2018 Georgetown University Press. All rights reserved. No part of this book may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and recording, or by any information storage and retrieval system, without permission in writing from the publisher.
The publisher is not responsible for third-party websites or their content. URL links were active at time of publication.
Library of Congress Cataloging-in-Publication Data
Names: Futter, Andrew, 1983 author.
Title: Hacking the bomb : cyber threats and nuclear weapons / Andrew Futter.
Description: Washington, DC : Georgetown University Press, 2018. | Includes bibliographical references and index.
Identifiers: LCCN 2017035576| ISBN 9781626165649 (hardcover : alk. paper) | ISBN 9781626165656 (pbk. : alk. paper) | ISBN 9781626165663 (ebook)
Subjects: LCSH: Nuclear weapons. | Nuclear weapons--Security measures. | Hacking. | Command and control systems. | Cyberspace operations (Military science) | Information warfare.
Classification: LCC U264 .F877 2018 | DDC 355.8/25119dc23
LC record available at https://lccn.loc.gov/2017035576
This book is printed on acid-free paper meeting the requirements of the
American National Standard for Permanence in Paper for Printed Library Materials.
19 18 9 8 7 6 5 4 3 2 First printing
Printed in the United States of America
Cover design by N. Putens.
FOREWORDA DECADE AGO , as the United Kingdoms secretary of state for defence, I was responsible for overseeing the beginning of the replacement of the Trident nuclear-armed submarines. This was a complex and difficult process, with many on both sides of the debate advancing passionate and important views about the necessity or desirability of retaining a nuclear weapons capability, well into the second half of this century. Absent from this discussion, however, was any mention that our submarines or nuclear weapons systems could be vulnerable to nonstate hackers or sophisticated state-based cyber warriors. Stuxnet was yet to be revealed, and though cyber operations and attacks had been ongoing for some time, news of them rarely reached public consciousness, and few, if any, had considered, far less written about, the vulnerability of nuclear weapons to the cyber threat.
It was not until 2013, when I read the US Defense Science Boards Task Force Report: Resilient Military Systems and the Advanced Cyber Threat, that I appreciated the seriousness of the situation and the scale of the challenge needed to address this broad and pervasive threat. The report explained in no uncertain terms that the most sensitive US military networked nuclear systems were vulnerable to a high-level cyberattack by a sophisticated and well-resourced opponent because, among other reasons, the networks themselves were built on inherently insecure architecture. Reading also that the authors of the report assessed that the equivalent systems of US allies were equally vulnerable, I raised my concerns with those now responsible for the United Kingdoms strategic deterrent, only to have them brushed aside by bland but unspecific assurances that all was well. After further research, it seemed to me that those in charge of nuclear weapons complexes in all the other leading nuclear-armed states were demonstrating a great deal of complacency about the cyber challenge. Many experts and military spokespeople assert that, because their weapons systems are not connected to the internet, there is no need for concern and, of course, submarines are deployed at sea. To me, this approach avoids many of the major aspects of the challenge. For example, increasingly, nuclear command and control structures rely on complex computer systems, and so too do the weapons themselves, and nuclear-armed submarines actually spend most of their time in port, linked up and essentially online. Admittedly, attacking these weapons systems would not be easybut no system is invulnerable, no matter how much we may wish this to be the case. This is why I have sought to push the issue in various international forums over the past few years, and have attempted, unsuccessfully I have to admit, to make cyber risks a major issue in the 2016 Trident renewal debate in the United Kingdom (see Watt, Trident Could Be Vulnerable, in the bibliography).
In almost all aspects of our lives, we are becoming more and more reliant on complex computer systems that fewer and fewer people really understand. We are living in a world where cyberattacks are likely to be more frequent, more sophisticated, and more pervasive. Purported ongoing US attacks against North Koreas missile program; alleged Russian interference in the US election in 2016; and the recent WannaCry attack on, among others, the UK National Health Servicenot to mention the extensive leaks from whistleblowers, such as Edward Snowdenare indicative of a fast-changing global security context. At the same time, global nuclear weapons complexes are becoming increasingly sophisticated, digitized, and reliant on ever more lines of computer coding and high-technology hardware. It is not impossible to foresee an accidental, miscalculated, or even unauthorized use of a nuclear weapon as a result of computer errors or cyberattacks. Certainly, the cyber threat will only grow, constantly and increasingly challenging established notions of mutually assured destruction, deterrence, crisis management, and proliferation. Thus, before it is too late, it is imperative that we take this threat seriously, include it in public nuclear discussions and debates, and, above all, secure our systems against hackers.
With all this in mind, Andrew Futters excellent book could hardly be more timely. In this very readable and accessible overview, he outlines the key elements of the cyber challenge to nuclear weapons, helps the reader unpack its various aspects, and sets it all in its proper context. As he explains, the cyber challenge is far more than a teenage hacker crouched over a computer in his bedroom, accidentally starting World War IIIalthough this is a possibility. Rather, the threats vary considerably across a spectrum, ranging from nuisance and espionage attacks right up to the possibility of national offensive cyber operations waging cyberwar. Each of these various versions of the threat have differing implications for how we think about and manage our nuclear weapons policy.
I have had the pleasure of knowing and, occasionally, working with Andrew during the last four years. During that time, he has written extensively, accessibly, and wisely about the impact of emerging technology on nuclear strategy, stability, and arms control. I have watched his reputation grow as his expertise has been sought further and wider. To my knowledge, his research, analysis, and advice have been deployed to the advantage of the deliberations of think tanks, academic institutions, and legislative committees here in the United Kingdom, in the United States, and across Europe. His research, analysis, and recommendations merit attention and should give policymakers food for thought as they set about building a cyber capability or deploying it in the nuclear realm and begin establishing a norm of hacking the bomb. I sincerely hope his groundbreaking work marks the beginning of concerted global engagement with this topic in both the academic and policy worlds.
CONTENTS