Nuclear Weapons Systems Cyber-Attack Risk Relatively High.
US, British and other nuclear weapons systems are increasingly vulnerable to cyber attacks, according to a new study by the international relations think-tank Chatham House. The threat has received scant attention so far from those involved in nuclear military planning and the procurement of weapons, the report said. It blames this partly on the failure to keep up with fast-moving advances, lack of skilled staff and the slowness of institutional change.
“Nuclear weapons systems were developed before the advancement of computer technology, and little consideration was given to potential cyber vulnerabilities. As a result, the current nuclear strategy often overlooks the widespread use of digital technology in nuclear systems,” the authors of the study said. Nuclear weapons systems are under threat from hostile states, criminal groups and terrorist organisations exploiting cyber vulnerabilities. “The likelihood of attempted cyber-attacks on nuclear weapons systems is relatively high and increasing from advanced persistent threats from states and non-state groups,” the report said. It cited examples such as a report the US could have infiltrated the supply chain of North Korea’s missile system that contributed to a test failure in April last year. The silos of US nuclear-tipped Minuteman intercontinental ballistic missiles “are believed to be particularly vulnerable to cyber attacks”.
The study also recorded illicit trafficking in Moldova and Georgia of radioactive and nuclear materials; a group in Belgium affiliated to Islamic State monitoring the movements of a nuclear scientist, and German-owned Patriot missiles reported to have been hacked in 2015. The report, Cybersecurity of Nuclear Weapons Systems: Threats, Vulnerabilities and Consequences, was written by Beyza Unal, a research fellow at London-based Chatham House who previously worked on strategic analysis at Nato, and Patricia Lewis, research director of the international security department at Chatham House. “There are some vulnerabilities and pathways through which a malicious actor may infiltrate a nuclear weapons system without a state’s knowledge,” the report said. “Human error, systems failures, design vulnerabilities and susceptibilities within the supply chain all represent common security issues in nuclear weapons systems.” The authors noted there is a dilemma between needing the private sector to keep up with advances in technology and the risks they bring with them “Many aspects of nuclear weapons development and systems management are privatised in the US and the UK, potentially introducing some private-sector supply chain vulnerabilities.” It added: “Presently, this is a relatively ungoverned space and these vulnerabilities could serve to undermine the overall integrity of national nuclear weapons systems. For example, the backdoors in software that companies often maintain to fix bugs and patch systems are targets for cyber-attacks once they are discovered and become known.”
Potential artificial intelligence (AI) applications, while creating new opportunities for cybersecurity, add another layer of complexity for nuclear weapons that could be exploited. The authors criticise military failures to – so far – take the issue seriously. “Military procurement programmes tend not to pay adequate consideration to emerging cyber risks – particularly to the supply chain – regardless of the government regulations for protecting data against cyber attacks. This could be due to constantly lagging behind the fast-moving nature of cyber attacks, a lack of skilled personnel and the slow institutional and organisational implementation of changes.” Digital components, material and software, can quickly become obsolete and, without proper updates and patch, “they are subject to intrusion.” The authors cite the UK’s new aircraft carrier, HMS Queen Elizabeth, which appeared to be using the same version of Windows in its control room at the outdated system that left the NHS exposed in the WannaCry ransomware attack in May last year.
Credit: Ewen MacAskill for The Guardian, 11 January 2018.