As the world’s infrastructure becomes increasingly interconnected, more critical systems are exposed to cyber threats. A cyber threat is a malicious act intended to steal, damage, or disrupt digital data. Cyber threats seek to turn potential security vulnerabilities into attacks on systems and networks.

Alarmingly, vulnerabilities may threaten the security of U.S. nuclear materials or compromise nuclear command, control, and communication (NC3) systems. NC3 is necessary to ensure authorized employment and termination of operations, securing against accidental or unauthorized access resulting in the loss of control, theft, or unauthorized use of nuclear force.

In Cyber Threats and Nuclear Weapons, Herbert Lin describes the unique set of cyber vulnerabilities associated with NC3. In the process, he explores a number of cyber-nuclear escalation pathways, identifies six specific observations and imperatives regarding future cyber-nuclear design, and puts forth three major policy recommendations.

Cyber risks abound. It is difficult, for example, to distinguish a cyber intrusion for intelligence gathering and a cyber-attack, since both operations employ the same techniques. Thus, if one country detects an adversary in their NC3 networks, especially at a time of heightened tension, it might assume malicious behavior and decide to preempt. Both sides may find themselves with terrible incentives to “use it or lose it.”

Lin specifically points to the importance of decision-maker psychology, asserting that the psychological factors in each scenario can dictate different outcomes depending on the decision-makers involved. Additionally, the psychological effects of cyber operations on the perceptions and confidence of decision-makers are as important as their physical effect on infrastructure. In periods of heightened tension or war, the human dimension looms large.

Lin warns that the entanglement of convention and nuclear functions in operational systems increase the risk of inadvertent nuclear escalation. To avoid this fate, he urges designers of modern NC3 to moderate the desire for increased functionality in favor of security. Finally, he urges nuclear-armed nations to minimize the possibility that attacks on conventional assets will be seen as attacks on nuclear assets.

Short timelines for decision-making increase the risk. Effective NC3 systems give leaders more time to make hard choices, but this is difficult given the speed of cyberspace operations. Lin offers some recommendations for overcoming this problem, including a move away from “launch on warning” protocols (LOW), as I discuss in more detail below.

The current NC3 system has operated well for decades, which is why Lin does not recommend replacing it too hastily. Instead, he suggests that as NC3 systems are modernized, system designers should require modernized NC3 systems to function similarly to legacy systems. Specifically, Lin suggests that as NC3 systems are modernized, legacy and modernized components should operate in parallel. The old system, which predates the cyber era, is relatively invulnerable to cyber-attack. Operating the two systems at the same time for a period allows operators to check the new system against the old system for mistakes, minimizing potential cyber risks.

Securing NC3 means grappling with difficult tradeoffs. Throughout Cyber Threats and Nuclear Weapons, Lin does an excellent job of highlighting the cybersecurity challenges associated with NC3 modernization efforts. Lin demonstrates that familiar tradeoffs for decision-makers are made more complex (and have higher stakes) in the cyber-nuclear realm, weighing two controversial tensions in cyber-nuclear decision-making: the always/never dilemma and functionality vs. security.

Always/Never Dilemma

Nuclear weapons must always be used when they are properly authorized for launch and must never be used when they are not authorized. Civilian authorities are invested in ensuring the never part, while military officials are invested in upholding the always. The always/never dilemma highlights the two ways that cyber operations can target a nuclear enterprise: to launch a weapon without authorization or to prevent an authorized launch. The always/never criteria also uphold nuclear deterrence strategies. Weapons that are not usable in a crisis undermine credible use-of-force threats, and weapons that are used without proper authentication give adversaries little reason to comply with threats.

Unfortunately, weapons that are always ready for launch are more likely to be used inadvertently. Weapons redundantly protected to ensure they are never launched without proper authentication are more likely to be deactivated in a nuclear crisis.

Lin demonstrates the always/never paradox in practice through the discussion of launch on warning. Removing LOW might buy decision-makers more time when responding to incoming data about an imminent nuclear attack, underscoring the importance of the never requirement. If NC3 is experiencing a cyber defect and the systems falsely identify an incoming missile (which has occurred on numerous occasions, like the U.S. False Warning 1979), the United States risks launching an accidental nuclear attack. There is a tradeoff, however, because removing LOW undermines the always requirement and subsequent nuclear deterrence. Delaying retaliatory strikes can suggest that U.S. adversaries have an incentive to launch a successful first-strike that decapitates U.S. retaliatory capabilities.

The always/never dilemma makes these policy choices difficult. Despite decades of calls to change the United States’ posture, nuclear doctrine has held steady. The primary purpose of LOW is to enhance deterrence, which remains important during the current period of geopolitical instability. Critics argue that the prospect of removing LOW and the always/never dilemma is more complicated than Lin conveys. There is a very low probability of accidental launch, and this holds true for cyber threats. In 32 nuclear weapons accidents, the U.S. has never experienced an accidental detonation or escalation resulting in war. As Lin addresses in later chapters, this resilience is due to the redundancy and heterogeneity in the U.S. nuclear enterprise.

However, Lin weighs the consequences of the always/never dilemma in his suggestion to remove LOW from NC3 systems. He argues that a cyber defect (whether intentional or accidental) that results in incorrect data is more likely than the outbreak of intentional nuclear war. Thus, the never risk of lowering U.S. deterrence by removing LOW from NC3 systems is less than the always risk of accidentally triggering nuclear war. While accidental launch is unlikely, alternative mechanisms like the fog of cyberwar or foiled prevention may lead to unintentional non-nuclear escalation between adversaries. In these scenarios, Lin’s suggestion to extend decision-making timelines and increase adversarial communication ring true.

Functionality vs Security

A second major tension governing cyber-nuclear decision-making is the tradeoff between functionality and security. Increasing the functionality of a system leads to increased complexity and weaker cybersecurity posture. NC3 modernization is slated to increase the complexity of NC3 system functions. This increased complexity benefits decision-makers by making systems easier to use, more flexible, faster, and more efficient. Unfortunately, these benefits increase the number of potential attack surfaces. Evaluating the security of a system becomes more difficult, with more interfaces, code, users, and options to secure.

Throughout the book, Lin advocates for prioritizing security over functionality. However, it is incredibly difficult to convince policymakers that security is more important than functionality, especially when there hasn’t been a major incident impact NC3 since 1985. In all domains of life, users have developed an appetite for increased performance afforded by information technology innovation. Actors at different points in the NC3 lifecycle are also concerned by development schedules. Cybersecurity requirements add time to the manufacturing, deployment, and use of NC3 systems, disincentivizing policymakers.

However, an underexplored aspect of Lin’s argument is that relative security preserves functionality. Good security is necessary for NC3 systems to remain flexible and efficient. Lin’s suggestion to use modernized and legacy NC3 systems in parallel is one way to balance the desire for increased functionality with security protections. Additionally, exploring incentives for cybersecurity prioritization should occur at a federal level to ensure that all points in the NC3 supply chain are following best practices. While it is impossible to assure perfect security, best practices such as mandating basic computer hygiene at a human level, regular red team exercises at a system level, and component inspection at a supply chain level can provide adequate protection and readiness.

While Lin explores some radical changes to U.S. nuclear doctrine, such as abandoning unilateral launch authority or segregating nuclear and conventional forces, he recognizes the stability of nuclear policy between administrations. Despite the political infeasibility of implementing these changes, considering why such radical changes would improve cyber-nuclear security is a critical exercise for policy-makers. Marginal reforms, such as prioritizing nuclear security or issuing decision-making impact statements to adversaries are necessary first steps in preventing cyber-nuclear conflict.