This paper will identify, raise awareness of, and help reduce risks to NATO’s nuclear weapon systems arising from cybersecurity vulnerabilities. It aims to respond to the need for more public information on cyber risks in NATO’s nuclear mission, and to provide policy-driven research to shape and inform nuclear policy at member-state level.
1. Introduction
With the growing sophistication of cyberthreats and digitalization of weapons systems, it is difficult to ensure cybersecurity from the design stage to deployment of a weapon system. Weapon systems increasingly rely on cutting-edge technologies in order to improve efficiency and accuracy. These technologies, however, may render weapon systems more vulnerable to cyberattacks. Some of the recurring technical aspects of weapons design that increase cyber vulnerability include:1
- Software dependencies
- Hardware dependencies
- Increased connectivity of networked systems
- Automation/autonomy
This is not necessarily a big problem. Cyberattacks against networked systems are not new, and they can be defended against and the worst impacts prevented. The problem is compounded, however, when countries put too much trust into complex systems that they consider failsafe and immune to cyberattacks – and subsequently choose to neglect the full range of potential threats and vulnerabilities. In terms of explosive and long-term impact, nuclear weapons are significantly more powerful than conventional weapons. Yet the system design of nuclear and conventional weapon systems is intertwined2 through command, control and communication (C3) structures. While there are differences in functionality and varying levels of complexity between conventional and nuclear weapon systems, neither nuclear nor conventional C3 structures are immune to cyberattacks.
For NATO, given a spectrum of weapon systems that has conventional means at one end and nuclear at the other, cyber technologies complicate warfighting and policy planning efforts. In conventional warfare, the fight is generally against a single adversary. When it comes to cyberattacks, decision-makers can find themselves combating multiple actors (both state and non-state) simultaneously and over a long period. In traditional policy planning, decision-making is structured around collective defence as enshrined in Article 5, whereby an armed attack against one NATO member is an attack against all members of the Alliance.3 These parameters do not correspond directly to the cyber realm, which means that determining whether to invoke Article 5 measures may not be adequate and/or appropriate. The multiplicity of cyber incidents means that while NATO needs to take specific actions step-by-step, it needs to take these decisions on a daily basis. This puts tremendous strain on the traditional crisis management machinery.
It is important to realize that, in NATO, not all capabilities are generated, trained and exercised in the same manner. There are, variously, capabilities owned by NATO; capabilities that are provided by Allies; and other capabilities – such as offensive cyber operations – that are strictly under national control and conducted by states without NATO’s involvement.
There have been several studies of the cybersecurity of nuclear weapon systems in recent years. Chatham House researchers have previously examined this issue, identifying cyber-vulnerable technologies in nuclear weapons systems in at least 13 areas.4 Other researchers have also highlighted the growing threat and the need for managing risks.5 However, due to classification issues, not much has been written for the public domain on NATO’s C3 systems, and on how NATO incorporates cybersecurity into its capability development. Studies have also explored wider C3 issues such as the cyber vulnerabilities of NATO space-based strategic systems.6
Multiple issues arise from the literature in dealing with cyberattacks:
- Attribution: How can NATO and its Allies attribute malicious cyber activities? Is it useful to do so in all instances? If not, when is attribution important and valuable? How should NATO trust the reliability of the intelligence received from Allies and partner countries? What risks does NATO take when considering intelligence from external parties?
- Response: If NATO adopts a disproportionate response in a hasty manner, might this be considered as retaliation rather than response? If NATO responds consistently, would this result in deterrence against future attacks over time? What will reduce the risk and increase the gain (low risk/high gain) for NATO?
- Deterrence: What type of approach(es) could be successful against an adversary to deter them from attacking nuclear C3 (NC3) systems? Is successful deterrence achieved through deterrence by denial – i.e. by focusing on defensive measures, including resilience and redundancy? Or is it achieved through deterrence by punishment – i.e. by demonstrating that there are severe consequences for the aggressor? Is it through both deterrence by denial and deterrence through punishment? Or is it through neither?
NATO’s security and defence policy clearly outlines NATO as a nuclear Alliance, and states that for so long as nuclear weapons exist, NATO will continue to rely on them for deterrence purposes.7 However, nuclear deterrence in the 21st century is in flux, due to a wide range of socio-political and technological challenges – among them cyber vulnerability.
NATO’s nuclear capability is provided by the US and the UK.8 Through the nuclear sharing principle, NATO’s capabilities defend and protect all Allies. Moreover, all the non-nuclear weapon states within NATO (i.e. all Allies except the US, the UK and France) have committed, as signatories to the nuclear Non-Proliferation Treaty (NPT), not to resort to acquiring nuclear weapons themselves. It should be noted here that France, unlike the Alliance’s other 29 member states, does not participate in the Nuclear Planning Group (NPG), the senior body responsible for determining NATO’s nuclear policy and the role of its nuclear forces. (See Appendix I for further information on the NC3 architecture of the US, the UK and France.)
The nuclear burden sharing principle, which originated in the early 1960s, aimed to discourage proliferation while fostering unity and partnership across the Alliance.9 Through this principle, Belgium, Germany, Italy, the Netherlands and Turkey currently host an estimated total of around 150 US forward-deployed nuclear weapons that are earmarked for the Alliance.10 The US National Nuclear Security Administration (NNSA) is replacing the nuclear weapons deployed in Europe with modern systems through a life extension programme that consolidates four B61 models (B61-3, -4, -7 and -10) into a single design (B61-12). The B61-12 features new digital components, such as a guided tail-kit assembly, for increased accuracy. These digital upgrades make cybersecurity a greater challenge.11
This paper argues that NC3 is an area in which NATO cannot accept a high level of cyber risk. It is important to emphasize at the outset that this study comes with certain constraints. First, most of the open-source information comes from the Cold War period, and it must be assumed that NATO’s nuclear planning and NC3 have evolved since then. Second, nuclear weapon states within NATO have been modernizing their NC3 structures; therefore, information available at present in the public domain may be contested. The confidentiality surrounding NATO’s NC3 systems is in line with the importance of protecting these assets against potential threats. Therefore, this study comes with the predicament that it draws on open-source analysis and information, some of which was not officially verified. In addition, experts’ analysis, including that of (former) officials, reflects their own subjective perceptions, such as confirmation bias and/or self-censorship, among others. The authors have attempted to partially mitigate this problem by including information and understanding obtained through discussions with experts and officials in specific contexts (i.e. discussion in events and conferences held under the Chatham House Rule), to increase its accuracy and salience for today’s NC3 systems.
This paper will first introduce NATO’s C3 structure through the air, land and maritime domains. Second, the paper will introduce NC3, and examine key Ally countries’ contribution to NATO’s nuclear policy. The paper subsequently examines known incidents involving nuclear weapon systems as a means to frame the discussion on the level of risk that NATO and Allies are facing. In conclusion, it will offer a set of recommendations for NATO. The purpose of the paper is to identify, raise awareness of, and help reduce risks to NATO’s nuclear weapon systems arising from cybersecurity vulnerabilities. It aims to respond to the need for more public information on cyber risks in NATO’s nuclear mission, and to provide policy-driven research to shape and inform nuclear policy at member-state level by demonstrating that the responsibility to protect NATO’s systems lies not just with the nuclear weapon states, but with all Allies.