The most dangerous new strategic policy currently being bruited about in the Pentagon and the White House—the idea that the United States might actually respond to a major cyber attack with nuclear weapons—is something of a blast (no pun) from the past. Specifically, it is an idea from the early 1950s, when policymakers were so fed up with the costly, indecisive fighting in Korea that they urged President Eisenhower, when he came into office early in 1953, to threaten to nuke Pyongyang. The war ended without such an attack, but this first inkling led to a broader policy, called "massive retaliation," which stated that the United States would consider using nuclear weapons in response to acts of aggression at almost any level—from conventional attack to the more irregular end of the spectrum of conflict.
The goal of this policy was to deter aggression anywhere, of virtually any sort, by means of such a massive retaliatory threat; but America's bluff was soon called, the Cold War continued, and opponents ranging from indigenous guerrillas to communist superpowers kept busy, quite undeterred. As Thomas Schelling noted in his magisterial study, Arms and Influence, "Massive retaliation was a doctrine in decline from its enunciation in 1954." In its place, Americans had to think through how to defend Europe with conventional forces, and how to wage counter-insurgencies. Deterrence by means of threatening of a massive nuclear attack was a non-starter.
And it still is, especially with regard to cyber attacks.
President Trump's recently announced Nuclear Posture Review is a 75-page document that could have been crafted in the Eisenhower era. It is redolent with notions of massive retaliation, asserting that "U.S. nuclear capabilities make essential contributions to the deterrence of nuclear and non-nuclear aggression." As to the level of aggression that might trigger a nuclear response, the document is ambiguous, describing only "significant non-nuclear strategic attacks" on the United States, its allies, or partners. This lack of clarity is deliberate. As the Review states, "It is the policy of the United States to retain some ambiguity regarding the precise circumstances that might lead to a U.S. nuclear response." The fact that cyberspace is mentioned, along with infrastructure, however, makes clear that these areas fall within the retaliatory plan's "big tent."
Well, the explicit threat of nuclear attack didn't shore up deterrence in the 1950s, and vague threats of engaging in this sort of disproportionate response to lesser acts of aggression won't work today. Indeed, when it comes to the virtual domain, this policy will only increase danger and encourage cyber mischief-making. For the most part, because the very idea of committing an act of mass destruction in response to what, at worst, might be a cyber act of "mass disruption," lacks credibility. It is also highly offensive morally.
But let us suppose for a moment that this policy were actually to be put into effect. The greatest risk likely to emerge would be that a malefactor would conduct a strategic cyber attack, but make it look like an innocent third party were really the perpetrator. On the basis of what kind of evidence could nuclear retaliation be conducted against a country that claimed its innocence, or that it was "being framed?"
I wrote a short story on this theme of cyber deception 20 years ago in Wired ("The Great Cyberwar of 2002"). What began as a disruptive set of strategic cyber strikes quickly escalated into major (though non-nuclear) warfare. In this story, there was nuclear restraint because the supposed aggressors were nuclear powers themselves; thus there was a nuclear stalemate, as would be the case in the real world today, which points to the illogic of threatening a nuclear power with nuclear attack in retaliation for its non-nuclear actions. Mutual deterrence still holds. And, as to the idea of hitting a non-nuclear power with nuclear weapons, it is simply abhorrent. Needless to say, a major cyber attack by a non-state actor would provide no target for nuclear retaliation.
The bottom line here is that this attempt to shore up deterrence with massive retaliation redux makes no sense and, in the cyber realm, offers up powerful temptation to a clever malefactor to use deception to finger an innocent party as a culprit.
In an earlier post I argued that we have to stop trying to revive the deterrence paradigm when it comes to cyber ("Stop Trying to Deter Cyber Attacks"), and put our emphasis fully on creating better defenses. The Trump Administration has instead chosen to double down on deterrence, even to try to extend it to cyberspace. This is a risky path to potential ruin that should, at the least, be debated in a thoughtful public discourse.
John Arquilla is professor and chair of defense analysis at the U.S. Naval Postgraduate School. The views expressed are his alone.