Photo: The US nuclear command and control system spans the globe and reaches into space
15 June 2021 | Richard Walker | DM
A global cyberwar has begun. And it will probably never end.
That is the brutal truth that governments, militaries, intelligence services, companies and individuals are facing up to — everywhere.
And it is at the core of the conflict between the United States and Russia.
It’s a war that pits states against states and criminals against corporations, often blurring the lines between who is who. And increasingly, civilians are getting caught up in it, either as direct targets or as the collateral damage of the digital age.
“You have a mix of state level and nonstate actors constantly probing and attacking networks around the world,” said Martijn Rasser, a former CIA emerging technology analyst now at the prominent defense think tank, the Center for a New American Security. He was speaking in the recent DW documentary Future Wars — and How to Prevent Them.
Photo: NATO members affirmed that cyberattacks could trigger the alliance’s Article 5 clause
NATO’s Article 5 goes cyber
This reality is underlined by no fewer than 25 “cyber” mentions in the final communique of this week’s NATO summit.
The allies signed off on a new “Comprehensive Cyber Defense Policy,” affirming that, if serious enough, a cyberattack could lead to the invocation of NATO’s core Article 5: that an attack on one member is considered an attack on all.
Recent targets have included various parts of the US government, the German parliament and election campaigning in France. Ever more corporations have been held up by ransomware, with their systems blocked in an attempt to extort money.
And these are just the attacks we know about.
Turning the lights out
One of the most serious intrusions in recent years hit Ukraine’s electricity grid, cutting power to more than 200,000 people in the winter of 2015. It showed how cyberattacks could bring societies to their knees.
Kyiv and Washington blamed the Russian government, with the US even singling out a member of the GRU military intelligence agency in late 2020.
“These were the first reported destructive malware attacks against the control systems of civilian critical infrastructure,” said John Demers, the US assistant attorney general at the time, announcing the charges.
“No country has weaponized its cyber capabilities as maliciously and irresponsibly as Russia.”
World’s most sensitive infrastructure
Cyberattacks on civilian infrastructure have triggered broad public concern, and debate on how to protect against them.
But cyberwar could also hit the world of nuclear weapons — an even more serious prospect. And only a small group of experts have been speaking out about this risk.
“This is an issue that is enormously important — and exceptionally difficult to discuss,” said James Acton, co-director of the Nuclear Policy Program at the Carnegie Endowment for International Peace in Washington. “Because it is so heavily classified.”
Acton’s concerns center on cyber intrusions not against nuclear weapons themselves, but the command and control systems surrounding them. “Nuclear command and control is everything apart from the physical weapons themselves that are needed to make those weapons work,” he explained.
This is perhaps the most sensitive infrastructure in the world. It’s so sensitive that the US explicitly said in its latest “Nuclear Posture Review” that if it comes under attack, it could respond with a nuclear strike.
Photo: US early warning systems have entered the digital age, opening them up to the prospect of cyber attack
Nuclear goes digital
The warning betrays the fact that this infrastructure has become vulnerable in the digital age. Acton singled out long-range communications and early warning systems as components that are especially prone to interference.
“Systems are now relying on digital signals as opposed to analog signals, increasingly relying on things like IP-based operating systems,” he said. “Old-fashioned nuclear command and control systems that didn’t use digital systems were invulnerable to cyberattacks. There was no code there to do the attacking.”
Now, the opportunity is there. And the motive, too — whether for espionage or outright disruption.
“There are various countries that could have incentives to launch cyberespionage or prepare for cyberattacks by inserting malware against the US early warning system,” said Acton. “North Korea would have an incentive for doing it. China would have an incentive for doing it. Russia would have an incentive for doing it, maybe others, too.”
What makes this situation even more unstable is that many of America’s command and control facilities are no longer just serving nuclear weapons — they’re involved in conventional systems, too. Acton calls this phenomenon “entanglement.”
“The US in many ways does not have a nuclear command and control system. We have a command and control system that does both nuclear and non-nuclear operations,” he said.
This means that more US adversaries might have a reason to launch malware against these systems, to spy on or disrupt conventional operations.
Even if an intrusion were only related to conventional weapons, Acton stressed that the Americans would not be able to tell the difference. “It may look to us like they’re trying to interfere with our nuclear forces, which could be exceptionally escalatory.”
The lethal force driving that potential for escalation is uncertainty — about where malware comes from, and what it might do.
“If you find malicious code in your networks, it’s very hard to know what that code does. It takes a long time to analyze the code and understand what the other side is doing,” said Acton. “And this makes it very hard to know whether this malicious code is just for espionage or is also for offensive operations.”
In the DW documentary Future Wars – and How to Prevent Them, Acton outlines a scenario showing how things could go disastrously wrong in today’s atmosphere of rock-bottom trust between Russia and the West. The uncertainty and speed of cyber warfare mix with the astronomical stakes of nuclear weapons, triggering a spiral of escalation all the way to the brink of nuclear war.
Photo: Cyber intrusions against nuclear command and control could prompt nations to scatter their ground-based nuclear forces
With Presidents Joe Biden and Vladimir Putin holding their first summit this week, there have been some hopes they could take steps to address these kinds of catastrophic risk under the banner of “strategic stability.”
Acton believes some worthwhile guardrails could be set unilaterally. “Countries should adopt a rule that before launching any cyber intrusions against nuclear command and control, including dual-use assets, that should have to be signed off on by a secretary of defense or a head of state as a way of ensuring these things are not routine,” he said.
But more meaningful steps would require cooperation between the major powers.
“One could imagine a behavioral norm under which the US, Russia and China reciprocally agree not to launch any intrusions against one another’s command and control systems,” Acton proposed.
“The idea would be that if you detected another state in your network, the deal was off and you could go after their network. And so in this way, you’d hope to enforce this agreement through mutual deterrence.”
Too tense to talk
Martijn Rasser agreed that even discussing such an idea would be “fraught with difficulty.” Expectations of the Biden-Putin summit are correspondingly low, with lower-level talks on strategic stability considered the most optimistic likely outcome.
Rasser compares this time to the early days of the nuclear arms race. “It’s very similar, I think, to the types of debates that were being held over nuclear weapons in the ’40s and ’50s,” said Rasser. “The complexity is arguably considerably more intense.”
Secrecy is a giant obstacle. “We’re not going to go into a negotiation with Russia and say, well, we’ve got this type of capability here that exploits this vulnerability. How would you feel if we executed it?” said Acton.
“We’re going to hold our cards close to our chest, both about our fears about our vulnerabilities, and how we might go about exploiting that vulnerability. So, there’s going to have to be a deep, serious review process internally within each state to decide what they can actually usefully say about this cyber nuclear interaction.”
Photo: Martijn Rasser of the CNAS think tank: Constant cyber attacks ‘just the reality of 21st century life’
Don’t trust, can’t verify
The lack of trust between the major powers remains a fundamental problem.
“When there is lack of trust, you tend to attribute all kinds of intentions to the other party,” Amandeep Singh Gill, a veteran of efforts to curtail autonomous weapons at the United Nations in Geneva, told DW. “You tend to overestimate what they might be doing and overshoot in terms of your own response.”
“Trust but verify” was former US President Ronald Reagan’s mantra for coping with this risk in Cold War arms control negotiations, with verification usually a matter of counting warheads.
Today in the cyber realm, verification is not possible. There is nothing to count.
So as the world sinks deeper into the cyberwar era, finding anything approaching trust between the major powers might be the biggest challenge of all.
For more, watch the DW Documentary Future Wars – and How to Prevent Them on YouTube.