The Cyber Threat to Nuclear Non-Proliferation
Published by The Lawfare Institute
Most cyber scholars looking at the nexus of cyber campaigns/operations and the nuclear weapons enterprise—command and control, communications, and delivery systems—focus on the consequences of targeting the enterprise through cyber operations during militarized crises or armed conflicts between nuclear powers. There is a third geopolitical condition—competition short of crisis and armed conflict—where the consequences, although of a different ilk, are no less severe. Whereas analyses in crises and armed conflicts center on the consequence of dyadic nuclear strategic instability between the opponents, the consequence in a condition of competition could be global geostrategic instability resulting from nuclear proliferation.
The United States provides extended strategic deterrence (a “nuclear umbrella”) for around 30 nonnuclear allied countries (many within the North Atlantic Treaty Organization) and also has notable arrangements of this type with South Korea, Japan, and Australia. Such guarantees are not limited to the United States. In December 2013, Ukrainian President Viktor Yanukovych and Chinese Communist Party leader Xi Jinping signed a bilateral treaty and published a joint statement in which China reaffirmed a 1994 agreement in which it pledged “to provide Ukraine nuclear security guarantee when Ukraine encounters an invasion involving nuclear weapons or Ukraine is under threat of a nuclear invasion.” Additionally, as a key member of the Collective Security Treaty Organization, Russia subscribes to the language of Article 4 of the organization’s treaty, which establishes that an aggression against one signatory would be perceived as an aggression against all.
If a state’s nuclear enterprise suffers a cyber intrusion that is revealed in a condition of competition, the credibility of the nuclear security guarantees that state may provide to other states would be undermined—a second strike would no longer be assured.
States that formerly benefited from nuclear security guarantees could decide to pursue security through alternative ways and means, including significantly increasing their investments in conventional capabilities and force structure, or pursuing nuclear weapons development programs. The former could lead to arms races that destabilize regional subsystems, and the latter would further complicate global nuclear dynamics as states abandon their commitments to the Nuclear Non-Proliferation Treaty.
Are cyber intrusion revelations and these consequences plausible? The recent discovery and disclosure that North Korea compromised a Russian missile engineering company, and a “natural experiment” in which the commitment of the nuclear umbrella was called into question, suggest that they are. This should further incentivize nuclear states to cultivate an explicit norm that declares the nuclear weapons enterprise a “no touch” zone for cyber campaigns.
Discovery and Disclosure
Given the challenges cyber defenders face, some may take the position that an intrusion would not likely be discovered, let alone revealed. But empirical evidence and the challenge of compromising complex systems suggest otherwise. On Aug. 7, SentinelLabs published a report noting that, “while conducting our usual hunting and tracking of suspected-North Korean threat actors, we identified a leaked email collection containing an implant with characteristics related to previously reported DPRK-affiliated threat actor campaigns.” The target of North Korea’s cyber campaign was NPO Mashinostroyeniya, a Russian company that is a pioneer developer of hypersonic missiles, satellite technologies, and newer generation ballistic armaments. The email archive included exchanges between NPO information technology (IT) staff highlighting questionable communications between specific processes and unknown external infrastructure. Security analysts at SentinelLabs identified the archive after discovering that an NPO IT staffer accidentally leaked his company’s internal communications while attempting to investigate the North Korean attack by uploading evidence to a private portal used by cybersecurity researchers worldwide.
There are three important takeaways from the SentinelLabs report. First, North Korea’s intrusion was discovered by IT staff. Second, SentinelLabs came across the email tranche over the course of routine business practices. And third, the information was revealed by a staffer of the Russian firm by accident. There is nothing exceptional about any of these circumstances.
Regarding discovery, those arguing that deception is at the heart of every cyber campaign/operation claim that offensive deception becomes more difficult if the target is complex and/or possesses greater political value. Stated differently, cyber intruders are more likely to be discovered the more complex and politically valuable the target is. That which comprises the nuclear weapons enterprise checks both boxes.
Regarding accidental disclosure, if one presumes that such information regarding similar U.S. technologies is classified, “classified spillage” is “incredibly common[,]” according to former intelligence officials and attorneys who specialize in cases involving classified information. One would expect the highest controls on nuclear enterprise-associated programs, which would lessen the likelihood of accidental spillage but likely not eliminate it.
Additionally, disclosures may be intentional actions by insiders motivated by various reasons. In 2016, a U.S. contractor shared the details of Russia’s 2016 intrusions into U.S. election systems with the media, because they felt that the American people were “being led astray.” Further, an anonymous person provided confidential documents from NTC Vulkan, a contractor working for Russia’s military and intelligence establishment, to the German media, stating that “[t]he company is doing bad things, and the Russian government is cowardly and wrong” and “I am angry about the invasion of Ukraine and the terrible things that are happening there[.] … I hope you can use this information to show what is happening behind closed doors.” The cache of information included manuals, technical specification sheets, and other details for software designed by NTC Vulkan, as well as internal company emails, financial records, and contracts that show the ambition of Russia’s cyber operations and the breadth of its outsourcing efforts. Finally, in 2022-2023, a U.S. Air National Guard member leaked onto the social media platform Discord classified U.S. assessments on the war in Ukraine, the capabilities and geopolitical interests of other nations, and other national security issues. The U.S. Justice Department has not alleged a particular motive for these actions.
In sum, the discovery and disclosure of a compromise of a state’s nuclear weapons enterprise is plausible. Thus its potential effect on states’ perceptions of the credibility of extended strategic deterrence ought to be considered.
A Natural Experiment
The success of extended strategic deterrence fundamentally rests on two factors: perceptions of the credibility of will and the credibility of capability. U.S. policy and actions in the previous administration cast unprecedented doubt on U.S. commitments to the nuclear security of its European and Australasian allies (that is, credibility of will). These historically deviant U.S. actions represent an “intervention” in experiment parlance and may be considered as the basis for a natural experiment. A natural experiment differs from a formal experiment in that the random or as-if random assignment that characterizes experiments, which, in this case, has taken the form of a nonsystematic intervention, occurs as a feature of social and political processes—not in connection with a manipulation planned and carried out by an experimental researcher. In considering the impact of discovery and disclosure of a cyber intrusion on extended strategic deterrence, the nonsystematic intervention examined here comprises remarks calling into question the credibility of U.S. will.
In this same political environment, Republican presidential front-runner Donald Trump’s 2015 accusations that South Korea was free-riding on U.S. security guarantees have had an enduring and increasing impact on the views of the South Korean leadership and populace, with some of the former and most of the latter believing that America’s security guarantees are only as good as its next leader. Opinion polls from 2017 revealed that about two-thirds of South Korean respondents said they supported their country once again hosting tactical nuclear weapons, as it did prior to 1991. In a 2017 interview, Suh Kune-yull, a professor of nuclear engineering at Seoul National University, said, “If we decide to stand on our own feet and put our resources together, we can build nuclear weapons in six months.” More recently, three-quarters of the populace has expressed support for South Korea to develop its own nuclear weapons.
A recent agreement in which the U.S. committed to periodically deploying nuclear-armed submarines to South Korea and to involve Seoul in nuclear planning operations in exchange for a commitment by South Korea to not develop nuclear weapons has not placated some who want South Korea to develop its own arsenal. In response to the agreement, a leading proponent of South Korea “going nuclear,” Cheong Seong-chang, a senior researcher at the nonpartisan foreign policy-focused Sejong Institute, said that, although the declaration had many positive aspects, it was “extremely regrettable that South Korea had openly given up its right to withdraw from the Nuclear Non-Proliferation Treaty,” adding that this had “further strengthened our nuclear shackles.”
Several other key U.S. allies had strong reactions to the Trump administration’s perceived change to U.S. security guarantees. In June 2018, after the G-7 Summit, but before the NATO and Helsinki summits, then-German Foreign Minister Heiko Maas stated that “[p]art of the new transatlantic reality is that we need to take on more responsibility for our own security because we can no longer count on the other side of the Atlantic doing so for us.” The same theme was echoed in July 2018 by then-Australian Prime Minister Tony Abbott, who stated: “I fear there will have to be a much greater focus on strategic deterrence, especially if a rogue state like North Korea has long-range nuclear weapons—and especially if the American nuclear shield becomes less reliable.”
Finally, whereas Japanese public support for nuclear weapons historically remained low, it more than doubled (5 percent to 12 percent) from 2016 to 2017. The increase in Japan may be attributed to statements made by then-U.S. Secretary of State Rex Tillerson during a visit to Japan in March 2017. When speaking to the nuclear threat posed by North Korea, Tillerson stated publicly that the United States might support Japanese acquisition of nuclear weapons (for mutual deterrence reasons) if the North Korean threat is not resolved. Additionally, in November 2022, retired Adm. Kawano Katsutoshi, the longest-serving chief of Japan’s Self-Defense Forces’ Joint Staff under the Abe Shinzo administration, noted that, under his “America First” policy, former U.S. President Trump used to profess that Americans shouldn’t sacrifice their lives to fight for other nations. When commenting on this position, Katsutoshi stated: “Regarding the United States’ nuclear umbrella, even if Washington says, ‘You don’t have to worry about it,’ a suspicion crosses my mind. Is it really okay?”
The only significant barrier preventing Japan from developing nuclear weapons is the security it obtains from relying on the United States. Japan’s nuclear latency ensures that a nuclear weapon is “a screwdriver’s turn away.” In combination with missile technologies developed by the Japanese Aerospace Exploration Agency, Japan could rapidly develop its own strategic nuclear deterrent.
These reactions to a changed perception of the credibility of U.S. nuclear security guarantees suggest that similar dynamics would emerge if it was disclosed that a state’s nuclear weapons enterprise had been compromised via a cyber campaign/operation. Even if the targeted state sought to reassure that it had the will to fulfill a commitment, the perception of an assured capability to carry out a nuclear threat could be undermined. It is reasonable to conclude that states that enjoy nuclear security guarantees from China and Russia would react similarly. Importantly, the U.S., China, and Russia would all be subject to the geostrategic instability that would likely result from such a perception, no matter the state(s) for which that perception is held and no matter the agent behind the cyber campaign/operation that compromised the enterprise.
When Proliferation Optimists Become Pessimists
A scenario in which a nuclear weapons enterprise is compromised through cyber ways and means might even turn proliferation optimists into pessimists. In 1990, John Mearsheimer considered alternative futures for Europe following the collapse of the Soviet empire and proposed that the least dangerous scenario for maintaining peace in Europe was one in which nuclear weapons proliferate in Europe through a well-managed process overseen by the then-nuclear powers. Importantly, however, Mearsheimer commented that “it is not likely that proliferation would be well-managed.” Moreover, he commented that “proliferation is more likely to happen under disadvantageous international conditions than in a period of calm,” which in turn places an even greater burden on management.
It is likely that the disclosure, accidental or otherwise, of a cyber-enabled disruption would be an unexpected and thus a “sudden” event, as are the disclosures of most significant cyber campaigns/operations. This, coupled with the reality that several states that currently enjoy security guarantees are nuclear latent states, suggests that a revelation could result in unanticipated and rapid proliferation, thereby putting managed proliferation at risk. Additionally, the poor state of relations between the U.S. and China and the U.S. and Russia, and the hostility between Europe and Russia and many Indo-Pacific countries and China, arguably represent “disadvantageous international conditions” and thus further strain managed proliferation.
For over a decade, states have been experimenting in and through cyberspace to identify novel cyber ways and means short of threats and uses of force to secure and/or advance their national interests in a geopolitical condition of competition. A successful compromise of another’s nuclear weapons enterprise in competition carries with it the risk of discovery and disclosure, which in turn could fuel global geostrategic instability, a significant consequence that has received little attention. States could, of course, seek to reassure allies about technical reliability much as they do with credibility of will. Alternatively, there ought to be reinvigorated efforts to develop an explicit nuclear power agreement to forgo cyber campaigning in competition that targets nuclear weapons enterprises. Credible nuclear possession is vitally important for the U.S., China, and Russia, and thus the basis for formally negotiated parameters ought to be viable.
The views in this article do not necessarily reflect those of the U.S. Department of Defense or the U.S. Government.