Cyberwar and the Nuclear Option

It would be a mistake to take nuclear retaliation off the table against even the most grievous cyberattacks.

Thus a major cyber attack’s effect on our conventional forces could mean that, without our nuclear forces in the equilibrium, the United States might well find itself with no serious riposte to a massive cyber assault, leaving us exposed to coercion or worse. Thus, while the Task Force wisely advocated for having more discriminate cyber and other non-nuclear options to provide steps on the escalatory ladder, it rightly argued that at the top of that ladder resides the U.S. nuclear deterrent—the ultimate reminder that, even if a major cyber attack could emasculate our conventional forces, our resilient nuclear forces would still pose a devastating threat that would make such an assault patently foolhardy. (The Task Force also rightly advocated ensuring the absolute effectiveness of our nuclear forces even under highly sophisticated cyber assault.)

Now these kinds of scenarios might seem fantastically remote—and thankfully they are highly unlikely. But worst cases can happen, and what else are our most powerful military forces for, if not for warding off the worst cases? More likely, however, is the danger that adversaries would derive coercive leverage if both we and they know that they have the upper hand on the escalatory ladder.

Advantages at the top of the escalatory ladder can cast a dark shadow. For instance, during the 1950s, the United States used its huge advantages at the level of nuclear warfare to try to coerce Maoist China, with at least some success. So, if China or Russia knows that we would never consider using nuclear weapons in response to even a massive cyber attack, then that gives them a strong incentive to try to exploit that advantage—even implicitly—by using cyber as a way to deter and even coerce the United States and our allies. Low-level versions of this problem are apparent today.

But what if the United States and China squared off over one of the territorial maritime disputes in the Western Pacific or South China Sea? Or if the United States and Russia faced off over instability in a NATO Baltic state? The United States does not want to find itself in a situation in which it has no good options to respond to escalating cyber attacks. Perhaps even worse, it would not want to find itself in a situation in which it felt itself forced into actually considering nuclear options when it had loudly declared that it would not.

But even if this is all true, what to make of Clarke and Andreasen’s claim that a nuclear deterrent against cyber attacks is more dangerous than it’s worth? If this were true, it would be a serious problem. But the reality is that they dramatically overstate the dangers of making major cyber attacks part of our nuclear declaratory policy. For instance, they argue that such a posture would force a “rapid” decision regarding nuclear use in response to cyber attacks and would set up a “cyber-nuclear action-reaction dynamic.”

But this doesn’t follow at all. The recommended posture does not say that a president would have to use nuclear weapons in response to any given cyber attack. In fact, the scenario in which nuclear weapons would be considered in this context would be a cyber attack of such magnitude and duration that it would be essentially unmistakable as an existential attack (although attacks on our national command and control or strategic-deterrent capabilities could also presumably qualify). Moreover, the Task Force’s recommendation that U.S. national command and control and strategic nuclear forces be especially hardened against cyber attacks should, if effectively implemented, ensure that national leaders could make decisions with more time and evidence, lessening any “use or lose” pressures. Nor would the president have to use lots or our full complement of nuclear weapons, laying to rest Clarke and Andreasen’s argument that this policy would bloat the nuclear targeting list. The policy would simply state that the United States would be prepared to undertake some use of nuclear weapons in response to profoundly threatening cyber attacks.

Rather than increasing nuclear and cyber dangers, the real effect of such a policy should actually be to encourage stability by making it clear that cyber is not a “Wild West” arena from which the caution-inducing effects of nuclear deterrence are banished. Given that we don’t really know what is and could become possible in terms of cyber attacks, it makes sense to be clear that major, devastating attacks could well provoke the most severe response we can muster. This essentially stabilizing message can and should be no secret, but rather should be communicated through formal declaratory policy statements as well as directly to Russian, Chinese, and other governments through formal and informal tracks.

Ultimately the question of how we seek to deter major cyber attacks delves into questions of how deterrence—and especially nuclear deterrence—operates. Is major war, including nuclear war, best acceptably avoided by shrinking the range of provocations to which it should be expected to apply? Or are stability and safety best secured by ensuring that the shadow of nuclear weapons does not recede too far, lest their caution-inducing influence be lost and the possibility they are introduced into a conflict suddenly and unexpectedly be heightened? Clarke and Andreasen clearly hold to the former view, the Task Force to the latter.

Given that the security concern that lead nations to acquire and retain nuclear weapons haven’t been resolved—or even noticeably improved in recent years—it seems clear that nuclear weapons aren’t going anywhere. If that’s the case, isn’t it far better to ensure that everyone remembers very clearly that undertaking anything so destructive as an existential cyber attack could quite possibly provoke a nuclear response?