The flawed analogy between nuclear and cyber deterrence

“If Internet security cannot be controlled, it’s not an exaggeration to say the effects could be no less than a nuclear bomb,” said General Fang Fenghui, Chief of General Staff of the People’s Liberation Army of China, in April 2013. General Fang is not alone in drawing comparisons between nuclear and cyber weapons during the past few years. Secretary of State John Kerry responded to a cyber security question during his confirmation hearings in January 2013 by saying, “I guess I would call it the 21^st century nuclear weapons equivalent.” That same year, Russian Deputy Prime Minister Dmitry Rogozin praised cyber weapons for their “first strike” capability. Since 2013, a number of leaders in the US national security establishment—including former National Security Advisor Brent Scowcroft in January 2015, Admiral Michael Rogers of Cyber Command in March 2015, and Director of National Intelligence James Clapper in February 2016—have stated that the threat posed by cyber weapons is comparable to, or greater than, that of nuclear weapons. The list of high-ranking officials who have made an analogy between the fundamentally different nuclear and cyber weapons systems, and are using this flawed analogy as a basis for policy, is a long one.

On the surface, the analogy is compelling. Like nuclear weapons, the most powerful cyber weapons—malware capable of permanently damaging critical infrastructure and other key assets of society—are potentially catastrophically destructive, have short delivery times across vast distances, and are nearly impossible to defend against. Moreover, only the most technically competent of states appear capable of wielding cyber weapons to strategic effect right now, creating the temporary illusion of an exclusive cyber club. To some leaders who matured during the nuclear age, these tempting similarities and the pressing nature of the strategic cyber threat provide firm justification to use nuclear deterrence strategies in cyberspace. Indeed, Cold War-style cyber deterrence is one of the foundational cornerstones of the 2015 US Department of Defense Cyber Strategy.

However, dive a little deeper and the analogy becomes decidedly less convincing. At the present time, strategic cyber weapons simply do not share the three main deterrent characteristics of nuclear weapons: the sheer destructiveness of a single weapon, the assuredness of that destruction, and a broad debate over the use of such weapons.

The development of fission and then fusion nuclear weapons made it possible to inflict truly unacceptable costs upon an adversary. The invention of delivery technologies—such as secure second-strike capabilities, intercontinental ballistic missiles, and nuclear payloads with multiple independently targetable reentry vehicles—guaranteed the credibility of the threat. And finally, the vibrant and interconnected debates within government, academia, and think tanks about the use of nuclear weapons have guided policy and technology toward an outcome of stable deterrence. It took the combination of these three characteristics to create a truly unacceptable and credible deterrent threat. By contrast, strategic cyber weapons have not met these criteria.

Sheer destructiveness. Despite former Chairman of the Joint Chiefs of Staff Admiral Mike Mullen claiming in 2011 that cyber weapons are the “single biggest existential threat that’s out there,” they have actually inflicted very little physical destruction to date. Stuxnet, the largest known cyber weapon to cross the cyber-physical barrier, only damaged a thousand uranium enrichment centrifuges. Further, it is generally accepted that not a single person has died as a direct result of a cyber attack.

The destructive power of even the smallest of nuclear devices still greatly eclipses that of the demonstrated destruction of cyber weapons. Even if the reverential statements of world leaders about the potential destructiveness of strategic cyber weapons are taken at face value, their power still does not compare to that of nuclear weapons. As Colonel Jamie Wakefield, currently the chief of contingency operations for US Northern Command, said in an interview for my thesis in April 2015, “Cyber may be able to threaten the way we live or the way we do business, but nuclear weapons threaten the fact that we live at all.” Simply put, strategic cyber weapons are not currently capable of inflicting the unacceptable costs necessary for stable deterrence in cyberspace.

Assuredness of destruction. Questions about the assured delivery of cyber “payloads” also weaken strategic cyber weapons’ credibility as a deterrent. While the delivery of a nuclear weapon relies on the vehicle that carries the weapon’s warhead, the delivery of a strategic cyber weapon is much more dependent on weaknesses in the target’s defenses. If a network administrator patches vulnerabilities in the target computer code, or an agent is unable to insert a USB drive to cross an air-gapped system (a system that is physically disconnected from unprotected networks), then a strategic cyber weapon that was deliverable yesterday might not be today.

Even if a strategic cyber weapon makes it past a system’s defenses, there is no guarantee that it will have its intended effect—it could do nothing at all or cause significant unintended collateral damage. There simply is no analogue in the nuclear world, where a weapon’s destruction is a predetermined, known quantity. As President Barack Obama observed when I spoke with him at the White House Summit on Cybersecurity and Consumer Protection in February 2015, “With nuclear weapons there is a binary. Either there are no nuclear explosions or there are big ones and it is a real problem. In cyberspace, there are all sorts of gradations.” While a state may promise to massively retaliate against a cyber attack, neither the attacker nor the defender can be entirely sure that this will happen because the state may not have the capability to fulfill its threat. This problem significantly undermines the feasibility of applying deterrence principles in cyberspace.

A common understanding. Finally, the open-source debate surrounding the use of strategic cyber weapons is still very much in its infancy. In the absence of major public demonstrations of strategic cyber weapons, the debate largely centers on speculation about cyber capabilities. Without a common understanding of strategic cyber weapons, participants take uncoordinated stabs in the dark over what the policy implications of the weapons are. In combination with the limited interaction between the public debate and its classified counterpart, the result is a rather weak conversation. As former CIA director Michael Hayden commented when I interviewed him in March 2015, “No one has yet begun to write the On Thermonuclear War  [Herman Kahn’s classic 1959 text on nuclear strategic concepts] for cyber conflict.” Admiral Jim Ellis, former commander of US Strategic Command, put it far less charitably in my interview with him, also in March 2015, saying that the debate was “like the Rio Grande, a mile wide and an inch deep.”

The flawed analogy of nuclear and cyber weapons is dangerous because it creates the illusion of security when potentially there is none. At present, a number of factors—including other forms of deterrence and economic interdependence—are discouraging use of the strategic cyber weapons that states around the world are quickly amassing. However, if the global security situation unexpectedly changes, and the United States bases its cyber policy on the shaky assumption that it can deter strategic cyber weapons, then it could be vulnerable to attack by those who do not share its views. Chinese experts, for example, have espoused skepticism about the feasibility of cyber deterrence. A misjudgment now about strategic cyber weapons could have catastrophic consequences later.

Why does such a flawed analogy have so much traction at the moment? It could be because it is a ploy to inflate budgets for what some call the “cybersecurity industrial complex.” Such methods have a proven track record; by one estimate the United States spent upward of $5.5 trillion on nuclear weapons between 1940 and 1996. Indeed, there is talk of an ongoing US “cyber Manhattan Project” (again, note the pervasive nuclear analogizing). However, the analogy is much more likely a way for a generation of leaders who were not “born digital” to come to terms with the intricacies of cyberspace through concepts with which they are familiar. Just as military commanders confounded by nuclear weapons in the 1950s reached for works on air power by Generals Giulio Douhet and Billy Mitchell, so too are the national security leaders of today looking to the treatises of American nuclear strategists Bernard Brodie and Thomas Schelling for guidance on cyber warfare.

The future of cyber warfare. Under certain conditions, it is possible that the cyber-nuclear analogy could apply in the future. As societies adopt more cyber-reliant technologies in transportation infrastructure, the electrical grid, and nuclear power plants, a massive cyber attack could result in prohibitively high costs and deaths. In combination with the more pernicious second-order effects of cyber attacks on emergency responder communications networks, municipal water and wastewater systems, and agricultural and pharmaceutical supply and distribution chains, the effects may even become comparable to those of nuclear weapons. Provided that the most powerful cyber weapons do not proliferate beyond a small subset of states, destruction could be assured, and cyber actors could reach a consensus about how they should use the weapons, it might be possible to have stable, nuclear-style deterrence in cyberspace.

It is far more likely, however, that the nuclear template will not fit neatly onto the situation in cyberspace. As the barriers to entry lower, it may be that thousands or even millions of untraceable actors will become capable of inflicting enormous damage through cyberspace. It could also be that the world overestimated the prowess of these weapons and that they are not nearly as dangerous as first thought.

So how should leaders think about the wide-open future of cyber warfare? Comparing cyber weapons almost exclusively to nuclear weapons straitjackets thinking into the narrow confines of a single weapons system. A better approach would be to go back to the principle that makes the analogy compelling and expand from there. The core element of the nuclear-cyber analogy is that strategic cyber weapons appear set to revolutionize military affairs in a comparable way to nuclear weapons. However, strategic cyber weapons could develop into a revolution that more closely resembles another military technology, or a mixture of several, or none at all. To cover the full range of possible outcomes, it would therefore be prudent to broaden the analogy to include the lessons of other revolutions in military affairs.

A prime example would be the “offset strategy” technologies that enabled the United States and its allies to achieve overwhelming victory over Saddam Hussein’s then-vaunted military in the First Gulf War, but then became bogged down against lightly armed insurgents during the occupation of Iraq. Drawing insight from how revolutions such as the offset strategy reached critical mass, how actors exploited them, and how other actors countered and eventually conventionalized them could provide the conceptual flexibility and hybrid strategy necessary to confront the presently unforeseeable challenges that lie ahead in cyberspace.