Michael Klare

Pentagon Board Issues AI Guidelines

December 2019
By Michael Klare

On Oct. 31, after 15 months of private deliberation and public meetings, the Defense Innovation Board (DIB), an independent advisory arm of the Office of the Secretary of Defense, issued a set of recommendations on “ethical principles” for the use of artificial intelligence (AI) by the Defense Department.

Eric Schmidt, executive chairman of Google's parent company Alphabet Inc., speaks during a National Security Commission on Artificial Intelligence conference on Nov. 5. He chaired the Defense Innovation Board which recently issued recommendations on the military use of artificial intelligence. (Photo by Alex Wong/Getty Images)

The DIB had originally been asked in 2018 to devise such recommendations by Defense Secretary Jim Mattis following a revolt by workers at Google over the company’s AI work for the department. Some 4,000 employees signed a petition calling on Google to discontinue its work on Project Maven, a pioneer Pentagon effort to employ AI in identifying suspected militants, possibly for elimination through drone attack. Google subsequently announced that it would not renew the Maven contract and promised never to develop AI for “weapons or other technologies whose principal purpose or implementation is to cause or directly facilitate injury to people.”

Knowing that the military would have to rely on Silicon Valley for the talent and expertise it needed to develop advanced AI-empowered weapons and fearful of further resistance of the sort it encountered at Google, the Defense Department leadership sought to demonstrate its commitment to the ethical use of AI by initiating the DIB study. This effort also represents a response of sorts to growing public clamor, much of it organized by the Campaign to Stop Killer Robots, for a treaty banning fully autonomous weapons systems.

The DIB, chaired by Eric Schmidt, former executive chairman of Alphabet, Google’s parent company, held three closed-door meetings with academics, lawyers, company officials, and arms control specialists in preparing its recommendations. A representative of the Arms Control Association submitted a formal statement to the board, emphasizing the need to ensure human control over all weapons systems and for the automatic deactivation of autonomous systems that lose contact with their human operators.

In its final report, the DIB appears to have sought a middle course, opening the way for expanded use of AI by the military while trying to reassure skeptics that this can be done in a humane and ethical fashion.

“AI is and will be an essential capability across [the Defense Department] in non-combat and combat functions,” the board stated. Nevertheless, “the use of AI must take place within the context of [an] ethical framework.”

The military has long embraced new technologies and integrated them in accordance with its long-standing ethical guidelines, the DIB indicated. But AI poses distinct problems because such systems possess a capacity for self-direction not found in any other weapons. Accordingly, a number of specific “AI ethics principles” are needed when employing these technologies for military purposes. Specifically, such systems must be “responsible, equitable, traceable, reliable, and governable,” the DIB wrote.

Each of these five principles seeks to address concerns raised by meeting participants over the use of AI in warfare. The DIB report led with the principle of ultimate human responsibility over all AI systems deployed by the Defense Department. Similarly, in response to concerns about biases built into AI target-identification systems—one of the issues raised by rebel workers at Google—it offers equity. The Defense Department, it affirmed, should “avoid unintended bias in the development and deployment of combat or non-combat AI systems that would inadvertently cause harm to persons.”

The precepts of traceability and reliability are responses to scientific critics who worry that AI-empowered machines may act in ways that humans cannot understand or behave erratically, causing unintended harm. Accordingly, those principles state that it is essential that AI systems’ decision-making processes be traceable, hence correctable, by humans and that any programming flaws be detected and repaired before such munitions are deployed on the battlefield.

The final principle, governability, is of particular concern to the arms control community as it bears on commanders’ ability to prevent unintended escalation in a crisis, especially a potential nuclear crisis. The original text stated that all AI systems must be capable of detecting and avoiding unintended harm and disruption and be able to “disengage or deactivate deployed systems that demonstrate unintended escalatory or other behavior.” Some DIB members argued that this left too much to chance, so the final text was amended to read that such systems must possess a capacity “for human or automated disengagement or deactivation” of systems that demonstrate escalatory behavior.

The DIB recommendations will be forwarded to the defense secretary, where their fate is unknown. Nevertheless, the principles articulated by the board are likely to remain a source of discussion for some time to come.

Panel produces recommendations on “ethical principles” for use of artificial intelligence by the U.S. military.

Cyber Battles, Nuclear Outcomes? Dangerous New Pathways to Escalation

November 2019
By Michael T. Klare

In January 2018, details of the Trump administration’s Nuclear Posture Review (NPR) were posted online by the Huffington Post, provoking widespread alarm over what were viewed as dangerous shifts in U.S. nuclear policy. Arousing most concern was a call for the acquisition of several types of low-yield nuclear weapons, a proposal viewed by many analysts as increasing the risk of nuclear weapons use.

A U.S. F-22 fighter shadows a Russian Tu-95 bomber on May 20 in international airspace near Alaska. Aircraft and missile detection systems rely heavily on electronic communications, making them potential targets for cyberwarfare. (Photo: NORAD)

Another initiative incorporated in the strategy document also aroused concern: the claim that an enemy cyberattack on U.S. nuclear command, control, and communications (NC3) facilities would constitute a “non-nuclear strategic attack” of sufficient magnitude to justify the use of nuclear weapons in response.

Under the Obama administration’s NPR report, released in April 2010, the circumstances under which the United States would consider responding to non-nuclear attacks with nuclear weapons were said to be few. “The United States will continue to…reduce the role of nuclear weapons in deterring non-nuclear attacks,” the report stated. Although little was said about what sort of non-nuclear attacks might be deemed severe enough to justify a nuclear response, cyberstrikes were not identified as one of these. The 2018 NPR report, however, portrayed a very different environment, one in which nuclear combat is seen as increasingly possible and in which non-nuclear strategic threats, especially in cyberspace, were viewed as sufficiently menacing to justify a nuclear response. Speaking of Russian technological progress, for example, the draft version of the Trump administration’s NPR report stated, “To…correct any Russian misperceptions of advantage, the president will have an expanding range of limited and graduated [nuclear] options to credibly deter Russian nuclear or non-nuclear strategic attacks, which could now include attacks against U.S. NC3, in space and cyberspace.”1

The notion that a cyberattack on U.S. digital systems, even those used for nuclear weapons, would constitute sufficient grounds to launch a nuclear attack was seen by many observers as a dangerous shift in policy, greatly increasing the risk of accidental or inadvertent nuclear escalation in a crisis. “The entire broadening of the landscape for nuclear deterrence is a very fundamental step in the wrong direction,” said former Secretary of Energy Ernest Moniz. “I think the idea of nuclear deterrence of cyberattacks, broadly, certainly does not make any sense.”2

Despite such admonitions, the Pentagon reaffirmed its views on the links between cyberattacks and nuclear weapons use when it released the final version of the NPR report in February 2018. The official text now states that the president must possess a spectrum of nuclear weapons with which to respond to “attacks against U.S. NC3,” and it identifies cyberattacks as one form of non-nuclear strategic warfare that could trigger a nuclear response.

That cyberwarfare had risen to this level of threat, the 2018 NPR report indicated, was a product of the enhanced cybercapabilities of potential adversaries and of the creeping obsolescence of many existing U.S. NC3 systems. To overcome these vulnerabilities, it called for substantial investment in an upgraded NC3 infrastructure. Not mentioned, however, were extensive U.S. efforts to employ cybertools to infiltrate and potentially incapacitate the NC3 systems of likely adversaries, including Russia, China, and North Korea.

For the past several years, the U.S. Department of Defense has been exploring how it could employ its own very robust cyberattack capabilities to compromise or destroy enemy missiles from such states as North Korea before they can be fired, a strategy sometimes called “left of launch.”3 Russia and China can assume, on this basis, that their own launch facilities are being probed for such vulnerabilities, presumably leading them to adopt escalatory policies such as those espoused in the 2018 NPR report. Wherever one looks, therefore, the links between cyberwar and nuclear war are growing.

The Nuclear-Cyber Connection

These links exist because the NC3 systems of the United States and other nuclear-armed states are heavily dependent on computers and other digital processors for virtually every aspect of their operation and because those systems are highly vulnerable to cyberattack. Every nuclear force is composed, most basically, of weapons, early-warning radars, launch facilities, and the top officials, usually presidents or prime ministers, empowered to initiate a nuclear exchange. Connecting them all, however, is an extended network of communications and data-processing systems, all reliant on cyberspace. Warning systems, ground- and space-based, must constantly watch for and analyze possible enemy missile launches. Data on actual threats must rapidly be communicated to decision-makers, who must then weigh possible responses and communicate chosen outcomes to launch facilities, which in turn must provide attack vectors to delivery systems. All of this involves operations in cyberspace, and it is in this domain that great power rivals seek vulnerabilities to exploit in a constant struggle for advantage.

The use of cyberspace to gain an advantage over adversaries takes many forms and is not always aimed at nuclear systems. China has been accused of engaging in widespread cyberespionage to steal technical secrets from U.S. firms for economic and military advantages. Russia has been accused, most extensively in the Robert Mueller report, of exploiting cyberspace to interfere in the 2016 U.S. presidential election. Nonstate actors, including terrorist groups such as al Qaeda and the Islamic State group, have used the internet for recruiting combatants and spreading fear. Criminal groups, including some thought to be allied with state actors, such as North Korea, have used cyberspace to extort money from banks, municipalities, and individuals.4 Attacks such as these occupy most of the time and attention of civilian and military cybersecurity organizations that attempt to thwart such attacks. Yet for those who worry about strategic stability and the risks of nuclear escalation, it is the threat of cyberattacks on NC3 systems that provokes the greatest concern.

Gen. Paul M. Nakasone, commander of U.S. Cyber Command, testifies during a Senate Armed Services Committee hearing on February 14. He warned that China and Russia are conducting sustained cybercampaigns against the United States. (Photo: Mark Wilson/Getty Images)

This concern stems from the fact that, despite the immense effort devoted to protecting NC3 systems from cyberattack, no enterprise that relies so extensively on computers and cyberspace can be made 100 percent invulnerable to attack. This is so because such systems employ many devices and operating systems of various origins and vintages, most incorporating numerous software updates and “patches” over time, offering multiple vectors for attack. Electronic components can also be modified by hostile actors during production, transit, or insertion; and the whole system itself is dependent to a considerable degree on the electrical grid, which itself is vulnerable to cyberattack and is far less protected. Experienced “cyberwarriors” of every major power have been working for years to probe for weaknesses in these systems and in many cases have devised cyberweapons, typically, malicious software (malware) and computer viruses, to exploit those weaknesses for military advantage.5

Although activity in cyberspace is much more difficult to detect and track than conventional military operations, enough information has become public to indicate that the major nuclear powers, notably China, Russia, and the United States, along with such secondary powers as Iran and North Korea, have established extensive cyberwarfare capabilities and engage in offensive cyberoperations on a regular basis, often aimed at critical military infrastructure. “Cyberspace is a contested environment where we are in constant contact with adversaries,” General Paul M. Nakasone, commander of the U.S. Cyber Command (Cybercom), told the Senate Armed Services Committee in February 2019. “We see near-peer competitors [China and Russia] conducting sustained campaigns below the level of armed conflict to erode American strength and gain strategic advantage.”

Although eager to speak of adversary threats to U.S. interests, Nakasone was noticeably but not surprisingly reluctant to say much about U.S. offensive operations in cyberspace. He acknowledged, however, that Cybercom took such action to disrupt possible Russian interference in the 2018 midterm elections. “We created a persistent presence in cyberspace to monitor adversary actions and crafted tools and tactics to frustrate their efforts,” he testified in February. According to press accounts, this included a cyberattack aimed at paralyzing the Internet Research Agency, a “troll farm” in St. Petersburg said to have been deeply involved in generating disruptive propaganda during the 2016 presidential elections.6

Other press investigations have disclosed two other offensive operations undertaken by the United States. One called “Olympic Games” was intended to disrupt Iran’s drive to increase its uranium-enrichment capacity by sabotaging the centrifuges used in the process by infecting them with the so-called Stuxnet virus. Another left of launch effort was intended to cause malfunctions in North Korean missile tests.7 Although not aimed at either of the principal U.S. nuclear adversaries, those two attacks demonstrated a willingness and capacity to conduct cyberattacks on the nuclear infrastructure of other states.

Efforts by strategic rivals of the United States to infiltrate and eventually degrade U.S. nuclear infrastructure are far less documented but thought to be no less prevalent. Russia, for example, is believed to have planted malware in the U.S. electrical utility grid, possibly with the intent of cutting off the flow of electricity to critical NC3 facilities in the event of a major crisis.8 Indeed, every major power, including the United States, is believed to have crafted cyberweapons aimed at critical NC3 components and to have implanted malware in enemy systems for potential use in some future confrontation.

Pathways to Escalation

Knowing that the NC3 systems of the major powers are constantly being probed for weaknesses and probably infested with malware designed to be activated in a crisis, what does this say about the risks of escalation from a nonkinetic battle, that is, one fought without traditional weaponry, to a kinetic one, at first using conventional weapons and then, potentially, nuclear ones? None of this can be predicted in advance, but those analysts who have studied the subject worry about the emergence of dangerous new pathways for escalation. Indeed, several such scenarios have been identified.9

The first and possibly most dangerous path to escalation would arise from the early use of cyberweapons in a great power crisis to paralyze the vital command, control, and communications capabilities of an adversary, many of which serve nuclear and conventional forces. In the “fog of war” that would naturally ensue from such an encounter, the recipient of such an attack might fear more punishing follow-up kinetic attacks, possibly including the use of nuclear weapons, and, fearing the loss of its own arsenal, launch its weapons immediately. This might occur, for example, in a confrontation between NATO and Russian forces in east and central Europe or between U.S. and Chinese forces in the Asia-Pacific region.

Speaking of a possible confrontation in Europe, for example, James N. Miller Jr. and Richard Fontaine wrote that “both sides would have overwhelming incentives to go early with offensive cyber and counter-space capabilities to negate the other side’s military capabilities or advantages.” If these early attacks succeeded, “it could result in huge military and coercive advantage for the attacker.” This might induce the recipient of such attacks to back down, affording its rival a major victory at very low cost. Alternatively, however, the recipient might view the attacks on its critical command, control, and communications infrastructure as the prelude to a full-scale attack aimed at neutralizing its nuclear capabilities and choose to strike first. “It is worth considering,” Miller and Fontaine concluded, “how even a very limited attack or incident could set both sides on a slippery slope to rapid escalation.”10

U.S. servicemen conduct a defensive cyberoperations exercise at Ramstein Air Base, Germany, on March 8. (U.S. Air Force photo by Master Sgt. Renae Pittman)

What makes the insertion of latent malware in an adversary’s NC3 systems so dangerous is that it may not even need to be activated to increase the risk of nuclear escalation. If a nuclear-armed state comes to believe that its critical systems are infested with enemy malware, its leaders might not trust the information provided by its early-warning systems in a crisis and might misconstrue the nature of an enemy attack, leading them to overreact and possibly launch their nuclear weapons out of fear they are at risk of a preemptive strike.

“The uncertainty caused by the unique character of a cyber threat could jeopardize the credibility of the nuclear deterrent and undermine strategic stability in ways that advances in nuclear and conventional weapons do not,” Page O. Stoutland and Samantha Pitts-Kiefer wrote in a 2018 paper for the Nuclear Threat Initiative. “[T]he introduction of a flaw or malicious code into nuclear weapons through the supply chain that compromises the effectiveness of those weapons could lead to a lack of confidence in the nuclear deterrent,” undermining strategic stability.11 Without confidence in the reliability of its nuclear weapons infrastructure, a nuclear-armed state may misinterpret confusing signals from its early-warning systems and, fearing the worst, launch its own nuclear weapons rather than lose them to an enemy’s first strike. This makes the scenario proffered in the 2018 NPR report, of a nuclear response to an enemy cyberattack, that much more alarming.

Yet another pathway to escalation could arise from a cascading series of cyberstrikes and counterstrikes against vital national infrastructure rather than on military targets. All major powers, along with Iran and North Korea, have developed and deployed cyberweapons designed to disrupt and destroy major elements of an adversary’s key economic systems, such as power grids, financial systems, and transportation networks. As noted, Russia has infiltrated the U.S. electrical grid, and it is widely believed that the United States has done the same in Russia.12 The Pentagon has also devised a plan known as “Nitro Zeus,” intended to immobilize the entire Iranian economy and so force it to capitulate to U.S. demands or, if that approach failed, to pave the way for a crippling air and missile attack.13

The danger here is that economic attacks of this sort, if undertaken during a period of tension and crisis, could lead to an escalating series of tit-for-tat attacks against ever more vital elements of an adversary’s critical infrastructure, producing widespread chaos and harm and eventually leading one side to initiate kinetic attacks on critical military targets, risking the slippery slope to nuclear conflict. For example, a Russian cyberattack on the U.S. power grid could trigger U.S. attacks on Russian energy and financial systems, causing widespread disorder in both countries and generating an impulse for even more devastating attacks. At some point, such attacks “could lead to major conflict and possibly nuclear war.”14

These are by no means the only pathways to escalation resulting from the offensive use of cyberweapons. Others include efforts by third parties, such as proxy states or terrorist organizations, to provoke a global nuclear crisis by causing early-warning systems to generate false readings (“spoofing”) of missile launches. Yet, they do provide a clear indication of the severity of the threat. As states’ reliance on cyberspace grows and cyberweapons become more powerful, the dangers of unintended or accidental escalation can only grow more severe.

‘Defending Forward’

Under these circumstances, one would think the major powers would seek to place restrictions on the use of offensive cyberweapons, especially those aimed at critical NC3 systems. This approach, however, is not being pursued by the United States and the other major powers.

Under the Obama administration, the Department of Defense was empowered to conduct offensive cyberstrikes on foreign states and entities in response to like attacks on the United States, but any such moves required high-level review by the White House and were rarely approved. This approach was embedded in Presidential Policy Directive 20 (PPD-20), adopted in October 2012, which states that any cyberaction that might result in “significant consequences,” such as loss of life or adverse foreign policy impacts, required “specific presidential approval.”

Officials in the Trump administration found this requirement unduly restrictive and so persuaded the president to rescind PPD-20 and replace it with a more permissive measure. The resulting document, National Security Presidential Memorandum 13 (NSPM-13), was approved in September 2018 but has not been made public. From what is known of NSPM-13, senior military commanders, such as Nakasone, enjoy preapproval to undertake offensive strikes against foreign entities under certain specified conditions without further White House clearance. In accordance with the new policy, military planners can prepare for offensive cyberattacks by seeking vulnerabilities in adversarial computer networks and by implanting malware in these weak spots for potential utilization if a retaliatory strike is initiated.15

As translated into formal military doctrine, this approach is described as “defending forward,” or seeking out the originators of cyberattacks aimed at this country and neutralizing them through counterstrikes and the insertion of malware for future activation. “Defending forward as close as possible to the origin of adversary activity extends our reach to expose adversaries’ weaknesses, learn their intentions and capabilities, and counter attacks close to their origins.”16

In embracing this strategy, Nakasone and other senior officials insist that their intention is defensive: to protect U.S. cyberspace against attack and deter future assaults by letting opponents know their own systems will be crippled if they persist in malicious behavior. “For any nation that’s taking cyber activity against the United States,” said National Security Advisor John Bolton when announcing the adoption of NSPM-13, “they should expect…we will respond offensively as well as defensively.”17 For any potential adversary following these developments, defending forward will certainly be interpreted as preparation for offensive strikes in the event of a crisis, inviting stepped up defensive and offensive moves on their part.

Much less is known about the strategic cyberwar policies of other powers, but they likely parallel those of the United States. China, for example, has long been known to employ cyberspace to spy on U.S. military technological capabilities and steal what they can for use in developing their own weapons systems. Russia has been even more aggressive in its use of cyberspace, employing cyberweapons to cripple Ukraine’s electrical grid in 2015 and to influence elections. That Moscow has also sought to infiltrate the U.S. electrical grid suggests that it too intends to defend forward, by preparing for possible cyberattacks on U.S. command, control, and communications capabilities, including NC3 facilities.

Although occurring largely in secret, what can aptly be called “an arms race in cyberspace” is underway. Where this might lead is difficult to foresee, but it is certain to involve the development of ever more potent cyberweapons. Each nuclear power will seek to enhance its defenses against future cyberattack. Yet, just as is the case in missile warfare, it is easier and cheaper to devise new offensive cybersystems than defensive ones. In the event of a crisis, then, there will be a strong temptation to employ the new technologies early in the encounter, when they might be used to maximum effect, setting in motion an escalatory process resulting in nuclear weapons use. As noted, the mere fact that disruptive malware is known to have been embedded in the vital command-and-control systems of a nuclear power could lead it to distrust its early-warning and intelligence systems and, in a panicky response to ambiguous signals, assume the worst and launch its nuclear weapons.

Arms Control in Cyberspace

Given the various ways in which conflict in cyberspace could result in nuclear weapons use, steps must be taken to minimize the risk of escalation from one domain to the other, but conceiving of agreements to curb malicious and escalatory behavior in cyberspace is no easy task. Computer software cannot readily be classified and counted the way planes and missiles can, and states do not agree on definitions of offensive and defensive cyberweapons, let alone on measures to control them. Nevertheless, some efforts have been made to develop rules and protocols to restrain the destabilizing use of cybertechnologies, and these provide a framework for further consideration.

French President Emmanuel Macron speaks November 12, 2018 at the Internet Governance Forum in Paris, where he introduced the “Paris Call for Trust and Security in Cyberspace,” which has been signed by more than 50 nations, but not the United States. (Photo: Ludovic Marin/AFP/Getty Images)

Perhaps the most extensive effort to adopt rules for acceptable behavior in cyberspace has been undertaken by the United Nations, in accordance with a series of General Assembly resolutions on the topic. This process first gained momentum in December 2011, when that body, “expressing concern” that emerging cybertechnologies “can potentially be used for purposes that are inconsistent with the objectives of maintaining international stability and security,” established a group of governmental experts to assess the dangers in cyberspace and consider “possible cooperative measures to address them, including norms, rules, or principles of responsible behavior of States.”18

In its initial report, released in June 2013, the experts group warned of increasing threats to the safety of what it described as the realm of information and communications technology (ICT). “States are concerned,” it noted, “that embedding harmful hidden functions in ICTs could be used in ways that affect secure and reliable ICT use…and damage national security.” With this in mind, it affirmed a basic principle: “International law, and in particular the Charter of the United Nations, is applicable” in the ICT domain. On this basis, it called on member states to work together in “the application of norms derived from existing international law relevant to the use of ICTs.” Furthermore, as part of this effort, it recommended the crafting of confidence-building measures, such as the creation of information-sharing mechanisms to investigate serious cybersecurity incidents, aimed at minimizing the risk of unintended consequences.19

As the evidence of dangerous developments in cyberspace multiplied, UN General Assembly Resolution 68/243 called for the formation of a new experts group to consider restraints on ICT malpractice. That body released its report in July 2015, providing the most comprehensive blueprint to date for the management of cyberspace. Building on the earlier experts group report, it articulated a set of norms that should govern behavior in this realm. Foremost among these was the precept that states “should not conduct or knowingly support ICT activity contrary to its obligations under international law that intentionally damages critical infrastructure or otherwise impairs the use and operation of critical infrastructure” of another country. Other norms articulated in the report include the proviso that states should not allow their territory to be used for “internationally wrongful acts using ICTs” and should seek to “prevent the proliferation of malicious ICT tools and techniques and the use of harmful hidden functions.”20

By articulating a set of fundamental norms, the 2015 experts group report provides a useful starting point for further consideration of arms control in cyberspace. Lacking any decision-making authority, however, the UN group in advocating for those norms called only for conversations among states on their implementation and the adoption of “voluntary, non-binding norms” for responsible behavior. The General Assembly, addressing the topic on several occasions since then, has only reiterated the principles of the 2015 report and called on member states to follow its guidance without achieving any obvious, genuine progress.

Several other initiatives have been undertaken by states and nonstate entities to promote restraint in cyberspace. In February 2017, Brad Smith, the president of Microsoft, called for the formulation of a “Digital Geneva Convention,” modeled on the existing, post-World War II Geneva Conventions, aimed at protecting civilians from the negative consequences of cyberattacks.21 Some academics, including scholars at the Notre Dame Institute for Advanced Study, have carried this notion further, calling for the worldwide embrace of “cyberpeace” based on the adoption of common norms and rules.22 “Just as the world’s governments came together in 1949 to adopt the Fourth Geneva Convention to protect civilians in times of war,” Smith declared, “we need a Digital Geneva Convention that will commit governments to implement the norms that have been developed to protect civilians on the internet in times of peace.”

President Emmanuel Macron of France has advocated for similar measures at the international level. In November 2018, he unveiled the “Paris Call for Trust and Security in Cyberspace” at a major gathering in the French capital. Essentially a rewording of past UN resolutions and the 2015 experts group report, it called for international cooperation in reducing malicious behavior, especially cybercrime and political warfare.23 Although it was signed by leaders of more than 50 countries, including France, Germany, Italy, Japan, and the United Kingdom, President Donald Trump refused to endorse the Paris call, presumably because it might infringe on U.S. plans to employ cyberweapons in an offensive mode (no reasons were provided for the U.S. refusal to sign).24

At this point, the likelihood that the United States, Russia, and China will adopt and respect international constraints on the use of cyberweapons aimed at the critical information and communications systems of their adversaries appears virtually nil. Nevertheless, it is vitally important that UN officials, industry figures, and prominent national leaders continue to articulate such norms and call for their adoption. Hopefully, these precepts will form the basis for binding international agreements, when enough key governments are prepared to embrace such measures. In the meantime, it is essential that policymakers and arms control advocates pursue other routes to arms control in cyberspace.

Perhaps the most promising approach in this regard is the adoption of formal or informal agreements to eschew certain behaviors that would increase the risk of unintended or accidental nuclear escalation. This would involve meetings between U.S. and Russian officials, possibly under the auspices of the currently suspended Strategic Stability Dialogue; between U.S. and Chinese officials; or possibly all three together aimed at identifying certain rules of the road to which all sides would agree to adhere, such as a ban on the implantation of malware in the NC3 systems of their adversaries.

A precedent for such high-level accords is provided by U.S. President Barack Obama’s September 2015 agreement with Chinese President Xi Jinping to bar the use of cyberspace for the theft of intellectual property. Although there is widespread debate over the extent to which China has abided by the 2015 accord, there is general agreement that it did result for a time in a diminished level of Chinese cyberespionage in the United States.25

Such an approach was advanced by Stoutland and Pitts-Kiefer in their 2018 study of cyberweapons and nuclear stability. “As a priority first step,” they said, “the United States should seek to initiate a bilateral dialogue with Russia” intended to “develop mutual understanding on how cyber threats can affect deterrence and strategic stability.” Such talks, they wrote, “should be held with a view toward developing a shared understanding of our mutual interest in minimizing that risk and identifying practical ways to address it bilaterally and multilaterally.”26

At present, none of these approaches for the control of cyberspace appears to be making any headway. As a consequence, the arms race in cyberspace is rapidly gaining momentum, greatly increasing the likelihood that future confrontations among the major powers will entail the early use of sophisticated cyberweapons, magnifying the risk of rapid and uncontrolled nuclear escalation. Because this danger has received far less attention than other pathways to escalation, it is essential that policymakers and arms control advocates devote far more effort to controlling cyberspace than they have up until now.



1. U.S. Department of Defense, Nuclear Posture Review (draft), January 2018, p. 17, at https://fas.org/nuke/guide/usa/npr2018-draft.pdf.

2. Aaron Mehta, “Nuclear Posture Review Draft Leaks,” Defense News, January 12, 2018, https://www.defensenews.com/space/2018/01/12/nuclear-posture-review-draft-leaks-new-weapons-coming-amid-strategic-shift/.

3. For background on these efforts, see Andrew Futter, “The Dangers of Using Cyberattacks to Counter Nuclear Threats,” Arms Control Today, July/August 2016, pp. 8–14.

4. For a comprehensive assessment of the cyberweapons threat in all its forms, see David E. Sanger, The Perfect Weapon (New York: Crown, 2018).

5. For a thorough assessment of these vulnerabilities, see Beyza Unal and Patricia Lewis, “Cybersecurity of Nuclear Weapons Systems,” Chatham House, January 2018, https://www.chathamhouse.org/sites/default/files/publications/research/2018-01-11-cybersecurity-nuclear-weapons-unal-lewis-final.pdf.

6. Julian E. Barnes, “Cyberattack Neutralized Russian Trolls as U.S. Voted,” The New York Times, February 27, 2019.

7. For background on these operations, see Sanger, Perfect Weapon, pp. 7–36 and 276–283.

8. David E. Sanger, “Russian Hackers Train Focus on U.S. Power Grid,” The New York Times, July 28, 2018.

9. For a summary of such scenarios, see Page O. Stoutland and Samantha Pitts-Kiefer, “Nuclear Weapons in the New Cyber Age: Report of the Cyber-Nuclear Weapons Study Group,” Nuclear Threat Initiative, September 2018, p. 12, https://media.nti.org/documents/Cyber_report_finalsmall.pdf.

10. James N. Miller Jr. and Richard Fontaine, “A New Era in U.S.-Russian Strategic Stability,” Harvard Kennedy School Belfer Center for Science and International Affairs and the Center for a New American Security, September 2017, p. 18, https://s3.amazonaws.com/files.cnas.org/documents/CNASReport-ProjectPathways-Finalb.pdf.

11. Stoutland and Pitts-Kiefer, “Nuclear Weapons in the New Cyber Age,” p. 12.

12. See Ivan Nechepurenko, “Kremlin Warns of Cyberwar After Report of U.S. Hacking of Electrical Grid,” The New York Times, July 18, 2019.

13. See Sanger, Perfect Weapon, pp. 43–47.

14. Miller Jr. and Fontaine, “New Era in U.S.-Russian Strategic Stability,” p. 19.

15. Zachary Fryer-Biggs, “The Pentagon Has Prepared a Cyberattack Against Russia,” Daily Beast, November 2, 2018, https://www.thedailybeast.com/the-pentagon-has-prepared-a-cyber-attack-against-russia.

16. U.S. Cyber Command, “Achieve and Maintain Cyberspace Superiority: Command Vision for U.S. Cyber Command,” n.d., https://www.cybercom.mil/Portals/56/Documents/USCYBERCOM%20Vision%20April%202018.pdf?ver=2018-06-14-152556-010 (released April 2018).

17. Fryer-Biggs, “Pentagon Has Prepared a Cyberattack Against Russia.”

18. UN General Assembly, Resolution 66/24, December 2, 2011.

19. UN General Assembly, “Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security: Note by the Secretary-General,” A/68/98, June 24, 2013 (containing the report).

20. UN General Assembly, “Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security: Note by the Secretary-General,” A/70/174, July 22, 2015 (containing the report).

21. Brad Smith, “The Need for a Digital Geneva Convention,” Microsoft, February 14, 2017, https://blogs.microsoft.com/on-the-issues/2017/02/14/need-digital-geneva-convention/.

22. Scott Shackelford, "The Meaning of Cyber Peace," Notre Dame Institute for Advanced Study, https://ndias.nd.edu/news-publications/ndias-quarterly/the-meaning-of-cyber-peace/.

23. “Paris Call for Trust and Security in Cyberspace,” November 12, 2018, https://www.diplomatie.gouv.fr/IMG/pdf/paris_call_cyber_cle443433-1.pdf.

24. David E. Sanger, “U.S. Declines to Sign Macron Declaration Against Cyberattacks,” The New York Times, November 13, 2018.

25. See Adam Segal, “Is China Still Stealing Western Intellectual Property?” Council on Foreign Relations, September 26, 2018, https://www.cfr.org/blog/china-still-stealing-western-intellectual-property.

26. Stoutland and Pitts-Kiefer, “Nuclear Weapons in the New Cyber Age,” p. 27.


Michael T. Klare is a professor emeritus of peace and world security studies at Hampshire College and senior visiting fellow at the Arms Control Association. This is the fourth in the “Arms Control Tomorrow” series, in which he considers disruptive emerging technologies and their implications for war-fighting and arms control.


Rapidly advancing cybertechnology threatens to undermine traditional thinking on when the use of nuclear weapons may be provoked.

Global Flashpoints and the Risks of Escalation

October 2019

The Senkaku Paradox: Risking Great Power War Over Small Stakes
By Michael E. O’Hanlon.
Brookings Institution, 2019, 258 pp.

Reviewed by Michael T. Klare

How will a great-power nuclear war erupt? How can its outbreak be prevented? These questions have bedeviled nuclear strategists and peace advocates since the dawn of the Atomic Age and are gaining fresh urgency as tensions among China, Russia, and the United States intensify.

Theorists generally assume that such a horrific cataclysm would occur when the major powers have amassed large nuclear arsenals, have primed these weapons for early use, and have reached a fever pitch of hostility. Under these conditions, it is feared, any outbreak of armed hostilities could lead swiftly to a clash of major conventional forces and, were one side or another to face overwhelming defeat, the early use of nuclear weapons.

Historically, it was believed that such incidents would arise along NATO-Soviet borders or in the North Atlantic, where the warships of the major powers often crossed paths. To avert a nuclear catastrophe, global leaders labored over the years to reduce tensions among the major powers through U.S.-Soviet summits, UN sessions, intense diplomacy, and so forth and to reduce the size and alert status of their nuclear arsenals. Unfortunately, less effort has been directed at identifying potential flashpoints and reducing the risk of uncontrolled escalatory spirals.

This lack of attention is especially critical in the current era of great power competition, says Michael O’Hanlon of the Brookings Institution in his new book The Senkaku Paradox: Risking Great Power War Over Small Stakes. He claims that although the probability of a deliberate, full-scale military assault by one of the major powers against another is extremely low, significant risks remain for minor aggressions to escalate quickly. There is considerable potential for a limited Russian intrusion into one of the Baltic republics or a Chinese seizure of a Japanese-claimed island in the East China Sea to spin out of control, possibly triggering the use of nuclear weapons.

Under existing U.S. military doctrine, he explains, any assault on a NATO country or a U.S. treaty ally, however trivial, should automatically prompt a full-scale military drive to reverse the intrusion and punish the aggressor. Such an endeavor would require a full-scale mobilization of U.S. and allied forces and still might not succeed, or if it did, it might so alarm enemy officials that they might resort to launching nuclear weapons. Fearing such an outcome, U.S. leaders might allow the original intrusion to stand, thereby jeopardizing U.S. alliances and inviting further aggression, with every likelihood that all-out war would eventually follow.

This, he explains, is what constitutes the “Senkaku paradox”: In the event of a limited enemy aggression, say in the uninhabited Senkaku Islands of the East China Sea, “a large-scale U.S. and allied response could seem massively disproportionate.” On the other hand, “a nonresponse would be unacceptable, and inconsistent with American treaty obligations.” What is needed are credible responses that fall between the extremes of acquiescence to aggression and military escalation.

O’Hanlon proposes an “asymmetric defense” consisting of economic penalties and limited military actions. These could include sanctions aimed at critical nodes of the aggressor’s economy, such as energy, banking, and transport, along with air and missile strikes against key logistical targets, such as pipelines, port facilities, and oil tankers. At the same time, the United States and its allies would reinforce defense positions near the initial conflict. The aim of all this would not be to reverse the original intrusion but rather to demonstrate that any further aggression would be met with intensified economic hardship and a brutal confrontation with U.S. and allied armies.

In assessing U.S. strategic options, O’Hanlon focuses on three potential flashpoints: the Baltic region, the East China Sea, and Taiwan. Of all conceivable war-igniting scenarios involving the great powers, he suggests, the most likely are a Russian attempt to seize a sliver of eastern Estonia or Latvia, where Russian speakers are in the majority; a Chinese occupation of one of the Senkaku Islands, claimed both by China, which calls them the Diaoyu, and Japan; and a Chinese naval blockade of Taiwan to thwart any Taiwanese move toward independence.

A Japan Coast Guard vessel sprays Taiwanese fishing boats with water near the Senkaku islands in September 2012. The dispute over the islands' sovereignty could create risks that a small conflict could escalate quickly. (Photo: Yomiuri Shimbun/AFP/GettyImages)

In any of these scenarios, O’Hanlon claims, U.S. military policy would presuppose a rapid and harsh response. Yet, any U.S. drive to dislodge Russian or Chinese forces from those locations would require a major commitment of force and, given recent improvements in those countries’ combat capabilities (especially through the acquisition of high-tech weaponry), might not prove easy to accomplish. A U.S. victory would be the most likely outcome, but could prompt Russia or China to employ nuclear weapons. Far better, he argues, to counter such assaults with asymmetric moves, such as attacks on vital energy infrastructure located outside the Russian or Chinese heartland, along with the reinforcement of positions in areas near the original intrusion.

O’Hanlon deserves credit for seeking credible alternatives to all-out war as a response to low-stakes challenges of these sorts. His emphasis on economic tools of coercion, as opposed to full-scale military mobilization, merits close attention by U.S. strategists. He also performs an important service by shining a spotlight on those potential flashpoints. Clearly, unless greater effort is made to understand and defuse the sources of friction in all three, other efforts to avert catastrophe could come to naught.

That said, many of his recommendations deserve careful scrutiny. Would Russian or Chinese leaders consider attacks on their energy facilities and logistical chokepoints as acceptable retribution? Perhaps such moves would incite them to undertake even harsher countermeasures of their own. To punish China for any future misbehavior in the East China Sea or in waters off Taiwan, for example, he proposes blocking Chinese oil imports from the Persian Gulf, a venture that he estimates will require four to six U.S. aircraft carriers and supporting vessels and would likely initiate a major naval conflict in the Indo-Pacific region. Although certainly superior to the immediate onset of full-scale war, asymmetrical moves of this sort do not necessarily promise a pacific outcome. Surely, O’Hanlon could have devoted more attention to preventative and diplomatic endeavors, including confidence-building measures and power-sharing arrangements, such as for the Senkaku/Diaoyu Islands.

Indeed, the deeper lesson to be drawn from The Senkaku Paradox is the difficulty in envisioning any outcomes from future U.S.-Russian or U.S.-Chinese military encounters that do not risk a nuclear escalation. Modern conventional weapons are capable of inflicting immense damage on vital military infrastructure, including, conceivably, nuclear command-and-control facilities, so it is easy to envision Russia or China responding with battlefield nuclear weapons.

Asymmetric responses are a welcome contribution to the discussion of alternative options, but a far more thorough reassessment of U.S. strategy is required, aimed at reducing U.S. risk of military entanglement in far-off hotspots and putting more space between conventional combat and the onset of nuclear war.

Michael T. Klare is professor emeritus of peace and world security studies at Hampshire College and senior visiting fellow at the Arms Control Association.



Michael E. O’Hanlon considers how to lower the risks of small conflicts escalating into major, even nuclear wars.

U.S. University to Speed Hypersonic Development

September 2019
By Michael T. Klare

Texas A&M University will build one of the world’s largest wind tunnels on behalf of the U.S. Army Futures Command as part of an accelerating U.S. effort to develop hypersonic weapons, according to an August announcement. The unusual partnership of the university, the Army, and the state of Texas represents a throwback to the Cold War, when prominent educational institutions built and managed major military research facilities, such as the Lawrence Livermore National Laboratory, established by the University of California, Berkeley, in 1952.

Texas A&M University plans to augment its existing wind tunnel facilities, such as the Oran W. Nicks Low Speed Wind Tunnel shown here, with a long wind tunnel to test hypersonic aircraft. (Photo: Texas A&M University)

In its announcement, university officials described plans to construct a “ballistic aero-optics and materials” (BAM) test facility for $130 million on a 2,000-acre campus near the small city of Bryan, about 100 miles east of Austin.

“Texas A&M will be the hypersonics research capital of the country with the planned construction of [the BAM] facility,” said Katherine Banks, the school’s vice chancellor and dean of engineering. The facility will consist of an above-ground tunnel 1 kilometer long and 2 meters in diameter, making it one of the largest such installations in the world. According to Defense One, the university will contribute $80 million toward construction costs with $50 million more provided by the state; additional sums will come from the Futures Command, which will operate the facility.

As U.S. military leaders appear determined to outpace China and Russia in the exploitation of advanced military technologies, and now unfettered by the defunct Intermediate-Range Nuclear Forces (INF) Treaty, the Defense Department is accelerating its drive to develop and deploy hypersonic weapons, projectiles that can fly at five times the speed of sound or faster, evading most air defenses. (See ACT, June 2019.) Many such projectiles, some of them with ranges that would have been limited by the INF Treaty, are being rushed into development, and the Pentagon is planning to procure vast numbers of these munitions as soon as they are deemed ready for combat.

The United States needs “many dozens, many hundreds, maybe thousands of assets,” said Michael Griffin, undersecretary of defense for research and engineering, on Aug. 7. “This takes us back to the Cold War where at one point we had 30,000 nuclear warheads and missiles to launch them. We haven’t produced on that kind of scale since the [Berlin] Wall came down.”

To satisfy this requirement, analysts say the arms industry will have to overcome numerous technical issues involving the design and production of hypersonic weapons. Projectiles flying at hypersonic speeds encounter immense pressures and temperatures in the Earth’s atmosphere, deforming even specialized materials and distorting electronic and communications links. Long before such weapons can be deployed, therefore, they must be rigorously tested under realistic conditions. This is normally done in wind tunnels, but hypersonic weapons fly so fast that few such facilities are capable of providing the necessary test environment. The BAM facility is planned to supplement hypersonics testing at NASA’s Ames Research Center, located at Moffett Field, Calif., where the Pentagon currently conducts the bulk of its hypersonic testing.

Texas A&M University expands its aerospace engineering capacity to support U.S. military goals.

Few Tech Firms Limit Autonomous Weapons

September 2019
By Michael T. Klare

Only a handful of global technology firms have adopted explicit policies to prevent their products from being used in lethal autonomous weapons systems, also called “killer robots,” according to a survey published in August. Such weapons have become highly controversial because they are gaining a capacity to identify and attack targets without human supervision.

A survey of 50 international technology firms found that Google was one of just seven companies to follow best practices in ensuring their technology is not used for lethal autonomous weapons. A 2018 staff action led the California-based firm to seek no renewal of a contract with the U.S. Defense Department. (Photo: Justin Sullivan/Getty Images)

Just seven of 50 companies surveyed in 12 nations were rated as following the best practices of ensuring their technology would not be used in these systems. The survey, called “Don’t Be Evil?” was conducted by PAX, a Dutch advocacy group.

“Don’t Be Evil” was once the official motto of Google, where thousands of workers signed an open letter in April 2018 calling on the company to cancel its involvement with Project Maven, a Pentagon-funded initiative aimed at harnessing artificial intelligence (AI) for the interpretation of video images that would potentially enable lethal attacks by autonomous weapons systems. Google’s management chose not to renew the contract when it came up for renewal in June of that year, promising that the company would not help develop AI for “weapons or other technologies whose principal purpose or implementation is to cause or directly facilitate injury to people.”

The PAX survey queried major firms known to be developing technologies relevant to autonomous weaponry, such as AI software and systems integration, pattern recognition, aerial drones and swarming, and ground robotics. The list included many household names (Amazon, Google, IBM, and Microsoft) as well as less-known firms involved in specific facets of tech development (Anduril, Clarifai, and Palantir). The companies were asked to describe their policies on development of these weapons systems on a questionnaire submitted by PAX; some responded, some declined.

Using survey responses and open-source literature, PAX analysts placed the companies into one of three categories: Best Practices (firms that explained their policies for preventing the use of their technology in developing lethal autonomous weapons systems); Medium Concern (firms known to be working on military applications of their technologies that refused to answer the survey or did answer the survey and claimed their military work did not encompass these systems); and High Concern (firms working on military applications of relevant technologies that refused to answer the survey).

Only seven companies, including Google and General Robotics, were rated as Best Practices; another 22, including Apple, Facebook, and IBM, were placed in the Medium Concern category; and 21, including Amazon, Intel, and Microsoft, were rated in the High Concern column.

With no international agreement in place to constrain the development and deployment of lethal autonomous weapons systems, a greater burden falls on executives of the major tech firms to establish and enforce ethical principles on the military applications of their products. Although officials at some tech firms, such as Google, have expressed reservations about working for the military on projects related to these systems, their colleagues at other companies have professed a willingness to work for the Defense Department or the militaries of other countries on such devices. This lack of consistency could lead to an unregulated environment in which the introduction of these systems proceeds apace. By publishing its survey, PAX hopes to encourage greater transparency and self-restraint on the part of key tech firms.

“Companies working on these technologies…need to have policies that make clear how and when they draw the line regarding the military application of their technology,” said the PAX report.


Global tech firms have yet to adopt policies to ensure their applications are not used for lethal autonomous weapons.

