If you’ve been distracted over the last couple of weeks by the tempo of the news cycle in Washington, you may have missed two important reports that together are likely to cause some sleepless nights:
- NTI’s report:
- Bloomberg’s investigation:
One outlines the cyber threat to nuclear weapons and all of the related systems such as command and control, warning, and delivery. The second tells the story of an intentional, state-sponsored effort to control computer hardware used throughout the United States, in both corporate and intelligence systems. Both reports point to the growing, urgent need for policy options designed to reduce risks to our digital systems to avoid potentially catastrophic results of a cyber hack.
Cyberattacks on Nuclear Weapons Systems
Although it is nearly impossible to have 100% confidence in the security of a digital system, and even well-secured nuclear weapons systems are not immune from cyberattacks, NTI’s report provides a set of recommendations for reducing the risk of cyberattacks on nuclear weapons and related systems and outlines four specific cyberattack scenarios:
- An attack on early warning
systems that provide false indications of a nuclear attack during a crisis
- Disruption of communications between
officials, operators, and nuclear systems and/or international counterparts in
a potential crisis
- Introduction of a
flaw or malevolent code into nuclear weapons through the supply chain or
otherwise in a way that could compromise the effectiveness of those weapons
unauthorized control of a nuclear weapon through cyber-assisted theft and/or
defeating of security devices.
There’s no question that the job of securing nuclear systems is getting more difficult. Cyberattacks are becoming increasingly sophisticated and levels of digitization are growing (for example, as will undoubtedly occur during the upcomingof the U.S. nuclear arsenal). Taken together, this is a dangerous mix and governments and industry must act to address the threat.
Supply Chain Attacks
The Bloomberg report details how China reportedly used a hardware hack to infiltrate U.S. companies’ computer systems, including some used for intelligence purposes. Specifically, it details how Chinese manufacturers of chips used in specialty video processing servers were approached by people who, through a combination of bribes and/or strong-arm tactics, modified tiny chips in a way that was extremely difficult to detect but which gave the China the ability to remotely take over the microprocessor. If this turns out to be true (note that the U.S. companies involved are stronglythe report), this would be one of the most serious computer security breaches in history with enormous implications for national security, as well as the economy.
What can be done?
There are no easy answers.
Driven by a desire to lower costs, most chip production is now done overseas. Any attempt to bring it back to the U.S. would have enormousimplications and would likely take years to achieve. There do exist “ ” that make some of the key chips in military systems, but even in those military systems, most of the chips are commercially-available commodity products that draw on global supply chains.
This example of what appears to be a supply-chain breach of historic proportions serves to reinforce one of the NTI report’s underlying assumptions, namely that: “Although technical cybersecurity measures are critically important and should be pursued… we must operate under the assumption that… nuclear weapons systems, may already be compromised.”
As a result, governments must aggressively explore technical and policy options that incorporate this aspect of the cybersecurity threat, understanding that it is impossible to have full confidence in the information our digital systems provide or transmit and indeed, adversaries already may be able to observe or, worse, sabotage our data. In the case of high-consequence systems, all policy and technical options to reduce risks must be explored, including the possibility of using, non-hackable systems.