Cyber Threats And Nuclear Weapons Systems

Uploaded on 2019-05-30 in GOVERNMENT-Defence, FREE TO VIEW, TECHNOLOGY--Hackers

It is accepted that all states are vulnerable to cyber threats. Yet, a majority of states have yet to develop coherent cyber strategies or implement sufficient preventive measures. 

Despite the increase in severe cyber incidents directed at national power plants, companies and nuclear-related military equipment, the threat of cyber interference in national nuclear weapons systems is not being properly tackled.

With multinational nuclear supply chains and nuclear command and control systems at risk of being compromised, this must be urgently addressed.

The more Complex, the more Vulnerable

Governments and legislators are struggling to keep pace with the rapid development of cyber capabilities. As military systems become more technically complex it would be easy to assume that they are more secure. The opposite is true.

Increased automation and connectivity increases vulnerabilities to cyber-attacks. Measures such as air-gapping a system (i.e. de-connecting it from the internet) can fall short.

A recent US Government Accountability Office (GAO) report assessed the cyber security of US weapons systems and found “mission critical cyber vulnerabilities in nearly all weapons systems […] under development.”

While the report does not make reference to any specific system type, one can reasonably assume that nuclear weapons systems are vulnerable to cyber-attacks.

Possible kinds of Cyber-Attacks

Cyber-attacks can take many forms. Activities range from cyber espionage, data theft, infiltration of nuclear command, control and communications (NC3), denial of service/distributed denial of service (DoS/DDoS) attacks, false alarms (jamming and spoofing), sabotage and physical damage. When directed against nuclear weapons systems, in the worst possible case this may escalate to a deliberate or inadvertent exchange of nuclear weapons.

Another area of concern is the supply chain, comprised of any hardware and software components belonging to the nuclear weapons system, including NC3, platforms, delivery systems and warheads.

The supply chain usually includes a string of companies and providers located in different countries with varying cyber security standards, which means there is room for manipulation and sabotage.

Take, for instance, a computer chip produced in country A. If a vulnerability were inserted at the production stage, it could then be remotely activated at a later point, when the chip is integrated into the military system of country B. If the attacker happened to be an “insider” with unlimited access to a military site, compromising military equipment could be easier.

This could be done for instance through an infected USB drive when security standards in a military facility happen to be low, leaving the victim of the attack unaware of the manipulation up until it is too late.

Limited awareness of Cyber Risks to Nuclear Systems

There is a lack of awareness within the expert community and among decision-makers and a reluctance by states to implement measures such as common cyber security standards and the sharing of information on vulnerabilities.

Among the nuclear weapons states, only in the United States have high-ranking officials, such as Gen. Robert Kehler (ret.) and Air Force Gen. John Hyten (STRATCOM), in two Senate Armed Service Committee hearings in 2013 and 2017 expressed their concerns about a potential cyber-attack affecting the US nuclear deterrent.

One reason why decision-makers and governments are unwilling to take these steps could be that it seems too unrealistic or improbable a threat, merely belonging to the worlds of science fiction and doomsday scenarios. But there is no reason to assume that the warnings of the GAO, the US 2017 Task Force on Cyber Deterrence or the Nuclear Threat Initiative (NTI) are exaggerated.

Certainly, there has not yet been a major cyber-attack on a state-run nuclear weapons programme – at least none we have publicly heard of.

But there are, a string of examples of cyber interference, in nuclear installations or parts of the supply chain related to them.

These include: The Stuxnet attack in 2010 affecting over 15 Iranian nuclear facilities which slowed down the development of Iran’s alleged nuclear weapons programme; a massive cyber-attack on Lockheed Martin in 2009 during which thousands of confidential files on the US F35 Lightning II fighter aircraft were compromised by hackers.

Also the 2017 hacking of the THAAD missile defence system in South Korea; the 2009 Conficker Worm attack on the French Marine Nationale and a 2011 cyber espionage campaign on the French nuclear company Areva and deep worries over the WannaCry virus possibly targeting parts of the UK Trident system in 2017.

What should Decision-Makers and Policy-Makers do?

Governments need to grapple with how to handle rapidly developing cyber capabilities. A critical first step is to develop a better understanding of the threat, including by answering the following questions:

  • What are the possible targets within the entire supply chain, the nuclear weapons system itself and within the upgrades, modernization and maintenance processes? What kind of vulnerabilities do they have?
  • Who are the potential actors likely to carry out a serious cyber-attacks? Which state, non-state actor or state-sponsored group would have (1) an interest and (2) the resources and capabilities?

All states possessing nuclear weapons, hosting NATO nuclear weapons on their soil, or running a civil nuclear programme should conduct annual assessments of the cyber resilience of all systems in question.

No less important is improved information sharing on possible and actual vulnerabilities and lessons learned with large technology companies, suppliers, vendors and manufacturers, and the implementation of common security standards.

These companies are normally not keen to disclose information on vulnerabilities because of possible reputational damage or for fear of revealing details that potential hackers or competitors could exploit. Government and business must work closely together to overcome these challenges and address joint concerns.

Governments must also invest heavily in research activities in the framework of existing institutions such as the NATO Cooperative Cyber Defence Centre of Excellence (CCD COE), the EU CBRN Centres of Excellence, or in cooperation with the European External Action service (EEAS), the United Nations (UNICRI) and, of course, within national cyber security institutions.

Governments and decision-makers of the nuclear-armed states should also publicly acknowledge that cyber security for nuclear weapons systems is a top tier priority for the safety and security of national military programmes.

If the security of nuclear weapons is in question, this not only reduces their credibility and deterrent value but it also poses a massive safety and security risk. This is a risk that no government, population or company can or should manage alone.

European Leadership Network

You Might Also Read: 

Is the Pentagon Cloud Secure Enough to Hold Nuclear Secrets?:

UK’s Trident Nuclear Subs Vulnerability To Hackers:

 

 

« Limit The Duration Google Holds Your Data
Hackers Steal Bitcoins Worth $41m »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

Logicalis

Logicalis

Logicalis are a leading provider of global IT solutions and managed services.

Computer Laboratory - University of Cambridge

Computer Laboratory - University of Cambridge

Computer security has been among the Laboratory’s research interests for many years, along with related topics such as cryptology

Alan Turing Institute

Alan Turing Institute

Alan Turing Institute is the UK national institute for data science. A major focus is Big Data analysis with applications including cyber security.

Center for Cyber Safety and Education

Center for Cyber Safety and Education

The Center for Cyber Safety and Education works to ensure that people across the globe have a positive and safe experience online through our educational programs, scholarships, and research.

StormWall

StormWall

StormWall is an Anti-DDoS protection service for websites and networks. We offer 100% protection from all types of DDoS attacks and 24/7 technical support.

Marcus Donald People

Marcus Donald People

Marcus Donald People is a UK IT recruitment specialist covering the following sectors: Infrastructure & Cloud, Information Security, Development, Business transformation.

Electric Power Research Institute (EPRI)

Electric Power Research Institute (EPRI)

The Electric Power Research Institute’s Cyber Security Research Laboratory (CSRL) addresses the security issues of critical functions of electric utilities.

Cryptyk

Cryptyk

CRYPTYK CLOUD is the first complete enterprise-class cloud security solution that includes cloud storage and broad protection against all external and internal threats.

Cybots Pte Ltd

Cybots Pte Ltd

Cybots is a multinational cyber defence brand founded in Singapore in 2018 to help organizations stay ahead of increasingly sophisticated threats from cyber criminals.

South West Cyber Resilience Centre (SWCRC)

South West Cyber Resilience Centre (SWCRC)

The South West Cyber Resilience Centre (SWCRC) is led by serving police officers, as part of a not-for-profit partnership with business and academia.

Ipstack

Ipstack

Ipstack offers one of the leading IP to geolocation APIs and global IP database services worldwide. Protect your site and web application by detecting proxies, crawlers or tor users at first glance.

Exalens

Exalens

With deep roots in AI-driven cyber-physical security research and intrusion detection, at Exalens, we are enhancing operational resilience for cyber-physical systems at the OT edge.

CSIR Information & Cybersecurity Research Centre

CSIR Information & Cybersecurity Research Centre

The CSIR Information & Cybersecurity Research Centre focuses on research, development, and innovation of home-grown cyber and information security.

National Cybersecurity Alliance

National Cybersecurity Alliance

The National Cybersecurity Alliance is a non-profit organization on a mission to create a more secure, interconnected world.

Cisilion

Cisilion

Cisilion's mission is simple – to transform and connect business with next-generation IT infrastructure. Our expertise includes enterprise networking, security, data centre & cloud, managed services.

OryxLabs

OryxLabs

OryxLabs provide advanced enterprise digital risk protection solutions. Learn more about how 24x7 continuous assessment, monitoring, and improvement can secure your network.