NTI Seminar: Chris Painter on Avoiding Nuclear Escalation from Cyberattacks

What happens “if we can’t rely on the information we have,” asks Christopher Painter, former top U.S. cyber diplomat.

In an NTI seminar on January 25, Painter posed this critical question and discussed a range of issues at the intersection of cyber and nuclear security.

If the information upon which leaders depend to make critical security decisions, including about use of nuclear weapons, cannot be trusted, catastrophe could follow, Painter cautioned. Cyberattacks that target sensitive information, nuclear weapons and related systems, or critical infrastructure that supports daily life are insidious threats to peace and security.

But some lessons from the nuclear risk reduction playbook can apply to cyber, and where mutual interest can be found among nuclear weapons states, it could, in Painter’s words, “help save the world.”

Don’t Forget the “I” in “CIA”

“If you have an attack that can change the information, that can be really debilitating,” Painter says.

Cyber experts have long categorized attacks as jeopardizing the confidentiality, the integrity, and/or the availability of digital information and tools—the “CIA” triad. Theft of personal information could be a breach of confidentiality. A brute-force cyberattack that stops a customer from getting access to a bank’s website is an availability concern.

The “C” and the “A” cannot be forgotten. More should be done to harden key targets, like nuclear systems, to keep the most sophisticated cyber aggressors out. As roughly 90 percent of U.S. nuclear systems gain new digital tools or upgrades, the potential attack area is growing. And as tensions rise in central and eastern Europe, Painter says cyberattacks that disable critical Ukrainian, U.S., and allied infrastructure are possible.

But integrity of information of all kinds—from health records to nuclear commands—are also at risk. Information corruption or spoofing of radar or satellites meant to notify with early warning of an incoming nuclear attack could result in a launch of the world’s deadliest weapons. Poisoned information at a dangerous moment could lead to poor diplomatic and military decisions—and in most nuclear weapons states, one person has sole authority to make the grave decision of whether to use nuclear weapons.

Transparency to Diminish Escalation

Even though “there are no launch plumes in cyber,” some of lessons from arms control and nuclear risk reduction are relevant for reducing cyber risks. While most parallels between cyber and nuclear war are exaggerated, governments should borrow from the nuclear risk reduction playbook and pursue confidence-building and transparency measures. “Measures that allow us to dial-down or avoid escalation,” especially the potential for misperception, are needed, he said.

The United States has been a leader in developing frameworks for cooperation and stability in cyberspace, Painter notes. Some cyber activities are akin to armed attack and subject to international law, and many activities should adhere to international norms of responsible state behavior.

The escalation pathways in cyber are still immature and misunderstood, says Painter. What message does each action send? “Countries can have completely different perceptions of what activity is. We may think we’re sending one message with a cyber tool, whereas the adversary” understands another, he explained.

Options for Restraint

Policy changes could help reduce the risk of escalation from cyberattack to nuclear war, according to Painter. For example, the 2018 Nuclear Posture Review (NPR), a key governing document for nuclear policy in the United States, added an option for the president: respond to non-nuclear strategic attacks, like cyberattacks, with nuclear weapons. The Biden administration is preparing their version of the NPR now and might narrow this potentially escalatory option. Other nuclear weapons states could similarly affirm that a cyberattack should not escalate, especially given consensus that a “nuclear war cannot be won and should never be fought.”

States could also agree that certain targets are off-limits, like nuclear weapons’ command, control, and communications systems. The dangers of pre-positioning or conducting espionage in a nuclear weapons system should be apparent to governments, which, if discovered, could lead to misunderstanding, confusion, and catastrophic decisions. Agreements not to interfere in one another’s nuclear command and control systems could take shape in both bilateral and multilateral formats. There are challenges to manage in implementation, like differentiating nuclear from other military systems and verifying compliance. But prioritizing cyber-nuclear escalation issues in discussions among American and Russian counterparts through Strategic Stability Dialogues is useful.

No one approach will be sufficient to reduce risks of escalation from cyberattacks to nuclear war, but Painter nonetheless calls for quick action: “It’s critical we [act] now. The vulnerabilities are too great. The risks are too great.”

A National Security Priority

The film War Games features a hacker, false warning of nuclear attack, and threat of an automated response that could devastate two continents. A screening of the film at Camp David reportedly led President Reagan to ask important, prescient questions about cybersecurity and nuclear command and control.

Escalation risks have only increased as digital tools have become commonplace. The films that feature hackers and nuclear security are increasingly realistic, Painter says. “The good news is that this is now a national security priority.”