The Complex

Keeping nukes safe from cyber attack

In the wake of a 2010 incident in which the Air Force lost contact with 50 intercontinental ballistic missiles, the service is figuring out how to protect its command-and-control systems from cyber attack -- a nonexistent threat when the missiles were designed decades ago.

"Our ability to keep our networks assured and protected and not vulnerable is really important, it's something we have looked at hard," Maj. Gen. William Chambers, head of Air Force Global Strike Command's nuclear deterrence shop, told Killer Apps during a Sept. 18 interview. "It's something that we build into all of our new nuclear weapons systems so that they remain cyber-secure."

Global Strike Command manages U.S. land-based nuclear ICBMs and air-launched nuclear cruise missiles and bombs.

Protecting what are arguably the nation's most important military assets from cyber attack, and avoiding the terrifying scenario of an enemy feeding incorrect information into the nuclear command-and-control networks "seized" Air Force officials after they lost contact with a field of 50 Minuteman III ICBMs at FE Warren Air Force Base in Wyoming for an hour in late 2010, according to Chambers.

"It's really important. It's a problem that about a year ago we were seized with. We have done some pretty comprehensive studies of the cyber-state of our ICBM force. We are confident in it," said Chambers. "There was an issue: we had a temporary interruption in our ability to monitor one of our missile squadrons back in the fall of 2010. That produced a need to take a comprehensive look at the entire system. It took a year to do that study, and we're confident that the system is good, but as we upgrade it, modernize it, integrate it, we've got to really pay attention to" protecting nuclear command-and-control information.

While Chambers didn't go into specifics of how Global Strike Command will protect its nuclear command-and-control networks from cyber attack, he did say that it is working to harden its networks against intrusion and the manipulation of nuclear command-and-control information and to increase backup communications abilities.

Chambers added that the Minuteman III ICBM command systems, designed in the 1960s and 1970s, are incredibly robust. "ICBM-wise we have a very secure system."

A Boeing official later told Killer Apps that while it is looking at upgrading the ancient technology used in parts of the Minuteman command networks, that technology is safe from hacking. Boeing is on contract with the Air Force to maintain the 1970s-vintage Minuteman III fleet and is helping the service keep the missiles in service through the 2030s.

"Our C2 [command-and-control] system for Minuteman is a very old system. There's a network called the HICS [hardened intersite cable system] network, and it's [made of] copper wire, and it's limited in bandwidth," said Peggy Morse, director of Boeing's strategic missiles systems programs, told Killer Apps on Sept. 18.  While it's old, "it's very secure," she added.

Still, "as we look at different C2 systems and ways to move data about in the field, information assurance is a big deal there, and the security requirements are going to drive the solutions that we look at," said Morse. The company is also working to modernize the actual cryptographic devices used to encrypt and decipher launch codes for nuclear missiles.

Bruce Blair, a former Minuteman III launch-control officer and co-founder of the Global Zero movement to eliminate nuclear weapons, describes several ways the ICBMs' aging command-and-control technology are vulnerable to hacking.

Both the missile silos' radio receivers, which are designed to read messages from the flying command posts that would be used to launch the missiles in the event that land-based command centers have been destroyed, and the HICS cables are vulnerable, according to Blair.

"In the case of Minuteman, there are...potential entry points into the supposed fire-walled command and control system," Blair told Killer Apps in a Sept 25 email. "One of them is the radio antenna at the unmanned missile silos designed to allow airborne launch control centers to inject the three short signal bursts [telling the missiles to identify their targets, arm, and launch] in the event of a breakdown in the local underground command post system (for instance, their destruction by enemy nuclear missiles)."

If hackers were able to take over this antenna, "this entry point could provide access under a range of circumstances such as the loss of control experienced at FE Warren in a squadron of 50 missiles . . .  or such as illicit actions taken by an ‘insider' agent," added Blair.

"Another [vulnerability] are the thousands of cables that run 6-feet underground interconnecting all of the missile silos with all of the launch control centers in a given squadron. It's possible to imagine outside parties surreptitiously tapping into one cable at one location or another, and thereby gaining access to the actual conduits that control and target, enable, and fire the missiles."

Still, doing so would require knowing exactly where the cables are and avoiding security details.

Chambers did not comment on the command systems for the service's air-launched nuclear cruise missiles and B-61 tactical nuclear bombs.

A key part of protecting nuclear weapons from cyber attack as they are modernized and upgraded is making sure that the supply chain for nuclear weapons electronics is secure -- a problem that has plagued the Defense Department for years.

"We are continuing to study the cyber assurance aspect of the supply chain that supports our nuclear weapons systems," said Chambers. "That work is underway and we're taking steps to mitigate and close off any vulnerabilities."

This effort is focused on making sure that Defense Department officials know exactly where the electronic chips and other components used in nuclear command and control come from and how they are produced.

"That's not just our problem, that's a national problem," added Chambers, referring to the fact that the entire DoD is concerned about counterfeit electronic parts making their way into its supply chains. Such parts are at best, potentially unreliable and at worst could be infected with malware aimed at U.S. military gear.

U.S. Air Force

National Security

It's the data stupid

The Air Force has realized that simply trying to wall off its networks from cyber threats, which become more sophisticated every day, will work about as well as the Maginot Line. So it is working on a two-pronged approach to protect its most valuable information and to ensure that it can transmit that information even while under attack. This effort reflects a shift from the Air Force's focus on defending networks to protecting what really matters: the data itself.

"Our adversary has found ways to get over, under, around, and through our defenses," said Air Force Maj. Gen. Earl Matthews, chief of cyber operations in the Air Force's Chief Information Officer's shop during a Sept. 18 speech at the Air Force Association's annual conference just outside of Washington. "We still need to protect the network, but we must also protect the reason for the network, the data and information that resides and flows through the network.... [That] must be our focus."

One of the biggest parts of the service's effort to protect its ability  -- and DoD's ability as a whole -- to move critical data is something called the Joint Aerial Layer Network, a plan to provide multiple means of communication for the military should it find its radio, cellular, computer, or even satellite communications networks jammed by the enemy.

"We need resiliency in our hardware and our applications...the ability to endure outside stresses from an event, multiple events and to be able to continue to function," said Matthews. "If our satellite communications capabilities were to be temporarily interrupted, how would we pass information to the aircrews and warfighters at the edge? We would need an alternate link, perhaps a radio."

The Joint Aerial Layer Network is meant to "link air, space, and cyber forces together, providing resilient capabilities in each of those domains," added Matthews. The network will consist of aircraft, manned and unmanned (drones can stay aloft much longer than manned aircraft), that provide a backup communications system allowing U.S. forces to pass data in real time should their radio, satellite, or Internet communications be taken out. These aircraft will contain a variety of transmission and relay devices known as "smart nodes," allowing U.S. forces to pass data to one another. An existing example of the type of system is the Battlefield Airborne Communications Node (BACN, yes it's pronounced, "bacon"). BACN is being used now in Afghanistan -- it is sometimes hoisted aloft by ancient WB-57 Canberras, one of the world's first jet bombers, designed just after World War II --  where it translates and passes data that troops, aircraft and command centers send from a variety of communications devices that weren't originally designed to communicate with one another.

All of this is part of the Pentagon's plan to fight an adversary that will try to blind the United States in a conflict -- removing the massive advantage provided by all the UAVs, satellites, guided munitions, and stealthy jets loaded with sensors that have given the U.S. an edge for decades.

"All command and control runs through cyber now," said Matthews. "We can't launch [the Air Force's newest fighter] aircraft, the F-22 or the F-35, without the network being established and operating and secure. . . . Not a single [UAV] mission would be possible without a functioning and secure cyber domain."

The obvious question is, just how many aircraft will be needed to do implement the aerial network and what happens when the enemy attacks it, either with missiles or cyber weapons?

When it comes to actually protecting data, the service is moving to encrypt as much sensitive data as it can. The Air Force recently ordered that all personal information -- data that can be used to glean an airman's identity -- be encrypted before it is transferred across the service's networks. That's right, the air service is just as concerned about protecting its members' personal information from hackers as online-privacy advocates are about protecting citizens' information from the government.

This is just the start.

"As we identify other information, critical to our Air Force operations, [Lt. Gen. Mike Basla, the Air Force's CIO] intends to establish similar criteria and policies focused on the protection of mission-essential information and data on our networks, especially information like deployment readiness or logistics data," said Matthews.

Deployment readiness and logistics data may sound boring, but it is hugely important, as Maj. Gen. Christopher Bodgan, deputy program manager for the F-35 Joint Strike Fighter pointed out this week when he revealed that the jet's computerized maintenance system called ALIS (Autonomic Logistics Information System) had to be tweaked to prevent spies from hacking it.  Gaining access to ALIS would let hackers see how many of the jets were able to fly versus how many were down for maintenance and other details that could be extremely useful when planning to fight U.S. air forces.

"You don't mission-plan without it, you don't maintenance debrief without it, you don't pull your training records without it, you don't make sure the airplane is ready to go without it -- so it's so crucial to maintaining this airplane. It's frightening, almost," said Bodgan during the same conference. "One of the big problems was security. You can imagine that a system that has all that information about an F-35 Joint Strike Fighter in it: what parts need to be fixed, what pilots are qualified, what maintainers are qualified, what mission planning is going on. You've got to protect that information.... We did some testing and found some vulnerabilities." 

U.S. Air Force