No Nukes In Cyberspace Please
Cyber security has been getting a lot of attention lately, which is good when it means a heightened awareness of cyber threats and the need for better ‘cyber hygiene’. It is not so positive when that attention generates exaggerated projections of cyber warfare and calls for gaining “offensive cyber superiority” over putative adversaries in the name of national security. Disquiet turns into real alarm when these calls are accompanied by assertions that a nuclear response should be part of the escalation ladder when confronted with a major cyber attack.
These ideas are not the preserve of some fringe group of militarists but the recommendations of a blue-ribbon panel mandated by the U.S. Department of Defense. The recently released report of the Defense Science Board (DSB)’s Task Force on “Resilient Military Systems and the Advanced Cyber Threat” is the product of an 18-month study and outlines what it refers to as an “overall risk reduction strategy”. That strategy projects a future of cyber warfare in which the U.S. will deter attacks in part by ensuring a nuclear strike capability in the face of “existential cyber attack” and developing “world class cyber offensive capabilities” and an expanded legion of “cyber warriors”.
The danger of this type of policy advice at a time when the international community is only just coming to terms with the offensive potential of cyber operations is that it can turn the initiation of cyber warfare into a self-fulfilling prophecy. As the militaries of several states develop their capacity for cyber operations and consider whether these capabilities should remain exclusively in the defensive realm or extend into the offensive, the direction that the U.S. takes will have a great influence on the behaviour of others. The DSB’s report appears to be setting the U.S. military on a course that will ensure cyberspace becomes the battleground that so many of its ‘netizens’ had hoped to avoid.
Capitalizing on the current and growing alarm over cyber attacks, the Board’s study also advocates a new role for nuclear weapons, seemingly in opposition to the Obama administration’s espousal of a policy that reduces reliance on nuclear arms and which would eventually narrow the function of its nuclear forces to deter exclusively a nuclear attack. In its 2010 Nuclear Posture Review, the Obama administration stated that, while it was not prepared at present to adopt the policy that deterring nuclear attack is the sole purpose of its nuclear weapons, it pledged to “work to establish conditions under which such a policy could be safely adopted”. The review also strengthened the country’s so-called nuclear security assurance by declaring that the U.S. “will not use or threaten to use nuclear weapons against non-nuclear weapon states that are party to the NPT and in compliance with their nuclear non-proliferation obligations”. By affirming the validity of a nuclear response to a major cyber attack, whatever its origins, the DSB report goes against the thrust of both of these nuclear policies and comes across as yet another effort by the proponents of nuclear arms to come up with a new justification for retaining them in the face of their ebbing military utility.
Just as disconcerting as the DSB’s rattling of the nuclear sabre is its unqualified espousal of offensive cyber superiority as a goal for the Department of Defense. “Cyber offense is both an enabler for military operations and…is a critical rung in the escalation for U.S. deterrence strategy” the report reads. In the future inevitable cyber conflict, it also warns that the “DoD should not expect adversaries to play by U.S. versions of the rules”. This is not surprising for a report that does not discuss rules or even take into account the laws of armed conflict that the U.S. states are applicable in cyberspace, nor considers options other than an offensive military build-up for reducing the risk of cyber attack.
Fortunately, there are other voices in Washington that suggest a less bellicose approach to international cyber security. In a recent speech, the National Security Adviser, Tom Donilon, expressed concern over growing threats to cyber security and called on China to engage in a dialogue on global standards for cyberspace. However, Donilon couched this concern as dealing only with the theft of information and was silent on the international security dimension of cyber security.
Although the Obama administration has for over a year declared an interest in developing a global consensus on what constitutes responsible state behaviour in cyberspace, it has done precious little to bring such a discussion about. It is time for the United States (in concert with like-minded states) to demonstrate that it has a diplomatic strategy for achieving its aim of an open and secure cyberspace. In the absence of an active policy alternative, it will be all too easy for the champions of cyber conflict and their band of cyber warriors to carry the day, leaving civilian interests in cyberspace as so much ‘collateral damage’.