Cyber Threats to Nuclear Weapons: Should We Worry? A conversation with Dr. Andrew Futter

Last year, in an article for the European Leadership Network, Dr. Andrew Futter, an associate professor of international politics at the University of Leicester in the United Kingdom, asked an important question: Is the United Kingdom’s nuclear arsenal safe from cyberattack?

 NTI has convened a group of former military and government officials, as well as other experts, to try to answer this question with respect to U.S. nuclear weapons and develop policy recommendations for addressing the cyber threat to nuclear weapons. As a leading voice on this topic, Dr. Futter is a key member of this group.

 Here, in his first interview for Atomic Pulse, Dr. Futter talks about why we should be concerned about cyber threats to nuclear weapons.

For our readers who are new to this topic, what does “cyber” actually mean?

 The term “cyber" is used differently by different people and states. But it is perhaps best thought of as involving computers, digital networks, and information technology. In this sense, “cyber” is both a context that impacts every aspect of our daily lives and a set of capabilities, tools, and possibly weapons.

Could a hacker actually detonate a nuclear weapon or launch a nuclear missile?

 I think that we must assume the answer is yes, although in my view it is very, very unlikely and varies according to the actor and system involved. The most vulnerable systems are probably those that are the most modern and complex, and particularly those systems that control nuclear weapons held on high alert. Nuclear weapons software and associated systems could be altered as they are being built, electronic signals might somehow be sent to nuclear weapons, or perhaps hackers could seek to precipitate nuclear use indirectly by misleading those systems and manipulating the information that they rely upon.

 However, we must also consider who would want to do this. The most sophisticated hackers are state based and it is difficult to see why they would want to cause a nuclear launch or explosion. It is more likely that these hackers would want to stop the systems from working. 

What first brought your attention to this issue?

Cyber hype appeared to be everywhere, and everything was apparently vulnerable to “hackers,” but no one seemed to have given much thought about what this might mean for nuclear weapons. The obvious question was, “Could hackers cause a nuclear launch?” 

Given my previous work on ballistic missile defense, advanced conventional weapons, and challenges to nuclear stability, this seemed an obvious question to explore.    

What is the most surprising fact you have learned in your research on this issue?

I was surprised by three things. First, was the overwhelming confidence of government and military officials in several countries that I spoke with that their systems could not be hacked. Second, was the way that so much of the cyber debate is hindered by a lack of an accepted definition or common understanding of what cyber means.  Third, was the extent to which humans and the human-computer interface are often the easiest target and biggest security risk in cyber operations.

 

What are the international implications of this threat? Should we be more worried about certain regions, or is this a concern for any country with nuclear weapons?

The threat applies to all nuclear-armed states, but it seems to be most serious for countries that keep systems on high alert–ready to be used quickly; countries where nuclear and conventional weapons share command and control and early warning systems; countries that exist in a heightened threat environment; and countries that are geographically close to each other making warning times shorter. Although the nuclear-cyber nexus is therefore perhaps most pronounced in the U.S.-Russia and U.S.-China relationships, perhaps the greatest worry is in South Asia. The threat is also dependent on how digitally sophisticated and networked a nation’s nuclear systems are; older, simpler systems with less pressure placed upon them will probably be more secure. 

In the race to protect nuclear weapons systems from hackers, who is winning? 

Because so much of this information is classified, it’s hard to tell. But it seems to me that states have (finally) woken up to the possibly of hackers interfering with nuclear weapons systems in recent years and have begun to include this in their planning. However, the move toward more complex and interconnected systems for nuclear weapons and nuclear weapons management is, in my opinion, a dangerous development that will increase the risks of hackers getting in or simply of things going wrong. This is because more complex systems will contain more software bugs and will be more difficult to understand, which in turn increases the likelihood of mistakes, accidents and unintended consequences. This is especially the case during a crisis where these systems will be under enormous strain a time pressure.

Young people don’t remember the Cold War, but they are very in touch with cyber-related issues. How can we get more young people involved in understanding and helping to address the cyber-nuclear threat?

I think one of the things that has worked really well in the past when it comes to raising public awareness and the consciousness of young people in particular, is the use of films and TV dramas. Dr Strangelove, Threads, War Games, When the Wind Blows, and The Day After Tomorrow, all raised awareness of the nuclear threat in the past, and this might be a good way forward today. Eric Schlosser’s book and film, Command and Control, have been really good in this regard, and I would like to see more.

What should world leaders be doing to address this threat?

The first thing is to recognize that this is an international challenge–no country benefits from hackers getting into nuclear systems and causing inadvertent or mistaken nuclear use. Some experts have suggested a moratorium prohibiting attacks on nuclear command and control systems to which all could sign up. Another option is to share best practices and intelligence on threats to nuclear systems. It might also be a good idea to start including discussions of cyber threats as part of broader nuclear arms control talks–this might begin with some type of agreement about how the term “cyber” is understood, what it includes, and how it is being used if we are to move forward on any of these initiatives.

Above all, I would recommend that all nuclear-armed states keep their nuclear systems secure (well protected, isolated from the Internet, etc.), simple (avoiding digital complexity and unnecessary added functionality and pressures), and separate (from other weapons and control systems), in order to minimize the potential risks.

Are there any silver linings? Do you see any hope for progress on this issue?

Yes. The fact we are talking about it today is a good start—governments officials, academics, and the media have clearly woken up to this new challenge, and although work and thinking on the threat is just beginning, we are certainly heading in the right direction. 

If you could tell the world one thing about this threat, what would it be?

The cyber threat to nuclear systems is unquestionably real, but it is far more nuanced than it is often portrayed. For example, the biggest risk by far is that of cyber-nuclear espionage—that is, stealing nuclear operational or design secrets. Also, states are much more likely to seek to disrupt or disable an opponent’s nuclear systems than seek to cause a launch or explosion. Finally, although the risk of a third party or cyber-terrorists hacking into a nuclear system and causing a launch is real, it is arguably easier for, and more likely, that these groups will seek to precipitate or deepen a nuclear crisis or cause inadvertent or mistaken nuclear use. 

January 25, 2017
Authors
Alexandra Van Dine
Alexandra Van Dine

Program Associate, Scientific and Technical Affairs

Most Popular