We often hear about cyberattacks, cyber operations, and malware infections that target computer systems or smartphones. Attacks against civilian infrastructure facilities such as hospitals, water sanitation systems, and the energy sector similarly get a lot of airtime. But there is another type of high stakes system that gets much less attention: weapons systems. These include guided missiles, missile, and anti-missile systems, tanks, fighter jets, and more—all of which are computerized and possibly networked. We can imagine that weapons systems contain security vulnerabilities similar to most other information systems, including serious ones.
A malicious adversary taking over the control of deadly weapons capable of kinetic destruction may sound like a political fiction plot begging to be overhyped. But today, computerized weapons systems control the defense pillars of many countries. And though information on these systems is highly secretive, there is one thing we do know: While accessing such systems is not easy, they almost certainly contain vulnerabilities. My experience indicates that there is no reason to think otherwise. And such a possibility constitutes a potential risk to the world’s security and stability.
The consequences of such hacking operations could be dire. Control over these weapons systems is an integral state prerogative, and any external interference with them could be interpreted as interference in the internal state matters, leading to retaliation. No country would simply allow adversaries to peek inside the matters restricted to state control, such as the oversight of the army. Fortunately, actually pulling this off is far from simple.
Conducting a cyberattack of this kind would require not only hostile intentions, but also the existence of security vulnerabilities in the controlling systems. In order to exploit such bugs, the attacker would also need access to that system, which is not easy to obtain. But these obstacles are not impenetrable.
We should hope that such cyber risks remain low. In order to ensure that they do, the number and severity of these vulnerabilities must be controlled. The world’s militaries and governments must create a management process for the discovery of vulnerabilities—one that encourages finding them, establishes a system for fixing them, possibly even shares the information with allies, and generally works toward attaining stability. Similarly, the opportunity to exploit any weaknesses should be tightly guarded, typically by allowing access only from the internal networks, which malicious actors would be unable to reach.
Hopefully, the world’s militaries are already, in fact, looking for these vulnerabilities. But if they have found them in the past, the information about such findings has rarely been disclosed in the public. This sphere is permeated with silence. The public tidbits come from the rare reports or occasions of remarkable transparency. Such reports are a litmus test, confirming suspicions of vulnerable weapons systems. For example, the 2018 US Government Accountability Office report includes a remark about the routine identification of “mission-critical cyber vulnerabilities that adversaries could compromise,” including the ability to take full control over the tested systems, in some cases. It goes on to explain that these vulnerabilities pose unique threats to large, interdependent systems, also because updating or replacing just one part is far from simple. According to the report, a “patch or software enhancement that causes problems in an email system is inconvenient, whereas one that affects an aircraft or missile system could be catastrophic.”
Fortunately, awareness of this issue does seem to exist in certain communities. In a 2021 declassified briefing, the US Department of Defense disclosed that cybersecurity risks had been identified in multiple systems, including a missile warning system, a tactical radio system, a guided missile, and the B-2 Spirit Bomber. While the details of the identified and fixed cybersecurity issues remain classified, we can reasonably conclude that these and other weapons systems contain serious weaknesses.
The (classified) results of the audit of a 16-year-old B-2 Spirit bomber, capable of carrying nuclear munitions, raises similar concerns. Technical details of the report are not available to the public, but what we can see allows us to reasonably conclude that serious cybersecurity vulnerabilities exist in weapons systems, including those that would let the potential adversary take control over a system. This is likely because the maintenance of such old legacy systems is always a cybersecurity challenge, whether it’s obsolete systems used in hospitals, or weapons systems used by the world’s militaries. Fortunately, in the process of updating them, some issues are detected and corrected. But the phenomenon of cybersecurity risks in existing weapons systems is real. And this is true not only of the weapons systems employed by the US, but likely also of virtually every other weapons system employed by any other country.