Nuclear Weapons Must Be Safe from Cyber Threats

When it comes to reliability, safety, and confidence in the U.S. nuclear deterrent, there can be no cutting corners.

To keep costs down, one of our national laboratories used $5.00 off-the-shelf capacitors for a nuclear warhead modernization program. But tests later revealed the parts did not meet the high standards and reliability requirements for nuclear weapons components. A Department of Energy official acknowledged in congressional testimony that the switch to a new part and associated redesigns cost taxpayers millions of dollars. This example demonstrating the pitfalls of using commercial, off-the-shelf technology is just the tip of the iceberg of supply chain and other risks inherent in nuclear weapons modernization programs. To mitigate them, acquisition processes must prioritize digital security and reliability in addition to cost, schedule, and performance.

Only “Pass Go” If Digitally Secure

While the technologies being introduced into U.S. nuclear weapons systems are new, many of the technical, procedural, and policy measures that assure they meet the highest standards of reliability and control date back to the Cold War analog era. Supply chain risks are inherent in any modernization project, but with the full replacement of many U.S. nuclear weapons systems for the first time in decades, digital security risks and reliability concerns are more significant than ever before. There are at least forty-six disparate nuclear modernization acquisition programs underway, and the Nuclear Threat Initiative (NTI) estimates that nine out of ten will gain new digital components or upgrades. Digital technologies introduce new vulnerabilities, making the modernization effort more complex than a one-for-one update of U.S. nuclear forces. (The United States is currently modernizing nuclear weapons and their delivery vehicles, including all three legs of the “triad”—intercontinental ballistic missiles, bombers, and submarines—and related command, control, and warning systems.)

Digital security weak points could come from cyberattacks or intrusions that exploit digital vulnerabilities and deny access to critical information through denial-of-service attacks or jamming. Information corruption or spoofing could lead to false conclusions and decisions premised on bad information—hardly an acceptable risk when it comes to the potential use of a nuclear weapon. The Department of Defense’s track record on cybersecurity for weapons systems has been found wanting in the past, but recent statements from U.S. Strategic Command refer to improvements in the past six to eight months. The Department of Defense has expanded efforts to track and reduce vulnerabilities, for instance through a voluntary vulnerability disclosure program for the defense industrial base. Recognizing vulnerabilities is the first step; mitigating if not eliminating them entirely is another.

When it comes to reliability, safety, and confidence in the U.S. nuclear deterrent, there can be no cutting corners. That is why the U.S. military, national laboratories, and the defense industrial base have worked toward high standards for nuclear weapons systems for decades, guarding against insider and safety risks. That same vigilance must now be applied to the modern challenges of digital security.

Robust testing, evaluation, validation, and verification of each new component that could impact the performance of and confidence in the new or upgraded delivery vehicles, command and control, and warning systems is a necessary, if costly, responsibility. Even in the cases where the modernization effort is already far along, systems should not “pass go” if they are found wanting; they should not proceed from research and development to deployment.

Business-as-usual acquisition processes will not be sufficient to protect the security and system reliability necessary as modernization proceeds in this era. Cost, schedule, and performance have long been the troika of priority in the acquisition process, but now a fourth factor must be added: high digital security and reliability requirements are essential for any system supporting nuclear deterrence.

Conduct a “Fail Safe” Review

In addition to updating the acquisition process, there may be other steps the United States can take unilaterally and with other countries to reduce cyber nuclear vulnerabilities. This is precisely the question that will be examined in the Biden administration’s anticipated “fail safe review” of nuclear weapons, command and control, and warning systems. NTI co-chairs Sam Nunn and Ernest Moniz have championed this idea with members of Congress and the executive branch, writing about the ways a modern review could reduce risks of nuclear use, “preventing unauthorized, inadvertent or mistaken use of a nuclear weapon, including through false warning of an attack.” The 2022 National Defense Authorization Act requires the secretary of defense to charter an independent Federal Advisory Committee to review the safety, security, and reliability of nuclear weapons and related systems. The need for this review reflects a concern that the risk of nuclear use or even nuclear conflict by blunder has risen, in part due to the possibility of cyberattacks on command and control and warning systems by nation states or even non-state actors or hacktivists.

There are questions about nuclear risks that have not been answered—at least in an unclassified, public way—since digital technologies became dominant within all nuclear command, control, communications, warning, and delivery systems. This “failsafe review” is intended to examine technical measures the United States could take but also potential cooperative risk reduction opportunities with other nuclear states.

The first such review was conducted in the early 1990s on the initiative of Secretary of Defense Dick Cheney. He tapped Ambassador Jeane Kirkpatrick to chair an independent advisory commission to assess how the United States was meeting the essential dual requirements of assurance against unauthorized use of nuclear weapons and timely, reliable execution when authorized. That review identified opportunities to enhance failsafe features. Among other tangible changes, the first failsafe review led to the use of permissive action links on all sea-based U.S. nuclear weapons. A similarly comprehensive and independent review has not been undertaken since.

The review today should address how systems are designed and built with cybersecurity in mind and how those systems, should they fail, could “fail safely” in this new era. For example, can the number of digital components be minimized to reduce the cyberattack surface? Can nuclear and conventional military systems, including command and control and warning systems in space, be isolated from each other to lessen the risks of entanglement, misattribution, and misunderstanding that could lead to early or unintended use of nuclear weapons? Can the connection between nuclear systems and critical national assets and infrastructure be limited to protect civilian systems while also reducing possible pathways to inadvertent nuclear escalation? What processes, such as periodic red team analysis, could improve confidence in the systems? Ultimately, some policies and postures may need adjustment to compensate for the technical and procedural weak points that will become a fixture in nuclear weapons systems and that cyberattacks could exploit.

The failsafe review should be transparent to the extent possible, including a published summary of unclassified findings and recommendations. It should engage top experts—inside and outside of government—to assess systems and think through performance against a variety of accidental or intentional threats. A full classified review should be conducted and widely shared across all relevant U.S. government departments and agencies including the Departments of Defense and Energy. The review should lead to findings and recommendations to the secretary of defense and the president, who should at the outset communicate his strong interest in the review. The president can then consider and implement recommendations, and where possible, explain to the American people and the world the steps he has taken to reduce nuclear risks.

The president should also share, in broad strokes, the outcome of the failsafe review with other states with nuclear weapons to encourage them to conduct their own, internal, periodic failsafe reviews. Every country with nuclear weapons—including Russia and China—is vulnerable to similar risks, raising the possibility of malfunction, misinformation, miscalculation, and even accidental or unintentional escalation. With tensions among nuclear states higher than ever in recent memory amid Russia’s war on Ukraine and Vladimir Putin’s nuclear saber-rattling, the stakes could not be higher. We have a mutual existential interest in avoiding the use of nuclear weapons, be it intentional or inadvertent, the result of cyber operations or not.

Steps to Reduce Nuclear Risks

There are no international agreements that prohibit cyberattacks against nuclear or related systems. While it is hard to imagine verifiable, legally binding agreements for this purpose, it may be possible to develop norms and practices whereby states with nuclear weapons agree to refrain from such attacks because of mutual self-interest. These and other cooperative measures should be considered in the failsafe review and taken up in strategic stability talks when the political environment is conducive to them. 

At a time when tensions between nuclear powers are higher than ever, each state with nuclear weapons must be vigilant against the risks of miscalculation, unintended escalation, and the unacceptable consequences of nuclear use. This includes assuring cybersecurity and resilience. Though negotiating new nuclear agreements with Russia and China in the near term seems unlikely, the Biden administration can, with its failsafe review, identify and undertake unilateral steps to reduce the risks that nuclear weapons could be used, and set a positive and responsible example for the world.

Erin D. Dumbacher (@erin_dian) is a senior program officer at the Nuclear Threat Initiative focusing on technology and nuclear security. She is a former strategy and research director in the private sector and began studying cyber and international security in Estonia in 2010 through a Fulbright fellowship.