Cybersecurity

Anything New Under the Sun? Nuclear Responses to Cyberattacks.

By Herb Lin
Friday, January 19, 2018, 7:00 AM

A recent New York Times regarding the draft Nuclear Posture Review said:

A newly drafted United States nuclear strategy that has been sent to President Trump for approval would permit the use of nuclear weapons to respond to a wide range of devastating but non-nuclear attacks on American infrastructure, including what current and former government officials described as the most crippling kind of cyberattacks.

The Times report acknowledges that the draft review “does not explicitly say that a crippling cyberattack against the United States would be among the extreme circumstances” that would warrant a nuclear response but noted expert judgment that “a cyberattack [is] one of the most efficient ways to paralyze systems like the power grid, cellphone networks and the backbone of the internet without using nuclear weapons.” (I concur with that judgment, though I would argue that bringing down the electric grid on a national scale for an extended period would not be as easy as many people seem to believe.)

Any story about a newly released Nuclear Policy Review is newsworthy, especially when a new administration is assuming the reins of power. The draft Trump review signals an important break with the nuclear policy of the previous administration, in that its tone moves away from one that de-emphasizes the role of nuclear weapons in the U.S. national security strategy. But the proposal for possible first use of nuclear weapons in response to a devastating cyberattack is less of a departure from previous policy than it might seem. For example, the from the Joint Chiefs of Staff states that:

Nuclear capabilities [of the United States] continue to play an important role in deterrence by providing military options to deter a range of threats, including the use of WMD/E [i.e., weapons of mass destruction or effect] and large-scale conventional forces. Additionally, the extension of a credible nuclear deterrent to allies has been an important nonproliferation tool that has removed incentives for allies to develop and deploy nuclear forces. (p. 12)

The 2004 document also stated that:

The term WMD/E relates to a broad range of adversary capabilities that pose potentially devastating impacts. WMD/E includes chemical, biological, radiological, nuclear, and enhanced high explosive weapons as well as other, more asymmetrical “weapons.” They may rely more on disruptive impact than destructive kinetic effects. For example, cyberattacks on US commercial information systems or attacks against transportation networks may have a greater economic or psychological effect than a relatively small release of a lethal agent. (p. 1)

Taken together, these two statements are clear – the United States (in 2004) believed that its nuclear capabilities played an important role in deterring the use of WMD/E, including “cyberattacks on US commercial information systems or attacks against transportation networks” that have a “greater economic or psychological effect than a relatively small release of a lethal agent.”

Does the 2018 document articulate a new policy regarding the use of nuclear weapons to respond to devastating cyberattacks? In the context of the 2004 statements, the policy enunciated in the draft Nuclear Posture Review is more of a return to past policy and practice than an entirely new policy. To be sure, Obama administration statements about declaratory nuclear policy did not explicitly couple the two, and I know from various conversations with Obama administration officials that the lack of such coupling was not an inadvertent oversight. But the Times article quoted Gary Samore, a nuclear adviser to President Obama, as saying that a good deal of the draft strategy “‘repeats the essential elements of Obama declaratory policy word for word’—including its declaration that the United States would ‘only consider the use of nuclear weapons in extreme circumstances to defend the vital interests of the United States or its allies and partners.’”

Moreover, even the Obama administration’s declaratory policy did not categorically or explicitly rule out the use of nuclear weapons in response to certain kinds of cyberattacks. As the Times article suggested, the difference between the Obama and Trump administrations lies in what each administration would define as the “devastating consequences” or “extreme circumstances” that could or would warrant a nuclear response. And if that is the case, concerns should focus on whether the nation should place more or less trust in the judgment of those who would be making those decisions for the Trump administration as compared to their counterparts under President Obama.