Every day, it seems, news of another cyber breach emerges. From huge entertainment companies to credit agencies to fast-food operations, cyber attackers are doing their dirty work and putting the public at risk. Name a company—Sony, Experian, Blue Cross Blue Shield, Arby’s, Saks Fifth Avenue—and it has been victimized. The implications are staggering—recent disclosures show that a 2013 attack on Yahoo e-mail compromised 3 billion accounts. Governments and government systems also have been hit, including the US Office of Personnel Management. In that 2015 incident, hackers targeted millions of people’s Social Security numbers and other personal information.
Given the frequency and scope of cyber threats and cyberattacks worldwide, it’s easy to imagine waking up one day to find even more frightening headlines. What if the targets compromised in a cyberattack were not just e-mail accounts or even banking systems, but nuclear weapons (or related systems)? What if:
A nuclear watch officer’s computer screens indicated that nuclear missiles were on the way? Could the officer be sure that she wasn’t the victim of a cyber-spoof? How would she respond?
Military officials were unable to communicate with the men and women controlling US nuclear weapons during an international security crisis? What would they think had happened? How would they respond?
Officials discovered malware on a nuclear-critical system—and suspected that it was just the tip of a cyber iceberg?
Unfortunately, these scenarios are all too plausible. Many experts believe it’s only a matter of time before truly devastating cyberattacks are mounted against critical civilian infrastructure—or even key military systems. Nuclear weapons and related systems, like all digital systems, are vulnerable to cyberattack. Though nations give the highest priority to the security of nuclear weapons systems, a successful cyberattack is possible and could be catastrophic. (Systems related to nuclear weapons include those involved in delivery, communication, planning, warning, and the like; nuclear weapons, along with these related systems, can be called “nuclear weapons systems” for short.)
Cyberattacks could compromise nuclear planning or delivery systems, interrupt critical communications, lead to false warnings of attack, or potentially even allow an adversary to take control of a nuclear weapon. Indeed, an increasing risk of cyberattacks could undermine confidence in nuclear deterrent forces—generating uncertainty about whether a nuclear-armed state could both assure the authorized use of its nuclear weapons and prevent their accidental, mistaken, or unauthorized use. (A “disabling” attack could prevent authorized use of a nuclear weapon; an “enabling” attack could lead to unauthorized nuclear use.) Such uncertainty could jeopardize strategic and crisis stability.
If the threat doesn’t feel vivid yet, consider the following hypothetical scenarios.
Scenario 1. Seeking to start a nuclear war, a terrorist organization uses a cyberattack to disrupt a nation’s early warning systems and credibly spoof a large nuclear attack by a rival government. National decision makers would have to rapidly determine the appropriate course of action, perhaps with erroneous information flowing from the warning system.
Is this plausible? Although warning systems are well protected, two real-life incidents have served as wake-up calls regarding their technical fallibility: the 1980 failure of a NORAD computer chip, which resulted in a false warning about an incoming nuclear attack; and, in 1983, a Soviet computer’s misidentification of sunlight reflecting off clouds as five incoming missiles. These incidents weren’t deliberately caused, but it is conceivable that similar effects could be caused deliberately by a cyberattack.
Scenario 2. In preparation for a nuclear attack (or perhaps as part of an extortion attempt), an adversary government uses cyberattacks to disrupt vital communications—between or among officials, operators, and nuclear systems themselves—eliminating the possibility of retaliation.
Is this plausible? In 2010, US launch-control officers lost communication with a squadron of 50 nuclear-tipped intercontinental ballistic missiles in Wyoming for 45 minutes. Although this incident was the result of a technical malfunction, a similar effect could be caused by a “distributed denial-of-service” attack such as occurred during the 2015 cyberattack on Ukraine’s power grid. As part of that attack, hackers executed a distributed denial-of-service attack against the power company’s customer-service phone lines to prevent the transmission of information about the power outage.
Scenario 3. Seeking to compromise an adversary’s nuclear deterrent, and exploiting vulnerabilities in the adversary’s supply chains, a nation-state places malware on a key nuclear weapon delivery platform. During an escalating crisis, it communicates that it has done so. In this situation, decision makers would have to consider whether and how to react as they tried to determine whether the problem was targeted or widespread and whether additional flaws might exist.
Again, is this scenario plausible? Concerns over supply-chain security have been highlighted in industries related to nuclear weapons. In March 2016, the Air Force Studies Board convened a workshop on the issue as it related to procurement of electronic components. Presenters from across industry confirmed not only that the defense supply chain can be compromised, but that serious concerns exist about insertion of malware into manufactured parts.
Although many key components related to nuclear weapons are produced in secure foundries, it is not safe to assume that all components are immune from supply chain vulnerabilities. For example, the National Nuclear Security Administration notes that “the trend toward a non-domestic supply chain for components of nuclear weapons and related systems may pose risks to these weapons and systems.” The sheer complexity of these systems opens the door to the introduction of vulnerabilities at various points in the supply chain.
Technical measures aren’t enough. Fortunately, these scenarios are just thought experiments today. But what do they teach us?
First, nuclear weapons and related systems are complex, and they present attackers with many and varied targets. A weapon’s cybersecurity vulnerabilities don’t just involve the weapon itself; they also involve communication systems, delivery platforms, and even planning systems. Some key systems—for example, power grids—are not even owned by the government, yet they could directly affect key nuclear systems.
Second, technical solutions alone are not enough. Technical measures to secure nuclear weapons and other critical digital systems are being aggressively pursued, but the enormous and growing complexity of these systems means that completely eliminating the risk of a cyber breach into a nuclear weapons system may never be possible. Individuals and organizations responsible for the security of nuclear arsenals—though this approach may seem counterintuitive—must seek additional, non-technical ways to reduce the cyber risk to the greatest extent possible.
Third, the increasing cyber threat to nuclear weapons systems necessitates a broad re-examination, in the United States and other countries with nuclear weapons, of these nations’ nuclear doctrines, policies, postures, structures, procedures, and technological bases. It should not be surprising that a re-examination is due—theories of nuclear deterrence and strategic stability, and consequently the role of nuclear weapons, were developed in an era when cyber threats did not exist. It is therefore time to ask whether and how cyber threats affect the continued viability of nuclear deterrence. How do cyber threats impact strategic stability? And will cyber threats require a change in assumptions regarding the role of nuclear weapons in international security?