This paper will identify, raise awareness of, and help reduce risks to NATO’s nuclear weapon systems arising from cybersecurity vulnerabilities. It aims to respond to the need for more public information on cyber risks in NATO’s nuclear mission, and to provide policy-driven research to shape and inform nuclear policy at member-state level.
3. Nuclear Command, Control and Communication
NC3 systems are the information systems supporting the exercise of command and control, as well as the communications between units of command, in military operations involving the planning and use of nuclear weapons.
The US is the only NATO member to have earmarked nuclear weapons (B61 gravity bombs) for the purpose of nuclear sharing in the context of NATO, and has stationed nuclear weapons in Belgium, Germany, Italy, the Netherlands and Turkey as part of nuclear burden sharing (see Appendix II). It is therefore inevitable that the NC3 system in place within NATO is inextricably linked to the US’s own NC3 system, which will be further outlined in detail below. The UK and France have independent nuclear weapon systems, addressed in Appendix I of this paper.
The protection of C3 systems requires the adoption of adequate, adaptable and robust cybersecurity measures to ensure their integrity and shield them from internal and external disruption. Cybersecurity measures are critical to ensuring the survivability, integrity and resilience of C3 systems. NATO has indeed designated cyberspace as a domain of operation since 2016, which attests to its importance in military operations.50
It should be noted that there is disagreement among some experts regarding the actual extent of cyberthreats against C3 assets, in particular those for nuclear operations. NC3 assets are, however, in themselves complex, and are part of a wider – itself more complex – ‘ecosystem’ of networks, software and hardware making up the entire NC3 system. Offensive cyber capabilities are without doubt highly sophisticated at present, and such capabilities are in the hands of a small number of actors. In other words, cyberthreats need to be tailored to the targeted assets along with the NC3 ecosystem of which they are part, which may be difficult given the secrecy surrounding the technical information and specifications of these systems. This, then, could result in scepticism regarding the actual feasibility of conducting any cyber operations at all against NC3 assets: unless adversaries issuing such threats display credibility and trigger actual fear, targeted states will not fully grasp the level of risk such cyberthreats may pose to the NC3 systems. The preparation, conduct and operationalization of cyberattacks against systems as complex as NC3 would require not only a tremendous amount of financial, technical and human resources, but also a great deal of time – which may be further extended if any of the targeted system’s configurations are modified, requiring the malware to be ‘updated’ accordingly. The development of such offensive cyber means would require a high level of expertise and knowledge to:
- Map out the NC3 system;
- Understand the interaction and dependency between networked assets;
- Identify potential vulnerabilities, entry points and additional layers of security;
- Disable potential redundancies; and
- Develop an accurate, effective malicious programme that would require testing before eventually being implanted to infect the NC3 ecosystem.
NATO cybersecurity practices across domains
In order to protect its C3 systems from cyber operations, NATO has put in place key measures, including Federated Mission Networking (FMN). Defined as a ‘capability aiming to support command and control and decision-making in future operations through improved information-sharing’,51 FMN’s architecture is framed so as to achieve interoperability between Allies and partner countries, with capabilities ranging from messaging services to security services.52 FMN is built on lessons learned from the development, implementation and evolution of the Afghanistan Mission Network (AMN),53 a NATO-sustained initiative to create a common network from a collection of national and NATO networks.54 The AMN provided NATO with a coalition-wide network that enabled greater situational awareness and facilitated better decision-making. FMN aims to go beyond mission-based networks and provide a ready mechanism that can support any training, exercise or operation NATO might undertake in the future.55 Several FMN elements are significant for achieving cybersecurity within Ally and partner capabilities: FMN rests on a governance model with rules, procedures, policies and standards, and it gives direction to NATO Allies and partners. Its baseline requirements also include cyber and information security measures. Within the FMN management group there are several working groups, including on capability planning, and on interoperability, assurance and validation. By allocating their capabilities to FMN, NATO Allies and partner countries confirm that their communication and information systems comply with NATO’s security and interoperability principles and standards.56
As agreed at its 2010 Lisbon Summit, NATO has been investing in a ballistic missile defence capability for collective defence purposes. As part of the burden sharing principle, members have agreed to expand the Active Layered Theatre Ballistic Missile Defence (ALTBMD) Capability.57 As a result, Turkey hosts a forward-based early warning radar in the context of NATO’s ballistic missile defence capability,58 and Romania hosts the Aegis Ashore ballistic missile defence system (BMDS).59
Even though deployed systems may be secured from cyberattacks, the servers and facilities of a host country may be vulnerable. A 2018 report by the US Department of Defense’s Inspector General found specific vulnerabilities and weaknesses that could be exploited by security-cleared contractors, government officials or outside parties.60 These weaknesses included: not implementing multifactor authentication to access technical information at specific locations; not encrypting BMDS technical information during transmission (although the report redacts the endpoints between which this information was transmitted); and not deploying intrusion detection on classified networks. The report found that: ‘The disclosure of technical details could allow U.S. adversaries to circumvent BMDS capabilities, leaving the United States vulnerable to deadly missile attacks.’61 Such disclosure would have an impact beyond the US and would affect NATO Allies at large, as these capabilities also form part of the Alliance’s overall missile defence capabilities.
Systems are only one component of what C3 constitutes. C3 capability as a whole is developed through establishing doctrine, operation, training, materiel, leadership, personnel, facilities and interoperability. C3 training is provided in NATO schools, such as in Oberammergau, Germany.
Assurance is also part of the process to ensure that capabilities developed are fit for cybersecurity baselines. Testing and retesting, as well as redundancy measures, are conducted throughout the development and design stages of C3 capabilities.
NATO has layers of security in place to prevent malicious access to C3 systems. There are barriers of entry, such as restricted access to critical systems. In the case of cyberspace, every element has a physical point of connection (e.g. critical national infrastructure, weapon systems). The security of these physical points rests with each member nation. There are national regulations to ensure cybersecurity measures are in place, and NATO can also issue additional requirements to its members. For instance, there are telecommunications requirements to support national disaster emergency response. However, the implementation of these requirements rests with each nation. Responsible state behaviour should accompany any baselines and standards in this area.
That NATO and its Allies recognize the importance of cybersecurity is reflected in various unclassified documents and statements in all domains of operation.62 The following five themes are identified as relevant to NATO and Allies’ C3 systems to ensure their cyber resilience:
- Software and network protection
- Data (integrity) protection
- Hardware protection
- Access/security controls
- Cybersecurity awareness/security by design
It is important to emphasize that these themes are not mutually exclusive, and that a critical node relevant to one may be equally relevant to others; hence, there may be coupling in systems. In other words, a cyber operation could affect C3 systems in more than one way. In 2011, for instance, malware reportedly infected the cockpits of the US’s Predator and Reaper drones,63 logging every keystroke made by pilots as they remotely flew missions over Afghanistan and other areas of operation.64 While, in this example, the protection of the cockpits’ network and software was jeopardized, so too was the integrity of the data (i.e. the pilots’ keystrokes). Unauthorized access and the obtaining of logged keystrokes could provide adversaries with data that would reveal usage patterns that could subsequently be used in their own operations to counter or avoid the drones, and/or eventually sell or otherwise distribute these data to third parties – including non-state armed groups. Furthermore, the interception of these data could also reveal how the piloting system (e.g. the software used to pilot the drones) works. This information may be used by an adversary to develop malware and other means to potentially disrupt and/or disable the piloting software – and ultimately bring about mission failure.
Furthermore, a cyber incident may affect more than one domain at the same time. For instance, in early 2009 the French navy’s computer systems and internal network were reported to have been infected by malware (the Conficker virus) as a result of a failure to install Microsoft updates.65 Starting from the navy’s internal network (Intramar) on 12 January, the virus reportedly spread and affected logistics and communication exchanges. Claims that the virus also affected aircraft on the ground, which were unable to download flight plans because the virus had also affected databases, were denied by the French defence ministry.66 In general, this example demonstrates that cyber incidents could potentially create a domino effect, affecting more than one domain simultaneously.
The five recurring cybersecurity themes that are relevant to ensuring the resilience of NATO’s C3 systems are examined in greater depth below. It is important to highlight that these principles have been identified by the authors through the study of official NATO documents on the subject, and that they do not represent acknowledged NATO policy.
Theme 1: software and network protection
Protection of software and networks covers the intangible dimension of C3 systems, and includes networks connecting computers and information systems to one another; networks connecting command and control systems to weapons systems; data processing software; and software as operations enablers (e.g. navigation software).67
Interference with communications networks could heavily disrupt control over weapons systems, and ultimately over operations and safety. Safeguarding networks is equally important in peacetime, as breaches could potentially result in misinterpretation, miscalculation and rapid inadvertent escalation. For instance, early in the morning of 23 October 2010, the US reportedly lost communication with 50 of its Minuteman III intercontinental ballistic missiles:68 computer screens at the Francis E. Warren Air Force Base underground launch control centres displayed the message ‘Launch Facility Down’ (LFDN). While the cause of this incident was attributed to hardware issues69 (reports suggest that a circuit card had been dislodged by routine vibration and heat),70 this example stresses the importance of preserving the integrity of communications networks for monitoring purposes at all times. In a situation where political tensions are high, such incidents could potentially result in inadequate responses that rapidly escalate the situation to an armed conflict – even nuclear – unless states have clear guidelines and procedures that allow them to detect and identify the nature of such incidents, and thus prevent the risk of unnecessary escalation due to misinterpretation or misunderstanding.
More recently, among the findings of the annual report for 2018 of the US Director, Operational Test and Evaluation was that there were survivability and cybersecurity shortfalls in the Patriot Post Deployment Build (PDB)-8 initial operational test and evaluation (IOT&E), part of the US Army’s Patriot missile defence system.71,72 These shortfalls could provide an opportunity for adversaries to disrupt operations, or even tests, involving the Patriot system, thus weakening air and missile defence systems.
Some NATO documents indicate the need for software and network protection.73 For instance, the Allied Joint Doctrine for Air and Space Operations identifies joint intelligence, surveillance and reconnaissance (ISR) as an integrated intelligence and operations set of capabilities ‘which synchronizes and integrates the planning and operations of all collection capabilities with processing, exploitation, and dissemination of the resulting information in direct support of planning, preparation, and execution of operations’.74 Air and space-based ISR assets in particular play a critical role in building early understanding of potential crisis points and thus enhance the quality of political and high-level military decision-making, as well as in both conventional and nuclear weaponry command and control. ISR assets include airborne imagery platforms, satellites and ground sensors. Compromised ISR missions could affect NATO in many ways, including faulty assessment and response to threats; inability to transmit ISR information over potential adversaries’ territory; loss of situational awareness; loss of battlefield awareness, thereby jeopardizing the desired operational objective; and crippling of defensive systems. These vulnerabilities underscore the critical nature of software and network protection.75
Such incidents may not only result in the disruption, or potentially even the failure, of missions. They could also jeopardize the credibility of the state’s nuclear forces and, ultimately, undermine their ability to deter. Allies need to take such vulnerabilities into account, exercise caution and conduct internal audits to identify and address cyber vulnerabilities – both in weapons systems in service and in those under development, across the entirety of the contractors’ and sub-contractors’ supply chain.
Theme 2: data (integrity) protection
Data protection has two dimensions: the protection of data from theft/unauthorized access; and the protection of the data’s integrity. Both are of equal importance and relevance to NATO’s C3 systems from a cybersecurity perspective, as they could equally affect the success of operations. For instance, NATO’s Allied Joint Doctrine for Land Operations states that land operations will seek to profit from cyber activity that can damage, defend, exploit and attack computers, as well as any data held on them.76 The document recognizes the importance of data and the value of affecting the adversary’s data – thus also recognizing the importance of protecting NATO’s own data. In this context, NCI Agency’s Network Services and IT Infrastructure Service Line facilitates the ‘enabling of secure and resilient data, voice and video communication services worldwide’, so as to ‘connect the dots in space, cyberspace, air, land and maritime’.77 Data security also plays an important role for instance when conducting image analysis for targeting purposes.
Protection of data from theft/unauthorized access
Commonly referred to as espionage, unauthorized access to data/information could present an opportunity for adversaries to understand the technical specifications of NC3 systems or learn stealth characteristics of nuclear-capable aircraft, which in turn could provide an opportunity for them to exploit this knowledge to interfere with these systems. While espionage in itself is not a new phenomenon, malicious actors are now able to access and steal a greater amount of data using increasingly sophisticated means, and they can potentially exploit these data through modelling and simulation techniques in order to gain advantage over NATO.
In December 2018 the US District Court, Southern District of New York (USA v Zhu Hua, Zhang Shilong) sealed an indictment against two members of a hacking group operating in China known as Advanced Persistent Threat 10 (APT10 Group).78 The APT10 Group was stated to have harnessed over 40 computers in order to steal confidential data from systems belonging to the US Department of the Navy, including the personally identifiable information of more than 100,000 Navy personnel.79 In addition, the group ‘obtained unauthorized access to at least approximately 90 computers belonging to commercial and defence technologies companies and US Government agencies and stole hundreds of gigabytes of sensitive data and information from their computer systems’.80 Targets included seven companies involved in aviation, space and/or satellite technology; three companies involved in manufacturing advanced electronic systems and/or laboratory analytical instruments; one company involved in maritime technology; the NASA Goddard Space Center; and the NASA Jet Propulsion Laboratory. The group also ‘successfully obtained unauthorized access to computers belonging to at least 25 other technology-related companies involved in, among other things, information technology services, radar technology, and computer processor technology’.81
This example demonstrates that unauthorized access to data and data theft could have multiple implications for command, control and communications at various stages and in all domains of combat:
- Unauthorized access to personally identifiable information of personnel could provide opportunities for social engineering82 and the subsequent gathering of confidential, critical information directly from the individual targets, or from the contamination of computer systems and networks as a result of the victim’s actions. In other words, members of the APT10 Group could use stolen identifiable information to reach Navy personnel, manipulate the target or use the target as a disguise, and masquerade as an authorized entity to gain access to the Navy’s C3 systems – either by using the targeted personnel’s credentials, or by exploiting hardware, software and network vulnerabilities critical to the nuclear systems.
- Unauthorized access to sensitive information related to warfare/defence technologies and electronic systems developed by private contractors – such as sensors, radars or information processing systems – could provide an opportunity to reverse-engineer these systems, thereby causing wider disruption.
- Access to such technical information could also provide an opportunity for an adversary to study and reverse-engineer the data, identify technical specificities and eventual vulnerabilities and shortfalls, and develop capabilities much more sophisticated than the original ones. These concerns are not new; however, the way adversaries could obtain these technical data is (e.g. through access to the targeted information). These data could also be stolen and sold – as was the case with sensitive documents related to the US MQ-9 Reaper drone and M1 Abrams tank advertised for sale on a dark web forum in 2018.83
Protection of integrity of data
This aspect of data protection refers to protection from any external, unwanted interference that could negatively affect decision-making and operations. This is particularly important in the context of the increasing use of artificial intelligence (AI) and machine learning, which depend heavily on the quantity and quality of input data. All aspects of C3 could potentially benefit from automation to collect and process a larger pool of data to feed into sophisticated training and simulation tools, data analyses, situational awareness, decision-making, control and monitoring processes as well as feedback mechanisms. Sensors and powerful computer processors are critical components, as is the quantity and quality of data fed into the machines at the development and training stages as well as in their actual use. The pool of data collected and used may be susceptible to data poisoning attacks, which would in turn corrupt the learning model84 and, subsequently, the results used to underpin C3. The US’s 2018 Nuclear Posture Review85 recognizes data integrity as part of a resilient NC3 network. Although AI and machine learning do not currently form part of the nuclear launch decision-making process, they have been considered and slowly integrated into the other parts of the military decision-making processes.86
Theme 3: hardware
The third relevant theme in the protection of NATO’s C3 systems is the protection of hardware/assets. The protection of the tangible components of these systems is equally important as software protection, and critical in preserving the C3 systems currently in place. Hardware may range from sensors for surveillance and tracking to cables supporting communication networks and computer systems. It is clear that the protection of hardware is vital for making NATO’s doctrines operational, including the Allied Joint Doctrine for Air and Space Operations and the 2009 Allied Land Tactics document.87 The importance of hardware is further recognized in NATO members’ national documents, such as the UK’s Joint Doctrine Note on Cyber and Electromagnetic Activities,88 or France’s 2017 Senate report on nuclear deterrence, which recognizes the potential kinetic consequences of cyberattacks.89 As NATO’s Allied Joint Doctrine for Land Operations notes, cyberspace has interdependence with the electromagnetic spectrum and space domain.90 The protection from cyberattacks of hardware, software, networks or data cannot be held strictly separate from the protection from electronic and electromagnetic threats.
Hardware plays a critical role in enabling communications – the disruption or destruction of which could enable adversaries to penetrate these communication lines and conduct cyber operations, or even destroy these lines. In October 2015 Russian submarines were reportedly operating ‘aggressively’ near vital undersea cables carrying almost all global internet communications, raising concerns among US military and intelligence officials that Russia might be planning to attack these lines in times of tension or conflict.91 While undersea cables are difficult to physically access, adversaries with the right capabilities to reach them could pose a serious threat to the survivability of networks relying on the cables in question.
Malfunctioning sensors, whether as a result of malicious interference or purely unintentional, may also have unforeseen links with command, control and communications, and such system connections may ultimately lead to catastrophic consequences. In June 2016 the UK Royal Navy’s HMS Vengeance test-fired an unarmed Trident II D5 ballistic missile off the coast of Florida; however, the missile reportedly went off course by several thousand miles.92 The problem did not appear to stem from the missile itself or the launch system, but involved telemetry data – information gathered from various points and fed to the missile.93 In principle, telemetry works through sensors at the remote source which measure physical or electrical data; telemetry data may then be relayed using radio, infrared, ultrasonic, GSM, satellite or cable, depending on the application.94 Although this incident did not result from malicious interference with the sensors, it serves to demonstrate how tampering with sensors could have serious consequences. Adversaries could either use electronic warfare capabilities to disrupt the data collected by the sensors, or they could launch cyberattacks on the means used to relay the telemetry data – for example satellites. In a situation of armed conflict, successful disruption of an armed missile’s trajectory would not only result in the loss of the mission from a strategic standpoint; it could also potentially lead to civilian harm, especially if the armed missile lands in a populated area – thus resulting in severe humanitarian consequences and violations of international humanitarian law (IHL).
Protection of hardware is of particular importance in light of the sophistication of electronic warfare capabilities, such as the US Air Force’s Counter-Electronics High Power Microwave Advanced Missile Project (CHAMP),95 which could exploit high-power microwave bursts to disable computers and electronics within the targeted area.96 China is also reportedly developing similar high-power microwave technologies.97
Theme 4: access/security controls
Access and security controls are not explicitly mentioned in NATO’s strategy and doctrine documents per se; however, it is clear that classification of information and limited physical access to certain premises constitute a critical part of protecting C3 systems. Providing layers of defence establishes oversight of the nuclear C3. Moreover, it restricts physical access to sensitive C3 premises to authorized individuals only, including private contractors. Limiting physical access, as a result, reduces cyber risks from insider threats and prevents accidental breaches.
The US Department of Defense has recently released two relevant reports. In March 2018 its Inspector General released a report, Logical and Physical Access Controls at Missile Defense Agency Contractor Locations,98 based on a performance audit conducted in March–December 2017. The publicly available report sets out in detail some of the findings, but does not disclose the names and locations of the seven contractor facilities assessed.
This audit demonstrates that while the Missile Defense Agency (MDA)’s contractors may be dealing with highly sensitive components of nuclear C3 systems – such as classified technical information, with access to classified networks – there remain many vulnerabilities that could present opportunities for adversaries to interfere with, disrupt, or even disable and destroy critical components of C3 systems. This is of particular concern given past incidents and previous reports. For instance, malware (agent.btz) infiltrated US Central Command computer systems through a USB drive in 2008.99
This may notably pose a threat to C3 systems, the survivability of which may depend on the security controls and processes implemented by MDA contractors. The report notes specifically that these contractors are in possession of classified and unclassified technical information related to BMDS; however, ‘system and network administrators at three contractors that managed BMDS technical information on classified networks did not identify and mitigate vulnerabilities on classified networks and systems’.100 Should an adversary be able to infiltrate these contractors’ networks, they may be able to obtain access to classified BMDS technical information, thus jeopardizing the credibility of Allies’ BMDS.
Fuller details from the Inspector General’s report are included in Appendix III. To summarize here, the ‘control deficiencies’ identified by the audit conducted on seven contractors in the US, and which may present serious implications for the security of BMDS facilities, included:101
- Multifactor authentication was not consistently used
- System passwords were not always strong
- Lack of periodical risk assessments by contractors
- Problems with systematically mitigating network and system vulnerabilities
- Lack of oversight of third-party service providers’ activities in network protection
- Contractors allowed users to process and store unclassified controlled technical information on personal electronic devices
- Removable media were not properly protected
- Problems with automatic locking of systems after inactivity or after unsuccessful login attempts
- Lack of consistency in how system access and user privileges were granted
- Issues in keeping and reviewing system activity reports
In December 2018 the Inspector General of the Department of Defense released a further report, Security Controls at DoD Facilities for Protecting Ballistic Missile Defense System Technical Information,102 that echoed the concerns expressed by the report published earlier that year. Its findings ultimately concluded that officials did not consistently implement security controls and processes to protect BMDS technical information, which could allow US adversaries to circumvent ballistic missile capabilities. The findings included: a vulnerability detected in 1990 and failure to mitigate the vulnerability ever since; officials did not encrypt removable media or did not enforce the use of encryption; and the Army, Navy and MDA did not protect networks and systems that process, store and transmit technical information from unauthorized access and use. Suffice to say that identification of cyber vulnerabilities is of value only if audit recommendations are implemented accordingly.
While both reports are worrying, and demonstrate the difficulties the US may have in ensuring constant oversight of the implementation of adequate and robust security measures by contractors, it is also encouraging to see that the US government is conducting audits to identify those vulnerabilities and issuing recommendations to address them. In 2019, for example, the US Defense Innovation Board published a study with recommendations to address ‘the most critical statutory, regulatory, and cultural hurdles US Department of Defense faces in modernizing its approach to software’, including software developed by contractors.103 From as early as 2013, moreover, the Defense Science Board Task Force on Resilient Military Systems drafted a report, Resilient Military Systems and the Advanced Cyber Threat, as a result of which the Task Force was asked to ‘review and make recommendations to improve the resilience of DoD systems to cyberattacks, and to develop a set of metrics that the Department could use to track progress and shape investment priorities’.104 Yet, considering that the US is generally proactive in protecting its weapons systems, the findings of the audit should stimulate questions as regards the other nuclear weapons states. Publicizing these positive measures may not only play a role in reinforcing Allies’ own willingness to enhance their cybersecurity measures and ensure their C3 systems’ survivability; it may also play a deterrent role vis-à-vis adversaries. Put otherwise, these documents attest to the US’s level of awareness of, and its capability to address, the identified cyber vulnerabilities. Such measures could constitute best practice for NATO and NATO Allies to consider adopting and implementing.
Theme 5: cybersecurity awareness/by design
This final theme is to develop capabilities that are secure by design. Cybersecurity awareness and cybersecurity by design must be incorporated into the entire life cycle of weapons systems acquisitions and other capabilities, as well as in operations and missions.
From a cybersecurity awareness standpoint, NATO Allies must further reinforce cybersecurity training for all staff at all levels – not only to raise awareness of the existence of cyberthreats and vulnerabilities, but also to enhance staff’s ability to identify these risks, react appropriately and address them adequately. All staff across the entire chain of command need to be able to do this in a comprehensive manner to protect C3 systems. This ultimately underscores the importance of the human factor, which must not be neglected or overlooked in cybersecurity discussions: while software and hardware are the main areas of concern from a technical standpoint, human processes and human involvement in the weapons systems enterprise (i.e. operators, coders, engineers and system designers, among others) are equally critical for their security. This is also closely related to the previous theme, where access and security controls are heavily dependent on human processes, regulation and oversight. Challenges to cybersecurity will be fundamentally human in nature, and may very well represent one of the most worrying threat vectors for gaining access to, and control of, systems.
In addition, there is a need for NATO Allies to realize, acknowledge and ensure that their newly developed systems are secure by design. A report released by the US Government Accountability Office (GAO) in October 2018, DOD Just Beginning to Grapple with Scale of Vulnerabilities,105 underscores this point. The report identified that multiple factors contribute to the current state of the Department of Defense’s weapon systems cybersecurity, including: the increasingly computerized and networked nature of its weapons; its past failure to prioritize weapon systems cybersecurity; and its nascent understanding of how best to develop more cyber secure weapon systems.106 Specifically, the Department of Defense’s weapon systems are more software- and IT-dependent and more networked than ever before. The report further noted that this has transformed weapon capabilities and constitutes a ‘fundamental enabler’ of the US’s modern military capabilities. The report concluded that the Department of Defense is still in the early stages of trying to understand how to apply cybersecurity to weapon systems. One notable example cited in the report is the department’s choice to focus on the cybersecurity of its networks but not the weapon systems themselves, which points to the need for all states to rethink the way they approach and attempt to address cybersecurity vulnerabilities and threats, as well as the importance of adopting a comprehensive and holistic approach. In other words, the Department of Defense must not exclusively focus on the cybersecurity of its networks. It must also ensure that newly deployed weapons systems and those currently at the development, testing and evaluation stages are cyber secure by design (built-in), as well as adopt adequate measures to ensure that those weapons systems that are already deployed, including legacy ones, are cyber secure (e.g. through regular stress-testing and scans, and technical and human resources dedicated to immediately developing and installing patches remedying the effects and consequences of cyberattacks). This approach will foster a culture of cybersecurity and ensure in the long term that deployed weapons systems will be resilient against the growing number and sophistication of cyberattacks.
Several Department of Defense officials are of the opinion that it may take ‘some missteps’ for the department to learn what works and what does not work with respect to weapon systems cybersecurity.107 This somewhat indicates a shift from the deterministic approach to traditional systems, expected to perform predictable tasks in bounded environments,108 towards a more probabilistic approach, accepting the fact that weapons systems may have cyber vulnerabilities and may actually face cyberattacks – or at least, to reiterate that wording, ‘some missteps’.109
This observation is echoed in the US Director – Operational Test and Evaluation’s (DOT&E) 2018 annual report, which sets out the need for further consideration of cybersecurity awareness and cybersecurity by design by the Department of Defense.110 Vulnerabilities identified during earlier testing periods were still present at cybersecurity testing in 2018, such as the vulnerabilities identified in the F-35 training systems, the Autonomic Logistics Information System (ALIS) version 3.0, and the ALIS-to-shipboard network interface on board a nuclear-powered aircraft carrier.111 Cybersecurity testing on the currently fielded version of the Joint Operation Planning and Execution System (JOPES, v4.3.0.2) – the system that is used ‘to translate policy decisions into operations plans to meet U.S. requirements to employ military forces, support force deployment, and conduct contingency and crisis action planning’ – produced an inadequate test result due to the team’s failure to conduct the test in accordance with the approved test plan.112 No advanced attacks could be conducted. This means that the Department of Defense is currently using a version of a C2 system to operationalize policy decisions, including force deployment, without being fully aware of the extent of the system’s survivability and without all the important actors knowing the full range of potentially existing vulnerabilities.113 Another example relates to the Infantry Carrier Vehicle – Dragoon (ICV-D) developed by the US Army in March 2015.114 ICV-D obtained lethality upgrades allowing crews to detect, identify and defeat targets at greater ranges and against a wider array of enemy targets. However, exploitable cybersecurity vulnerabilities were found, and the report notes that adversaries demonstrate ‘the ability to degrade select capabilities of the ICV-D when operating in a contested cyber environment’.115 In most cases, the exploited vulnerabilities predate the integration of the lethality upgrade: ICV-D received lethality upgrades before exploitable cybersecurity vulnerabilities were identified and addressed. While, on the one hand, the upgrade may have changed the system such that prior vulnerabilities are no longer valid, on the other hand the upgrade could result in even more cyber vulnerabilities.
Moreover, in 2018 the GAO found that, while the MDA is developing a system to track and destroy enemy missiles, military personnel and decision-makers would benefit from better communication about the system’s capabilities and limitations116 – including, given its critical nature, in the realm of cybersecurity.
While these findings may be of high concern for NATO and its Allies, leading to questions regarding the survivability of NATO’s NC3 systems, it is also encouraging to see that the US has official bodies (the GAO, IG and DOT&E) conducting audits to identify those vulnerabilities and issuing recommendations to address them. What is critical, however, is whether these findings and recommendations will be taken into account and be implemented.