The terrible possibility of cyber attacks on weapon systems

We often hear on cyber attacks, cyber operations and malware infections that target computer systems or smartphones. Attacks on civilian infrastructure such as hospitals, water sanitation systems and the energy sector also get a lot of airtime. But there is another type of high-stakes system that receives a lot less attention: weapon systems. These include guided missiles, missiles and anti-missile systems, tanks, combat aircraft, etc., all computerized and possibly networked. One can imagine that weapon systems contain security vulnerabilities similar to most other information systems, including the most serious.

A malicious adversary taking control of lethal weapons capable of kinetic destruction can look like a plot of political fiction that begs to be overrated. But today, computerized weapon systems control the pillars of defense in many countries. And while the information on these systems is very secret, there is one thing we do know: Although access to such systems is not easy, they almost certainly contain vulnerabilities. My experience indicates that there is no reason to think otherwise. And such a possibility constitutes a potential risk to the security and stability of the world.

The consequences of such hacking operations could be disastrous. Control of these weapon systems is an integral prerogative of the state, and any external interference with them could be interpreted as interference in the internal affairs of the state, leading to retaliation. No country would simply allow its adversaries to glance at issues restricted to state control, such as military oversight. Fortunately, achieving this is far from straightforward.

Carrying out such a cyberattack would require not only hostile intentions, but also the existence of security vulnerabilities in control systems. In order to exploit such bugs, the attacker would also need to access this system, which is not easy to obtain. But these obstacles are not impenetrable.

Hopefully these cyber risks remain low. In order to ensure that they do this, the number and severity of these vulnerabilities must be monitored. Military and governments around the world must create a management process for discovering vulnerabilities – a process that encourages finding them, establishes a system to fix them, maybe even shares information with allies, and generally works on it. stability. Likewise, the opportunity to exploit weaknesses should be closely monitored, usually by allowing access only from internal networks, which malicious actors could not reach.

Hopefully the armies of the world are already, in fact, looking for these vulnerabilities. But while they have found them in the past, information about these finds has rarely been disclosed to the public. This sphere is imbued with silence. Public treats come from the rare reports or occasions of remarkable transparency. These reports are a litmus test, confirming suspicions of vulnerable weapon systems. For example, the United States of 2018 Government Accountability Office Report includes a note on routinely identifying “mission critical cyber vulnerabilities that adversaries could compromise”, including the ability to take full control of systems under test, in some cases. He goes on to explain that these vulnerabilities pose unique threats to large, interdependent systems, also because updating or replacing a single part is far from straightforward. According to the report, “a patch or software enhancement that causes problems in an email system is impractical, while a patch that affects an aircraft or missile system could be catastrophic.”

Fortunately, awareness of this problem seems to exist in some communities. In a declassified 2021 briefing, the US Department of Defense revealed that cybersecurity risks had been identified in several systems, including a missile warning system, a tactical radio system, a guided missile and the B-2 Spirit bomber. While the details of the cybersecurity issues identified and resolved remain confidential, we can reasonably conclude that these and other weapon systems have serious weaknesses.

Similar concerns are raised by the (classified) results of the audit of a 16-year-old B-2 Spirit bomber capable of carrying nuclear munitions. The technical details of the report are not publicly available, but what we can see allows us to reasonably conclude that serious cybersecurity vulnerabilities exist in weapon systems, including those that would allow the potential adversary to take control. control of a system. This is likely due to the fact that maintaining these old legacy systems is still a cybersecurity challenge, whether they are outdated systems used in hospitals or weapon systems used by armies around the world. Fortunately, when updating them, some issues are detected and fixed. But the phenomenon of cybersecurity risks in existing weapon systems is real. And this is true not only of the weapon systems employed by the United States, but probably also of virtually all other weapon systems employed by any other country.