Turning Back the Doomsday Clock: Addressing Cyber-Nuclear Threats

Angela Suriyasenee | Cyber & Tech Fellow

Image credit: Murray Campbell

The risk of nuclear-weapons use is at its highest since the Cold War. Earlier this year, the UN’s Under-Secretary and High Representative for Disarmament Affairs cautioned all states to exercise restraint from all actions that could result in nuclear escalation and lethal miscalculation. To make matters worse, these risks are exacerbated by growing cyber threats to nuclear facilities and nuclear command, control, and communications, referred to as NC3.

Nuclear weapons systems, like most complex digital infrastructure, are prime targets for cyber assaults. Yet, there is a concerning lack of expertise and safeguards across the nuclear sector to help mitigate these issues. The evolving capabilities of cyber actors, in our increasingly interconnected digital worlds, underscore the urgent need to strengthen our technical capacities and security mechanisms.

Cyber-Nuclear Threats (CNTs) - What is at Stake?

The safe and secure management of nuclear weapons has long been a complex challenge, but these challenges are magnified by new cyber capabilities and dynamics. This convergence of the nuclear weapons complex, that is the infrastructure, facilities, and operations related to the research, development, production, and maintenance of nuclear weapons, with cyber tools has opened up a new security threat landscape full of vulnerabilities that demand our attention.

The hacking of nuclear facilities to enable the theft of highly enriched uranium for weaponisation by terrorist groups is no longer a distant possibility. The Nuclear Threat Initiative’s (NTI) ‘Outpacing the Cyber Threat’ report discusses these very risks, emphasising cyber saboteurs and their potential to incapacitate or hold hostage nuclear infrastructure. This could result in anything from the theft of nuclear weapons-making materials, to the triggering of catastrophic meltdowns, and manipulation of nuclear missile systems to provoke devastating retaliatory strikes.

Such threats loom ominously closer than we may realise. Director of the Nautilus Institute, Peter Hayes, backs the importance of NC3 security, stating “there is a reason, however, that David slung his stone into the forehead of Goliath rather than his musculature. Without a head connected to a body, a nuclear force is useless … [NC3] is perhaps the most critical element of making nuclear war.”

Since the 1990s, there have been over 20 known cyber incidents at nuclear facilities. The sabotage of these industrial control systems is becoming more common. These incidents include the disabling of the United States’ Davis-Besse power plant’s safety monitoring systems for five hours; the theft of data from Germany’s Gundremmingen nuclear facility; the hacking of India’s largest nuclear power plant; the infiltration of the agency responsible for the maintenance of the US’s nuclear weapons stockpile, the National Nuclear Security Administration; and the numerous cyber-attacks and physical damage inflicted on the centrifuges at Iran’s Natanz facility. These security breaches across the globe, and the growth in their frequency, highlight the urgent need for continuous and comprehensive review of our safety mechanisms.

Without robust safeguards in place, our NC3 apparatus is a lethal playground for harmful agents and entities. Hackers can manipulate or falsify data, which could misinform decision-making around the use of nuclear weapons, or modify missile trajectories, target coordinates or sensor readings. Disruption of communication networks and channels could hinder authorities’ abilities to relay critical information, impeding timely and accurate NC3 functions.

CNTs have global ramifications. A successful attack on one nation’s nuclear infrastructure or weapons arsenal could unleash an environmental and public health crisis. Despite the gravity of these threats, most states struggle to keep up with the ever-changing cyber-nuclear threat landscape. While some nuclear weapons states have taken steps to enhance cybersecurity measures, significant gaps and vulnerabilities persist and pose challenges for policymakers.

Strengthening Cybersecurity Measures

To date, there are nine nuclear-weapons states in possession of nuclear weapons, yet no nation is impenetrable to CNTs. The NTI’s 2020 Nuclear Security Index indicated that improvements in cybersecurity scores among the 49 nations that possess nuclear materials, facilities, and weapons, were lagging and international cooperation on nuclear security has slowed considerably.

At present, CNT developments are outpacing countries’ preparedness; only a third of these countries have sufficient cybersecurity standards and regulations in place. A 2016 NTI report revealed 23 cyber incidents at nuclear facilities had been publicly disclosed since the 1990s, yet only 47 percent of countries have implemented cyber incident response plans. In June 2021, the Euro-Atlantic Security Leadership Group reiterated the need for nuclear weapons states to make a commitment to undertake internal reviews of their NC3 systems, and advised that they develop “fail-safe” steps to enhance safeguards against CNTs. While the US has initiated its “Fail-safe Review”, substantial progress in this area is yet to be seen.

International collaboration and knowledge sharing are needed to combat these cyber-nuclear threats effectively. Action at both the national and international level needs to be taken to bolster our combined resilience against nuclear risks, and dialogue between nuclear weapons states on these issues must be restored and maintained regardless of current political tensions. CNTs will only increase as nuclear facilities continue to digitalise their control centres. Developing a common understanding through endorsing dialogue and transparency in doctrines and cyber-related missions among nuclear-armed and nuclear-allied nations can, at the very least, assist confidence-building measures. Through these practices, parties can collectively discuss the complications of the cyber-nuclear nexus, risk perceptions and intended missions, and deepen their understanding of one another’s interests, boundaries and willingness to use force, ultimately promoting stability, trust, and cooperation.

The gravity of cyber-nuclear threats to NC3s must not be underestimated. Any vulnerability in a nuclear system poses a risk to us all. The potential for an anonymous actor to trigger a global catastrophe with a single cyber-attack is a stark reality we must confront. The urgent need for action is evident, and it is the responsibility of every nation to actively engage and establish a robust defensive cybersecurity architecture to safeguard against these risks. By doing so, we can collectively reduce the growing danger posed by cyber-nuclear threats and protect our international security.

Angela Suriyasenee is the Cyber & Tech Fellow for Young Australians in International Affairs.

