“Joan Rohlfing on How to Avoid Catastrophic Nuclear Blunders: The Interaction between Nuclear Weapons and Cybersecurity”, 2022-03-29 ():
Rob Wiblin: Yeah. I’m interested to talk for a second about the interaction between nuclear weapons and cybersecurity. I just started reading this book called Hacking the Bomb—which from the title sounds a little bit sensationalist, but actually I can recommend it, because it’s quite a serious and sober, more academic look at the issues of play here.
Joan Rohlfing: Is this Andrew Futter’s book?
RW: I think that’s right, yeah. What do you think people who are somewhat informed about this area don’t know or don’t recognize about the interaction between nuclear weapons and cybersecurity?
JR: Thanks for raising that. Andrew Futter is doing some really important work in this space. For me, a cyber hack of our nuclear weapons is one of the most likely pathways to nuclear use. I worry a lot about it. NTI has done some [2018] work on this space. In 2018, we convened a study group with senior former military officials, civilian government officials, and experts in the field to look at this issue of implications of cyber vulnerabilities of nuclear weapons.
In part, we were motivated to do that because we had been watching this space closely, and were very concerned about a report that was published by the Defense Department itself. The Defense Department has an advisory board called the Defense Science Board that undertook a study in the 2013 timeframe, and published a report that basically says—and I’m paraphrasing the top-level recommendation—that all of our military operational systems are vulnerable to cyber attacks.
If you think about it, this is logical. All of our military forces have thousands of digital components—not all of those digital components come out of secure foundries, so we may be baking into our military systems faulty, compromised components. Then we also know that even if you have systems that aren’t directly connected to the internet air gap, there are a lot of ways they can be compromised by an adversary. We saw how that might work with the cyberattack on Iranian centrifuges—which were not connected to the internet and nevertheless had a massive failure because of the introduction of a cyberattack.
The upshot of the report is that we have to assume that our nuclear forces may already be compromised, and that there is no technical solution. That’s the other chilling part of that story: this is not something you can just patch and be done, and you’re fine. It forces us to rethink: if this is true and we can’t have confidence in the system that it’s going to work as designed—that it’s not compromised—then what kind of policy changes do we need to be thinking about to counter what we can’t manage and that there’s no technical fix to? So this is a very real problem.
By the way, Andrew Futter, whose book you just referred to, was one of the participants in the 2018 NTI study on cyber-vulnerabilities of nuclear systems, which also included a former Head of US Strategic Command, and former Vice Chairman of the Joint Chiefs of Staff. There is consensus that this is a very substantial problem.