This paper will identify, raise awareness of, and help reduce risks to NATO’s nuclear weapon systems arising from cybersecurity vulnerabilities. It aims to respond to the need for more public information on cyber risks in NATO’s nuclear mission, and to provide policy-driven research to shape and inform nuclear policy at member-state level.
- NATO’s nuclear capability is provided by the US and the UK. The modernization of systems and arsenals held by both states is proceeding apace. This has involved – and continues to involve – the integration and use of increasingly sophisticated new technologies within their nuclear programmes, including in their respective command, control and communication (C3) systems.
- Cyber operations targeting NATO members’ C3 systems and their assets, including nuclear assets, are also increasingly sophisticated in nature. While cybersecurity is a serious concern, and there is acknowledgment of the potential magnitude of cyberattacks, documentation available in the public domain indicates the need for NATO and its members to put in place further measures to ensure the cybersecurity of C3 systems, including those of nuclear systems (NC3). This is all the more pertinent given that some Allies’ military capabilities still include legacy systems from the Soviet era.
- The protection of C3 systems requires the adoption of adequate, adaptable and robust cybersecurity measures, in order to ensure the integrity of these systems and to shield them from both internal and external disruption. The following five considerations are of relevance for the protection of NATO’s own C3 systems, and those of its member states: software and network protection; data (integrity) protection; hardware protection; access/security controls; and cybersecurity awareness/security by design. These attest to the need for robust measures beyond the non-kinetic, digital realm to ensure the cybersecurity of NATO’s C3 ecosystem.
- The increasing reliance on C3 assets that may be used for both conventional and nuclear operations raises the prospect of entanglement, and the associated risk of rapid escalation. The potential for unintended escalation is further exacerbated by the threat of cyberattacks and possible new threats emanating from other emerging technologies, including quantum computing. Unknown and unanticipated effects from cyber operations targeted at C3 assets may compromise the legality of these attacks when such assets may be of both military and civilian use simultaneously.
- Measures to prevent misinterpretation and rapid escalation are critical to the security of C3 systems. Such measures could include a clearer understanding of: how adversaries think about command and control; what would constitute a cyberattack in the context of C3 systems; and what would constitute adequate responses to such attacks within the frameworks of international law – particularly international humanitarian law.
- False confidence and false stress are equally problematic. In addition to ensuring the cybersecurity of their existing nuclear planning and NC3 architecture, NATO and Allies must reflect on how these dynamics will affect current understanding, arrangements and strategies surrounding the concept of nuclear sharing. Concerns over legacy infrastructure, in the context of an evolving threat landscape and the modernization of systems with digital means, raise questions with regard to the way forward for the hosting of US nuclear weapons in Europe, as well as for existing nuclear burden sharing agreements.