Commentary | 6 February 2025

The unintended consequences of deterring cyber attacks through nuclear weapons and international law

The nexus of cyber threats and nuclear deterrence

In today’s security landscape, the rising cyber capabilities of (potential) adversaries have raised concern. Policy considerations are being discussed, but the legal implications of cyber threats – from both offensive and defensive perspectives – are yet to be explored. The Cyber-Nuclear Nexus is mainly discussed when assessing the threats from cyberspace to nuclear weapons. Few studies have examined the role of nuclear weapons as an active part of the nexus: nuclear weapons as a means of deterrence against cyber attacks. Deterrence with nuclear weapons against cyber attacks poses new legal questions to international law and the global non-proliferation regime.

For the past decades, (the prevention of) conflicts between nuclear-armed states focused on deterrence by state-owned nuclear arsenals: the bigger the better, the more the merrier. In a technological era where deterrence needs to go beyond this concept, where advanced cyber capabilities are increasingly available to a wider range of states, non-state actors and proxies, and where nuclear disarmament efforts are stalling, there needs to be a more systematic understanding of the legal and policy mechanisms through which modern cross-domain deterrence can be operationalised more effectively but within the international legal framework. But international law doesn’t exactly give the green light for cyber-nuclear deterrence.

The nature and scope of cyber threats

The evolution of cyber threats has progressed from simple espionage and disruption, jeopardising a state’s sovereignty, to complex, large-scale operations capable of causing harm to millions of people. State-sponsored cyber attacks, like the 2010 Stuxnet operation aimed at Iran’s nuclear facilities, have showcased the capacity of cyber warfare to inflict physical damage and unsettle global politics. Additionally, the growing interconnection of critical infrastructure with digital networks, including power grids, financial systems, health care providers and military command structures, has amplified the vulnerability of nations to severe cyber disturbances.

The dawn of cyber warfare is rapidly transforming the nature of conflict. Unlike traditional warfare, which relies primarily on kinetic forces and visible actors, cyber attacks—as means of cyber warfare—are often covert, instantaneous, and capable of causing widespread disruption without the need for conventional military assets. As states and critical infrastructures become increasingly digitised, cyber attacks not only represent a real threat to national security, economic stability, and public safety but also seem like a convenient and impactful means of warfare.

The use of nuclear weapons to deter cyber attacks poses unique legal issues under both international law and the global non-proliferation regime. In particular, it raises questions about the applicability of existing legal frameworks to non-kinetic threats, the proportionality of a nuclear response to a cyber attack, and the practicality of attributing cyber attacks to a specific state actor in a timely and accurate manner.

Cold War nuclear deterrence applied in a digital world

The rationale for applying nuclear deterrence to cyberspace stems from Cold War-era deterrence theory, specifically the principle of Mutually Assured Destruction (MAD). This strategic principle states that the threat of total annihilation through nuclear retaliation deters all parties from initiating a nuclear conflict, ensuring that no rational actor would risk such catastrophic escalation.

One might argue that, just as the fear of nuclear retaliation prevented widespread conventional warfare during the Cold War, it could also deter major cyber attacks on critical infrastructure today. However, deterring cyber threats by using nuclear weapons presents distinct obstacles.

“The use of nuclear weapons to deter cyber attacks poses unique legal issues under both international law and the global non-proliferation regime.” (Verena Jackson)

Unlike conventional attacks (e.g., missiles), cyber attacks frequently lack clear attribution, as they are often carried out through intermediaries, making it difficult to trace the origin and assign responsibility to a specific nation or state entity. The potential deployment of nuclear arms in reaction to a cyber attack raises concerns regarding the appropriate level of response and the potential for unmanageable escalation. This may interfere with legal and moral boundaries.

International legal frameworks and nuclear-cyber deterrence

The UN Charter and the use of force against cyber attacks

Applying established legal frameworks to the field of cyber-nuclear deterrence exposes a fundamental dilemma: Is the threat of nuclear retaliation ever justifiable or necessary in response to a non-physical cyber operation? The Tallinn Manual on the International Law Applicable to Cyber Warfare provides guidance, suggesting that responses to cyber attacks should align with established principles of the law of war, even though it does not explicitly address nuclear deterrence.

Article 2(4) of the UN Charter explicitly forbids the intimidation or employment of force against the (territorial) sovereignty of any state. Nevertheless, Article 51 acknowledges “the inherent right of individual or collective self-defence if an armed attack occurs”. The first legal uncertainty emerges in determining whether a cyber attack constitutes such an “armed attack” and thus may trigger a response justified under Article 51.

Established interpretations stem from a “pre-cyber era” and focus on kinetic force and physical destruction. And even then, a certain threshold of severity must be passed to justify a state’s response under Article 51. In the context of cyber, this threshold needs to be tailored to the specifics of cyber attacks for them to be considered significant enough to trigger a military or legal response. Only attacks causing substantial damage (to critical infrastructure) or posing a direct threat to national security could comply with the existing criteria. If the scale and effect of a cyber attack are comparable to those of a kinetic attack—resulting in significant damage, casualties, or disruption—it may constitute a justification for the use of force under Article 2(4) of the UN Charter, potentially justifying self-defence under Article 51. Granted, a cyber attack does trigger a state’s right to self-defence, but it remains disputed whether a nuclear response (or threat) could ever comply with Article 2(4) of the UN Charter. The principles and rules of humanitarian law also have to be considered.

Attribution of cyber attacks and state responsibility

States can only be held legally responsible for cyber attacks when they are attributable to them.
A state’s responsibility in cyberspace arises when cyber attacks can be attributed to the state, either through direct involvement of state organs or via proxies acting under its effective control. Adversaries use third-party systems, proxy servers and VPNs, or even “false flags” to cover their operations. This makes it difficult to present clear evidence linking an attack to a particular state, although such evidence is necessary under international law to prevent unjustified retaliation. The level of evidence required for legal attribution, which serves as the basis for lawful countermeasures under international law, is notably higher than what is needed to hold a state politically responsible.

This complexity of attribution due to the anonymity of cyber operations presents additional legal and operational challenges in determining the legality of deterrence through nuclear weapons. Considering the nature of nuclear weapons as the epitome of weapons of mass destruction, there cannot be any uncertainty about the origin of a cyber attack.

Treaty law: The Non-Proliferation Treaty (NPT)

There is only one international treaty that requires nuclear states to pursue nuclear disarmament and prevent the spread of nuclear weapons: the Treaty on the Non-Proliferation of Nuclear Weapons (NPT). All other legal frameworks dealing with arms control or disarmament are either defunct or have not been joined by nuclear-armed states. Using nuclear deterrence to prevent or respond to a cyber attack would thwart these objectives, as it broadens the conditions for the potential use of nuclear weapons. It might cause unnecessary escalation and undermine the NPT’s goal of reducing the role of nuclear weapons. While not explicitly prohibited, using nuclear deterrence against cyber threats could be seen as contrary to the spirit of this treaty.

Legal-ethical and strategic considerations

The very essence of nuclear weapons lies in their indiscriminate nature and the disproportionate devastation they inflict, thus contradicting the legal and ethical imperative to mitigate harm to non-combatants. Cyber attacks, in the vast majority of cases, will not justify a reaction that has the potential to cause the deaths of millions. These ethical considerations are reflected in the humanitarian law principles of proportionality and discrimination.


Bringing nuclear deterrence into cyberspace could prove the stability-instability paradox right.
This paradox suggests that while the threat of nuclear retaliation deters large-scale wars, it may encourage adversaries to engage in lower-level conflicts, assuming such actions would not provoke a nuclear response. Applying this concept to cyberspace, adversaries could (rightfully) interpret the nuclear deterrence threshold as high, encouraging cyber attacks that remain below that threshold. This dynamic could increase both the frequency and intensity of cyber conflicts.

Considering the challenging West-Russia relationship today, Russia has consistently demonstrated assertiveness in employing hybrid threats, including cyber attacks, as part of its broader geopolitical strategy. Its diverse toolbox includes interference in foreign elections, large-scale disinformation campaigns, and cyber attacks on critical infrastructure in Western states. Unlike traditional military confrontations, these hybrid operations are often conducted in the “grey zone” below the threshold of conventional armed conflict, making them difficult to attribute and respond to within existing legal frameworks.

In this context, nuclear deterrence faces a unique challenge. While it may deter direct, large-scale attacks, the nature of hybrid threats, especially those involving cyber attacks, allows adversaries to operate in this “grey zone” with easy deniability and test thresholds without crossing clear (legal) red lines. For instance, Russia’s willingness to deploy sophisticated cyber tools, as demonstrated in the NotPetya attack, highlights the limitations of conventional deterrence strategies. Even when such actions disrupt global systems or undermine national security, they often fail to trigger a response proportional to nuclear deterrence.

Moreover, relying on nuclear deterrence against cyber attacks holds a relatively high risk of escalation. Given the covert and fast-paced nature of cyber attacks, the odds of misattribution or misjudgement are significant. Russia, for example, has already demonstrated its willingness to exploit this uncertainty in the attribution process. This could lead to a nuclear response being misdirected or unjustified. Such a scenario would not only violate international law but also further destabilise the global order.

Towards a normative framework for cyber deterrence – without nuclear weapons

The reliance on nuclear deterrence as a countermeasure to cyber threats is loaded with legal, ethical, and strategic complexities that question its legitimacy and efficacy. International law, in particular the principles of proportionality and discrimination and the prohibition of the use of force enshrined in Article 2(4) of the UN Charter, might allow the deployment of nuclear weapons to deter cyber attacks only in exceptional cases. International law imposes very high thresholds and prerequisites. Additionally, when assessing the legality of using nuclear weapons in cyber deterrence, some unsolved legal questions about traditional nuclear deterrence intertwine with unsolved legal questions about cyberspace, and so nuclear weapons do not serve as an effective cross-domain means of deterrence against cyber attacks.

From an ethical standpoint, the disproportionate effects of nuclear weapons do not align with fundamental moral principles. On a strategic level, using nuclear weapons as a deterrent against cyber threats poses the risk of heightening the potential for catastrophic confrontation and escalation.

Considering these practical and legal complexities, addressing cyber attacks requires a context-aware approach. This involves redefining existing international norms for cyberspace, improving attribution mechanisms (both technically and legally), and – above all – fostering resilience against cyber operations rather than expanding the scope of nuclear deterrence. Only by acknowledging the unique characteristics of hybrid threats can the international community develop effective and legally sound strategies to counter them.

The European Leadership Network itself as an institution holds no formal policy positions. The opinions articulated above represent the views of the authors rather than the European Leadership Network or its members. The ELN aims to encourage debates that will help develop Europe’s capacity to address the pressing foreign, defence, and security policy challenges of our time, to further its charitable purposes.
