Double Trouble: Cyber Deterrence in a Nuclear Armed World
The Russian invasion of Ukraine has brought prospects of nuclear escalation back to the forefront of Western policy debates. In response to NATO’s economic sanctions, Vladimir Putin ordered that the country’s nuclear forces be put on a higher level of alert, a move that some experts deem purely symbolic and otherwise irrelevant. However, a much expected element of the conflict has largely yet to materialize: cyber-attacks. Speculations on the reasons for the noticeable absence of a cyber element to this war have led some to argue that Russia fears cyber-retaliation. Indeed, one could draw a parallel to theories of nuclear deterrence and justify the claim that, despite moving its arsenal to a state of high alert, Russia will not cast the first nuclear stone in this conflict. It is nevertheless dangerous to equate the logic of cyber attacks to nuclear weapons, and tackling each problem the same way could lead us to overlook some of the crucial ways in which cyber-conflict increases the likelihood of nuclear war.
Prominent scholars like Kenneth Waltz have maintained that nuclear weapons are essentially useless as offensive weapons because no rational actor would risk deploying its arsenal against another state that could launch retaliatory strikes. Thus, the argument goes, nuclear weapons act only as a defensive measure to prevent conventional warfare from escalating beyond a certain threshold of destruction. To this argument’s credit, nuclear weapons have not prevented India and Pakistan—two nuclear-armed states—from engaging in a limited military conflict along a shared border or other border clashes between India and China which, needless to say, did not result in World War III. In sum, engaging nuclear weapons in a conflict against another nuclear-possessing state or, for our purposes, the alliance of states represented under NATO, is so risky that the opponent is likely to call your bluff.
Add to that the exorbitant price tag of nuclear weapons and the risks associated with accidental or unauthorized explosions requiring extensive safety measures and Command and Control (also known as “C2”) infrastructure, and one might concede that nuclear weapons are indeed lousy tools of coercion. In order to bargain with an opponent and maintain a potent national defense strategy, it seems reasonable to argue that mutual deterrence should operate on a lower level of destruction. Cyber deterrence supposedly helps states maintain the poker face in front of an adversary given that its use is more feasible, but its introduction has in reality opened a pandora box of security problems.
Granted, the principal argument in favor of a shift toward greater cyber capabilities—that its use usually doesn’t yield direct physical harm—is convincing. A simple Distributed Denials of Service, where multiple compromised computers flood the same network in an attempt to overwhelm it, or active measures—like the Russian doxing on the Democratic party during the 2016 election—can go a long way to stifle a country’s power without actually having to destroy its infrastructure. This is a stark contrast to nuclear attacks, which would almost inevitably result in massive civilian casualties. If anything, the international success of the Treaty on the Prohibition of Nuclear Weapons also demonstrates how humanitarian concerns increasingly influence states’ opposition to nuclear weapons, and cyber conflict therefore seems to become a more “acceptable” alternative to deter conflict. It should be noted that the United Nations is already discussing an eventual treaty regulating the ethics of cyber use, but such an agreement is unlikely to come to fruition in the near future given the general lack of consensus on its proposed scope.
The last decades have thus seen a large buildup of cyber-capabilities on the part of great powers, who are not-so coincidentally also nuclear-weapons possessors. President Biden proposed a budget allocating $4.3 billion to the Defense Department’s cyber operations and another $4.4 billion to civilian agencies and departments as a means to combat cyberattacks and cybercrime. This is perhaps an effort to counter Russian and Chinese cyber forces, which put greater emphasis on offense than their American counterpart, although the exact numbers of their spendings on these operations remain blurry. At first glance, this so-called Cyber Manhattan Project thus contrasts with dwindling nuclear arsenals worldwide.
However, this account fails to consider a very important development: if states have cut the number of nuclear weapons stockpiled since the end of the Cold War, the remaining weapons’ destructive capabilities have greatly increased. What’s more, the ever so expensive arsenals’ modernization, now totaling at around $50 billion a year in the U.S. alone according to a Congressional estimate, far eclipse its comparatively frugal cyber budget. These modernization efforts have, for instance, introduced dual-capable technology, weapons whose payload can be switched from conventional to nuclear when needed. Yet, this development makes the likelihood of nuclear escalation in the middle of a conventional war much more likely. Security Studies scholar Caitlin Talmadge illustrates this concern in her depiction of a hypothetical war between the United States and China over Taiwan, where the American military mistakenly disables Chinese nuclear missiles it thought to be conventional. Fearing that the United States might be plotting to erode its second strike capability and pave the way for a full scale invasion—or worse—a first strike, China may therefore be pushed to use its nuclear weapons before it loses them. As Talmadge remarks, “nothing says ‘you’ve crossed my red line’ quite like a mushroom cloud.”
Another take on this issue might be that there isn’t a zero-sum relationship between cyber and nuclear weapons, and as such, the future might be both nuclear and cyber-enabled. This is a cause for concern for some—especially for Kenneth Waltz’s proponents—insofar as the introduction of cyber capabilities wrecks the so-called balance of terror. Indeed, Waltz predicted that states with entrenched nuclear power will not attempt a preventive or disarming strike against an opponent who is developing nuclear weapons for fear that they may not succeed in destroying all of the weapons in one go. A single surviving missile is likely enough to inflict unacceptable damage on the aggressor. However, cyber capabilities have made this assumption murkier, because a targeted and discreet cyber-attack could leave the enemy utterly confused on the source and nature of the aggression.
This possibility is well exemplified by the Israelite and American 2010 Stuxnet attack on Iranian nuclear power plants in an attempt to slow its production of nuclear weapons. Iran initially attributed the malfunction to a technological failure rather than external attacks, however, what happened next offers a cautionary tale on the reliability of cyber attacks. Although the intrusion went unnoticed at first, the Stuxnet program spiraled out of control and targeted other nuclear plants in Eastern Europe, and a Belarusian antivirus firm’s investigation into these widespread malfunctions eventually uncovered the cyber scheme. Iran later responded in kind with a cyber attack on Saudi Aramco, crippling the oil company and displaying images of a burning U.S. flag on its compromised computers. Had it discovered the Stuxnet attack earlier, there is no telling how Iranian leadership might have reacted, but drawing inspiration from the fictitious example of Talmadge, Iran could very well have believed the cyber attack was precursor to a larger offense and therefore be tempted to take preventive actions against Israel or other American allies.
The most convincing arguments in favor of cyber-deterrence policy lies in the ability of states to infiltrate each other’s critical infrastructures and hold entire populations hostage by cutting their access to electricity or other basic needs. Not so different from nuclear weapons in the end, right? Although, there is some variance insofar as these intrusions are not as clear cut of a threat as pointing a nuclear missile in one’s direction might be. Take, for example, the SolarWinds Hack: experts are still debating whether the Russian hackers simply spied on the corporation or fomented an actual attack, perhaps placing a virtual backdoor in its program to re-infiltrate the system and cripple it in the future. This inability to differentiate between an attack and an act of espionage could therefore lead to inadvertent conflict escalation. Add to that the covert nature of these events, which are sometimes not publicly attributed for fear that it might reveal one’s sources and methods to pinpoint cyber attacks, and we have a recipe for disaster. Even the prospects of engaging in cyber arms control are dim as it requires telling other countries exactly what type of cyber-weapons, some of them known as zero-days, ones possesses, which is highly inefficient given that potential aggressors could find a patch in advance to defend against it. Even if some countries might struggle to attribute the attack right away, it is arguably less of an issue for leaders in cyber-security like China, Russia, or the U.S. who are proficient enough in this technology to quickly trace an attack back to its perpetrator. Cyber capabilities indeed do tilt the balance of powers—but we are largely unable to tell in favor of whom.
In the case of Russia, cyber is also much less subject to command and control than nuclear weapons, given that the state employs third parties—individual cyber-criminals—to launch attacks on a wide array of victims, a process which is loosely if at all screened by the relevant authorities. Although the threat of nuclear terrorism is not negligible, cyber weapons in a sense also democratize the ability to inflict terror given that anyone with a proficient knowledge of computers could theoretically cause a large number of casualities. In 2021, a hacker sabotaged the water system of a city in Florida by increasing the levels of sodium hydroxide to dangerous levels, an action that could have poisoned the whole city had a worker not noticed it and reversed the action in time. This worrying element leads me to segue into another difference between cyber and nuclear: the damage inflicted by cyber attacks, as extensive as it may be, is generally reversible. For example, after the 2007 cyberattacks on Estonia that disrupted many of its vital organizations including banks and parliamentary activity, the country developed a data embassy in Luxembourg. This was done so that, in the event of another attack, the country will be able to restore its functions back to what they were right before the attack. This process is similar to the cloud back-up of your computer, only on a much broader scale.
Some have thus argued that the best defense against cyber attacks may not be deterrence, but rather resilience. If a country can endure the attack long enough to find a patch against it, its aggressor will have to start from scratch and find another way to get to its goal. The promise of massive retaliation in line with traditional deterrence logic indeed falls short in cyberspace, a factor that President Obama recognized as early as 2015 when he stated, “with nuclear weapons there is a binary. Either there are no nuclear explosions or there are big ones and it is a real problem. In cyberspace, there are all sorts of gradations.”
In a nuclear world, vulnerability springs from defenselessness; in the cyber world, it comes from unpreparedness. As scholar Wyatt Hoffman argues, part of the issue of treating cyber capabilities like nuclear weapons is that leaders are sometimes inclined to stockpile technological vulnerabilities against other countries rather than developing the skills of those who identify and mitigate such vulnerabilities at home. If we continue on this path, focusing on offense in a world where both nuclear defenselessness and cyber unpreparedness are at play, we have all the more reasons to question the “nuclear peace” thesis and its intellectual vestiges from the Cold War era. Applying nuclear deterrence concepts to cyber conflict creates a false sense of security, especially when other countries do not subscribe to the same “rational” assumptions as we do. So the next time there is a conflict, be it conventional or cyber, you probably shouldn’t bet all of your chips on mutual deterrence to prevent escalation.
Anna Bartoux is a columnist for CPR and a junior studying Political Science at Columbia University’s School of General Studies.