Lin Herbert - Cyber Threats and Nuclear Weapons

CYBER THREATS AND NUCLEAR WEAPONS

HERBERT LIN

STANFORD UNIVERSITY PRESS

Stanford, California

Stanford University Press

Stanford, California

2021 by Herbert Lin. All rights reserved.

No part of this book may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording, or in any information storage or retrieval system without the prior written permission of Stanford University Press.

Printed in the United States of America on acid-free, archival-quality paper

Library of Congress Cataloging-in-Publication Data

Names: Lin, Herbert, author.

Title: Cyber threats and nuclear weapons / Herbert Lin.

Description: Stanford, California : Stanford University Press, 2021. | Includes bibliographical references and index.

Identifiers: LCCN 2021021374 (print) | LCCN 2021021375 (ebook) | ISBN 9781503630390 (paperback) | ISBN 9781503630406 (ebook)

Subjects: LCSH: Nuclear weaponsUnited States. | Nuclear weaponsSecurity measuresUnited States. | Computer securityUnited States. | Command and control systemsSecurity measuresUnited States. | Cyberspace operations (Military science)United States.

Classification: LCC U264.3 .L56 2021 (print) | LCC U264.3 (ebook) | DDC 355.8/25119028558dc23

LC record available at https://lccn.loc.gov/2021021374

LC ebook record available at https://lccn.loc.gov/2021021375

Cover illustration: shutterstock | Maha Heang

Cover design: Rob Ehle

Contents

Preface

Information and communications technologies now pervade all aspects of life, both civilian and military. That most people in civilian life struggle with getting those technologies to work properly is commonly understood. Most of us have watched a speaker struggling to get his or her computer to work properly with a projector for an entirely routine presentation. Most of us have had a help desk tell us, Lets try X to solve your problem. If that doesnt work, well try Y, and if that doesnt work, well try Z. Most of us have stared at our computers in disbelief at one time or another, saying out loud, Huh? Why did you [the computer] do that?

What is less commonly understood is that things are no better with military applications of information technology. Military information technologies were once far more sophisticated than the technologies available to the civilian world, but those days lie decades in the past. Today, the most advanced information technologies are first developed for use in the private sector, and most military applications of information technology are years behind those in the private sector. Most important, military personnel face many of the same kinds of problems that ordinary civilians face.

Computer security, or cybersecurity, is no exception to this rule. Military personnel and civilians alike find cybersecurity to be an inconvenience that gets in the way of doing real work. It may be marginally easier to order military personnel to follow security procedures that civilians would not tolerate, but the underlying urge to ignore security is the same, and the security outcomes for civilian and military computer systems are often more similar than might be expected.

Moreover, as weapons systems are brought into the internet age, they may well become more vulnerable to attack than older ones. Each electronic component, each wireless communications link, each contractor-supplied software system used in a weapons system is a potential vulnerability as well as an asset. National leaders who command the red button (a very common metaphor for a trigger that could set into motion the use of nuclear weapons and the end of the world) have unvetted Twitter and Facebook feeds to inform their decision-making as well as vetted intelligence feeds and diplomatic telegrams and letters.

Many of the existing components of the U.S. nuclear enterprisethat is, the entire array of activities and operations that have some significant connection to any aspect of nuclear explosive devices (i.e., nuclear weapons), whether in production, acquisition, operations, organization, or strategywere developed before the Internet of things, the World Wide Web, and mobile computing and smart cell phones became ubiquitous throughout society. Today, the United States is embarking on a nuclear modernization program, and unlike in the past, cyber technologies will play a much larger part in it.

How, if at all, could increasing dependencies on modern information technologies lead to a nuclear war that no sane person would want? This is the question that motivates this book.

A cyber-enabled world affords many benefits to individuals, businesses, and society at large, as well as to the military. Today, U.S. military forces are unparalleled in the world, in part because of their use of information technology. But the growing use of modern information technologies has a downside as well, and where nuclear weapons are concerned, it behooves us to examine that downside and to mitigate it where possible.

Thus, in an age of increasing dependence on information technology, cyber risk is one element of the risk profile against which U.S. decision-makers, both civilian and military, must prepare, anticipate, and mitigate. This book addresses the relationship to and possible impact of cyber technology on all aspects on U.S. nuclear forces and operations. Most of the work done in this area relates to nuclear command and control, and that is a very important topic. Loosely, command and control refers to the processes and arrangements that enable the president and senior military leaders to decide upon the actions of military forces and provide these individuals with the information needed to make good decisions; a more precise definition will be presented in the main text of this book. It is with command and control that the button is usually associated.

But the forces must be acquired and organized before they are ordered into action, and once they are ordered into action, they must be able to operate so that they can achieve their mission objectives. Cyber technology is an integral element both of force acquisition and of force operations. In short, cyber technology affects all aspects of the nuclear enterprise. Hence, a multiple-button metaphor is more appropriate. One button orders nuclear forces to operate; after that, a variety of different cyber buttons are needed to operate the various weapons systems and information-gathering systems as those orders are put into effect.

The bottom line? Cyber risks across the nuclear enterprise are poorly understood. As a result, a number of aspects of the nuclear modernization effort may well exacerbate rather than mitigate these risks, and the incoming administration will have to find ways to effectively manage tensions between new nuclear capabilities and increasing cyber risk. Senior U.S. decision-makers are aware of these problems to some extent, but they face two important challenges. The first is that limiting cyber risk may require some hard choices about what nuclear capabilities to give up; the second is closing the large gap that exists between that awareness and remedial actions on the ground.

The rationale and intended audience for this book

A public discussion of the cyber risks to the nuclear enterprise is essential if they are to receive any kind of sustained attention. The management of cyber risks and cybersecurity is almost always a poor stepchild to other aspects of technology acquisition (such as cost, scheduling, and performance) and operations (such as military efficacy, resource allocation, and adaptability). Acquisition and operations managers have every incentive to say cybersecurity is receiving adequate attention while in fact doing the minimum necessary to keep security auditors off their backs, because cybersecurity just gets in the way of doing their jobs, which is to deploy a working system or to use it to accomplish some important task.