Last Week in Tech Policy #63: War Games: Nuclear Deterrence Against Cyberattacks

(by Alex Kimata, Colorado Law 3L)

Could a massive cyber attack start a nuclear war?  Early in February, after weeks of rumors, the Department of Defense released the 2018 Nuclear Posture Review and alluded to the idea that for the first time cyberattacks could be met with nuclear deterrence.

The Nuclear Posture Review was originally created by the Department of Defense in 1993 to determine “what the role of nuclear weapons should be.”  The Review is issued in response to a request by Congress; previous reports have been issued in 2002 and 2010 to establish near-term U.S. nuclear policy. The main objective of the Nuclear Posture review is to “ensure a safe, secure, and effective nuclear deterrent that protects the homeland, assures allies and above all, deters adversaries.”

The 2010 Nuclear Posture Review noted that a United States “first use” of nuclear weapons could only be used in a very narrow set of circumstances.  “The 2010 review sought to narrow the roles and mission for nuclear weapon in the U.S. strategy,” said Daryl Kimball, executive director of the Arms Control Association.

However, the new nuclear review brings up the possibility that nuclear weapons could be first used to respond to “extreme circumstances.”  The Review is unclear on  exactly constitutes an “extreme circumstance”, but the Review’s constant mention of the danger of cyberwarfare capabilities of other states suggests that the United States could treat this type of threat as warranting nuclear retaliation.

Some commentators, including Senator John McCain and Representative Mac Thornberry, believe that this deterrence policy is necessary.  They argue that a well-funded military and nuclear program act as a deterrent to future aggression.  That the U.S. infrastructure relies on systems that are open to cyberattack and that these systems are increasingly being attacked bolsters their argument.  In only the second half of 2016 alone, 40% of industrial control systems and critical infrastructure faced some type of cyberattack.

These attacks are not inconsequential.  For example, in 2013, Iranian computer hackers were able to to hack into the computer-guided controls for the Bowman Avenue Dam in Rye Brook, New York.  And while not on U.S. soil, the 2015 cyber attack on Ukraine’s power grid that left 700,000 without power for several hours shows the potential of cyberattacks to seriously damage critical U.S. infrastructure.  Finally, recently the New York Times reported that nuclear power plants across the country have been targeted by cyberattacks.

Some argued that that current U.S. policy did not effectively deter cyberattacks.  President Obama argued that the U.S. “will respond proportionally” against cyberattacks.  Traditionally, these retaliatory options included diplomatic, legal, or economic sanctions against the bad actor.  However, these have not deterred cyber criminals as attacks have continually increased.

On the other side of the spectrum, critics of the change have argued that this policy actually increases the chances of nuclear war.  In an op-ed , Ernest Monin and Sam Nunn of the Nuclear Threat Initiative argue that increasing the range of threats to which nuclear responses may be available “greatly increases the risks of miscalculation or blunder.”  Furthermore, they argue that such policies risk escalating policies in other countries to the point that nuclear use become highly probable.

The Review’s vague language for determining when nuclear response is allowed leaves open to interpretation when this policy may be triggered.  For example, in a well known case from 2014, FireEye, a cybersecurity firm, discovered that Russia had infected much of the electrical grid with malware known as Black Energy.  This was the same version of malware that eventually caused the energy blackout in Ukraine.  However, Russia never triggered the malware against the U.S.  Would this type of incursion into the security of U.S. infrastructure allow a nuclear response?

Furthermore, the U.S. is not innocent in its use of cyberattacks.  For example, the infamous Stuxnet virus that destroyed Iran’s uranium centrifuges was a U.S. cyberattack (in connection with Israel) that caused massive infrastructure damage to the program.  Whether one believes Iran’s version that the uranium was being used for nuclear energy or the U.S. version that it was being developed for nuclear weapons, the virus’s deployment was a serious attack on Iran’s infrastructure. A similar attack on the U.S. could plausibly lead to nuclear war under a doctrine similar to the Nuclear Posture Review.

Now that the U.S. has adopted this policy, new questions arise on what occasions the  U.S. would consider using nuclear deterrence.  Will the policy be construed broadly?  Because deterrence only works if it is treated seriously, will the U.S. flex its muscle on this policy to show is seriousness?  Is this only a short term development or will it become a fixture of U.S. nuclear policy?