The Arms Control Association is an "exceptional organization that effectively addresses pressing national and international challenges with an impact that is disproportionate to its small size." 

– John D. and Catherine T. MacArthur Foundation
January 19, 2011
Study Sees Cyber Risk for U.S. Arsenal

Timothy Farnsworth

U.S. nuclear weapons systems may be vulnerable to highly sophisticated cyberattacks, and the Pentagon should take steps to ensure they could survive such a threat, a Defense Department advisory group said in a recent study.

The January study by a Defense Science Board (DSB) task force, which was made public at the end of February, also said the United States should continue to invest in its nuclear arsenal in order to deter a catastrophic cyberattack against its critical infrastructure by other countries.

The study, which was commissioned in 2011 by Deputy Secretary of Defense William Lynn to study the resilience of Pentagon systems to cyberattacks and make recommendations to the defense secretary, said the department has not kept up with “cyber adversary tactics and capabilities” and therefore is “not prepared” to defend against a sophisticated cyberattack.

The threat is “serious, with potential consequences similar in some ways to nuclear threat of the Cold War,” the report said, adding that it will take years for the Pentagon to build an “effective response” to the threat.

Asked at a March 12 Senate Armed Services Committee hearing about the study’s conclusions, Gen. C. Robert Kehler, the head of U.S. Strategic Command (STRATCOM), said he is “very concerned with the potential of a cyber-related attack on our nuclear command and control and on the weapons systems themselves.” STRATCOM needs to undertake a comprehensive review, he said.

Kehler said there have been ongoing reviews of U.S. nuclear command and control systems and nuclear weapons platforms and that he is confident that they “do not have a significant vulnerability” that would prevent STRATCOM from performing its mission or “disconnect the president from the [nuclear] forces.” Kehler also said that many of the nuclear command and control systems are “point-to-point hardwired” and not connected to the larger network, making it very difficult for an adversary to penetrate them.

In his written testimony for the same hearing, Gen. Keith Alexander, the head of U.S. Cyber Command, addressed another aspect of the vulnerability question, saying he is confident that foreign leaders believe that a major cyberattack on the United States would be traced back to them and would “elicit a prompt and proportionate response.”

Alexander said he would not rule out the possibility “that some future regime or…actor could misjudge the impact and certainty of our resolve.” He said he had “some confidence” in Washington’s ability to “deter major state-on-state attacks in cyberspace” but that the United States is not deterring “low-level harassment of private and public sites, property, and data.”

According to the U.S. intelligence community’s “Worldwide Threat Assessment,” released March 12, there is a “remote chance” that the next two years will see a major cyberattack against U.S. critical infrastructure, producing “long-term, wide-scale disruption of services, such as a regional power outage.” The assessment went on to say that countries with advanced cyberattack capabilities, such as Russia and China, “are unlikely to launch such a devastating attack” outside a “military conflict or crisis.”

Nuclear Deterrence in Cyberspace

In its report, the DSB task force said the threat that the United States would respond by using offensive cyber-, conventional, and, as a last resort, nuclear weapons was the only way to ensure that adversaries refrain from launching sophisticated cyberattacks. The report recommended that the Defense Department invest in offensive cyber and conventional capabilities, including conventional prompt global strike capabilities, which utilize ballistic missiles that have conventional warheads; penetrating bombers; and submarines with long-range cruise missiles. That way, policymakers and commanders have a range of viable responses rather than being restricted to a “nuclear-only option,” the report said.

Some cyber experts say a nuclear response to a cyberattack would not be proportional and therefore would not meet one of the basic requirements for a response under international law of armed conflict. James Lewis, a cybersecurity expert at the Center for Strategic and International Studies, said in a March 18 e-mail to Arms Control Today that he believes that cyberdeterrence does not work, in part because of “the limited destructive capacity” of cyberweapons and the “absence of existential or serious harm from their use.”

With regard to the DSB task force’s recommendation, Lewis said that some people are “desperate to find some way to resuscitate” the debate over cyberdeterrence that took place in policy circles a few years ago, “including rattling the nuclear saber.”

U.S. Nuclear Policy

The 2010 “Nuclear Posture Review [NPR] Report,” which sets out the roles and missions of U.S. nuclear weapons, does not make any specific mention of the use of nuclear weapons to deter cyberattacks by other countries.

The NPR report says that “[t]he fundamental role of U.S. nuclear weapons, which will continue as long as nuclear weapons exist, is to deter nuclear attack on the United States, our allies, and partners.”

In a March 21 e-mail to Arms Control Today, Barry Blechman, a distinguished fellow at the Stimson Center, said that the DSB report’s recommendation on nuclear retaliation to cyberattack “flies in the face” of a decades-long trend toward “narrowing the role of nuclear weapons” in U.S. policy.

According to the NPR report, any state that used chemical or biological weapons to attack the United States or its allies would face “a devastating conventional military response.” Blechman said he saw no reason why the threat of U.S. retaliation with conventional weapons or cyberweapons would not be sufficient to deter cyberattacks.

In making its case for holding open the option of a nuclear response to a cyberattack, the DSB task force cited a passage in the NPR report saying that the United States “would only consider the use of nuclear weapons in extreme circumstances to defend the vital interests of the United States and its allies and partners.” A catastrophic cyberattack would meet this threshold, the report said.