Washington security circles are abuzz with rumors about the Trump administration’s forthcoming Nuclear Posture Review. Word is that it includes this: If a country launches a major cyberattack on critical U.S. infrastructure — water or energy facilities, say — the United States will respond with a nuclear attack.
That would be a big decision. Nuclear retaliation for a cyberattack would be a new — and controversial — solution to a problem that the United States has grappled with for years: How can the United States deter adversaries from launching large-scale attacks against a civilian infrastructure that is both digitally dependent and tremendously vulnerable to attack?
Right now, the U.S. doesn’t have an effective way to deter cyberattacks
Threatening a non-cyber response to cyberattacks is not new. The 2015 DoD Cyber Strategy keeps all potential options for retaliation on the table — although the Defense Department doesn’t specifically threaten nuclear retaliation. In practice, the United States has mostly responded to cyberattacks through diplomatic, legal or economic means. Under the Obama administration, official policy promised “proportional responses,” never mentioning nuclear attacks. And evidence from crisis war gaming suggests that U.S. decision-makers are more likely to ignore cyberattacks of any level than to respond with military force.
So far, the United States hasn’t suffered any large-scale cyberattacks that physically damaged critical infrastructure, which seems to be the Nuclear Posture Review’s focus. But congressional leaders and a recent Defense Science Board report aren’t convinced this means that cyber-deterrence policies actually work. The argument is that, because of human error, the proliferation of access points and increasingly complex code underwriting modern infrastructures, cyberattacks can’t be completely defeated or deterred by defensive measures such as network hardening or patching. Therefore, the only way to prevent significant attacks is to promise harsh punishment if one occurs.
What’s the problem with threatening proportional responses as punishment? Why not just threaten to respond with a similar cyberattack? The first pragmatic issue is that the effects of cyberattacks are inherently uncertain. A state may think it has a tool to unleash cyber-Armageddon but discover that its adversary’s software means the tool arrives not with a bang but with a whimper.
Second, compared with its less open and less digitally dependent adversaries such as North Korea, the United States may be asymmetrically vulnerable to the damage from a major cyber-offensive. That may make it impossible to unleash proportional cyber-damage. Policymakers are stuck between limited and uncertain cyber-responses and the difficulty of using economic sanctions to deter attack.
So why not threaten to go nuclear?
If the United States has such a problem with credible cyber-deterrence, why wouldn’t a nuclear threat help solve the problem? For this threat to be effective, adversaries must believe that the United States really would respond to a cyberattack with a nuclear weapon. And only the widespread support of Americans would make the threat credible.
Our research suggests that Americans would not support a nuclear counterattack, seeing it as excessive. That would undermine any such threat’s deterrence value.
Here’s how we did our research
To find out what Americans thought about this question, we conducted a survey experiment on a sample of almost 1,100 U.S. citizens on Amazon Mechanical Turk, an online labor market.
We had each respondent read a description of an attack on critical U.S. infrastructure, with scenarios that varied in approach and severity. Some read about cyberattacks, others about airstrikes and still others about nuclear attacks. For each of these, some read scenarios with serious consequences — such as heavy financial costs, a large number of casualties, or radiation and fallout — while others read about less severe consequences. We wanted to know what kind of retaliation Americans would support and how that would vary by either the means of attack or the severity of the results. If the casualties or financial results were the same, would it matter to respondents whether the attack had been launched online, by air or with nuclear weapons?
The answer: Yes.
More Americans are willing to respond militarily to physical attacks than to comparable cyberattacks
Americans were statistically less likely to support retaliation for a cyberattack, even if that attack had the same kind of consequences as a physical attack. If a cyberattack left thousands dead, our respondents were reluctant to respond with force — but they were remarkably bellicose about the same results after a conventional or nuclear attack.
For example, when our hypothetical cyberattack killed thousands of Americans, only 42 percent of Americans were willing to retaliate with airstrikes. Compare that to 55 percent support for air attacks in response to a conventional attack and 62 percent to retaliate for a nuclear attack. We gave respondents a chance to offer open-ended responses. These revealed that cyberspace attacks affected them quite differently than physical attacks.
Why the difference? It may be that Americans can’t yet imagine a cyberattack akin to 9/11. Until now, cyberattacks have had only “non-kinetic” effects: disrupted financial transactions, election meddling or website blackouts. So far we’ve seen no direct human casualties. It’s possible that respondents can’t imagine how they would feel if a cyberattack killed thousands.
Or it may be that cyberattacks are different from physical attacks in ways that make it unlikely that the American public would respond the same way. It will never be as easy to identify a cyberattack perpetrator as it is to identify who launched an airstrike or nuclear-armed missile. What’s more, the physical effects of a cyberattack wouldn’t come immediately; any fatalities from, say, a power grid crash or failed water supply would come days later. And without bombs or bullets — visible, physical things that cause visceral fear — cyberattacks may simply not seem as terrifying.
How do you make sure threats are credible enough?
During the Cold War, some U.S. policymakers worried that Russia might not believe the United States would respond as forcefully to an attack on an ally as to an attack on U.S. soil. And so the United States developed measures that would credibly and publicly commit it to using force — even if, say, the American public might not be willing to defend Paris if it meant inviting an attack on New York. If the United States does intend to respond to cyberattacks with nuclear weapons, it would need to find ways to make that threat credible, despite public hesitation. Otherwise, the logic of deterrence will unravel.
Sarah Kreps is an associate professor in Cornell University’s department of government.
Jacquelyn Schneider is an assistant professor at the Naval War College. The opinions here are her own and do not represent those of the U.S. Navy, the Naval War College or the Department of Defense.