H-Diplo | ISSF

Review Essay 43

Andrew Futter. Hacking the Bomb: Cyber Threats and Nuclear Weapons. Washington, D.C.: Georgetown University Press, 2018. ISBN: 9781626165649 (hardcover, $89.95); 9781626165656 (paperback, $29.95).

Reviewed by Jacquelyn Schneider, U.S. Naval War College.[1]

Published 11 October 2018 | issforum.org

Editor: Diane Labrosse
Web and Production Editor:  George Fujii

 

Shortlink: http://tiny.cc/ISSF-RE43
Permalink: https://issforum.org/essays/43-hacking-bomb
PDF URL: https://issforum.org/ISSF/PDF/RE43.pdf

Hacking the Bomb begins its narrative with WarGames—a 1980s sci-fi movie about a teenager who inadvertently almost starts nuclear war by hacking into a nuclear control program within a U.S. computer. This is a common vignette within the cyber literature (see, for example, the introductions of Fred Kaplan’s Dark Territory[2] as well as “Thermonuclear War”[3]) and it represents what most scholars believe is the most dangerous potential implication of cyber operations—the cyber threat to nuclear command, control, and communications (NC3). As Erik Gartzke and Jon Lindsay conclude, “offensive cyber operations against NC3 raise the risk of nuclear war . . . today the proliferation and modernization of nuclear weapons may raise the risk slightly. Subversion of NC3 raises the danger of nuclear war slightly more. Cyberwar is not war per se, but in rare circumstances it may make escalation to thermonuclear war more likely.”[4]

The potential of a cyber-nuclear threat becomes even more pressing as states move to digitize the technologies within their nuclear arsenal. The United States, for example, is currently in the midst of a major nuclear modernization effort prompted by a damning finding from the Government Accountability Office that “Defense is still using 8-inch floppy disks in a legacy system that coordinates the operational functions of the United States’ nuclear forces.”[5] In response, Strategic Command has prioritized the digitization of NC3, arguing to Congress that “any delay, deferment, or cancellation of NC3 modernization will create a capability gap potentially degrading the President’s ability to respond appropriately to a strategic threat.”[6] Further, recent Department of Defense cloud computing initiatives suggest that the U.S. might go so far as to store nuclear information in contractor-provided cloud computing services.[7] The bottom line is that modern nuclear arsenals are becoming more and more entangled with cyber infrastructure. Clearly Andrew Futter’s Hacking the Bomb introduces an important puzzle at an extremely relevant time.

The book also has the potential to be a significant contribution to our limited understanding of the impact of cyber operations on nuclear stability. The literature on cyber deterrence, cyber escalation, and cyber war has proliferated over the last five to ten years. Early leaders such as Martin Libicki, Jason Healey, Fred Kaplan, Lucas Kello, Thomas Rid, and Herb Lin have laid a strong foundation of cyber puzzles and their books have generated a rich set of hypotheses about the implication of cyber operations on broader crisis stability.[8]

In order for books to be judged contributions to this now burgeoning field, works must move past this rich foundation of hypotheses and instead build knowledge and fill in theoretical gaps. Despite the increase in attention to cyber threats, authors have been so far unable to answer the fundamental question of international relations—do cyber operations increase or decrease the chance for war? In order to answer this pivotal question, the cyber field benefits from work that 1) characterizes the technical nature of the threat (i.e. can cyber operations pull off these kinds of attacks?), 2) provides empirical data on use of or response to cyber operations—especially about sensitive exploitation or attack planning, or 3) generates testable theories with clear independent variables, dependent variables, and causal mechanisms. While the framing of a cyber-nuclear puzzle is compelling, in order for the study to be a significant contribution it should either present new technical knowledge about the feasibility of impactful cyber attacks, new empirical data about the propensity for the use of or reaction to cyber operations against nuclear targets, or new theories about cyber operations and nuclear stability with clear logics and falsifiable hypotheses. Any one of these contributions could help us answer whether cyber operations increase, decrease, or have no effect on the chance for nuclear war.

Unfortunately, Hacking the Bomb is in the vein of much of the existing cyber literature and the ultimate question about nuclear war is left unresolved. It is primarily an exploratory presentation of various cyber-nuclear challenges with an articulation of debates within policy and popular discussion. It does not present new empirics on the use of cyber operations and relies on a limited number of secondary sources for its analysis. It does, however, have the potential to generate new theoretical perspectives. Perhaps the most useful contribution of the book comes from Futter’s typology of nuclear control in chapter 2. Here, Futter illustrates potential cyber vulnerabilities through the lens of two categorizations taken from the nuclear theory world: the vulnerabilities that incentivize negative control, or unwarranted use, and vulnerabilities that incentivize positive control, or first strike incentives. This is a useful frame and a good way to incorporate the very mature theories of nuclear use with our very immature understandings of the implications of cyber operations. Unfortunately, because the book is primarily an exploration and not an argument, Futter does not carry this frame beyond the chapter.

Hacking the Bomb might not solve the primary limitations of current cyber literature, but it does highlight the fertile landscape for future cyber work. In particular, the book suggests the need for three types of follow-on work. First, the lack of primary source knowledge about the technical feasibility of cyber attacks on NC3 severely limits the ability to generalize the potential impact of cyber operations on nuclear stability. Future work that provides more technical detail about the probability of success and the extent of effect would be extraordinarily helpful. In particular, analysis of the cascading effects to the NC3 from cyber attacks on civilian critical infrastructure would provide useful granularity about the impact of cyber operations on an under-studied vulnerability of NC3.

The lack of technical cyber contributions within larger international relations literature is partly due to the fact that the virtual and constantly changing nature of networks and cyber attacks makes it difficult to assess potential effects. However, a good scholarly analysis of technical cyber capabilities is not impossible. Rebecca Slayton’s analysis of the cyber offense-defense balance is a particularly interesting way to broach the technical feasibility challenge.[9] Instead of delving into the technical details of cyber attacks, Slayton’s work focuses on the limits and advantages of organizations in building offensive and defensive tools. By abstracting out from “cyber” to organizations, Slayton is able to trace the overall probability of cyber advantage without extraordinarily detailed technical work. Based on that kind of analysis, one could imagine follow-on research on the cyber-nuclear problem that walks through the technical characteristics of the NC3—satellite relays, fiber optic cabling, data storage and analytics—and abstracts out to organizations in order to perform an unclassified analysis of the ability to access, exploit, and then degrade or destroy functionality.

Second, much of Hacking the Bomb assumes states’ reactions to cyber operations or at least proposes a range of potential responses without providing evidence for which responses are more or less likely to occur. However, some of those assumptions might be testable with either unclassified data sets, case studies, or the use of war gaming. Some of this work is emerging,[10] and future use of innovative methodologies to generate empirics on cyber behaviors might help future literature lean less on assumptions about how states could react to exploits and vulnerabilities of NC3.

A third potential for follow-on research from Hacking the Bomb is the development of more explicit theories about what potential cyber effects and behaviors mean for nuclear policy, operations, and doctrine. For example, an analysis could theorize the potential span of cyber effects within discrete categories (degradation of trust in data, deletion of data, functionality of a weapon system, etc.) without making any technical claim about the probability of these effects. Then, the researcher could run logical experiments, game theory, or simulations in which the only difference between nuclear crises is the categorized cyber effects. By identifying the variable we are interested in, hypothesizing potential effects, and then controlling for the variable that we want to explore, future work could create theoretical advances in our understanding of the impact of cyber operations on nuclear stability.

Finally, the policy implications of much of this cyber literature have been either largely abstract, often contradictory, or stove-piped within the cyber domain. For example, authors often recommend better cyber defense and resiliency without acknowledging the large trade-off between cyber defense or resiliency and leveraging cutting-edge digital technologies in military operations. Futter’s recommendations suffer from similar problems and he does not generate concrete recommendations outside the cyber realm for nuclear policy planners or nuclear acquisition strategies. Future work should generate empirics or theories that lead to recommendations not only for better cyber defense or deterrence, but also for investments in different nuclear delivery platforms, in decentralized versus centralized command and control, in the storage of targeting data, and in the operational concepts states develop to deliver or respond to nuclear weapons.

 

Jacquelyn Schneider is an Assistant Professor at the U.S. Naval War College where she is an affiliated faculty in the Center for Cyber Conflict Studies. Her work on cyber, unmanned technologies, and national security has appeared in a variety of outlets including Journal of Conflict Resolution, Security Studies, Strategic Studies Quarterly, War on the Rocks, Foreign Affairs, Washington Post, Bulletin of the Atomic Scientists, and National Interest.

©2018 The Authors | Creative Commons Attribution-NonCommercial-NoDerivs 3.0 United States License

 

Notes

 


[1] The views expressed are the author’s alone and do not represent those of the Naval War College, U.S. Navy, or the Department of Defense.

[2] Fred Kaplan, Dark Territory: The Secret History of Cyber War (New York: Simon and Schuster, 2016).

[3] Erik Gartzke and Jon Lindsay, “Thermonuclear Cyberwar,” Journal of Cybersecurity 3:1 (2017): 45.

[4] Gartzke and Lindsay, 45.

[5] GAO, Information Technology, Federal Agencies Need to Address Aging Legacy Systems (Washington, D.C.: 2016), https://www.gao.gov/assets/680/677436.pdf, 26.

[6] House Committee on Armed Services, Statement of John E. Hyten Commander United States Strategic Command Before the House Committee on Armed Services (Washington, D.C.: 8 March 2017), https://docs.house.gov/meetings/AS/AS00/20170308/105640/HHRG-115-AS00-Wstate-HytenUSAFJ-20170308.pdf, 6.

[7] Jacquelyn Schneider, “JEDI: Outlook for Stability Uncertain as Pentagon Migrates to the Cloud,” Bulletin of the Atomic Scientists, 21 June 2018, https://thebulletin.org/jedi-outlook-stability-uncertain-pentagon-migrates-cloud11927.

[8] Martin Libicki, Cyberdeterrence and Cyberwar (Santa Monica: Rand Corporation, 2009); Herbert Lin, “Offensive Cyber Operations and the Use of Force,” Journal of National Security Law and Policy 4:63 (2010): 63-75; Jason Healey and Karl Grindal, eds., A Fierce Domain: Conflict in Cyberspace, 1986 to 2012 (Washington, D.C.: Cyber Conflict Studies Association, 2013); Kaplan, Dark Territory; Lucas Kello, The Virtual Weapon and International Order (New Haven: Yale University Press, 2017); Thomas Rid, Cyber War Will Not Take Place (New York: Oxford University Press, 2013).

[9] Rebecca Slayton, “What is the Cyber Offense-Defense Balance? Conceptions, Causes, and Assessment,” International Security 41:3 (2017): 72-109.

[10] Brandon Valeriano and Ryan C. Maness, Cyber War Versus Cyber Realities: Cyber Conflict in the International System (New York: Oxford University Press, 2015); Brandon Valeriano, Benjamin Jensen, and Ryan C. Maness, Cyber Strategy: The Evolving Character of Power and Coercion (New York: Oxford University Press, 2018); Jacquelyn Schneider, “The Information Revolution and International Stability: A Multi-Article Exploration of Computing, Cyber, and Incentives for Conflict” (Ph.D. diss., The George Washington University, 2017); Jon Lindsay, “Stuxnet and the Limits of Cyber Warfare,” Security Studies 22:3 (2013): 365-404.
