Trans-Pacific View author Mercy Kuo regularly engages subject-matter experts, policy practitioners, and strategic thinkers across the globe for their diverse insights into U.S. Asia policy. This conversation with Dr. Herbert S. Lin – senior research scholar for cyber policy and security at the Center for International Security and Cooperation and Hank J. Holland Fellow in Cyber Policy and Security at the Hoover Institution, both at Stanford University, and author of newly published “Cyber Threats and Nuclear Weapons” (Stanford University Press, 2021) – is the 301st in “The Trans-Pacific View Insight Series.”
Define key elements of the U.S. nuclear enterprise.
The nuclear enterprise consists of everything that touches nuclear weapons issues, including nuclear weapons design and stewardship; nuclear delivery systems (e.g., missiles, submarines, bombers); nuclear command, control, and communications (NC3); nuclear planning and decision-making; and nuclear operations. Information technologies (also known as computing and communications technologies) are critical for all of these elements of the nuclear enterprise.
Identify plausible cyber risk scenarios of the U.S. nuclear enterprise.
First, an adversary may conduct a deliberate cyberattack against some element(s) of the U.S. nuclear enterprise that could compromise the U.S. ability to use its nuclear weapons when appropriate (e.g., in retaliation). A report from the U.S. Government Accountability Office probed cyber vulnerabilities in U.S. weapons systems (including some nuclear systems), noting that the Department of Defense routinely finds mission-critical cyber vulnerabilities during operational testing of weapons systems that are under development, pointing out that “using relatively simple tools and techniques, testers were able to take control of systems and largely operate undetected.” Exploitation of such vulnerabilities could cripple nuclear weapons delivery systems on the ground or in flight.
The 2018 Nuclear Posture Review also identifies adversary offensive cyber capabilities as creating new challenges and potential vulnerabilities for U.S. NC3, calling out challenges to network defense, authentication, data integrity, and secure, assured, and reliable information flow. Compromises to NC3 could disconnect the National Command Authority from U.S. nuclear forces, fail to provide warning of incoming nuclear attack, or falsely signal the existence of a nuclear attack.
A second type of cyber risk arises from the integration of nuclear and nonnuclear capabilities, which is often enabled by computing and communications technology. Such integration likely raises the risk of inadvertent nuclear escalation in times of conflict. For example, integrating nuclear and conventional systems confers operational advantages in warfighting, and is also generally less expensive than acquiring separate nuclear and conventional systems. But such advantages trade off against an increased possibility that cyberattacks directed against a dual-purpose system for non-nuclear reasons could be interpreted by U.S. decision-makers as an attack on U.S. nuclear capabilities, especially if those cyberattacks are coming from another nuclear power. Thus, they may feel more pressure to escalate up the nuclear ladder.
A second scenario is based on the fact that cyberattacks and cyber espionage/intelligence gathering use the same penetration techniques and differ only in what they seek to accomplish. Thus, any given cyber penetration carries with it an unknown potential for attack, for intelligence gathering, or both. A cyber penetration from China or Russia detected in a U.S. NC3 system could be part of a relatively benign attempt to gather intelligence, or it could be the start of a serious cyberattack that is intended to degrade NC3. But it is impossible for U.S. decision-makers to know China’s or Russia’s intention before we observe the actual results of the penetration. If the United States detects a cyber penetration of its NC3 during a crisis or during the initial phases of a kinetic conflict, U.S. decision-makers may jump to a worst-case assessment.
Analyze the capabilities of China and North Korea in generating cyber nuclear risks.
Chinese and North Korean capabilities to generate cyber risks to the U.S. nuclear enterprise are not known in the unclassified literature. However, it is known that Chinese offensive cyber capabilities are world-class, and North Korea’s capabilities are substantial, even if not necessarily on a par with China’s at every level and for every contingency.
Furthermore, certain operational scenarios involving China in particular implicate a number of dual-purpose systems. For example, the United States maintains a number of early warning satellites in geo-synchronous orbit that can identify the launch of nuclear intercontinental ballistic missiles. But these satellites are also sensitive enough to detect the launch of shorter-range tactical ballistic missiles used in conventional warfighting. U.S. defenses against such tactical ballistic missiles make use of satellite-based early detection to improve the likelihood of being able to conduct an intercept – and thus China or North Korea would have an incentive to launch cyberattacks on U.S. early warning satellites to degrade the performance of U.S. tactical ballistic missile defenses. Such attacks could lead U.S. decision-makers to be concerned about its ability to identify the launch of Chinese ICBMs against the United States, thus increasing pressures to escalate the conflict.
Explain the core components of cyber nuclear risk profile that U.S. nuclear decision-makers need to understand.
Senior U.S. decision-makers are well aware of the first cyber risk described above — the risk of deliberate cyberattack — or more precisely, they acknowledge it as an issue and have initiated programs and activities to address it. What is less certain is the extent to which they understand the frequent disconnects between policy statements and what actually happens on the ground. The latter can only be ascertained by sustained red-team efforts that challenge security programs and practices as they are being carried out.
I don’t believe that they are as aware of the risk of inadvertent escalation, especially as it affects the U.S. side. Remember that by definition, inadvertent escalation involves a misunderstanding or a misinterpretation of the actions of the other side, and few decision-makers are willing to acknowledge the possibility that they may be mistaken in their judgments. A policy recommendation to address this problem is therefore to make every effort to separate rather than to integrate nuclear and conventional capabilities in system acquisition.