Professional Documents
Culture Documents
doi: 10.1093/cybsec/tyw017
Advance Access Publication Date: 14 February 2017
Research paper
Research paper
Thermonuclear cyberwar
Erik Gartzke1 and Jon R. Lindsay2,*
Abstract
Nuclear command and control increasingly relies on computing networks that might be vulnerable
to cyber attack. Yet nuclear deterrence and cyber operations have quite different political proper-
ties. For the most part, nuclear actors can openly advertise their weapons to signal the costs of
aggression to potential adversaries, thereby reducing the danger of misperception and war. Cyber
actors, in contrast, must typically hide their capabilities, as revelation allows adversaries to patch,
reconfigure, or otherwise neutralize the threat. Offensive cyber operations are better used than
threatened, while the opposite, fortunately, is true for nuclear weapons. When combined, the war-
fighting advantages of cyber operations become dangerous liabilities for nuclear deterrence.
Increased uncertainty about the nuclear/cyber balance of power raises the risk of miscalculation
during a brinksmanship crisis. We should expect strategic stability in nuclear dyads to be, in part, a
function of relative offensive and defensive cyber capacity. To reduce the risk of crisis miscalcula-
tion, states should improve rather than degrade mutual understanding of their nuclear deterrents.
Introduction weaker nations, terrorist cells, or even lone rogue operators to para-
In the 1983 movie WarGames, a teenager hacks into the North lyze vital infrastructure [4–8]. The other side argues that operational
American Air Defense Command (NORAD) and almost triggers difficulties and effective deterrence restrains the severity of cyber at-
World War III. After a screening of the film, President Ronald tack, while governments and cybersecurity firms have a pecuniary
Reagan allegedly asked his staff, “Could something like this really interest in exaggerating the threat [9–13]. Although we have con-
happen?” The Chairman of the Joint Chiefs of Staff replied, tributed to the skeptical side of this debate [14–16], the same stra-
“Mr. President, the problem is much worse than you think.” The tegic logic that leads us to view cyberwar as a limited political
National Security Agency (NSA) had been hacking Russian and instrument in most situations also leads us to view it as incredibly
Chinese communications for years, but the burgeoning personal destabilizing in rare situations. In a recent Israeli wargame of a re-
computer revolution was creating serious vulnerabilities for the gional scenario involving the United States and Russia, one partici-
United States too. Reagan directed a series of reviews that culmi- pant remarked on “how quickly localized cyber events can turn
nated in a classified national security decision directive (NSDD-145) dangerously kinetic when leaders are ill-prepared to deal in the
entitled “National Policy on Telecommunications and Automated cyber domain” [17]. Importantly, this sort of catalytic instability
Information Systems Security.” More alarmist studies, and potential arises not from the cyber domain itself but through its interaction
remedies, emerged in recent decades as technicians and policy- with forces and characteristics in other domains (land, sea, air, etc.).
makers came to appreciate the evolving threat [1–3]. Further, it arises only in situations where actors possess, and are
Cyber warfare is routinely overhyped as a new weapon of mass willing to use, robust traditional military forces to defend their
destruction, but when used in conjunction with actual weapons of interests.
mass destruction, severe, and underappreciated, dangers emerge. Classical deterrence theory developed to explain nuclear deter-
One side of a stylized debate about cybersecurity in international re- rence with nuclear weapons, but different types of weapons or com-
lations argues that offensive advantages in cyberspace empower binations of operations in different domains can have differential
effects on deterrence and defense [18, 19]. Nuclear weapons and used without authorization (to enhance safety and reassurance).
cyber operations are particularly complementary (i.e. nearly com- Friendly errors or enemy interference in NC3 can undermine the
plete opposites) with respect to their strategic characteristics. “always-never” criterion, weakening deterrence [31, 32].
Theorists and practitioners have stressed the unprecedented destruc- NC3 has long been recognized as the weakest link in the US nu-
tiveness of nuclear weapons in explaining how nuclear deterrence clear enterprise. According to a declassified official history, a
works, but it is equally, if not more, important for deterrence that Strategic Air Command (SAC) task group in 1979 “reported that
capabilities and intentions are clearly communicated. As quickly be- tactical warning and communications systems . . . were ‘fragile’ and
came apparent, public displays of their nuclear arsenals improved susceptible to electronic countermeasures, electromagnetic pulse,
deterrence. At the same time, disclosing details of a nation’s nuclear and sabotage, which could deny necessary warning and assessment
capabilities did not much degrade the ability to strike or retaliate, to the National Command Authorities” [33]. Two years later, the
given that defense against nuclear attack remains extremely difficult. Principal Deputy Under Secretary of Defense for Research and
Knowledge of nuclear capabilities is necessary to achieve a deterrent Engineering released a broad-based, multiservice report that
weak spots. A 2007 Air Force study addressed portions of this the internet, which then helped to create the present-day cybersecur-
issue for the ICBM leg of the U.S. triad but was still not a com- ity epidemic, which has come full circle to create new fears about
plete assessment against a high-tier threat. [41] NC3 vulnerability.
If NC3 vulnerabilities are unknown, it is also unknown whether an NC3 vulnerability is not unique to the United States. The NC3
advanced cyber actor would be able to exploit them. As Kehler of other nuclear powers may even be easier to compromise, espe-
notes, “We don’t know what we don’t know” [28]. cially in the case of new entrants to the nuclear club like North
Even if NC3 of nuclear forces narrowly conceived is a hard tar- Korea. Moreover, the United States has already demonstrated both
get, cyber attacks on other critical infrastructure in preparation to the ability and willingness to infiltrate sensitive foreign nuclear in-
or during a nuclear crisis could complicate or confuse government frastructure through operations such as Olympic Games (Stuxnet),
decision making. General Keith Alexander, Director of the NSA in albeit targeting Iran’s nuclear fuel cycle rather than NC3. It would
the same Senate hearing with General Kehler, testified that: be surprising to learn that the United States has failed to upgrade its
Cold War NC3 attack plans to include offensive cyber operations
• “Us[e of] the technical installations of ‘Radio Free Europe/Radio conceivable political reward? Canopy Wing highlights some of the
Liberty’ and ‘Voice of America,’ as well as the radio communica- strategic dangers of NC3 exploitation. Warsaw Pact observers ap-
tions installations of the U.S. Armed Forces for creating interfer- pear to have been deeply concerned that the program reflected an
ence and other electronic effects.” American willingness to undertake a surprise decapitation attack:
they said that it “sent ice-cold shivers down our spines” [50]. The
Wolf also ran a spy in the US Air Force who disclosed that
Soviets designed a system called Perimeter that, not unlike the
the Americans had managed to penetrate the [Soviet air base at Doomsday Device in Dr. Strangelove, was designed to detect a nu-
Eberswalde]’s ground-air communications and were working on clear attack and retaliate automatically, even if cut off from Soviet
a method of blocking orders before they reached the Russian high command, through an elaborate system of sensors, under-
pilots and substituting their own from West Berlin. Had this suc- ground computers, and command missiles to transmit launch codes
ceeded, the MiG pilots would have received commands from [54]. Both Canopy Wing and Perimeter show that the United States
their American enemy. It sounded like science fiction, but, our and the Soviet Union took nuclear warfighting seriously and were
systems can and cannot do, where they are located, how they are (or believe) that the adversary understands this as well, then the rela-
operated, and how to devise countermeasures and array defenses to tionship is stable. Countries engage nuclear powers with consider-
blunt or disarm an attack. In contrast, relatively little reduction in able deference, especially over issues of fundamental national or
destruction follows from enemy knowledge of nuclear capabilities. international importance. At the same time, nuclear weapons appear
For most of the nuclear era, no effective defense existed against a nu- to be of limited value in prosecuting aggressive action, especially
clear attack. Even today, with evolving ABM systems, one ICBM over issues of secondary or tertiary importance, or in response to ag-
still might get through and annihilate the capital city. Nuclear forces gression from others at lower levels of dispute intensity. Nuclear
are more robust to revelation than other weapons, enabling nuclear weapons are best used for signaling a willingness to run serious risks
nations better to advertise the harm they can inflict. to protect or extort some issue that is considered of vital national
The need for transparency to achieve an effective deterrent is interest.
driven home by the satirical Cold War film, Dr. Strangelove: “the As mentioned previously, both superpowers in the Cold War
whole point of a Doomsday Machine is lost, if you keep it a secret! considered the warfighting advantages of nuclear weapons quite
could not credibly promise to refrain from reorienting defenses and one cannot credibly threaten nuclear suicide. The consistently am-
dispersing the Pacific Fleet. War resulted not just because of what biguous phrasing of US cyber declaratory policy (e.g. “we will re-
opponents did not know but because of what they could not tell spond to cyber-attacks in a manner and at a time and place of our
each other without paying a severe price in military advantage. The choosing using appropriate instruments of U.S. power” [82]) seeks
military benefits of surprise (winning) trumped the diplomatic bene- to operate across domains to mobilize credibility in one area to com-
fits of coercion (warning). pensate for a lack of credibility elsewhere, specifically by leveraging
Cyber operations, whether for disruption and intelligence, are the greater robustness to revelation of military capabilities other
extremely constrained by the military commitment problem. than cyber.
Revelation of a cyber threat in advance that is specific enough to This does not mean that cyberspace is categorically useless for
convince a target of the validity of the threat also provides enough signaling, just as nuclear weapons are not categorically useless for
information potentially to neutralize it. Stuxnet took years and hun- warfighting. Ransomware attacks work when the money extorted to
dreds of millions of dollars to develop but was patched within weeks unlock the compromised host is priced below the cost of an investi-
nuclear actor “faced with a sudden burst of holes in its vital warning The targeted nature and uncertain effects of offensive cyber oper-
and response systems might, for example, press the preemption but- ations put additional pressure on decision makers. An intrusion will
ton instead of waiting to ride out the attack and then retaliate” [85]. probably disable only part of the enemy’s NC3 architecture, not all
The outcome of fog of decision scenarios such as these depend of it (which is not only operationally formidable to achieve but also
on how humans react to risk and uncertainty, which in turn depends more likely to be noticed by the target). Thus the target may retain
on bounded rationality and organizational frameworks that might control over some nuclear forces, or conventional forces. The target
confuse rational decision making [89, 90]. These factors exacerbate may be tempted to use some of them piecemeal to signal a willing-
a hard problem. Yet within a rationalist framework, cyber attacks ness to escalate further, even though it cannot actually escalate be-
that have already created their effects need not trigger an escalatory cause of the cyber operation. The cyber attacker knows that it has
spiral. While being handed a fait accompli may trigger an aggressive escalation dominance, but when even a minor demonstration by the
reaction, it is also plausible that the target’s awareness that its NC3 target can cause great damage, it is tempting to preempt this move
has been compromised in some way would help to convey new in- or others like it. This situation would be especially unstable if only
Britain, France, and Israel have modest arsenals in the range of sev- disarm it. Successful mitigation here is assumed to restore mutual as-
eral dozen to a couple hundred weapons, but they have very differ- sessments of the balance of power to what they would be absent the
ent doctrines, conventional force complements, domestic political cyber attack.
institutions, and alliance relationships. The recent nuclear powers Table 1 shows how these factors combine to produce different
lack the hard-won experience and shared norms of the Cold War to deterrence outcomes in a brinksmanship (chicken) crisis. If there is
guide them through crises, and even the United States and Russia no cyber compromise and the target detects nothing (no false posi-
have much to relearn. tives) then we have the optimistic ideal case where nuclear transpar-
Cyber warfare capacity also varies considerably across contem- ency affords stable “deterrence.” Transparency about the nuclear
porary nuclear nations. The United States, Russia, Israel, and Britain balance, including the viability of secure second strike forces, pro-
are in the top tier, able to run sophisticated, persistent, clandestine vides strategic stability. We also expect this box to describe situ-
penetrations. China is a uniquely active cyber power with ambitious ations where the target has excellent network defense capabilities
cyber warfare doctrine, but its operational focus is on economic es- and thus the prospect of defense, denial or deception successfully
revelation as a credible signal of superior capability in the midst of a deterrence benefit enhanced by Stuxnet and Snowden). The situation
crisis. It would be important to exploit this fleeting advantage via is less stable if the United States is the attacker. The most dangerous
other credible military threats (e.g. forces mobilized on visible alert dyad is a stronger and a weaker state (United States and North
or deployed into the crisis area) before the window closes. Korea or Israel and Iran). Dyads involving strong and middle
One side may be able gain an unearned advantage, an opportun- powers are also dangerous (United States and China). The stronger
ity for coercion via a “bluff,” by the same window-of-opportunity side is tempted to disrupt NC3 as a warfighting hedge in case deter-
logic. A target concerned about NC3 compromise will probably rence breaks down, while the weaker but still formidable side has a
have some network monitoring system and other protections in reasonable chance at detection. The marginally weaker may also be
place. Defensive systems can produce false positives as a result of in- tempted to subvert NC3, particularly for reconnaissance; the stron-
ternal errors or a deception operation by the attacker to encourage ger side is more likely to detect and correct the intrusion but will be
paranoia. It is logically possible that some false positives would ap- alarmed by the ambiguity in distinguishing intelligence collection
pear to the target to be difficult to mitigate. In this situation, the tar- from attack planning [98]. In a brinksmanship crisis between them,
maintain transparency. If knowledge of a shift in relative power is “war” and “coercion” outcomes (in the language of our typology)
concealed, then the deterrent effect of nuclear capabilities is under- short of actual nuclear war. CDD does not necessarily improve de-
mined. This will tend to occur in periods where concern over nuclear terrence and in many ways is predicated on the failure of deterrence,
attack is heightened, such as in the midst of a militarized crises. Yet but the broadening of options may lessen the consequences of that
there is no reason to believe that states will wait for a crisis before failure (i.e. if a machine asks, “Do you want to play a game?” it
seeking to establish advantageous positions in cyberspace. Indeed, would be helpful to have options available other than “global
given the intricate intelligence and planning required, offensive thermonuclear war”). The implications of choice among an ex-
cyber preparations must precede overt aggression by months or even panded palette of coercive options in an open-ended bargaining
years. It is this erosion of the bulwark of deterrence that is most scenario is a topic for future research.
troubling. Finally, every effort should be made to ensure that senior
What can be done? Arms control agreements to ban cyber at- leaders—the President and the Secretary of Defense in the United
tacks on NC3 might seem attractive, but the cyber commitment States, the Central Military Commission in China, etc.—understand
16. Lindsay JR. The impact of China on cybersecurity: fiction and friction. 44. Haney C. Department of defense press briefing by Adm. Haney in the
Int Security 2014;39:7–47. pentagon briefing room. U.S. Department of Defense, March 24, 2015.
17. Opall-Rome B. Israeli cyber game drags US, Russia to brink of Mideast http://www.defense.gov/News/News-Transcripts/Transcript-View/Article/
war. Defense News, November 14, 2013. http://www.defensenews.com/ 607027
article/20131115/C4ISRNET07/311150020/Israeli-Cyber- Game-Drags- 45. Baran P. On Distributed Communications Networks. Santa Monica,
US-Russia-Brink-Mideast-War. CA: RAND Corporation, 1962.
18. Lindsay JR, Gartzke E. Cross-Domain Deterrence as a Practical Problem 46. Clark DD. A cloudy crystal ball: visions of the future. Plenary presenta-
and a Theoretical Concept. Cross-Domain Deterrence: Strategy in an tion presented at the 24th meeting of the Internet Engineering Task
Era of Complexity, Gartzke E and Lindsay JR (eds.), La Jolla, CA: Force, Cambridge, MA, July 17, 1992.
Manuscript, 2016. 47. Abbate J. Inventing the Internet. Cambridge, MA: MIT Press, 1999.
19. Carcelli S, Gartzke E. Blast from the Past: Revitalizing and Diversifying 48. Long A, Green BR. Stalking the secure second strike: intelligence, coun-
Deterrence Theory. Working Paper. La Jolla, CA, 2016. terforce, and nuclear strategy. J Strat Stud 2014;38:38–73.
20. Powell R. Nuclear Deterrence Theory: The Search for Credibility. New 49. Wolf M, McElvoy A. Man Without a Face: The Autobiography of
78. Gartzke E, Kaplow JM, Mehta RN. Offense, defense and the structure of 92. Kristensen HM, Norris RS. Status of world nuclear forces. Federation of
nuclear forces: the role of nuclear platform diversification in securing se- American Scientists 2016. http://fas.org/issues/nuclear-weapons/status-
cond strike. Working Paper, 2015. world-nuclear-forces (5 June 2016, date last accessed)
79. Gartzke E. War bargaining and the military commitment problem. 93. HP Security Research. Profiling an Enigma: The Mystery of North Korea’s
New Haven, CT: Yale University, 2001. Cyber Threat Landscape. HP Security Briefing. Hewlett-Packard
80. Powell R. War as a commitment problem. Int Organ 2006;60:169–203. Development Company, August 2014. http://h30499.www3.hp.com/
81. Carson A, Yarhi-Milo K. Covert communication: the intelligibility and hpeb/attachments/hpeb/off-by-on-software-security-blog/388/2/HPSR%
credibility of signaling in secret. Security Stud Forthcoming. 20SecurityBriefing_Episode16_NorthKorea.pdf.
82. Ash C. Remarks by Secretary Carter at the Drell Lecture Cemex 94. Jervis R. The Meaning Of The Nuclear Revolution: Statecraft and the
Auditorium. Stanford, CA: Stanford Graduate School of Business, 2015. Prospect of Armageddon. Ithaca, NY: Cornell University Press, 1989.
83. Lindsay JR, Gartzke E. Coercion through Cyberspace: The Stability- 95. Rid T, Buchanan B. Attributing cyber attacks. J Strat Stud
Instability Paradox Revisited. In The Power to Hurt: Coercion in Theory 2015;38:4–37.
and in Practice, Greenhill KM and Krause PJP (eds.). New York: Oxford 96. Jervis R. Perception and Misperception in International Politics.