What if nuclear terrorism were just a mouse click away?

Excuse the sensationalistic head: the subject lends itself to hyperbole both because of its urgency and the imperative to draw reluctant readers. Of course, the “What if” doesn’t actually figure to materialize any time soon. Still, it hints at what a Pandora’s box the development of nuclear weapons has been for over six decades. Actually, it’s starting to look more like a clown car — an evil-clown car.

At Politico, Laura Rozen monitored the engineering failure at F.E. Warren Air Force Base in Wyoming that knocked 50 nuclear ICBMs (intercontinental ballistic missiles) offline. She referred us to fellow Politico reporter Gordon Lubold, who wrote:

Tony Cordesman of CSIS told Morning Defense that, based on preliminary reports, there was not a crisis: “Unless something is released that somehow indicates that you broke through every known barrier to a system that is not connected to the Internet or outside command-and-control, it is a warning that you need to look at the particular system failure, but that is as far as it goes,”

Cordesman’s words that we’ve highlighted are an allusion to hacking. Ms. Rozen also cites Marc Ambinder at the Atlantic (again, emphasis added).

It is next to impossible for these systems to be hacked, so the military does not believe the incident was caused by malicious actors.

However reassuring it is to hear that a nuclear-weapons launch system can’t be hacked, it nevertheless plants the seed of a fear in us that most never knew existed. The worm Stuxnet that infiltrated Iran’s nuclear program is considered a state-supported project. But what if a terrorist group were to take a shot at the impossible and attempt to hack into a nuclear-weapons launch system?

In his recent New Yorker piece, The Online Threat, a cautionary tale about the dangers of allowing the intelligence communities and the military to hype cyberwarfare, Seymour Hersh also downplays the threat of terrorist hackers. “There is surprising unanimity among cyber-security experts on one issue,” he writes, “that the immediate cyber threat does not come from traditional terrorist groups like Al Qaeda.”

He quotes John Arquilla of the U.S. Naval Postgraduate School: “Terrorist groups are. . . . not that interested in. . . . attacking our computer system.” When it comes to cyber security, their priority is to “protect their operations.” Still, Hersh warns: “As terrorist groups get better at defense, they may eventually turn to offense.”

When that time comes, they may also choose to make one of their dreams come true — attacking the Western world with nuclear weapons. (Even if essentially they would be fouling their future caliphate by turning it into a nuclear wasteland.) At which time, they’ll ask themselves: Is hacking into a nuclear weapons system more daunting a challenge than acquiring or developing a nuclear weapons program? Bear in mind that trafficking in the hardware and not the software also requires terrorists to transport bombs to the West and light the fuses, as it were, themselves.

In his 2007 book On Nuclear Terrorism, Michael Levi, now of the Council on Foreign Relations, demonstrated just how difficult it is to pull off nuclear terrorism the old-fashioned way. Failure at just one of any of the innumerable stages — especially if it’s made more likely by a defense strategy that incorporates the military, law enforcement, intelligence, border control, and port security — stops them dead in their tracks.

Dim prospects for success acquiring or developing their own system might factor into a decision by terrorists to try their hand at hacking into a nuclear weapons system instead. Still sounds too sci-fi to be real? In July this year, the International Commission on Nuclear Non-proliferation and Disarmament (ICNND), which described itself as “a joint initiative of the Australian and Japanese Governments” intended to “reinvigorate” international efforts on nuclear nonproliferation and disarmament, closed up shop.

One of ICNND’s products was an exhaustive report titled Eliminating Nuclear Threats: A Practical Agenda for Global Policymakers. Another useful paper it commissioned was one it published in 2009 by Chinese cyberwarfare expert Jason Fritz titled Hacking Nuclear Command and Control. Among the advantages of going that route are . . .

. . . its relatively low cost, only requiring an off the shelf computer and an internet connection. . . . Cyber terrorism allows greater anonymity than traditional terrorism, as tracking the source of attacks is hindered by proxies, spoofed IP addresses, botnets, [not to mention] legal hindrances. . . . Cyber terrorists can strike an enormous number of targets around the globe without having to be physically present, thereby reducing the risk of death or injury to the attacker. . . . Reducing the risk of death, and the physical or psychological demands, makes it easier to recruit new members for their cause.

Wait, isn’t the computer component of nuclear command and control a closed network? Yes, but, Fritz explains, it may be . . .

. . . compromised by various hacker methods, such as privilege escalation, roaming notebooks, wireless access points, embedded exploits in software and hardware, and maintenance entry points.

A closed network may also be breached via e-mail “spoofing,” in which the sender address and/or header are changed to hide the source of the email. Targeted at individuals “who have access to a closed network, [it] could lead to the installation of a virus on an open network. This virus could then be carelessly transported on removable data storage between the open and closed network.”

Fritz is effectively foreshadowing Stuxnet, the worm thought to have infiltrated Iran’s nuclear-weapons program via a flash drive. As for the maintenance entry points mentioned above (emphasis added) . . .

Efforts by militaries to place increasing reliance on computer networks, including . . . autonomous systems, and their desire to have multiple launch options . . . enables multiple entry points for terrorists.

Though Fritz does not present an attack scenario, he concludes:

Despite claims that nuclear launch orders can only come from the highest authorities, numerous examples point towards an ability to sidestep the chain of command and insert orders at lower levels. [Early] warning and identification systems. . . . are placed at a higher degree of exploitation due to the need for rapid decisions under high pressure with limited intelligence. . . . Lastly, if a nuclear device were detonated, its destructive power can now be magnified by computer network operations, such as misinformation or shutting down key infrastructure.

Though uncited by Fritz, hacking nuclear command and control presents yet another threat. Even if cyberwarfare is much less expensive than acquiring nuclear weapons, the resources of al Qaeda central (such as they are today), not its small “franchises,” are required. Michael Levi and others emphasize that al Qaeda is notoriously reluctant to stage massive attacks that have a high degree of failure. But when it comes to loss of life and funds — not to mention face — cyberwarfare presents fewer risks. In other words, terrorist computer geeks can hack away all day every day.

With the end of the Cold War, nuclear terrorism has displaced an attack by the Soviet Union as the prime nuclear fear in the minds of most Americans. What’s most frightening about hacking nuclear command and control is how it not only revives the specter of a traditional nuclear attack, but combines it with nuclear terrorism.

Cross-posted from the Foreign Policy in Focus blog Focal Points.