Windows for Warships nears frontline service
The real blue screen of death
Customers like this aren't going to be very critical of even the most unimpressive kit. The RN will likely be very chuffed with its huge leap forward to Win2k, though many of Microsoft's civilian customers will be three operating systems down the road by the time the Type 45s join the fleet.
So reliability, usability and maintainability may not be an issue, at least not for these benighted end-users. But what about security? An enemy will find it difficult to exploit a brief, random system crash aboard a warship, as he won't be able to predict it. But downtime caused by malware could well be predictable and/or persistent, giving all sorts of openings to the opposition. Worse, malware can do more than knock systems down. It can extract information and potentially send it elsewhere. It can insert spoof data. Worst of all, it could potentially take control of hardware directly, raising the spectre of weapons being fired to the direction of an evilly-disposed black hat.
The nuclear-armed Vanguard-class boats, perhaps naturally, tend to cause the most worry in this context:
"Of more concern to Windows detractors than the fitting of Type 45s was the news from AMS [that] it was conducting early development work for retrofitting [Win2k] to the Royal Navy's Vanguard-class submarines," Richard Smedley said in LXF(pdf).
Paradoxically, perhaps, this is not true. The V-boats are actually one of the less bothersome cases. To be sure, bot-controlled nukes would be bad news, but it isn't really possible. Submarine warfare in general and deterrent patrols in particular aren't a worrying environment for network security. Nuclear-propelled submarines – especially Trident ones – spend almost all their sea time underwater.
The standard UK means of communication with a submerged boat is VLF radio from a single massively secure shore transmitter. It is shore-to-ship only, and extremely low bandwidth (say 300 baud). Even this vanishingly thin, one-way, inaccessible pipe isn't always there, and it isn't directly connected to the sub's command system anyhow.
Of course, there are other ways than networks for malware to arrive, but the command system of a V-boat isn't going to have USB slots or optical drives. Furthermore, nobody has ever gained unauthorised access to the interior of an ICBM sub. Peaceniks with time on their hands have reached the outer casing, though the boat in question was unarmed and de-fuelled at the time. People more dangerous than the disarmament hippies have never yet bothered with such capers, perhaps because one can't achieve much once inside.
Even bearing all this in mind, it is still possible that a V-boat might one day suffer from malware in its command system. However, the command system never gets any control over the nukes unless the prime minister has decided to launch them. One-time-pad messages have to be sent and read by live people, physical keys have to be turned by human hands. There are many chances to abort. There isn't any rush or hurry - that's the whole point of sub-launched nukes, after all. You don't need to sweat about an incoming counter-force strike, you don't need to get your shot off first. Submarine strategic weapons are not a time-critical application.
Against all odds
And remember, this is already a highly disastrous, very statistically rare event we're discussing. Somebody's getting nuked here by UK weapons designed and intended for second-strike use, which suggests that a lot of Reg readers are already dead. Frankly, a slim chance of technical delays to the retribution doesn't seem worth losing sleep over. If somebody needs nuking, they'll get nuked sooner or later.
Even supposing there's a noticeable risk of the submarine's weapons being permanently disabled, it still doesn't matter. If the UK is launching its nukes at all, they've already failed to achieve their purpose. Far from needing five-nines reliability, a strategic deterrent only really requires, say, 90 per cent assurance that it will function. That's quite enough to deter anyone who can be deterred. You'd need to be a very odd enemy to say: "What's that? The UK's nukes have only 90 per cent reliability due to running on Windows? Well let's attack Blighty then. A one-in-ten chance of not being vapourised by the response sounds good to me."
In theory, an unbelievably puissant black hat in the pay of Dark Forces might manage to write specialist malware that could reliably direct or sabotage the weapons rather than just crash the system. This code could perhaps fire our Tridents at the UK, or an ally, or relatively harmlessly into the sea – without the sub's crew noticing and aborting the launch. Somehow, this uber-malware might be introduced into a V-boat command system and survive undetected until the government decided to nuke someone and the weapons releases were unlocked. A nuclear-armed enemy might be so entirely confident of all this that he might seize the chance to wipe out Britain, happy in the knowledge that there would be no response.
We're starting to search really hard for things to panic about here. It would make more sense to worry about a rogue sub crew – or, likelier, a rogue prime minister. Anyway, an agency with the resources for such an attack would be equally capable of doing it to a Linux box.
So the presence of Windows in the Trident boats isn't of great concern. However – again for hardware reasons – it is reasonable to be worried about the Type 45 destroyers, despite the lesser power of their weapons.
This is because the Type 45s are air-defence ships. They are intended to shoot down incoming ship-killer missiles such as the Russian Moskit, known to NATO as "Sunburn". A Sunburn flies low above the waves, so it doesn't appear over the horizon until it's quite near the defending destroyer. The entire design of the Type 45 is devoted to getting its fire-control radar as high above the waterline as possible in order to see the missiles further off, but even so it is only 30 metres up.
A radar is a heavy object, and putting heavy stuff high up in a ship tends to make it capsize. Thus, a Type 45 can't expect to acquire a sea-skimmer at ranges much greater than 20 miles. The Sunburn is better than Mach 2, and can hit the destroyer perhaps 30 seconds after appearing on radar – and that's game over for 200 British sailors.
This means the Type 45's combat system needs to go from acquisition to kill in well under 30 seconds – we don't want supersonic debris pelting the ship. During that time an Aster counter-missile must launch vertically from its silo, tip over, accelerate to Mach 3-plus, and bullseye the Sunburn head-on at a closing speed in excess of Mach 5. There is no margin whatsoever for a bored human being to spill his tea, assess what's happening, and decide whether or not to approve weapons launch. This really is a time-critical application.
Sponsored: Data Loss Prevention & Data Theft Prevention