Similarities between a cyber-attack and a WMD attack push countries into a cyber arms race like the one between the U.S. and the U.S.S.R. during the Cold War.

By Julien Chesaux, Cyber Security Consultant

Different Types for Different Missions

A WMD is a powerful weapon that is capable of a high order of destruction, causing mass deaths and casualties. WMDs are usually divided into four categories: nuclear, radiological, chemical and biological. Although all of them are still stocked and used by some states, the most destructive and feared one is the nuclear bomb. Several international conventions and treaties, like the Nuclear Non-Proliferation Treaty (NPT), try to govern their development and use, with little success. Since its signature in 1968, the treaty has prevented neither vertical (in the number of warheads) nor horizontal (in the number of states having the bomb) proliferation. Fortunately, the only country to have launched a nuclear attack remains the U.S., with its World War II bombing of Hiroshima (August 6, 1945) and Nagasaki (August 9, 1945). In those attacks, around 100,000 people died, instantly burned to ashes, and 95,000 were injured or died after the blasts due to side effects (radiation, burns, illness or malnutrition). Today, eight states officially have nuclear capabilities, namely the U.S., Russia, France, the U.K., China, India, Pakistan, and North Korea. Israel also has nuclear capabilities but has chosen a policy of ambiguity for strategic reasons, as the country is in an unstable region surrounded by hostile Arab states.

The Absolute Weapon

According to the latest figures of the Stockholm International Peace Research Institute (SIPRI), the U.S. has 1,930 nuclear warheads that are operational and ready to be launched within minutes. An additional 5,070 are kept in stock. With a total of 7,000, these warheads would be enough to destroy several planets within a few hours. With a Russian arsenal of roughly the same size, Washington and Moscow together hold around 90% of the total warheads around the world. Currently, four nations (U.S., Russia, China, and India) can deliver their nuclear payloads through what is called the ‘nuclear triad’: strategic bombers (air delivery), intercontinental ballistic missiles (land delivery), and submarine-launched ballistic missiles (sea delivery).

Due to predictability and intelligence, most of the nuclear warheads delivered by plane can be detected quickly, and the positions of the land-based ones are already known. Thus, the only really functional missiles in the triad remain the submarine-launched ballistic missiles (called SLBMs), as ballistic missile submarines (i.e. SSBNs) can stay undetected under water for months thanks to their nuclear-powered engines. They can carry between 16 (for the Russian ‘Borei’ class submarines) and 20 (for the American ‘Ohio’ class submarines) Multiple Independently Targetable Reentry Vehicles (MIRVs), which are ballistic missiles that can aim at different places within a given area. Every MIRV can contain 6 to 12 warheads, each with a power of 100 to 150 kilotons (kt). For comparison, the ‘Little Boy’ and ‘Fat Man’ bombs that hit Hiroshima and Nagasaki in WWII had an explosive power of 15 kt and 21 kt respectively[1]. Therefore, a single ballistic missile submarine can carry, in theory, around 100 warheads with a potential explosive force of 10,000 kt (equivalent to 10,000,000 tons of TNT).

Submarine Vulnerability

Classical submarine network architecture is air-gapped, meaning that it is physically isolated from the public Internet or any unsecured local area network (LAN), like most critical infrastructure. Nevertheless, this does not ensure total security, as evidenced by the 2010 “Operation Olympic Games”, in which Iran's Natanz nuclear enrichment plant was attacked by a worm named Stuxnet. This cyber weapon, developed jointly by the U.S. CIA and the Israeli Mossad (probably Unit 8200, specialized in SIGINT [SIGnal INTelligence]), overheated the uranium-enriching centrifuges and seriously damaged the military nuclear program of Iran. This cyber-attack was the first to have kinetic consequences on critical infrastructure.

According to a publication from the British American Security Information Council (BASIC), a London-based think tank, the UK Trident II D-5 ballistic missile, used as the SLBM (Submarine-Launched Ballistic Missile) by the U.S. and the U.K. in their SSBNs (Submersible Ship Ballistic Missile Nuclear Powered), is vulnerable to cyber-attacks[2]. The paper argues that although submarines on patrol and the Trident’s sensitive cyber systems are air-gapped, “the vessel, missiles, warheads, and all the various support systems rely on networked computers, devices, and software, and each of these has to be designed and programmed. All of them incorporate unique data and must be regularly upgraded, reconfigured and patched”[3]. For example, underwater drones and nano and bionic technologies, such as implantable and subdermal data storage and communication devices, may be smuggled into the vessel and activated autonomously, manually or remotely. If not directly within the vessel, a malware injection could happen during the manufacturing of a submarine, missile, warhead, hardware or software; during its refurbishment, maintenance or update; or during the transmission of data when the vessel is not in operation. These attack vectors considerably complicate the attack surface of an armament.

Differences and Similarities between WMDs and cyber attacks

Governments do not yet know how to retaliate against a cyber-attack: What is the red line? How to retaliate? With a cyber or a conventional attack? At which scale? These unresolved questions create instability and let hackers proliferate and operate within cyberspace with few or no consequences. Therefore, militaries are trying to develop analogies between the nuclear world and cyberspace, using the nuclear arms race as a starting point.

Indeed, Joseph Nye, an American political scientist and theoretician of neoliberalism and soft power, established that there are similar elements between the nuclear arms race of the Cold War and cyber warfare[4]: (1) superiority of offense over defense; (2) use of weapons for tactical and strategic purposes; (3) possibilities of first and second use scenarios; (4) possibility of automated responses; (5) the likelihood of unintended consequences and cascading effects.

Still, differences remain. The commercial predominance, accessibility, and low cost of cyber warfare make it a far more accessible option for an asymmetrical approach, especially for non-state actors. Also, a cyber-attack does not carry with it the existential dread associated with nuclear attacks. As American scholar Martin Libicki pointed out, destruction or disconnection of cyber systems could return us to the economy of the 1990s, a huge loss of GDP, but a major nuclear war could return us to the Stone Age[5].

Nonetheless, the cyber threat is becoming ever more dangerous, and malware could be regarded as the new “absolute” weapon, in reference to the military strategist Bernard Brodie’s book “The Absolute Weapon: Atomic Power and World Order”, published in 1949. The book explains the fundamentals of the nuclear deterrence strategy, in which the weapon's main purpose lay not in its use but in the threat of it: “Thus far the chief purpose of our military establishment has been to win wars. From now on its chief purpose must be to avert them. It can have almost no other useful purpose”[6]. Therefore, the cyber weapon can also become a deterrent tool.

Cyber Arms Race

The current unstable global situation could potentially lead to a cyber arms race like the nuclear one between the U.S. and the U.S.S.R. during the Cold War. Then, an act of war would have meant the annihilation of both opponents, due to the excessive number and power of weapons at their disposal. For this reason, the Cold War resulted in the Mutual Assured Destruction (MAD) doctrine. What the result of the cyber arms race will be remains to be seen, but malware is cheap, easily accessible and efficient.

What is known is that the cyber arms race will almost certainly be fought chiefly between the U.S. and China, with Russia as a potential third player. In September 2017, President Vladimir Putin stated that artificial intelligence (related to cyber capacities) is “the future, not only for Russia but for humankind”[7]. China has also recognized the power of the digital world. According to Tencent’s “Internet Security Report: First Half of 2017”, China currently suffers from a severe shortage of cybersecurity professionals. Thus, Beijing aims to graduate 1.4 million cybersecurity majors in the next decade (a significant increase from the roughly 30,000 graduates it produces today)[8]. To do so, China claims it will establish four to six world-class cybersecurity schools in Chinese universities to create “cyber warriors” within 10 years[9].

About the Author

Julien Chesaux is a Cyber Security Consultant at Kudelski Security, a Swiss and American cybersecurity company. Julien mainly works on cybersecurity, information security, and geopolitics analysis in order to help clients find solutions to the threats they face. He is also a mediator and writer for the Swiss think tank Foraus and the co-founder of www.stralysis.com. He has worked in diplomacy and cybersecurity for seven years in Switzerland, Australia, and France. His main research interests are Global Security, Cyber Geopolitics, and International Affairs.

LinkedIn profile: www.linkedin.com/in/julien-chesaux-65279456

You can reach me at julien.chesaux@gmail.com

[1] CHESAUX Julien. “Do We Really Need Thousands of Nuclear Warheads?”, Foraus blog, May 05, 2017

http://www.foraus.ch/#!/blog/c!/content-6811-do-we-really-need-thousands-of-nuclear-warheads

[2] ABAIMOV Stanislav & INGRAM Paul. “Hacking UK Trident: A Growing Threat”, British American Security Information Council (BASIC), Jun, 2017

http://www.basicint.org/sites/default/files/HACKING_UK_TRIDENT.pdf

[3] ABAIMOV Stanislav & INGRAM Paul. “Hacking UK Trident: A Growing Threat”, British American Security Information Council (BASIC), Jun, 2017

http://www.basicint.org/sites/default/files/HACKING_UK_TRIDENT.pdf

[4] NYE Jr. Joseph S. “Nuclear Lessons for Cyber Security?”, Strategic Studies Quarterly 5(4), pp. 18-38, 2011

https://dash.harvard.edu/bitstream/handle/1/8052146/Nye-NuclearLessons.pdf

[5] LIBICKI Martin. “Cyberwar as a Confidence Game”, Strategic Studies Quarterly 5, no.1, 2011

https://www.files.ethz.ch/isn/153779/spring11.pdf

[6] BRODIE Bernard. “The Absolute Weapon: Atomic Power and World Order”, Yale Institute of International Studies, New Haven, U.S., 1949

https://www.osti.gov/opennet/servlets/purl/16380564-wvLB09/16380564.pdf

[7] MEYER David. “Vladimir Putin Says Whoever Leads in Artificial Intelligence Will Rule the World”, Fortune, Sep 04, 2017

http://fortune.com/2017/09/04/ai-artificial-intelligence-putin-rule-world/

[8] TENCENT COMPUTER MANAGER. “2017 Internet security report in the first half of the year”, Tencent, Aug 04, 2017

https://guanjia.qq.com/news/n1/2039.html

[9] ZI Yang. “China Is Massively Expanding Its Cyber Capabilities”, The National Interest, Oct. 3, 2017

http://nationalinterest.org/blog/the-buzz/china-massively-expanding-its-cyber-capabilities-22577