vulnerable to cyberattacks. Additionally, the research showed that, to provoke AI mistakes, no interference in the learning process is required: specifically rigged data could result in malfunctioning of an already functioning system. Such attacks could be seen as attacks of a new, cognitive type intended to make use of flaws in the ways AI processes information. Current cybersecurity means do not appear up to the task of counteracting such threats.
Third, the authors note that attribution and response are measures for counteracting cyberattacks. The report also states that “NATO members’ NC3 architecture is secure and reliable is of particular importance for deterrence purposes. Even when the Alliance’s NC3 systems are under attack, all member states should be able to demonstrate their detection, forensics and response capabilities…” The report fails, however, to make any mention of the fact that, as of today, no international legal mechanisms have been created as a framework for considering and assessing dangerous ICT incidents; equally, there is no system in place for recording the facts related to those incidents. Many famous cases of establishing the culpability of a particular state in various ICT-related incidents resorted to so-called “public attribution”: in the absence of legally significant facts and due process, the guilty party was “appointed” on the basis of political considerations and subjected to various measures. A rapid and precise ICT attribution has been and is a rather labour-intensive procedure. The authors state that “offensive cyber capabilities are without doubt highly sophisticated at present, and such capabilities are in the hands of a small number of actors.” One can hardly agree with this statement since, in some estimates, over 60 countries have cyber weapons today. It is very difficult to assess how sophisticated a particular country’s capabilities are. The number of actors in possession of cyber weapons keeps growing, this making attribution even more difficult and entailing higher risks of misinterpretation and incorrect response. NATO is already known to view cyberspace as a fully-fledged operational ground and the Alliance is building up its military potential in cyberspace, while several of its member states have already formed specialised military units.
Finally, the report’s principal flaw is that it virtually ignores entirely the multilateral nature of controlling and reducing nuclear arms and reducing the danger of accidentally unleashing a nuclear war through, among other factors, cyber interference. According to current assessments, Russia and the US account for 90% of the world’s nuclear arsenal, so they appear to have a special role in maintaining global peace and security. Strategic stability essentially means strategic relations between the powers that remove incentives for a nuclear first strike.  bearing that in mind, one could draw parallels with protecting launchers: by default, their vulnerability creates an incentive for a first strike. Vulnerabilities in control and command of nuclear capabilities create similar incentives. Such vulnerabilities should not be removed unilaterally since, if one party to the confrontation has a high cyber defence level, this, too, creates an incentive for a first strike preceded by a cyberattack against the potential adversary’s command and control systems.
Finding a solution to the problem of ensuring the cybersecurity of nuclear capabilities and developing such mechanisms to rule out accidental escalation goes beyond NATO. Here, it would be apposite to recollect that, even at the peak of the Cold War, the communications channels between the two superpowers remained open and the urgent issues were discussed at all levels. The “Joint Statement by the Presidents of the United States of America and the Russian Federation on a New Field of Cooperation in Confidence Building” was signed less than ten years ago, in 2013. This statement touched upon certain aspects of cooperation in protecting critical information systems. It also laid the foundations for developing mechanisms for reducing cyberspace threats. Today, there is no such cooperation; moreover, since 2017, the US has imposed prohibitive restrictions on concluding any cybersecurity cooperation agreement with Russia.
It appears that, despite the report’s merits and its informational and analytical value, what essentially nullifies all of the recommendations it contains is the fact that it does not even hint that certain mutual steps for reducing cyber risks should be worked out jointly with other nuclear states, including those that have been openly labelled “unfriendly.” One of the few paragraphs dedicated to Russia (and China) states that “NATO should also address the cyber risk that comes with the procurement of military equipment from countries that are not friendly to NATO (e.g., Russia or China).” In order to reduce the risk of misinterpretation and rapid escalation, the report recommends conducting “an assessment of how adversaries think about command and control.” Since the report is positioned as a source of information for decision-makers, such an ideological slant toward creating an “enemy image” will hardly prove useful in developing long-term policies, especially given the current acute lack of international confidence.
 Soviet-United States Joint Statement on Future Negotiations on Nuclear and Space Arms and Further Enhancing Strategic Stability. State Visit of USSR Secretary General Mikhail Gorbachev to the United States of America. May 30 – June 4, 1990 (in Russian) // Documents and Materials. (in Russian) Moscow: Politizdat, 1990, p. 335.
From our partner RIAC