In the wake of a 2010 incident in which the Air Force lost contact with 50 intercontinental ballistic missiles, the service is figuring out how to protect its command-and-control systems from cyber attack -- a nonexistent threat when the missiles were designed decades ago.
"Our ability to keep our networks assured and protected and not vulnerable is really important, it's something we have looked at hard," Maj. Gen. William Chambers, head of Air Force Global Strike Command's nuclear deterrence shop, told Killer Apps during a Sept. 18 interview. "It's something that we build into all of our new nuclear weapons systems so that they remain cyber-secure."
Global Strike Command manages U.S. land-based nuclear ICBMs and air-launched nuclear cruise missiles and bombs.
Protecting what are arguably the nation's most important military assets from cyber attack, and avoiding the terrifying scenario of an enemy feeding incorrect information into the nuclear command-and-control networks "seized" Air Force officials after they lost contact with a field of 50 Minuteman III ICBMs at FE Warren Air Force Base in Wyoming for an hour in late 2010, according to Chambers.
"It's really important. It's a problem that about a year ago we were seized with. We have done some pretty comprehensive studies of the cyber-state of our ICBM force. We are confident in it," said Chambers. "There was an issue: we had a temporary interruption in our ability to monitor one of our missile squadrons back in the fall of 2010. That produced a need to take a comprehensive look at the entire system. It took a year to do that study, and we're confident that the system is good, but as we upgrade it, modernize it, integrate it, we've got to really pay attention to" protecting nuclear command-and-control information.
While Chambers didn't go into specifics of how Global Strike Command will protect its nuclear command-and-control networks from cyber attack, he did say that it is working to harden its networks against intrusion and the manipulation of nuclear command-and-control information and to increase backup communications abilities.
Chambers added that the Minuteman III ICBM command systems, designed in the 1960s and 1970s, are incredibly robust. "ICBM-wise we have a very secure system."
A Boeing official later told Killer Apps that while it is looking at upgrading the ancient technology used in parts of the Minuteman command networks, that technology is safe from hacking. Boeing is on contract with the Air Force to maintain the 1970s-vintage Minuteman III fleet and is helping the service keep the missiles in service through the 2030s.
"Our C2 [command-and-control] system for Minuteman is a very old system. There's a network called the HICS [hardened intersite cable system] network, and it's [made of] copper wire, and it's limited in bandwidth," said Peggy Morse, director of Boeing's strategic missiles systems programs, told Killer Apps on Sept. 18. While it's old, "it's very secure," she added.
Still, "as we look at different C2 systems and ways to move data about in the field, information assurance is a big deal there, and the security requirements are going to drive the solutions that we look at," said Morse. The company is also working to modernize the actual cryptographic devices used to encrypt and decipher launch codes for nuclear missiles.
Bruce Blair, a former Minuteman III launch-control officer and co-founder of the Global Zero movement to eliminate nuclear weapons, describes several ways the ICBMs' aging command-and-control technology are vulnerable to hacking.
Both the missile silos' radio receivers, which are designed to read messages from the flying command posts that would be used to launch the missiles in the event that land-based command centers have been destroyed, and the HICS cables are vulnerable, according to Blair.
"In the case of Minuteman, there are...potential entry points into the supposed fire-walled command and control system," Blair told Killer Apps in a Sept 25 email. "One of them is the radio antenna at the unmanned missile silos designed to allow airborne launch control centers to inject the three short signal bursts [telling the missiles to identify their targets, arm, and launch] in the event of a breakdown in the local underground command post system (for instance, their destruction by enemy nuclear missiles)."
If hackers were able to take over this antenna, "this entry point could provide access under a range of circumstances such as the loss of control experienced at FE Warren in a squadron of 50 missiles . . . or such as illicit actions taken by an ‘insider' agent," added Blair.
"Another [vulnerability] are the thousands of cables that run 6-feet underground interconnecting all of the missile silos with all of the launch control centers in a given squadron. It's possible to imagine outside parties surreptitiously tapping into one cable at one location or another, and thereby gaining access to the actual conduits that control and target, enable, and fire the missiles."
Still, doing so would require knowing exactly where the cables are and avoiding security details.
Chambers did not comment on the command systems for the service's air-launched nuclear cruise missiles and B-61 tactical nuclear bombs.
A key part of protecting nuclear weapons from cyber attack as they are modernized and upgraded is making sure that the supply chain for nuclear weapons electronics is secure -- a problem that has plagued the Defense Department for years.
"We are continuing to study the cyber assurance aspect of the supply chain that supports our nuclear weapons systems," said Chambers. "That work is underway and we're taking steps to mitigate and close off any vulnerabilities."
This effort is focused on making sure that Defense Department officials know exactly where the electronic chips and other components used in nuclear command and control come from and how they are produced.
"That's not just our problem, that's a national problem," added Chambers, referring to the fact that the entire DoD is concerned about counterfeit electronic parts making their way into its supply chains. Such parts are at best, potentially unreliable and at worst could be infected with malware aimed at U.S. military gear.