Mutually Assured Disruption
Executive Summary
Click Here to Read the Full Report
The nuclear era began long before there was an awareness that international relations would be strategically and irreversibly shifted. The technology outpaced the policymaking and even the awareness or understanding of consequences. The cyber domain has similarly materialized in global affairs at lightning speed. While vastly different in material ways, both nuclear and cyber weapons are strategic capabilities that tilt the battlefield with a different calculus than traditional means of warfare.
Two facets particularly stand out and connect these otherwise isolated policy topics. One is the question of strategic continuance, for it is important that we examine the relevance of the strategic underpinnings of the nuclear era as they are shifting in the new cyber era. As policy thinkers and analysts, it is valuable to deconstruct and piece together shifts in the tectonic plates of the global order over the last few decades. In doing so, we must not ignore the technical shifts in capabilities, and so the other question is that of the intersection between cyber and nuclear capabilities, particularly on a tactical level. Both themes emerge, in different but equally relevant ways, throughout this analysis.
Today, cyber and nuclear capabilities are entangled in complex and dangerous respects that are not discussed or addressed often enough. Both domains – and the specialists, experts, engineers, technologists, policymakers, and practitioners associated with each – exist and operate in siloed spaces. This makes it particularly difficult to bridge the communities and make each aware of the threats against or concerns of the other. For this reason, such analysis is not only highly valuable, but critical.
The nuclear era spurred its own rules of the game – implicit and explicit – due to the existential risks deployment would pose to the entirety of mankind. Thus, even nations with very different interests came to follow a certain code of conduct, recognizing that all other interests were secondary to survival. This led to a decades-long continuance of the principle of Mutually Assured Destruction, which endured through the Cold War. While great powers such as the United States and the Soviet Union continued to push conflict to the brink in other domains, there remained a certain stability at the strategic level.
The stability of the nuclear era was further cemented due to the relatively high threshold for entry into the nuclear club, which allowed only a small and elite group of sophisticated countries in, vesting them with an element of control in balancing power. One of the most prohibitive barriers to entry was the lack of means – especially financially, with exorbitant costs linked to each step of nuclear development.
The threshold for entry into the cyber club is low. The comparison is especially stark when measuring cost as a barrier to entry. Technical know-how and expertise further tip the scales. Thus, cyberspace is relatively accessible for offensive purposes, with comparatively high prospects for success. Further, the infrastructure’s basic insecurity along with the lack of an agreed-upon normative framework means the technology exists in a gray area – easily exploitable by states and individuals.
The evolution of cyber conflict has also led to a shift in strategic culture. Cyber and nuclear create and exist in very different strategic environments. Nuclear weapons favor revealing capabilities for the extension of stability, whereas cyber weapons favor concealing capabilities to maintain a degree of strategic surprise and offensive advantage. The fact that these realities now coexist – along with conventional weapons – represents the fundamental and distinct paradox of our day and age, often complicating interstate relations on multiple levels.
***
It is vital to ask if the nuclear age is then the right analogy, with all the questions it raises – about controlling weapons, deterrence, mutually assured destruction, the risks of proliferation, and the risks of destabilization. All the questions might be the same, but the answers vastly differ.
The emphasis here is on evaluating points of convergence or divergence in the strategic thinking of the nuclear and cyber eras. Is there significant overlap or are we now operating with two different road maps in two different dimensions? Do core principles still apply or must we work with a whole new set of assumptions? Can the same behavior be expected and can the known elements of defense and deterrence be accordingly extended? Deterrence has been an often confused and misunderstood concept in the bridge from nuclear to cyber – a point of departure, and thus, a critical place to begin.
While it may not be the perfect term, it lends a few valuable characteristics to cyber thinking. Of course, cyber deterrence is closely tied to political (and technical) attribution – a task that is less mysterious with nuclear weapons. Yet, there remains a facet of retaliation that serves the function of credible deterrence even in cyber conflict.
The elusive question is: what would it take to create credible deterrence in the cyber realm – where there is no visible count of warheads as in the nuclear realm, where there is no magical missile detection or catchall missile defense? The U.S. military, policymakers, and experts are still grappling with this question and there is not yet a clear-cut answer. As the thinking continues to evolve and refine, it is worth highlighting the disparity between the growing number of offensive cyber incidents and the lack of substantial responses to them. It is, in fact, difficult to name a significant cyber incident in the post-Stuxnet era where the offender paid a serious price. North Korea (and Russia) know this.
***
Undoubtedly, the strategic impacts of cyber use are not as well defined as nuclear use, wherein the calculus is straightforward and the effects as well as the consequences are unambiguous. When a state is deciding whether to deploy nuclear weapons, the decision makers unquestionably know there will be an equal response with devastating force. Retaliation does not come with a question mark, but an exclamation point. With cyber capabilities, on the other hand, the effects and the response to those effects are blurry and the calculus is complex.
One of the key fears surrounding any discussion on cyber and nuclear weapons is the security of the latter from attacks using the former. Theoretically speaking, this is a justified concern, as all systems using any type of computer software are subject to cyber attacks and manipulation. In fact, nuclear systems have always been vulnerable to attackers to some degree; cyber attacks simply present a new means, not a new challenge. Ultimately, nonetheless, the weakest link is the human behind the system.
***
Russia stands as a pivotal player in both the nuclear and cyber clubs. Despite much posturing over the years, Russia has refrained from actually using nuclear weapons with good reason. Russia is highly cognizant of the different factors at play in different conflicts with different adversaries. With the near enemy, central considerations are always the proximity and the likelihood for blowback and fallout. With the far enemy, Russian brass is well aware of the retaliation and escalation that would lead to mutually assured destruction. The story is different in the cyber domain, allowing the astute nation greater creativity and freedom. Russia has always been masterful at information operations with both external conflict and internal persuasion. Cyberspace merely facilitates an extension of this aptitude. And cyber operations harness a far wider array of options – both traditional and hybrid. This is Russia’s gray area and it is becoming quite comfortable here.
China is another major player in both the nuclear and cyber clubs. With quite a different modus operandi than Russia, it is imperative to deconstruct China’s approach on each track. Does Chinese doctrine form any explicit links between nuclear and cyber capabilities? Or, are the two treated as separate and distinct? Where Russia often lives in the gray area of hybrid operations, China conducts integrated and broad military operations. Cyber means are typically part and parcel with modern day joint operations and seldom separated tactically or strategically. The goal is to get a head start with all the tools necessary to fight what China sees as the wars of the future: informatized wars.
It is worth recalling that China’s motives in the cyber dimension have most frequently been fueled by a perceived imbalance when it compares itself to superpowers and competing nations. This has been especially true in terms of economic growth, which lends itself to cyber espionage – mainly in the corporate world. Yet this has not entirely precluded China from also pursuing space, civilian, or military targets – especially in seeking out information on adversary’s policies, key personnel, and operational protocols. It all goes back to the integrated approach embedded in China’s operational psyche.
North Korea’s nuclear and cyber realities in this hybrid age deserve a closer look as well. On the nuclear front, the possession of such endangering weapons in the hands of a rogue state has been cause for concern from a U.S. standpoint – not to mention the risks of destabilization on the Korean peninsula and the fallout to the region, or the risks of proliferation to other rogue states and nonstate actors.
North Korea is also an interesting point of discussion when studying cyber as a full-scope weapon. Kim Jong-un seems astutely aware of this. Assessing some of North Korea’s previous cyber attacks (such as the 2014 Sony Pictures hack) demonstrates an awareness of the advantages to using cyber means over conventional weapons or modes of attack. The latter would almost certainly guarantee retaliation. The North Koreans have calculated that cyber is in fact a great short-of-war weapon.
***
Cyberspace stands as its own domain for conflict to manifest, but it simultaneously impacts traditional domains and strategic thinking in unprecedented ways. This is especially palpable in the nuclear realm. The coinciding existence of these two strategically impactful elements of national security creates an uncertain environment that is still being explored and analyzed. This new era cannot – must not – be left to the wayside. It can irreversibly impact interstate relations, balance of power, and global stability.
Times have changed alongside priorities. The safeguards we took for granted may or may not be able to prevent nuclear proliferation, and we may yet see more aspirants or copy-cats to come. The emphatic lesson here is that while the nuclear problem lives on, the principles deriving from nuclear security may in fact be dying. In other words, nuclear threats may continue to remain paramount – making this a global security challenge we have not yet left behind.
The reduction of certainty has only been exacerbated by the tenuous nature of operating in the ‘Wild West’ of cyberspace, where no clear rules have ever existed. In fact, we seem to be living in an era where experimentation prevails and rules writ large are designed and adjusted casually for individual states’ convenience, rather than formalized and cemented for mass observance. The absence of rules in the cyber domain has been a significant and complicating factor for both the nuclear and cyber spheres.
As cyberspace has become a fundamental dimension of modern life, it has touched every other facet of the current world order. It has altered the operating environment as well as the strategic culture that for decades underpinned global stability and security – from the nuclear to the conventional domain.
Where the nuclear era was defined by a degree of transparency, cyberspace is inherently opaque and invisible. It is tricky business to navigate through this dark space without any radar on what our adversaries are doing, how fast they are traveling, which direction they are going, or what their destination is. Add to this the reality that nuclear systems – facilities, weapons, command and control – could all be targets on the cyber highway. What is needed is greater communication and clarity in order to steer clear of everything from accidents and exploitations to provocations and incitements.