Spring 2020

Cyber Warfare & Inadvertent Escalation

James M. Acton

The advent of cyber warfare exacerbates the risk of inadvertent nuclear escalation in a conventional conflict. In theory, cyber espionage and cyberattacks could enhance one state’s ability to undermine another’s nuclear deterrent. Regardless of how effective such operations might prove in practice, fear of them could generate escalatory “use-’em-before-you-lose-’em” pressures. Additionally, cyber threats could create three qualitatively new mechanisms by which a nuclear-armed state might incorrectly conclude that its nuclear deterrent was under attack. First, cyber espionage could be mistaken for a cyberattack. Second, malware could accidentally spread from systems that supported non-nuclear operations to nuclear-related systems. Third, an operation carried out by a third party could be misattributed by one state in a bilateral confrontation to its opponent. Two approaches to risk reduction are potentially viable in the short term: unilateral restraint in conducting potentially escalatory cyber operations, and bilateral or multilateral behavioral norms.

James M. Acton holds the Jessica T. Mathews Chair and is Co-Director of the Nuclear Policy Program at the Carnegie Endowment for International Peace. His recent work includes the 2018 International Security article, “Escalation through Entanglement: How the Vulnerability of Command-and-Control Systems Raises the Risks of an Inadvertent Nuclear War.”

Cyber weapons may be relatively new, but non-nuclear threats to nuclear weapons and their command, control, communication, and intelligence (C3I) systems are not. In fact, before the United States dropped the bomb on Hiroshima in August 1945–before it even conducted the world’s first nuclear test in July of that year–it had started to worry about non-nuclear threats to its nascent nuclear force, in particular, Japanese air defenses. As the Cold War developed, fears multiplied to encompass threats to almost every component of the United States’ nuclear forces and C3I systems. While these threats emanated primarily from Moscow’s nuclear forces, they were exacerbated by its improving non-nuclear capabilities, particularly in the final decade of the Cold War. A two-decade hiatus in worry following the Soviet Union’s collapse is now over; today, non-nuclear threats to U.S. nuclear C3I assets–in particular, the growing capability of Chinese and Russian antisatellite weapons–are a major concern.

The United States’ experience is the norm. All nuclear-armed states have felt, and continue to feel, similar concerns. Indeed, the last few decades have seen the emergence of new potential vulnerabilities–this time in cyberspace–as nuclear weapons and C3I systems have come to rely increasingly on digital technology. To be sure, the networks involved in nuclear operations are almost certainly among the most secure anywhere. Yet there is broad agreement among technical experts that perfect network security is “impossible.” As a result, the possibility of cyber interference with nuclear forces and C3I systems is real.

. . . 

To read this essay or subscribe to Dædalus, visit the Dædalus access page