This paper will identify, raise awareness of, and help reduce risks to NATO’s nuclear weapon systems arising from cybersecurity vulnerabilities. It aims to respond to the need for more public information on cyber risks in NATO’s nuclear mission, and to provide policy-driven research to shape and inform nuclear policy at member-state level.
6. Conclusion and Way Forward
This paper addresses, for the public domain, cyber resilience in NATO’s NC3 systems in the air, land and maritime domains. In this regard, the paper has considered five themes that are valuable for cybersecurity considerations: software and network protection; data protection; hardware protection; access/security controls; and cybersecurity awareness/security by design.
The cybersecurity of weapon systems comes down to the confidence in system and information integrity. In order to ensure system integrity, resilience approaches should also be complex. It is important to realize that public perception regarding the cybersecurity of nuclear weapon systems is relatively unfavourable, compared with the confidence that NATO and NATO Allies have in their C3 systems. This paper covers a spectrum of known cybersecurity incidents. It is important to acknowledge that, due to NATO’s established barriers to prevent entry to critical systems, not all known cases may pose meaningful threats to the Alliance’s C3 and/or NC3 systems.
At the technical level, even if known cases do pose threats to NC3 systems, some level of vulnerability may in fact increase system resilience in the long run. Managing risk through the experience of past cyber incidents and the process of mitigating these threats and actively withstanding some disturbances with acceptable recovery time may be considered un mal nécessaire130 in protecting NC3 systems. At the decision-making level, however, there is almost no margin for error. This means that policymakers and military cadre alike must assess intelligence data and all other relevant information with a critical eye, because missteps in decision-making may result in conflict escalation.
In the public sphere, it is impossible to know how many of the cyberattacks that have been reported have posed real, tangible risk to NC3 systems. It may be the case that one side is over-exaggerating the problem (civil society in public discourse) whereas the other at times is understating it (official discourse). False confidence and false stress are equally problematic. Whereas false confidence may lead to unintended consequences (e.g. accidental nuclear use), false stress may lead to excessive fear, and this may affect policies and decision-making as well as potentially resulting in overspending. Bridging the gap between the two discourses requires both sides to work together: NATO Allies must be able to share relevant information in the public domain without breaching security, and experts must work to debunk false certainties with regard to the cybersecurity (or insecurity) of NC3 systems.
As technological progress proceeds apace, networks that are physically isolated at the design stage are rarely isolated throughout their life cycle. Patching, maintenance and the introduction of new digital components to legacy systems, or even the proximity of smart devices, will continue to challenge the cybersecurity of weapon systems. Closed networks may have connections with open networks; however, there will still be protocols, such as limited access and clearance requirements, and screening processes, that can prevent cyber infiltration. In simple terms, if someone plugs an infected USB into a system, this does not necessarily mean that the system will be compromised: a system can be protected against infection by existing barriers.
The ecosystem is in itself important in upholding cybersecurity. In this regard, trying to change human behaviour through regulation (not allowing smart watches into military compounds, for instance) may be necessary, but regulation alone is insufficient as a defence, and it may overlook and detract from addressing fundamentally systemic issues. States should prioritize making networks and systems human-friendly, while taking active measures to remediate potentially harmful human behaviour by fostering a culture of cybersecurity.131
Cyberthreats may pose questions as regards the integrity of data, thus leaving decision-makers in doubt as to whether the information they hold is truly reliable. The application of emerging technologies may be useful in providing evidence-based information in such instances. Although, at times, new technology (AI with machine learning techniques, for instance) may challenge NC3, technology-enhanced decision-making (e.g. through modelling and simulation techniques and big data analysis) may be able to provide valuable information when decisions need to be taken within a very short time frame. Autonomous and automated technologies will also play an increasingly important role in detecting, assessing, characterizing and mitigating vulnerabilities and novel attack vectors in critical systems, as the work of the US Department of Defense’s Defense Advanced Research Projects Agency (DARPA) and its contractors suggests.132
An assessment of how adversaries think about command and control might also help NATO and Allies to understand cyber offence and cyber defence strategies. NATO should also address the cyber risk that comes with procurement of military equipment from countries that are not friendly to NATO (e.g. Russia or China). At its 2018 Brussels Summit, NATO stated its commitment to ‘working to address existing dependencies on Russian-sourced legacy military equipment through national efforts and multinational cooperation’.133 At present, several NATO countries – among them Montenegro, Romania, Bulgaria and Poland – possess legacy equipment from the Soviet era.134 A study of the cybersecurity of Russian legacy systems in NATO member countries and methods, as part of efforts to reduce this dependency, would provide important analysis and insights for the Alliance.
There will always be some risks for NATO when it comes to defending its strategic assets, including nuclear systems.135 The question is therefore: What are the areas in which its assets are so critical that NATO cannot tolerate any risk at all, and where could it progressively accept a greater level of risk as the importance of certain assets declines? Considering that NATO cannot defend all of its assets, prioritization of efforts on the basis of significance and risk should continue to be the guiding principle.