Cybersecurity of our nuclear systems needs to be a top priority

Many jokes have been made about who actually invented the internet, most notably after former Vice President Al Gore publicly declared he took the initiative to create it during his time in Congress. But credit — for the impetus, at least — for creation of the internet goes to the former Soviet Union (USSR). On October 4, 1957 the USSR launched Sputnik, the first artificial satellite. Then-Senate Majority Leader Lyndon B. Johnson remarked “Now, somehow, in some way, the sky seemed almost alien.” He remembered “the profound shock of realizing that it might be possible for another nation to achieve technological superiority over this great country of ours.”

In February of 1958, the Advanced Research Projects Agency (ARPA) was born. According to the history of ARPA, the first three primary research priorities focused on space technology (to counter Sputnik), ballistic missile defense (to counter the USSR) and solid propellants (to eventually power the Minuteman ICBM).

As ARPA grew, so did the threats they were being asked to counter. In the 1960s, telephone systems were copper wire and circuit-based. This made our primary means of communication vulnerable to a single missile strike by the USSR. What was needed was a “galactic network” of computers that would continue to function even if the Soviets devastated our telephone system.{mosads}

Twelve years after the launch of Sputnik, ARPAnet went live. On October 29, 1969 researchers at four universities delivered the first node-to-node communication. UCLA, Stanford, UC Santa Barbara and the University of Utah became the vanguard for what would become the modern internet. That invention is now coming back to threaten the very thing it was designed to counter; the threat of nuclear weapons.

The Nuclear Posture Review (NPR) is a “legislatively-mandated review that establishes U.S. nuclear policy, strategy, capabilities and force posture for the next five to ten years.” The first NPR took place in 1994. In 2010, the NPR referred to ‘cyber’ once as the report only discussed the need to “protect its assets in cyberspace and outer space and enhanced by U.S. capabilities to deny adversaries’ objectives through resilient infrastructure (including command and control systems), global basing and posture, and ballistic missile defense and counter-WMD capabilities.” 

Fast forward to the 2018 Nuclear Posture Review and ‘cyber’ is mentioned sixteen times. This reflects the changing nature of our most critical systems, and the still-lacking protections our aging systems are dealing with. The most critical system is our Nuclear Command, Control and Communications (NC3).

According the 2018 NPR, “The United States must have an NC3 system that provides control of U.S. nuclear forces at all times, even under the enormous stress of a nuclear attack. NC3 capabilities must assure the integrity of transmitted information and possess the resiliency and survivability necessary to reliably overcome the effects of nuclear attack.”

What is most telling is what the report lists as the first initiative to ensure “our NC3 system remains survivable and effective. That initiative is “strengthening protection against cyber threats.” Since the 2010 NPR, the threats globally have worsened and include “an unprecedented range and mix of threats, including major conventional, chemical, biological, nuclear, space, and cyber threats, and violent non-state actors.”

There is no doubt that Russia and China continue to be our biggest nuclear threats from a state-actor perspective. But it’s two other state-actors, both state sponsors of terrorism, that can and do cause as much concern as China and Russia. Those countries would be Iran and North Korea.

These concerns about our aging NC3 system and inadequate cybersecurity in general threaten to dilute the most effective weapon we have—deterrence. Here’s why. The 2018 NPR addresses the modernization of the NC3 system. Two paragraphs from that report should make us shudder.

“Today’s NC3 system is a legacy of the Cold War, last comprehensively updated almost three decades ago. It includes interconnected elements composed of warning satellites and radars; communications satellites, aircraft, and ground stations; fixed and mobile command posts; and the control centers for nuclear systems.{mossecondads}

“While once state-of-the-art, the NC3 system is now subject to challenges from both aging system components and new, growing 21st century threats. Of particular concern are expanding threats in space and cyber space, adversary strategies of limited nuclear escalation, and the broad diffusion within DoD of authority and responsibility for governance of the NC3 system, a function which, by its nature, must be integrated.” 

This means North Korea and Iran now have the ability to impact the potent, and usually unspoken, threat of nuclear attack or retaliation. If they can compromise our aging NC3 networks, and plant the seeds of doubt, then they will have successfully turned a credible threat into a bluff.

This also means North Korea and Iran will be able to join Russia and China in a club once limited to nations that were great powers. The 2018 NPR addresses an “evolving and uncertain international security environment.” This environment was eloquently captured by Admiral J.M. Richardson, Chief of Naval Operations, in the report “A Design for Maintaining Maritime Superiority” released in January of 2016.

“For the first time in 25 years, the United States is facing a return to great power competition. Russia and China have both advanced their military capabilities to act as a global power… Others are now pursuing advanced technology, including military technologies that were once the exclusive province of great powers – this trend will only continue.” 

A recent report on the Cybersecurity of Nuclear Weapons sums it up succinctly.  “A compromised nuclear system that cannot be trusted and lacks credibility will undermine nuclear deterrence and its rationale. Additionally, the assurances that nuclear weapons states make to allies would likely lose their reliability if an adversary could successfully hack into the nuclear weapons systems on which several countries rely.”

With great power comes great responsibility. Our government must modernize our NC3 and ensure no one thinks we’re bluffing.

Morgan Wright is an expert on cybersecurity strategy, cyberterrorism, identity theft and privacy. He previously worked as a senior advisor in the U.S. State Department Antiterrorism Assistance Program and as senior law enforcement advisor for the 2012 Republican National Convention. Follow him on Twitter @morganwright_us.