
Monday, June 18, 2018

Hacking Nuclear Weapons


Until I saw the title of Andrew Futter’s Hacking the Bomb:  Cyber Threats and Nuclear Weapons in the new-books shelf of my university library, I had never given any thought to what the new threat of cyber warfare means to the old threat of nuclear war.  Quite a lot, it turns out. 

Futter is associate professor of history at the University of Leicester in the UK, and has gathered whatever public-domain information he could find on what the world’s major nuclear players—chiefly Russia, China, and the U. S.—are doing both to modernize their nuclear command and control systems to bring them into the cyber era, and to keep both state and non-state actors (e. g. terrorists) from doing what his title mentions—namely, hacking a nuclear weapon, as well as other meddlesome things that could affect a nuclear nation’s ability to respond to threats. 

The problem is a complicated one.  The worst-case scenario would be for a hacker to launch a live nuclear missile.  This almost happened in the 1983 film WarGames, back when cyberattacks were primitive attempts by hobbyists using phone-line modems.  Since then, of course, cyber warfare has matured.  Probably the most well-known cases are the Stuxnet attack on Iranian nuclear-material facilities (probably carried out by a U. S.-Israeli team), discovered in 2010, and Russia’s 2015 crippling of Ukraine’s power grid by cyberweapons.  While there are no known instances in which a hacker has gained direct control of a nuclear weapon, that is only one side of the hacker coin—what Futter calls the enabling side.  Just as potentially dangerous from a strategic point of view is the disabling side:  the potential to interfere with a nation’s ability to launch a nuclear strike if needed.  Either kind of hacking could raise the possibility of nuclear war to unacceptable levels.

At the end of his book, Futter recommends three principles to guide those charged with maintaining control of nuclear weapons.  The problem is that two of the three principles he calls for run counter to the tendencies of modern computer networks and systems.  His three principles are (1) simplicity, (2) security, and (3) separation from conventional weapons systems. 

Security is perhaps the most important principle, and so far, judging by the fact that we have not seen an accidental detonation of a nuclear weapon up to now, those in charge of such weapons have done at least an adequate job of keeping that sort of accident from happening.  But anyone who has dealt with computer systems today, which means virtually everyone, knows that simplicity went out the window decades ago.  Time and again, Futter emphasizes that while the old weapons-control systems were basically hard-wired pieces of hardware that the average technician could understand and repair, any modern computer replacement will probably involve many levels of complexity in both hardware and software.  Nobody will have the same kind of synoptic grasp of the entire system that was possible with 1960s-type hardware, and Futter is concerned that what we can’t fully understand, we can’t fully control.

Everyone outside the military organizations charged with control of nuclear weapons is at the disadvantage of having to guess at what those organizations are doing along these lines.  One hopes that they are keeping the newer computer-control systems as simple as possible, consistent with modernization.  What is more likely to be followed than simplicity is the principle of separation—keeping a clear boundary between control systems for conventional weapons and systems controlling nuclear weapons.

Almost certainly, the nuclear-weapons control networks are “air-gapped,” meaning that there is no physical or intentional electromagnetic connection between the nuclear system and the outside world of the Internet.  This was true of the control system that Iran built for its uranium centrifuges, but despite their air-gap precaution, the developers of Stuxnet were able to bridge the gap, evidently through the carelessness of someone who brought in a USB flash drive containing the Stuxnet virus and inserted it into a machine connected to the centrifuges. 

Such air-gap breaches could still occur today.  And this is where the disabling part of the problem comes in. 

One problem with live nuclear weapons is that you never get to test the entire system from initiating the command to seeing the mushroom cloud form over the target.  So we never really know from direct experience if the entire system is going to work as planned in the highly undesirable event that the decision is made to use nuclear weapons. 

The entire edifice of nuclear strategy thus relies on faith that each major player’s system will work as intended.  Anything that undermines that faith—a message, say, from a hacker asking for money or a diplomatic favor, or else we will disable all your nuclear weapons in a way you can’t figure out—well, such an action would be highly destabilizing for the permanent standoff that exists among nuclear powers. 

Though it’s easy to ignore it, Russia and the U. S. are like two gunslingers out in front of a saloon, each covering the other with a loaded pistol.  Neither one will fire unless he is sure the other one is about to fire.  But if one gunman thought that in a few seconds, somebody was going to snatch his gun out of his hands, he might be tempted to fire first.  That’s how the threat of an effective disabling hack might lead to unacceptable chances of nuclear war. 

These rather dismal speculations may not rise to the top of your worry list for the day, but it’s good that someone has at least asked the questions, and has found that the adults in the room, namely the few military brass who are willing to talk on the public record, are trying to do something about them.  Still, it would be a shame if after all these decades of successfully avoiding nuclear war, we wound up fighting one because of a software error.

Sources:  Hacking the Bomb:  Cyber Threats and Nuclear Weapons by Andrew Futter was published by Georgetown University Press in 2018.  I also referred to the Wikipedia article on Stuxnet.

Monday, August 21, 2017

Cyber Command Gets a Promotion


On Friday, Aug. 18, President Trump announced that the Defense Department's U. S. Cyber Command would be elevated to the status of a "unified combatant command," joining the nine other commands such as the U. S. Central Command (CENTCOM) that oversees all military operations in the Middle East, and the U. S. Strategic Command in charge of nuclear weapons.  The heads of these commands are just below the Secretary of Defense in the chain of command, and each unified combatant command cuts across the traditional armed-services divisions of army, navy, and air force. 

According to a report at the website Politico, the promotion of the Cyber Command has been in the works for years, but carrying out this promotion is in line with the President's campaign promises to bolster the Cyber Command.  Currently that Command is headed by Admiral Mike Rogers, who also heads the National Security Administration (NSA).  The Senate must confirm a new Cyber Command leader before the reorganization is fully implemented, but no particular problems are expected on that score.

After taking an initial leadership position, the U. S. has appeared lately to be lagging in the recognition that cyberwarfare is no longer some science-fiction pipe dream.  The nature of cyberwarfare makes it difficult to state with certainty exactly who is responsible for what.  But most experts agree that, for example, Russia has been plaguing the Ukraine with cyberattacks of many kinds for the last few years, ranging from invading servers used by news media to causing widespread power blackouts in large cities such as Kiev in the middle of the winter.

Probably the first cyberattack that became widely known and has definite attribution was called Stuxnet.  Developed by the U. S. NSA, possibly with cooperation from Israel, it was a clever attack on Iran's uranium centrifuges in 2010 that caused numbers of them to self-destruct.  Stuxnet was the last major focused cyberattack we know of that the U. S. has committed, but by the nature of the business, there may be others we don't know about yet. 

In conventional warfare, the enemy is in a clearly defined geographical area, and even wears uniforms and puts insignia on their equipment so you can tell who are the good guys and who are the bad guys.  Alas, such formality is long gone in many battlefields, and in the anonymous world of cyberspace it is next to impossible to identify the source of an attack in terms of a physical location and which people are doing the bad stuff.  In this regard cyberwarfare borrows from the world of espionage the mysteries and guesswork that makes spy novels so interesting, and makes actual espionage work so frustrating. 

But just because the enemy can't always be clearly identified, that doesn't mean we can ignore what they can do.  There is an old saying that generals always prepare to fight the last war, meaning that military thinkers are slow to deal with combat innovations.  The elevation of the Cyber Command to a level equal to the Strategic Command says that, organizationally at least, we are taking the threat of cyberattacks and the damage they could cause at least as seriously as we are taking the threat of nuclear attacks, which are far less likely but have a higher potential for damage.

Or maybe not.  At any given time, there is probably a maximum amount of damage that a determined cyberattacker could do with the capabilities they have and the nature of the target.  One advantage that the U. S. has compared to smaller and more tightly organized countries is that we have a lot of diversity in our technical infrastructure.  For example, in the recent flap about Russia's attempt to sway U. S. elections, no one has found any convincing evidence that Russian hackers were able to manipulate electronic vote counting.  Even if they had wanted to, the hackers face the difficulty that votes are counted in literally thousands of different jurisdictions using a wide variety of systems.  Anybody wanting to mess with a voting district that was big enough to make a difference would probably have to have a spy physically present for some time in order to gather enough information to give a cyberattack even a chance of success.  Something of the same principle applies to our electric grid, which is a congeries of old and new technology with a bewildering variety of SCADA (supervisory control and data acquisition) systems.  Again, a determined cyberattacker would have to focus on one system that is particularly vulnerable and large enough to make a terrorist attack worthwhile in terms of headlines.

Despite these built-in defenses, the U. S. should not be complacent with regard to the possibility of a crippling cyberattack, and the promotion of the U. S. Cyber Command to the board of Unified Combatant Commands is a step in the right direction.  As I mentioned not long ago in a blog on ransomware, one of the U. S. government's primary responsibilities is to defend the nation against attacks, and this includes cyberattacks.  The spectacle of private companies, even small ones, getting held up for ransom by hackers is morally equivalent to a cross-border raid by physical invaders.  What would normally be a domestic police matter then becomes an international incident, and the intervention of the U. S. military would be appropriate in both cases.

But a lot is yet to be defined about the responsibilities of the military on the defense side.  Historically, the computer industry has held consumers responsible for cybersecurity to the extent of installing patches and upgrades promptly and following good cybersecurity "hygiene."  But as attacks become more sophisticated, there may have to be closer cooperation among private technology developers, their customers, and the military, which up to now has not had much input into the business except as a good customer. 

If history is any precedent, not much will change in a major way until a foreign cyberattack succeeds with a truly crippling blow that costs many billions of dollars, affects millions of people, or results in multiple deaths and injuries.  Then we will get serious about how the military can fight the next war—a cyberwar—and not the last one.

Sources:  Politico.com carried a story entitled "Trump elevates U.S. Cyber Command, vows 'increased resolve' against threats" on Aug. 18, 2017 at http://www.politico.com/story/2017/08/18/trump-us-cyber-command-elevated-unified-combatant-command-241783.  I referred to an article in Wired Magazine published June 20, 2017 at https://www.wired.com/story/russian-hackers-attack-ukraine/ and the Wikipedia article on Unified Combatant Command.  My blog on ransomware appeared on Mar. 27, 2017 at http://engineeringethicsblog.blogspot.com/2017/03/ransomware-comes-to-heartland.html.

Monday, October 19, 2015

Will ISIS Hack the U. S. Power Grid?


In a meeting of electric-power providers last week, U. S. law enforcement officials revealed that Islamic State operatives have tried to hack into parts of the American power grid, so far without success.  But the mere fact that they're trying has some grim implications.

One of the officials, Caitlin Durkovich, is assistant secretary for infrastructure protection at the U. S. Department of Homeland Security.  She refused to provide specific details of the attacks, but an FBI official said that so far the attacks have been characterized by "low capability." 

For some time now, it's been obvious that cyberwarfare may play an increasing role in future conflicts.  Perhaps the most significant successful attack up to now was mounted by a team of U. S. and Israeli experts in what came to be known as Stuxnet.  The attack was aimed at Iran's nuclear-material centrifuges and allegedly disabled many of them in 2010 before operators figured out what was going on. 

That attack was aimed at one specific facility, and the attackers had access to abundant information on the particular equipment involved.  Doing something similar to a significant part of the U. S. power grid would be a harder proposition for several reasons.

A Stuxnet-style attack on one generator, or even an entire plant, might temporarily damage that plant and take it out of commission.  But the power grid is designed to deal with just such occurrences without major disruptions.  At any given time, a certain number of generators are offline for repairs or maintenance, and every so often a problem will cause one or more generators to trip out unexpectedly.  Unless the loss of capacity is very large or happens at a critical high-demand time (say on the hottest day of summer), the system absorbs the loss and reroutes power from other sources to make up the difference, often with no noticeable interruption to customers. 

So in order to produce a large-scale blackout that would do some good from a terrorism point of view, a different approach would be needed. 

The most vulnerable parts of the power grid from a hacking point of view are the network control systems themselves—the SCADA (supervisory control and data acquisition) devices and communications systems that tell system operators (both human and electronic) what the status of the grid is, and open and close the big high-voltage switches that route the energy.  A simultaneous order to a lot of circuit breakers to open up all across a large grid would throw the whole system into chaos, tripping other automatic breakers everywhere and necessitating a total shutdown and resynchronization, which could take hours or days—even longer if widespread mechanical damage occurred, which is possible. 

But doing that sort of attack would be very hard.  I am no power-grid expert, but I do know that long before the Internet came along, power utilities constructed their own special-purpose communication networks that carried the switch-command instructions, often by means of microwave relays or dedicated cables.  Originally, these specialized networks were entirely independent of the Internet because there was no such thing yet, and so were perfectly secure from Internet-based hacking.  Utilities tend not to throw anything away that still works, so my suspicion is that a good bit of network-control data still gets carried on these physically isolated communications links.  For a set of hackers halfway around the world to get into those specialized communications systems would require either amazing hacking abilities, or inside information, or most likely both. 

This is not to say that it's impossible.  But the job is orders of magnitude harder than disabling one uniform set of machines in one location.  As reports on the power-grid hacking attempts pointed out, the U. S. grid is a hodge-podge of widely different equipment, systems, protocols, hardware, and software.  A hack that might take out a power plant in Hackensack would probably be useless on a plant in Houston.  So to mount a coordinated attack that would create a politically significant amount of trouble would be a monumental undertaking—so hard that evil guys with limited resources may decide that some other type of troublemaking would be a better use of their time.

Does that mean we can just sit back and enjoy the fact that the Islamic State hackers don't know what they're doing?  Not necessarily.  Hackers come in all flavors, and as the Internet has played an increasing role in the day-to-day operation of electric utilities, those same firms have had to deal with the accompanying hazards of malevolent cyberattacks from who knows where.  So the fact that Islamic State hackers are going after the power grid is not exactly a surprise.

While the recent revelations have led to some calls for increased government oversight of cybersecurity for the power grid, the industry so far seems to have done a fairly good job at policing itself.  A report in USA Today back in March of 2015 said that the North American Electrical Reliability Corporation (NERC), which is the non-profit industry-sponsored security-standard enforcer, has slacked off on the number of penalties and fines it has assessed on its members in recent years.  But the president of NERC says this doesn't necessarily mean that his organization is getting lazy—it could just as well be that utilities are following the rules better.

Rules or no rules, the danger that foreign and domestic terrorist organizations could cause massive power blackouts in the U. S. is real.  And constant vigilance on the part of the utility operators is needed to prevent these attacks from getting anywhere.  Fortunately, the present structure of the grid makes it a particularly difficult target.  But that doesn't mean it couldn't ever happen.

Sources:  I referred to reports of the disclosures about cyberattacks on utility infrastructures carried by CNN on Oct. 15, 2015 at http://money.cnn.com/2015/10/15/technology/isis-energy-grid/, and by the Washington Examiner at http://www.washingtonexaminer.com/article/2552766.  USA Today carried an in-depth study of the issue by Steve Reilly on Mar. 24, 2015 at http://www.usatoday.com/story/news/2015/03/24/power-grid-physical-and-cyber-attacks-concern-security-experts/24892471/. I blogged on Stuxnet on July 24, 2011 and July 2, 2012.