This paper will identify, raise awareness of, and help reduce risks to NATO’s nuclear weapon systems arising from cybersecurity vulnerabilities. It aims to respond to the need for more public information on cyber risks in NATO’s nuclear mission, and to provide policy-driven research to shape and inform nuclear policy at member-state level.
Appendix I: NATO Allies’ Nuclear Planning and NC3 Architecture
That NATO members’ NC3 architecture is secure and reliable is of particular importance for deterrence purposes. Even when the Alliance’s NC3 systems are under attack, all member states should be able to demonstrate their detection, forensics and response capabilities, which necessitates that NC3 architecture continues to function as planned. Drawing on information available in the public domain, this section sets out that architecture for the three nuclear weapon states within NATO.136
The US
Authority to order the use of the US’s nuclear weapons lies solely with the US president,137 as commander-in-chief of the armed forces. While this has been subject to deliberation,138 the role of actors other than the president in authorizing the use of nuclear weapons is consultative, and serves to assist the planning of operations. Critically, however, this does not extend to the ability to veto decisions.139 The NC3 architecture in the US has certain distinct functions, including force management, nuclear planning, situation monitoring, decision-making, and distributing force direction orders.140 The exercise of these functions requires dedicated, redundant and survivable connectivity for the president to communicate effectively with all nuclear-capable forces through a network of communications and warning systems. These allow the president to make and communicate critical decisions without constraint.141
The US NC3 system is known to comprise of as many as 160 different systems, including but not limited to communication networks, control centres, land stations, radio receivers, satellites and aircraft.142 As a result, there are many cases in which a number of different elements contribute to the delivery of US NC3 missions. Much of the apparatus presently included in this inventory is legacy infrastructure developed accumulatively throughout the course of the Cold War, which is now undergoing comprehensive modernization through a process that includes incorporating new technology means to tackle modern threats.143 US NC3 is composed of ‘early warning satellites and radars, communications satellites, aircraft, and ground stations, fixed and mobile command posts, control centers for nuclear systems’144 – all of which contain digital components. The malicious manipulation of hardware or software in a nuclear platform could cause malfunctioning of these elements, and may compromise the mission completely.
The president, the Secretary of Defense and other senior cadre make decisions on nuclear weapons deployment based on the collection of information via the US Nuclear Command and Control System (NCCS).145 Moreover, the NCCS provides the means by which the president can then make the decision to authorize the use of nuclear weapons, based on information gathered to provide warning of attacks on the US and its NATO Allies.146 There are a number of stages involved in this process that each entails the use of NC3 infrastructure, starting with intelligence gathering147 and proceeding through early warning systems, communications, authorizations and eventual launch.
For the purpose of providing missile early warning, the Defense Support Program (DSP) remains in use as part of the Satellite Early Warning System. The early warning system is composed of fixed, terrestrial phased array warning radars, as well as its successor, the Space Based Infrared System (SBIRS), and the US Nuclear Detonation Detection System.148 The DSP is a constellation of satellites that operate in geosynchronous orbit and detect launches using heat-detecting infrared sensors.149 SBIRS works similarly to DSP, and was aimed to replace this ageing system, with additional capabilities such as the ability to simultaneously scan large areas and fixate on a particular area for various scales of missile activities.150 However, a replacement to SBIRS, which began practical operations in 2011, has already been chosen in the form of the Next Generation Overhead Persistent Infrared System. This will consist of five satellites that are to build up SBIRS and ‘integrate missile defence sensors’,151 providing increased warning time and survivability.152 Together, these provide the basis of the US tactical warning system, along with the Ballistic Missile Early Warning System (BMEWS), which is comprised of terrestrial systems based in Alaska, Greenland and the UK. Considering that it relies on both terrestrial (i.e. radar) and space capabilities (e.g. satellites), there is a certain level of redundancy in the US early warning systems. Yet, this still may not provide survivability. Although these tactical warning systems are scattered around the world, they are only in three locations; and since these are fixed sites, they would be vulnerable to nuclear attack in time of conflict.
Communications as part of NC3 are carried out across the full breadth of the electromagnetic spectrum. This is due to the fact that the US operates multimodal nuclear weapon systems, which each benefit from the use of different bands of the spectrum for different systems, including higher-frequency waves for communication via satellites, while very low frequency (VLF) radio waves are used for broadcast communications with submersible vehicles such as submarines. For the purpose of communicating with air delivery crews and ICBM crews, the president and nuclear force commanders have both the Defense Satellite Communications System (DSCS) and the Advanced High Frequency Satellite System (AEHF).153 These operate within the super high frequency (SHF) and extremely high frequency (EHF) bands, respectively, and offer greater resilience against electromagnetic blackout caused in the event of nuclear detonation. These frequencies also benefit from having higher data transmission rates (in comparison with the ultra and very high frequency bands that are commonly used by commercial and military radios), and are more difficult for adversaries to jam.154 At the other end of the spectrum, large terrestrial antennas are required in order for nuclear command to communicate with submerged submarines. Submarines cannot receive EHF bands, as these waves cannot penetrate deep under water. Until 2004 extremely low frequency (ELF) waves were used to transmit messages to US submarines operating at great depths; however, a number of difficulties, including the rate at which data could be sent by using such means, reportedly led the US to shut down this method of communication.155 Instead, today the VLF band is preferred for use in communication with submerged submarines; however, this frequency does not allow for communication at as great depths as ELF.
In addition to these fixed and geosynchronous communications apparatus, the US also operates a mobile airborne communications relay capability in the form of the E-6B. This is equipped with the airborne launch control system (ALCS), which allows commanders on board to communicate with all three elements of the US nuclear triad, including a five-mile extendable antenna to allow communication with submerged submarines.156
The UK
The UK solely operates a continuous-at-sea nuclear capability, the Trident Vanguard-class submarine, with at least one on patrol at all times. It is stipulated that the notice to fire takes ‘several days’. 157 In other words, the nuclear missiles are currently not on standby (launch on warning) and would require an interval of time prior to launching. In theory, this would prevent any accidental launch scenarios. The 2013 Trident Alternatives Review, however, set out the requirement for deterrence as: ‘A minimum nuclear deterrent capability that, during a crisis, is able to deliver at short notice a nuclear strike against a range of targets at an appropriate scale and with very high confidence.’158 Although the review report emphasized that this requirement is not a statement of UK policy,159 if implemented, it may leave open the possibility of reducing the time frame to launch a missile to less than ‘several days’. It is viewed by some as one of Trident’s significant strengths that the ability exists to both shorten and extend this response time without such actions escalating a crisis.160 Furthermore, the 2006 White Paper on the UK’s nuclear deterrent outlined that while a ‘Trident submarine is on deterrent patrol at any one time … that submarine is normally at several days ‘notice to fire’’ [emphasis added].161 This formulation alludes to the possibility of reducing this several days’ notice to fire in exceptional, abnormal circumstances.
The UK currently maintains only sea-based nuclear forces.162 The prime minister possesses exclusive authority to ultimately authorize the launch of nuclear missiles, whose orders would likely be conveyed from the Nuclear Operations Targeting Centre within the Pindar complex under Whitehall.163 An accident and reporting document from the UK Government’s Marine Accident Investigation Branch noted: ‘Within the Northwood HQ, command and control of submarines was exercised by two Operating Authorities: Commander Task Force (CTF) 345, who exercised command of the Vanguard class strategic deterrent submarines; and CTF 311, who exercised command of all other UK submarines and NATO submarines operating in the Eastern Atlantic and UK waters.’164
During the Labour administration under Tony Blair, it was revealed that the prime minister also holds the authority to decide the contingency course of action to take in a situation where a decapitation attack has occurred (i.e. the British government has ceased to function). This is set out in four identical, handwritten ‘letters of the last resort’, addressed to the commanding officers of each Vanguard-class submarine.165 Deliberate ambiguity surrounds the details of this process; however, a 10 Downing Street spokesperson did reaffirm the existence of the letters in April 2020 during Prime Minister Boris Johnson’s hospitalization with COVID-19.166 External communication to and from the submarine reportedly uses a US–UK common military-grade encryption system, and transmits data through very low frequency and low frequency radio – although data may also be received from satellites when on or near the surface at higher frequency.167 Another redundancy measure available to the prime minister in times of crisis is the ability to nominate formal nuclear deputies.168 This measure, implemented after 9/11, allows these nominated ministers to make nuclear release decisions ‘in case the top political authority becomes decapitated’.169 In doing so, this adds another layer of resilience to the UK’s nuclear decision-making capability.
While the prime minister possesses exclusive authority over the launch of nuclear missiles, it is worth noting that in 1962 the UK’s nuclear capability was assigned to NATO through the Nassau Agreement, whereby ‘the UK Prime Minister offered to commit the UK’s nuclear armed V-bomber force, operational since the late 1950s, to a ‘NATO pool’, together with corresponding American, and possibly French, nuclear assets’, which has in turn influenced British nuclear policy and strategy.170 Although this has had some implications for the command and control of the UK’s nuclear weapons,171 the UK retains the authority to use its nuclear forces without the requirement to consult NATO Allies when ‘supreme national interests are at stake’.172 Moreover, the UK’s peacetime nuclear policy means that nuclear warheads are not preassigned to any targets (such as cities); hence the command and control relationship between the UK and NATO in the current structure is relatively loose.173 The UK is not reliant on the US Global Positioning System (GPS) for navigational purposes174 to launch nuclear missiles, given that Trident D5 missiles are believed to operate with precision guidance by astro-inertial navigation system instead.175
As previously noted, one method by which communications with the submerged submarines take place is through the use of VLF transmissions.176 The primary means by which these communications are reportedly transmitted is through the VLF transmitter at the Skelton Transmitting Station, however the NATO Interoperable Submarine Broadcast System (NISBS) also provides alternative routes by which to transmit messages.177 Should an attack take place on the Skelton Transmitting Station, or should it for whatever reason be rendered inoperable, measures exist by which to maintain the lines of communication between the prime minister and the submarines.
Despite assurances made by the then UK defence secretary Sir Michael Fallon that the Vanguard fleet of submarines ‘operate in isolation when they are out on patrol’,178 and are thus less likely to be affected by cyber operations, it is possible for systems on board the submarines to be compromised or hacked at alternative stages. While on patrol, the Vanguard submarines’ systems are largely isolated from the internet and civilian networks, and this does reduce the opportunities available to aggressors. Attack vectors do still exist, but these are more likely to be exploited during construction or maintenance phases, when new software and/or hardware are installed while the submarine is ashore.179 As such, it would be unwise to consider the submarines as being completely insulated against cyberattacks, given the various stages at which systems could be compromised, spoofed or hacked – whether at an early stage in the supply chain, or during routine maintenance and upgrades.
France
In March 1966, in a letter to US President Lyndon Johnson, President Charles de Gaulle declared his intention to withdraw France from the NATO integrated military command structure.180 This decision was reversed in 2009,181 but to date France does not participate in the NATO Nuclear Planning Group.182 France’s nuclear doctrine applies a principle of strict autonomy and sufficiency. In the view of many experts, by intending to maintain an independent nuclear force, France deliberately complicates the deterrence calculations of the adversary; thus, the Alliance supports the French nuclear policy.183 A future study of adversaries’ views on this matter could shed valuable light on the effectiveness of this policy. The French nuclear stockpile is stated to be kept always at the lowest level possible ‘compatible with the strategic context’.184 At present, France sustains capabilities to operate and launch nuclear strikes in two domains: in the air and at sea. The nuclear weapons possessed by France at present are exclusively of a strategic nature, 185 although in the past France developed short-range ballistic missiles capable of delivering a nuclear payload, such as Pluton and Hadès.186 The Gendarmerie de la sécurité des armements nucléaires, part of the Gendarmerie Nationale (a branch of the armed forces under the authority of the ministry of the interior), is responsible for the oversight, monitoring and control of nuclear stockpiles to ensure their readiness at all times.187
The president is the sole holder of the authority to order the launch of nuclear weapons. In addition to the president, the prime minister and the ministry of defence take part in the decision-making process.188 Moreover, chief of defence staff (CEMA), chief of the presidential military staff (CEMP), and Nuclear Forces Division of the Defence Staff (EMA/FN) play a role in the execution of the order. The president may give the order from the Jupiter Command Post located within the premises of the Élysée Palace, or from a mobile command post when the president is travelling.189 The order goes to CEMA, who has to verify the order, lay out a plan, and execute it. The transmission between the president and CEMA goes via an operational facility, the Centre opérationnel des forces nucléaires.190 The message is transmitted via the RAMSES strategic and survival meshed network.191 RAMSES has been undergoing a series of expansions (RAMSES IV is the latest version), and it is ‘hardened and protected against electromagnetic waves’192 – presumably to be hardened against an electromagnetic pulse (EMP) attack. Should the RAMSES network be unavailable or destroyed, the SYDEREC system (système de dernier recours) will be used as a last resort measure to ensure the transmission of nuclear orders made by the president.193 The SYDEREC system194 uses ‘antennas supported by inflatable balloons, carried by mobile vehicles’.195 Creating multiple pathways and capabilities in the decision-making process indicates considerations of redundancy throughout the communications systems, which reduces the risk of failure in case of a system shutdown.
Currently, through the HERMES programme, France is modernizing various nuclear transmission components, which rely on a network of infrastructures.196 Under this programme, the TRANSOUM (transmission des sous-marins) programme is dedicated to the modernization of transmissions at sea, while TRANSAERO is responsible for the modernization of means of communications in the airborne component – both related to nuclear deterrence and operations.197
On airspace control, France currently uses a mobile long-range air defence 3D radar system (Ground Master 406), which may possibly detect cruise missiles.198 Two of these systems were delivered in French Guiana and Nice in 2014 and 2017 respectively, and one was reported to be operational as of 2019 in Lyon;199 and it has been suggested that these radars could be linked to NATO’s Air Command and Control System or to the mobile component of the French Système de commandement et de conduite des opérations aérospatiales (command and control system of operations in aerospace).200 As a mobile system, Ground Master 406 would have greater protection (compared with fixed radar systems) against physical attacks at time of conflict. However, these systems may still be vulnerable to cyberattacks. Hence, radar systems many not be truly survivable in conflict, and satellite communications should always accompany them as a redundancy measure.
The 2018 Military Planning Act201 reiterates France’s strategic priorities for 2019–25, based on the 2013 White Paper, and sets the financial framework to put in place and operationalize the measures envisaged under the legislation. The act notably provides for an increase in the allocated budget for the armed forces, including to update existing operational capabilities, supporting national and European strategic autonomy as well as for research and development. Article 5 covers the increase in the armed forces human resources planned for the period to 2025, notably to underpin the prioritization of information and cyberdefence issues, as well as to address the vulnerabilities of command and control systems.202
The issue of the cybersecurity of command, control and communications systems has been officially recognized as a potential threat to nuclear deterrence both from a technical and a doctrinal perspective, as set out for instance in a 2017 Senate report.203 Cyber operations could disable or enable C3 systems that would ultimately either prevent the use of nuclear forces or to cause unintentional/accidental use.