Skip to content
Commentary | 29 November 2021

The nuclear consequences of cyber vulnerabilities

Image of Wilfred Wan

Wilfred Wan |Researcher at the United Nations Institute for Disarmament Research (UNIDIR)

Cyber Emerging technologies Nuclear Arms Control Nuclear Weapons Security Global Security

A recent report about a massive cyber surveillance campaign allegedly conducted by Russian intelligence against US government agencies reflects disturbing trends in cyberspace. The number of reported data breaches in 2021 is on pace to set a record, with government entities constituting the most targeted sector, and global supply chains increasingly impacted. The planning and sophistication that characterizes some of these operations in recent years also suggest more frequent State-level involvement, underlining the fact that cyber—or information security—capabilities increasingly constitute part of national strategic toolkits.

Operations in cyberspace have also targeted elements of the nuclear weapons enterprise across states. Recent known cases include the discovery in December 2020 of  “long duration activity” against the US National Nuclear Security Administration (responsible for the management of the US stockpile), and in April 2021 of operations against a firm linked to the design of Russian nuclear submarines. In neither instance was there any indication that functions related to nuclear weapons systems were impacted.

Yet these revelations should heighten concerns beyond the states targeted, as the existence of these operations could have implications for potential nuclear weapon use. Cyber operations of the kind cited are unlikely to cause detonation events directly. Yet operations that successfully interact with nuclear forces can undermine states’ confidence in their nuclear deterrence capability or credibility, which can trigger forceful military response and even prompt ‘use it or lose it’ nuclear dilemmas. The clearest path to this end involves intrusions into weapons systems themselves. This is not far-fetched. In limited testing with “relatively simple tools and techniques”, the US Department of Defense in 2018 “routinely found mission-critical cyber vulnerabilities” in their weapons systems under development. Other nuclear-armed states are likely to be similarly vulnerable.

Other infringements on deterrence include cyber operations that impact nuclear command, control, and communication. Increased digitalization is likely to create new vulnerabilities, exacerbated by reliance on the supply chain. Even systems isolated from the internet can be compromised. The militarization of cyberspace—and a legacy of Cold War electronic warfare — also raises the possibility that adversaries could now induce the kind of malfunctions (such as erroneous warnings in early warning systems) that in the past have fuelled several nuclear ‘close calls’. Additionally, cyber operations that amplify conventional capabilities to evade radar and air or missile defence may increase nuclear force vulnerability, real and perceived.

The reason why such intrusions may escalate to a scale even beyond the intentions of perpetrators centres on a lack of clarity around so-called cyber ‘red lines’. Several nuclear-armed states have acknowledged the possibility of escalation linked to the cyber domain, or in their nuclear doctrines open the door to use in response to cyber operations. Further precision on thresholds is generally absent, with deliberate ambiguity held in service of deterrence credibility. Yet notions of achievable strategic stability are undermined by the secretive nature of cyber operations, the many potential points of entry for cyber operations, and context-dependent concepts such as ‘critical infrastructure’. Cyber-nuclear interactions open the door for misperception, miscalculation, or misunderstanding.

Reducing cyber-nuclear risks requires preventing interactions between cyber operations and nuclear forces; it also requires mitigating the consequences of interactions when they do take place. Developments in cyber space suggest the potential development of voluntary ‘rules of the road’ that can support the former. Last month the US and Russia submitted a joint resolution to the UN General Assembly (co-sponsored by 104 States) on responsible behaviour in cyberspace. Cyberspace policy also features in ongoing US-Russia strategic stability talks; President Biden in June 2021 had provided President Putin a list of critical infrastructure sectors meant to be “off-limits” from cyber operations. Such negotiations of State behaviours would be significant but would only address part of the risk picture.

It is incumbent on nuclear-armed states to strengthen the cyber security of their weapons and related systems and to elaborate standards across the entirety of their supply chains. Dialogue among nuclear-armed and nuclear-allied states can inform common understandings of risk perceptions, and chip away at the ambiguity around red lines. States can also look to establish guard rails through the conflict-prevention toolkit. In fact, information exchange around cyber military exercises, memorandums of understanding on engagement with communications and radar systems, and political declarations that nuclear command and control lies outside cyber bounds can build a foundation for formal agreements down the line.

Cyber-nuclear interactions are likely to increase given trends in the militarisation of the cyber domain and the digitalisation of nuclear weapons systems. The secrecy across both domains presents significant challenges: not only in their regulation but also to underlining the urgency of the situation and creating the prerequisite momentum for such action. After all, the cyber equivalent of the Cuban Missile Crisis is unlikely to ever play out in public. Yet the very real risk of cyber-nuclear interactions driving inadvertent nuclear war should provide ready incentive for immediate action.

Wilfred Wan is the co-author of a new UNIDIR report on The Cyber-Nuclear Nexus: Interactions and Risks.

The opinions articulated above represent the views of the author(s), and do not necessarily reflect the position of UNIDIR, the European Leadership Network or any of its members. The ELN’s aim is to encourage debates that will help develop Europe’s capacity to address the pressing foreign, defence, and security challenges of our time.

Image: Israel Defense Forces