“Russian and US experts meet this month to assess terror tactics, from hacking into systems to seizing a weapon.” From The Christian Science Monitor, with thanks to EPG:
MOSCOW – Imagine this scenario: Computer hackers working for Al Qaeda break into Russia’s nuclear weapons network, and “spoof” the system into believing it is under attack, setting off a chain reaction, and a real nuclear counterattack.
Another doomsday possibility made headlines when Ayman al-Zawahiri, Osama bin Laden’s No. 2, was quoted last month boasting that Al Qaeda had already acquired “some suitcase bombs” – radioactive material packed with conventional explosives. Mr. Zawahiri said that anything was available for $30 million on the Central Asian black market or from disgruntled Soviet scientists. Russia immediately rejected the claim.
But such what-ifs are among the nuclear terrorism threats that analysts are reexamining, as the learning curve of terror groups today comes closer to intersecting the vulnerabilities of atomic arsenals.
A handful of Russian and American nuclear experts, both military and civilian, are quietly convening a first meeting in Moscow later this month, to launch a year-long modeling exercise to specify the new dangers.
“These are future threats, but we must be ready for them today,” says Pavel Zolotarev, a former major general in Russia’s Strategic Rocket Forces, which inherited the vast Soviet nuclear arsenal. “There should be no chance that wrong signals get into the system, to provoke a presidential decision [to launch].”
In the past, top priority in Russia has been protecting its stocks of bomb-grade nuclear material. The US has been spending roughly $1 billion per year to upgrade Russia’s nuclear security and dismantle warheads.
But experts are now looking at new terror tactics, from hacking to seizing a complete weapon.
“The threats are changing in the most radical way,” says Vladimir Dvorkin, a former rocket forces major general, who was head of development for the Russian Defense Ministry’s strategic forces, missile defense, and space systems until 2001.
Cyberwarfare meets 50s tech
Ironically, Russia’s older systems may be less vulnerable than US weaponry to the most cutting-edge threats, particularly cyberwarfare.
Russia’s strict centralized control system – a holdover from the Soviet era – makes it “harder, at some level, for terrorists to do something to break the safeguards and launch,” says Bruce Blair, a nuclear security expert and former Minuteman launch officer who heads the Center for Defense Information in Washington (CDI).
In contrast, the US Department of Defense infrastructure consists of over 2.1 million computers, with 10,000 local area networks, and 1,000 long-distance networks.
Danger from hackers
Hackers have been active against government networks, if targeted US systems are any gauge. Mi2g, a digital security analyst company based in London, found that 2003 yielded a “meteoric rise in electronic crime,” and that along with criminal scams, “extremist group activity” had risen by several hundred percent.
The sobering results of the still-classified work by a Pentagon “Commission on Nuclear Fail-Safe” – to which Mr. Blair testified about Soviet nuclear safeguards, inside a vault at the Pentagon around 1992 – point to US vulnerabilities that could also apply to Russian systems today. Investigators found an “electronic back door” into the US Navy’s system for broadcasting nuclear launch orders to Trident submarines.
“This deficiency allowed unauthorized hackers, which could be terrorists or high school mischief makers, to potentially insert a launch order and transmit it to the Trident,” Blair says. The gap was so serious that Navy launch order verifications had to be revised.
Indeed, few systems are safe. The US National Security Agency hired 35 hackers in 1997 to simulate a cyberterrorist attack. They were able to break into defense networks and shut down parts of the power grid and emergency services.
Such risks prompted the UN’s nuclear watchdog, the International Atomic Energy Agency, to hold a first meeting on the issue of vulnerable electronic systems in October 2002.
“We are aware of the problem and addressing it as part of our broader nuclear security,” says an IAEA official in Vienna. “It goes hand in hand with the ability of hackers to get into supposedly secure systems.”
Russia’s early warning and launch system is self-contained, however, and not connected in any way to the Internet or other outside portals, so it is widely deemed here to be secure. Like US nuclear command and control – some elements of which were built in the 1950s and 1960s – Russia relies on an antiquated system.
“It’s like having a first generation Mercedes Benz that no modern repair center can fix,” says Maxim Shingarkin, a former major in the 12th Main Directorate of Russia’s Defense Ministry, which protects the nuclear arsenal.
Even when military cables are laid alongside nonmilitary ones, exposing the system to outside access, terrorists could “take the signal, but could not generate it” without being detected, Maj. Shingarkin says.
‘Old scrap of metal’
A special project begun in the late 1990s took three years to get a modern computer to recognize and integrate information from “this old scrap of metal” that handles nuclear weapons systems, Shingarkin adds.
Even today, perforated punch cards are often used instead of normal computer passwords.
But Russia’s underpaid and poorly maintained military poses its own terror risks, says the CDI’s Blair. “There’s now the question of insider collusion, and if you have people on the inside sharing information about potential vulnerabilities, you quadruple the problem.”
$750,000 for a can of mercury
Tentative first signs of such collusion are already raising red flags, though making the link hasn’t been easy, says Matthew Bunn, a nuclear expert at Harvard’s Project on Managing the Atom.
“The connection between the guy in a position to steal, and Al Qaeda, is a pretty difficult step,” says Mr. Bunn. “It’s not like you can walk in wearing a white turban waving a million dollars around, and expect to get anywhere.”
Last year, however, a Russian businessman was found to have offered $750,000 for weapons-grade plutonium, and contacted scientists at a key Russian institute, Bunn says. They deceived him by selling him a canister of mercury.
The days of the “desperate insider” of the 1990s – when guards at nuclear sites left their posts to forage for food, or electricity to alarms and weapons systems was cut because bills had gone unpaid – are now giving way to the “greedy insider,” Bunn adds.
And what money can’t buy may be more easily acquired by force.
The US military has demonstrated this danger by staging successful mock terror attacks on American nuclear facilities that included setting off an improvised nuclear device within minutes on site. Secret Russian test exercises have also broken through security at nuclear sites.
Several terror-related events have been raising concern. In four incidents in 2001 and 2002, Chechens were caught scoping out two nuclear sites – so secret that even their location was supposed to be unknown – and two mobile missiles.
Chechen separatists have strong links with Al Qaeda, and have warned explicitly that they might take over a nuclear facility. Few doubt their chutzpah. Russians were shocked when 41 heavily armed Chechens seized a theater in downtown Moscow in October 2002 – a force that could easily overwhelm numerous remote nuclear sites, says Bunn.
“This is very worrisome,” says Bunn. “The basic assumption is that the intelligence services are so good, they’ll know [when intruders are] coming. [But] if they don’t know, they’re going to be in trouble.”
Security kits remain in boxes
Bureaucracy is blunting the effectiveness of US efforts to tighten Russian nuclear security. Just half of the 123 US-supplied kits for making quick-fix upgrades at secret sites have been installed, four years after delivery. They each include a half a mile of multilayer fencing and an array of intrusion detectors.
“A huge part of security for those sites is that nobody knows where they are,” Bunn says. “[The upgrade kits] are sitting on shelves, and terrorists apparently know where sites are. It’s unbelievable.”
Many Russian experts argue, though, that even if a terror group seized a nuclear weapon, they would not be able to use it. American and most Russian intercontinental ballistic missiles have various safeguards that can permanently disable a weapon if it is tampered with, or require an actual missile launch to arm the warhead.
“We can’t exclude terrorists seizing a missile, but that will be the end of this terrorist act, because they will not be capable of launching it – never,” says Dvorkin, who also discounts chances of an inside job. “There is not a single worker next to a nuclear weapon who is capable of giving this information, because the codes are only known to the highest command.”
However, Russia is believed to have around 3,400 live “tactical” nuclear weapons – such as mines and artillery shells, which are sometimes triggered only by radar or radio signals. US experts suspect that these weapons are often not protected by much more than padlocks.
Beyond James Bond
Still, the amount of foresight Al Qaeda displayed in the Sept. 11, 2001, attacks deepens fears of nuclear terror.
“It’s more complicated than slapping on an alarm clock and running a couple of wires, like James Bond,” says Jon Wolfsthal, a nuclear nonproliferation expert at the Carnegie Endowment for International Peace in Washington. “But we believe it’s within the capability of more sophisticated, well-financed groups, especially if they can get their hands on scientists or engineers with knowledge of these systems.”
Al Qaeda tops that short list.
“[Al Qaeda cells] are not very capable, technically, but they’re learning more and more, and this isn’t going to go away in one or two years,” says David Albright, a physicist who heads the Institute for Science and International Security in Washington. Searching for clues about the level of Al Qaeda nuclear expertise, he has examined troves of documents and videos uncovered in Afghanistan after the fall of the Taliban.
“They make a lot of mistakes, [but] they’re becoming more capable over time,” says Mr. Albright. Recruiting nuclear and computer experts could make the dangers surge.
“People have that capability, they may turn sympathetic to Al Qaeda, or be blackmailed by Al Qaeda,” Albright says. “You can’t build a defense on the premise that Al Qaeda can’t do it.”