The US Air Force has quietly replaced the infamous floppy disks it was using to manage the country’s nuclear arsenal with what sources described as a “highly-secure solid state digital storage solution.”
The switch reportedly took place in June this year, according to defense news site C4ISRNET, citing Lt. Col. Jason Rossi, commander of the Air Force’s 595th Strategic Communications Squadron.
Lt. Col. Rossi’s unit is in charge of maintaining the US Strategic Automated Command and Control System (SACCS).
SACCS is the communications system the US uses to relay messages and keep tabs on its nuclear capabilities, such as nuclear bombers, nuclear submarines, and nuclear depos housing intercontinental ballistic missiles.
The system was created in 1968 and has been running for nearly 50 years on top of an IBM Series/1 mainframe, using 8-inch floppy disks as its storage medium.
A CBS “60 Minutes” investigation that aired in the spring of 2014 brought this old but crucial piece of machinery to the limelight.
US government officials sought answers following the CBS investigation. A report by the US Government Accountability Office confirmed the CBS crew’s findings. The US Air Force told GAO they intended to update SACCS “by the end of fiscal year 2017.”
However, Lt. Col. Rossi told C4ISRNET that the modernization efforts won’t involve upgrading all of SACCS’ capabilities. The Air Force likes their antiquated systems as they are, mainly because they can’t be reached over normal internet-based protocols, keeping it away from nosey hackers.
“You can’t hack something that doesn’t have an IP address. It’s a very unique system – it is old and it is very good,” Lt. Col. Rossi told C4ISRNET. “I joke with people and say it’s the Air Force’s oldest IT system. But it’s the age that provides that security.”
However, SACCS is not faring much better than other US nuclear systems. Last year, the US Department of Defense Inspector General (DOD IG) found that the Missile Defense Agency (MDA) had very poor cyber-security practices, such as not using antivirus programs, not using encryption to secure sensitive data, not using multi-factor authentication solutions, and not patching software flaws, some of which were 28-years-old.