On Cyberattacks and the Accidental War
The first real doomsday scenario of cybersecurity is here: hacker attacks on nuclear weapons. While rumors of possible cyberattacks have existed for years, a consequence of the IT modernization of many nuclear arsenals is that these threats are becoming increasingly clear. South Korea announced plans to build cyberattacks to infiltrate and shutdown North Korean nuclear missiles, for example.[i] Many cybersecurity experts regard this scenario as an extremely high risk, especially because it introduces strong unknowns into nuclear weapon systems.
What could go wrong?
Cyberattacks do not develop neatly in such unusual environments, giving rise to two dangerous outcomes for errors.
Outcome one: the computers crash. While in many scenarios this is mostly harmless, it could be dramatic with nuclear weapons. A possible example is Russia. In the course of modernizing its arsenals Russia may have installed a new variant of the Dead Hand system, which automatically fires nuclear weapons when certain systems are disabled and an attack on Moscow must be assumed. But even without a Dead Hand, catastrophic accidental developments can’t be excluded with high reliability when nuclear command and control computers crash.
Outcome two (and worse): the infected computers do not simply switch off, but react in an unprecedented fashion. In this case, everything is possible—including the accidental deployment of nuclear weapons.
How likely is it that hacks will trigger major nuclear incidents?
We can still reasonably exclude terrorists’ attacks. They would have to gather dozens of experts over a long period of time, all with rare expertise, while having access to expert insiders right in the command and control environment. Only then could a successful attack be constructed and positioned.
But other triggers are possible.
Containment issues may occur. Stuxnet proved this a few years ago. Initially created for just one uranium production facility in Iran, the computer worm was found thereafter on thousands of similar systems worldwide, generating malfunctions and damages on completely different installations.
The consequences would be terrible. A plausible scenario is that South Korea constructs an attack on North Korea’s nuclear weapons that works flawlessly and resolves harmlessly. But North Korea’s nuclear weapons come from China—evolved from plans stolen from Los Alamos and sold to Pakistan and Beijing. Pakistani and Chinese nuclear weapons therefore have a similar technical setup. If a cyberattack gets there by one of a thousand coincidences, it could simultaneously reach new environments, i.e., reacting unpredictably with command and control environments with a total ranging from 240 to 3,000 nuclear missiles.[ii]
Does anyone care?
Outcomes and probabilities are two serious unknowns, making an inadvertent nuclear war more likely by an undefined factor.
Does anyone know and care about this? Probably not.
Behind the fog of secrets, there is usually little more than a rather irrelevant wrangling over jurisdiction and power, and incompetence for highly complex problems. This is already impressively apparent for trivial problems, such as digital pickpocketing. The State is barely able to cope—not understanding the problem, its causes, or possible solutions. No wonder: Parliamentarians and government staff can’t get sufficient numbers of specialized cyber experts, mostly due to huge salary gaps, and are besieged by hordes of lobbyists and buzzword-armed opportunists of all kinds, including many pseudo-experts. They cannot separate the wheat from the chaff.
It is also becoming increasingly difficult for real experts. What is a problem or a solution and what is not is roughly a matter of opinion. There is no objective basis on which to make clear assertions about security. The fused complexity of problems and solutions makes it impossible. The world’s militaries are no better. In defensive cybersecurity, no one stands out.
No one expects the cybersecurity of nuclear missiles to be better at this moment. Most of the sector’s experts are still on the open market, not in any underground war rooms. In fact, the nuclear and cyber communities have only recently started collaborating. The IAEA’s first major conference on civil nuclear cybersecurity was only two years ago - the consensus was that they were still at the very beginning of the learning curve. There are experts with a lot of overlapping knowledge, but they are too few and too ineloquent to persuade high-ranking politicians or to feasibly work on the problem.
The sector’s experts believe that no one really knows what can happen, whether something can happen, and how to get it under control. Some expect dialogues between the nuclear powers, but this too is complicated. While often seen as global leaders in cyber diplomacy, the responsible parties in the US and Russia unfortunately cannot stand to work together. Other States and institutions do not dare to deal with such complex matters but rather remain within clear and easy to navigate cyber areas with high consensus potential. The Snowden case, for example, is still chewed over in Berlin think tanks—an outdated but far more comfortable problem.
In short, the greatest threat to humanity has become more dangerous and uncontrollable by a great, unknown factor. And no one feels responsible.
[i] Keck, Zachary. “S. Korea Seeks Cyber Weapons to Target North Korea’s Nukes,” The Diplomat, February 21, 2014. http://thediplomat.com/2014/02/s-korea-seeks-cyber-weapons-to-target-north-koreas-nukes/
[ii] Kristensen, Hans. “STRATCOM Commander Rejects High Estimates for Chinese Nuclear Arsenal,” FAS, August 22, 2012. https://fas.org/blogs/security/2012/08/china-nukes/; Karber, Phillip A. “Strategic Implications of China’s Underground Great Wall.” FAS, September 11, 2011.