There are some things that should stop everyone in their tracks. At the top of that list should be an apparent lack of risk awareness concerning nuclear weapons.

This line from Patrick Tucker’s article in last month’s The Atlantic stopped me cold:

Future nuclear missiles may be siloed but, unlike their predecessors, they’ll exhibit “some level of connectivity to the rest of the warfighting system,” according to Werner J.A. Dahm, the chair of the Air Force Scientific Advisory Board. That opens up new potential for nuclear mishaps that, until now, have never been a part of Pentagon planning. In 2017, the board will undertake a study to see how to meet those concerns. “Obviously the Air Force doesn’t conceptualize systems like that without ideas for how they would address those surety concerns,” said Dahm.

Stop. Stop right there.

If this reporting is accurate, the work of the Air Force Scientific Advisory Board needs to be halted immediately and a thorough review of the members and leadership of the board conducted by an outside party.

Our nuclear weapons themselves must in no way be part of any IP connectivity or network enabled in any way. Full stop.

“We have formal Air Force documents that detail the formal certification process for nuclear weapons. To what extent do the current models for certifying nuclear systems carry over into these modern, network enabled systems and how would you re-conceptualize certification for systems that are likely to come out of these recap programs?” asked Dahm.

Some support systems? Sure, but command, control, mission loading, arming, and launch must be contained in a robust, hardened, isolated & closed system. Simple, almost primitive, with multiple physical human interfaces required. To be even thinking of network access to the weapons systems themselves is the height of irresponsibility; even more irresponsible than a reliance on GPS or satellite systems as a point of failure between authorization, launch, and “servicing the target.” Ahem.

This is the same kind of thinking that leads otherwise smart people to think “smart gun” technology is a good idea. It simply assumes away all risk, and places everything in the unstable hands of hubris-centered hope ungrounded by operational experience.

The fact that future nuclear weapons will be far more networked (though not necessarily to the open Internet) will create better safety and oversight, and allow for more coordinated operations. But more connectivity also introduces new potential vulnerabilities and dangers.

“You have to be able to certify that an adversary can’t take control of that weapon, that the weapon will be able to do what it’s supposed to do when you call on it,” said Dahm. “It isn’t just cyber. That’s definitely the biggest piece, but … When was the last time we built a new nuclear system? Designed and built one? It’s been several decades now. We, as an Air Force, haven’t done certification of new nuclear systems in a long time. These systems are different … What are the surety vulnerabilities for such a system, so to speak? How would you address them? How would you certify that the system will work when you need it to work and will do what it’s supposed to do?”

That’s what the study will cover.

The entire entering argument is wrong.

The only thing worse than the accidental launch of a nuclear weapon would be for our deterrent to be unable to perform when tasked or, worse, for a hostile power to think they can prevent its use.

Eric Schlosser’s book, Command and Control: Nuclear Weapons, the Damascus Accident, and the Illusion of Safety, is required reading, in case you are overconfident, for those not up to speed on how lucky we have been when it comes to nuclear weapons.

Opening additional paths for benign or malicious human malpractice?

No. Just no.




Posted by CDRSalamander in Air Force

  • Change60

    My jaw dropped when I read that story last week. Incredible that USAF would set up the world’s most desired cyber target. However given President-Elect Trump’s healthy and wise skepticism of the inherent security of a given computer or network I doubt these people will be around for long.

    • Aubrey

      Any network can be hacked and turned against you… A-N-Y N-E-T-W-O-R-K.

      Blindly ignoring and wishing away weaknesses will get an awful lot of people killed if and when the balloon goes up.

      • NavySubNuke

        I agree with your point – but ICBMs are already networked – that is how we get launch commands from launch control centers (where crews are) to launch facilities (where missiles are) even though they are miles apart.
        We also already have the capability of launching our ICBMs via transmission from the E-6B. This prevents our adversaries from just taking out our launch control centers and leaving the missiles sitting there useless in the launch control centers.
        This has been this way since the 1960s when Minuteman first came online.

      • Again, that is all known and well within my rqmts at USNIBlog that, “must be contained in a robust, hardened, isolated & closed system.”

    • its_me_LL

      They need to set up a password like “password” that nobody could figure out…USAF…

      • VelocityVector

        Mine is “log in” to remind me when I forget. Did I just compromise security?

      • Aubrey

        I use a long string of swear words created the last time I had to reset the p/w

  • bullnuke

    Another instance of “Just because you can do it doesn’t automatically mean you should do it.” The Air Force, in its search for relevance, is known for some hare-brained schemes but this is really nuts.

  • CynicSquid

    Time for some firings, and forced referrals for psych evals.

  • @USS_Fallujah

    Ugh, why must you work so hard to ruin the Terminator series. If we don’t enable skynet we’re never going to get to see Sarah Connor’s boobs.

    • Change60

      With entertainment today, Sarah is probably half zir, half borg.

  • DELTAKILOMIKE

    At least he didn’t say the words, “Net-centric,” or “GIG Enabled.”

    • Hundycougar

      It’s a warhead-frame not a missile.

  • CAPT Mongo

    There they go again. “Transformational” ain’t gonna turn out well in this area. Sheez!

    • DELTAKILOMIKE

      So, what do I need to know to launch to a pre-planned target? What’s the order? Is it authentic? How much real-time networking and bandwidth do I need for that, and are my network “needs” greater than my risks of a network compromise? So, I used to pee in a bottle once a month, at least, whether I needed to go or not. My estimates are not so much (“need”) and a whole lot (risk), respectively.

    • Cynic2

      As far as I read it, it is not about being transformational but about replacing patchworked CIC infrastructure and systems from the 1960s and 1980s with a comprehensive system.
      If they actually do this, it will be a massive undertaking as the CIC systems have only been partially replaced or adjusted before. Sure there are lots of risks in implementing a new network, but the old network does not function perfectly either.

      • CAPT Mongo

        Not saying we don’t need to keep all of our systems updated–including nuclear C2. I am skeptical of USAF (or anyone else) being “Transformational”. It has not worked out well in the past.

      • Cynic2

        I could not find that much information about this task but it appears the board assesses how to keep weapons and C2 systems secure before changes are made or new systems designed. Therefore they should especially evaluate transformational ideas and come up with realistic solutions.

      • CAPT Mongo

        We can hope.

  • surfcaster

    Air Gap
    Concrete Gap
    Steel Gap
    SAW Gap
    Beyond Stretched arms Gap

    Repeat after me:

    Air Gap
    Concrete Gap
    Steel Gap
    SAW Gap
    Beyond Stretched arms Gap

    And the Chorus

    Air Gap
    Concrete Gap
    Steel Gap
    SAW Gap
    Beyond Stretched arms Gap

    Refrain 1:

    Air Gap
    Concrete Gap
    Steel Gap
    SAW Gap
    Beyond Stretched arms Gap

    Refrain 2:

    Air Gap
    Concrete Gap
    Steel Gap
    SAW Gap
    Beyond Stretched arms Gap

    And another chorus:

    Air Gap
    Concrete Gap
    Steel Gap
    SAW Gap
    Beyond Stretched arms Gap

    • DELTAKILOMIKE

      So…no LOT? (LOT – “Launch on Tweet”)

    • VelocityVector

      Our nuclear forces have been networked by open air radio for decades. I have to believe the Soviets studied our ELF transmissions from the Upper Peninsula of Michigan and at least considered hacking or otherwise interfering with these at some level.

      • surfcaster

        So let’s add another attack surface or 3 😉

        No networked election machines
        No networked nukes

      • MPH

        You sound like Cmdr. Adama from the new Battlestar: Galactica

      • surfcaster

        I am just a mid-level IT guy.

        Though back when BSG fan films were popular I did think of doing a BSD/WEBBYS The Website is Down mashup…

        Google it – NSFW

      • MPH

        If you’ve seen the new BSG, you’ll recall that Adama was adamant about not networking the computers on Galactica, since the cylons were so adept at hacking them. It was the fact that newer battlestars had their navigation computer networked to the rest of the ship’s computers that allowed the worm placed in the new navigation update to drop the ship’s defenses.

      • surfcaster

        Haha – I understand

      • That is not “networked” as they are speaking.

  • NavySubNuke

    Before everyone goes off the rails too far on this here is a bit of unclassified background for those unfamiliar:
    The missiles are already networked – the difference is right now they are networked by the Hardened Interstitial Cable System (HICs) and have been since Minuteman came online and you had silos separated from launch crews (and launch crews responsible for multiple missiles) for the first time.
    The missiles already include the capability of being launched via a wireless launch command from the E-6Bs if connectivity is lost between the silos and their launch control centers.
    The HICS cables themselves were laid down in the 1960s and haven’t been updated since. In order to ensure their survivability there are thousands of miles of interconnected cables (think spider web) so that each silo and each launch control center are connected to multiple other silos and launch control centers.
    Therefore:
    There is nothing new under the sun – there is nothing being discussed here that is different from what is already done. The only real difference is the idea of using current technology to do it rather than relying on 1960s technology. Maybe that means upgrading and replacing HICs with a rad-hard fiber optic connection and maybe that means using a mixture of the HICs cables for certain data/commands (i.e. launch, re-targeting, some security information) and a less secure method for other information (i.e. maintenance status, video and other security information, etc.) remains to be seen.

    • That is all known and well within my rqmts that, “must be contained in a robust, hardened, isolated & closed system.”

      • NavySubNuke

        E-6B radio transmissions are not and have not ever been.
        Also, isolated and closed systems are harder to hack but the idea that they provide you protection from hacking because they are isolated and closed is a false one and one that could easily lead to miscalculations that make you think you are safer than you are — just ask the Iranians who had all their centrifuges on an isolated and closed system.

      • ronsnyder

        Or those undersea isolated and closed systems?

      • Cynic2

        I do not get all the fuss. What these people are talking about is conducting a study of how to replace a communication structure patchworked since the 1960s and computers from the 1980s supporting a highly complicated, compartmentalized and purposely redundant command and control structure with a new system and likely nuclear weapons to be replaced in the coming years. The CIC structure currently is a network and currently has interfaces with the rest of the armed forces as needed.
        Replacing this structure is a massive undertaking simply thinking about the definition of infrastructure and system functionality and security requirements and certification tests and benchmarks alone. Not even thinking about implementation. This system will highly likely be a closed, hardened and monitored system, which would need customized hardware and likely completely new operating systems and applications with every line of code written and inspected by DOD or NSA personnel. And while they are at it rethinking the complete requirements of a new system they might just include more requirements than those systems had 30 to 50 years ago.
        By the way, if your requirement is “with multiple physical human interfaces required” and you want one weapon to be launchable by more than one command center, which need to be at distance from the weapon for reasons of security and redundancy, this means you explicitly require network access to the weapon systems. A closed network with limited users, limited roles and rights and strict monitoring but network access nonetheless.

      • Mud

        I can see it now. A new use for raspberry pi. We could call it Nuke Pi or even better, POE pi.

      • EODC D.B.

        Pi Of Essence.

    • max

      “Maybe that means upgrading and replacing HICs with a rad-hard fiber optic connection”

      Replacing the cables and replacing the computers that use the cables are two entirely different things. There are wires/wireless comms to/from NCA and silo command bunkers, wiring and electronics inside command bunkers and wiring to/from command bunkers to actual silos.

      There’s no reason to replace the wiring from command bunkers to silos – a wire pair is a wire pair and as long as the electronics on either end have the right physical interface a wire pair should continue working until it is damaged. There’s no reason to replace those at the current time. Replacing the computers handling encrypted communications to/from silos to NCA is another matter – but this also should be easy to do since at the worst, you could emulate the IBM processing hardware on a (now very small) embedded device and just run the same code that has been running since the ’60s. Problem solved.

      You could, if you were silly, decide to ‘upgrade’ the protocol used to communicate with the silos over the wires, and maybe even make it all IPish and whatnot (seems silly, unless you intend to install a web server on a Minuteman so you can review settings via a browser), but you still wouldn’t need to replace the wires. Changing to fiber from copper wouldn’t make for much of an improvement, given that you aren’t downloading videos to your pet Minuteman, and arguably it would be less physically resilient.

      The only place in need of replacement appears to be in the silo electronics proper and that doesn’t and shouldn’t involve IP at all, except for some limited internal networking purposes that could just as easily be handled by other or custom-created protocols.

      max
      [‘You really need a good reason to bring IP networking into this situation and no one has bothered to suggest any yet.’]

      • VelocityVector

        But have you seen the price per unit of copper recently? We’re more than 20 trillion dollars in debt, and there is a mass of copper out there awaiting salvage by the creditors. You just know they’ll try for it.

      • Cynic2

        Besides updating systems in place the study will likely also have a focus on requirements for new systems as the Air Force currently plans to introduce a new ICBM to replace the Minuteman, a new strategic bomber to replace the B-52, B-1 and eventually the B-2 and new nuclear armed cruise missiles. All these systems need functionality and security requirements and so somebody has to evaluate what risks come with what functionality so it can be decided what to include and how to plan, implement and certify it.

    • timactual

      Thank you. I am indeed unfamiliar.

  • milprof

    To make this worse, btw, it’s not like DoD doesn’t get the threat. Public statements out of the Missile Defense Agency, NORTHCOM, and Dep Sec Work in the last year all suggest we ourselves are working on cyber-attack methods against foreign nuclear missile launch capabilities. Why give adversaries the same vector against us?

  • VelocityVector

    What they want to obtain, if I read them correctly, is to implement tighter control mechanisms and prevent a Barksdale-type incident in which the CIC isn’t even aware nuclear weapons have been actually “enabled” until several hours after the fact. And in the event the balloon goes up they want CIC to better understand which weapons have been released for assessment purposes, including reattack, under circumstances where we’ve lost radars, satellites and key nodes to a first strike or sabotage. Our nuclear forces have been networked via landlines and radio for more than half a century already. I doubt any sane person would argue we should network nuclear capabilities with the interwebs, I mean the app on CIC’s iPhone could crash or something and ruin the show, j/k.

    • surfcaster

      “I mean the app on CIC’s iPhone could crash or something and ruin the show, j/k.”

      Or get blocked by a hard to read Captcha

      • VelocityVector

        “Is that an ‘S’ like I thought or a five?! What do you mean I’m outta tries and need to contact staff for verification of my identity, I’m the effing President of the United States and I’m retaliating!”

        “Sorry Mr. President, they failed to consider Captcha and myopia when devising the new SIOP and nuclear weapons release protocols.”

        “Well dabgumnit, sonny boy, Ima gonna get me those launches if it harelips everybody at Bear Creek …”

        “Sir, I’m afraid Captcha won’t permit authorization until authentication and there’s no way around it. We’ve called and emailed Support but all lines are down in India and the Philippines at the moment …”

        “Break out the bourbon, the stuff Jackson left behind …”

  • timactual

    Is there a problem with the current system?

    “You have to be able to certify that …”

    Well, as long as it is certified, it’s okay by me.

    A couple of years ago I was taking a Cybersecurity class and we discussed a major data theft from a large company (Sony?). As I recall the vulnerability used by the hackers was created when ONE server out of hundreds, maybe thousands, was not properly patched or updated. Not some cutting-edge software or technology, just an oversight or glitch.

    Of course something like that could never happen in the military.

    • ssgcmwatson

      Of course not! That would be like OPM letting their server get hacked so that all the info on my security clearance questionnaire went to the highest bidder!

      • surfcaster

        No, you mean like hiring the Red team (literally) to do your IT support.

  • Billy

    Let’s appoint Robert Farley SECAF, this will be fixed.

  • submandave

    Not sure how much alarm this really warrants. Patrick Tucker is a “futurist” with a Masters in Writing, apparently with a knack for reading ominous tones into press releases. Did he actually interview the people quoted and ask them relevant questions to ascertain if the “some level of connectivity to the rest of the warfighting system” referenced includes Command and Control? If the USAF, or anyone, is talking about integrating the ability for a field commander to request a nuclear strike like they request CAS then sign me up for the coup to stop this nonsense, but this, to me, is just sensationalism, especially given its publication in the Atlantic and the obligatory “Trump tweets” ping.

  • kmhall

    This isn’t about the capability, its utility, or its potential vulnerabilities. This is about StratCom getting their ducks organized to go after that sweet, sweet pork that Trump is about to unleash on the DoD.

  • Mark Richards

    It appears at first glance that all this discussion of upgrading nuclear missile networking is a desperate attempt at creating a problem, where neither need nor problem exists. If it’s broken, *repair* it. If it’s not broken, leave it alone. There’s a reason why the system is so elegantly simple and crude. The consequences of “oops, we didn’t consider that” are way too high.