Could the United States, through its actions in North Korea, set a precedent for hacking nuclear arsenals?
Last week’s failed North Korean missile test indicates that all is not right with Pyongyang’s WMD program. Due to the lack of diplomatic or military options, it appears that the Stuxnet cyber playbook employed against Iran was dusted off to foil North Korean missile tests and possibly even prevent the launch of those missiles in the event of hostilities.
The move could send a dangerous signal to Russia and China that the U.S. might seek to undermine their nuclear deterrence capabilities by using the same sort of cyberattacks, and encourages them to reciprocate against ours. That dynamic opens a Pandora’s box of risk, largely because it may undercut deterrence. As my colleague Greg Austin argued, “Strategic nuclear stability may be at risk because of uncertainty about innovations in cyber attack capability.”
While hacking Iran or North Korea’s nuclear forces may be productive in getting them to the negotiating table, it can lead other countries to question whether the same cyber weapons could be unleashed against them. Worse, they could try to use the same weapons to disable the nuclear arsenals of the U.S. and its allies.
At the moment, it appears the United States will employ any cyber means available to stall, disable, or derail the nuclear ambitions of rogue nations that have engaged in the development of nuclear arms and the systems capable of delivering them. The Pentagon invested in a “left of launch” capability designed to prevent launches or destroy missiles in early flight. Specifics are few as to what these “non-kinetic” options are, but according the Chairman of the Joint Chiefs 2013 guidance on air and missile defense, they could include, “cyber, directed energy, and electronic attack.”
Cyberattacks (likely) cannot be used to detonate nuclear arms of adversaries on the ground, but can sew chaos in their development.
This is a double-edged sword, however. With the United States about to invest hundreds of billions in recapitalizing its nuclear forces, it will need to redouble efforts to protect weapons source code and critical communication links as the antiquated systems it deployed as far back as the 1960s are replaced by platforms created in our time of gross cyber vulnerability. The Chinese reputedly broke into the computers used to write software for the F-35. Could they or the Russians not also get away inserting flaws into the software code of the DoD’s new missiles, bombers, and submarines?
America’s use of cyber against North Korea should be of significant concern to those charged with oversight of national security because of the message it sends to other nuclear powers. Hacking and electronic attack against Pyongyang’s missiles no doubt produces concerns in Beijing and Moscow, and perhaps even India and Pakistan.
While the world’s major powers have engaged in dialogue on establishing norms regarding restraint in employment of cyber options under the UN’s Group of Government Experts (GGE) process, Iran flexed its muscles in its likely 2012 attack against Saudi Aramco, North Korea went after Sony for its unflattering film portrayal of Kim Jong Un (2013), and Russia attacked the Ukrainian power grid (2015). Cyber norms of restraint against other targets have yet to emerge, and America’s adversaries have amply demonstrated that they can “shoot back” in cyberspace.
The bottom line is that the U.S. must think strategically about the acceptable use of preemptive cyberattacks. The secretaries of State or Defense may want to be clearer about policies on the matter. Secretary of State Rex Tillerson’s ambiguous statement in Moscow comparing election hacking to hacks against weapons systems left us with more questions than anything else, and that uncertainty could damage policies of deterrence that have been maintained between Russia and the U.S.
Stanford’s Amy Zegart argues that today’s hacking may get results, “But 30 years from now we may decide it was a very, very dangerous thing to do.” It’s one thing to steal another country’s nuclear weapons designs, but it’s quite another to insert software bugs undercutting assurance that those weapons will work.