Andrew Futter. Hacking the Bomb: Cyber Threats and Nuclear Weapons. Washington, DC: Georgetown University Press, 2018. xiii + 197 pp. $29.95 (paper), ISBN 978-1-62616-565-6.
Reviewed by Paul Springer (Air University, Air Command and Staff College)
Published on H-War (June, 2020)
Commissioned by Margaret Sankey (Air University)
Andrew Futter’s Hacking the Bomb has a lot of fascinating concepts but is hindered by the author’s inability to verify some of his arguments and suppositions due to the classified nature of the subjects he is investigating. Quite frankly, there is nothing more classified and secured than national nuclear enterprises—even materials from seven decades ago are tightly controlled. The design concepts of the Manhattan Project are still under close hold, although the broad principles of the first atomic weapons are well known. Due to this secrecy, the public has a very distorted concept of how nuclear weapons operate, and whether they might be vulnerable to outside influence, including through the cyber domain. Likewise, the most nation’s cyber capabilities are classified at the highest levels. As an employee of the federal government, I will do nothing in this review to illustrate the areas in which Fuller may or may not be accurate in his assumptions and deductions, save to note that they are, by definition, based upon information he can access, which is extremely limited within these two domains. Unfortunately, the author is not immune to some of the Hollywood fantasies about how nuclear weapons work, such as his assumption that a few keystrokes can retarget an intercontinental ballistic missile, or, for that matter, that somehow locking operators out of controlling such a missile would make prevention of a launch impossible. There are a lot of mechanical means to prevent a launch, such as jamming the launch doors or physically damaging a missile from within its silo. Assuming that the missiles are so easily compromised tends to inject a level of fear into the work that is not merited by the facts.
Although WikiLeaks has released a trove of cyber information, including substantial amounts of classified material ostensibly from the United States, there has been no comparable compromise of current nuclear data—making the arguments in this work somewhat difficult to evaluate. Given the difficulty of obtaining nuclear weapons without substantial external assistance, even at the relatively primitive levels of the 1940s and early 1950s, it seems that this approach to nuclear information security has been overwhelmingly successful for several decades. The creation of nuclear weapons is not something that relatively impoverished or technologically backwards societies can accomplish, at least without making ruinous sacrifices in major sectors of the national endeavors.
Futter presents two key arguments. The first is that cyber warfare is fundamentally altering every aspect of nuclear weapons, including their development, utilization, and control. Second, he argues that there needs to be an international norm that hacking any aspect of nuclear weapons is off-limits, as it is too dangerous to be acceptable. Futter notes that while nuclear and cyber enterprises are vastly different, it would be foolish to treat either in a vacuum, and they are becoming more intertwined, especially in the face of nuclear modernization programs.
Chapter 1 opens with a very effective discussion of the term “cyber” and all of its related derivatives. It is concise, informative, and demonstrates a mastery of the underlying concepts. Futter writes in a fashion that is accessible to the educated layperson with little background in cyber, while still providing substantial concepts for experts to consider. His next chapter focuses upon the vulnerability of nuclear systems. Unfortunately, this is where many of the suppositions of the work commence—the author assumes a lot of vulnerabilities within nuclear command and control systems, but how many unauthorized uses of nuclear weapons have ever occurred? Nations have a massive incentive to secure their nuclear arsenals and they behave accordingly, but Futter suggests a lot of vulnerabilities without being able to point to any of them in the real world. By remaining entirely hypothetical, his is a much tougher argument to present—but it is his only real option here due to the classification issues illustrated above. The result is a lot of “could, might, and will probably at some point” argumentation, but he provides little credit for the fact that redundancies in the system have allowed for the unforeseen, such as false detections of enemy missile launches, to not result in nuclear attacks.
In chapter 3, Futter turns to nuclear espionage and the growing threat of cyber attacks to facilitate such snooping. Here, Futter does an excellent job of illustrating the potential utility of cyber espionage for learning about another state’s technology, capabilities, and intentions. While the cyber domain facilitates the transfer of enormous volumes of data, it also makes it harder to be certain that data is untampered. Nuclear espionage has occurred at least since the 1940s—cyber is simply the latest mechanism for it. Also, the norms of espionage put the onus on the defender, not the aggressor—espionage, even against allies, is considered a normal nation-state behavior, and most nations are on both sides of espionage campaigns without spy-catching triggering escalations to acts of war. Futter provides a wonderful overview of nuclear espionage, particularly of the past four decades—a fact that makes this work a very attractive option for adoption in a wide variety of courses for undergraduates and graduates alike.
Chapter 4 investigates the question of whether nuclear devices might be triggered or negated through cyber attacks. It discusses conventional uses of cyber attacks to support or replace kinetic strikes and does a nice job of illustrating Operation Orchard (the Israeli attack against a Syrian nuclear reactor in 2007). It also effectively analyzes Stuxnet, but in both cases, there was no use of nuclear weapons, nor did either operation target them. While both targets were a necessary step in the creation of nuclear weapons, in each case, the victim state had not completed the process and successfully detonated a nuclear device, assuming that was ever their goal. Futter also discusses cyber attacks against US infrastructure targets, such as the Aurora Generator Test. Although that test was alarming, as it demonstrated that under controlled conditions a cyber attack might destroy a generator and trigger a cascade of power failures, it was conducted under optimal conditions. In other words, the Aurora Generator Test involved an aggressor, but no defenders—there were no active attempts to “fight back” and thus the attack was moderately successful. Assuming that nuclear arsenals are similarly configured to electrical generator stations, and not continually monitored against intrusions from unauthorized sources, has all the hallmarks of a straw man argument.
Chapter 5 conceptualizes nuclear and cyber enterprises as akin because each represent strategic-level threats. However, it seems to miss the concept that almost all cyber effect (though not all) can be turned off or reversed, which is certainly not true of a nuclear detonation. Futter sees a punishment strategy as a viable deterrent—but there is little evidence for such a position. The author might benefit by studying Robert Pape’s Bombing to Win (1996), which presents a cogent argument regarding the differences between punishment and denial campaigns, and which could be adapted to cyber discussions with little effort. Chapter 6 consists primarily of a litany of cyber attacks, real and rumored, possibly launched by a variety of actors. But which of these was strategic in nature? Which of these produced a catastrophic effect, or offered even the theoretical potential to do so? The chapter has too little cohesion and seems more determined to evoke fear than illustrate one of the fundamental concepts of the work. Futter concludes the chapter with a suggestion that new capabilities may push nations away from retaliatory deterrence and into “preemptive deterrence based on denial,” which appears to be an oxymoron—how is this deterrence, in any useful definition of the word? After all, by definition, engaging in conflict in a preemptive fashion illustrates the failure of deterrence.
Chapter 7, which is arguably the strongest chapter devoted to linking nuclear and cyber enterprises, focuses upon nuclear arsenal modernization efforts and the potential challenges they might present. Upgrading nuclear weapons tends to include complicating their systems, and in Futter’s view, this means more opportunities to create errors in their design. However, an analogous comparison might be made to modern aircraft—the industry and its component parts are more complex than ever before (and more numerous) and yet, the safety margins have, if anything, improved with time. Yet, for all of the safeguards and precautions of the airline industry, it is not remotely in the same class as the nuclear enterprise regarding security efforts.
In the end, Futter’s book reminds us that the world needs norms, for cyber activities in general and for the nuclear-cyber relationship in particular. Futter thinks civilian targets for nuclear weapons should be off the table (although they definitely are not in the current period)—but this might be impossible in the cyber domain, where attacks can go awry and discriminating between military and civilian targets is often impossible. In Futter’s view, all nuclear states need to harden their nuclear facilities and weapons against cyber attacks, plus build time into the nuclear decision process. The former is an obvious statement (which has no doubt already occurred to those tasked with nuclear security) while the former is a more difficult argument, in that it might open a nuclear arsenal to a decapitation strike from an enemy. Futter suggests that a delay of twenty-four hours or longer from command to launch would serve to reduce or eliminate the chances of a computer hack triggering a launch. This reviewer would argue that Futter is giving way too much credence to nonstate cyber actors, who thus far have demonstrated little capability to penetrate state-level enterprises. This is particularly true of nonstate cyber attackers who might possess the motivation to conduct such an operation—there is simply no evidence that they have even remotely the capacity to penetrate and control nuclear weapons through the cyber domain.
Overall, Futter’s work is interesting and raises a lot of valuable questions. In particular, the strategic links between nuclear and cyber capabilities are worthy of investigation. While the work struggles at the tactical level, due to the classified nature of the concepts being discussed, it is still a useful addition to the shelves of any reader interested in nuclear and cyber enterprises, and is particularly recommended as a potential course adoption for any classes investigating twenty-first-century national security issues.
If there is additional discussion of this review, you may access it through the network, at: https://networks.h-net.org/h-war.
Citation:
Paul Springer. Review of Futter, Andrew, Hacking the Bomb: Cyber Threats and Nuclear Weapons.
H-War, H-Net Reviews.
June, 2020.
URL: http://www.h-net.org/reviews/showrev.php?id=53494
This work is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 United States License. |