iMAD: How Cyberattacks Threaten Global Nuclear Security

As the tools of modern warfare have developed from tanks and submarines to drones and satellites, one thing has stayed consistent: For the past 50 years, the theory of Mutually Assured Destruction (MAD) has been the backbone of American nuclear strategy. The doctrine is based on deterrence, which is a strategic stalemate in which all sides refrain from attacking the others because of the certainty that there would be a retaliatory nuclear strike. But today, MAD faces a dangerous new threat: cyberwarfare. Like anti-ballistic missiles in the 1970s, cyberwarfare threatens to remove the fear of certain destruction that keeps nuclear nations from attacking each other. Maintaining MAD in the world of cyberwarfare won’t be easy. The United States will need to develop its own arsenal of offensive and defensive cyber weapons in order to protect against these new risks. However, with the threat of crisis looming, a global solution is needed, and the international community must act quickly to establish and enforce cyberwarfare norms that will maintain nuclear stability.

In order for MAD to be effective, each side must have a reliable second-strike capability. Mutually assured destruction is not mutual if one nation can stop the other from retaliating. The US uses the nuclear triad – land-based missiles, strategic bombers, and submarine-launched missiles – to ensure that it can launch a counterstrike if it is attacked first. But even with these precautions in place, technological advances have consistently threatened to upend MAD. In the late 1960s, for instance, the Soviet Union began to construct a limited Anti-Ballistic Missile (ABM) systems that could shoot down incoming nuclear warheads. Because a nation with an ABM system could attack without fear of retaliation, this defense system threatened to limit the efficacy of second-strike capability as deterrence. In 1972, President Nixon and Soviet General Secretary Leonid Brezhnev signed the interim Strategic Arms Limitation Talks Treaty (SALT), which restricted the development of such weapons systems in order to preserve MAD. A decade later, President Reagan’s Strategic Defense Initiative again threatened MAD’s precarious peace. The new defensive system, commonly referred to as Star Wars, would consist of a multi-layered shield that would essentially act as a dome, protecting a large area from ballistic missiles. The project never came to fruition because of its high cost and disregard of the SALT treaty. Still, in the intervening period, most nuclear nations have avoided trying to develop missile defense systems that would undermine global stability.

Cyberwarfare is the latest technological development to challenge defense strategists. Cyberattacks take many different forms, including espionage and sabotage. The targets can range from water treatment facilities to the Democratic National Committee. Attacks can do everything from steal information to disable nuclear centrifuges. Since the extent of damage and the capability of each nation and non-governmental network is unknown, these attacks are difficult to defend against – or even detect. Thus far, cyberattacks by non-state actors have mostly been used to steal information for financial gain, but major nations have also used cyberwarfare to great effect. Russia, the alleged perpetrator behind the December 2015 and December 2016 attacks on Ukraine’s power grid, has not been shy about its extensive cyber capabilities. China, too, has been accused of hacking networks in Australia, Canada, India, and the US. While cyberwarfare has historically centered on espionage and stealing information, experts say that the volume of state-sponsored cyberattacks that include direct warfare and bypass the digital realm is likely to increase in the near future. And the potential for cyberwar to undermine nuclear safety and weapons is particularly alarming.

In 2010, centrifuges used in Iran’s Nantanz nuclear facility and uranium enrichment plant started failing unexpectedly. Scientists at the plant were horrified. A catastrophic failure seemed to ensue for no reason – that is, until researchers found Stuxnet, a digital weapon, had infiltrated their computer systems. Stuxnet is widely believed to have been engineered by the US in conjunction with Israel – though neither nation has admitted to involvement – suggesting that cyberwarfare could be strategically applied both to prevent nuclear proliferation and disable another country’s weapons with little more than lines of code.

The potential for this sort of attack is not limited. Before leaving office, President Obama ordered the Pentagon to increase cyber and electronic attacks against North Korea’s missile program. The large number of military rockets that began to malfunction – exploding, veering off course, disintegrating in midair, and falling into the ocean – could be part of an American antimissile defense program. Some skeptics attribute the failure of the rockets to manufacturing errors and general incompetence. But because cyberwarfare is inherently clandestine, it is unclear what role, if any, cyberwarfare played in these missile-test failures. If countries can indeed utilize cyberattacks to disable launch computers, nuclear states could disable the second-strike capability of smaller states – such as North Korea, with limited channels of deploying warheads – potentially leading to pre-emptive attacks. This is a far cry from Reagan’s public pursuit of anti-ballistic missiles, and the clandestine nature of cyberwarfare may be particularly damaging to MAD.

The potential for cyberattacks on nuclear facilities and weapons are also numerous. A cyberattack could falsely alert a country’s early-warning networks that an enemy has launched a nuclear weapon and elicit an immediate retaliatory attack. Online hackers could manipulate communication systems into launching unauthorized missiles. Hackers could infiltrate missile command systems and launch or dismantle the weapons on site. In all of these scenarios, cyberwarfare and nuclear weapons could be used in conjunction. Perhaps the potential for such an attack seems low, but in the case of nuclear war, there is no margin for error. As a result, NATO has encouraged member states to prepare to defend their networks against increasingly sophisticated cyber threats. Most nuclear nations have not yet adapted to the new reality that cyberwarfare presents, and in the absence of a fully developed response, the doomsday clock may inch closer to midnight.

There are many challenges associated with creating a coherent and coordinated cyber security policy. For one, there is no international architecture for handling non-state cyber warriors. Additionally, the US does not have a unified national cybersecurity strategy – the National Security Agency, the Department of Defense, the Federal Bureau of Investigation, and many other government organizations all have their own frameworks for responding to and defending against cyberattacks. The limited evidence of what defense strategies have worked historically or what attacks have taken place presents another challenge.

NATO has encouraged members to prepare to defend their networks against cyber threats.

To tackle these structural issues, the global community needs to establish a set of norms to protect MAD in the cyber age. International agreements outlining standards and expectations for this new kind of warfare can serve a similar purpose to Nixon’s SALT treaty. If nations can be relatively certain that critical nuclear infrastructure won’t come under attack, they won’t have the same incentive to develop dangerous offensive weapons. There’s evidence that the international community is interested in such an agreement. Brad Smith, the president of Microsoft, has called for a Digital Geneva Convention, and the US and China have also held high level talks on cybersecurity in search of a détente. However, no such agreement has been reached, and it is imprudent to wait any longer.

MAD and the uncertain peace it brings are under attack by invisible weapons. The capacity of cyberattacks to disrupt and destroy is largely unknown and constantly evolving, and the increasing frequency with which nations and companies are reporting hacks is a clear sign that cyberwarfare has arrived. The next steps are to begin to understand this multifaceted method of war and take steps to control it. New technologies present new obstacles, and there will undoubtedly be unforeseen consequences as cyberwarfare continues to advance. In order to effectively defend against cyberwarfare, global leaders must actively pursue offensive and defensive cyber strategies and evaluate the role of regulation and treaties in protecting against this new form of attack.