Over the July 4 weekend, the Russian-based cybercriminal organization REvil claimed credit for hacking into as many as 1,500 companies in what has been called the largest ransomware attack to date. In May, another cybercriminal group, DarkSide, also apparently located mainly in Russia, shut down most of the operations of Colonial Pipeline, which supplies nearly half the diesel, gasoline and other fuels used on the East Coast — setting off a round of panic buying that ended only when the company handed over a ransom. These incidents were bad enough. But imagine a much worse cyberattack, one that not only disabled pipelines but turned off the power at hundreds of U.S. hospitals, wreaked havoc on air-traffic-control systems and shut down the electrical grid in major cities in the dead of winter. The grisly cost might be counted not just in lost dollars but in the deaths of many thousands of people.

Under current U.S. nuclear doctrine, developed during the Trump administration, the president would be given the military option to launch nuclear weapons at Russia, China or North Korea if that country was determined to be behind such an attack.

That’s because in 2018, the Trump administration expanded the role of nuclear weapons by declaring for the first time that the United States would consider nuclear retaliation in the case of “significant non-nuclear strategic attacks,” including “attacks on the U.S., allied, or partner civilian population or infrastructure.” The same principle could also be used to justify a nuclear response to a devastating biological weapons strike.

But our analysis suggests that using nuclear weapons in response to biological or cyberattacks would be illegal under international law in virtually all circumstances. Threatening an illegal nuclear response weakens deterrence because the threat lacks inherent credibility. Perversely, this policy could also wind up committing a president to a nuclear attack if deterrence fails. While the American public would indeed be likely to want vengeance after a destructive enemy assault, the law of armed conflict requires that some military options be taken off the table. Nuclear retaliation for “significant non-nuclear strategic attacks” is one of them.

The Biden administration is now conducting its own review of the U.S. nuclear posture. The 2018 Trump change is an urgent candidate for reevaluation, but people have generally ignored it up to now. As officials work on this process, they have the chance to take full account of what could be called the “nuclear law revolution” — a growing recognition that international-law restrictions on warfare, and especially those that protect civilians, apply even to nuclear war.

Most Americans are aware of the strategic revolution that nuclear weapons themselves kicked off: The massive destruction they created made deterrence the highest national security priority. Soon after the bombing of Hiroshima in 1945, for example, Bernard Brodie, a preeminent early Cold War strategist, wrote: “Thus far the chief purpose of our military establishment has been to win wars. From now on its chief purpose must be to avert them.”

Inherent in the idea of deterrence for decades was the notion that the United States would rain “assured destruction” on the cities of any nation that attacked us or our allies with nuclear weapons. During the height of the Cold War, for instance, U.S. nuclear war plans were designed to destroy “at least 70% of the urban industrial bases of the USSR and Communist China” and expected to kill “30% of the people,” according to declassified top-secret documents from the Nixon administration written in 1969 and 1971.

But such plans were manifestly not reconcilable with the central principles of the international law of armed conflict. This helps explain why the U.S. government asserted at the time of its negotiation that the 1977 Protocol I to the 1949 Geneva Conventions did not apply to nuclear weapons. That later treaty codified the obligation of all state parties to follow in war the principles of distinction (drawing a line between military targets and civilians), proportionality (making sure the unintended or “collateral” civilian harm resulting from a legitimate attack does not exceed the military advantage of that attack) and precaution (doing everything feasible to avoid or at least minimize collateral civilian deaths). U.S. nuclear war plans in the 1970s didn’t follow any of these rules.

In 2013, however, the Obama administration’s official nuclear weapons employment guidance announced that henceforth, “all plans must also be consistent with the fundamental principles of the Law of Armed Conflict.” From then on, even nuclear war plans would apply the principles of distinction, proportionality and precaution.

The Obama guidance document was categorical: “The United States will not intentionally target civilian populations or civilian objects.” According to Gen. C. Robert Kehler, the head of U.S. Strategic Command from 2011 to 2013, implementing this guidance led the command to develop nuclear delivery “tactics and techniques to minimize collateral effects,” and to “expand non-nuclear strike alternatives and add significant flexibility to our contingency plans.” The Trump administration’s 2018 Nuclear Posture Review reaffirmed the U.S. commitment to “adhere to the law of armed conflict” in any “initiation and conduct of nuclear operations” — but its interpretation of the law (allowing nuclear weapons to be used in response to a massively destructive biological or cyberattack) was flawed.

The unambiguous embrace of the application of international law to nuclear weapons means that if a future president ordered a Hiroshima-like attack, striking a city to kill as many enemy civilians as possible, it would be an illegal order that senior generals would be required to disobey. This would be true even if the order came in response to a nuclear attack on an American city; nations are not permitted to flout the rules of war protecting civilians simply because their enemies do. (A theory called “belligerent reprisal” holds that states may strike back at civilian populations in a proportionate way if the intent is to get the enemy to stop its own illegal warfare. We and other scholars have argued that this practice is not compatible with current understandings of international law.)

Yet it is not only pundits and the public that have failed to notice this legal revolution. Some writings by nuclear strategists, even those seeking to limit the dangers of nuclear war, have ignored the shift. In 2018, for instance, the late Princeton research scholar Bruce Blair proposed a policy of what he and others have called “minimal deterrence”: His version involved cutting the U.S. arsenal to fewer than 700 warheads, from some 2,000 today, and aiming them to guarantee “the annihilation of scores of [Russian] cities housing banking and oil infrastructure as well as key manufacturing and leadership facilities.” But a policy targeting civilian infrastructure would clearly violate international-law rules that Washington recognizes apply to nuclear targeting.

This is not to say that the laws of war preclude all use of nuclear weapons (a conclusion that some legal scholars have embraced). The principle of proportionality permits some U.S. nuclear attacks against military targets — for example, when the harm such a strike would prevent to U.S. and allied populations would exceed the foreign collateral damage it caused. (Any associated civilian deaths would have to be truly incidental and unavoidable. Deliberately causing purported “collateral” civilian damage to force an enemy to stand down would be illegal.) Those planning a nuclear counterattack would also be obliged to use the lowest-yield weapons necessary to destroy or neutralize the legitimate military targets they place in their sights.

If the laws of war strictly constrain nuclear retaliation for a nuclear attack on the United States, they all but certainly bar such a strike in response to a cyber- or biological attack — even one causing many civilian casualties. In almost any imaginable scenario, the use of nuclear weapons would violate the principle of precaution, the requirement to minimize harm to civilians if feasible. That’s because the formidable U.S. military has the capacity to halt, or to induce the adversary to halt, ongoing cyberattacks through conventional or cyber-responses that would cause less harm to foreign civilians than would a retaliatory nuclear strike.

There are a few possible, but largely hypothetical, exceptions to this rule. One would be if the individuals or organization responsible for the cyber- or biological attack were in an underground bunker that couldn’t be destroyed any other way. Another hypothetical option, a nuclear demonstration strike against an isolated military target, might be legal, but it would be strategically stupid, as it would actually demonstrate lack of resolve. A stronger response would directly target — through conventional means — the perpetrators and their ability to launch further attacks on us or our allies.

Using nuclear threats to deter cyberattacks is also inherently less credible than threatening retaliation with conventional weapons or in kind (that is, with cyber-retaliation). The states that we worry most will launch cyberattacks — Russia, China and North Korea — also have nuclear weapons, and their leaders might reasonably calculate that any U.S. president would be reluctant to use nuclear weapons against a nation that can retaliate in kind. An adversary might also believe that the U.S. military would refuse to use nuclear weapons in response to non-nuclear attacks precisely because of questions around legality. Such suspicions undermine the deterrent force of nuclear weapons; in contrast, if the United States were to commit to only conventional or cyber-retaliation to “significant non-nuclear strategic attacks,” adversaries would have fewer doubts that we would follow through.

Not only might a U.S. nuclear threat against a cyber- or biological attack be perceived as a bluff, it could be doubly dangerous if it subjected the president to what has been called the “commitment trap.” If Washington threatens a nuclear response to deter a cyberattack, but adversaries go ahead anyway because the threat is deemed not credible, then there would be increased pressure on the president to order a nuclear strike to rebut domestic political claims of weakness and shore up international perceptions about the credibility of future threats. But succumbing to such political pressure or the urge for vengeance would create an unacceptable risk of further nuclear escalation.

In their joint memoir, “A World Transformed,” Brent Scowcroft explained why he and President George H.W. Bush did not issue an explicit threat to retaliate with nuclear weapons if Saddam Hussein ordered the use of chemical weapons against U.S. troops in the 1991 Persian Gulf War: “It is bad practice,” he wrote, “to threaten something you have no intention of carrying out.” The U.S. government should follow that principle today. In an era of escalating cyber-dangers, it would be prudent to pay closer attention to both the laws of armed conflict and the logic of credible deterrence. The threat of nuclear retaliation in response to a cyber- or biological attack should be ruled out.

correction

An earlier version of this article incorrectly rendered the first name of former national security adviser Brent Scowcroft as “Brett.” The article has been corrected.

Read more