Retired General James Cartwright, who was in charge of the entire nuclear arsenal of the United States, once said, “You’ve either been hacked and (are) not admitting it or you’re being hacked and don’t know it.”
Worldview’s Jerome McDonnell discussed the threat of cyber attacks on nuclear weaponry with Paul Carroll, director of programs at the Ploughshares Fund, a foundation that supports initiatives that prevent the spread of nuclear weapons.
Paul Carroll: Absolutely. There’s at least three real problems here. For anyone out there who’s a parent or maybe even an aunt or an uncle, the first problem is the, “Do what I say, not what I do” problem. That is, the United States — there seems to be very strong evidence particularly with the case of Iran and the Stuxnet virus. … This seems like a fairly strong consensus that Israel and the United States were very successful in creating sort of a super-worm aimed very specifically at Iran’s uranium enrichment facilities and it caused them to spin out of control and literally break apart. So if the United States does it, doesn’t that legitimize it? Doesn’t that mean anyone can do it? This is fair game now. It’s very unclear whether that’s a world we want to go into.
The second issue is it’s not just nation-states that would be perpetrators or the targets. North Korea is credited or blamed with a very famous hacking incident on the Sony corporation. That is not a state entity, but the United States rose to its defense. So again you have this almost sci-fi world where it wasn’t NORAD or the Pentagon that was hacked by North Korea, it was Sony Entertainment, not even a U.S. company — a Japanese company — but look at the reaction and the response. So I go back to my earlier point: the technology and the sophistication is well-beyond the discussion about how do we govern.
And the third thing I will say is we’re also blending 21st century threats and technologies with a 20th century risk, which is nuclear weapons. It’s almost like you’re going back to the days of a gatling gun coming on the scene, and maybe a drunken colonel who’s in charge of it. You’re mixing the hangover or the leftovers of the Cold War that are incredibly devastating and powerful, and they were created and designed in a world when cyberthreats didn’t exist. So that intersection is very frightening and unknown.
McDonnell: It seems like one of the things Bruce Blair suggested in his New York Times piece was to take our weapons off hair-trigger alert, which would be one thing to do for more safety.
Carroll: Absolutely, the hacking threat is complicated. There’s several fronts. You could have a War Games-movie-type scenario where someone hacks and says, “Watch this, I’m going to launch that country’s weapons.” I wouldn’t say that’s impossible but that’s a less likely scenario. Other scenarios that may be more likely are just sort of creating confusion. A hacker might create some type of confusion whether it’s in the nuclear command and control system or even elsewhere that causes uncertainty, and causes say, the president, or naval commanders to say, “Wow, I wonder if we’re under attack?” De-alerting our forces would greatly reduce the risks that something happens by accident or by miscalculation. It’s as though in an old western, you have a six-shooter and it’s cocked and ready to go, and you hear a bang. Well, was that someone shooting at you? Or was that just a mining explosion in the distance? If you’re not cocked and ready to go, you’re not as much at risk. And so that recommendation of de-alerting is not only as relevant for cyber-security, but it’s relevant for a whole host of other scenarios where there could be confusion or miscalculation.
This interview has been edited for brevity and clarity. Click the ‘play’ button to listen to the entire interview.