Cyber Attacks and the Dangers of Hacking the Bomb

The United States’ pre-emptive cyberwar doctrine formulated around “strategic strike in milliseconds” has been tacitly acknowledged by U.S. defense officials over the years and was partially confirmed by the leaked Presidential Policy Directive/PPD-20 signed by U.S. President Barack Obama in October 2012.

In March 2017, The New York Times revealed a clandestine U.S. campaign of sophisticated cyberattacks against North Korea’s ballistic missile program that appears to be in line with this pre-emptive doctrine. It was the first public disclosure of U.S. “left of launch” operations in cyberspace, i.e. the use of offensive cyber weapons or electromagnetic warfare to pre-emptively strike and disable ballistic missiles before they ever reach the launch pad or seconds after they are fired.

While “left of launch” operations can also be conducted via conventional means (for example, via conventional prompt global strike weapons that allow the United States to conduct precision strikes anywhere in the world in as little as an hour), it is the use of offensive weapons to disrupt nuclear-capable ballistic missile arsenals that has the greater potential to disrupt nuclear strategic stability and accelerate conflict among nuclear powers.

Among other reasons, should a nuclear arsenal and its command and control (C2) systems come under cyberattack, it is difficult – given the secrecy surrounding offensive cyber capabilities – to immediately assess the damage to a country’s nuclear strike capability, which can invite disproportionate retaliation. With conventional pre-emptive strikes, the damage to a nuclear arsenal can be more easily assessed and appropriate and measured responses up the “escalation ladder” adopted.

The potentially greater danger stemming from offensive cyber weapons rather than conventional weapons when it comes to nuclear escalation is not meant to imply that conventional global strike capabilities currently under development in the United States cannot also have an escalatory effect on nuclear strategies in China, Russia, and North Korea in addition to other nuclear powers.  This article merely posits that the cascading effects of a cyber attack on nuclear forces pose a likely higher risk factor to global strategic nuclear stability than conventional strikes. 

Indeed, unlike conventional strikes, cyber attacks not only threaten the positive control of nuclear weapons (i.e. the guarantee that a nuclear weapon can be fired at a moment’s notice under all circumstances) but also affect its negative control – the guarantee that a nuclear weapon is not fired by accident or operated by any unauthorized third party as, for example, seen in the 1980s movie War Games. I described such a scenario in the context of the U.S.-Russia nuclear competition in a 2015 article for The Diplomat:

First, sophisticated attackers from cyberspace could spoof U.S. or Russian early warning networks into reporting that nuclear missiles have been launched, which would demand immediate retaliatory strikes according to both nations’ nuclear warfare doctrines. Second, online hackers could manipulate communication systems into issuing unauthorized launch orders to missile crews. Third and last, attackers could directly hack into missile command and control [C2] systems launching the weapon or dismantling it on site...

The bottom line is that while all of this appears unlikely to occur on a large scale, the increasing complexity as a result of computerization and digitization of nuclear C2 is opening up new vectors of attack. Policymakers have to labor under the assumption that computer systems used for controlling a country’s nuclear arsenal contain inherent vulnerabilities that can be exploited by hackers. (Not to mention the more prevalent danger of cyber espionage operations that can undermine a country’s nuclear deterrence posture by stealing information about nuclear weapons designs or operational procedures.)

It is important to realize that cyber as a warfighting domain cannot be decoupled from a country’s nuclear weapons posture. The two are interlinked and cyber defensive and offensive capabilities will play an increasingly larger role in debates about a country’s nuclear strategy and nuclear deterrence. Analyzing the growing entanglement of the cyber and nuclear domains, three likely consequences come to mind.

First, countries with a no-first-use policy (i.e. the pledge not to launch a nuclear attack unless attacked) like China will perhaps be incentivized to rethink this policy in the face of growing uncertainty as to whether its nuclear forces will in fact be capable of responding in the event of an nuclear attack by an outside power that is preceded by strategic cyber strikes against Chinese nuclear C2 systems.

Second, given the growing vulnerability of nuclear weapons to cyber attacks, we might see an expansion in the number of deployed nuclear forces rather than a reduction given the uncertainty over the operational readiness of nuclear missiles. China, for example, could abandon its so-called minimum nuclear deterrent. Consequently, it is also fair to assess that a nation’s cyber capabilities will have a direct impact on any nuclear arms control and reduction negotiations.

Third, given the rising cyber vulnerabilities of nuclear arsenals, debates will continue in the United States over the utility of its so-called Launch Under Attack capability, which demands that the U.S. military detect the launch of Russian intercontinental ballistic missiles and launch retaliatory nuclear strikes before they take out U.S. missile silos on the continental United States. Nuclear missiles on hair-trigger alert connected to an early-warning system that is spoofed into believing that an attack is underway could result in consequences too terrible to contemplate.