Nuclear Posture and Cyber Threats: Why Deterrence by Punishment is Not Credible – and What to Do About It
By Eva-Nour Repussard. Originally published on 19 September 2024 by the European Leadership Network on its website.
The United Kingdom’s latest nuclear doctrine suggests that severe cyber-attacks on its national or critical infrastructure could provoke a nuclear response. Despite this, cyber-attacks against the UK have surged over the past decade. This increase can be partly attributed to the perceived lack of credibility in the UK’s threat of nuclear retaliation for cyber-attacks. With regard to cyber-attacks, the strategy of deterrence by punishment is ineffective for two main reasons: i) the threshold for transitioning from a cyber to a kinetic response remains hard to meet in times of relative peace between two countries, and ii) the inherent challenges in attributing cyber-attacks to specific state actors. Instead of deterrence by punishment, the UK should seek to increase its resilience to cyber-attacks and focus on a strategy of deterrence by denial regarding cyber threats.
Nuclear postures are increasingly explicit about the conditions under which nuclear weapon states might use nuclear weapons in response to non-nuclear threats, particularly from emerging technologies or emerging threats. This is evident in the United Kingdom’s 2021 Integrated Review, which states that the UK “will not use, or threaten to use, nuclear weapons against any non-nuclear weapon state party to the Treaty on the Non-Proliferation of Nuclear Weapons 1968 (NPT)”, but then continues by stating that it “reserve[s] the right to review this assurance if the future threat of weapons of mass destruction, such as chemical and biological capabilities, or emerging technologies that could have a comparable impact, makes it necessary”. Arguably, the French posture on “vital interests”, Russia’s 2020 Basic Principles of State Policy on Nuclear Deterrence, and the United States’ 2022 Nuclear Posture Review all hint at a similar posture in regard to nuclear weapons and “emerging threats”.
Whilst the British nuclear posture is meant to deter cyber-attacks, the number of cyber-attacks has continued to increase in recent years. According to the Information Commissioner’s Office, the UK experienced more cyber-attacks in 2023 than ever before. Several reports also warn that the UK is especially vulnerable to cyber-attacks on its critical infrastructure. For example, according to the Joint Committee on the National Security Strategy, “the UK could face a crippling cyber-attack on its critical national infrastructure (CNI) at any moment”, whilst the Office for Nuclear Regulation has “repeatedly found gaps in Sellafield’s cybersecurity from 2019 to 2023 that could not be fully resolved during that time”. Arguably, nuclear retaliation for cyber-attacks is not credible, and such a lack of credibility also weakens the credibility of the British deterrent altogether.
The first reason for the lack of credibility is that the threshold for transitioning from a cyber to a kinetic response remains hard to meet and to assess in times of relative peace between two countries. Recent history is full of examples in which critical cyber-attacks, even when attributed with high confidence, have not been met with kinetic retaliation. Two of the most famous examples are Stuxnet, a cyber-attack targeting Iran’s Natanz uranium enrichment plant, attributed to the United States and Israel, and the WannaCry ransomware attack, attributed to North Korea. Despite their criticality, neither was met with kinetic retaliation. The reason for this is not solely the attribution problem (which I will cover in the next paragraph) but also the fact that cyber-attacks and kinetic attacks still differ significantly, notably in terms of gravity and in the immediacy and visibility of their effects, making proportional and justified kinetic retaliation extremely complex. Whilst the International Criminal Court recently started to investigate whether alleged Russian cyber-attacks on Ukrainian civilian infrastructure could be deemed war crimes, that investigation is taking place whilst a kinetic conflict between Russia and Ukraine is already under way. In times of peace between two countries, whether cyber-attacks can be deemed war crimes, or acts of war, remains to be seen, as it is still highly complex to assess at which point a cyber-attack could be met with kinetic retaliation. Whilst the threshold certainly exists, it has yet to be assessed and agreed upon with regard to international law.
Second, the issue of attribution is inherently problematic in cyberspace, and is the main reason why kinetic retaliation is near impossible in practice. High-confidence attribution is common (through diplomatic, intelligence and technical means), but identifying the sponsor of a cyber-attack with absolute certainty is extremely challenging, rendering nuclear retaliation too high a risk for the affected country to undertake, regardless of the severity of the cyber-attack. In cyberspace, it is much harder to identify the sponsor behind an attack: was the attack decided upon and sponsored by a nuclear weapon state? Or was it carried out independently by a group of hackers or ‘hacktivists’? Indeed, contrary to the kinetic domain, the cyber domain has a low barrier to entry, and any ‘patriot’ can carry out cyber-attacks without requiring sponsorship or approval from a state. What further complicates the task is that, regardless of their potential sponsorship, alleged sponsor states have consistently denied involvement in cyber-attacks and relied on plausible deniability.
Lately, this has been seen with the Killnet group in Russia and Anonymous in Western states. Furthermore, false attributions are also common in cyberspace, and states increasingly conduct ‘false-flag’ attacks, that is, attacks designed to deflect attribution to an uninvolved party. For example, during the 2018 PyeongChang Winter Olympic Games in South Korea, the Russian GRU targeted the Games with the “Olympic Destroyer” cyber-attack; however, the Russian group designed its attack to appear as if it had been the work of North Korea. A kinetic retaliation by South Korea, had the attack been wrongly attributed to North Korea, would have been an unprovoked act of war against North Korea and could have led to a conflict with its neighbour. Whilst this false-flag attack has since been correctly attributed to the Russian GRU, that correction came only after detailed forensic analysis of the malware itself, not within the timeframe in which a retaliatory decision would have had to be taken; other cyber-attacks might well have been wrongly attributed.
Therefore, whilst such a nuclear posture may appear concerning at first, it lacks credibility and fails to provide effective deterrence against cyber-attacks. Instead, the UK should consider removing “emerging technologies” from its nuclear posture, or be more specific in its references to “emerging” threats, and clearly state which emerging threat it is seeking to deter through nuclear retaliation. Furthermore, the current ambiguity does not give the UK a strategic advantage; rather, the lack of credibility with regard to cyber-attacks weakens the overall credibility of the British deterrent.
Cyberspace intrinsically differs from the kinetic arena; thus, cyber problems require cyber solutions. Regarding cyber threats, rather than deterrence by punishment and kinetic retaliation, the UK should focus its energies on prevention rather than punishment, and seek to achieve ‘deterrence by denial’, whereby the feasibility of a successful cyber-attack is so low that the threat is sufficiently mitigated. The UK should seek to increase the cost and difficulty for potential aggressors of successfully mounting a cyber-attack on its critical infrastructure. This can be achieved through cybersecurity measures that reduce the attack surface (i.e., the number of points at which an attacker can try to access a system), such as air-gapping systems, modern encryption and zero trust architecture. Air-gapping in particular raises the cost of a cyber operation considerably, although it does not eliminate the threat: Stuxnet itself crossed an air gap by being carried in on removable media. As the cyber expert Kim Zetter wrote in her book “Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon”, Stuxnet cost hundreds of millions of dollars to carry out and took several years to plan.
Since deterrence by denial is not infallible, cyber resilience is the other important tool in the UK’s toolkit. The need for cyber resilience is the recognition that some attacks will still succeed, and the UK will need to be prepared for them, i.e. be resilient enough to minimise their impact and be able to recover. In most cases, this can be achieved through backup systems that operate independently of networked systems. In other cases, such as the British nuclear deterrent itself, cyber resilience can be built with its Allies, France and the United States, which could ensure deterrence if the British nuclear-powered ballistic missile submarines were incapacitated by cyber-attacks.
Thus, to effectively address the rising threat of cyber-attacks, the UK must shift from relying on nuclear retaliation to focusing on bolstering its cyber defences. By enhancing resilience and deterrence by denial, the UK can render potential cyber-attacks impractical and unlikely to succeed.