The US Military's lack of cybersecurity precautions nearly led to a global nuclear disaster

 by Eli Greenberg

   From the investigative website Bellingcat, US servicemen that are being held accountable for guarding nuclear weapons in Europe utilized popular education websites to make flashcards. This resulted in disclosing their exact locations and top-secret security processes.

   The military created digital flashcard sets on apps like Chegg Prep, Quizlet, and Cram to make themselves more familiar with topics like which bunkers in various places held “hot” vaults with live nuclear bombs, security patrol schedules, and identification badge data.

   “By simply searching online for phrases publicly known to be related with nuclear weapons, Bellingcat was able to uncover cards used by military personnel stationed at all six European military bases alleged to hold nuclear devices,” stated Bellingcat’s Foeke Postma.

   On Chegg, they have a set of 70 flashcards named “Study!” that explained and described in detail the exact locations of nuclear weapons shelters at Volkel Air Base in the Netherlands.

   “How many WS3 vaults are there on Volkel ab,” one virtual flashcards question asked.

   On the answer side, it said “11.”

   While six of the eleven vaults were “cold” with nuclear weapons, the remaining five of the eleven vaults were “hot”. This information was specified from some other cards in the same decks as to which vaults were “hot” and cold”. 

   On the Cram flashcard site, a set of 80 cards described the “hot” and “cold” vaults at Aviano Air Base in Italy, in addition to that it describes how a soldier should activate them based on the changing levels of alarms received.

   Some secrets were revealed at bases in Turkey, Belgium, and Germany due to other cards. Some bases supplied the locations of surveillance cameras, while others revealed the secret “duress words” that a soldier, possibly kidnapped, would say over the phone to notify he had been kidnapped.

   The flashcards that were uncovered by Bellingcat were publicly available as early as 2013, and some were still being used as recently as a couple of months back, in April 2021.

   After contacting NATO and the US military for comment before the publishing of its article, Bellingcat revealed those it had seen appeared to have been erased or deleted.

   It is Digital Edge’s vision that using an online system can be very risky. To consider the risks of using an online system, the following three things are what every organization has to follow when using an online public system:

  • analyze risks
  • review disclosure policies and cybersecurity practices of the provider
  • handling policies and practices  

   When using public systems like those aforementioned and AWS (where there is shared responsibility but sole liability), clients need to be vigilant to protect themselves from any possible breaches that may occur.  

Was this article helpful?