By Alexandra Theodora Tsitsiringos
Research Question: What steps might the United States undertake to reduce the vulnerability of its nuclear command, control, communications, intelligence, surveillance, and reconnaissance (C3ISR) to cyberattacks?
PAPER OUTLINE:
Executive Summary
Theoretical Framework
Literature Overview and Contribution to IR
Governance Structure of C3ISR
Definition of Cyberattacks & Cyberattacks on C3ISR
The Modernization Debate
Hypothesis one and expected evidence
Hypothesis two and expected evidence
Empirical Evidence
Proving Hypothesis 1
Defending Forward
Active defense
Merge of strategies and consideration
Case Study
Proving Hypothesis 2
Supply chain and its impact on security by design
Current state of security by design and the patching effect
Attack vector analysis and potential countermeasures
Conclusion
Appendix
SECTION 0: ABSTRACT
This paper explores methods to improve the cybersecurity strategy specific to the C3ISR. The first hypothesis supports that a combination of offense and defense is the best approach to improve C3ISR cybersecurity practices. The second hypothesis states that a “blanket” strategy is not sufficient, security by design and securing all different subparts and attack vectors is a necessary C3ISR cybersecurity measure. The next section of this paper provides the theoretical framework that allows the reader to understand what the C3ISR is in terms of governance and equipment, what cyberattacks on the C3ISR may look like, the current modernization debate that surrounds it, and the two hypotheses and what evidence would prove or disprove them. The following section presents and analyzes the evidence in support of the first hypothesis, followed by the evidence in support of the second hypothesis. The last section of the paper is the conclusion. The evidence supports both of the hypotheses presented in this paper, however one hypothesis can be considered stronger than the other due to feasibility. The evidence presented in support of the first hypothesis points to the fact that through the DoD’s “defend forward” and Van Dine’s “active defense”, both scholarly work and current government programs suggest that a mixture of defensive and offensive capabilities can lead to a stronger cybersecurity strategy for the C3ISR. The findings pertinent to the second hypothesis suggest that while there are ongoing programs in the DoD to implement security by design, they often function as bandaids instead of core solutions. This is often a result of supply chain issues and the multiplicity of vendors and contractors working with the DoD. The DoD contracts more than 50,000 companies, without considering the origin of subparts; the number of devices and subparts indicates that it would be very hard, if not impossible to ensure that each is completely secure - a problem that becomes even more crucial as hacker ingenuity increases. Provided that the DoD continues with this level of contracting, reliance on “blanket” strategies, such as a defend forward or other combinational plans, seems to be a more feasible option for the foreseeable future.
SECTION 1: EXECUTIVE SUMMARY
In 2003, the Davis-Besse nuclear power plant in Ohio was infected with the Slammer worm after a consultant connected to the plant’s corporate network. The safety parameter display system (SPDS) was shut down for nearly five hours, and prevented operators from seeing sensitive information about the reactor core. In 2009, After Dong Chul Shin was fired from the Dallas-based power company that operates the Comanche Peak Nuclear Power Plant, he logged onto the company’s corporate network, modified and deleted files, and e-mailed sensitive information to himself. In 2011, Oak Ridge National Laboratory in Tennessee was victimized by a sophisticated cyberattack that exploited a zero-day vulnerability in Internet Explorer that allowed attackers to infect computers when users visited malicious websites. Although the lab started blocking malicious emails soon after they started coming in, administrators quickly discovered that a server had been breached when they noticed data leaving the network. Attacks on the C3ISR can have devastating effects; information can be lost or miscommunicated, accidental launches can take place, development plans can allow other state or non-state actors to proliferate or advance their nuclear programs. Given these consequences, a robust cybersecurity strategy specific to the C3ISR is of paramount importance. My first hypothesis supports that a combination of offense and defense is the best approach to improve C3ISR cybersecurity practices. My second hypothesis states that a “blanket” strategy is not sufficient, security by design and securing all different subparts and attack vectors is a necessary C3ISR cybersecurity measure. The next section of this paper will provide the theoretical framework that allows the reader to understand what the C3ISR is (governance and equipment), what cyberattacks on the C3ISR may look like, the current modernization debate that surrounds it, and the two hypotheses and what evidence would prove or disprove them. The following section presents and analyzes the evidence in support of the first hypothesis, followed by the evidence in support of the second hypothesis. The paper ends with a conclusion on the findings.
SECTION 2: THEORETICAL FRAMEWORK
There are multiple debates and issues surrounding the cybersecurity of the nuclear C3ISR. In both academia and government there is an ongoing debate about whether or not the ongoing C3ISR modernization efforts make systems more or less secure. The body of literature on the subject of C3ISR cybersecurity consists of discussions on security by design, offensive operations, defensive operations, different C3ISR attack vectors, the institutionalization of cybersecurity, and the impact of complexity in cybersecurity. This paper focuses on how merging offensive and defensive capabilities would improve cyber protection of the C3ISR and how security by design and cyber resilience are necessary components of a successful cybersecurity strategy. One of the most important considerations that arises is the cybersecurity dilemma and the question of intention when it comes to escalation of threats. Official government documents on nuclear weapons, and particularly their cybersecurity and the security of the C3ISR, are highly classified and sparsely used in security literature. As a result, this paper includes some primary sources, such as interview quotes from officials, DoD cybersecurity strategy documents, nuclear matters handbooks, and Government Accountability Office (GAO) reports. The bulk of the paper draws from scholarly articles and some news reports are also included. Due to the contemporaneous nature of cybersecurity, most of the literature and documents used are fairly recent, published between 2012 and 2019. This paper contributes to the subfield of security studies in international relations, and particularly to the debates of whether modernization serves cybersecurity of critical systems better than analog systems, what are the best cybersecurity measures to protect critical systems (such as the C3SIR), how cybersecurity offense and defense can contribute to escalation risks, and how important security by design is.
C3ISR: The Governance Structure
To gain an understanding of what cybersecurity threats the C3ISR is facing and how they can be countered, it is crucial to understand what the C3ISR is and how it is related to the different United States government entities. The United States possesses the ability to perform a second strike and has completed the nuclear triad: the ability to launch nuclear weapons from land, air, and sea through the possession of intercontinental ballistic missiles (ICBMs), Bombers, and Submarine Launched Ballistic Missiles (SLBMs)[1]. In 2001, the President also directed the transition to a new set of military capabilities more appropriate for credible deterrence in the 21st Century, which includes the traditional triad, along with command and control (C2) intelligence and planning, active and passive defenses, and responsive defense infrastructure (See: Appendix, Figure 1). Based on the March 2019 New Start Declaration, the United States possesses 1,365 strategic nuclear warheads deployed on 656 intercontinental ballistic missiles, submarine-launched ballistic missiles, and strategic bombers. The Federation of American Scientists (FAS) estimates approximately 3,800 stockpiled warheads and 2,385 retired warheads for a total of 6,185 warheads as of early 2019[2]. Since the 1960s, the United States stockpile has experienced significant cuts in its active and inactive nuclear weapons programs based on the different nuclear arms treaties it has participated in under its non-proliferation plans (See: Appendix, Figure 2)[3].
The U.S. nuclear command, control, communications, intelligence, surveillance, and reconnaissance system (C3ISR) refers to the collection of activities, processes, and procedures performed by appropriate military commanders and support personnel that, through the chain of command, allow for senior-level decisions on nuclear weapons employment to be made based on relevant information and subsequently allow for those decisions to be communicated to forces for execution (page: 51)[4]. Decisions on the employment of nuclear weapons can be made only by the National Command Authority (NCA), which consists of the President of the United States and the Secretary of Defense, acting in concert. This chain of command is largely determined based on the Nuclear Command and Control System (NCCS). The NCCS is composed of five elements: facilities, equipment, communications, procedures, and personnel[5] (page: 55). The NCCS is an interagency system that includes stakeholders from the White House, the Department of Defense (DoD), the Department of State (DOS), the Department of Homeland Security (DHS), the Department of Justice (DOJ)/Federal Bureau of Investigation (FBI), the Department of Energy (DOE), and the Director of National Intelligence (DNI). These elements compose the infrastructure that supports the president, through his military commanders, in exercising his authority over U.S. nuclear weapons operations, enabling the performance of the five nuclear C3 functions: force management, planning, situation monitoring, decision making, and force direction [6]. The Air Force Global Strike Command now oversees the NC3 program, and the Air Force Nuclear Weapons Center serves as the integrator of NC3 systems and manages acquisition programs[7]. Nuclear Command and Control Nuclear command and control (C2)—or the exercise of authority and direction by the president through established command lines over nuclear weapons operations, as the Chief Executive over all nuclear weapons activities that support those operations, and as the Head of State over required multinational actions that support those operations—is provided through a survivable “thin line” (first layer) of communications and warning systems that ensure dedicated connectivity from the president to all nuclear-capable forces. The second layer is the current day-to-day/crisis architecture, which can also be described as a “thick-line” system. The present U.S. nuclear C3 architecture is composed of these two thick and thin line systems[8].
Equipment
To specify what types of devices might be vulnerable to cybersecurity threats, we must also specify the equipment used by the NCCS. NCCS equipment includes information protection (cryptological) devices, and the sensors (radars and infrared satellites, fixed, mobile and processing systems) of the Integrated Tactical Warning/Attack Assessment (ITW/AA) System[9]. To assist in ITW/AA decisions, two independent information sources using different physical principles, such as radar and infrared satellite sensors associated with the same event, help clarify the operational situation and ensure the highest possible assessment credibility. The NCCS relies on terrestrial (e.g., land-based secure and non-secure phone lines and undersea cables), airborne relay (e.g., E-4B and E-6B), and satellite (military and commercial) sensors to transmit and receive voice, video, or data[10]. The ability to move trusted data and advice from sensors to correlation centers, from presidential advisors to the President, from the President to the NMCC, and from the NMCC to nuclear weapons delivery platforms depends on NC3 systems (See: Figure 3). In a 2017 interview, General Robin Rand claimed that there are about 107 different systems, placed in 13 different categories[11].
Defining Cyberattacks and Cyberattacks on C3ISR
A cyber attack is deliberate exploitation of computer systems and networks using malicious software to compromise data or disable operations. Cyber attacks enable cyber-crimes like information theft, fraud and ransomware schemes. Some examples of cyber attacks include zero day exploits, malware, phishing, Dos/DDoS attacks (Denial of Service/Distributed Denial of Service attacks), SQL injection, man in the middle attacks (See: Appendix, Table 1)[12]. Cybersecurity attacks on nuclear facilities and components of the NC3 have taken place globally and affected various governments. The United States is the number one target for targeted cyberattacks. Targeted attacks are often state-sponsored, though some have been by private groups. The President’s Budget for fiscal year 2019 earmarks $15 billion for cyber security-related activities, which is a 4 percent increase compared to last year[13]. Attacks on other states nuclear facilities can serve as an example of the havoc an attack on the C3ISR would cause. The Natanz uranium enrichment facility in Iran was attacked with the Stuxnet virus between 2009 and 2010; the virus led to damaged centrifuges and also delayed enrichment activities. This case is particularly notable because the facility was well defended and isolated from the Internet. Since news of Stuxnet broke in 2010, revelations of malware found in nuclear facilities and critical infrastructure have only increased in frequency. In 2014 alone, a cyberattack against a German steel mill caused massive physical damage, malware was introduced into the control room at Japan’s Monju nuclear power plant, and the Korea Hydro and Nuclear Power in South Korea was hacked. The Japanese and South Korean cases resulted in the release of technical data online. In 2015, a Japanese facility that handles plutonium and other nuclear materials revealed that it had discovered malware in its systems. In 2016, a German nuclear power plant was found to be infected with malware, and officials discovered a spear-phishing campaign that had been exfiltrating data from a Japanese research center for months[14].
The Modernization Debate
“The NC3 is a work in progress. It is a very difficult challenge, as we have allowed this system of systems to atrophy.”
- General Robin Rand (Commander of Global Strike Command)
The equipment used for C3ISR is a mixture of hardware and software: warning satellites and radars; communications satellites, aircraft, and ground stations; fixed and mobile command posts; and the control centers for nuclear systems. Many of these systems are antiquated technology, otherwise known as “legacy systems”, and have not been updated since more than three decades ago[15]. Thus, one of the biggest ongoing debates within the Pentagon and academic circles is whether these systems should be modernized or not. Proponents of digitization claim that using these old systems makes C3ISR technology obsolete and unable to keep up with the current pace of technological advancement. They also claim that the old technology makes devices more vulnerable to cyberattacks. General Robin Rand claimed that “I am more concerned about what the enemy is being able to do — and continue to do — that I think will continue to make legacy systems less capable. Those are the consequences. That is obviously why we need to modernize”[16]. On the other hand, there are those who support switching to analog systems and simplifying the technology as much as possible. U.S. Strategic Command General John Hyten explained that “This is an old system, but by virtue of being old and of being a “closed network” it’s also less vulnerable to cyber attacks than modern digital systems that are connected to the internet. It’s very resilient against threats, and I’m very confident it can handle anything today.[17]” Complexity means multiple layers and subparts to secure, and as those increase so do cyberthreats to the overall system[18]. Using analog systems means that the “cyber” aspect is removed in its entirety - there are no cybersecurity threats, because no digital system is used. Furthermore, modernization would cost a considerable sum of money, taking up a large part of the DoD budget. The Congressional Budget Office has estimated that modernizing the NC3 will cost $58 billion over 10 years[19]. To put that in perspective, the total DoD budget for 2018 was 639 billion[20]. In the realm of cybersecurity of nuclear weapons and the C3ISR academia and government are torn between what best serves security: modernizing or reverting to analog?
Hypotheses
This paper focuses on two competing hypotheses about how to best improve the cybersecurity of the C3ISR. First, no cybersecurity defense plan can be entirely comprehensive and the potential for a successful breach should not be underestimated. As such, responses and procedures to counter these breaches should be developed and personnel should be trained not only for a defensive strategy but also for offensive procedures. Second, a merge of defense and offense is not sufficient to maximize security of nuclear systems. Security by design and securing all possible attack vectors is a necessary component of an effective cybersecurity strategy for the C3ISR.
My first hypothesis is that no cybersecurity defense plan can be entirely comprehensive and the potential for a successful breach should not be underestimated. As such, responses and procedures to counter these breaches should be developed and personnel should be trained for an offensive strategy. The independent variable in this hypothesis is that nuclear command cybersecurity strategy should focus on a mixture of offensive and defensive responses rather than purely defensive ones. The dependent variable is improvements in the cybersecurity strategy of the C3ISR. The causal mechanism is that no cybersecurity defense plan can be comprehensive enough to counter all possible attack plans and the potential for breaches is often underestimated.
My second hypothesis is that a cyber-offensive strategy cannot be sufficient in and of itself. Security by design and securing all possible attack vectors is a necessary component of an effective cybersecurity strategy for the C3ISR. The independent variable in this hypothesis is that nuclear command cybersecurity strategy should focus on security by design to secure all attack vectors. The dependent variable is improvements in the cybersecurity strategy of the C3ISR. The causal mechanism is that offensive or defensive strategies for complete systems are not sufficient in ameliorating cybersecurity practices, as subpart and design weaknesses can leave systems exposed to attackers.
SECTION 3: EMPIRICAL EVIDENCE
Proving Hypothesis One
During the Obama era, United States cyber operations were focused more on defensive efforts and prevention of escalation. The current DoD’s “defend forward” is a strategy to include more offensive steps in cyberdefense. Van Dine et. al suggest a C3ISR strategy called “active defense”, which focuses on creating strong defense mechanisms. I suggest a combination of both is necessary for a tailored strategy given the high risk involved with C3ISR systems, and present how this system could be applied in the case of the Oak Ridge National Laboratory cyberattack.
The DoD has made the first steps towards the adoption of a cybersecurity strategy that incorporates offense as well as defense through its “defend forward” strategy. Prior to “defend forward”, General Paul Nakasone, the head of the NSA and Cyber Command, stated that adversaties of the country do not fear the United States when it comes to cyber operations[21]. The lack of American dominance in cyberspace was highlighted by the 2018 DoD Cyber Strategy document itself, which points to persistent campaigns by both Russia and China that pose a long-term strategic threat to the country[22]. One of the most important aspects of “defend forward” is cooperation within and outside the DoD. The strategy leverages all DoD branches as well as non-DoD governmental bodies and the assistance of United States allies. Under this framework, public and private sector partners are provided with indications and warnings (I&W) of malicious cyber activity. The report makes it clear that cybersecurity needs to be viewed as an all-encompassing issue that transcends DoD boundaries, rather than viewed in isolation. “Defend forward” posits that cyber operations targeting not only the DoD but also non-DoD Defense Critical Infrastructure and Defense Industrial Base Entities need to be halted or degraded. In addition. cyber attacks threatening the United States’ critical infrastructure need to be preempted, defeated, or deterred[23]. These attacks may not directly affect the DoD’s warfighting ability but they still constitute significant cyber incidents. This strategy aims to defend forward by “stopping threats before they reach their targets”. One of the key aims of the strategy is to “build a more lethal Joint Force” as well as to compete and deter in cyberspace[24]. Specifically, the Joint Force needs to be strengthened by cyberspace operations to enhance military advantages. This strategy was an abrupt turn from the Obama era cyber strategy, which placed importance on risk mitigation and controlling escalation[25]. The Trump administration loosened these restrictions, allowing the United States cyber command to focus outward on foreign networks to better defend from adversarial hackers and re-establish fear over Washington’s capabilities[26]. The 2018 “defend forward” plan suggests a pathway towards using offensive operations in defending the DoD in cyberspace.
In 2016, Alexandra Van Dine et al. suggested “mounting an active defense” so as to enhance cybersecurity of nuclear facilities[27]. Static prevention, which means securing vulnerable parts of systems in anticipation of attacks, has proven an insufficient tactic as air gaps, firewalls, and antivirus programs fail against even untargeted viruses - targeted attacks would be even more damaging. On the other hand, an active defense is defined as “the continuous process of analysts monitoring for, responding to, learning from, and applying their knowledge of threats internal to the network in order to detect, block, and expel adversaries[28].” There are three different bodies that need to implement changes for a more successful C3ISR cybersecurity strategy: the government, the nuclear industry, and international bodies. The lack of technical experts in the cybersecurity industry can be identified as a key reason as to why security of nuclear systems is so vulnerable[29]. Governments and regulatory bodies should focus on developing cyber prevention and response plans that are created through cyber expertise, sharing relevant threat information with industry, developing and exercising cyber incident response capabilities, and supporting efforts to re-tool defense strategies. Response plans should go above and beyond, covering areas that facilities could not reasonably be expected to handle, by providing additional resources. Nuclear industry should initiate the development of active defense capabilities at the facility level, including providing training opportunities and assistance to boost human capacity. This could include developing mutual-aid agreements or other cross-industry resources to allow facilities to access needed skills. International organizations should facilitate the sharing of threat information where possible and appropriate. Unlike the DoD strategy which views cybersecurity through a broader lense, Van Dine’s “active defense” is specifically tailored for the C3ISR and nuclear facilities.
Merging these frameworks, I would argue that “active defense” and “defend forward” should be combined to create a tailored C3ISR cybersecurity strategy. This cybersecurity strategy should be a mixture of active defense and offense when necessary, considering both proportionality and deterrence as important variables. As Ben Buchanan emphasizes, while “defend forward” is a path towards restoring fear over what the United States can do in cyberspace, escalation risks should always be considered when following more offensive courses of action[30]. When intruders appear on the country’s networks, it is unclear whether their intention is a cyberattack or simply intelligence gathering. As such, cybersecurity threats constitute a twist on the traditional security dilemma between nations, and clarifying intention in cyberspace becomes a necessity in preventing escalation. There are scholars that go so far as to suggest that using cyber offensive capabilities to impact nuclear capabilities is “inherently destabilizing”, creating uncertainty as to how credible and reliable nuclear threats are[31]. Under the scenario that the nuclear capabilities of a state have been disabled due to a cyberattack, states might be privy to asymmetric information and be wrongly overconfident in their abilities - thus acting in a more reckless manner. When applying this merge of strategies, it would be important for the United States government to exercise balance between defense and offense, perhaps veering into offense in cases when the intention of the intruders is evidently to attack. As an example, strategic assets can be infiltrated silently by offensive stealth campaigns, meaning that the planted malware only becomes active at a later time and under certain conditions (such as when a nuclear launch order is received)[32]. Strengthening the case for the use of both defense and offense, Russia, Iran and North Korea are known to carry out offensive cyber operations[33]. The United Kingdom carried out offensive attacks against ISIS [34]. Multiple states engaging in offensive cyber operations would suggest that the United States would be able to compete and potentially dominate in cyberspace by employing cyber offensive measures. Furthermore, there is precedent of using a mixture of offense and defense in cybersecurity as evidenced by The United States Presidential Policy Directive (PPD 20) which was revealed by WikiLeaks. PPD 20 instructed governmental departments and agencies to be ready for both defensive and offensive cyber operations, suggesting US willingness to utilize cyber offensive actions ‘to advance U.S. national objectives around the world with little or no warning to the adversary or target and with potential effects ranging from subtle to severely damaging[35].” To better understand how defense and offense can be intermixed for an offensive cybersecurity strategy, it is important to consider a past case when the C3ISR was threatened in cyberspace as a case study.
Oak Ridge National Laboratory in Tennessee was victimized by a sophisticated cyberattack that exploited a zero-day, or previously undiscovered, vulnerability in Internet Explorer that allowed attackers to infect computers when users visited malicious websites[36]. The laboratory is home to several of the world's top supercomputers including the world's most powerful supercomputer ranked by the TOP500, Summit, and is a leading neutron science and nuclear energy research facility that includes the Spallation Neutron Source and High Flux Isotope Reactor. The attack was first delivered via a spear-phishing email sent in April 2011 that was disguised as an email from the human resources department. The email contained a link to a malicious website; when users visited the site, malware took advantage of the vulnerability in Internet Explorer to download the malware to various computers. About 530 of 5,000 employees at Oak Ridge received the email; only 57 clicked on the link, and only two computers were infected. Although the lab started blocking malicious emails soon after they started coming in, administrators quickly discovered that a server had been breached when they noticed data leaving the network. This system was cleaned up, but then other servers began experiencing similar effects; the malware had camouflaged itself on systems and had been designed to self-eradicate if attempts to compromise a given system were unsuccessful. Ultimately, a few megabytes of data were taken before the lab shut down Internet access to prevent further data loss. This incident highlights the ways in which attackers leverage any access gained through spear-phishing emails, and it shows that even facilities keenly aware of the cyber threat are still vulnerable to it. The defensive capabilities that could be used in this scenario are email firewalls and employee training. Email firewalls are set up to protect individuals or complex networks. They filter incoming and outgoing email-server traffic based on a set of rules determined by the firewall administrator and can be set to catch email addresses that masquerade as different ones by separating official addresses from unrecognized ones. Since an email firewall was not in place, an additional cybersecurity measure that would have helped if it was in place would be employee training - staff could have been trained on how to recognize malicious email addresses and to always check email senders before opening email content. In terms of offensive steps, the IP addresses of the sender could be backtraced and investigated to gain intelligence on the intentions and nature of the attacker and notify government bodies, having already attributed the attack. Government bodies could take this step on by themselves after the attack has been revealed. Furthermore, government bodies could engage in a counter-attack against the specific IP addresses had the information been critical or the damage too high to the organization or the C3ISR.
“The best defense is a good offense” is a popular idiom that seems to have found resonance in the current administration’s cybersecurity strategy. While defensive measures are necessary, they cannot be used in isolation to completely secure the C3ISR. Alexandra Van Dine and her colleagues suggest how active defense is an important step in improving C3ISR cybersecurity measures. This academic approach can be combined with the more offensive “defend forward”, to make a new, tailored C3ISR strategy.
Proving Hypothesis Two
While combining offensive and defensive mechanisms is an important step in creating a more effective C3ISR cybersecurity strategy, another strategy that can be used is “securing all attack vectors” which also includes security by design. Attack vectors are defined as the different pathways through which a malicious actor can gain access to a system[37]. These attack vectors range from using remote malware to activating previously installed exploits or human assets. A large component of this strategy is security by design. The hardware, software, other digital and electronic components of nuclear weapons systems may be compromised before being introduced to the established systems, so manufacturers need to ensure their security before they become part of a larger whole[38]. Security by design or lack thereof is what ultimately leads to what the attack vectors are for each system.
Security by design is quite a difficult task as the C3ISR is composed of a multiplicity of devices, as explained in the Equipment section of this paper. The C3ISR is composed of about 107 different systems, placed in 13 different categories. All of these systems have their own subparts, and entire devices as well as their subparts can involve a number of different contractors. The security of these devices is a crucial issue not only for DoD officials who are responsible for their use, but also for manufacturers and vendors. The DoD currently has 560,000 individual contractors under its employ[39]. On the other hand, vendors (companies) with Awards above $25,000 are about 37.800[40]. A Congressional Research Service Report explains that for FY 2015 “DOD also contracted with more than 50,000 companies besides the primes, a number that does not include subcontracts let by the primes themselves”[41]. Some of these companies are also foreign-based ones. The top five DoD contractors are Lockheed Martin Corporation, The Boeing Company, Raytheon Company, General Dynamics Corporation, Northrop Grumman Corporation. Although there is some level of cooperation between the United States government and manufacturers, very often these actors do not share a common view of threats. Therefore, an important consideration in security by design is to ensure closer cooperation between the public and the private sector, as well as cooperation with academia. Cyberattacks on private sector IT systems may result in the theft of nuclear weapons design information in order to sell or pass on to interested parties, including non-state actors[42]. This potential attack highlights the risk of proliferation that ensues from weak cybersecurity practices. Protecting nuclear weapons design information requires training personnel in nuclear weapons facilities (including laboratories). Personnel should be aware of cybersecurity best practices, and have an advanced understanding of cyberthreats. The multiplicity of companies involved in the supply chain suggests the need for a holistic secure by design approach to reduce vulnerabilities in the supply chain. This holistic approach should be formed based on possible risks in system architecture, design, manufacturing, and maintenance[43]. While the protection of national nuclear forces is a responsibility of equal interest to all stakeholders, this is undermined by the persistence of unidentified or inadequately addressed vulnerabilities in the nuclear supply chain.
Security by design for C3ISR systems is inherently disadvantaged given that when nuclear weapons systems were first developed, computer capabilities were limited, leading to no consideration of potential cyber vulnerabilities. Cybersecurity measures were not included in the development of the design structures. The DoD is currently applying the “Program Protection Plan”, a framework to reduce risks by identifying and managing threats to mission-critical systems[44]. While mission critical systems are crucial to protect, there is a multiplicity of devices attackers can get access to in order to compromise C3ISR security. Attackers can also use multiple methods to infiltrate nuclear weapons systems, like compromising source code, firmware, or internal portals. This allows attackers to interfere with subcomponents such as computer chips at the design and production levels, a phenomenon the military characterizes as systems “compromised by design”. In the computer chip scenario, the chip functions as expected, leaving the user unaware of its use for data gathering. Having interfered with the chip at the production level, attackers are able to use it for data gathering and data corruption. Rather than acquiring chips from defense entities and laboratories, most states acquire them from the global marketplace. Russia is an example of a state more aware of this risk, as they only used domestic computer hardware components until recently. While the DoD Program Protection Plan is an important framework in protecting C3ISR systems, it is by no means comprehensive and functions more as a bandaid or a patch rather than a solution.
This bandaid function was clearly illustrated during the modernization of Minuteman III missiles’ guidance systems and patching of their rocket motors, as well as the patching of DoD telecommunications systems[45]. The Minuteman silos used to store the United States nuclear arsenal. A report issued by the Obama administration revealed that there were potential vulnerabilities linked to the silos connection to the internet, which could cause the missile’s flight guidance systems to malfunction. The DoD contracted Boeing to counter these risks, with the company providing the design, modernization and testing of the missiles[46]. One of its steps was to incorporate a guidance computer for the missiles to provide precision. The Minuteman III improvements began based on concerns over the possible vulnerability of the nuclear weapons program on a larger scale. Another example of this patching process is C3ISR telecommunications systems. In 1997, the United States National Security Agency (NSA) conducted its first large-scale cyber-testing operation to ascertain the military’s agility against cyberthreats. The exercise, known as Eligible Receiver, revealed that the military’s telecommunications system could be hacked through commercial software. As a result of the exercise, the military purchased intrusion detection systems and installed them in a large number of computers. This allowed them to identify a real cyberattack just months after the exercise. Years later, in 2008, a similar operation revealed that the threat had not disappeared. The United States GAO studied physical security and cybersecurity in the Los Alamos National Laboratory. The results showed vulnerabilities in the areas of identifying and authenticating users, encrypting sensitive information, and monitoring and auditing security policy compliance[47]. In order to tackle these challenges to cybersecurity, the National Nuclear Security Administration in the Department of Energy set up the Baseline Cyber Security Program, mapping out an organization-wide risk-management approach[48]. The recurring threat that emerged in 1997, and then again in 2008, suggests that creating a bandaid or simply patching issues within nuclear command and control systems is not sufficient - it is necessary to perform risk assessments on a regular basis and re-evaluate the security of the fundamental components of the C3ISR.
The supply chain and security by design flaws make different attack vectors available to infiltrators who want to disrupt C3ISR operations[49]. To understand these attack vectors it is necessary to first separate the C3ISR into different nuclear segments. The first segment is research, development, testing, simulation, and maintenance and the attack vectors are supply chains, manufacturing, supercomputers, and technical personal. Compromising these systems can lead to unreliability, readiness delays, and prolonged financial expenditures. The potential countermeasures to secure these attack vectors are onshore logistics, redundant supplies, redundant verification protocols, cyber and physical security best practices. The next nuclear segment are early warning satellites and radars and the attack vectors hackers can exploit are directed energy, communication links, and ground station processing. Interference with satellites and radars can lead to false positive results, also known as spoofing, and false negative results, known as blinding. The cybersecurity of these systems can be ensured by redundant sensors, multiple phenomenology, and all-source intelligence fusion. During crisis intelligence and assessment processes there is potential for deception, social media flooding and manipulation, false flag signaling, and jamming. These attack vectors can allow hackers to cause confusion, misattribution, threat inflation, and centralization error. Potential countermeasures to maintain the integrity of crisis intelligence, is counterintelligence, active defense, all-source fusion, multiple advisors, a strong public affairs strategy and a crisis hotline. The command, control, communications, and computing architecture can allow the access, authentication, confidentiality, and integrity of network operations to be exploited. Infiltrators can cause unauthorized launches, accidental launches, launch failures, and targeting errors. To counter these potential attacks, redundant communication and authentication needs to be in place, along with limited connections, heterogeneous systems, network monitoring, and cybersecurity best practices. Operational units and delivery platforms and warheads are also part of the C3ISR and attackers can use the supply chain, the C3 network, and telemetry as attack vectors. These vulnerabilities can lead to launch failure, guidance failure, and self destruction of systems. Redundant systems, testing, and authentication can be used to secure these units. Finally, missile defense can be considered the last nuclear segment that has supply chain, sensors, and the C3 network as its attack vectors. Hackers can use these weaknesses for detection, tracking, and interception failure. To counter these risks, redundant sensors, networks, interceptions, and cybersecurity best practices can be employed. Through the separation of the C3ISR into different nuclear segments we can examine the different attack vectors on those segments, the consequences of exploiting those attack vectors, and the potential countermeasures to secure systems.
Security by design is a necessity when it comes to C3ISR cybersecurity practices. However, this security is often compromised by supply chain issues and the multiplicity of vendors and contractors under DoD employ. The DoD often responds to these issues by using bandaid/patching approaches instead of securing the fundamentals of these systems. By separating the C3ISR into different nuclear segments, we can have a clearer view of the attack vectors, the potential consequences of exploiting these vectors, and what countermeasures can be used.
SECTION 4: CONCLUSION
Overall, the C3ISR is a complex body that includes 107 different systems, antiquated devices, and subparts originating from different departments, companies and sometimes even countries. The high consequences resulting from cybersecurity attacks on the C3ISR, such as accidental launches, make the need for the very best cybersecurity practices mandatory. Both of the hypotheses presented in this paper are supported by the evidence, however one can be considered stronger than the other due to feasibility. The evidence presented in support of the first hypothesis points to the fact that through the DoD’s “defend forward” and Van Dine’s “active defense”, both scholarly work and current government programs suggest that a mixture of defensive and offensive capabilities can lead to a stronger cybersecurity strategy for the C3ISR. The findings pertinent to the second hypothesis suggest that while there are ongoing programs in the DoD to implement security by design, they often function as bandaids instead of core solutions. This is often a result of supply chain issues and the multiplicity of vendors and contractors working with the DoD. Academic work provides a framework with which to separate the C3ISR into different nuclear segments, analyze potential attack vectors and risks, and present countermeasures. Merging offense and defense to create a tailored C3ISR strategy as well as security by design and securing all attack vectors have both proven equally important steps in improving C3ISR cybersecurity practices. However, the second hypothesis raises feasibility concerns given that the DoD contracts more than 50,000 companies, without considering the origin of subparts. Simply the number of devices and subparts indicates that it would be very hard, if not impossible to ensure that each is completely secure - a problem that becomes even more crucial as hacker ingenuity increases. The DoD itself is struggling with solving the supply chain issue, leaving a number of different attack vectors exposed. Provided that the DoD continues with this level of contracting, reliance on “blanket” strategies, such as a defend forward or my own combinational strategy, seems to be a more feasible option for the foreseeable future. This feasibility concern does not mean that security by design should be neglected or ignored just because it is harder to achieve. This paper examines strategies without considering some other important ongoing debates, such as institutionalization of cybersecurity and complexity’s impact on cybersecurity. Readers or researchers desiring to further explore the variables that could potentially change or enhance the findings of this paper can delve deeper into those and other debates.
Author Biography
Alexandra Tsitsiringos is a rising senior studying Computer Science and International Relations at Tufts University. She grew up in Athens, Greece and moved to the United States to pursue her academic and professional goals. Her passion for politics and international affairs started from Model United Nations Conferences and continued through Harvard Summer School courses, as well as research along side Harvard Professor George Soroka. Before starting college, she also interned for the Governor of Massachusetts, Charlie Baker. At Tufts, her interest in international studies grew while she explored technology and engineering for the first time. She is the current President of the Tufts Women in Computer Science group, and has gradually focused her attention on cybersecurity. Last summer, she developed an anomaly detection system against Distributed Denial of Service attacks with her team at Booz Allen Hamilton, and this summer she is working at GoDaddy as a Cloud Security Engineering intern. Her paper “Narrow Artificial Intelligence Weapons Systems and their Impact on the Balance of Power” was published at the Yale Review of International Studies Winter Issue 2019. Through her publications and work, she aims to continue her exploration of the intersection of politics and technology.
Appendix
Figure 1: Traditional and New Nuclear Triad
Nuclear Matters: A Practical Guide. Los Alamos Study Group. Pages: 7-8. https://www.lasg.org/Nuclear_Matters_A_Practical_Guide_DoD.pdf
Figure 2: US Nuclear Stockpile 1962-2017
Kelsey Davenport and Kingston Reif. “Nuclear Weapons: Who Has What at a Glance” Arms Control Association, July 2019. https://www.armscontrol.org/factsheets/Nuclearweaponswhohaswhat (page: 4).
Figure 3: Command and Control Components
Nuclear Matters Handbook. Office of the Assistant Secretary of Defense for Nuclear, Chemical, and Biological Defense Programs, 2016. https://www.acq.osd.mil/ncbdp/nm//NMHB/docs/NMHB_2016-optimized.pdf (page: 78).
Table 1: In the definition of cyberattacks section, the paper defines and explains what cyberattacks mean overall and provides examples of specific attacks on nuclear facilities in other countries. This table provides an overview of the potential attacks that could threaten the C3ISR in broad terms. They will be analyzed later in the paper (Empirical Evidence → Proving Hypothesis 2)
Cybersecurity Risks - C3ISR
● Communications between command and control centres;
● Communications from command stations to missile platforms and missiles;
● Telemetry data from missiles to ground- and space-based command and control assets; Analytical centres for gathering and interpreting long-term and real-time intelligence;
● Cyber technologies in transport;
● Cyber technologies in laboratories and assembly facilities;
● Pre-launch targeting information for upload;
● Real-time targeting information from space-based systems including positional, navigational and timing data from global navigational systems;
● Real-time weather information from space-, air-, and ground-based sensors;
● Positioning data for launch platforms (e.g. submarines);
● Real-time targeting information from ground stations;
● Communications between allied command centres; and Robotic autonomous systems within the strategic infrastructure.
[1] Nuclear Matters: A Practical Guide. Los Alamos Study Group, 2008. Pages: 7-8. https://www.lasg.org/Nuclear_Matters_A_Practical_Guide_DoD.pdf (Originally published by Office of the Deputy Assistant to the Secretary of Defense for Nuclear Matters)
[2] Kelsey Davenport and Kingston Reif. Nuclear Weapons: Who Has What at a Glance Arms Control Association, July 2019. https://www.armscontrol.org/factsheets/Nuclearweaponswhohaswhat (page: 4).
[3] Kelsey Davenport and Kingston Reif.
[4] The Nuclear Matters Handbook: Expanded Edition. Foundation of American Scientists (FAS), 2011. https://fas.org/man/eprint/NMHB2011.pdf (Originally published by: Office Of The Deputy Assistant To The Secretary Of Defense), page: 51
[5] Nuclear Matters Handbook, 2011. Page: 55
[6] Nuclear Matters Handbook, 2011. Page: 54
[7] “AFGSC stands up Air Force NC3 Center”. Air Force Global Strike Command Air Forces Strategic - Air. https://www.afgsc.af.mil/News/Article-Display/Article/1139359/afgsc-stands-up-air-force-nc3-center/
[8] Nuclear Matters Handbook, 2011. Page: 5
[9] Nuclear Matters Handbook. Office of the Assistant Secretary of Defense for Nuclear, Chemical, and Biological Defense Programs, 2016. Page: 76 https://www.acq.osd.mil/ncbdp/nm//NMHB/docs/NMHB_2016-optimized.pdf
[10] Nuclear Matters Handbook, 2016. Page: 76
[11] Magnuson, Stew. “Exclusive: Interview with Gen. Robin Rand, Head of Air Force Global Strike Command.” National Defense, November 14, 2017. https://www.nationaldefensemagazine.org/articles/2017/11/14/global-strike-command-tackles-atrophying-nuclear-command-control-systems
[12] “Learn about cyber attacks and how to defend against them”. IBM Services, 2 October 2018. https://www.ibm.com/services/business-continuity/cyber-attack
[13] “10 cyber security facts and statistics for 2018”. Norton, 2018. https://us.norton.com/internetsecurity-emerging-threats-10-facts-about-todays-cybersecurity-landscape-that-you-should-know.html
[14] Alexandra Van Dine, Michael Assante, Page Stoutland. “Outpacing Cyber Threats: Priorities for Cybersecurity at Nuclear Facilities.” Nuclear Threat Initiative. December 7, 2016. https://media.nti.org/documents/NTI_CyberThreats__FINAL.pdf (page: 10)
[15] “Nuclear Posture Review”. Department of Defense, 2018. Page: 19. https://media.defense.gov/2018/Feb/02/2001872886/-1/-1/1/2018-NUCLEAR-POSTURE-REVIEW-FINAL-REPORT.PDF
[16] Magnuson, Stew. “Exclusive: Interview with Gen. Robin Rand, Head of Air Force Global Strike Command.”
[17] Dye, Robert (PhD Deputy Program Director National Security & Defense). “Update on the Status of Modernizing NC3”. Page: 9 https://permalink.lanl.gov/object/tr?what=info:lanl-repo/lareport/LA-UR-19-26886
[18] Alexandra Van Dine, Michael Assante, Page Stoutland. Page: 6
[19] Dye, Robert (PhD Deputy Program Director National Security & Defense). “Update on the Status of Modernizing NC3”
[20]“FY 2018 Budget”. Department of Defense. https://dod.defense.gov/News/Special-Reports/0518_budget/
[21] Buchanan, Ben. “The Implications of Defending Forward in the New Pentagon Cyber Strategy”. Council on Foreign Relations September 25, 2018. https://www.cfr.org/blog/implications-defending-forward-new-pentagon-cyber-strategy
[22] Department of Defense. “Summary: Department of Defense Cyber Strategy 2018”. Department of Defense. September 18, 2018. https://media.defense.gov/2018/Sep/18/2002041658/-1/-1/1/CYBER_STRATEGY_SUMMARY_FINAL.PDF (page: 1)
[23] Ibid, page: 2
[24] Ibid, page: 4
[25] Department of Defense Cyber Strategy. Department of Defense, 2015. https://archive.defense.gov/home/features/2015/0415_cyber-strategy/Final_2015_DoD_CYBER_STRATEGY_for_web.pdf
[26] Buchanan, Ben. “The Implications of Defending Forward in the New Pentagon Cyber Strategy”.
[27] Alexandra Van Dine, Michael Assante, Page Stoutland. “Outpacing Cyber Threats: Priorities for Cybersecurity at Nuclear Facilities.” Nuclear Threat Initiative. December 7, 2016. https://media.nti.org/documents/NTI_CyberThreats__FINAL.pdf (page: 6)
[28] Van Dine et. al, page: 22
[29] Van Dine et. al, page: 6
[30] Buchanan, Ben. “The Implications of Defending Forward in the New Pentagon Cyber Strategy”.
[31] Beyza Unal and Patricia Lewis. “Cybersecurity of Nuclear Weapons: Threats, Vulnerabilities and Consequences.” Chatham House, International Security Department. January 2018. https://www.chathamhouse.org/sites/default/files/publications/research/2018-01-11-cybersecurity-nuclear-weapons-unal-lewis-final.pdf (page: 15)
[32] Ibid
[33] ‘Which Countries are Ready for Cyber War?’. Cyber Security Intelligence, 18 September 2017. https://www.cybersecurityintelligence.com/blog/which-countries-are-ready-for-cyberwar-2763.html.
[34] UK defense secretary Sir Michael Fallon speaking at Chatham House Cyber 2017 Conference in June 2017.
[35] Federation of American Scientists. Presidential Policy Directive 20: U.S. Cyber Operations Policy, Washington: Federation of American Scientists, 2012. https://fas.org/irp/offdocs/ppd/ppd-20.pdf.
[36] Van Dine et. al, page: 23
[37] Beyza Unal and Patricia Lewis, page: 5
[38] Ibid, page: 13
[39] CIVILIAN AND CONTRACTOR WORKFORCES DOD’s Cost Comparisons Addressed Most Report Elements but Excluded Some Costs
Civilian and Contractor Workforces: DOD’s Cost Comparisons Addressed Most Report Elements but Excluded Some Costs. Government Accountability Office, Report to Congressional Committees. April 2018.
[40] FY 2018 DOD Vendors with Awards of $25,000.00 and over FPDS Data as of 1/18/2019. The Office of the Secretary of Defense. https://ogc.osd.mil/defense_ethics/resource_library/contractor_list.pdf
[41] Schwartz, Moshe , John F. Sargent, and Christopher T. Mann“Defense Acquisitions: How and Where DOD Spends Its Contracting Dollars” Congressional Research Service, July 2 2018. https://fas.org/sgp/crs/natsec/R44010.pdf
[42] Beyza Unal and Patricia Lewis, page: 14
[43] Beyza Unal and Patricia Lewis, page: 13
[44] “Program Protection”. Department of the Army, Research, Development, and Acquisition. June 8, 2018. https://armypubs.army.mil/epubs/DR_pubs/DR_a/pdf/web/ARN8083_AR70-77_Web_FINAL.pdf
[45] Woolf, A. F. U.S. Strategic Nuclear Forces: Background, Developments and Issues, Washington: Congressional Research Service, 2007. https://fas.org/sgp/crs/nuke/RL33640.pdf
[46] Keller, J. ‘Boeing to continue upgrading and maintaining missile guidance on fleet of Minuteman III ICBMs’, Military &å Aerospace, 1 February 2016, http://www.militaryaerospace.com/articles/2016/02/minuteman-missile-guidance.html
[47] US GAO. Nuclear Security: Los Alamos National Laboratory Faces Challenges in Sustaining Physical and Cyber Security Improvements, Washington: Government Accountability Office, 2008. http://www.gao.gov/new.items/d081180t.pdf
[48] US GAO. Information Security: Actions Needed to Better Manage, Protect and Sustain Improvements to Los Alamos National Laboratory’s Classified Computer Network, Washington: Government Accountability Office, 2009. http://www.gao.gov/assets/300/296796.pdf
[49] Jon Lindsay. “Cyber Operations and Nuclear Weapons.“ NAPSNet Special Reports. June 20, 2019. https://nautilus.org/napsnet/napsnet-special-reports/cyber-operations-and-nuclear-weapons/
