Corbin Stevens is an intern in the Council on Foreign Relations Digital and Cyberspace Policy program and a graduate student at Princeton University’s School of Public and International Affairs.
A growing body of research asserts that cyber operations could cause nuclear crisis instability by creating pressure on leaders to use nuclear weapons preemptively. State actors have developed cyber capabilities conceivably sophisticated enough to allow them to compromise the digital components of a country’s nuclear weapon infrastructure, such as early-warning satellites, nuclear command, control, and communication (NC3) systems, and even possibly the delivery systems themselves. The findings of this research suggest that due to the secretive nature of cyber operations and the wide array of vulnerable targets, decision-makers have a justified fear that their nuclear deterrent could be compromised by a cyberattack at a moment’s notice and, in a crisis situation, feel pressure to use nuclear weapons before they could be affected.
Two pathways have been identified for dealing with this escalatory risk: creating cyber norms that limit the targeting of nuclear systems, and having states demonstrate unilateral restraint when conducting cyber operations. However, the current cyber doctrines of nuclear-armed states fail to acknowledge the risk of nuclear crisis instability and even actively undermine these two pathways toward strategic stability.
Looking at the United States’ National Cyber Strategy, the main area of concern is the increasing lack of distinguishability between offensive and defensive cyber operations. On the offensive side, the Department of Defense’s (DOD) cyber strategy calls for “conducting cyberspace operations that enhance U.S. military advantages” and has been pointedly silent about whether it would target nuclear systems as part of this mandate. On the defensive end, DOD and Cyber Command, acknowledging the difficulty of cyber deterrence, have recently adopted the doctrine of persistent engagement, which aims to enforce cyber norms through continuous cyber operations against adversary states to prevent cyberattacks from reaching U.S. networks. While much has been written about how many of these “defending forward” operations comply with and reinforce some of the explicit norms recognized by multilateral bodies, less has been said on how an adversary state is supposed to distinguish between these defensive operations and offensive ones. From a technical and normative standpoint, all a state sees is the United States conducting more cyber operations against its networks.
This behavior could fuel nuclear crisis instability due to the growing problem of nuclear entanglement, where a state’s nuclear and conventional military forces are commingled, share components, or are considered dual-use in their functionality. For example, a state’s NC3 systems would be entangled if they also directed non-nuclear military assets. Given that dual-use networks are not clearly delineated, even if Cyber Command were conducting defensive cyber operations, it could easily end up on dual-use networks. The adversary state, unable to distinguish this from an offensive operation, might interpret this as an attempt to undermine its nuclear deterrent and thus conclude that its nuclear weapons would be vulnerable in a crisis situation. With the United States placing a greater emphasis on continuous cyber operations, there is a higher likelihood of these sorts of incidents occurring and subsequently deteriorating perceptions of strategic stability.
The second main issue is that U.S. cyber strategy has apparently seen a recent reduction in civilian oversight, undermining efforts to demonstrate unilateral restraint. National Security Presidential Memorandum-13 (NSPM-13), which codified persistent engagement, removed the Obama administration-era requirement for presidential approval for cyber operations. Despite being passed in late 2018, NSPM-13 was only made available to Congress in March 2020 after months of demands from lawmakers. Additionally, recent reporting indicates that President Trump issued a secret presidential finding in 2018 allowing the Central Intelligence Agency to engage in forms of covert cyber action without White House approval.
With the approval process for cyber operations increasingly delegated to government agencies and congressional access to the interagency process limited, senior U.S. civilian leadership cannot be sure what their country’s cyber operations are targeting at a given moment. Consequently, even with the best intentions, they are unable to ensure that U.S. cyber operations do not lead to inadvertent escalation or fuel nuclear crisis instability. Further, they are unable to demonstrate to other states’ leadership that they will have adequate control over the United States’ cyber operations during a crisis situation.
It is important to acknowledge that the shift to more proactive cyber operations has addressed valid national security concerns and allowed the United States to better combat cyber threats. Still, despite these defensive gains, the U.S. government needs to address the risk of crisis instability caused by cyber operations and begin to incorporate adequate risk management into the interagency process. However, it is unlikely that such a policy change will gain traction until similar efforts are taken by the United States’ main nuclear-armed adversaries, Russia and China. This poses a much more difficult situation that will be discussed in Part 2.