Weapons systems cybersecurity
We often hear about cyberattacks, cyber operations, and malware infections that target computer systems or smartphones. Attacks against civilian infrastructure facilities such as hospitals, water sanitation systems, and the energy sector similarly get a lot of airtime.
But there is another type of high-stakes system that gets much less attention: military weapons systems. These include guided missiles, missile and anti-missile systems, tanks, fighter jets, and more - all of which are computerised and networked. We can imagine that weapons systems contain security vulnerabilities similar to most other information systems, including serious ones like nuclear power plant control systems.
Most militaries struggle with the challenge of cybersecurity of their most advanced weapons systems. In times of crisis and conflict, it is critical that nations preserve their ability to defend when adversaries employ cyber capabilities to attack weapons systems and functions. Today, the very thing that makes these weapons so lethal is what makes them vulnerable to cyberattacks: an interconnected system of software and networks.
A malicious adversary taking over the control of deadly weapons capable of kinetic destruction may sound like a movie plot going begging. But the reality is that today, computerised weapons systems control the defense pillars of many developed countries.
Although information on these systems is highly secretive, there is one thing we do know: While accessing such systems is not easy, they almost certainly contain vulnerabilities! My experience certainly indicates that there is no reason to think otherwise. And such a possibility constitutes a potential risk to regional and global security and stability.
The consequences of such hacking operations could be dire. Control over these weapons systems is an integral nation-state prerogative, and any external interference with them could be interpreted as interference in internal state matters, leading to retaliation. No country would simply allow adversaries to peek inside matters restricted to state control, such as the oversight of the military. Thankfully, actually pulling this off is far from simple.
Conducting a cyberattack of this kind would require not only hostile intent, but also the existence of security vulnerabilities in the controlling systems. In order to exploit such bugs, the attacker would also need access to that system, which obviously is not easy to obtain.
But these obstacles are not impenetrable, as we can see from recent supply chain cyberattacks like the SolarWinds hack, which impacted US government state and security agencies.
In fact, the 2019 US Government Accountability Office report includes an insightful remark about the routine identification of “mission-critical cyber vulnerabilities that adversaries could compromise,” including the ability to take full control over the tested systems, in some cases.
It goes on to explain that these vulnerabilities pose unique threats to large, interdependent systems, also because updating or replacing just one part is far from simple. What we must realise is that a patch or software enhancement that causes problems in an email system is considered inconvenient at best, whereas one that affects an aircraft or missile system could be catastrophic!
As with most other systems, a key reason weapons systems are so vulnerable is that, until recently, the military did not prioritise cybersecurity as part of the requirements stage of the development and acquisition process. This routinely left it to the program managers to incorporate cybersecurity into the later stages of development, “bolting it on” rather than “baking it in,” as the terminology goes.
It is also critical to remember that cybersecurity threats are not found solely in the newest and most advanced weapons systems. The modern battlefield is more interconnected than ever before. Numerous highly complex weapons from different generations interact with one another on a day-to-day basis.
For example, the US Air Force’s B-52 bomber, which entered service in 1955, is still in use today and currently operates alongside systems like the advanced F-35 fighter. Legacy platforms are also highly vulnerable to cyberattacks, more so than newer systems.
When they operate alongside newly fielded platforms, cybersecurity measures must take an integrated approach that evaluates how a cyber intrusion or attack on one system could affect the rest. A breach in the weakest link can have severe consequences for the integrity of an entire mission. As is often remarked, a chain is only as strong as its weakest link.
The (classified) results of the audit of the advanced B-2 stealth bomber, capable of carrying nuclear munitions, raise similar concerns. Technical details of the report are obviously not available, but what we can see allows us to reasonably conclude that serious cybersecurity vulnerabilities exist in weapons systems, including those that would let the potential adversary take control over a system.
This is likely because the maintenance of such old legacy systems is always a cybersecurity challenge, whether it’s obsolete systems used in hospitals, or advanced weapons systems used by the world’s modern militaries.
Fortunately, in the process of updating them, some issues are detected and corrected. But the phenomenon of cybersecurity risks in existing weapons systems is very real. And this is true not only of the weapons systems employed by the US and allies, but likely also of virtually every weapons system developed by other countries.
To avoid the risk of tampering, these sensitive systems should remain in non-public networks, isolated from public access. While air-gaps can be bypassed, it would still be challenging to maintain reliable enough access to such protected systems to prepare and execute attack plans.
In general, the cyber resilience of weapons systems should always be considered high priority. Weapons systems structures are usually designed to have very few points of access or openings to cyberattackers ... not only because of their limited interconnection, but also because they use atypical technologies.
Even so, risks of supply-chain compromise remain high. When malicious or fraudulent elements are inserted into the system, they may impact its operation or integrity. Such risks are not merely imaginable.
Suspicions that such compromises have already happened appear in many national annual security reports. In them, there is often mention of “instances that may have been unsuccessful attacks on critical weapons systems via malicious insertion”. While unconfirmed, the ability of nation-state actors to tamper with off-limits systems is worrying, especially when one imagines the consequences of losing control over weapons systems that can direct strikes.
Much like everything else, weapons systems will only become more computerised with the integration of Artificial Intelligence (AI) and machine learning. This will probably include all space-based systems and nuclear weapons systems as well.
In order to protect these, policymakers and the military decision-makers should consider recommendations to put in place assessment frameworks to identify and manage the cybersecurity risks facing further computerisation or interconnection built into weapons systems. Fixing existing systems might not result in headline topics, but it may bring tangible defensive benefits.
The exploitation of vulnerabilities in weapons systems brings high risk to the life of the humans operating these machines, the army who controls them, and even the nation and/or region. The far-fetched consequences may even include escalating to an armed conflict or outright war. The world would be better prepared for such a risk if we could avert a cyberattack-based compromise of weapons systems.
As cyber threats from malicious actors become increasingly advanced and persistent, it is crucial for Defence Departments to place weapons system cybersecurity at the forefront of future major decisions.
Despite these efforts, the volume of new vulnerabilities in weapons systems may now exceed the ability of the military to identify and patch the systems before adversaries can exploit them, and the problem is only getting worse.
Without proper governance, authorities cannot ensure that they effectively identify and manage cybersecurity risk as they continue to face a growing variety of cyber threats from adversaries on a global scale.
As always, the ultimate test is whether weapons systems can accomplish their missions in a cyber-contested digital environment that is becoming the new norm.
As Chinese military strategist and philosopher Sun Tzu advised, “Invincibility lies in the defence …” Wishing you all a blessed Easter weekend, stay safe and well in both digital and physical worlds.