Nuclear weapons systems in the UK, US and elsewhere are increasingly vulnerable to cyber attacks, according to a new report by UK-based independent policy institute, Chatham House. The authors are by Beyza Unal, a research fellow at the institute who previously worked at Nato in strategic analysis, and Patricia Lewis, research director of the international security department at Chatham House.
In its report, Cybersecurity of Nuclear Weapons Systems: Threats, Vulnerabilities and Consequences, the leading thinktank warns that as nuclear weapons systems were built when computing was little used, little consideration was given to potential vulnerabilities in cyberspace. The report points out that “Many of the assumptions on which current nuclear strategies are based pre-date the current widespread use of digital technology in nuclear command, control and communication systems.”
The report says that those involved in nuclear military planning and the procurement of weapons are not giving cyberthreats significant enough attention. It blames this on a number of factors, including a failure to keep up with quickly moving advances and not sufficient numbers of staff with the right expertise.
“The likelihood of attempted cyber-attacks on nuclear weapons systems is relatively high and increasing from advanced persistent threats from states and non-state groups,” the report said.
The report says cyberattacks, such as denial-of-service (DoS), data manipulation and cyber spoofing could “jeopardize the integrity of communication, leading to increased uncertainty in decision making”.
During peacetime, these kinds of malicious cyber activities could create a dilemma for a state, which does not know if it has been the victim of a cyberattack or not. This could affect its decision-making, particularly as related to nuclear weapons deterrence policy.
At times of heightened tension, the report points out that “cyberattacks on nuclear weapons systems could cause an escalation, which results in their use. Inadvertent nuclear launches could stem from an unwitting reliance on false information and data. Moreover, a system that is compromised cannot be trusted in decision-making”.
The authors note the dilemma between needing to note the issues and the risks they carry by making them public. However, they criticize military failures to – so far – take the issue seriously enough.
“Military procurement programmes tend not to pay adequate consideration to emerging cyber risks – particularly to the supply chain – regardless of the government regulations for protecting data against cyber attacks.”
They also take issue with the lack of government oversight in the US and UK, saying, “Many aspects of nuclear weapons development and systems management are privatised in the US and in the UK, potentially introducing a number of private-sector supply chain vulnerabilities.”
The authors state that defense contractors should be forced to disclose information about cyberattacks with their governments; and strongly recommended that governments incorporate rigorous cyber-risk reduction into their nuclear command, control and comms systems without delay.