Cyberweapons vs. Nuclear Weapons

Good essay pointing out the absurdity of comparing cyberweapons with nuclear weapons.

On the surface, the analogy is compelling. Like nuclear weapons, the most powerful cyberweapons -- malware capable of permanently damaging critical infrastructure and other key assets of society -- are potentially catastrophically destructive, have short delivery times across vast distances, and are nearly impossible to defend against. Moreover, only the most technically competent of states appear capable of wielding cyberweapons to strategic effect right now, creating the temporary illusion of an exclusive cyber club. To some leaders who matured during the nuclear age, these tempting similarities and the pressing nature of the strategic cyberthreat provide firm justification to use nuclear deterrence strategies in cyberspace. Indeed, Cold War-style cyberdeterrence is one of the foundational cornerstones of the 2015 U.S. Department of Defense Cyber Strategy.

However, dive a little deeper and the analogy becomes decidedly less convincing. At the present time, strategic cyberweapons simply do not share the three main deterrent characteristics of nuclear weapons: the sheer destructiveness of a single weapon, the assuredness of that destruction, and a broad debate over the use of such weapons.

Posted on July 22, 2016 at 11:08 AM • 28 Comments

Comments

RopJuly 22, 2016 11:40 AM

IMHO a main strategic difference between cyber weapons and nuclear ones (not discussed in this text) is that nuclear strikes by nation states can be attributed because of a system of satellites to detect launches. With a cyber strike there may be no clues where it came from, or only misleading ones. Deterrence only works if you know who to strike back at.

EvilKiruJuly 22, 2016 2:06 PM

The fear-mongers don't care who you strike back at—so long as you strike back at somebody...

James BabcockJuly 22, 2016 2:50 PM

This seems to omit what is, by far, the most important difference between cyberweapons and nuclear weapons: nuclear weapons by their nature tend to cause mass civilian casualties when used, while cyberweapons are capable of being extremely precise.

DaisyJuly 22, 2016 3:22 PM

The one key parallel between the two kinds of weapons is that the US government proliferates the hell out of them both. Stuxnet and Regin let loose proliferate in exactly the same way as the nuclear technology Marc Grossman sold to every comer. Not just states but organizations and even individuals can get them as innovation diffuses.

http://www.veteranstoday.com/2016/07/20/duff-on-rense-nuclear-threat-on-america-the-hard-proof/

It's not rocket science, not if you put one in the trunk of your beater and drive it down to Langley.

Soon script kiddies will be needing stuff like this from github.

DDOS is old hat. Who among us wouldn't be delighted to see Washington get nuked? It's the only efficacious reform.

DaisycutterJuly 22, 2016 3:48 PM

Delighted to see Washington get nuked?? Yeah, that'd be a real chuckle, all those women and babies getting fried along with the politicians you disagree with. Laugh a minute, right?

Ixnay with the azycray ullshitbay.

Or better yet, just take it back to Facebook.

VetchJuly 22, 2016 3:59 PM

@Daisycutter
Don't bother trying. Crazy shit like that gets said all the time by people here.

CuriousJuly 22, 2016 4:26 PM

I think an obvious issue with anything "cyberweapons", is that the word "cyberweapons" might as well just be a 'name' used which in turn doesn't necessarily reference real things in the real world. "Cyberweapon" could easily become a metaphor, by simply making a point about something being "used like a cyberweapon", in which the meaning of 'cyberweapon' then won't be a real thing to reference back to, but would instead be something understood as an idea, or as something on some conceptual (and abstract) level.

And so, every time "cyberweapon" is thought about as some conceptual metaphor in one discussion or another (think rhetoric), there is no way of really knowing what is meant by it, if only existing in the world of ideas of one or a few involved.

albertJuly 22, 2016 4:36 PM

From the essay: "...On the surface, the analogy is compelling..."

It's not even close to compelling, on any surface.

When the day comes that nuclear strikes can be triggered entirely via cyberspace, then be afraid, very afraid.

Given that the degree of psychopathy in foreign policy officials rises as the square of their degree of responsibility, 'limited'(tactical) nuclear warfare seems ever more likely.

. .. . .. --- ....

TedJuly 22, 2016 5:04 PM

@Curious

"Cyberweapon" could easily become a metaphor, by simply making a point about something being "used like a cyberweapon", in which the meaning of 'cyberweapon' then won't be a real thing to reference back to, but would instead be something understood as an idea, or as something on some conceptual (and abstract) level.

Your questions piqued my interest.

"Cyber weapons: 4 defining characteristics"

Tallinn Manual
“The Tallinn Manual (originally entitled, Tallinn Manual on the International Law Applicable to Cyber Warfare) is an academic, non-binding study on how international law (in particular the jus ad bellum and international humanitarian law) applies to cyber conflicts and cyber warfare. Between 2009 and 2012, the Tallinn Manual was written at the invitation of the Tallinn-based NATO Cooperative Cyber Defence Centre of Excellence by an international group of approximately twenty experts. In April 2013, the manual was published by Cambridge University Press.”

"In late 2009, the NATO Cooperative Cyber Defence Centre of Excellence convened an international group of legal scholars and practitioners to draft a manual addressing the issue of how to interpret international law in the context of cyber operations and cyber warfare. As such, it was the first effort to analyse this topic comprehensively and authoritatively and to bring some degree of clarity to the associated complex legal issues."

Tallinn 2.0, which followed the original manual, was designed to expand the scope of the Tallinn Manual, Tallinn 2.0 will become the second edition of the Tallinn Manual and be published by Cambridge University Press in 2016.”

NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE)
Tallinn Manual 2.0 to Be Completed in 2016

Cambridge University Press
Tallinn Manual on the International Law Applicable to Cyber Warfare

HermanJuly 22, 2016 5:13 PM

Comparing malicious software to a nuclear bomb is extreme hyperbole and simply absurd.

DaisyJuly 22, 2016 6:11 PM

@Daisycutter don't be silly, nukes are used at all scales now. You can't equate nukes with WMD anymore, not since the nuke the US used at Baghdad airport after Saddam annihilated the 3/7 Cav and fought the attacking army to a standstill. They're ordinary elements of the armory, particularly ERMs, used lately in Gaza and Yemen. Washington is taking a calculated risk of getting nuked, rather than come into conformity with law, so you're foolish to dismiss it as crazy. They rolled out all their Mad-Max COG plans. That's why your constitution's gone. One hopes this is not news to you.

CuriousJuly 23, 2016 3:55 AM

@Ted

Interesting. My immediate reaction to there existing such a manual, have me think of institutionalized knowledge, or simply institutions themselves as stubborn self righteous entities tainted by various bias. Needless to say perhaps, I am skeptical.

Having said that, I can see the value of discussing such things on a larger scope (large scale warfare), though I have a suspicion that such a manual wouldn't be that useful for small scale warfare if also involving defining what is and what isn't acts of war, which I suspect won't be helpful when "cyber" infrastructure is terrible.

Building on that last notion of mine, about bad infrastructure, I can also imagine that anything "cyber warfare" might end up favoring one party over the other. It seems like, today, any super power simply get away with bad behavior, because they might only have to prove to themselves that they were to be blamed, something they probably will want to refuse doing and so they would then get away with it.

Don JoeJuly 23, 2016 3:58 AM

If someone does let a seriously damaging cyber attack let rip and they get charged in court then the sentence is going to have to be around 3000 years or it will highlight some of the charges for defacing websites and unauthorised computer access as being in fact extremely draconian and leave room for grounds for appeal.

Imagine if they threatened 30 year sentences for graphiti of a billboard or trespassing. I doubt anyone has had 30 years levelled at them for unauthorised CD or DVD sales from the trunk of a car either.The kind of bizarre sentences threatened and handed out is hardly encouraging people to help them identify problems in vulnerable systems, rather it seems they are waiting until someone hacks unencrypted ACARS or SCADA systems,causes a serious disaster and then maybe only then will they consider fixing the problems.

The bulk mass surveillance of everyone has also created an environment where increasingly people are going dark or mitigating against meta data collection and surveillance. Unfortunately so are increasingly the criminals taking precautions, and most worryingly, terrorist groups and individuals motivated by them.Governments have also used terrorism as an excuse to utilise electronic surveillance techniques to help them locate and then kill journalists or dissidents and opposition figures.

One does not need to imagine the Stasi or Nazi regimes with modern surveillance capabilities, it's already a reality. Let's hope we don't end up with a true megalomaniac in power in our own nations in the near future. Even if much of the press was in a far better state than it currently is, it may not prove to be much of a help when it can't protect it's sources or itself and garner enough public support. The unfolding situation in Turkey could prove to be a valuable case in point, either for the benefit of media freedom or to it's detriment.


$$$July 23, 2016 7:34 AM

The DoD Strangeloves call software a weapon. Of course they do. They think everything's a weapon, because to them everything that happens is war. And Cirenza swallows it hook line and sinker. All he can do is niggle at it around the edges. This is not war at all. Grow up.

The sane way to look at this is, wrongful acts in transnational networks give rise to state responsibility. Pacific dispute resolution defines that responsibility case by case, as some mix of reparation, restitution, compensation, or satisfaction. This is settled law, it's how the world works, and everybody knows it but the Pentagon. Why is Cirenza humoring them?

The facts of the wrongful act are submitted to the ICJ or the PCIA, or they're resolved by negotiation. That's how it works when some USN idiot blows a civilian Iranian airliner out of the sky. That's how it works when an NSA idiot bricks crucial Syrian communications infrastructure in the midst of a humanitarian disaster. When it's over the US quietly pays through the nose for the conduct of its military shitheads.

albertJuly 23, 2016 9:53 AM

@$$$,

"...to them everything that happens is war...." - Indeed.

BTW, 'we' are not subject to international law. The USG doesn't give a rats sorry ass about it. Sadly, that's not a truism for most Americans.

Your handle actually answers the question of what motivates the politicians to wage war in the first place; it's the 'industrial' part of the military/industrial complex.

Cyber isn't warfare, but it is a useful adjunct in a real war, both defensively and offensively. Given the US reliance on high-tech systems, the main efforts need to be concentrated on cyber-defense, especially redundancy.

Or there will be the Devil to pay...

WWIV will be fought with sticks and stones.

. .. . .. --- ....

$$$July 23, 2016 12:39 PM

@Albert, do you know how much the US paid Iran to drop its ICJ case? If they really didn't give a rats' they wouldn't have paid a penny. Another ICJ case stopped a US attack on Libya in 1992. The US goes through amazing contortions to avoid being seen to break the law. You have to dig through lots of propaganda to see it though.

albertJuly 23, 2016 1:26 PM

No.

If it was more expedient to pay, then they will pay. The US wanted regime change in Libya for a long time, now they got it, in spades. Unfortunately, it's unlikely that a US-centric regime will come out of the chaos.

They stubbed their toe in Syria, big time, and Iran is still on the short list, as well as Venezuela, Cuba, etc. They play the long game, and it ain't over.

Obama summarized US foreign policy: "...'We have to twist arms when countries don't do what we need them to'..." - (paraphrased)

I couldn't have said it better myself.

. .. . .. --- ....

$$$July 23, 2016 2:38 PM

You fell for the macho 'realism' pose, which is all about saving face at home. What they tell the masses is very different than what they tell the outside world. The trick works by keeping you in the dark about what goes on internationally. There's a reason why the government went apeshit when Manning released the State cables. Sounds like you haven't read the cables showing cookie-pushers frantically trying to pacify Europe's mutiny over torture, or the panicky buck-passing as the rest of the world tightens the screws. Sounds like you never hear about it when US war criminals get convicted or locked up or get their assets seized abroad. Low-information citizens are the USA's last remaining strategic material.

RandalJuly 23, 2016 7:30 PM

Regardless of any similarities, if a cyber attack degrades military communications, the team in charge of the "football" and the launch officers with the keys are going to be a little bit jumpy.

JHandJuly 25, 2016 7:44 AM

Can we screw up the Internet of Things badly enough so that cyberweapons become comparable to nuclear weapons in the future?

albertJuly 25, 2016 2:09 PM

"...Can we screw up the Internet of Things badly enough so that cyberweapons become comparable to nuclear weapons in the future?..."

NO! Nothing compares to the devastation of a nuclear holocaust. It's effects can (in human terms) last forever. Hiroshima and Nagasaki were firecrackers compared to the weapons we have today ( See https://en.wikipedia.org/wiki/Tsar_Bomba ) and that was 1960s technology. I'm sure -we- can do better!

See:
http://www.counterpunch.org/2016/07/22/the-big-boom-nukes-and-nato/

Two points:

US foreign policy is being set by psychopaths in the CFR and USDOS. There's no other way to say it. Let's hope there are DOD folks who can resist them.

There seems to be a blind faith in computer technology as the solution for everything. Nuclear war decisions should not depend on computers. Humans, imperfect though they may be, have saved our sorry asses in the past. Here's hoping they can in the future.

. .. . .. --- ....

SkepticalJuly 25, 2016 4:24 PM


From the article:

Indeed, Cold War-style cyberdeterrence is one of the foundational cornerstones of the 2015 U.S. Department of Defense Cyber Strategy.

Deterrence is part of US strategy. But there's nothing particularly "Cold War" about it, much less anything indicative that "cyberthreats" are being treated akin to nuclear threats.

In fact, US strategy in this domain is profoundly unlike nuclear deterrence. Nuclear deterrence in the Cold War was predicated upon "deterrence by punishment." Hence the obsessive concern about "first strike" capabilities upsetting a balance of power by eliminating capacity for an annihilating retaliatory strike.

By contrast, US deterrence strategy in the cyber realm includes both "deterrence by denial", i.e. preventing an attack with network defenses and other measures, as well as "deterrence by punishment." Moreover, as to the punishment involved, a broad spectrum of responses are elucidated by US strategy, covering the full range of diplomatic, economic, and military possibilities, from the least destructive to the most, from the covert to the resoundingly overt.

For example, the agreement by the PRC to reduce certain types of cyber operations, which according to some reports they seem to have followed through with, was motivated by various components that form part of US deterrence, the threat of trade sanctions among them.

The article threads together a few out-of-context remarks by officials in order to show that some seriously consider nuclear and cyber threats to be closely analogous, but in fact the US Department of Defense does not appear to agree with that assessment, and I cannot think of anyone who does.

@Daisy: ... not since the nuke the US used at Baghdad airport after Saddam annihilated the 3/7 Cav and fought the attacking army to a standstill.

Sure, that nuke.

Clive RobinsonJuly 26, 2016 3:51 AM

@ Albert,

NO! Nothing compares to the devastation of a nuclear holocaust

Ahh the Tzar Bomb, the one tested was only half the power that was designed. The reason for the half size has been debated by historians. However those whacky Russian Nuclear scientists under various military egos came up with the idea of a fail safe deterant.

Their doomsday device was a fusion bomb of almost unimaganable scale, it needed a ship the size of a large oil tanker to hold it. It was to sail a route where by if it was triggered it would convert a considerable quantity of water into radioactive fall out that would have been globe straddling.

The failsafe mechanism was supposadly unstoppable by humans, and was triggered by various events such as an increase in background radiation lack of certain radio broadcasts etc...

Why was it not built, well it appears the Russian senior politicians on being told and seeing the plans, thought the idea and the people behind it to be compleatly mad...

Now the question is when did you hear of US Politicals turning down the power of nuclear devices, the US after all has more of them than anyone else...

ianfJuly 26, 2016 6:08 AM


Thank you, Clive, for that wonderful nighttime-is-scary-time fable of a “Russian doomsday device, a fusion bomb of almost unimaginable scale that needed a ship the size of a large oil tanker to hold it.” I shall entertain my grandchildren with it, as soon as I get some.

    One thing that you apparently deemed still too secret to share with us was what color the vessel? Logic tells me its hull must've been fully covered in maritime-camouflage mirrors of different grey-blue-green colors, to better reflect its watery surroundings, and thus enhance its undetectability by hostile forces.

But then I'm no Russian, and, judging by your erudite explanations, those “whacky Russian Nuclear scientists under various military egos" could not have been expected to act in any rational fashion, hence may now not be subjected to post-pre-annihilation color-spectrum analysis of any default type. Cable back yes if you don't know, no if you do—I'll keep a dedicated Ack Ack in store for you.

RD for poseursJuly 26, 2016 10:28 AM

@Clive, Tsar Bomba was 50 MT half-cocked. And the contemplated use of it you described was as a 100 MT torpedo that could eradicate a US seaboard. But far from being completely mad, the inventor was pre-eminent refusenik Andrei Sakharov, who certainly knew what he was doing when he reduced the nuclear arms race to an absurdity. That was the reason for Putin's pointed leak of the concept when 3rd-rate beltway shitheads started telling Europe let's you and him fight.

http://www.moonofalabama.org/2015/11/russia-resuscitate-long-dead-nuclear-torpedo-restablishes-nuclear-deterrence.html

As for turning down the power of nuclear devices, that's been the stable trend for decades. Overpressure is a spherical bubble, so big warheads waste a lot of energy blowing up birds and clouds. To optimize death and destruction on the ground you don't want a few big bubbles, you want suds. When you look at what beltway traitor Marc Grossman peddled to all comers, in manifest breach of the NWC, it's nothing like Tsar Bomba. It's little firecrackers.

https://www.corbettreport.com/who-is-marc-grossman/

SkepticalJuly 26, 2016 11:27 AM


@RD: That was the reason for Putin's pointed leak of the concept when 3rd-rate beltway shitheads started telling Europe let's you and him fight.

Pointed leak of a 60 year old concept that happens to undermine his entire case against ABM systems. Brilliant move on his part if that was the point. Right up there with invading Crimea and Ukraine - which, by the way, was actually picking a fight with Europe, notwithstanding your belief in the power of "third-rate beltway etc".

The "leak" was theatre for the masses, a burnishing of Russian national strength, part of the same old program.

But then, nuclear confrontation isn't really the game here. Russia wants the ability to continue to wage forms of hybrid warfare, to varying degrees of intensity, against those near neighbors that the ruling circle perceives as having improperly broken from Russia, compounding their sin by adopting democratic institutions and closer relations with the West. Cowing Europe is part of that plan.

Of course, it has backfired. Europe has been prodded from its slumber, and Putin has accomplished what no one else could: he has reinvigorated NATO.

But, it will help keep him in power, and insofar as he equates his own grip on power with Russian stability and progress, perhaps the cost of Russia's relationship with the world is worth the benefit in the eyes of some.

The Blue Angels F-35 Precision Yaw and Crater SquadronJuly 26, 2016 4:20 PM

Capital! Always nice to have the viewpoint of the 3rd-rate beltway ASVAB waivers who are dishonest enough to be bankers but not quite smart enough. Let's float on red-white-and-blue cotton candy clouds and fly with the eagles, fly, fly, in their fantasy world! Let's see, hmm...

Lots of not-even-wrong, like the typical childish soldier boy catchphrase picking a fight, cherished by international law ignoramuses. And even now, after an overwhelming referendum in Crimea and a domestic Crimean accession decision in full accord with international law and precedent ( http://www.icj-cij.org/docket/index.php?p1=3&p2=4&case=141&p3=4 ), beltway losers are still parroting their 'invasion' Big Lie. They're still rubbing their contused b-ttcracks because they took over Ukraine and wound up with the Exclusion Zone.

Ah. And hybrid warfare. If you're smart enough for government work - just smart enough - that means Russia not taking any sh-t because they can kick your a-s in any real war, like Syria, and you can't do sh-t and you know it. Losers.

And what would a skeptical post be without delusional bombast: Europe has been prodded from its slumbaahs...

Zzz, Zzz, Zzz, Hmh? snort, scratch, stretch, f-rt, cut off the power to Incirlik, slough off Trident, drop illegal US sanctions, get to work on South Stream, celebrate Russia day in Rostok, sneer at 2%, roll over and go back to sleep. Nice work - for an ASVAB 20. Your fake democracy is still a laughingstock, even among your bought-and-paid-for satellite regimes.

SkepticalJuly 27, 2016 10:00 AM


@Novo-Pravda:

Your parody of Russian propaganda is spot on! From painting the referendum in Crimea as legal (or indeed remotely fair, given complete Russian state domination of the media and the opposition), to the delusions of Russian military might, to the "reporting" on Incirlik (briefly without external power during the coup - never without power), on Trident (renewed), it's simply one laughable half-truth or outright lie after another.

Between the phonetic theatrics and the sneers, among the stumbling over terms clearly beyond your ken ("hybrid warfare" is something far more multidimensional than whatever you think you're referring to re "real war"), we find... nothing.

Listen, I'm terribly sorry that the Soviet Union collapsed. Obviously the loss of such a paradise was a blow to all who had blamed their shortcomings upon capitalism or democracy or those grossly childish Americans. But chin up - we must carry on. There you are now. Off you go. Somewhere a Youtube video is waiting for your comment.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.