Nuclear weapons and powerplants possess various risks to the general population such as radioactive fallout mutating and killing flora and fauna as radiation is emitted into the atmosphere and contacts plants and animalsi. Nuclear weapons cause this damage through fallout that exists as radioactive particles enter the atmosphereii, while nuclear powerplants possess risks through both natural disasters such as earthquakes and tsunamisiii, mechanical faults during testingiv. Cyberwarfare is a method in which attacks are launched by states or non-state actors through the use of personal computers and offshore serversv in order to compromise another state’s infrastructure. Cyberattacks have already been used to compromise the Natanz nuclear facility’s centrifuges in Iranvi, creating a proof-of-concept that cyberattacks can be used to attack nuclear facilities in “undesired” nuclear states. Additionally, cyberattacks have been used by large states as a replacement for war in NATO member-statesvii because NATO affords collective security under Article 5 of its charter. Cyberattacks have also been used in “hybrid warfare,” where they are used in conjunction with traditional attacks to further weaken the attacked state.viii For nuclear weapons that are already used in attacks, this opens a new means of compromising the mechanisms that control these weapons and prevent catastrophic failures of protection mechanism.
By analyzing the role of cyberattacks on nuclear weapons mechanisms and nuclear powerplants, this entry will demonstrate how cyberwarfare is a legitimate threat against the computer systems that control many of the nuclear power and weapons facilities throughout the world. Using the attack on Stuxnet as a proof-of-concept, I will demonstrate that attacks, should they go unchecked by security organizations, can have worldwide implications far greater than imagined by the general population. Thus, this entry shows that there is more to worry about than merely traditional attacks or mechanical failure, but rather an encrypted attack that is nearly impossible to trace.
CYBERWAR AND NUCLEAR POWERPLANTS
The 2010 Stuxnet attack on the Natanz powerplant served as a proof-of-concept that attacking nuclear facilities needs a way to get into the facility, whether by remote attacks such as a distributed denial of service attack that overloads the servers through an extreme amount of requests to the server,ix or by a USB drivex brought in by a vendor.xi Internet connectivity is therefore not required in order to launch such an attack. Stuxnet was also considered a low-yield attack, as although it did destroy Natanz’ centrifuges, Stuxnet was intended to overpower the capabilities and understanding of Natanz’ operatorsxii. A higher-yield attack could have more staggering implications than simply setting back a country’s nuclear program.
A high-yield cyberattack on a nuclear powerplant could have greater implications than simple destruction of centrifuge. An increase in the frequency of cyberattacks against nuclear powerplantsxiii, along with the increasing professionalism of hackers that are beginning to hack encrypted networksxiv. Such attacks could reduce the rational decision-making abilities of world leaders due to the possibility of compromised credibility of those perceived as leaders.xv This is because leaders and diplomats such as General James Cartwright may compromise agreements between international leaders and such as the one pointed out by Israeli Prime Minister Benjamin Netanyahu, in which the United States and several western countries entered an agreement with Iran in regards to reform its nuclear programxvi.
Beyond the political implications, nuclear power is one of the most prevalent forms of power throughout Europe. Many European power plants, particularly in Eastern Europe, are nuclear-based, and are reliant on adversarial states such as Russia not engaging in cyberattacks in order to maintain operationxvii. As a whole, approximately one-fourth of Europe’s total energy consumption is a result of nuclear power production, and over one-half of all low-carbon production is nuclear-basedxviii. Previous cyberattacks against EU and NATO states, such as the cyberattack against Estonia in 2007, have resulted in extending disabling of political and economic structures within statesxix. While those cyberattacks did not attack centers where a deprivation of electricity and power could cause massive casualities such as hospitals. Although many hospitals may have backup power in the event of a short-term loss of power, the Estonian cyber war lasted over three weeksxx, more than enough time to deplete a hospital of its backup power and begin causing loss of life. Loss of life, or a lack thereof, was one of the reasons NATO did not participate in retaliating against the Russians in the Estonian cyberwar; not enough human life had been terminated to justify action.xxi
In reaction to the Estonian Cyber War, Rule 51 of the CCDCOE charter prohibits the use of cyberattacks in a way that would compromise human life or compromise infrastructures in excess of traditional warxxii. Although this gives NATO member-states a justifiable – albeit vague – statute, it only protects NATO member-states from other NATO member-states in much the same way that a common agreement between schoolyard children who wear glasses not to hit other children with glasses only works within that community.xxiii With nuclear reactors possessing uranium, depleted rods, and the ability to produce either nuclear power or potentially nuclear warheads (depending on the grade of uranium being refined)xxiv, a cyberattack’s ability to compromise protective measures, even through actions as simple as overpowering centrifugesxxv, could have potentially far reaching implications for human life and affected societies. In contrast, cyberwarfare against nuclear weapon sites takes on an entirely different set of issues that are arguably more pressing than issues against nuclear powerplants.
CYBERWAR AND NUCLEAR WEAPONS SITES
Cyberwars can be aimed not only at nuclear powerplants in order to compromise the affected state’s infrastructure,xxvi but can be used to compromise a state’s ability to defend itself or to trick the nuclear state’s infrastructure into launching an attack. Removing a state’s ability to defend itself or to launch an attack may be a preemptive war tactic in which the threatened state attacks on the basis of imminent threatxxvii. Cyberattacking a nuclear base may be a preemptive attack, but its results can be unintended, and potentially more disastrous if attacks manage to spoof various areas of military infrastructure into thinking a threat is imminentxxviii.
Using a cyberattack to spoof early warning networks that protect state military infrastructures can result in unnecessary conflicts due to a myriad of attack methods. These attacks range from simple automated bots – computers infected with viruses that allow another user control over their operations – that attack by scanning for vulnerabilities in nuclear defense networksxxix, to attacks that account for the network disconnection that nuclear facilities possess, such as the method used to infect Natanz with the Stuxnet virus. Furthermore, the potential spoofing that cyberattacks can perform on nuclear weapons networks has raised questions as to whether the appropriate response to a cyberattack against a nuclear facility would be to engage in nuclear warfare.xxx
Spoofing attacks have become vitriolic that states’ governments have considered nuclear retaliation to cyberattacks as a viable measure against future attacks.xxxi Elbridge Colby of the National Interest states:
The DSB Task Force wasn’t focused on those kinds of attacks. Rather, they were looking at what they referred to as “existential cyber attacks”: large-scale, brutally effective attacks on critical elements of the U.S. military and civilian infrastructure that would impose significant loss of life and tremendous degradation of our national welfare. What they meant was attacks which lead to planes falling out of the sky, water and power shutting off, communications dying, food rotting, and the like. As Task Force Chairman (and Under Secretary of Defense in the Clinton administration) Paul Kaminski made clear, any cyber attack meriting consideration of nuclear use would “have to be extreme. It would have to be the kind of attack that we would judge would be threatening our survival.”xxxii
Thankfully, the United States’ policy of a nuclear retaliation against a successful large-scale cyberattack that would affect the basic infrastructures of American life serves as a last resort;xxxiii the fact it exists at all as a viable countermeasure is still a scary thought. More typical responses to cyberattacks include diplomacy, sanctions, and more traditional warfare.xxxiv This is because countering cyberattacks exclusively with cyberattacks is considered bad defense practice due to the cost of cyberdefense compared to cyberoffense.xxxv However, continued investments by the United States Military in bolstering its nuclear resources in response to cyberattacks shows a continued tie to the nuclear-based brinksmanship prevalent in Cold War-era United States Foreign Policyxxxvi. Thus, while the United States has accepted that cyberattacks against nuclear facilities may be a reality, retaliation by nuclear attack shows the myopic vision that hegemonic states have with regards to long-term effects against the environment, agriculture, and effected populations.xxxvii
Cyberattacks against nuclear weapons bases can have just as malignant effects as traditional attacks due to the predisposition of states to retaliate through nuclear means. They are more malignant in that they are false positives that can have long-standing implications in international relations. The ability to cause a war for no other reason than for hacking and attacking pleasure means that states must now be aware that wars can ensue from an attack by an infected computer. Peace Action New York State takes the position that nuclear weapons and power facilities are a threat to the environment and to life; the ability to launch cyberattacks and cause potential false positives exacerbate international relations between nuclear states and their neighbors, and need to be addressed not just in a reactive fashion through the proposed nuclear counterattacks, but through strong countermeasures. A cyberattack can be an effective countermeasure, but it needs to be used in conjunction with diplomacy and sanctions, and in very controlled conditions, in order to be coercive enough to stave off war, but not threaten a violent response.
iJeffrey Masters, Ph.D, “The Effect of Nuclear War On Climate,” Weather Underground, accessed April 10, 2015, http://www.wunderground.com/resources/climate/nuke.asp?MR=1.
iiCatherine Sauvaget et al., “Intake of Animal Products and Stroke Mortality in the Hiroshima / Nagasaki Life Span Study,” International Journal of Epidemiology32, no. 4 (November, 2003): 538-39, accessed May 15, 2015, http://ije.oxfordjournals.org/content/32/4/536.full.pdf+html.
iiiSteven Starr, “Costs and Consequences of the Fukushima Daiichi Disaster,” Physicians for Social Responsibility, accessed May 15, 2015, http://www.psr.org/environment-and-health/environmental-health-policy-institute/responses/costs-and-consequences-of-fukushima.html.
iv“Backgrounder On Chernobyl Nuclear Power Plant Accident,” United States Nuclear Regulatory Committee, December 12, 2014, accessed June 5, 2015, http://www.nrc.gov/reading-rm/doc-collections/fact-sheets/chernobyl-bg.html.
vDanny Bradbury, “Testing the Defences of Bulletproof Hosting Companies,”Network Security no. 6 (2014): 9.
viRalph Langner, To Kill a Centrifuge: A Technical Analysis of What Stuxnet’s Creators Tried to Achieve (Arlington, VA: The Langner Group, 2013), 12.
viiJames S. Corum, Development of the Baltic Armed Forces in Light of Multinational Deployments. (Carlisle Barracks, PA: U.S. Army War College Press, 2013), 10, 17.
viiiPrashanth Parameswaran, “Are we Prepared for ‘hybrid warfare’?,” The Diplomat, February 13, 2015, accessed June 5, 2015, http://thediplomat.com/2015/02/are-we-prepared-for-hybrid-warfare/.
ix“What Constitutes a Cyber Attack?,” NEC, accessed June 5, 2015, http://www.nec.com/en/global/solutions/safety/info_management/cyberattack.html.
xDavid Shamah, “Stuxnet, Gone Rogue, Hit Russian Nuke Plant, Space Station,” Times of Israel, November 11, 2013, accessed June 5, 2015, http://www.timesofisrael.com/stuxnet-gone-rogue-hit-russian-nuke-plant-space-station/.
xi“Stuxnet: Zero Victims,” SecureList, November 11, 2014, accessed June 5, 2015, https://securelist.com/analysis/67483/stuxnet-zero-victims/.
xiiiJim Urquhart, “World Nuclear Facilities Vulnerable to Cyber-Attack – UN Agency,” Russia Today, June 2, 2015, accessed June 5, 2015,http://rt.com/news/264069-united-nations-cyber-nuclear/.
xivSergei Karpukhin “Cyber threats increase, new international net cops needed – Kaspersky to RT,” Russia Today, January 24, 2015, accessed June 5, 2015, http://rt.com/news/225951-cybercrime-international-police-kaspersky/.
xvFranz-Stefan Gady, “Could Cyber Attacks Lead to Nuclear War?,” The Diplomat, May 4, 2015, accessed June 5, 2015, http://thediplomat.com/2015/05/could-cyber-attacks-lead-to-nuclear-war/.
xvi“US Stuxnet leak investigation stalls amid Israeli concerns,” Start-Up Israel, March 12, 2015, accessed June 5, 2015, http://www.timesofisrael.com/us-stuxnet-leak-investigation-stalls-amid-israeli-concerns/.
xviiKathryn Sparks, “Europe’s Dependence On Russian Energy: Deeper Than You Think,” The Atlantic Council, April 27, 2014, accessed June 5, 2015, http://www.atlanticcouncil.org/blogs/new-atlanticist/eastern-europe-s-russian-energy-dependence-deeper-than-you-think.
xviii“Nuclear Power in the European Union,” World Nuclear Association, last modified May 22, 2015, accessed June 5, 2015, http://www.world-nuclear.org/info/Country-Profiles/Others/European-Union/.
xixEric Filiol and Robert Adrien Erra, Proceedings of the 11th European Conference On Information Warfare and Security(Reading, UK: Academic Conferences Ltd., 2012), 46-47.
xxEneken Tikk, Kadri Kaska, and Liis Vihul, International Cyber Incidents: Legal Considerations (Tallinn, Estonia: NATO CCDCOE, 2010), 18-20.
xxiPaul J. Springer, Cyber Warfare: A Reference Handbook (Santa Barbara, CA: ABC-CLIO, 2015), 212.
xxiv“Parameters for a Joint Comprehensive Plan of Action regarding the Islamic Republic of Iran’s Nuclear Program,” WhiteHouse.Gov, April 2, 2015, accessed June 12, 2015, https://www.whitehouse.gov/sites/default/files/docs/parametersforajointcomprehenisveplanofaction.pdf.
xxviSee Langner 12, 15; Filiol and Erra 46-47; and Tikk, Koska and Vihul 18-20.
xxviiColin S. Gray, The Implications of Preemptive and Preventive War Doctrines: A Reconsideration (Washington, DC: Strategic Studies Institute, 2007), v.
xxviiiGady – Diplomat
xxixJason Koebler, “U.S. Nukes Face Up to 10 Million Cyber Attacks Daily,” U.S. News, March 20, 2012, accessed June 16, 2015, http://www.usnews.com/news/articles/2012/03/20/us-nukes-face-up-to-10-million-cyber-attacks-daily.
xxxRuss Wellen, “Cyberwar and Nuclear War: The Most Dangerous of All Conflations,” Foreign Policy in Focus, July 16, 2013, accessed June 16, 2015, http://fpif.org/cyberwar-and-nuclear-war-the-most-dangerous-of-all-conflations/.
xxxiiElbridge Colby, “Cyberwar and the Nuclear Option,” The National Interest, June 24, 2013, accessed June 16, 2015,h ttp://nationalinterest.org/commentary/cyberwar-the-nuclear-option-8638.
xxxviTimothy Farnsworth, “Is There a Place for Nuclear Deterrence in Cyberspace?,” Arms Control Now, May 30, 2013, accessed June 16, 2015, http://armscontrolnow.org/2013/05/30/is-there-a-place-for-nuclear-deterrence-in-cyberspace/.
xxxviiMasters, Ph.D – The Effects of Nuclear War