November 2019
By Michael T. Klare

In January 2018, details of the Trump administration’s Nuclear Posture Review (NPR) were posted online by the Huffington Post, provoking widespread alarm over what were viewed as dangerous shifts in U.S. nuclear policy. Arousing most concern was a call for the acquisition of several types of low-yield nuclear weapons, a proposal viewed by many analysts as increasing the risk of nuclear weapons use.

Another initiative incorporated in the strategy document also aroused concern: the claim that an enemy cyberattack on U.S. nuclear command, control, and communications (NC3) facilities would constitute a “non-nuclear strategic attack” of sufficient magnitude to justify the use of nuclear weapons in response.

Under the Obama administration’s NPR report, released in April 2010, the circumstances under which the United States would consider responding to non-nuclear attacks with nuclear weapons were said to be few. “The United States will continue to…reduce the role of nuclear weapons in deterring non-nuclear attacks,” the report stated. Although little was said about what sort of non-nuclear attacks might be deemed severe enough to justify a nuclear response, cyberstrikes were not identified as one of these. The 2018 NPR report, however, portrayed a very different environment, one in which nuclear combat is seen as increasingly possible and in which non-nuclear strategic threats, especially in cyberspace, were viewed as sufficiently menacing to justify a nuclear response. Speaking of Russian technological progress, for example, the draft version of the Trump administration’s NPR report stated, “To…correct any Russian misperceptions of advantage, the president will have an expanding range of limited and graduated [nuclear] options to credibly deter Russian nuclear or non-nuclear strategic attacks, which could now include attacks against U.S. NC3, in space and cyberspace.”¹

The notion that a cyberattack on U.S. digital systems, even those used for nuclear weapons, would constitute sufficient grounds to launch a nuclear attack was seen by many observers as a dangerous shift in policy, greatly increasing the risk of accidental or inadvertent nuclear escalation in a crisis. “The entire broadening of the landscape for nuclear deterrence is a very fundamental step in the wrong direction,” said former Secretary of Energy Ernest Moniz. “I think the idea of nuclear deterrence of cyberattacks, broadly, certainly does not make any sense.”²

Despite such admonitions, the Pentagon reaffirmed its views on the links between cyberattacks and nuclear weapons use when it released the final version of the NPR report in February 2018. The official text now states that the president must possess a spectrum of nuclear weapons with which to respond to “attacks against U.S. NC3,” and it identifies cyberattacks as one form of non-nuclear strategic warfare that could trigger a nuclear response.

That cyberwarfare had risen to this level of threat, the 2018 NPR report indicated, was a product of the enhanced cybercapabilities of potential adversaries and of the creeping obsolescence of many existing U.S. NC3 systems. To overcome these vulnerabilities, it called for substantial investment in an upgraded NC3 infrastructure. Not mentioned, however, were extensive U.S. efforts to employ cybertools to infiltrate and potentially incapacitate the NC3 systems of likely adversaries, including Russia, China, and North Korea.

For the past several years, the U.S. Department of Defense has been exploring how it could employ its own very robust cyberattack capabilities to compromise or destroy enemy missiles from such states as North Korea before they can be fired, a strategy sometimes called “left of launch.”³ Russia and China can assume, on this basis, that their own launch facilities are being probed for such vulnerabilities, presumably leading them to adopt escalatory policies such as those espoused in the 2018 NPR report. Wherever one looks, therefore, the links between cyberwar and nuclear war are growing.

The Nuclear-Cyber Connection

These links exist because the NC3 systems of the United States and other nuclear-armed states are heavily dependent on computers and other digital processors for virtually every aspect of their operation and because those systems are highly vulnerable to cyberattack. Every nuclear force is composed, most basically, of weapons, early-warning radars, launch facilities, and the top officials, usually presidents or prime ministers, empowered to initiate a nuclear exchange. Connecting them all, however, is an extended network of communications and data-processing systems, all reliant on cyberspace. Warning systems, ground- and space-based, must constantly watch for and analyze possible enemy missile launches. Data on actual threats must rapidly be communicated to decision-makers, who must then weigh possible responses and communicate chosen outcomes to launch facilities, which in turn must provide attack vectors to delivery systems. All of this involves operations in cyberspace, and it is in this domain that great power rivals seek vulnerabilities to exploit in a constant struggle for advantage.

The use of cyberspace to gain an advantage over adversaries takes many forms and is not always aimed at nuclear systems. China has been accused of engaging in widespread cyberespionage to steal technical secrets from U.S. firms for economic and military advantages. Russia has been accused, most extensively in the Robert Mueller report, of exploiting cyberspace to interfere in the 2016 U.S. presidential election. Nonstate actors, including terrorist groups such as al Qaeda and the Islamic State group, have used the internet for recruiting combatants and spreading fear. Criminal groups, including some thought to be allied with state actors, such as North Korea, have used cyberspace to extort money from banks, municipalities, and individuals.⁴ Attacks such as these occupy most of the time and attention of civilian and military cybersecurity organizations that attempt to thwart such attacks. Yet for those who worry about strategic stability and the risks of nuclear escalation, it is the threat of cyberattacks on NC3 systems that provokes the greatest concern.

This concern stems from the fact that, despite the immense effort devoted to protecting NC3 systems from cyberattack, no enterprise that relies so extensively on computers and cyberspace can be made 100 percent invulnerable to attack. This is so because such systems employ many devices and operating systems of various origins and vintages, most incorporating numerous software updates and “patches” over time, offering multiple vectors for attack. Electronic components can also be modified by hostile actors during production, transit, or insertion; and the whole system itself is dependent to a considerable degree on the electrical grid, which itself is vulnerable to cyberattack and is far less protected. Experienced “cyberwarriors” of every major power have been working for years to probe for weaknesses in these systems and in many cases have devised cyberweapons, typically, malicious software (malware) and computer viruses, to exploit those weaknesses for military advantage.⁵

Although activity in cyberspace is much more difficult to detect and track than conventional military operations, enough information has become public to indicate that the major nuclear powers, notably China, Russia, and the United States, along with such secondary powers as Iran and North Korea, have established extensive cyberwarfare capabilities and engage in offensive cyberoperations on a regular basis, often aimed at critical military infrastructure. “Cyberspace is a contested environment where we are in constant contact with adversaries,” General Paul M. Nakasone, commander of the U.S. Cyber Command (Cybercom), told the Senate Armed Services Committee in February 2019. “We see near-peer competitors [China and Russia] conducting sustained campaigns below the level of armed conflict to erode American strength and gain strategic advantage.”

Although eager to speak of adversary threats to U.S. interests, Nakasone was noticeably but not surprisingly reluctant to say much about U.S. offensive operations in cyberspace. He acknowledged, however, that Cybercom took such action to disrupt possible Russian interference in the 2018 midterm elections. “We created a persistent presence in cyberspace to monitor adversary actions and crafted tools and tactics to frustrate their efforts,” he testified in February. According to press accounts, this included a cyberattack aimed at paralyzing the Internet Research Agency, a “troll farm” in St. Petersburg said to have been deeply involved in generating disruptive propaganda during the 2016 presidential elections.⁶

Other press investigations have disclosed two other offensive operations undertaken by the United States. One called “Olympic Games” was intended to disrupt Iran’s drive to increase its uranium-enrichment capacity by sabotaging the centrifuges used in the process by infecting them with the so-called Stuxnet virus. Another left of launch effort was intended to cause malfunctions in North Korean missile tests.⁷ Although not aimed at either of the U.S. principal nuclear adversaries, those two attacks demonstrated a willingness and capacity to conduct cyberattacks on the nuclear infrastructure of other states.

Efforts by strategic rivals of the United States to infiltrate and eventually degrade U.S. nuclear infrastructure are far less documented but thought to be no less prevalent. Russia, for example, is believed to have planted malware in the U.S. electrical utility grid, possibly with the intent of cutting off the flow of electricity to critical NC3 facilities in the event of a major crisis.⁸ Indeed, every major power, including the United States, is believed to have crafted cyberweapons aimed at critical NC3 components and to have implanted malware in enemy systems for potential use in some future confrontation.

Pathways to Escalation

Knowing that the NC3 systems of the major powers are constantly being probed for weaknesses and probably infested with malware designed to be activated in a crisis, what does this say about the risks of escalation from a nonkinetic battle, that is, one fought without traditional weaponry, to a kinetic one, at first using conventional weapons and then, potentially, nuclear ones? None of this can be predicted in advance, but those analysts who have studied the subject worry about the emergence of dangerous new pathways for escalation. Indeed, several such scenarios have been identified.⁹

The first and possibly most dangerous path to escalation would arise from the early use of cyberweapons in a great power crisis to paralyze the vital command, control, and communications capabilities of an adversary, many of which serve nuclear and conventional forces. In the “fog of war” that would naturally ensue from such an encounter, the recipient of such an attack might fear more punishing follow-up kinetic attacks, possibly including the use of nuclear weapons, and, fearing the loss of its own arsenal, launch its weapons immediately. This might occur, for example, in a confrontation between NATO and Russian forces in east and central Europe or between U.S. and Chinese forces in the Asia-Pacific region.

Speaking of a possible confrontation in Europe, for example, James N. Miller Jr. and Richard Fontaine wrote that “both sides would have overwhelming incentives to go early with offensive cyber and counter-space capabilities to negate the other side’s military capabilities or advantages.” If these early attacks succeeded, “it could result in huge military and coercive advantage for the attacker.” This might induce the recipient of such attacks to back down, affording its rival a major victory at very low cost. Alternatively, however, the recipient might view the attacks on its critical command, control, and communications infrastructure as the prelude to a full-scale attack aimed at neutralizing its nuclear capabilities and choose to strike first. “It is worth considering,” Miller and Fontaine concluded, “how even a very limited attack or incident could set both sides on a slippery slope to rapid escalation.”¹⁰

What makes the insertion of latent malware in an adversary’s NC3 systems so dangerous is that it  may not even need to be activated to increase the risk of nuclear escalation. If a nuclear-armed state comes to believe that its critical systems are infested with enemy malware, its leaders might not trust the information provided by its early-warning systems in a crisis and might misconstrue the nature of an enemy attack, leading them to overreact and possibly launch their nuclear weapons out of fear they are at risk of a preemptive strike.

“The uncertainty caused by the unique character of a cyber threat could jeopardize the credibility of the nuclear deterrent and undermine strategic stability in ways that advances in nuclear and conventional weapons do not,” Page O. Stoutland and Samantha Pitts-Kiefer wrote in 2018 paper for the Nuclear Threat Initiative. “[T]he introduction of a flaw or malicious code into nuclear weapons through the supply chain that compromises the effectiveness of those weapons could lead to a lack of confidence in the nuclear deterrent,” undermining strategic stability.¹¹ Without confidence in the reliability of its nuclear weapons infrastructure, a nuclear-armed state may misinterpret confusing signals from its early-warning systems and, fearing the worst, launch its own nuclear weapons rather than lose them to an enemy’s first strike. This makes the scenario proffered in the 2018 NPR report, of a nuclear response to an enemy cyberattack, that much more alarming.

Yet another pathway to escalation could arise from a cascading series of cyberstrikes and counterstrikes against vital national infrastructure rather than on military targets. All major powers, along with Iran and North Korea, have developed and deployed cyberweapons designed to disrupt and destroy major elements of an adversary’s key economic systems, such as power grids, financial systems, and transportation networks. As noted, Russia has infiltrated the U.S. electrical grid, and it is widely believed that the United States has done the same in Russia.¹² The Pentagon has also devised a plan known as “Nitro Zeus,” intended to immobilize the entire Iranian economy and so force it to capitulate to U.S. demands or, if that approach failed, to pave the way for a crippling air and missile attack.¹³

The danger here is that economic attacks of this sort, if undertaken during a period of tension and crisis, could lead to an escalating series of tit-for-tat attacks against ever more vital elements of an adversary’s critical infrastructure, producing widespread chaos and harm and eventually leading one side to initiate kinetic attacks on critical military targets, risking the slippery slope to nuclear conflict. For example, a Russian cyberattack on the U.S. power grid could trigger U.S. attacks on Russian energy and financial systems, causing widespread disorder in both countries and generating an impulse for even more devastating attacks. At some point, such attacks “could lead to major conflict and possibly nuclear war.”¹⁴

These are by no means the only pathways to escalation resulting from the offensive use of cyberweapons. Others include efforts by third parties, such as proxy states or terrorist organizations, to provoke a global nuclear crisis by causing early-warning systems to generate false readings (“spoofing”) of missile launches. Yet, they do provide a clear indication of the severity of the threat. As states’ reliance on cyberspace grows and cyberweapons become more powerful, the dangers of unintended or accidental escalation can only grow more severe.

‘Defending Forward’

Under these circumstances, one would think the major powers would seek to place restrictions on the use of offensive cyberweapons, especially those aimed at critical NC3 systems. This approach, however, is not being pursued by the United States and the other major powers.

Under the Obama administration, the Department of Defense was empowered to conduct offensive cyberstrikes on foreign states and entities in response to like attacks on the United States, but any such moves required high-level review by the White House and were rarely approved. This approach was embedded in Presidential Policy Directive 20 (PPD-20), adopted in October 2012, which states that any cyberaction that might result in “significant consequences,” such as loss of life or adverse foreign policy impacts, required “specific presidential approval.”

Officials in the Trump administration found this requirement unduly restrictive and so persuaded the president to rescind PPD-20 and replace it with a more permissive measure. The resulting document, National Security Presidential Memorandum 13 (NSPM-13), was approved in September 2018 but has not been made public. From what is known of NSPM-13, senior military commanders, such as Nakasone, enjoy preapproval to undertake offensive strikes against foreign entities under certain specified conditions without further White House clearance. In accordance with the new policy, military planners can prepare for offensive cyberattacks by seeking vulnerabilities in adversarial computer networks and by implanting malware in these weak spots for potential utilization if a retaliatory strike is initiated.¹⁵

As translated into formal military doctrine, this approach is described as “defending forward,” or seeking out the originators of cyberattacks aimed at this country and neutralizing them through counterstrikes and the insertion of malware for future activation. “Defending forward as close as possible to the origin of adversary activity extends our reach to expose adversaries’ weaknesses, learn their intentions and capabilities, and counter attacks close to their origins.”¹⁶

In embracing this strategy, Nakasone and other senior officials insist that their intention is defensive: to protect U.S. cyberspace against attack and deter future assaults by letting opponents know their own systems will be crippled if they persist in malicious behavior. “For any nation that’s taking cyber activity against the United States,” said National Security Advisor John Bolton when announcing the adoption of NSPM-13, “they should expect…we will respond offensively as well as defensively.”17 For any potential adversary following these developments, defending forward will certainly be interpreted as preparation for offensive strikes in the event of a crisis, inviting stepped up defensive and offensive moves on their part.

Much less is known about the strategic cyberwar policies of other powers, but they likely parallel those of the United States. China, for example, has long been known to employ cyberspace to spy on U.S. military technological capabilities and steal what they can for use in developing their own weapons systems. Russia has been even more aggressive in its use of cyberspace, employing cyberweapons to cripple Ukraine’s electrical grid in 2015 and to influence elections. That Moscow has also sought to infiltrate the U.S. electrical grid suggests that it too intends to defend forward, by preparing for possible cyberattacks on U.S. command, control, and communications capabilities, including NC3 facilities.

Although occurring largely in secret, what can aptly be called “an arms race in cyberspace” is underway. Where this might lead is difficult to foresee, but it is certain to involve the development of ever more potent cyberweapons. Each nuclear power will seek to enhance its defenses against future cyberattack. Yet, just as is the case in missile warfare, it is easier and cheaper to devise new offensive cybersystems than defensive ones. In the event of a crisis, then, there will be a strong temptation to employ the new technologies early in the encounter, when they might be used to maximum effect, setting in motion an escalatory process resulting in nuclear weapons use. As noted, the mere fact that disruptive malware is known to have been embedded in the vital command-and-control systems of a nuclear power could lead it to distrust its early-warning and intelligence systems and, in a panicky response to ambiguous signals, assume the worst and launch its nuclear weapons.

Arms Control in Cyberspace

Given the various ways in which conflict in cyberspace could result in nuclear weapons use, steps must be taken to minimize the risk of escalation from one domain to the other, but conceiving of agreements to curb malicious and escalatory behavior in cyberspace is no easy task. Computer software cannot readily be classified and counted the way planes and missiles can, and states do not agree on definitions of offensive and defensive cyberweapons, let alone on measures to control them. Nevertheless, some efforts have been made to develop rules and protocols to restrain the destabilizing use of cybertechnologies, and these provide a framework for further consideration.

Perhaps the most extensive effort to adopt rules for acceptable behavior in cyberspace has been undertaken by the United Nations, in accordance with a series of General Assembly resolutions on the topic. This process first gained momentum in December 2011, when that body, “expressing concern” that emerging cybertechnologies “can potentially be used for purposes that are inconsistent with the objectives of maintaining international stability and security,” established a group of governmental experts to assess the dangers in cyberspace and consider “possible cooperative measures to address them, including norms, rules, or principles of responsible behavior of States.”¹⁸

In its initial report, released in June 2013, the experts group warned of increasing threats to the safety of what it described as the realm of information and communications technology (ICT). “States are concerned,” it noted, “that embedding harmful hidden functions in ICTs could be used in ways that affect secure and reliable ICT use…and damage national security.” With this in mind, it affirmed a basic principle: “International law, and in particular the Charter of the United Nations, is applicable” in the ICT domain. On this basis, it called on member states to work together in “the application of norms derived from existing international law relevant to the use of ICTs.” Furthermore, as part of this effort, it recommended the crafting of confidence-building measures, such as the creation of information-sharing mechanisms to investigate serious cybersecurity incidents, aimed at minimizing the risk of unintended consequences.¹⁹

As the evidence of dangerous developments in cyberspace multiplied, UN General Assembly Resolution 68/243, called for the formation of a new experts group to consider restraints on ICT malpractice. That body released its report in July 2015, providing the most comprehensive blueprint to date for the management of cyberspace. Building on the earlier experts group report, it articulated a set of norms that should govern behavior in this realm. Foremost among these was the precept that states “should not conduct or knowingly support ICT activity contrary to its obligations under international law that intentionally damages critical infrastructure or otherwise impairs the use and operation of critical infrastructure” of another country. Other norms articulated in the report include the proviso that states should not allow their territory to be used for “internationally wrongful acts using ICTs” and should seek to “prevent the proliferation of malicious ICT tools and techniques and the use of harmful hidden functions.”²⁰

By articulating a set of fundamental norms, the 2015 experts group report provides a useful starting point for further consideration of arms control in cyberspace. Lacking any decision-making authority, however, the UN group in advocating for those norms called only for conversations among states on their implementation and the adoption of “voluntary, non-binding norms” for responsible behavior. The General Assembly, addressing the topic on several occasions since then, has only reiterated the principles of the 2015 report and called on member states to follow its guidance without achieving any obvious, genuine progress.

Several other initiatives have been undertaken by states and nonstate entities to promote restraint in cyberspace. In February 2017, Brad Smith, the president of Microsoft, called for the formulation of a “Digital Geneva Convention,” modeled on the existing, post-World War II Geneva Conventions, aimed at protecting civilians from the negative consequences of cyberattacks.²¹ Some academics, including scholars at the Notre Dame Institute for Advanced Study, have carried this notion further, calling for the worldwide embrace of "cyberpeace" based on the adoption of common norms and rules.²² “Just as the world’s governments came together in 1949 to adopt the Fourth Geneva Convention to protect civilians in times of war,” he declared, “we need a Digital Geneva Convention that will commit governments to implement the norms that have been developed to protect civilians on the internet in times of peace.”

President Emmanuel Macron of France has advocated for similar measures at the international level. In November 2018, he unveiled the “Paris Call for Trust and Security in Cyberspace” at a major gathering in the French capital. Essentially a rewording of past UN resolutions and the 2015 experts group report, it called for international cooperation in reducing malicious behavior, especially cybercrime and political warfare.²³ Although signed by leaders of more than 50 countries, including France, Germany, Italy, Japan, and the United Kingdom, President Donald Trump refused to endorse the Paris call, presumably because it might infringe on U.S. plans to employ cyberweapons in an offensive mode (no reasons were provided for the U.S. refusal to sign).²⁴

At this point, the likelihood that the United States, Russia, and China will adopt and respect international constraints on the use of cyberweapons aimed at the critical information and communications systems of their adversaries appears virtually nil. Nevertheless, it is vitally important that UN officials, industry figures, and prominent national leaders continue to articulate such norms and call for their adoption. Hopefully, these precepts will form the basis for binding international agreements, when enough key governments are prepared to embrace such measures. In the meantime, it is essential that policymakers and arms control advocates pursue other routes to arms control in cyberspace.

Perhaps the most promising approach in this regard is the adoption of formal or informal agreements to eschew certain behaviors that would increase the risk of unintended or accidental nuclear escalation. This would involve meetings between U.S. and Russian officials, possibly under the auspices of the currently suspended Strategic Stability Dialogue; between U.S. and Chinese officials; or possibly all three together aimed at identifying certain rules of the road to which all sides would agree to adhere, such as a ban on the implantation of malware in the NC3 systems of their adversaries.

A precedent for such high-level accords is provided by U.S. President Barack Obama’s September 2015 agreement with Chinese President Xi Jinping to bar the use of cyberspace for the theft of intellectual property. Although there is widespread debate over the extent to which China has abided by the 2015 accord, there is general agreement that it did result for a time in a diminished level of Chinese cyberespionage in the United States.²⁵

Such an approach was advanced by Stoutland and Pitts-Kieter in their 2018 study of cyberweapons and nuclear stability. “As a priority first step,” they said, “the United States should seek to initiate a bilateral dialogue with Russia” intended to “develop mutual understanding on how cyber threats can affect deterrence and strategic stability.” Such talks, they wrote, “should be held with a view toward developing a shared understanding of our mutual interest in minimizing that risk and identifying practical ways to address it bilaterally and multilaterally.”²⁶

At present, none of these approaches for the control of cyberspace appears to be making any headway. As a consequence, the arms race in cyberspace is rapidly gaining momentum, greatly increasing the likelihood that future confrontations among the major powers will entail the early use of sophisticated cyberweapons, magnifying the risk of rapid and uncontrolled nuclear escalation. Because this danger has received far less attention than other pathways to escalation, it is essential that policymakers and arms control advocates devote far more effort to controlling cyberspace than they have up until now.

ENDNOTES
 

1. U.S. Department of Defense, Nuclear Posture Review (draft), January 2018, p. 17, at https://fas.org/nuke/guide/usa/npr2018-draft.pdf.

2. Aaron Mehta, “Nuclear Posture Review Draft Leaks,” Defense News, January 12, 2018, https://www.defensenews.com/space/2018/01/12/nuclear-posture-review-draft-leaks-new-weapons-coming-amid-strategic-shift/.

3. For background on these efforts, see Andrew Futter, “The Dangers of Using Cyberattacks to Counter Nuclear Threats,” Arms Control Today, July/August 2016, pp. 8–14.

4. For a comprehensive assessment of the cyberweapons threat in all its forms, see
David E. Sanger, The Perfect Weapon (New York: Crown, 2018).

5. For a thorough assessment of these vulnerabilities, see Beyza Unal and Patricia Lewis, “Cybersecurity of Nuclear Weapons Systems,” Chatham House, January 2018, https://www.chathamhouse.org/sites/default/files/publications/research/2018-01-11-cybersecurity-nuclear-weapons-unal-lewis-final.pdf.

6. Julian E. Barnes, “Cyberattack Neutralized Russian Trolls as U.S. Voted,” The New York Times, February 27, 2019.

7. For background on these operations, see Sanger, Perfect Weapon, pp. 7–36 and 276–283.

8. David E. Sanger, “Russian Hackers Train Focus on U.S. Power Grid,” The New York Times, July 28, 2018.

9. For a summary of such scenarios, see Page O. Stoutland and Samantha Pitts-Kiefer, “Nuclear Weapons in the New Cyber Age: Report of the Cyber-Nuclear Weapons Study Group,” Nuclear Threat Initiative, September 2018, p. 12, https://media.nti.org/documents/Cyber_report_finalsmall.pdf.

10. James N. Miller Jr. and Richard Fontaine, “A New Era in U.S.-Russian Strategic Stability,” Harvard Kennedy School Belfer Center for Science and International Affairs and the Center for a New American Security, September 2017, p. 18, https://s3.amazonaws.com/files.cnas.org/documents/CNASReport-ProjectPathways-Finalb.pdf.

11. Stoutland and Pitts-Kiefer, “Nuclear Weapons in the New Cyber Age,” p. 12.

12. See Ivan Nechepurenko, “Kremlin Warns of Cyberwar After Report of U.S. Hacking of Electrical Grid,” The New York Times, July 18, 2019.

13. See Sanger, Perfect Weapon, pp. 43–47.

14. Miller Jr. and Fontaine, “New Era in U.S.-Russian Strategic Stability,” p. 19.

15. Zachary Fryer-Biggs, “The Pentagon Has Prepared a Cyberattack Against Russia,” Daily Beast, November 2, 2018, https://www.thedailybeast.com/the-pentagon-has-prepared-a-cyber-attack-against-russia.

16. U.S. Cyber Command, “Achieve and Maintain Cyberspace Superiority: Command Vision for U.S. Cyber Command,” n.d., https://www.cybercom.mil/Portals/56/Documents/USCYBERCOM%20Vision%20April%202018.pdf?ver=2018-06-14-152556-010 (released
April 2018).

17. Fryer-Biggs, “Pentagon Has Prepared a Cyberattack Against Russia.”

18. UN General Assembly, Resolution 66/24, December 2, 2011.

19. UN General Assembly, “Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security: Note by the Secretary-General,” A/68/98, June 24, 2013 (containing the report).

20. UN General Assembly, “Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security: Note by the Secretary-General,” A/70/174, July 22, 2015 (containing the report).

21. Brad Smith, “The Need for a Digital Geneva Convention,” Microsoft, February 14, 2017, https://blogs.microsoft.com/on-the-issues/2017/02/14/need-digital-geneva-convention/.

22. Scott Shackelford, "The Meaning of Cyber Peace," Notre Dame Institute for Advanced Study, https://ndias.nd.edu/news-publications/ndias-quarterly/the-meaning-of-cyber-peace/.

23. “Paris Call for Trust and Security in Cyberspace,” November 12, 2018, https://www.diplomatie.gouv.fr/IMG/pdf/paris_call_cyber_cle443433-1.pdf.

24. David E. Sanger, “U.S. Declines to Sign Macron Declaration Against Cyberattacks,” The New York Times, November 13, 2018.

25. See Adam Segal, “Is China Still Stealing Western Intellectual Property?” Council on Foreign Relations, September 26, 2018, https://www.cfr.org/blog/china-still-stealing-western-intellectual-property.

26. Stoutland and Pitts-Kiefer, “Nuclear Weapons in the New Cyber Age,” p. 27.