Many of world’s strategists still share same conviction: as Kathryn Bigelow’s film A House of Dynamite (2025) dramatizes, nuclear escalation can only originate from missile of unknown origin heading straight for Chicago. Yet, this old “Cold War” vision no longer seems entirely relevant. As cyberattacks target critical infrastructure, long-taboo question arises: how far can we tolerate digital offensives that paralyze country or manipulate election before considering nuclear response? What if most dangerous attack to unfold in late 2020s originates not from silo, but from single line of code?
Cyber Shockwaves
Imagine simple piece of computer code shutting down nuclear power plants, paralyzing transportation networks, and disrupting vital military systems. For more than decade, cyberattacks against critical infrastructure have been more than just intrusions; they can have effects comparable to those of conventional acts of war, and threatening global stability.
For nuclear democracies, question has become crucial: at what point does digital incident cross threshold of severity required to trigger deterrence calculations, or even justify nuclear response? Cyberspace is now theater of constant confrontation where adversaries seek to undermine each other’s trust, disrupt economies, and test resilience.
This invisible competition weakens traditional deterrence mechanisms, which rely on clear signals. In cyberspace, nothing is clear, with uncertain effects and often unintentional escalation. Yet, potential damage of sophisticated cyberattack against electrical grid or supply chains could exceed that of conventional bombing. Problem stems from three major developments.
Critical Weak Spots
First development is increasing vulnerability of critical infrastructure, whose technical complexity creates countless points of weakness. Hospitals, refineries, water distribution systems, and railway networks rely on technologies that are sometimes outdated and rarely protected against determined state and non-state actors. Coordinated and simultaneous attack against multiple sectors could severely paralyze country for weeks to months, causing economic chaos and widespread social disruption.
Second development concerns strong integration of cyberspace and nuclear power. Command, control, and communication systems have become more digital than ever, and thus more exposed to cyberattacks. Even non-destructive intrusion, subtly targeted and difficult to detect, could be interpreted as attempt to undermine capacity to retaliate. In such cases, precise or approximate perception of risk becomes as dangerous as attack itself, amplifying potential for misunderstandings and unintentional escalation.
Third development, finally, is bolder behavior of adversaries of democratic regimes, who use cyberspace as tool for exerting pressure without incurring significant costs. Who would doubt that Russia, China, North Korea, and Iran regularly demonstrate their ability to disrupt institutions of democratic regimes? Relative success of their operations encourages them to push boundaries even further, as they are aware of existence of “gray zone” where traditional deterrence does not fully apply.
Should Democracies Clarify Doctrine?
These major transformations lead to fundamental question: should democracies clarify as quickly as possible that certain cyberattacks could cross threshold triggering major military response, including nuclear? Objective of new doctrine would then not be to lower nuclear threshold, but to re-establish credible and robust level of deterrence. Because if adversaries believe that cyberattacks are “zero-cost,” they will continue to systematically target vital infrastructure, exploiting critical vulnerabilities with impunity and minimal risk to themselves.
Strategic High Stakes
First argument for clarifying doctrine rests on proportionality: massive cyberattack targeting critical infrastructure could have consequences comparable to bombing. In this context, it would be consistent to specify that response is not limited to conventional means. Analysts point out that U.S. nuclear doctrine already considers possibility of devastating consequences from non-nuclear strategic attacks, and they believe that nuclear threat is not explicitly excluded, even if no-first-use scenario remains dominant.
Second argument concerns strategic stability. Today, adversaries regularly stress defenses of democratic regimes in “gray zone,” without immediate risk of escalation. Clarifying rules of engagement and explicitly integrating cyberspace into strategic thinking could strengthen deterrence and limit adversarial gambles in this gray zone. United States, United Kingdom, and France could thus reduce uncertainty regarding potential consequences of sophisticated cyberattacks, one form of irregular warfare, while emphasizing that any major offensive would have significant repercussions.
Third argument concerns protection of nuclear command. Even limited attack on control systems could be interpreted as attempt to neutralize second-strike capability, creating extreme risk of miscalculation, especially with increasing use of artificial intelligence. By clearly announcing that such intrusion would be considered serious and unacceptable act, democratic regimes would strengthen their strategic stability, discouraging any hostile action and reducing risk of unintentional escalation during times of international crisis.
Perilous Lines
This doctrinal shift, however, carries significant risks, notably unintentional lowering of nuclear threshold. Even if clarification primarily aims to strengthen deterrence, it could be perceived as excessive threat by non-democratic States, prompting them to rapidly modernize their nuclear arsenals or develop sophisticated offensive cyber capabilities. Proliferation of cyber threats with potentially physical effects creates low-profile but ultimately strategic space for competition, paradoxically exacerbating tensions and instability.
Responding to cyberattack with nuclear strike requires absolute certainty as to its true perpetrator. Yet, operations in cyberspace often involve proxies, opaque international relays, and technical masking of source. Attribution error could have profound consequences. Additionally, cyber intrusion seen as preparation for major attack might provoke overreaction during crisis. Any doctrine that includes possibility of nuclear response must therefore incorporate rigorous deconfliction mechanisms, otherwise worst will happen.
Middle Ground Emerges
However, these risks should not obscure strategic reality: current doctrine dates to time when cyberattacks could not paralyze country in minutes. This is no longer case. Adversaries of democratic regimes have understood that cyberspace offers them means of inflicting considerable damage while remaining below threshold for nuclear response. Doing nothing would amount to accepting structural vulnerability, especially since middle ground is emerging.
This involves explicitly defining two categories of cyberattacks likely to trigger appropriate military response:
- Attacks causing massive impacts on civilian population or critical infrastructure (hospitals and emergency services, water distribution networks, etc.).
- Intrusions targeting command systems of armed forces, even without destructive effects, with aim of degrading country’s decision-making capacity.
Though it would not directly reference nuclear weapons, this clarification would connect strategic cyberattacks to potential responses, giving decision-makers flexibility while clearly warning adversaries. More explicit doctrine should reduce risks of accidental escalation and limit audacity of State and non-State actors willing to test nerves of democratic regimes, in line with recent analyses on evolution of U.S. nuclear posture in face of new strategic threats that war in Ukraine has only exacerbated.
Original analysis by Gilles A. Paché from Global Security Review. Republished with additional research and verification by ThinkTanksMonitor.
