Last month, the Trump administration officially unveiled the results of a year-long review of the United States’ nuclear posture and its strategic vision for how to incorporate nuclear capabilities into an overarching security strategy. In the official White House press release announcing the publication of the 2018 Nuclear Posture Review (NPR), President Trump states that this strategy “enhances deterrence of strategic attacks against our Nation, and our allies and partners, that may not come in the form of nuclear weapons.” The NPR makes clear that the American nuclear arsenal serves a deterrent purpose not only against nuclear threats, but also against “non-nuclear aggression,” including cyber threats. It also emphasizes that the United States’ non-nuclear forces, though an important component of its overall deterrent strategy, “do not provide comparable deterrence effects—as is reflected by past, periodic, and catastrophic failures of conventional deterrence to prevent Great Power war before the advent of nuclear deterrence.” Thus, it seems that while the Trump administration’s nuclear strategy considers non-nuclear actions as legitimate causes for retaliation, it sees a nuclear response as the most effective threat against those actions.
This reference to the use of nuclear weapons against non-nuclear attacks, and its explicit inclusion of cyber attacks as part of the “unprecedented range and mix of threats” the United States is facing, has sparked speculation that the administration plans to seriously contemplate nuclear retaliation as a potential option against cyber attacks. Indeed, the NPR specifically highlights the cyber threat to nuclear command, control, and communications systems as a vulnerability of considerable concern. If the administration is in fact considering nuclear retaliation against cyber attacks, this approach represents a new role for the American nuclear arsenal and therefore deserves some careful analysis as to its legal and practical merits. First of all, can the United States, according to internationally recognized legal parameters regarding the conduct of conflict, respond to a cyber attack using nuclear weapons? And, if this type of response is available as a theoretically legal option, will it prove effective in practice? The answers to these questions could shape not only the effectiveness of US foreign policy, but also shape the behavior of our allies and adversaries and have significant consequences for America’s reputation and role in the international system.
The Legal Case for Nuclear Retaliation
The United States has long claimed that existing international law applies in cyberspace. The UN Charter serves as the main source of international law for how states should behave in times of war, otherwise known as the “law of armed conflict,” exhorting all members to “refrain in their international relations from the threat or use of force against the territorial integrity or political independence of any state.” Nevertheless, it also acknowledges the “inherent right of individual or collective self-defense” in the face of an armed attack, thus establishing the legal parameters within which the use of force is appropriate. However, neither the UN nor the United States have clarified what constitutes an armed attack in cyberspace.
The Tallin Manual, widely accepted by the legal community as the definitive document outlining how the law of armed conflict applies to cyberspace, tries to resolve these questions by treating cyberspace as a physical domain. Therefore, an attack in cyberspace is a violation of sovereignty in the same way as a physical invasion. Thus, according to international law, an attack in cyberspace constitutes an armed attack against which a state has the right to self-defense.
Though this sounds rather straightforward, there is no universally accepted understanding of what constitutes an armed attack in cyberspace. Legal scholars have developed a set of three approaches by which to evaluate whether a belligerent action crosses the threshold of an armed attack.
The instrument-based approach deems only those attacks using “traditional weapons with physical characteristics” to constitute armed attacks. According to this view, cyber attacks never reach the threshold of an armed attack, regardless of the resulting destruction. The second approach is the target-based perspective and considers the type of system against which the attack is conducted. This approach would consider an attack against any physical structure, especially critical infrastructure, an armed attack. However, this approach does not factor in the severity of the attack and therefore includes acts of espionage against critical infrastructure systems, which are generally accepted as legal according to international law, as armed attacks. This perspective is arguably far too inclusive and creates an unnecessary risk of escalation over relatively minor cyber offenses.
While the instrument-based approach is highly restrictive and the target-based one arguably too permissive, the effects-based framework attempts to navigate a middle ground by considering the effects of a cyber attack. The effects-based definition considers a cyber attack to be an armed attack if its effect is “equivalent to that of an armed attack carried out by physical weapons.” A memo published the by Joint Chiefs of Staff in 2011 clarifying terminology for cyberspace operations reflects this. Though the memo does not explicitly identify what constitutes an armed attack, its definition of a cyber attack emphasizes its effects on both “critical cyber systems” and physical infrastructure or command-and-control capabilities. Thus, the US national security apparatus seems to accept the effects-based approach to defining an armed attack in cyberspace.
Once an action has been identified as an armed attack, the question becomes one of response. An subsequent version of the Tallinn Manuel,Tallinn Manual 2.0, also evaluates the legally appropriate use of countermeasures in response to a cyber attack, stating that “non-cyber countermeasures may be used in response to an internationally wrongful act involving cyber operations, and vice versa.” However, international law still stipulates that the response must be proportional to the attack; that is, the effects of the countermeasure should not significantly outweigh the effects of the original attack.
If we combine this view of what constitutes an armed attack and legal response with the ambiguous language of the 2018 NPR, it is not unreasonable to reach the conclusion that a cyber attack on critical national infrastructure could be deemed an armed attack against which the United States could respond with non-cyber means. Currently, the Department of Homeland Security has identified sixteen sectors—including the energy, financial services, information technology, and health and public health sectors—as critical infrastructure. It thus follows that, if the severity of an attack on the financial sector or energy grid were to cause a significant enough amount of damage, it could, theoretically, legally merit a nuclear response.
The Practical Deterrent Effect
Just because an action is legal does not necessarily mean it is effective. Deterrence relies on the belief that the threat of pain can shape an adversary’s behavior by forcing a cost-benefit analysis. If the cost (the threat of pain) of perpetrating an action is higher than the benefit to be gained by that action, the adversary will be deterred from carrying it out. Defense and administration officials should evaluate whether a policy that allows for a nuclear response to cyber attacks will successfully deter our adversaries, taking into consideration the unique characteristics of cyberspace and the current international geopolitical environment.
The 2018 NPR claims that “in the absence of U.S. nuclear deterrence, the United States, its allies, and partners would be vulnerable to coercion and attack by adversaries who retain or expand nuclear arms and increasingly lethal non-nuclear capabilities.” As the NPR points out, “U.S. nuclear capabilities have made essential contributions to the deterrence of nuclear and non-nuclear aggression,” as well as the absence of Great Power war. Given the success of nuclear deterrence, it is not surprising that its logic and rhetoric have become firmly entrenched in the strategic and military discourse around cyber warfare. Pick up a book, read an article, or attend a cyber conference and you will inevitably encounter a discussion about how to “deter” in cyberspace and the possible effects of a cyber “arms race.” Indeed, the US government reflects this theoretical bias both structurally and substantively: US Cyber Command was once under the control of US Strategic Command, the Department of Defense’s unified command responsible for maintaining and operating the instruments of US Cold War nuclear deterrence strategy. And while Cyber Command’s ongoing transition to a unified command “demonstrates the increased US resolve against cyberspace threats,” the defense community continues to try to fit the square cyber threat into the proverbially round deterrence hole. In 2017, the Defense Science Board published a report outlining what it views to be the three major cyber deterrence challenges and proposing recommendations for how to respond to them. It seems, at least in national security circles, that the concept of deterrence and cyberspace are inextricably linked.
However, the jury is still out as to whether nuclear weapons can effectively deter in cyberspace. The very nature of the domain presents challenges to the effective use of deterrence therein. Two key challenges—that of attribution and how to demonstrate resolve—complicate a state’s ability to use the threat of pain to reshape an adversary’s cost-benefit calculations. Despite advances in cyber forensics, attackers can still mask their identities through a variety of technical and legal means. Moreover, state actors can conceal their involvement by perpetrating attacks through proxy actors. This ability to obscure an attacker’s identity or involvement obviously minimizes the potency of the deterrent threat because the ability to successfully retaliate is greatly reduced.
Even if the perpetrator of an attack can be identified, effective deterrence also requires demonstrating the resolve to follow through on a threat. In a recent press conference, Gen. Paul Selva, the vice chairman of the Joint Chiefs of Staff, denied that the Pentagon was considering using nuclear weapons in response to cyber attacks. Other defense officials have since expressed similar sentiments. This lack of clarity between a published policy document and its interpretation by those charged with carrying it out does not signal the level of resolve necessary for a deterrent strategy to be effective.
Finally, this strategy should take into consideration the likely response of our adversaries. While our Cold War strategy was effective at preventing nuclear war, it led to an arms race between the United States and the Soviet Union, arguably leading to the proliferation of nuclear weapons that set the stage for current security challenges, such as Iran and North Korea’s pursuit of a nuclear capabilities. Would the 2018 NPR’s expansion of the United States’ nuclear deterrence strategy truly constrain our adversaries’ behavior or incentivize those with their own nuclear capabilities to mimic our policy by also expanding the circumstances in which they would use them? Arguably, this strategy would be less effective against such states, like Russia and China. As the 2018 NPRoutlines, Russia has been modernizing its existing systems and developing new ones, including an undersea autonomous torpedo and a ground-launched cruise missile in violation of the 1987 Intermediate-Range Nuclear Forces Treaty. Similarly, China has been expanding its nuclear capabilities. Though its arsenal remains relatively small, it deployed nuclear-powered ballistic submarines within the last year and is planning to field its next-generation submarines within the next decade. Given that the 2018 NPR considers these states, along with North Korea, to represent the greatest threats to US national security, officials must objectively evaluate whether the proposed strategy will actually help deter them or only further incite them.
The Leader of the Free World
In addition to the legal and practical implications of this strategy, the Trump administration should also ponder the normative effects of this new plan. That is, even if the strategy is legal and could work in practice, should the United States adopt a policy that expands the circumstances under which it will use its nuclear weapons? In a recent article, Jacquelyn Schneider and Sarah Kreps share the results of their research showing that Americans are less likely to support retaliation for a cyber attack than a physical attack with the same results. If Americans hold this opinion, our allies might feel similarly. Though the United States remains the world’s strongest military and economic power, it relies on allies and partners in both realms. The 2018 NPR reflects a significant shift in US policy that for decades has sought the reduction of nuclear arms towards one that will modernize and expand our arsenal, potentially encouraging our adversaries and many of our allies to do the same. Ultimately, the Trump administration must ask itself whether this policy will achieve its objectives of safeguarding the homeland, assuring allies, and deterring adversaries, or if it will have the exact opposite effect and undermine global security.