The Cyber Offensive: WannaCry and Beyond
In civilian and military spheres alike, cyber technology has come to dominate the way we operate. Maintaining a grasp of what renders these systems vulnerable is of acute importance, whether for the security of emails or complex military weapons. It is in this lens that the scope of government activity, particularly in the civilian sphere, is changing to incorporate these systems into its broader security mandate. However, this task has proven to be far more challenging and ambiguous than previously conceived.
Offensive capabilities are not to be understood as the product of a lone hacker infiltrating a security system from a basement, but as specialised government programmes designed for use against a defined adversary. The Stuxnet virus in 2007 is the primary example of a state-developed offensive technology successfully penetrating an “air gapped” system (one fully independent from the internet and other public networks); however, the scope of state offensive technology goes beyond that.
The already infamous WannaCry attack in May 2017 infected 200,000 systems running Windows platforms older than Windows 10 that lacked the MS17-010 update, including the Russian Interior Ministry. The WannaCry virus was based on a design vigorously developed by the NSA that was stolen by a criminal organisation known as the Shadow Brokers. In 2015 a state-sponsored offensive cyber virus, code-named Project Sauron, infected air gapped systems via a USB insertion. It brought to light how stealthy and insidious cyber-attacks that operate in the background gathering information can be.
When it comes to Trident, the UK’s £205 billion nuclear continuous-at-sea deterrent, designed to be ready to attack any adversary at any given point in time, understanding and securing its cyber vulnerabilities should be a top imperative.
The prominent government position highlights Trident’s impermeability by virtue of being air gapped. Quite rightly, this dispels the notion that one could hack into the cyber components of the nuclear submarine while on patrol at sea. However, the key cyber vulnerabilities of Trident relate to different parts of the weapon system itself and may present challenges to the submarine’s stealth, the vessel’s internal functions, the control of the nuclear missiles and operational information secrecy. They centre around three main areas, discussed below: stationing, software and procurement.
The first vulnerability develops from the time each of the four Trident-armed submarines spends docked at the Faslane Naval Base in Scotland, which is up to 40% of its service life. Stationed here, the system is vulnerable to cyber-attack through the physical introduction of malware, which is often how air gapped systems are compromised. A breach of security became a legitimate concern in 2015 after an Engineer Technician Submariner for the UK’s Trident II D5 System warned that the poor safety procedures at the base and aboard the submarine itself left the system vulnerable to attack.
The second concern is that Trident currently operates on an outdated software design. As it was built almost thirty years ago, the Vanguard submarines use a Windows XP operating system. In 2004 the government said that continued use of Windows XP was credible because of Microsoft’s long-term product support; however, that support has since stopped. Moreover, it was precisely the lack of a Microsoft update on older Windows systems that left them susceptible to the EternalBlue exploit used by WannaCry.
The third weakness relates to the forthcoming procurement of the Dreadnought Class submarines. Due to be completed by the early 2030s, the new submarines are to replace the Vanguard Class submarines that have housed the Trident nuclear capability since the 1990s. Malware can be physically introduced into the system during the long procurement stage and lie dormant until activated by the adversary. One solution would be a tightly coordinated procurement process, with the Ministry of Defence itself overseeing the production of each component. This would help to minimise the risk of a malware introduction. However, BAE Systems, Rolls Royce, Babcock and other firms are all part of the construction process and will each take responsibility for the security of their stage of production. This distribution of procurement responsibilities adds to the vulnerabilities.
Given the importance of the UK’s £205 billion nuclear option and the archaic nature of cyber warfare, securing any vulnerabilities should be a top imperative. Despite assurances, Trident is vulnerable, and identifying its three key cyber vulnerabilities is the first step to addressing them. Special attention should be given to securing the nuclear naval base, developing a robust and bespoke operating system, and carefully monitoring the procurement already in place to replace Trident in 2030.
Aleem Datoo is co-Leader of Agora’s Defence & Security Programme.