A new assessment claims that nuclear weapons systems in the United States and United Kingdom are increasingly vulnerable to cyber attack because they are reliant on outdated legacy systems that lack cyber defensive capabilities.
The report, Cybersecurity of Nuclear Weapons Systems: Threats, Vulnerabilities and Consequences, by Beyza Unal, a research fellow at London-based Chatham House who also conducted strategic analysis at NATO, and Patricia Lewis, research director of the international security department at Chatham House, identified a number of vulnerabilities.
For instance, researchers found that the nuclear systems have failed to keep up with technology advances, suffer from a lack of skilled staff, and have fallen victim to bureaucratic inertia in their respective defense and political institutions.
The report also noted that the need to use the private sector increases risk, with this supply chain described as “relatively ungoverned space.”
“Our critical infrastructure is just that, critical. Protecting it is a matter of national security,” said Azeem Aleem, director Advanced Cyber Defence Practice EMEA & APJ Region at RSA Security.
“Yet critical infrastructure companies are often dependent on legacy infrastructures with complex dependencies, and little visibility. Take the recent wave of WannaCry and Petya attacks; the industry was quick to cry ‘patch’, but actually that isn’t always possible, as patching systems without proper testing could actually cause more damage,” he continued.
“My advice would be to face these challenges head-on and the only way to do this is by having visibility and context. This means conducting a thorough risk assessment, understanding the dependencies between systems, using threat detection to monitor and alert on attacks, and contextualizing results with business context in order to prioritize events.”
Said Javvad Malik, security advocate at AlienVault: “There are many risks with connecting legacy systems, we’ve seen in the past years an increase in the attempts to attack critical national infrastructure such as electricity. Going after connected weaponry is the next step, be it for espionage purposes, or something more sinister. Owing to the legacy infrastructure, rapid patches, or constant monitoring is not always feasible, therefore, it is in the best interests to keep such systems as segregated as possible to minimise the risk of external actors being able to access.”
Other experts recommended that regular security checks and threat assessments be performed at military nuclear sites.
(Analyst comment: As the world’s declared — and in Israel’s case, undeclared — nuclear powers upgrade their nuclear weapons and delivery systems, there is an ongoing debate in the U.S. about the utility of the land-based ICBM force and whether or not the Pentagon should spend tens of billions over the next decade to replace Minuteman III missiles built in the 1960s and deployed in the 1970s. Some argue that nuclear deterrence can easily be achieved without them, using American bombers and submarines. It’s a debate that will continue to rage, as there is no clear winner yet.
That said, we can’t have systems that are easily hacked. Bear in mind that our nuclear weapon systems are old but not forgotten; they receive regular maintenance. But one comparison said it’s a bit like keeping up maintenance on a classic car — it may still look and run great, but there’s only so much you can do to upgrade the car’s technology.)