BUFFALO, N.Y. (WIVB) – It’s a nightmare scenario.
Some nation state or terrorist organization unleashes a cyber-attack on U.S. nuclear command and control systems.
Could it happen?
“The threat is there. The threat is real,” said Shambhu Upadhyaya, a University at Buffalo professor of computer science who specializes in cyber security.
He says possible attacks could involve gaining physical access to a system or sneaking in through cyberspace.
What’s the likelihood of that?
“I would say the weapons facilities, nuclear weapons facilities are very difficult to break in,” he said.
Upadhyaya’s research at UB includes beefing up the authentication process to prevent cyber intruders.
For example, he says the typing rhythm on a keyboard is unique from individual to individual.
“If you’re able to compromise the system and get control over the software, you’re the king. You have full control over the system,” he said.
But according to the U.S. Strategic Command, which oversees America’s nuclear forces, the current systems are “cyber secure.”
Air Force Capt. Brian Maguire, chief of media operations for USSTRATCOM based at Offutt Air Force Base near Omaha, Nebraska, tells News 4 that “nuclear command, control and communications are comprised of interdependent systems, facilities and platforms operating through space, air and terrestrial domains.”
“The ability to command and control our nuclear assets is fundamental to the national security of the United States, and U.S. Strategic Command is taking all available measures to protect those systems from intrusion and attack,” Maguire stated in an email response to questions about potential cyber threats.
When a North Korean missile blew up seconds after liftoff this month, there was speculation that the U.S. may have used cyber or electronic technology to sabotage the test launch.
Vice President Mike Pence was asked about it.
“I really can’t comment on the electronic or technical capabilities of our military,” Pence told CNN.
It’s been called the “new wild card,” — the notion that a state or non-state actor could break in, interfere with or sabotage nuclear command and control, and weapons systems.
“This is not to say that it would be easy to hack into U.S. nuclear weapons, but rather that it is at least theoretically possible. And I think behind the scenes increasingly it’s something that the Pentagon and others are becoming very much aware of,” said Andrew Futter, a professor of international politics at the University of Leicester in England.
Futter has written extensively about cyber threats and nuclear security.
“One of the big things with cyber is you don’t know what you don’t know.”
In a paper for the Royal United Services Institute for Defense and Security Studies, Futter suggested the cyber challenge also involves attempts to “compromise” or “spoof” early warning and communication systems.
“During a crisis, if you could spoof sensors and planners into believing an attack was underway, then this would be a way of indirectly causing it through cyber means,” he said.
Futter recommends reducing the alert state of nuclear weapons and limiting the amount of sophisticated software in computers and interlinked systems.
He believes nuclear systems need to be kept simple.
“The first thing we need to realize is that there is a threat, and that there is a risk. And actually this risk is shared by all nuclear-armed states, and therefore by everybody else as well,” Futter said.
Citing “operational security and classification issues,” USSTRATCOM would not discuss any hypotheticals nor provide specific information on potential vulnerabilities.
Maguire stated that “any cyber threat to those systems is very serious as it affects the nuclear capability” of the nation.
“U.S. Strategic Command works to ensure that the nuclear command, control and communication system is reliable and resilient across the full spectrum of conflict,” he said.
According to Nuclear Threat Initiative, there are about 15,000 nuclear weapons in the world today, while the U.S. and Russia hold the vast majority — around 90 percent.
It’s believed that both countries combined have a couple of thousand at the ready for launch within minutes.
Some argue that the biggest threat is not necessarily a premeditated launch by a nuclear-armed nation, but rather a cyber-attack that could undermine or compromise nuclear systems.
“The weakness of all of this is it needs one malicious actor either on the inside or the outside. It requires one infected computer either ported in or already in. And that’s the trigger right there. It’s one button,” said Arun Vishwanath, a University at Buffalo professor who specializes in cyber security.
“There are vulnerabilities in all technologies. And anything that’s connected to the internet, even if it’s on a separate secure network, as long as there are computers involved there’s a possibility of malware, software, hackers getting access.”
“This is a constant game of staying one step ahead of the bad guys who are looking for that one weakness out of a million,” he added.
Questions about the security of nuclear systems came up in 2013 before the Senate Armed Services Committee.
Retired Air Force Gen. Robert Kehler, then commander of the U.S. Strategic Command, told the panel that much of the nuclear command and control system is the legacy system that had been in place for years which “helps us in terms of the cyber threat.”
“However, we are very concerned with the potential of a cyber-related attack on our nuclear command and control, and on the weapons systems themselves. We do evaluate that,” Kehler told the committee in 2013.
In February, a Defense Science Board report on cyber deterrence recommended an annual assessment of the cyber resilience of the nation’s nuclear deterrent against a “top tier cyber threat.”
Air Force Gen. John Hyten, the current commander of the U.S. Strategic Command, told a Senate Armed Services Committee hearing in April that he sees “Russia and China” as a top tier cyber threat because “they have the ability to threaten the existence of this nation.”
“One of the reasons you have to be able to protect the nuclear command and control capabilities, it’s fundamental to deterrence,” Hyten told the committee. “If that’s ever brought into question that lowers our deterrent posture to top tier threats and we have to make sure we never allow that to happen.”
Maguire tells News 4 that USSTRATCOM provides annual reports on cybersecurity risks involving nuclear command, control and communications, and that the inaugural report was submitted in 2016.
According to Tom Collina, director of policy for the Ploughshares Fund in Washington, D.C., the U.S. is planning to spend a $1 trillion on nuclear weapons over the next 30 years.
Collina, whose global security foundation gives money to organizations in an effort to reduce the spread of nuclear weapons, suggests this could be the start of a new arms race with Russia.
He says cyber-attacks against nuclear command and control systems are “low probability, high consequence.”
“The chance of them happening may be small, but if they do happen the consequences will be huge,” Collina said.
He believes the greatest danger is a scenario where the U.S. and Russia initiate a nuclear exchange by mistake.
“The United States determines whether it’s under attack by another country by looking at computer programs that tell us what radars are saying. These things are all generated by computers,” Collina explained.
“Imagine in the worst case that someone gets in and hacks are computers to tell us that there’s a launch. That we’re under attack but we’re really not,” he added. “What do we do? How do we know? And if we think we’re under attack we launch a retaliatory strike and we’ve started a nuclear war.”
Collina is among others who think nuclear weapons should be taken off alert.
“It’s preventable if we both take our weapons off alert, stand down and agree not to launch our nuclear weapons under any circumstances unless there’s absolute proof that other weapons have been launched,” he said.
The cyber threat America faces today is a “significant element of our risk assessment” going forward, according to Maguire.
“As we modernize and build a 21st century nuclear command, control and communications architecture, cybersecurity and cyber defense must be built into the systems right from the beginning,” Maguire tells News 4.