This paper will identify, raise awareness of, and help reduce risks to NATO’s nuclear weapon systems arising from cybersecurity vulnerabilities. It aims to respond to the need for more public information on cyber risks in NATO’s nuclear mission, and to provide policy-driven research to shape and inform nuclear policy at member-state level.
2. Command, Control and Communication in NATO
A C3 system12 may be broadly defined as the information system that enables the command, control and communications within a given military structure.13 This chapter will examine command, control and communication, and examine the C3 concept within the framework of NATO, particularly in relation to the Alliance’s core domains of operation: air, maritime and land. An understanding of NATO’s C3 systems in these domains is conducive to further reflection on the relevance of cybersecurity to their effective functioning.
While the definition and scope of C3 varies from one structure to another, NATO defines the first two elements as follows:
- Command: ‘The authority vested in an individual of the armed forces for the direction, coordination, and control of military forces.’14 Planning may not be excluded from this component, given its importance to providing direction, coordination and control, in addition to early warning as well as threat detection and identification systems.
- Control: ‘The authority exercised by a commander over part of the activities of subordinate organizations, or other organizations not normally under his command, that encompasses the responsibility for implementing orders or directives.’15
The US Naval Academy’s definition of communications in the context of C3 systems may be used as a reference for the purpose of this paper:
- Communications: ‘The ability and function of providing the necessary liaison to exercise effective command between tactical or strategic units of command.’16
It is also important to note that while in many instances official documents may be exclusively referring to command and control (C2), the latter requires communications to ensure its effectiveness in operations.17 Communications is critical, and arguably forms one of three ‘building blocks’ of any deterrent strategy; hence it cannot be separated from command and control, as any attack on communications assets would have serious implications on the exercise of C2, and even attacks that are not directly aimed at those communications assets would eventually have the spillover effect of disrupting communications.18
The C2 system in place within NATO is designed to support both strategic commands of NATO’s Command Structure: Allied Command Operations (ACO) and Allied Command Transformation (ACT).19 ACO, under the command of the Supreme Allied Commander Europe (SACEUR), is responsible for the planning and execution of all NATO military operations, as directed by the North Atlantic Council. ACT, under the command of Supreme Allied Commander Transformation (SACT), is mandated to spearhead NATO’s military transformation; its main areas of responsibility include education, training and exercises, and promoting interoperability throughout the Alliance. Allies provide resources and capabilities to the NATO Command Structure. In military operations – for deploying forces, for instance – NATO’s deployable C2 systems are connected through deployable interfaces to those of national systems. In this regard, NATO relies on the Federated Mission Network (FMN) capability to bring national and NATO capabilities together, and to better train, communicate and operate.20
A NATO Research Task Group (SAS-085) identified and set out the principles of a successful command and control, capable of effecting, coping with, and/or exploiting changes in circumstances.21 NATO refers to this capability as ‘C2 agility’, which may have different approaches depending on the parameters of the mission – including information availability, the level of collaboration, and the decentralization of decisions.22 The study undertaken by the NATO Research Task Group identifies five approaches based on these three parameters, ranging from one without shared collective objectives, or kinds of interaction between C2 nodes (conflicted C2), to a robustly networked collection of C2 nodes with the broadest possible distribution of decision rights (edge C2).23 Thus, to ensure effective agility so that Allies may ‘switch’ approaches at all times, depending on the needs of operations,24 there is a need for thorough security across all hardware, networks and software used by the Alliance to allow for such agile command and control. For instance, an operation that requires the decentralization of decisions may be rendered ineffective if the parts of the network that are used to communicate and coordinate decisions are tampered with by adversaries: the transmission of information and decisions may be delayed; critical information may be intercepted; and, ultimately, operation success will be hampered. Centralized decisions will also require strong resilience in supporting assets, as an attack against those parts of the central system may subsequently affect the wider ecosystem of C2 assets. In some situations, decentralization of decisions may benefit the Alliance, as this may force the adversary to execute simultaneous attacks upon the decentralized network.
NATO relies on tactical data links (TDL) as part of its command, control, communication, computers, intelligence, surveillance and reconnaissance (C4ISR) systems. TDL provides information transmission in near-real time and simultaneously across NATO platforms, such as space, ground, air and surface platforms. It allows users to transmit and receive encrypted data, and can differentiate between ‘friendly’ data and data received from adversarial systems. It is an important component of the Joint Intelligence Surveillance and Reconnaissance (JISR) capability, critical for early warning, operations planning, situational awareness and target information.25 TDL is used in a number of applications, including air, land, surface, subsurface and space surveillance, electronic warfare sensors, weapon coordination, air control, navigation and network management.26 The loss of TDL due to physical or cyber intrusion may subsequently have high mission impact and jeopardize its success.
The following elements supporting NATO’s operations in three of its ‘physical’ domains of operation – air, land and maritime – provide an overview of elements constituting NATO’s C3 system.
Air domain
For peacetime tasks and as part of NATO integrated air and missile defence (NIAMD), air C2 and ballistic missile defence fall under the responsibility of the Commander Allied Air Command. In crisis response operations, SACEUR will appoint a Joint Force Air Component Commander (COM JFAC) to conduct air C2 specifically for a designated operation.27
Air C2 systems enable the management of all types of air operations over NATO Allies’ territory and beyond, ranging from air traffic control and airspace management to surveillance and force management, including refuelling.28 These systems integrate, inter alia, surveillance, air mission control and force management functions. The implementation of air C2 systems also entails the activation of ‘a number of deployable control and reporting centres […] with integrated deployable sensors’.29 The extent to which this applies in space (which it should be noted is beyond the scope of this paper) may potentially evolve, given that NATO only recently recognized space as a discrete domain of operations.30
In the air domain, threat analysis generated through air-based defence systems provides situational awareness in airspace. This information feeds into the Combat Reporting Centre, which is then reported up to the senior level. Depending on the issue area, senior cadre decides on the necessary response, such as tasking an Ally aircraft to undertake an action. This process forms NIAMD. NIAMD can pull together air, land and maritime threats, to provide timely and robust information to the Alliance in peacetime as well as in crisis and conflict. Currently, NIAMD’s mission involves observing Alliance airspace for threats and defending the Alliance against ballistic missile threats. Securing NIAMD from cyberattacks at a time of conflict would be mission-critical to preserving NATO’s situational awareness.31
Effective, robust and reliable communication systems are critical to allowing ‘effective liaison’ at all times – i.e. the communication system needs to survive in crisis situations – which has been defined as a ‘key factor in the success of joint operations’.32 The 2016 Allied Joint Doctrine for Air and Space Operations attests to the need for effective liaison between forces for coordinated operations, with the air operational liaison reconnaissance team, with the on-site personal representative, and between the various joint boards and working groups that take part in decision-making processes. This also implies the need to protect the ‘hardware’ assets underpinning C3 systems such as radars, sensors and communications assets, including those based in space, without which effective liaison, coordination and implementation of C2 would not be possible.33
NATO capabilities have been undergoing significant transformation. This includes integrating different types of theatre ballistic missile defence systems (BMDS) provided by key NATO Allies, including Italy, Germany, France, the UK and the US, into a single network, while providing layered protection against ballistic missile attacks.34 For instance, as part of the Active Layered Theatre Ballistic Missile Defence (ALTBMD) programme, NATO is replacing its existing C2 systems in Europe, setting ‘new standards of interoperability for air operations’.35 Through interoperability, NATO is connecting Ally forces and increasing their readiness and effectiveness for NATO missions and operations. Interoperability, however, brings with it cybersecurity challenges.
Interoperability of forces to conduct joint operations is only possible when Allies rely on ‘friendly’ capabilities. For instance, the disagreement over Turkey’s purchase of the Russian S-400 air missile defence system (discussed in fuller detail in Appendix II) is causing great concern within the Alliance. Some of the concerns raised in this regard include the lack of interoperability between the S-400 system and the US’s F-35 programme of which Turkey had been part. Another concern relates to the possibility of providing the vendor country (in this case Russia) with the ability to collect sensitive information about Ally forces if NATO’s TDL system is integrated with the system being purchased. TDL in the air domain shares near real-time information with air, land and maritime forces, meaning that, at a time of conflict, an adversary (or adversaries) in possession of such sensitive information could have a tremendous advantage over NATO Allies, with the potential to considerably jeopardize mission success.
Considering that weapon systems may have cybersecurity vulnerabilities from the design stage, it would only be the manufacturing company and the vendor (state) that would be fully aware of the system’s design features and potential vulnerabilities. NATO’s and the US’s concern to protect Alliance systems is critical; yet there has not been much discussion in the public domain of the cybersecurity aspect of the S-400 purchase.
The purchase of Russian or Chinese defence equipment by NATO Allies has long been an issue of concern for the Alliance. In 2013, for instance, Turkey indicated its intention to purchase a Chinese missile defence system, although it later reversed this decision when it became apparent that China would not transfer the technological details of the system, including the full specification and design. And there are three countries within NATO – Bulgaria, Greece and Slovakia – that purchased Russian S-300 missile defence systems back in the 1990s. One of the logical ways to resolve the S-400 predicament, therefore, is the establishment of stronger procurement baselines and standardization agreements (STANAGs) for NATO that integrate cybersecurity measures and the examination of potential cyber vulnerabilities. Considering that nuclear forces and conventional forces are intertwined in the C2 structure, it is vital to understand the full range of possible risks posed by the S-400 – including for all integrated C3, nuclear planning and nuclear systems. This also means that the Alliance always needs close oversight of the state of health of hardware, firmware and the software in order to ensure that NATO forces are securely connected in times of crisis.
Land domain
NATO Allied Land Command (LANDCOM) is responsible for coordinating and synchronizing NATO and partner land forces, and deploys, on order, headquarter elements to provide planning, coordination and C2 capabilities to Allied forces.36
The 2016 NATO Command and Control of Allied Land Forces document is referenced in the Allied Joint Doctrine for Land Operations to provide the doctrine applicable to the C2 of NATO land forces, including decision-making and targeting processes, organizational structure, duties and responsibilities.37 It has been described as supporting the Allied Joint Doctrine for Land Operations published in March 2016.38 The latter provides overall guidance on the principles needed to plan and conduct land operations within the framework of NATO, and is complemented by both the NATO C2 of Allied Land Forces (ATP-3.2.12) and Land Tactics (ATP-3.2.1) documents.39
The NATO Communication and Information Agency (NCI Agency) has been leading the acquisition and support processes for NATO’s new Land C2 Information System (LC2IS), software designed to support the planning, execution and the assessment of land-heavy operations. The software’s functions include: ‘to enable and improve the effective C2 of NATO Land Forces; support NATO commanders in their decision-making process; and improve information exchange’. LC2IS has also been stated to enable improved interoperability with national systems, and, as part of several testing rounds, underwent an interoperability test with the national systems of the Netherlands and the US.40
In addition to the need for close oversight of all assets, as previously stated, interoperability with national systems also implies the need for a degree of technical harmonization between Alliance and national systems. Their respective encryption standards and settings must allow straightforward and effective interoperability when the need arises, while also ensuring that they maintain the highest encryption and authentication standards possible to secure the C3 systems.
Maritime domain
The Allied Maritime Command (MARCOM) constitutes the central command of all NATO maritime forces, and is responsible for all maritime matters within NATO’s remit.41 In particular, it is responsible for the planning and command of maritime operations, and of major maritime and joint exercises. In addition, Naval Striking and Support Forces (STRIKFORNATO) is mandated to deliver, on order, a deployable and scalable headquarters to plan and execute joint maritime operations and provide the C2 of maritime ballistic missile defence.42
The maritime domain is not a single-flag task force. It is always a joint task, and requires robust communication channels across allied forces. In peacetime, maritime capabilities are on standby on a continuous basis. NATO Maritime Interdiction Operational Training Centre (NMIOTC), in Crete (Greece), is a Centre of Excellence that supports maritime operations through training in Ally and partner countries. It examines cybersecurity in order to manage risks pertaining to the maritime sector.
The maritime domain relies on both ground and space capabilities, such as satellite communications and radio frequencies. Moreover, systems that ships rely on go through digitalization and automation processes,43 both of which present challenges to cybersecurity. Maritime unmanned systems, for instance, require autonomous and remotely operated equipment, including Global Positioning System (GPS) receivers. With advanced networking, despite all efforts of segmentation, maritime unmanned systems are reported to be ‘frequently connected to the internet’.44 Moreover, ships rely on position, navigation and timing (PNT) characteristics, with specific GPS application, that are subject to cyber intrusions.
Compared with the land and air domain capabilities (e.g. aircraft, ground-based missile platforms, etc.), the submarine environment may have an advantage in that its ‘network architecture is physically isolated from the internet and any civilian network, thus severely limiting the possibility of real time external access into the command network by remote hackers’.45 This does not, however, mean that submarines are immune to cyberattacks. Contrary to common belief, submarines can be vulnerable to data corruption and malware injection, among others, especially when they are undergoing maintenance.
In order to coordinate activities among Allied forces in the maritime domain, NATO relies on the Link 22 network. Link 22 is a NATO-wide, secure, beyond line of sight (BLOS)46 TDL. Prior to Link 22, NATO used Link 11 (also known as TADIL A), to exchange near real-time information across the Alliance. The range of problems reported with Link 11 includes: delays in processing and receiving information (due to roll-call transmission characteristics); crypto-technology not meeting modern processing requirements (encryption problems); security vulnerabilities in the system bringing the possibility of spoofing; and the use of single fixed-frequency network (either high frequency or ultra-high frequency) leading to potential jamming.47 By switching to Link 22, NATO provided time-based encryption,48 resulting in improved cybersecurity of data. However, secure architecture and inherent design can only protect military systems to a certain point. Technological advances, specifically those in cyber technology, will continue to challenge new systems, eventually exposing previously unknown weaknesses in their design.
In addition, MARCOM and Supreme Headquarters Allied Powers Europe (SHAPE) have been developing a NATO Joint Maritime Deployable C2 Capability, for which the C2 Centre of Excellence is providing expertise and recommendations.49 This capability would enable the use of other physical platforms, such as landing platform docks, ships taken up from trade, and landing platform helicopters, other than a command ship as a mobile, afloat command platform to conduct operations, including C3, at sea. This is particularly important for the decentralized conduct of operations and creating resilience in maritime C2 systems.