We are witnessing a general trend towards the militarization of cyberspace, and nuclear weapons are no exception. What will happen to strategic stability should cyber weapons be employed? Are nuclear weapons capable of deterring cyber warfare?
Formalization of the Threat
Several events took place in 2016 which allow us to speak about the new status of cyberspace from the standpoint of military planning and combat actions. For example, NATO Secretary General Jens Stoltenberg declared cyberspace a bona fide operational domain, adding that a cyber-attack on a NATO member could trigger Article 5  of the Alliance’s Charter. The 2017 United States federal budget calls for elevating United States Cyber Command (USCYBERCOM) from a subdivision under the United States Strategic Command (USSTRATCOM) to a full-fledged combatant command. USCYBERCOM Commander Admiral Michael S. Rogers continues to double as director of the National Security Agency, even though an active discussion continues as to the possibility of separating these two structures.
The National Defence Authorization Act for Fiscal Year 2018 proposes an even more radical step: introducing the position of Chief Information Warfare Officer within the Pentagon. This new presidentially appointed and Senate-confirmed position would report directly to the Secretary of Defence, and would assume responsibility for all matters related to the information domain of the Department of Defence, including cybersecurity and cyber warfare, space and space launch systems, and electronic warfare.
The military doctrine of the Russian Federation also notes that “exerting simultaneous pressure on the enemy throughout the enemy’s territory in the global information space, airspace and outer space, on land and sea” is a characteristic feature of modern military conflicts.
China’s International Strategy of Cooperation on Cyberspace stresses that “the tendency of militarization and deterrence build-up in cyberspace is not conducive to international security and strategic mutual trust.” This, however, does not at all imply that China is not building its own offensive cyber potential.
We may therefore say that an understanding is crystallizing on the significance of cyber threats in the modern world from a military planning perspective.
A Cyber-Attack on Nuclear Potential
NATO Secretary General Jens Stoltenberg declared cyberspace a bona fide operational domain, adding that a cyber-attack on a NATO member could trigger Article 5.
This problem is particularly acute when it comes to nuclear weapons, especially when we are talking about the arsenals of the strategic nuclear forces of Russia and the United States. It is in this field that a false signal, or a total absence of signals, could move troops to launch nuclear weapons delivery systems against preselected targets. The situation is further complicated by the continuing development of information and communication technology, and armed forces obviously cannot remain uninvolved in this process.
A vivid example of a dangerous situation similar to a cyber-attack was the incident at F.E. Warren Air Force Base in Wyoming in the autumn of 2010, when 50 intercontinental ballistic missiles were temporarily taken offline simultaneously. There is still no trustworthy information available from open sources as to what caused the malfunction.
The problem of the vulnerability of nuclear weapons command and control systems to intruders is exacerbated by the high alert status of strategic nuclear forces. A decapitation strike could be mounted using any means, including cyber weapons. At the same time, the perception of the risks connected with a potential enemy mounting a cyber-attack leads to improvements in the resistance of strategic nuclear forces command and control networks to unlawful interference, irrespective of sources, which is generally conducive to maintaining strategic stability.
An intriguing feature of cyber weapons that makes them somewhat similar to nuclear weapons is that the delivery system and the payload are separate: one and the same product can be used to infiltrate either spyware or malware specifically designed to intercept the control of weapon systems or disable command and control networks.
A similar problem could emerge in connection with third nuclear powers placing their non-strategic nuclear systems on high alert. For these countries, their nuclear weapons are of extremely high value, and the threat of losing them through command chain malfunctions is unacceptable. To prevent this scenario, the authority to use nuclear weapons could be delegated to lower echelons of command (in connection with the threat of a decapitation strike), which would further complicate the overall situation: a false command, or a false perception of the operational environment by a commanding officer thus authorized, is fraught with nuclear escalation, and increasing the number of such officers obviously leads to a proportional increase in the threat of nuclear escalation.
A relatively new threat directly related to day-to-day operations of nuclear-capable forces has to do with the proliferation of various simulators and simulated electronic launch solutions for training purposes. The information systems that support training and combat operations are separated, so the possibility of turning a simulated event into an actual launch of a nuclear-tipped missile with the help of a cyber-attack remains in the domain of science fiction. However, even an attempt to interfere with a simulator could be construed as an attack on the country’s nuclear forces, and the appropriate countermeasures could be employed.
An intriguing feature of cyber weapons that makes them somewhat similar to nuclear weapons is that the delivery system and the payload are separate: one and the same product can be used to infiltrate either spyware or malware specifically designed to intercept the control of weapon systems or disable command and control networks. This creates a certain decision-making bracket for both the attacker and the defender: following the successful infiltration of a relatively harmful payload into the defender’s networks, the attacker might attempt to replace it with a strike payload should tensions between the parties escalate. At the same time, the defender might detect the original attack in time and, having no trustworthy information as to the attacker’s intent, may choose to deliver a retaliatory or second strike, and not just in cyberspace. We are talking about the networks that are directly related to nuclear weapons and to the country’s survival (as per the modern approach to defining the role of nuclear weapons).
The possible emergence of automated retaliatory strike systems triggered by cyber-attacks poses a separate threat, although any protection against an attack in cyberspace is, by default, of an active nature.
In addition, in the past, the Pentagon confirmed its readiness to deliver pre-launch cyber-attacks on enemy missiles as part of its missile defence programme. The inclusion of cyber weapons in the missile defence programme is an even greater blow to strategic stability.
Attribution is the key problem of any of the aforementioned cyber-attack scenarios.
Cyber weapons are also characterized by a fairly low entry threshold: they may be used by an individual, a superpower, or anyone in between (down to a third-world schoolkid hired by proxies in the interest of one of the leading world powers).
It would be advisable to single out the four key categories of actors operating on the borderline between cyberspace and nuclear weapons: governments, proxies, private entities (including commercial entities and terrorist groups) and “lone wolves.” On the one hand, governments command the greatest potential, while on the other, they are, in the nuclear weapons context, the key potential victims. Countries may use proxies in their confrontations with other countries. Private entities may use cyber weapons to blackmail nuclear powers, or they may offer their services to provide protection against cyber-attacks. Lone wolves may pursue a variety of self-interests, from the desire to cash in on their skills by demonstrating them in the most spectacular way, to ideological and emotional motives.
It should be noted that a single actor may employ differing approaches to combat operations in cyberspace, including with regard to the acceptability of using proxies, advertising their own potential, commenting on offensive or defensive operations, and assessing the seriousness of cyber incidents (and being prepared to offer diligent assistance in investigations into such incidents).
At the same time, there already exists a fairly evolved black market for cyber weapons, one that is virtually impossible to control using traditional methods. Anyone can purchase commercial off-the-shelf samples, the application of which could also serve the interest of government actors.
The theatre of cyber operations is thus extremely convoluted and requires the utmost caution from participants in the international system of political and military relations.
It has become commonplace in both Russia and the United States to mock the low-tech data storage devices used by the strategic nuclear forces on a daily bases. However, this approach is perhaps among the most effective ways of protecting critical infrastructure against cyber-attacks. Furthermore, the exclusive use of domestically developed software and hardware that is incompatible with international standards could help reduce the cyber threat to nuclear weapons.
One possible way to reduce the threat of a nuclear conflict as a result of erroneous assessments of the enemy’s intentions is to use tried and tested approaches to resolving differences between nations, such as hotlines. A set of intergovernmental agreements signed between the United States and Russia in June 2013 called for the launch of a communications hotline that would be used to share information in case of cyber incidents. Nevertheless, the effectiveness of this system is questionable. For example, following its alleged “interference in the U.S. electoral system,” Russia received a request via the hotline just one week before the presidential election, and provided an exhaustive reply, but this exchange seems to have done nothing to influence the situation. Curiously, the national nuclear risk reduction centres of both countries were also at some point planned to be used for the purpose, but the official web page of the Russian centre contains no information to that effect.
In May 2015, Russia and China signed a bilateral agreement on international information security. The document has a very indirect relation to the military aspect of the topic, but on the whole it provides the framework for joint activities aimed at addressing global cybersecurity problems.
In the autumn of that same year, China signed an agreement on cybersecurity with the United States. That document is primarily focused on fighting industrial espionage.
On the other hand, it is quite possible that the existing interaction formats will be broadened in the future. The first step towards including the cybersecurity topic in the dialogue on strategic stability might come in the form of a relevant section to be added to the P5 Glossary of Key Nuclear Terms, which the permanent members of the UN Security Council agreed to finalize during the Washington conference on September 15, 2016. This would allow all the parties involved to speak the same language, thus improving the effectiveness of dialogue.
Also worth mentioning is the initiative voiced by former United States National Security Council Cybersecurity Director Richard Clarke, who called for an international treaty that would accomplish the following:
Ban cyber-attacks on certain facilities (including components of nuclear weapons infrastructure);
Require signatory nations to pass laws enforcing such norms;
Enable the UN Security Council to impose sanctions on violator states, as it did in the past with violators of the International Atomic Energy Agency (IAEA) safeguards against nuclear proliferation.
To some extent, this initiative is similar to the Russian approach to the possibility of creating a universal international regime that would govern the activities of states in the global information space, including the need for developing and adopting a code of responsible behaviour for states.
The existence of cyber weapons, combat operations in cyberspace, attempts by government and non-government actors to gain an advantage over potential enemies by causing damage to their nuclear weapons or creating a situation conducive to their erroneous use are all facts of life. The existing cyber threats could be used as an argument in campaigns for universal nuclear disarmament; however, a world without nuclear weapons but with all the current discords would hardly prove to be any more safe and stable. A less ambitious goal might be to reduce the nuclear weapons alert status, but this could reduce the deterrent factor, ultimately resulting in the destruction of strategic stability.
The most promising solution would be for all the parties involved at the national and supranational level (and possibly leading companies specializing in information technology and cybersecurity) to work in concert towards the formation of a general understanding of the emerging cyberspace landscape from a military standpoint. Such an approach would help identify the best ways to reduce the threat of involuntary use of nuclear weapons, while maintaining their deterrent characteristics. Simultaneously, special attention should be paid to protecting nuclear weapons and associated infrastructure against cyber threats, including by way of minimizing their footprint in cyberspace.