Last month the General Accountability Office announced that parts of the command and control system used to manage US nuclear weapons rely on eight-inch floppy disks, an IBM Series/1 computer, and other hardware that is more than 50 years old. So old in fact that many parts for these systems have long since ceased to be manufactured or stocked. Although the Strategic Automated Command and Control System (or SACCS)—which is used, in part, to send and receive Emergency Action Messages to nuclear weapons systems and their operators—is not the only so-called legacy system in use across the US government, it is without doubt the one that would create the most severe consequences, should it go wrong. That this system has not been fundamentally overhauled since the 1960s, while billions of dollars have been spent on a wide variety of new nuclear weapons and delivery platforms, also raises serious concerns that the system would work as expected, if and when it was ever required.
To be sure, the nuclear command and control apparatus is now undergoing a comprehensive upgrade; legacy systems and out-of-date technologies are being retired and replaced with the latest digital hardware and software. Floppy disks, primarily associated with the communications aspect of nuclear command and control, are due to be replaced with secure digital cards by the end of 2017, and the whole modernization plan is scheduled for completion by 2020. The stated aim is to take advantage of the considerable benefits offered by high-speed networking, processing power, and net-centric interoperability. This infrastructure refurbishment will also allow for the development of a full spectrum of integrated strategic missions, involving not just different nuclear attack plans, but also military operations that incorporate new conventional prompt-strike technologies, cyber capabilities, and ballistic missile defense.
The basis of these new capabilities is ISPAN, the Integrated Strategic Planning and Analysis Network, which will provide planning capabilities and support to the strategic deterrence mission and global strike program for US Strategic Command (STRATCOM). Implementation of ISPAN began in 2004, and when this and other upgrade programs are complete, they will allow rapid planning, targeting, and bespoke mission solutions for operators at STRATCOM headquarters near Omaha, Nebraska, drawing on a wide spectrum of sensors.
But even in this digital age—during which society prides and even defines itself on using the latest, fastest, most advanced technology—there are many reasons to be careful about what we wish for when it comes to modernizing the nuclear command and control system. More technological capability will not necessarily create a more secure world.
Is newer tech necessarily safer tech? The current US nuclear command and control system is relatively simple, and the nature of its technology makes that system fairly easy to protect, and fairly easy to monitor, so military leaders know if something has gone wrong. The false alarms at the North American Air Defense Command (NORAD) in 1979 and 1980—which suggested that the United States was under Soviet attack when it was not—might be held up as examples of problems with old cranky legacy systems. But the very fact that the crises were averted had much to do with the ability of system operators to find the problem swiftly, because they understood the system and its major processes. In one instance, in October 1979, a training tape was wrongly inserted into a computer; in June 1980, the problem was twice caused by a faulty circuit card. In neither case did the United States launch a military response.
The new command and control systems now in development will likely be fully digitized; as a result, those in charge may find it difficult keep pace with problems that arise much less train operators to recognize, diagnose, and fix them—and quickly. The planning and targeting system alone is likely to rely on many millions of lines of complex computer code that will be unfathomable to all but the most specialized of programmers. The challenge of monitoring such a network will be exacerbated as more sensors, more data streams, and more weapons systems are combined under one inclusive strategic umbrella. Such complexity also increases the risks of "normal nuclear accidents;" the theory that complex systems—particularly those that can never be fully tested—are bound to go wrong some of the time and involve unintended and often unforeseen consequences.
A greater reliance on complex, networked digital computers for the management of US nuclear weapons creates a second, perhaps more worrying problem: that these systems might somehow be hacked into and compromised so that they do not work or provide misleading information that might lead to nuclear use. Of course, the computers and networks that control US nuclear weapons are well protected and physically air-gapped from the wider internet (at least we hope they are), but this does not make them foolproof. Malware might be inserted into hardware and software during the procurement phase, or when systems are being updated and patched. It may also be possible to "jump the air gap" in the future. Such malware might be designed to either prevent systems working as planned, or to cause them to generate false information that could lead to erroneous decisions. It may be impossible to fully test the system against every conceivable type of threat posed by attackers, and some malware may be designed to initiate only when certain conditions are met. Consequently, while more networked sensors and computing power will potentially provide more opportunity to unmask false attack warnings, greater complexity and the need to process ever-increasing amounts of data accurately and quickly also provides more vulnerabilities that could be exploited by would-be attackers.
Attackers may also seek to compromise the communications systems more directly, or to spoof sensors and processors with incorrect or misleading data. Imagine for example, that hackers acquired launch-codes through (cyber) espionage, and had somehow broken into the nuclear control system and sent the go-codes to weapons digitally? While this may have the feel of the 1983 Hollywood blockbuster War Games, if these codes ever were 00000 as has been previously rumored, this may not be as difficult or as far-fetched as it may seem. Indeed, former launch officer Bruce Blair, now a research scholar at Princeton University, has warned that it is certainly not impossible that terrorists could have caused a nuclear launch through cyber and electronic means after launch centers lost their ability to detect and cancel any unauthorized launch attempts in October 2010.
This threat is likely to increase with the added complexity of systems being used for nuclear command and control; more lines of code and more hi-tech software and hardware will provide more vulnerabilities that might be exploited by attackers.
Why nuclear command and control should be simple, separate, and secure. The argument here is not that no modernization of the US nuclear command and control systems should be done—I am neither a nuclear nor a digital luddite—but rather that the modernized nuclear systems should be kept as simple as possible and remain distinctly separate from non-nuclear systems. Keeping nuclear and conventional command and control apparatus—and especially anything linked to fire control—separate would seem imperative to preventing inadvertent undesirable outcomes. Indeed, sharing command and control between nuclear and conventional weapons systems—now contemplated as part of the ISPAN implementation—unquestionably increases risks of misperception and perhaps unintended escalation during any future crisis. Attacks on US (or other states’) conventional command systems may be interpreted as attacks on nuclear command capabilities, for example. Modernization will also need to be complemented with training and education about these new systems, and particularly about the importance of good “cyber hygiene", that is, steps for users to enhance cybersecurity and general good practice when it comes to using computers. It might also be useful to have operators with a background in computer programming and network security in control of these weapons systems.
In the realm of nuclear command and control, modernization is a doubled-edged sword. It will undoubtedly deliver increases in functionality, speed, and options, but it will also make these systems more complex, difficult to protect, and, possibly, more vulnerable to those seeking to interfere with them.
Keeping the nuclear command and control system simple, separate, and secure may not seem very sexy in today’s digital world of extraordinary technological advance, but it might be the best way to minimize miscalculation, accidents, and even unauthorized use of nuclear weapons. Thus, while modernization of nuclear control systems is to be welcomed, planners need to think long and hard about just what this system should do, and particularly the wisdom of commingling the apparatus used for nuclear, conventional, and, increasingly, cyber operations. Keeping this system simple and separate also helps reinforce the notion that modernization is not secretly designed to enhance nuclear usability. As the old adage goes, "If it ain't broke, don’t fix it."
The Bulletin elevates expert voices above the noise. But as an independent nonprofit organization, our operations depend on the support of readers like you. Help us continue to deliver quality journalism that holds leaders accountable. Your support of our work at any level is important. In return, we promise our coverage will be understandable, influential, vigilant, solution-oriented, and fair-minded. Together we can make a difference.