WASHINGTON: The head of Strategic Command testified to Congress today that the US nuclear command, control and communications network is well protected against cyber attack, but he added that more investment is needed in the long term.
“Fundamentally, I am confident in our NC3 cyber-resiliency,” Adm. Charles Richard told the Senate Armed Services Committee (SASC) today during a joint hearing with Space Command head Gen. James Dickinson. “It exists in relative isolation. It has tremendous redundancy. It gets the best intelligence.”
Richard noted in his written remarks for the hearing that STRATCOM already is “taking actions to enhance cyber resiliency for systems under development,” but added that cybersecurity needs to be “a prioritized investment to ensure ongoing modernization initiatives remain operationally relevant.”
STRATCOM is in the midst of a sweeping modernization of NC3, called NC3 Next, as part of its larger modernization plans for the US nuclear force structure.
Indeed, Richard told senators at the SASC hearing, “the number one thing I need to do” to have the same level of confidence in the future is “to modernize” the NC3 system. “I have to get it out of legacy modes of operation in order to pace this threat going in the future.”
Congress has been worried about the security and resilience of the NC3 network, which links the president to commanders of nuclear forces, for some time. Those worries have only been exacerbated by recent events such as the massive Russian SolarWinds hack. The 2021 National Defense Authorization Act ordered STRATCOM to provide a detailed annual report, starting this year, on the state of NC3 cyber protection.
That report is due in October, and a SASC source confirmed today that it has yet to be submitted by STRATCOM.
Richard and other STRATCOM officials have repeatedly said that cybersecurity is being worked into its sprawling effort to upgrade the NC3 network not as an afterthought, but as an upfront requirement as new software and hardware are being designed.
The NC3 Next modernization effort covers the radios and terminals embedded into some 62 different systems — from satellites such as the Advanced Extremely High Frequency (AEHF) for encrypted strategic communications to nuclear submarines to the E-4B National Airborne Operations Center (NAOC) aircraft known as the “Doomsday” planes to the B-52 bomber. (Richard, in fact, mentioned that upgrading the bomber’s NC3 capabilities is as crucial to the B-52’s future operations as the much more public engine competition that is expected to wrap up this year.)
Most of those systems are ancient in information technology years, with many dating back to the 1980s, the pre-Internet era.
Richard said in his written remarks to the SASC that the NC3 Next program, much of which is classified, has four main thrusts that are being undertaken on a rolling basis to ensure that the most up-to-date tech is being integrated:
“The first focuses on programs of record encompassing budget and acquisition lifecycle processes to deliver, modernize, and sustain future core capabilities. The second assesses demonstrations, experiments, and tests aimed at enhancing discovery and development of innovative technology approaches, to transform existing NC3 programs and operations. The third reviews and revises policies, postures, Tactics, Techniques and Procedures (TTPs) to streamline enterprise guidance and efficiently achieve operational outcomes. The fourth expands the use of critical technology enablers such as artificial intelligence, digital engineering, and modeling and simulation.”
At the same time, Richard explained, modernizing older systems can only go so far, particularly in the area of cybersecurity.
“If you try to life-extend a weapon system that was built before the invention of the Internet, and then turn around and ask me why it’s not cyber-secure — I don’t know how,” he said. “Fundamentally nothing lasts forever. And we eventually have to get new stuff.”