Dr. Beyza Unal on the threat posed by hackers to nuclear weapon security

Senior Research Fellow, Nuclear Weapons Policy, International Security Department, Chatham House

Research by Chatham House has identified nuclear weapons as potential targets of cyberattack. How an offensive cyber-operation against nuclear weapons systems might work, and why states have not yet undertaken such an attack, are issues worth examining in detail.

A cyberattack against nuclear weapons systems would require extraordinary state-level capabilities. It would entail virtual or physical access to closed networks that could be achieved only by exploiting a range of vulnerabilities, which may be found in the supply chain, poor design, altered software and hardware, or clandestine digital routes to the critical assets.

An insider threat – someone working in a weapons complex with malicious intent − could implant malware to degrade, disrupt or destroy systems and assets. The malware could lie dormant and unnoticed in the system for months or even years, to be activated when necessary.

An offensive cyber-operation thus requires knowledge of the design of an adversary’s nuclear weapons, as well as ways to infiltrate their systems. The operation might target the command, control and communications of the weapons system, or it could target the wider nuclear enterprise, which could mean interfering with the digital systems of aircraft that launch nuclear bombs. The design of the latest US nuclear bomb, the B61-12, suggests increased reliance on GPS satellites and laser guidance to improve targeting.

By exploiting satellite, ground station or supply chain vulnerabilities, missiles could be redirected away from their target.
According to some experts, North Korea’s recent failed missile tests raise the possibility that the US has infiltrated the North Korean supply chain.

Another way in which a cyberattack might work is by targeting contractors working in operational or logistic networks. This has happened at a lower scale with conventional weapons. Chinese hackers allegedly conducted 50 successful intrusions of the command responsible for transporting US conventional weapons. Targeting the logistics networks in the nuclear field may provide vital intelligence on locations for the deployment of equipment and forces.

Cyber risks in this area highlight the need for taking a closer look at how bombers or missile platforms could be compromised. For instance, bombers with nuclear capabilities rely on data transmission and real-time information for mission-critical commands. An adversary could jam or imitate communications sent to and from ground stations, compromising the information received. This may lead decision-makers to rely on false information.

If there are ways to conduct an effective offensive operation against strategic systems then why have states  been reluctant to carry one out? There may be a number of reasons. States may have already infiltrated an adversary’s nuclear weapons systems and installed malware sleeper cells which await activation. Command-and-control systems of nuclear weapons have not been used for more than seven decades, so their readiness may be questionable. This could mean accidental launches or failure to launch when intended, both of which could have catastrophic consequences.

Nuclear weapons states with cyber-offensive capabilities might have realized that the cost of an offensive operation would outweigh potential benefits. Currently, there is no agreed body of international law on how to respond to a cyber-attack, nor what constitutes an appropriate response to an attack on nuclear weapons systems. A memorandum of understanding between Russia and the US, for instance, agreeing not to hack each other’s nuclear command and control could be a positive step, yet technically challenging as it would require continuous monitoring and technical verification.

A cyberattack on nuclear weapons systems may cause a paradigm shift in military strategy. Today’s mainstream theories argue that nuclear weapons exist for the purpose of deterrence, which relies on states not conducting a first strike for fear of the devastating retaliation. If one side is confident that the other cannot retaliate − for example because its weapons systems are compromised − then the logic of deterrence would not hold.

These are grey areas. The suspicion that nuclear weapons systems may be unreliable as a result of cyberattacks should be the basis for a reconsideration of how decision-makers react to cyber risks in times of crisis.