Cyberwar and the Nuclear Option

It would be a mistake to take nuclear retaliation off the table against even the most grievous cyberattacks.

Would a cyberattack ever call for a nuclear response? In a recent op-ed for the Washington Post, former counterterrorism czar Richard Clarke and former Clinton NSC official Steve Andreasen argue that the United States should definitively take the threat of nuclear retaliation off the table in response to major cyber attacks. The two were responding to a January report of a task force of the Defense Science Board (DSB), whose recommendation to include existential cyber attacks in the scope of U.S. nuclear deterrence they see as destabilizing, dangerous and inimical to broader U.S. goals. Clarke and Andreasen argue that by giving notice that we will count massive cyber assaults as a possible basis for a nuclear response we would exacerbate instability and tensions, provoke mimicking responses from Russia and China, and block progress on reducing nuclear risks.

But are they right that such a policy linking nuclear and cyber is unwise? Intuitively it certainly seems that a nuclear response to even significant cyber attacks would be grossly disproportionate. Would the United States really believe itself justified in launching a nuclear strike against a country responsible for disrupting, say, your bank’s servers or the oil refinery that services your gas station? Or would it seriously consider a nuclear response to a successful cyber attack against a non-nuclear military asset, such as a fighter wing or a ship?

Obviously not. But the DSB Task Force wasn’t focused on those kinds of attacks. Rather, they were looking at what they referred to as “existential cyber attacks”: large-scale, brutally effective attacks on critical elements of the U.S. military and civilian infrastructure that would impose significant loss of life and tremendous degradation of our national welfare. What they meant was attacks which lead to planes falling out of the sky, water and power shutting off, communications dying, food rotting, and the like. As Task Force Chairman (and Under Secretary of Defense in the Clinton administration) Paul Kaminski made clear, any cyber attack meriting consideration of nuclear use would “have to be extreme. It would have to be the kind of attack that we would judge would be threatening our survival.”

The Task Force was saying that if an enemy hits us with a cyber attack of a scale comparable to a nuclear blow, we should be ready to retaliate with a nuclear strike. This is in line with longstanding U.S. nuclear doctrine, most recently restated in the 2010 Nuclear Posture Review, that the United States reserves the right to retaliate with nuclear weapons in response to non-nuclear attacks of great severity or danger—in “extreme circumstances,” in the Review’s apt parlance.

But Clarke and Andreasen argue that reserving this right is both unnecessary and dangerous. They readily concede that cyberthreats are real, but contend that we should rely on a combination of defenses, non-nuclear retaliation, and diplomacy to guard against such attacks. Meanwhile, they argue, introducing the nuclear element into the cyber balance will only exacerbate instability and provoke nuclear-cyber arms races with Russia, China and others.

The problem with this argument is that it both understates the value and overstates the danger of the nuclear element in deterring (both actual and threatened) existential cyber attacks. They understate the value because the United States needs deterrence, as we simply can’t practically defend against large-scale, sophisticated cyber assaults. A central finding of the Task Force was that “the full spectrum cyber threat [of a top-tier cyber power] is of such magnitude and sophistication that it [cannot] be defended against. As such, a defense-only strategy against this threat is insufficient to protect U.S. national interests and is impossible to execute. Therefore, a successful DoD cyber strategy must include a deterrence component.” In other words, a military strategy relying only on defenses against cyber attacks is a recipe for failure. This makes sense—the problems of attribution, the costliness of cyber defenses, and the affordability of cyber offenses all make the contemporary cyber domain a classic offense-dominant arena, one in which the attacker has huge advantages and which can be very unstable unless the offense dominance is balanced by the credible threat of retaliation.

Now, Clarke and Andreasen would presumably argue that the United States should indeed rely on deterrence to deal with this offense dominance problem—but only by using non-nuclear forces. The flaw in this approach, however, is twofold. First, even under favorable conditions it is unclear that our conventional forces alone could do enough damage to outweigh the advantages from crippling the United States that would accrue to a committed adversary in a conflict. More to the point, if the United States found itself under existential cyber attack it would have to reckon that its conventional military forces would be under intense pressure and might well be significantly degraded in capability. (Indeed, the Task Force took the threats to our military forces so seriously that it recommended basically taking a portion of our forces “off the grid,” compromising the evident advantages of cyber-enabled connectivity in favor of greater resilience in the event of an effective cyber onslaught from a capable opponent.)

Thus a major cyber attack’s effect on our conventional forces could mean that, without our nuclear forces in the equilibrium, the United States might well find itself with no serious riposte to a massive cyber assault, leaving us exposed to coercion or worse. Thus, while the Task Force wisely advocated for having more discriminate cyber and other non-nuclear options to provide steps on the escalatory ladder, it rightly argued that at the top of that ladder resides the U.S. nuclear deterrent—the ultimate reminder that, even if a major cyber attack could emasculate our conventional forces, our resilient nuclear forces would still pose a devastating threat that would make such an assault patently foolhardy. (The Task Force also rightly advocated ensuring the absolute effectiveness of our nuclear forces even under highly sophisticated cyber assault.)

Now these kinds of scenarios might seem fantastically remote—and thankfully they are highly unlikely. But worst cases can happen, and what else are our most powerful military forces for, if not for warding off the worst cases? More likely, however, is the danger that adversaries would derive coercive leverage if both we and they know that they have the upper hand on the escalatory ladder.

Advantages at the top of the escalatory ladder can cast a dark shadow. For instance, during the 1950s, the United States used its huge advantages at the level of nuclear warfare to try to coerce Maoist China, with at least some success. So, if China or Russia knows that we would never consider using nuclear weapons in response to even a massive cyber attack, then that gives them a strong incentive to try to exploit that advantage—even implicitly—by using cyber as a way to deter and even coerce the United States and our allies. Low-level versions of this problem are apparent today.

But what if the United States and China squared off over one of the territorial maritime disputes in the Western Pacific or South China Sea? Or if the United States and Russia faced off over instability in a NATO Baltic state? The United States does not want to find itself in a situation in which it has no good options to respond to escalating cyber attacks. Perhaps even worse, it would not want to find itself in a situation in which it felt itself forced into actually considering nuclear options when it had loudly declared that it would not.

But even if this is all true, what to make of Clarke and Andreasen’s claim that a nuclear deterrent against cyber attacks is more dangerous than it’s worth? If this were true, it would be a serious problem. But the reality is that they dramatically overstate the dangers of making major cyber attacks part of our nuclear declaratory policy. For instance, they argue that such a posture would force a “rapid” decision regarding nuclear use in response to cyber attacks and would set up a “cyber-nuclear action-reaction dynamic.”

But this doesn’t follow at all. The recommended posture does not say that a president would have to use nuclear weapons in response to any given cyber attack. In fact, the scenario in which nuclear weapons would be considered in this context would be a cyber attack of such magnitude and duration that it would be essentially unmistakable as an existential attack (although attacks on our national command and control or strategic-deterrent capabilities could also presumably qualify). Moreover, the Task Force’s recommendation that U.S. national command and control and strategic nuclear forces be especially hardened against cyber attacks should, if effectively implemented, ensure that national leaders could make decisions with more time and evidence, lessening any “use or lose” pressures. Nor would the president have to use lots or our full complement of nuclear weapons, laying to rest Clarke and Andreasen’s argument that this policy would bloat the nuclear targeting list. The policy would simply state that the United States would be prepared to undertake some use of nuclear weapons in response to profoundly threatening cyber attacks.

Rather than increasing nuclear and cyber dangers, the real effect of such a policy should actually be to encourage stability by making it clear that cyber is not a “Wild West” arena from which the caution-inducing effects of nuclear deterrence are banished. Given that we don’t really know what is and could become possible in terms of cyber attacks, it makes sense to be clear that major, devastating attacks could well provoke the most severe response we can muster. This essentially stabilizing message can and should be no secret, but rather should be communicated through formal declaratory policy statements as well as directly to Russian, Chinese, and other governments through formal and informal tracks.

Ultimately the question of how we seek to deter major cyber attacks delves into questions of how deterrence—and especially nuclear deterrence—operates. Is major war, including nuclear war, best acceptably avoided by shrinking the range of provocations to which it should be expected to apply? Or are stability and safety best secured by ensuring that the shadow of nuclear weapons does not recede too far, lest their caution-inducing influence be lost and the possibility they are introduced into a conflict suddenly and unexpectedly be heightened? Clarke and Andreasen clearly hold to the former view, the Task Force to the latter.

Given that the security concern that lead nations to acquire and retain nuclear weapons haven’t been resolved—or even noticeably improved in recent years—it seems clear that nuclear weapons aren’t going anywhere. If that’s the case, isn’t it far better to ensure that everyone remembers very clearly that undertaking anything so destructive as an existential cyber attack could quite possibly provoke a nuclear response?

Elbridge Colby is a principal analyst at CNA, where he focuses on strategic issues and advises a number of U.S. Government entities. He previously served with the Department of Defense on the New START treaty negotiation and ratification effort and as an expert advisor with the Congressional Strategic Posture Commission.