Nuclear Defense and Control Systems (NC3) Threatened Through Advancing Technology Within Cyber Operations

By Hunter Karr

It is no secret that cyber is the world’s newest battlefield, however, the cyber attacks the United States has been subjected to so far are do not even scratch the surface of what is possible: nuclear systems can become targets. One of the most concerning possibilities in today’s cyber warfare is that nuclear command, control, and communication (NC3) systems, and other nuclear-related systems, could be the target of a coordinated cyber-attack.  That these cyber-attacks could come from weaker states and lead to global escalation makes the prospect all the more troubling. 

In cyber warfare, weaker states have the potential to cause harm to more powerful nations in a way impossible in traditional warfare. It should come as no surprise that we are seeing an intensification of these cyber programs, making the possibility of weaker states seeking to cripple the United States’ nuclear defense systems a credible threat. An attack on NC3 systems could result in a dangerous escalation of nuclear threats across the globe and could have catastrophic consequences. 

Nuclear command, control, and communication (NC3) systems are operational at all times, transmitting orders from the President that communicate with bombers, ballistic submarines, and intercontinental ballistic missiles dispersed across the United States. These systems are critical to ensure crisis stability, deter attacks against the U.S. and its allies, and to maintain the safety, security, and effectiveness of the U.S. nuclear deterrent. While there have not been any clear attempts of a cyber-attack with the intent of taking control of NC3 systems, the potential threat presents a major risk to national security. 

That our present-day NC3 systems are digital leaves them open to cyber vulnerabilities, which the Department of Defense (DOD) has identified as a threat. The introduction of malware into the NC3 systems could either cause a shutdown of the system or, worse yet, give a malicious actor control over the system.  That second possibility amplifies the tensions present and make it difficult to maintain the effectiveness of a nuclear deterrent. Potential consequences include the possibility of a miscalculated nuclear attack or response, a possible false warning of a nuclear attack, the risk of unauthorized use, and the reduction of confidence in nuclear deterrence. Because of the high risk this poses to a state’s NC3 system, it is hard to overstate how important it is that these cyber vulnerabilities are quickly addressed to ensure that confidence in NC3 systems is maintained.

Cyberspace is often used to gain advantage over enemies, whether it is through cyber espionage campaigns, coordinated cyber-attacks on private industries, or major attacks on critical infrastructure. A weaker state launching a cyber-attack against a stronger state, such as the United States, is certainly within the realm of possibility. If a weaker state were able to deny access to, or take control of, a stronger state’s NC3 systems through a coordinated cyber-attack, there could be devastating results, the worst being all out nuclear war. Currently, two weaker states that present this concern to the United States are Iran and North Korea. 

Within the past decade, the Iranian cyber program has undergone significant improvement. They have been accused of multiple different cyber-attacks against the United States, as well as actors within their own region. These attacks showcased Iran’s cyber capabilities and underscored that Iran is not afraid to launch major cyber-attacks against the United States and other powerful entities. Iran recently entered into a cyber agreement with Russia, which includes a new emphasis on training and cooperation between these two countries. This agreement, coupled with Iran’s continuous development of its own cyber capabilities, makes Iran a critical cyber threat to the United States; this threat is exacerbated by the high tensions between our two states.

There have also been multiple reports stating that North Korean hackers present a more tangible threat than their nuclear missiles. The premise is that their hackers are at work every day infiltrating and stealing information from various systems. North Korean hackers and cyber organizations have been tied to multiple attacks within this past decade. These attacks have demonstrated the expertise of their organizations and a willingness to attack high-profile targets such as Sony, Microsoft, and other major establishments. North Korean hackers have been recognized as some of the best in the world at finding and exploiting vulnerabilities within a system. The assertions regarding North Korea, in addition to their immense history of cyber-attacks, make North Korea a constant threat in cyberspace. Tensions between our two countries amplifies this threat.

Unfortunately, the cyber threat presented by Iran and North Korea has become more realistic and tangible over the past decade. Their capabilities are becoming increasingly complex, and they are emboldened to attack high-profile targets to showcase their abilities. These two countries, although historically considered weak in comparison to the United States, present a major concern to U.S. systems, including U.S. NC3 systems, because of their advanced cyber capabilities and their ability to gain major advantages through a coordinated cyber operation against these systems.

Is An Attack On Nuclear Systems Realistic?

Some would argue, an attack against NC3 systems is not likely because weaker states wouldn’t risk the retaliation ensuing from attacking another state’s nuclear command, control, and communication system. The low probability of this happening is outweighed by the immensely high potential cost if a cyber-attack like this were to happen and, therefore, must be treated as a tangible threat to national security. Within cyberspace, and cyber operations specifically, there are many ways to mask an attack. This makes attribution of cyber-attacks highly difficult. Knowing they may be able to cloak their identity makes states and cyber organizations more willing to launch attacks against higher profile targets. 

We already know the above is a real possibility because we have seen a highly coordinated attack against a nuclear system more than a decade ago. Stuxnet is a malicious computer worm that allowed control over aspects of a nuclear system, which is believed to have caused substantial damage to Iran’s nuclear program in 2010. This computer worm is really a cyber weapon understood to have been built by the United States and Israel. This cyber weapon was designed to manipulate aspects of Iran’s nuclear systems through controlling critical components of the system, as well as spreading the virus across the system, over a period of time. The result would be havoc on the entire nuclear system. Stuxnet consequently crippled Iran’s emerging nuclear program, which was the goal of the United States and Israel, who perpetrated the attack. 

The unlikelihood of a coordinated cyber-attack against NC3 systems still remains a strong argument. However, the example of Stuxnet proves that attacks against nuclear systems are not only possible, but can be highly successful with destructive outcomes. Because that possibility exists, the United States must do everything in its power to avoid a situation similar to Stuxnet. 

With technology continually advancing within cyber operations and cyber-attacks increasing across the world, the critical threats presented to NC3 systems will most likely increase. It is urgent for states to address vulnerabilities within their systems. We must acknowledge that weaker states, such as Iran or North Korea, will continue to advance their cyber capabilities to try and gain an advantage. While a cyber-attack such as this may seem to have a low probability of occurring today, that may not always be the case. An attack on NC3 systems poses such an extremely high risk to the national security of the United States, that it is imperative to address the vulnerabilities present within the U.S. NC3 systems and harden our defenses.

Works Cited:

Iran and Cyber power. (2021, February 10). Retrieved February 12, 2021.

The Iran-Russia Cyber agreement and U.S. strategy in the Middle East. (n.d.). Retrieved April 28, 2021.

Larsen, M. (2021, March 15). While North KOREAN Missiles sit in Storage, their hackers go rampant. Retrieved April 28, 2021. 

Nuclear Command, Control, and Communications (NC3) Modernization. (2020, December 8). Retrieved April 28, 2021.

Zetter, K. (n.d.). An unprecedented look At Stuxnet, the world's first DIGITAL WEAPON. Retrieved April 28, 2021.