October 26, 2022 | Defense News

Harden the cybersecurity of US nuclear complex now

Deterrence is only as good as it is credible
October 26, 2022 | Defense News

Harden the cybersecurity of US nuclear complex now

Deterrence is only as good as it is credible

Given Vladimir Putin’s reckless talk about his potential use of Russian nuclear weapons, the United States must ensure its own nuclear stockpile is safe, secure, and reliable. Yet, for decades, the stewards of the country’s nuclear complex — the Departments of Defense and Energy — failed to assess and remediate the cyber vulnerabilities of America’s strategic forces. An effort to reverse that neglect has been building momentum over the past five years. Both Congress and the executive branch must accelerate the pace.

On October 18, the Kremlin announced that the four Ukrainian regions recently “annexed” by Russia are now under the protection of the Russian nuclear umbrella. In plain speak, Putin suggested that attempts to aid Ukraine in the rescue of its sovereign territory could be met by a nuclear response. To deter additional aggression and dangerous escalation, Washington should ensure the U.S. nuclear triad stands ready and able, as the Pentagon says, to “deliver a decisive response anywhere, anytime.”

But deterrence is only as good as it is credible.

Two years before the February invasion of Ukraine, the congressionally mandated Cyberspace Solarium Commission called for a Cybersecurity Vulnerability Assessment across the U.S. nuclear command, control, and communications, or NC3, system.

The Commission’s rationale was simple: an adversary could breach any military system, including the NC3, reliant on computer networks built upon software and hardware of sometimes unknown provenance. A potential compromise could create a false warning of attack or prevent warning of an actual attack. A breach could render the U.S. launch capability inoperable or allow unauthorized use of weapons.

Given Moscow’s proclivity to use false flag operations to justify the use of force, America’s nuclear arsenal must be protected from manipulation by an adversary.

Buried in both the Senate and House versions of the massive 2023 National Defense Authorization Act are short provisions augmenting the cybersecurity of the NC3. This step forward builds on important work over the last few years by both Congress and the executive branch.

The Trump administration’s Nuclear Posture Review in 2018 first underscored the risk to the NC3, noting, “The emergence of offensive cyber warfare capabilities has created new challenges and potential vulnerabilities for the NC3 system.” A Government Accountability Office report later that year warned that “until recently, DOD did not prioritize weapon systems cybersecurity.” Against that backdrop, the Solarium Commission urged Congress to direct the Pentagon to “continuously assess weapon system cyber vulnerabilities” and “routinely assess every segment of the NC3.”

Congress has passed multiple pieces of legislation into law in recent years to harden the weapons complex. In the FY21 NDAA, Section 1712 requires periodic reviews of the vulnerabilities of major weapons systems and the critical infrastructure on which those systems rely. Section 1747 requires the DoD to establish a concept for operations needed to defend the NC3 from cyberattacks.

In last year’s NDAA, Congress again addressed this issue, this time in three places: Section 1525 requires the DoD to issue regular reports on the progress of the Strategic Cybersecurity Program, an effort that evaluates the cybersecurity of offensive cyber systems, long-range strike systems, nuclear deterrent systems, national security systems, and DoD critical infrastructure; Section 1534 puts a deadline on an existing mandate for assessments of the cyber resilience of nuclear command and control systems; and Section 1644 calls for an “independent review of the safety, security, and reliability of covered nuclear systems,” which includes, but is not limited to, cybersecurity.

The Biden administration complemented these statutory requirements in May 2021 with a new executive order on “Improving the Nation’s Cybersecurity,” requiring, among other things, that the secretary of defense provide further details on cybersecurity practices for national security systems.

Adm. Charles Richard, commander of the U.S. Strategic Command, meanwhile, affirmed in April that programs to upgrade the NC3 are “harden[ing] NC3 systems against cyber threats.” As a result, NC3′s cybersecurity protections will exceed “the DoD baseline standard” including persistent monitoring to detect and mitigate threats.

Congress now aims to build on this momentum. The Senate version of the FY23 NDAA has a provision that specifically extends the requirement for annual NC3 assessments another five years. The House version clarifies how Congress will receive briefings on vulnerabilities and remediation efforts and conduct oversight of the improvements made to the NC3 system.

The last three years of direction and funding from Congress could not be clearer: the Department of Defense must maintain a laser focus on hardening the country’s strategic forces against cyber threats. The security of these systems provides the bedrock of credible deterrence that prevents Putin from launching a nuclear war.

Samantha F. Ravich is the chair of the Center on Cyber and Technology Innovation at the Foundation for Defense of Democracies and served on the congressionally mandated Cyberspace Solarium Commission. Retired Rear Adm. Mark Montgomery is CCTI’s senior director and leads CSC 2.0, an initiative to continue the work of the Cyberspace Solarium Commission, where he served as executive director. Follow Mark on Twitter @markcmontgomery. FDD is a Washington, D.C.-based, nonpartisan research institute focusing on national security and foreign policy.

Issues:

Cyber