Page Stoutland, Ph.D.
Consultant, Scientific and Technical Affairs
Atomic Pulse
If you’ve been distracted over the last couple of weeks by
the tempo of the news cycle in Washington, you may have missed two important
reports that together are likely to cause some sleepless nights:
One outlines the cyber threat to nuclear weapons and all of the
related systems such as command and control, warning, and delivery. The second
tells the story of an intentional, state-sponsored effort to control computer hardware
used throughout the United States, in both corporate and intelligence systems.
Both reports point to the growing, urgent need for policy options designed to reduce
risks to our digital systems to avoid potentially catastrophic results of a
cyber hack.
Cyberattacks on Nuclear Weapons Systems
Although it is nearly impossible to have 100% confidence in
the security of a digital system, and even well-secured nuclear weapons systems
are not immune from cyberattacks, NTI’s report provides a set of
recommendations for reducing the risk of cyberattacks on nuclear weapons and
related systems and outlines four specific cyberattack scenarios:
There’s no question that the job of securing nuclear systems
is getting more difficult. Cyberattacks are becoming increasingly sophisticated
and levels of digitization are growing (for example, as will undoubtedly occur
during the upcoming modernization of the U.S. nuclear arsenal). Taken together,
this is a dangerous mix, and governments and industry must act to address the threat.
Supply Chain Attacks
The Bloomberg report details how China reportedly used a
hardware hack to infiltrate U.S. companies’ computer systems, including some
used for intelligence purposes. Specifically, it details how Chinese
manufacturers of chips used in specialty video processing servers were
approached by people who, through a combination of bribes and/or strong-arm
tactics, modified tiny chips in a way that was extremely difficult to detect
but which gave China the ability to remotely take over the microprocessor.
If this turns out to be true (note that the U.S. companies involved are strongly
denying the report), this would be one of the most serious computer security breaches
in history with enormous implications for national security, as well as the
economy.
What can be done?
There are no easy answers.
Driven by a desire to lower costs, most chip production is now
done overseas. Any attempt to bring it back to the U.S. would have enormous cost
implications and would likely take years to achieve. There do exist “secure
foundries” that make some of the key chips in military systems, but
even in those military systems, most of the chips are commercially available
commodity products that draw on global supply chains.
This example of what appears to be a supply-chain breach of
historic proportions serves to reinforce one of the NTI report’s underlying
assumptions, namely that: “Although
technical cybersecurity measures are critically important and should be pursued…
we must operate under the assumption that… nuclear weapons systems, may already
be compromised.”
As a result, governments must aggressively explore technical
and policy options that incorporate this aspect of the cybersecurity threat,
understanding that it is impossible to have full confidence in the information
our digital systems provide or transmit and indeed, adversaries already may be
able to observe or, worse, sabotage our data. In the case of high-consequence
systems, all policy and technical options to reduce risks must be explored, including
the possibility of using non-digital, non-hackable systems.