MESOP MIDEAST WATCH Cyber Signaling &Nuclear Deterrence: Implications for the Ukraine Crisis

Erica Lonergan and Keren Yarhi-Milo WAR ON THE ROCKS – April 21, 2022

From its opening moments, the conflict in Ukraine has involved a nuclear dimension. On Feb. 24, Russian President Vladimir Putin ominously warned of “consequences you have never seen” if other countries tried to get involved in Ukraine — an implied nuclear threat.

Several days later, Putin announced that Russia’s nuclear forces would be put on a “special combat readiness” status. More recently, Dmitry Medvedev, a senior Russian official, warned that if Finland and Sweden join NATO, “there can be no more talk of any nuclear-free status for the Baltic.”

So far, the Biden administration has attempted to dismiss Russia’s announcement as irresponsible saber-rattling. But as Putin continues issuing nuclear threats, policymakers are likely to feel growing pressure to respond. In particular, they may be tempted to find ways to signal to Russia to deter the use of nuclear weapons. One way this might be done is through cyber operations. In fact, some cyber experts are already calling for the United States to consider cyber attacks for signaling purposes. For example, writing in the Washington Post, Dmitri Alperovitch and Samuel Charap call on the Biden administration to consider a cyber “shock-and-awe demonstration” in response to a major Russian cyber attack against the West. They claim that such a response, which could include disrupting the Internet throughout Russia, would signal U.S. resolve and help prevent further escalation that they fear “could result in nuclear war.”

However, conducting cyber operations to signal deterrence would, paradoxically, increase risks of escalation. This risk is not just hypothetical, especially in light of Russia’s updated declaratory policy for the first use of nuclear weapons, which may include responses to cyber attacks. Russia has reinforced this message during the war in Ukraine. In early March, a hacking group affiliated with Anonymous claimed that it had shut down the control center of Russia’s space agency. While denying that the attack took place, Russia nevertheless warned that a cyber attack against its satellites would be a justification for war.

The Biden administration should clearly communicate that cyber operations for nuclear signaling are out of bounds, just as it declared restraint in other aspects of this conflict, like the deployment of American troops to Ukraine.

How Cyberspace Is Creating Nuclear Risks

Policymakers and academics are attuned to the cyber risks to nuclear command and control. The practitioner community has largely focused on U.S. vulnerabilities and how to mitigate them. Scholars, in turn, worry about how cyber operations could have unintended escalatory consequences. But less attention has been paid to another likely scenario: the use of cyber operations for signaling purposes (operations with visible effects that aim to convey a message to another state) in a nuclear context. The ambiguity of cyber operations can sometimes be useful for signaling — but the same ambiguity can be dangerous during a nuclear crisis. The problem is that civilian leaders in particular, distinct from the military, are inclined to see cyber attacks as effective signaling tools.

Cyber operations could have nuclear implications, especially because modern nuclear command and control systems, like those in Russia and the United States, are becoming increasingly dependent on digital infrastructure. Nuclear command, control, and communications systems, which include early warning, information collection, and communications capabilities, alert decision-makers to impending nuclear strikes and also enable leaders to control decisions about nuclear use (or non-use). But their digital dependencies are creating opportunities for exploitation using cyber means. In a 2020 report, the Nuclear Threat Initiative found that “almost 9 out of 10 planned nuclear modernization programs involve at least some new digital components or upgrades.”

Vulnerabilities inherent in the digital infrastructure that undergird modern nuclear systems provide opportunities for actors to engage in cyber espionage — gaining access to a network or system to steal information — or even conduct cyber attacks. Hypothetically, a cyber power like Russia could conduct a cyber attack against a U.S. early warning satellite to degrade its functionality. This has become an urgent concern for practitioners. U.S. Strategic Command, for instance, is currently working to “operationally harden NC3 systems against cyber threats.” Congress has also gotten involved, requiring the Defense Department to evaluate the cybersecurity of major weapon systems. And the Government Accountability Office has published multiple reports decrying the state of cybersecurity and scope of vulnerabilities of weapon systems, including elements of the nuclear triad.

From an academic perspective, scholars have investigated how cyber operations targeting nuclear systems could exacerbate escalation risks. Focusing on nuclear forces, early research, such as work by Martin Libicki, was skeptical of the dangers posed by cyber operations. Nuclear forces were seen as being largely immune from digital attacks because they were “air gapped,” meaning that they were separated from information technology systems.

However, as nuclear systems have become increasingly intertwined with the digital environment — not to mention the dual-use nature of many elements of nuclear command, control, and communications systems (like early warning or position, navigation, and timing satellites) — the protection offered by being segregated from the internet is less robust. Jacquelyn Schneider, Benjamin Schechter, and Rachael Schaffer, for instance, ran a series of wargames demonstrating that decision-makers in hypothetical crises are likely to use their cyber exploits against an adversary’s nuclear systems. They found that this could have negative effects on states’ respective nuclear strategies, especially decisions to pre-delegate nuclear launch authority or automate nuclear responses. Erik Gartzke and Jon Lindsay argue that the clandestine nature of cyber operations means that one state could secretly gain access to an adversary’s nuclear command, control, and communications systems, giving the former an information advantage or even creating an incentive for the latter to use its nuclear weapons out of the fear that it may lose them. James Acton notes that the difficulties of distinguishing between cyber espionage and attack could lead a state to misperceive the intent behind a cyber operation, generating a similar “use it or lose it” calculus.

The Limited Escalation Risks of Cyber Operations

But all of this focus on cyber operations causing nuclear escalation may be misplaced and, more importantly, distract policymakers from the dangers of a more plausible scenario: the use of ambiguous cyber signals during nuclear crises. Specifically, the nature of cyber operations reduces their inherent escalatory potential, particularly when compared to other ways a state could attack an adversary’s nuclear forces or command, control, and communications systems, like a direct counterforce strike or employing anti-satellite weapons. But their misuse as a signaling tool could do more harm than good.

First, successfully conducting cyber operations against strategic targets, like nuclear systems, is harder than the conventional wisdom might suggest. It requires a means of gaining access to a particular system and developing an exploit to cause a desired effect — and then maintaining persistent (and stealthy) access to be able to conduct an offensive operation at the desired time. Moreover, the overall outcome may be unpredictable and net less-than-desirable results.

Second, even if a state is able to conduct these kinds of operations, they typically prefer to do so in secret — and this mitigates some escalation concerns. That’s because, to cause an escalatory response, a state like Russia would have to uncover a cyber operation during a particular time period — such as while the Ukraine conflict is unfolding. For example, Russia would have to detect a cyber operation against a nuclear command and control system to cause Putin to perceive a “window of vulnerability,” perhaps assessing that it is part of a U.S. or NATO counterforce strategy to disable Russia’s ability to retaliate with nuclear weapons. But the likelihood of these circumstances arising is low because — unless a state is trying to signal with a cyber capability — it will try to keep these kinds of sensitive operations secret. Therefore, the chances of such an operation being discovered at a particular time period are relatively small.

Finally, even if, hypothetically, Russia was to discover a cyber operation taking place, the likelihood of it leading to escalation is low. This is due to the virtual nature of cyber “weapons” — they rarely cause destruction in the physical world, let alone permanent damage. For example, even Russia’s 2015 cyber attack against Ukraine’s power grid, an important example of a strategic cyber attack against civilian critical infrastructure, only resulted in service disruptions for a few hours. During the current conflict, Russia-linked actors have so far been stymied in using cyber operations for strategic impact, such as the failed cyber attack by the group Sandworm against Ukraine’s power grid.

Taken together, this reasoning suggests that, in practice, cyber operations may not rise to a level that would cause a state like Russia to actually fear the integrity of its nuclear command, control, and communications systems, creating few reasons to escalate to the level of nuclear employment.

Civil-Military Relations and the Risks of Cyber Signaling in Nuclear Crises

But what if a state, such as the United States, wanted a cyber operation to be visible to an adversary, such as Russia, during a nuclear crisis — in other words, to send a cyber signal?

Signaling is essential for coercive diplomacy and international crises because it helps states convey their intent to one another. The civil-military relations literature has found that civilian (rather than military) leaders are more inclined to use military force as a form of signaling, rather than for operational effect.

Why does this matter? When civilian and military leaders have different views, civilians could make decisions around using military force for signaling purposes in a way that exacerbates ongoing crises. For instance, writing about Cold War nuclear crises, Scott Sagan has shown that civilian decision-makers have made crises more dangerous by taking actions without fully understanding the military implications and risks of inadvertent escalation. Jack Levy, writing about the causes of World War I, discusses how, during the July Crisis preceding the outbreak of war, civilians saw military mobilization as a political tool for coercive diplomacy, whereas military leaders, who were focused on the operational implications, perceived mobilization as a means of preparing for imminent war.

Differences in how civilian and military leaders see the use of military power are likely to be even more salient in cyberspace, for three reasons. First, cyberspace is a highly technical environment where civilians typically lack subject matter expertise. Practitioners are likely to have far more up-to-date operational experience and, therefore, fluency with the technical issues and constraints posed by cyber operations than civilian leaders (even those with prior and, potentially, outmoded experience). Cyberspace is also a highly classified environment — one in which information is highly segmented and only accessible to a select group of individuals. Therefore, some civilian officials may not be privy to all of the details surrounding cyber operations. Finally, unlike other technical and secretive environments, cyberspace has an additional element that makes it even more difficult for non-experts to grasp its nature. Specifically, cyberspace is also an esoteric environment; cyber operations and their effects are not easily visible in a way that other types of military capabilities are, making it difficult to conceptualize their utility in a tangible manner.

There is evidence supporting this idea. For instance, senior civilian leaders across multiple U.S. administrations, as well as in Congress, typically describe cyber operations as useful for signaling deterrence and resolve. Chris Inglis, the Biden administration’s inaugural National Cyber Director, described how he’d “like to change the decision calculus of those who transgress in this space,” and contemplated that “[p]erhaps our actions should be felt by an adversary. They should know that they have just felt the hand of whomever.” Similarly, Senator Angus King, discussing the threat of Russian-linked ransomware attacks in the summer of 2021, noted that he wants “somebody … in the Politburo to say, ‘Gee, boss, I’m not sure we ought to do this because we’re liable to get whacked in some way by those Americans.’”

John Bolton, former national security advisor under President Donald Trump, in multiple public statements, has depicted the purpose of U.S. cyber operations — especially offensive ones — as a means of influencing adversary perception. He described how the employment of offensive cyber power creates “structures of deterrence, so that it’s publicly known,” and that “it is important that our adversaries know [that] …we have authorized offensive cyber operations to … demonstrate to our adversaries that the costs of engaging in operations against us is higher than they want to bear.” Michael Daniel, the Obama administration’s cyber czar, depicted the purpose of imposing costs on Russia in response to its 2016 election interference as “to openly demonstrate that we could do it as a deterrent and also clandestinely disrupt their operations as well.”

In contrast, while some military leaders do talk about cyber deterrence, the language they employ is anchored in tactical and operational objectives, rather than aiming to influence adversary perception and decision-making. This is evident in how both civilian and military leaders use the language of “imposing costs.” Military leaders tend to describe cost-imposition as supporting the disruption, degradation, denial, or destruction of adversary offensive capabilities and operations. For instance, in December 2021, Gen. Paul Nakasone, commander of U.S. Cyber Command and director of the National Security Agency (NSA), described “imposing costs” against Russian-linked ransomware groups as the goal in itself. The month prior, at the November 2021 Aspen Security Forum, he argued for the United States to impose costs in cyberspace, but stated that a traditional deterrence strategy “does not comport to cyberspace.” In another example, in 2019, Lt. Gen. Stephen Fogarty, commander of Army Cyber Command, voiced skepticism about cyber deterrence in remarks about defending the 2020 elections against cyber interference, noting that “I don’t know of a single thing we could do that would prevent [adversaries] from competing, but I want to impose as much cost on them as possible.”

Implications for the Ukraine Crisis and Beyond

What are the implications of this for the current Ukraine crisis? Thus far, while cyber operations have been used on both sides of the conflict, they have not played a decisive role on the battlefield. So far, the United States has been focused on providing cyber defense support to Ukraine and NATO, reportedly to include dispatching Cyber Command’s cyber mission teams to Eastern Europe, as well as seeking to deter potential Russian cyber retaliation in response to U.S. and Western sanctions, especially attacks on U.S. critical infrastructure.

However, if the nuclear dimension of the crisis becomes more acute, policymakers may be tempted to turn to cyber operations to signal resolve to deter Russia in the nuclear domain. Such an approach could be seen as particularly appealing precisely because cyber operations are not kinetic and, therefore, less dangerous than other military moves. But this could have the inverse effect of making nuclear escalation, rather than deterrence, more likely, for the following reasons.

In 2020, Russia clarified its nuclear declaratory policy to state that Russia reserves the right to use nuclear weapons under a range of contingencies, including an adversary attack against “critical governmental or military sites of the Russian Federation, disruption of which would undermine nuclear forces’ response actions.” Cynthia Roberts has suggested that this particular scenario “likely include[s] cyber attacks against command and control infrastructure and/or attempted leadership decapitation.” Similarly, Dmitry Stefanovich wrote that “[t]here is a wide consensus within the Russian expert community that this also includes possible cyber threats as well as other non-nuclear dangers.” Interestingly, Russia’s declaratory policy contains parallels to the implicit link between cyber attacks and nuclear use contained in the 2018 U.S. Nuclear Posture Review. That document notes that the United States would consider using nuclear weapons under “extreme circumstances,” including “significant non-nuclear strategic attacks … [such as] attacks on U.S. or allied nuclear forces, their command and control, or warning and attack assessment capabilities.”

Therefore, a hypothetical attempt by the United States to conduct a cyber operation against Russian nuclear command, control, and communication systems for signaling purposes, such as to demonstrate resolve or convey a desire to deter the use of nuclear weapons could in practice make their use more likely. Unlike most cyber operations, which rely on secrecy, signals are meant to be seen. And to be sufficiently credible, this kind of cyber operation would have to demonstrate an ability to cause a meaningful effect against Russia’s nuclear systems, rather than a low-cost, unsophisticated cyber operation. Therefore, assuming such an attack were feasible, the chances are greater in this scenario that Russia could interpret U.S. cyber signals as an attack against its critical military systems.

The problem is that, more often than not, cyber operations are ambiguous signals. There is evidence that states can use cyber operations under some (narrow) conditions to signal a desire to de-escalate international crises. But these findings do not extend well to nuclear crises where clarity, rather than uncertainty, is important for stability. The use of cyber operations to defuse crises have involved cyber signaling short of war, not during an ongoing conventional conflict involving nuclear powers. And they have not involved cyber operations targeting a state’s nuclear command and control where states, like Russia, have already staked out declaratory policies. Moreover, states are still at a nascent stage in developing shared indices to inform assessments of intent in cyberspace, especially when it comes to cyber operations in nuclear crises.

Therefore, even if Russia would not take the cataclysmic step of escalating to the first use of nuclear weapons in response to a U.S. cyber operation, it could misinterpret U.S. signaling efforts and take measures to make nuclear use easier (such as making warheads operational, dispersing forces, pre-delegating authority, or increasing automaticity). These readiness measures could increase the chances of inadvertent or even accidental escalation.

The Biden administration has been commendable in clearly and consistently communicating to Russia, and other audiences, what the United States will not do in the Ukraine crisis — like sending American forces to Ukraine or establishing a no-fly zone. In addition, the administration should be equally clear about what is off the table in cyberspace — what Jacquelyn Schneider has termed a “strategic no-first-use” policy in cyberspace. Specifically, the United States should unequivocally convey to Russia that it will refrain from taking actions in cyberspace during this crisis that would undermine nuclear stability, such as conducting disruptive cyber-attacks against early warning satellites. This is different — the opposite, in fact — from drawing “red lines” in cyberspace, which are meant to deter unwanted behavior but can often backfire. Instead, the United States should communicate where it will exhibit restraint in cyber operations — a form of confidence-building. This could be conveyed publicly through statements by administration officials, similar to statements that Biden has made about other aspects of America’s role in Ukraine. It could also be privately communicated through ongoing backchannels taking place between U.S. allies, like France, and Russia.

There are also policy implications beyond the Ukraine conflict, especially in an environment in which the United States confronts potential future crises with other nuclear powers. In particular, senior national security officials have repeatedly emphasized that China represents a “pacing challenge” for the United States, including across the nuclear and cyber realms. In fact, Gen. Nakasone recently announced the creation of a China Outcomes Group under Cyber Command and the NSA. And researchers have identified how hypothetical crises involving the United States and China could escalate along dangerous trajectories, including to the use of nuclear weapons. The consequences of misunderstanding the utility of cyber signaling in this area are significant. Therefore, policymakers must consider how to improve civil-military coordination and cohesion so that the employment of military cyber power — especially when used against sensitive adversary systems, particularly nuclear ones, during delicate periods — is not out of sync with strategic objectives. The United States should also develop a more robust effort to clarify to adversaries, including China, how it will constrain its own behavior in cyberspace specifically during nuclear crises. The potential implications of misperceptions surrounding cyber operations targeting nuclear systems during a future crisis with a nuclear-armed adversary are simply too significant.

Erica D. Lonergan is an assistant professor in the Army Cyber Institute at West Point and a research scholar at the Arnold A. Saltzman Institute of War and Peace Studies at Columbia University. The views expressed are personal and do not reflect the policy or position of any U.S. government entity or organization.

Keren Yarhi-Milo is the Arnold A. Saltzman Professor of War and Peace Studies in the political science department and the School of International and Public Affairs. She is also the director of the Arnold A. Saltzman Institute of War and Peace Studies at Columbia University.

CORRECTION: In referencing an article in the Washington Post by Dmitri Alperovitch and Samuel Charap, this article implied they were calling for a preemptive cyber attack against Russia, when in fact, Alperovitch and Charap were calling for such an attack only in response to “Russia’s first wave of major cyberattacks” against the West. This incorrect depiction was unintentional, due to an editorial error, and has been corrected in the text.