Cyberwar and the Nuclear Option
Would a cyberattack ever call for a nuclear response? In a recent op-ed for the Washington Post, former counterterrorism czar Richard Clarke and former Clinton NSC official Steve Andreasen argue that the United States should definitively take the threat of nuclear retaliation off the table in response to major cyber attacks. The two were responding to a January report of a task force of the Defense Science Board (DSB), whose recommendation to include existential cyber attacks in the scope of U.S. nuclear deterrence they see as destabilizing, dangerous and inimical to broader U.S. goals. Clarke and Andreasen argue that by giving notice that we will count massive cyber assaults as a possible basis for a nuclear response we would exacerbate instability and tensions, provoke mimicking responses from Russia and China, and block progress on reducing nuclear risks.
But are they right that such a policy linking nuclear and cyber is unwise? Intuitively it certainly seems that a nuclear response to even significant cyber attacks would be grossly disproportionate. Would the United States really believe itself justified in launching a nuclear strike against a country responsible for disrupting, say, your bank’s servers or the oil refinery that services your gas station? Or would it seriously consider a nuclear response to a successful cyber attack against a non-nuclear military asset, such as a fighter wing or a ship?
Obviously not. But the DSB Task Force wasn’t focused on those kinds of attacks. Rather, they were looking at what they referred to as “existential cyber attacks”: large-scale, brutally effective attacks on critical elements of the U.S. military and civilian infrastructure that would impose significant loss of life and tremendous degradation of our national welfare. What they meant was attacks which lead to planes falling out of the sky, water and power shutting off, communications dying, food rotting, and the like. As Task Force Chairman (and Under Secretary of Defense in the Clinton administration) Paul Kaminski made clear, any cyber attack meriting consideration of nuclear use would “have to be extreme. It would have to be the kind of attack that we would judge would be threatening our survival.”
The Task Force was saying that if an enemy hits us with a cyber attack of a scale comparable to a nuclear blow, we should be ready to retaliate with a nuclear strike. This is in line with longstanding U.S. nuclear doctrine, most recently restated in the 2010 Nuclear Posture Review, that the United States reserves the right to retaliate with nuclear weapons in response to non-nuclear attacks of great severity or danger—in “extreme circumstances,” in the Review’s apt parlance.
But Clarke and Andreasen argue that reserving this right is both unnecessary and dangerous. They readily concede that cyberthreats are real, but contend that we should rely on a combination of defenses, non-nuclear retaliation, and diplomacy to guard against such attacks. Meanwhile, they argue, introducing the nuclear element into the cyber balance will only exacerbate instability and provoke nuclear-cyber arms races with Russia, China and others.
The problem with this argument is that it both understates the value and overstates the danger of the nuclear element in deterring (both actual and threatened) existential cyber attacks. They understate the value because the United States needs deterrence, as we simply can’t practically defend against large-scale, sophisticated cyber assaults. A central finding of the Task Force was that “the full spectrum cyber threat [of a top-tier cyber power] is of such magnitude and sophistication that it [cannot] be defended against. As such, a defense-only strategy against this threat is insufficient to protect U.S. national interests and is impossible to execute. Therefore, a successful DoD cyber strategy must include a deterrence component.” In other words, a military strategy relying only on defenses against cyber attacks is a recipe for failure. This makes sense—the problems of attribution, the costliness of cyber defenses, and the affordability of cyber offenses all make the contemporary cyber domain a classic offense-dominant arena, one in which the attacker has huge advantages and which can be very unstable unless the offense dominance is balanced by the credible threat of retaliation.
Now, Clarke and Andreasen would presumably argue that the United States should indeed rely on deterrence to deal with this offense dominance problem—but only by using non-nuclear forces. The flaw in this approach, however, is twofold. First, even under favorable conditions it is unclear that our conventional forces alone could do enough damage to outweigh the advantages from crippling the United States that would accrue to a committed adversary in a conflict. More to the point, if the United States found itself under existential cyber attack it would have to reckon that its conventional military forces would be under intense pressure and might well be significantly degraded in capability. (Indeed, the Task Force took the threats to our military forces so seriously that it recommended basically taking a portion of our forces “off the grid,” compromising the evident advantages of cyber-enabled connectivity in favor of greater resilience in the event of an effective cyber onslaught from a capable opponent.)