by Paul Esau

Earlier this year I wrote an essay on how the rise of cyber warfare should change NATO’s nuclear deterrence policies. I was supposed to describe practical and easy steps the alliance could take to advance nuclear disarmament, but instead I got seduced by the possibility of bigger paradigm changes.

I argued that the possibility of cyber attacks on nuclear infrastructure is so destabilizing that NATO should give up both the option of being the first party to use a nuclear weapon in the event of a war and the capability of launching a nuclear strike in the brief period between the launch and detonation of enemy missiles (“prompt-launch”). While the arguments for a “No First Use” policy and against a “prompt-launch” posture aren’t new, I believe the threat of cyber warfare has definitively proven them. We cannot rely on analog thinking in what is quickly becoming a cyber age.

In 2018, NATO signed the Brussels Declaration, affirming its commitments to further nuclear disarmament and eventual nuclear abolition. However, the Declaration, like most NATO policy on the topic, is a ritualistic formality without practical steps for implementation. Since the mid-1950s, the alliance has been an American-dominated institution, and the United States is currently embarking upon a 30-year, $1.2 trillion nuclear modernization program while exploding decades of negotiation on arms control agreements.[i] NATO has firmly rejected attempts to disrupt the nuclear status quo, whether in the form of North Korean nuclear proliferation or the 2017 Treaty on the Prohibition of Nuclear Weapons. Yet, while NATO policy promises that “as long as nuclear weapons exist, NATO will remain a nuclear alliance,”[ii] new challenges to international stability and security require that the alliance modify its current nuclear posture.

The NATO rationale for nuclear capability is that nuclear deterrence is an essential requirement of the alliance’s core functions: collective defence, crisis management, and cooperative security. Yet the deterrence model assumes that the alliance’s nuclear command, control, and communications (NC3) is completely reliable and impervious to sabotage and penetration. This assumption has been challenged by the rise of state-resourced cyber warfare, especially since the international community has been unable to reach a consensus on whether NC3 infrastructure is a legitimate target of state-sanctioned cyber operations. Additionally, nuclear modernization programs and the militarization of the space environment have made NC3 systems increasingly digital, and therefore increasingly vulnerable to cyber incursion. Consequently, NATO partners should adopt a “No First Use” (NFU) pledge, and voluntarily remove their capacity to “launch-on-attack” by taking nuclear assets off hair-trigger alert (alternatively known as prompt launch posture).[iii]

An NFU pledge by NATO would require posture modifications by the three nuclear-armed states in the alliance: the US, the UK, and France. Relinquishing “launch-on-attack” would primarily affect US nuclear protocol, since the UK and France already operate under a second-strike policy. By taking these steps, NATO partner states would be addressing a key vulnerability in their NC3 infrastructure, reducing the risk of accidental nuclear exchange and signaling the potential for renewed disarmament negotiation on both nuclear and cyber issues.

There are three interrelated arguments for incorporating an NFU pledge into NATO policy and reducing the alert level of NATO nuclear assets.[iv] First, launch-on-attack is hopelessly idealistic. Even under ideal conditions, the 30-minute flight time of a Russian ICBM to the continental US leaves a window of only eight minutes for a US president to be briefed on the incoming threat and make a final decision to launch a US response.[v] Missiles launched against US targets from an enemy submarine in the Atlantic have a flight time of under 15 minutes,[vi] and attacks against non-US targets, or using unconventional delivery systems, might provide little or no warning at all. Under such conditions, perpetuating a “launch-on-attack” posture while maintaining adequate checks-and-balances against accidents, cyber penetration, and human error seems increasingly unfeasible.[vii] Consequently, the US needs to recognize that further reliance on a prompt-launch posture for deployed nuclear assets is needlessly destabilizing. Instead, the protocol of all nuclear-armed NATO states should focus on preserving second-strike capabilities to fulfill the same deterrence objective.

Of course, institutional traditions like prompt launch do not die easily. Some experts have argued that the U.S. should increase the efficiency of “launch-on-attack” by removing humans from the loop – putting launch authority under the control of “an automated strategic response system based on artificial intelligence.”[viii] This suggestion has been largely met with incredulity, derision, and science-fiction references. However, it represents a second reason for eliminating the “launch-on-attack” doctrine: the modernization of NC3 through the incorporation of complex software and digital networks also increases the risk of accidental failure, intentional sabotage, or automation bias.[ix] These risks undermine the principle of deterrence, incentivize cyber assaults on critical defence infrastructure, and increase the possibility of accidental launch.

Modernization of the American NC3 is unavoidable. However, the replacement of antiquated equipment like 50-year-old floppy disks with new, more complex technologies makes NC3 operation more difficult to monitor.[x] While the incorporation of more sensors, satellites, data streams and networks increases the surveillance potential of the system as a whole, it decreases the ability of a human operator to identify malfunctions under the time constraints of a launch scenario (an essential function during the later decades of the Cold War).[xi] For example, there is no guarantee that a modern Stanislav Petrov would have either the time or expertise to correctly identify a nuclear launch alert as a false alarm.[xii]

Cyber warfare creates significant instability because it is currently more effective as a pre-emptive aggression than as a resilient defence. The extensive digital infrastructure which has long provided an economic and military advantage to NATO states leaves them vulnerable to cyber attacks even as the success of their own cyber offensives produces a reluctance to pursue rules of cyber engagement. Cyber weapons are highly resistant to inspection or verification procedures because software exploits and inserted malware are entirely dependent upon secrecy and surprise for effective operation. Consequently, cyber operations are transforming the certainty of Mutually Assured Destruction (MAD) into the dangerous ambiguity of Mutually Unassured Destruction (MUD) as the reliability of a state’s own nuclear arsenal is called into doubt.

NATO has begun to recognize this danger. The alliance committed to an Enhanced Cyber Defence Policy in the 2014 Wales Declaration, and declared cyberspace an official domain of operations via a Cyber Defence Pledge in 2016.[xiii] In 2018, NATO established a Cyberspace Operations Centre, complete with NATO Cyber Rapid Reaction Teams, as well as collaborative information sharing and training exercises between member states.[xiv] NATO’s Cooperative Cyber Defence Centre in Estonia has also produced and promoted the Tallinn Manual, the world’s first comprehensive academic study on the applicability of international law to cyber operations.[xv] However, the increasing complexity of American, British, and French NC3 systems, and the threats of cyber infiltration, continue to complicate deterrence calculations. Air-gapped systems can be compromised by foreign agents or unwitting employees,[xvi] limited attacks can cause massive, unanticipated collateral damage,[xvii] and supply-chains can be infiltrated and hardware components compromised during manufacturing.[xviii]

Third, the space-based sensors critical to the alliance’s early launch detection capability are uniquely vulnerable to cyber meddling. While NATO does not own any space-based assets, it draws upon the collective capabilities of member states – many of whom are deeply reliant on satellite networks for surveillance, communication, location services, and targeting. While many commentators have focused on the proliferation of kinetic anti-satellite weapons, cyber warfare could degrade or incapacitate satellite networks without launching a single missile.[xix] Ground stations, antennas, landlines, and user terminals are all potential entry points for cyber exploitation targeting data streams rather than the physical satellites.[xx] The cyber vulnerabilities of space-based assets undermine confidence in strategic stability and contribute to the above-mentioned transformation of MAD to MUD.

Unfortunately, simply increasing NATO’s cyber capabilities and defences is insufficient if the NC3 of other nuclear actors remains comparatively vulnerable (especially if NATO first-strike policy remains ambiguous). Russia mirrors the American launch-on-attack posture, and is engaging in limited digital collaboration with China because of significant concern over the possibility of American cyber incursion into each state’s defence networks.[xxi] More critically, indicators suggest that Russian NC3 is structurally vulnerable to cyber warfare.[xxii] Digital security breaches at civilian reactors in India and Ukraine, as well as nuclear research facilities in Russia and Romania, evidence the increasing risk of nuclear proliferation or sabotage.[xxiii] As well, smaller nuclear states which rely on mobile delivery systems to achieve second-strike capability are increasingly vulnerable to the abilities of machine learning and big data analytics to locate these systems.[xxiv] Since it is often hard to identify the source of a cyber-weapon, and since such weapons often spread beyond their intended target to other networks, cyber warfare seems engineered to decrease transparency and fuel conflict escalation. Consequently, the vulnerability of global nuclear infrastructure requires a global agreement on the norms of responsible state behavior in cyberspace, one which may require NATO states to sacrifice nuclear flexibility in return for international stability.

Collectively agreeing to an NFU policy, as well as dismantling the US “launch-on-warning” capability, would be an effective way for NATO states to advance the stated disarmament goals of the 2018 Brussels Declaration while also exhibiting a powerful example of alliance commitments to international stability. At the same time, the alliance should explore a binding international agreement on the norms of cyber warfare.[xxv] As conflict moves into the cyber domain, NATO must not sacrifice the fundamental purpose of deterrence to maintain the bluster of a possible first strike or an antiquated prompt-launch capability. NATO’s nuclear posture needs to recognize that algorithms, not nukes, are the most terrifying weapons of the 21st century.

[i] Congressional Budget Office, “Approaches for Managing the Cost of U.S. Nuclear Forces, 2017-2046,” October 31, 2017.

[ii] North Atlantic Treaty Organization, “North Atlantic Council Statement on the Treaty on the Prohibition of Nuclear Weapons,” Sept 20, 2017.

[iii] George P. Shultz, William J. Perry, Henry A. Kissinger and Sam Nunn, “A World Free of Nuclear Weapons,” The Wall Street Journal, January 4, 2007.

[iv] These arguments have an obvious American focus since the US controls 77% of deployed NATO nuclear assets, as well as the majority of the space-based surveillance infrastructure NATO relies upon for early warning and threat assessment. See Hans M. Kristensen and Matt Korda, “Status of World Nuclear Forces,” Federation of American Scientists., and Beyza Unal, “Cybersecurity of NATO’s Space-based Strategic Assets,” Chatham House (July 2019).

[v] Jeffrey Lewis, “Our Nuclear Procedures Are Crazier Than Trump,” Foreign Policy, August 5, 2016.

[vi] Amy F. Woolf, “Defense Primer: Command and Control of Nuclear Forces,” Congressional Research Service, updated December 11, 2018.

[vii] Jeffrey Lewis, “Is Launch Under Attack Feasible?” Nuclear Threat Initiative, August 24, 2017.

[viii] Adam Lowther and Curtis McGiffin, “America Needs a ‘Dead Hand’,” War on the Rocks, August 16, 2019.

[ix] David A. Deptula, William A. LaPlante, and Robert Haddick, “Modernizing U.S. Nuclear Command, Control, and Communications,” The Mitchell Institute for Aerospace Studies and The MITRE Corporation (February, 2019)., and Michael C. Horowitz, Paul Scharre, and Alexander Velez-Green, “A Stable Nuclear Future? The Impact of Autonomous Systems and Artificial Intelligence,” December 2019.

[x] Andrew Futter, “The Double-Edged Sword: US Nuclear Command and Control Modernization,” Bulletin of the Atomic Scientists, June 29, 2016.

[xi] Between 1977 and 1984 NORAD’s Early Warning System recorded 1,152 “moderately serious” false alarms, an average of three per week. Operator discretion prevented these alarms from precipitating a retaliatory strike. See Linn I. Sennot, “Overlapping False Alarms: Reason for Concern?” in Breakthrough: Emerging New Thinking, ed. Anatoly Gromyko and Martin Hellman (New York: Walker and Company, 1988).

[xii] A Soviet officer, Petrov correctly identified a false launch alert in 1983, preventing a potential nuclear exchange. See Dylan Matthews, “36 Years Ago Today, One Man Saved us from World-Ending Nuclear War,” Vox, updated September 26, 2019.

[xiii] North Atlantic Treaty Organization, “Wales Summit Declaration,” updated August 30, 2018., and Public Diplomacy Division, “Factsheet: NATO Cyber Defence,” NATO, February 2019.

[xiv] North Atlantic Treaty Organization, “Cyber Defence,” updated September 6, 2019. The above-mentioned Brussels Declaration also includes a substantial paragraph on cyber defence, which articulates the necessity of alliance operation in the cyber landscape.

[xv] Michael N. Schmitt and Liis Vihul (eds.), “Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations,” NATO Cooperative Cyber Defence Centre of Excellence (Cambridge University Press, 2017).

[xvi] Kim Zetter, “An Unprecedented Look at Stuxnet, the World’s First Digital Weapon,” WIRED, November 3, 2014., and “The Return of the Worm That Ate the Pentagon,” WIRED, December 9, 2011.

[xvii] Andy Greenberg, “The Untold Story of NotPetya, the Most Devastating Cyberattack in History,” WIRED, August 22, 2018.

[xviii] Defense Science Board, “Cyber Supply Chain,” Office of the Under Secretary of Defense for Acquisition, Technology, and Logistics (April 2017).

[xix] Max Eddy, “Satellite Communications Hacks Are Real, and They’re Terrifying,” PC Mag, August 9, 2018., Patrick Tucker, “The NSA Is Studying Satellite Hacking,” Defense One, September 20, 2019., and Office of Inspector General, “Report No. IG-19-022: Cybersecurity Management and Oversight at the Jet Propulsion Laboratory,” NASA (June 18, 2019).

[xx] Todd Harrison, Kaitlyn Johnson, and Thomas G. Roberts, “Space Threat Assessment 2018,” CSIS Aerospace Security Project (April 2018).

[xxi] Amirudin Bin Abdul Wahab and Lora Saalman, “New Domains of Crossover and Concern in Cyberspace” in China-Russia Relations and Regional Dynamics, ed. Lora Saalman (SIPRI, March 2017).

[xxii] M. V. Ramana and Mariia Kurando, “Cyberattacks on Russia—the nation with the most nuclear weapons—pose a global threat,” Bulletin of the Atomic Scientists, 75 no. 1 (2019), 44-50.

[xxiii] Catalin Cimpanu, “Employees connect nuclear plant to the internet so they can mine cryptocurrency,” ZDNet, August 22, 2019., and “Confirmed: North Korean malware found on Indian nuclear plant’s network,” ZDNet, October 30, 2019.

[xxiv] Thereby increasing these states’ incentive to launch pre-emptively. See Paul Bracken, “The Cyber Threat to Nuclear Stability,” Orbis 60, no. 2 (2016).

[xxv] Paul Meyer, “Global Cyber Security Norms: A Proliferation Problem?” ICT4Peace Foundation, March 12, 2018.