Former counter-terrorism official Richard Clarke, famous for criticizing the Bush administration’s lax stance toward terrorism before 9/11, and former Clinton administration National Security Council official Steve Andreasen addressed the wisdom of responding to a cyber attack with nuclear weapons in a recent Washington Post op-ed. They wrote:
The Pentagon’s Defense Science Board concluded this year that China and Russia could develop capabilities to launch an “existential cyber attack” against the United States. … “While the manifestation of a nuclear and cyber attack are very different,” the board concluded, “in the end, the existential impact to the United States is the same.”
Yes, I know. How can you conflate the effects of a nuclear attack with that of a cyber attack, no matter how devastating? Clarke and Andreasen continue.
Because it will be impossible to fully defend our systems against existential cyberthreats, the board argued, the United States must be prepared to threaten the use of nuclear weapons to deter cyberattacks.
A salient passage of the report, titled Resilient Military Systems and the Advanced Cyber Threat, reads:
In the process of conducting this study, it became apparent that the full spectrum cyber threat represented by a Tier V-VI capability is of such magnitude and sophistication that it could not be defended against. As such, a defense-only strategy against this threat is insufficient to protect U.S. national interests and is impossible to execute. Therefore, a successful DoD cyber strategy must include a [nuclear] deterrence component.
The Board took its cue from the 2010 Nuclear Posture Review which, Colby writes, stated that the
… United States would only consider the use of nuclear weapons in “extreme circumstances.” … Presumably one would characterize a catastrophic Tier V-VI adversary cyber attack on the United States as “extreme circumstances” … so that is not precluded in the stated policy, but it is not explicitly mentioned.
At the National Interest, Eldridge Colby, a representative of the Department of Defense in New START negotiations, responding to Clarke and Andreasen’s op-ed, elaborates on what makes an attack worthy of nuclear reprisal. It would have to threaten our survival and be
… of such magnitude and duration that it would be essentially unmistakable as an existential attack … attacks which lead to planes falling out of the sky, water and power shutting off, communications dying, food rotting, and the like.
Colby writes that along with “the costliness of cyber defenses, and the affordability of cyber offenses,” attribution makes “the contemporary cyber domain a classic offense-dominant arena, one in which the attacker has huge advantages.”
The word “attribution” is often applied to determining the origins of a nuclear-weapons attack, especially if mounted by a terrorist group that fails to identify itself. In other words, attribution not only makes cyberspace an “offense-dominant arena,” as Colby asserts, it makes it difficult to decide who to retaliate against. From the report itself:
The cyber threat highlights another key element of deterrence theory–attribution. Providing attribution against an isolated cyber attack can be slow and difficult. However the Task Force believes that attribution can be accomplished for attacks that would reach the level of really harming the country, because attacks of that scale require planning and multiple attack vectors–which usually leave clues.
Which can take ages to track down – have the perpetrators of the Stuxnet attacks of 2010 ever been identified beyond a shadow of a doubt? Also, as with a terrorist group using nuclear weapons, who do you target in reprisal? Certainly not the terrorists’ state of origin. Nor the state from which it obtained its weapons unless the state that was attacked is able to prove that, for example, Pakistan actually provided militant extremists with weapons.
Then Colby writes that Clarke and Andreasen
… would presumably argue that the United States should indeed rely on deterrence to deal with this offense dominance problem—but only by using non-nuclear forces. [A] flaw in this approach [is that] even under favorable conditions it is unclear that our conventional forces alone could do enough damage to outweigh the advantages from crippling the United States that would accrue to a committed adversary in a conflict.
Say what? Colby writes as if he has no idea of the devastating damage that our conventional forces unleashed to their fullest extent – God forbid – could inflict. In the very next sentence he writes:
More to the point, if the United States found itself under existential cyber attack it would have to reckon that its conventional military forces would be … significantly degraded in capability.
He’s speaking of damage to the military’s computer network(s). But is nuclear command and control that less likely, if at all, to be taken offline by a cyber attack?
Ultimately, this could jump-start the arms race. Clarke and Andreasen again:
Russia and China would certainly take note — and presumably follow suit. Moreover, if the United States, Russia and China adopted policies threatening an early nuclear response to cyberattacks, more countries would surely take the same approach.
Kiss disarmament goodbye for another generation or three.
Against that backdrop, maintaining momentum toward reducing the role of nuclear weapons in the United States’ national security strategy (and that of other nations) — a general policy course pursued by the past five presidents — would become far more difficult.
On another troubling note, I can’t help but wonder if, presented with the option to extend nuclear deterrence to cyberwar, much of the public will respond: “See? We really do need nuclear weapons after all.” Deprive us of shopping online with two-day shipping and no doubt calls of “nuke ’em” will be heard across the land.