Nuclear Command, Control and Communication systems (NC3) is a complex and integrated system to establish an effective chain of command connecting the higher tiers of civilian leadership to the combat commanders for the effective employment and deployment of nuclear weapons in the evolving contingencies. The corresponding elements include warning satellites and radars, communication satellites, aircraft and ground stations, fixed and mobile command posts, and control centers for nuclear systems.
Nuclear command, control, and communication structures have remained a subset of doctrinal thinking and following strategies, as reflected by state practices.
According to the 2018 US Nuclear Posture Review (NPR), the “NC3 system performs five crucial functions: detection, warning, and attack characterization; adaptive nuclear planning; decision making conferencing; receiving Presidential orders; and enabling the management and direction of forces”. As indicated by the US state practice, NC3 comprises of two layers: a thick one dealing with crisis architecture and a thin one establishing an enduring and survivable communication link between various stakeholders.
With the evolving nuclear doctrines and modernization of various delivery vehicles; NC3 systems are digitized to ensure speedy and effective decision-making at the expense of making them vulnerable to a plethora of cyber threats. The fears of cyber-attacks on critical infrastructure including NC3 systems were highlighted in the Nuclear Posture Review (NPR) formulated by the Trump administration. The rationale behind the cyber-attacks on these systems is to achieve strategic advantage through non-kinetic and non-nuclear means. Due to its less escalatory nature and lack of attribution, the employment of cyber weapons against NC3 is a plausible option. The United States has not only developed offensive cyber capabilities but manifested its prowess on Iranian nuclear facilities: the use of Stuxnet malware. US Cyber Command has a strategy of forward defense to kill cyber threats at the place of the origin.
As NC3 systems operate in a networked space with many digital components, planting any malware through any of the means will surely undermine its efficacy.
Space-Based Infrared System (SBIRS), Early Warning satellites (EWS), detect incoming ballistic missiles at their launch. Sensors detect the infrared wavelengths emanating from the flames and then send the signal to the onboard computer. The malware injected into the onboard computer could affect the functioning of sensors and halt the processing of the computer itself. For instance, malware: a code, alters the sensitivity of Infrared sensors, and the very possibility of detecting a ballistic missile at launch diminishes. In another contingency, the signal feed by the Sensor into the onboard computer is numerically altered during the processing phase, thus failing to generate a warning. In either of the scenarios discussed above, the attacking state will wipe out the nuclear capabilities of the adversary while launching first.
Building on the apprehensions discussed above, let’s take a look at the space-based nuclear explosion sensors fielded by great powers and their cyber vulnerabilities. These sensors are hosted on the Global Positioning System (GPS) and various government-owned satellites. Recently deployed payloads include Global Burst Detector (GBD) and a Space and Atmospheric Burst Reporting System (SABRS). Sandia National Laboratories and Los Alamos National Laboratory in the US test the latest Sensors in lieu of improving their detection capabilities. Any cyber-attack on a GPS system that has no backup could lead to disastrous consequences for nuclear decision-making. Unintended ramifications may include losing vital spatial information about your various nuclear installations and rendering your weather radars of no use. Above-said will surely be a nightmare for the operational planners. Furthermore, any tempering with the sensor’s hardware and software in its manufacturing and testing phase at any laboratory will definitely impact its detection capabilities.
Curtailing the spread of nuclear weapons remains the topmost agenda of the nuclear non-proliferation regime. Limiting the testing of nuclear explosive devices is the lynchpin of this regime as reflected in various international documents including Comprehensive Nuclear Test Ban Treaty (CTBT). If states are struggling to detect nuclear explosions, the future of this regime stays in the dark.
Milstar (Military Strategic and Tactical Relay satellites) is a group of satellites being stationed in the geosynchronous orbit for establishing effective communication links between various tactical and strategic commands of the US Army. This system has three components: space (the satellites), terminal (the users), and mission control. This system appears to be very sophisticated, secure, and jam-resistant as compared to ground relays, although hackers often come up with zero-day vulnerabilities pertaining to hardware, and software, thus risk assessment must be carried out at frequent intervals.
Ground systems have remained an integral part of the space-based satellites deployed either as an early warning system or a communication channel. Although ground systems have not been given due salience in the context of cyber threats. A ground system comprises a network of computers, antennas, and functions controlling the satellites being put into orbit. Ground systems are of critical importance as the translation and transfer of the data take place here. Earth terminals and user receivers translate the satellite signal into usable data. Such systems are the juncture at which space and cyber technologies are mated together. Ground stations create an interface between the satellites and various classified and unclassified military networks. Open telecommunication protocols are used at this stage to speak the satellite’s unclassified language for the uplinks and downlinks of the data. Furthermore, Navigation systems that create meaningful data from dispersed spatial information rely on cyber technologies. For a commander at the tactical level, accurate and timely spatial data and survivable communication channels are the keys to success.
Cyber threats to the ground systems may include cyber espionage, cyber exploitation, and access operations. NASA networks faced 12 cyber espionage attacks from 1997-2013. Furthermore, US DOD, NASA, and research institutes faced a massive infiltration campaign from Chinese sources from 2003-2006.
Cyber exploitation is aimed at gaining access to a computer network, especially positioning to acquire and alter the information or may disrupt the proceedings. Phishing attacks are the most common cyber-attacks for maintaining access and exploitation in networked spaces.
As per US DOD cyber security evaluation teams, web exploitation is another source of cyber intrusions.
Across the globe, the rise of non-state actors and the employment of asymmetric warfare have rung alarm bells for nuclear security practitioners. Non-state actors and proscribed outfits tend to rely on informal kinetic and non-kinetic means to disrupt and acquire nuclear technologies. In a bid to acquire such technologies, proscribed outfits use unsophisticated techniques to launch cyber-attacks, undermining the security parameters of the nuclear facilities. Once security parameters are neutralized, kinetic actions take place. Accounting for the circumstances discussed above, there exists a high probability of unauthorized nuclear use.
Building cyber resilience of the inter-networked spaces in the NC3 systems is the only way out. States must focus on software and network security, maintaining the integrity of the data, and defining access controls. Awareness campaigns surely help organizations to develop a common theoretical framework to define the critical infrastructure and corresponding security measures. In the case of dual usage of NC3, states must share the relevant information and develop a mutual understanding of such systems.
Emerging technologies like quantum computing pose grave threats to Nuclear Command, Control, and Communication, thus robust security measures should be installed to mitigate the threats.
The author is pursuing M.Phil in Defense & Strategic Studies from Quaid-i-Azam University Islamabad. He holds certifications from the Stimson Centre, the EU Non-proliferation Consortium, the United Nations Office of Disarmament Affairs, and the International Atomic Energy Agency. He has contributed his writings to national and international military modernization and nuclear strategy platforms. He tweets @PakAllabove