In the 1983 movie WarGames, a curious teenager with a penchant for computer games accidently hacks into a US nuclear weapons command and control system, bringing the United States and the Soviet Union to the brink of thermonuclear war. The movie inspired Ronald Reagan to conduct a major review of digital vulnerabilities in the United States’ nuclear command, control, and communications (NC3) and ultimately led to the first major warning about cyber operations and nuclear stability.Footnote 1 The subsequent National Security Decision Directive, published in 1984, cautioned that “recent advances in microelectronics technology have stimulated an unprecedented growth in the supply of telecommunications and information processing services … Although this trend promises greatly improved efficiency and effectiveness, it also poses significant security challenges … The technology to exploit these electronic systems is widespread and is used extensively by foreign nations.”Footnote 2
Despite the early warning, almost thirty years later states have doubled down on digital technologies within their NC3. Most notably, the United States embarked on a major nuclear modernization effort in 2017, with over USD 77 billion devoted to replacing legacy analog systems with state-of-the-art digital computing and communications technologies.Footnote 3 This modernization is a top priority for US strategic decision makers, who testified that NC3 digitization is essential for the United States’ nuclear deterrence.Footnote 4 The NC3 modernization was also a centerpiece of the 2018 National Defense Strategy and Nuclear Posture Review, which both heralded the modernization of the NC3 as key pillars of effective US nuclear deterrence.Footnote 5
Implicit in this testimony and in the US defense strategies is an assumption about NC3 and stability: that the benefits of digital components will outweigh the risk of novel cyber vulnerabilities. This is a remarkable assumption because, in a field with little agreement, a majority of scholarship on cybersecurity and nuclear stability argues that cyber vulnerabilities in the NC3 are the most dangerous implications of the digital revolution.Footnote 6 Further, most of the strategic-stability literature about NC3 argues that vulnerabilities in command and control both increase incentives for first strike and decrease states’ ability to control nuclear escalation once nuclear war begins.Footnote 7 Even the Nuclear Posture Review warns that “the NC3 system is now subject to challenges from both aging system components and new, growing twenty-first century threats. Of particular concern are expanding threats in space and cyberspace.”Footnote 8
So why pursue digital modernization of the nuclear arsenal if the cyber risks are so high? Here is where a scholarly puzzle converges with real-world application because underlying all of these decisions about digital modernization is a question about how emerging technologies impact strategic stability. Do these technologies increase uncertainty and the risk of escalation? Does their novelty lead to restraint and deterrence? Or might the introduction of new technologies create asymmetries of certainty that push an overconfident state to adopt dangerous nuclear force postures?
While the cyber-nuclear literature might largely agree that cyber creates dangerous incentives for nuclear use, it cannot yet answer these larger questions about pathways from technology to instability. Are some pathways more likely than others? How will decision makers frame the threat (and promise) of cyberspace during nuclear crises? Answering these questions is difficult. In a world of emerging and prolific cyber threats, there is still no large-N database of cases of cyber exploits or vulnerabilities of NC3 to analyze, nor do we necessarily have the technical data to assess the probability or scope of successful (likely highly classified) cyber attacks against the United States’ or adversaries’ NC3. What we can do, however, is try to understand how humans may react, given assumptions about cyber technology and NC3, to the threat of cyber attacks against NC3. Are there generalizable reactions that can help us understand the impact of this emerging technology on strategic stability?
Normally this would be an almost impossible question to answer. The data simply do not exist, and the dominant synthetic-data-generation methods can struggle with external validity, especially for high-stakes scenarios. However, recent innovations in experimental wargaming have introduced a novel opportunity to understand human reactions to rare and dangerous scenarios. We therefore turned to this methodology to explore the impact of cyber capabilities on nuclear decision making, placing players in two crises (one of low intensity and one of higher intensity) between comparable nuclear states and varying only their cyber vulnerabilities and exploits within NC3.Footnote 9
After running the game with 115 teams and 580 players, we find it is not uncertainty and fear about cyber vulnerabilities that create the most dangerous incentives for nuclear use. Instead, it is overconfidence produced by the cyber exploit that incentivizes the riskiest behaviors, including aggressive counterforce campaigns and nuclear alerts. Counterintuitively, it is players’ confidence in their ability to mitigate cyber vulnerabilities by predelegating nuclear use to a lower level of command or relying on automation to launch nuclear weapons that increases the danger of accidental or inadvertent nuclear use. Together, these findings reveal the complicated relationship between emerging technologies and nuclear use, highlighting the role of confidence and perhaps-misplaced certainty—versus uncertainty and fear—in strategic stability.
This exploration first introduces theories of strategic stability and emerging technology, outlining how foundational assumptions about uncertainty drive opposing hypotheses about how technologies like cyber impact strategic stability. We then describe the quasi-experimental method and wargame design before exploring the findings from the data for both cyber operations and nuclear use. Finally, we explore what the game reveals about strategic stability writ large and the impact of cyber operations on nuclear stability, and conclude with recommendations for further research on escalation, the use of wargames, and implications for current cyber and nuclear policy.
Strategic Stability and Emerging Technology: Certainty versus Uncertainty
The impact on conflict of emerging technology, or systems that may have been invented and integrated into militaries but not yet used extensively in conflict, is a foundational puzzle of international relations. Do new technologies lead to escalation and nuclear use?Footnote 10 Do they create incentives for deterrence and restraint?Footnote 11 Or are they merely an intervening variable to larger issues of strategy or politics?Footnote 12 While the matter is still hotly contested, decades of debate reveal that one foundational assumption fissures the field: how uncertainty affects the likelihood of nuclear use or arms races. Some scholars have argued that technological uncertainty creates strategic instability, while others look at that same uncertainty and argue that emerging technologies can create restraint and deterrence. And for a third group of scholars, it is certainty (often misplaced) in emerging technologies that has the most dangerous implications for strategic stability.
For those who believe that uncertainty creates incentives for instability,Footnote 13 emerging technologies are more likely to lead to nuclear use when they create uncertainty about regime intentions,Footnote 14 capabilities,Footnote 15 or the overall balance of power.Footnote 16 This technological uncertainty leads to security dilemmas,Footnote 17 arms races,Footnote 18 cults of the offensive,Footnote 19 and asymmetries of informationFootnote 20—all of which increase the incentives for nuclear use.
This happens in a few ways. First, technological uncertainty increases the chance of preemptive nuclear use by creating the fear that first movers will win a conflict.Footnote 21 The best illustration of this for strategic stability is the survivability of a second-strike arsenal. If a state believes that a first mover would decimate its ability to launch a nuclear response, it may be incentivized to launch preemptively. Further, in the quest to maintain deterrence in the midst of a first mover advantage, states have incentives to adopt first strike policies and aggressive nuclear force postures.Footnote 22 Vulnerabilities in NC3 could be especially dangerous for a state worried about assured control to launch a second (or even first) strike. Practitioners at the dawn of the information age, faced with the uncertainty around emerging threats like electronic warfare, wrote pointedly about their concern that threats to NC3 from emerging technologies could create incentives for preemptive strike. As Ashton Carter warned, “faced with alarming analyses, the superpower command systems can come to fear their vulnerability so much that they take seriously the need to strike first.”Footnote 23
Technological uncertainty also increases the chance of inadvertent or accidental escalation by incentivizing states to build dangerous offense-dominant weapons, campaigns, and force postures.Footnote 24 Famously, Jervis argued that uncertainty about whether a weapon was designed for offensive or defensive campaigns could led to security dilemmas in which even status quo states could find themselves at war.Footnote 25 Here—as opposed to the logics of preemption—the danger of uncertainty is how states hedge their nuclear vulnerabilities, with nuclear alert, predelegation of launch authority, or automation, which then increases the chance of inadvertent or accidental escalation to nuclear use.Footnote 26 In this pathway from technological uncertainty to nuclear use, states’ attempts to mitigate uncertainty about vulnerabilities may ease the pressure for preemptive use of nuclear weapons (warned of earlier), but at the expense of safety and control.
Not surprisingly, the application of these theories of technological uncertainty and escalation to the cyber domain predicts instability with greater incentives for nuclear use.Footnote 27 Scholars point to uncertainty about cyber attribution, effects, and offense–defense differentiation to paint a warning for future nuclear conflict.Footnote 28 A strong focus in this conversation is how cyber uncertainty creates incentives for preemption and early nuclear use,Footnote 29 largely building on assumptions from the larger literature about how uncertainty creates fear and an impetus for action. As a 2021 Carnegie Endowment paper concluded, “Cyber-attacks against a nuclear command and control system would expose the attacked state to significant pressure to escalate conflict and even use nuclear weapons before its nuclear capabilities are compromised.”Footnote 30 Secondarily, the cyber-nuclear literature also warns of inadvertent and accidental nuclear use driven by the uncertainty that cyber operations may create about targeting, early warning, and control of nuclear forces.Footnote 31
But while the cyber-nuclear literature may lean heavily on assumptions about uncertainty's central role in provoking nuclear war, uncertainty is often what states make of it. Indeed, scholars examining how states respond to uncertainty suggest that some theories of conflict may be overly deterministic about the impact of uncertainty on war.Footnote 32 A rich literature explores how both context and individual-level variables interact with uncertainty to mediate its impact on war onset.Footnote 33 And other scholars question the assumption that uncertainty necessarily leads to warFootnote 34—providing theoretical and empirical evidence for the role of certainty (as opposed to uncertainty) in strategic instability.
Mitzen and Schweller provide one of the most direct responses to theories that assume uncertainty drives conflict, presenting an alternative model of misplaced certainty and war in which overconfidence (often driven by a yearning for certainty in dangerous situations) creates pathways to both preemption and inadvertent escalation.Footnote 35 Altman applies a similar argument to military campaign assessments, arguing there are cognitive and organizational incentives for false optimism about the success of military campaigns.Footnote 36 Meanwhile, explorations of individual foreign policy decision making provide evidence that personality traits and risk proclivities shape how leaders deal with uncertainty in crisis decisions, with those more prone to cognitive closure and risk acceptance more likely to use military force earlier in a crisis.Footnote 37 Perhaps most compellingly, evidence from wargames suggests that war onset is determined more by individuals’ overconfidence, willingness, and desire to create certainty through aggression than by any fear created by uncertainty.Footnote 38 Johnson explains that this trait, overconfidence, evolved as a means of survival, suggesting that the path from misplaced certainty to war has strong and powerful roots in humans.Footnote 39 He links this evolutionary trait to a Rubicon theory of war onset in which overconfidence can induce a state to move from status quo restrainers to attackers.Footnote 40 For these theories, emerging technology is not necessarily dangerous to nuclear stability when it makes states uncertain about victory, but when it imparts confidence or certainty for more aggressive campaigns, whether that be nuclear use or counterforce initiatives.
These alternative theories about uncertainty and conflict could explain a significant empirical puzzle about cyber and escalation that has divided the scholarly community. Despite the dominance of hypotheses linking cyber with escalation, a burgeoning literature suggests cyber operations are not only not destabilizing, but in some instances can create incentives for restraint. Across case studies, experiments, and wargames this work finds little or no evidence of cyber operations increasing violence within crises.Footnote 41 Meanwhile, more theoretical work in this vein questions previous hypotheses about uncertainty and the offensive nature of cyberspace. It argues that cyberspace is not as offensively dominated as previously believed and that the uncertainty that does exist might incentivize restraint instead of escalation.Footnote 42
While this literature throws doubt on theories that link cyber uncertainty with escalation, it does find evidence of misplaced certainty and overconfidence. Experiments and content analysis find a tendency to overestimate cyber capabilities, even while underestimating cyber vulnerabilities.Footnote 43 This overconfidence in cyber capabilities, especially against nuclear networks, could (as Carter described in 1987) “encourage deliberate, direct attack intended to achieve purely military rather than politico-diplomatic objectives.”Footnote 44 Gartzke and Lindsay explain this logic as a cyber commitment problem in which there is “a logical possibility for creating a window of opportunity for using particular cyber operations. . . . It would be important to exploit this fleeting advantage via other credible military threats (e.g., forces mobilized on visible alert or deployed into the crisis area) before the window closes.”Footnote 45 The cyber commitment problem becomes most dangerous when incentives to use cyber exploits create the impetus for otherwise risky counterforce strategies paired with conventional capabilities like air, missile, or naval attacks on nuclear arsenals.Footnote 46
Together, these theories of uncertainty (and certainty), technology, and war lead to three competing hypotheses about cyber operations and nuclear use. The first, drawing from assumptions that link uncertainty with war, predicts that cyber vulnerabilities create fear, which leads to preemptive nuclear use and tactics that minimize the vulnerability of first strike at the expense of safety and control. This includes nuclear alert, predelegation, and automation. The second hypothesis is that uncertainty creates incentives for deterrence and restraint, suggesting that uncertainty about cyber effects and vulnerabilities leads to cyber restraint against an enemy's NC3, decreases incentives for states to use their nuclear arsenal, and ultimately decreases the willingness of states to commit to risky campaigns against nuclear adversaries. The third hypothesis focuses on misplaced certainty, suggesting that misplaced certainty in cyber capabilities incentivizes cyber attacks against nuclear networks and engenders an overconfidence that could also lead to counterforce campaigns in other domains.
Wargame Design
To test these hypotheses about cyber and nuclear stability, we developed a quasi-experimental wargame. Wargames are useful mechanisms with which to study crisis decision making, and in particular to look at the impact of emerging technologies on nuclear use.Footnote 47 First, like survey experiments, games and the use of hypothetical scenarios let us collect data on incidents that are rare, have bad data, or look to the future. Similarly, games and experiments are particularly useful methodologies to look at decision making and human behaviors—both important variables in crisis stability. Games go beyond survey experiments, however, both in the use of groups in some games and in the ability to immerse players in the game environment for an extended period. Together, these characteristics make games an extraordinarily useful methodological alternative to historical case studies, big data, or even survey experiments because they may provide greater external validity and novel data for rare or future events.Footnote 48
These advantages make wargaming ideal as a way to address our research question. First, decisions about cyber operations and nuclear events are both rare and highly classified. This means that case studies and large-N databases are both extremely limited and potentially biased toward public events. Further, because our hypotheses are about how humans react to certainty and uncertainty in high-stakes scenarios, other behavioral synthetic data generation methods (like surveys or lab experiments) may struggle with external (or ecological) validity.Footnote 49 While there is debate about how immersive and externally valid games can be, features of games like multi-hour durations, deliberative discussions, and rich scenarios create the conditions for a more immersive environment than surveys. Schelling, for example, recounts that games were so immersive that participants began to see the game as “either real or as one that could be real.”Footnote 50 This immersion also helps build rich qualitative data through narratives written into response plans, facilitator notes, and transcripts—all of which help us understand the “why” behind game outcomes, which is especially useful for evaluating hypotheses about the motivations behind human behaviors. Finally, groups used as decision-making units in wargames can more accurately represent the important mediating role of advisors and group dynamics in complicated decisions like cyber or nuclear use.Footnote 51
Game Design
The game is designed to look at how two independent variables, having a cyber exploit in an adversary's NC3 and having a cyber vulnerability in your own NC3, affect a dependent variable, strategic stability.Footnote 52 In this game we use a narrow scope for strategic stability (or crisis stability), which is defined by Acton as “the absence of incentives to use nuclear weapons first.”Footnote 53 We operationalize it as not only binary use of nuclear weapons but also whether teams put forces on nuclear alert, predelegated authority, used automated systems, or launched counterforce campaigns. We hypothesize that uncertainty and overconfidence explain how our independent variables affect strategic stability, so we introduce uncertainty within our cyber exploit and vulnerability treatments and use group- and individual-level data to trace uncertainty and certainty to decisions about nuclear weapons, cyber use, and campaign strategies.
Given our research question, we sought to design a wargame that allowed us to control for our variables of interest while creating an immersive and engaging experience that would induce players to behave as closely as possible to how they might in a real crisis. The wargame, which includes two related but independent scenarios—one of low intensity and one of high intensityFootnote 54—pits two strictly comparable states (Our State and Other State) against each other over a contested territory (Gray Region). Teams play a notional cabinet for Our State and are randomly assigned to one of four treatment groups, which vary as to whether teams have cyber exploits and/or cyber vulnerabilities.
Condition 1 is our full treatment. These players are given both an exploit into the adversary's NC3 and a vulnerability in their own NC3 (Table 1). Condition 2 is the first of our asymmetric treatments: the group is given an exploit into the adversary's NC3 and told they have no vulnerability in their own NC3. The third group and second asymmetric treatment gives the team a vulnerability in their own NC3 but no exploit into the adversary's NC3. The fourth group is a control group; they have neither an exploit nor a vulnerability. This allows us to control for differences in crisis outcomes based on the cyber treatment.
According to our first hypothesis, that uncertainty and fear about cyber vulnerabilities lead to nuclear preemption, we would expect that the asymmetric vulnerability group, followed by our full treatment group, would be the most likely to use nuclear weapons, go on nuclear alert, and predelegate launch authority. The logic here is that uncertainty about the vulnerability would create fear about second strike survival and therefore incentivize early use of nuclear weapons. In contrast, our second hypothesis, that uncertainty about cyber operations creates incentives for restraint and deterrence, suggests that the groups with the cyber vulnerability will be less likely to use nuclear weapons than our control group or exploit-only group. Finally, the hypothesis about misplaced certainty suggests that it is the exploit that drives differences in our groups—with exploit groups not only more likely to use the capabilities but also the most likely to use nuclear weapons and launch counterforce campaigns.
Playing both scenarios in the game takes about three hours. All players are given an initial scenario brief and instructions about how to complete the response plan. Players are then divided into their separate teams to discuss the scenario and their response.Footnote 55 Teams are made up of four to six players who are randomly assigned to work together in a rough approximation of a national security cabinet. They are asked to choose roles among themselves, including head of state, minister of defense, minister of state, economic advisor, intelligence advisor, and national security advisor (if there are six). They are then given separate but identical pamphlets with the information from the initial brief as well as details about the economy, military, and cyber capabilities of both Our State and Other State. Teams fill out a response plan for each of the scenarios and take individual surveys after each of the scenario turns are completed. There is no adjudication or opponent for teams between or after the scenarios, which allowed us to directly compare game outcomes across iterations. Players are told that scenario 2, while being thematically an extension of scenario 1, is not contingent on the actions they took in scenario 1.
The Scenario
The scenario presented to players involves two neighboring peer adversaries, Our State and Other State, which contest territory in the Gray Region.Footnote 56 Both states have nuclear capability (a triad of delivery platforms), a strong military, and an advanced economy. Allies are not overtly included in the scenario, though the scenario brief and background information mention the UN Security Council. The crisis begins when Other State foments an uprising in the Gray Region, a semi-autonomous region within the territorial boundaries of Our State that includes a large population of individuals ethnically Other State (Figure 1). Other State security forces are spotted in the Gray Region, while Other State mobilizes its land and naval assets and announces: “In defense of our brothers and sisters in Gray Region, we have acted decisively. … The Gray Region is now under Other State rule … We will use any means to protect our territory, including the nuclear option.”
Scenario 2 picks up at the end of scenario 1 with a significant escalation of violence and threat (Figure 2). Other State invades Our State and mobilizes nuclear forces. Players are told that Other State is considering the “preemptive use of nuclear weapons.” By varying the intensity of these two scenarios, the game is able to explore how cyber vulnerabilities and exploits affect incentives for nuclear use in two distinct phases of crisis escalation.
The Treatment
Teams received two handouts representing their treatment after the collective scenario brief (see the online supplement for the facilitator guide and details about game facilitation). One slide detailed whether they had a cyber exploit, and the other detailed whether they had a vulnerability. Every team received both handouts, regardless of whether or not they had the exploit or the vulnerability.
Players with the exploit treatment were told that they had “a new cyber exploit/access to attack Other State's NC3” (Figure 3). The “exploit has a high probability of success,” “cuts off Other State's ability to launch nuclear attacks; effective for an undetermined amount of time; relatively covert, but full attribution may be possible in the long run,” and it is “unclear how long this exploit/access against NC3 will exist.” To make the exploit and vulnerability treatments as symmetrical as possible, the vulnerability treatment uses nearly identical language: “intel reports Other State has a cyber exploit/access against Our State's NC3; Other State assesses the NC3 cyber attack would have a high probability of success; cuts off Our State's ability to launch nuclear attacks; effective for an undetermined amount of time; relatively covert, but attribution may be possible in the long run,” and it is “unclear how to mitigate the NC3 vulnerability.” Teams without these treatments were told either that they had “no access to Other State's NC3” or that there was “no vulnerability within Our State's NC3.”
Both the access/exploit treatment and the vulnerability treatment were designed to evoke a highly effective cyber tool (in fact, this kind of capability is unlikely unless a state built a highly centralized NC3 with very few redundancies). Empirical work has found that cyber operations rarely have an effect on behaviors.Footnote 57 We wanted a treatment that biased against these findings so that, if we still found no effect from cyber operations even with an extremely significant exploit and vulnerability, then we would be able to say that even if cyber could create large effects, it still would not play a large role in the crisis dynamics. If we designed the treatment in the other direction, with limited effectiveness or vulnerability, then we wouldn't be able to rule out whether cyber would have mattered if it had been able to create more significant effects. We are therefore simulating the worst-case scenario—again, gaming has the advantage of being able to generate synthetic data about even rare circumstances. Despite the bias toward a significant cyber capability/vulnerability, we still believed that unique characteristics about cyber operations (uncertainty about effectiveness, uncertainty about how long the effect or the access would last, uncertainty about where the vulnerability exists) mattered to these decisions and integrated those characteristics into the treatment. Therefore, players had to deal with inherent uncertainty for both the cyber vulnerability and the cyber exploit as they debated whether and how to use and respond to the cyber treatments.
The Sample
The International Crisis Wargame was played in eleven different locations and twelve different iterations, including the Naval War College, Thailand, the Harvard Belfer Center, Norway, Argentina, Sandia National Labs, Tufts University, the Naval Postgraduate School, MIT, Stanford University, and a virtual interface.Footnote 58 A total of 580 players have taken part (Table 2).Footnote 59 Of those players, 71 percent listed themselves as Americans and 29 percent as other nationalities.Footnote 60 Similarly, the participants skewed male, with about 73 percent identifying as male and 27 percent as female. Players spanned the age spectrum, with 19 percent under thirty, 25 percent between thirty and thirty-nine, 28 percent forty to forty-nine, 17 percent fifty to fifty-nine, and 11 percent over sixty years old. Expertise was also heterogeneous, with 37 percent having private industry or military experience, 27 percent government experience, 27 percent academic experience, and 13 percent NGO experience. Most (56%) identified as a senior professional, with fifteen or more years of experience; 26 percent as mid-level, and 18 percent as student or entry level. Looking more granularly at specific experience, 15 percent identified themselves as either a technical or policy cyber expert, and 16 percent identified with similar nuclear expertise (see the online supplement for a breakdown of demographic variables).
*Groups played only scenario 1.
Data Collection
Data were collected in the game in three ways. The primary method of outcome measurement was the response plan, written by each group collectively (Figure 4). They described their overall plan, chose their response actions (from a preset list of sixteen possible actions), and then described their end state and prioritized objectives. The crisis response plan collected data on the outcome variable, but surveys—the second form of data collection—were used to measure individual behaviors and motivations behind response plans. Finally, facilitator and plenary notes were used in some games to capture group dynamics, conversations within the game, and lessons learned from players.
Based on our game design, what evidence would support or disprove the three hypotheses about technology and strategic stability? First, for the hypothesis that uncertainty leads to preemption, we would expect teams with cyber vulnerabilities to be more likely to launch nuclear weapons or place them in their response plan. We would expect also that teams with vulnerability are more likely to predelegate control, automate, and place forces on nuclear alert. In the survey and the response plan, we would expect players to explain their choices by discussing the uncertainty of controlling their nuclear forces given the adversary's cyber exploit and uncertainty about solving the vulnerability. Alternatively, if (per the second hypothesis) cyber uncertainty leads to restraint and deterrence, we would expect teams with vulnerability not to use nuclear weapons and teams with both the vulnerability and the exploit to restrain their own use of NC3 exploits. These teams would also be less likely to take risky counterforce strategies, and in surveys they would provide evidence that they were uncertain of both their vulnerabilities and their cyber capabilities. Finally, if decisions are driven instead by misplaced certainty (per the third hypothesis), we would expect the cyber exploit to correlate with nuclear use, as well as campaigns of counterforce, and potentially even nuclear alert and predelegation to support those campaigns. Teams would be more likely to use the cyber exploit, with evidence from surveys that players were confident of their cyber capabilities.
Game Campaign Strategies
What did two years of wargames across 580 players and 115 games reveal about emerging technologies and strategic stability? What was the effect of NC3 cyber exploits and vulnerabilities on nuclear use? How did having and responding to these cyber threats affect the crisis response options that players crafted? What differences did we see between our low-intensity scenario 1 and the higher-intensity scenario 2? Finally, what role did uncertainty play in our game?
First, looking at crisis response plans across both scenarios, we noticed patterns of behavior regardless of treatment condition. In particular, in scenario 1, teams were most likely to rely on diplomacy and sanctions while using the military for defensive or hedging means, such as mobilizing forces (instead of launching a counter-attack), fortifying defenses, conducting intelligence and information operations, and to a somewhat lesser extent conducting special forces operations. Many of these games (though not most) also included cyber attacks on civilian (30%) and military targets (40%), as well as nuclear alert (33%). No team in scenario 1 chose to launch a nuclear attack.
Player behavior in scenario 1 generally reflected hedging, or restraint. In describing their desired end state, players often used phrases like “return to status quo”Footnote 61 or “deescalating tension,”Footnote 62 all while “garnering international support.”Footnote 63 In surveys, players used similar language, explaining that they developed crisis strategies with the intent to “return to status quo,”Footnote 64 while focusing on “non-escalation, give diplomacy a chance”Footnote 65 and “immediate conflict de-escalation and invocation of international pressure/intervention.”Footnote 66 Players in the first scenario generally believed that, despite the Other State invasion, the crisis could be managed without significant use of military force. For example, one team explained that they intended to “recapture control of grey zone principally through economic and political pressure while ensuring that other state cannot coerce us or dominate us militarily.”Footnote 67
In this attempt to manage the crisis and avoid escalation, teams focused on information strategies and controlling narratives to garner international support. Players said they “needed international support” and to “increase outreach to international community.”Footnote 68 In their crisis response plans, one team said that they aimed to “create leverage over Other State by having a stronger narrative. ‘Other State intentionally escalated the situation in Gray Region through organizing a riot.’ We set up a campaign of diplomatic pressure, isolate and drain them economically. Military we are merely posturing defensively along the border, we are not (yet) hitting back.”Footnote 69 All of these actions were below the use of force, aiming to deter further aggression, control escalation to more violent uses of conventional military power, and avoid nuclear use. As one player explained in the survey, the team developed their strategy “looking to engage in peaceful/diplomatic discussions first.”Footnote 70 Another team wrote that their desired end state included “retaking Gray Region and returning it to autonomy without us escalating the conflict, avoiding nuclear especially.”Footnote 71 Interestingly, many of the responses also discussed the role of a port in the Gray Zone and its importance to their desired end state. This is remarkable, given that this port is only mentioned in the players’ briefing booklets and is not briefed or highlighted.Footnote 72
As expected, strategies changed in the second scenario. Teams transitioned from hedging strategies to more active measures, including maritime (78%) and air attacks (85%), special forces operations (88%), and increases in cyber attacks on military, civilian, and NC3 targets. As one player explained, “We choose to leverage conventional strikes to alter the balance of power if possible.”Footnote 73 But despite the overall trend toward more active measures, most games still featured some restraint, with only a minority of games (37%) including a counter-invasion of territory. And while nuclear alert increased to 81 percent of the scenario 2 games, only 9 percent featured the use of nuclear weapons. As in scenario 1, teams focused on returning to the status quo, but with a stronger focus on avoiding nuclear use. This sentiment was best illustrated by one of the groups in the August 2019 Naval War College iteration, who wrote in their crisis response plan that they wanted to “defend and take back homeland (inclusive of Gray Region) while reducing loses to civilian lives and military personnel without nuclear impact.”Footnote 74 Players also explicitly identified this desire in surveys. When asked why they chose not to use nuclear weapons in the second scenario, they responded that they “wanted to avoid nuclear use if possible,”Footnote 75 “avoid nuclear war at all cost,”Footnote 76 and “avoid catastrophic losses and deaths.”Footnote 77
Only a minority of teams wanted to change the status quo territorial borders. Few sought either to surrender Gray Region territory or to use the crisis as an opportunity to take Other State territory. Across these desired end states, however, there was a focus on counterforce efforts to disable Other State's ability to use nuclear weapons. Both team response plans and individual surveys spoke often about this desire to destroy the adversary's first strike capability. For example, in one survey, an individual wrote that they intended to use their cross-domain conventional and nuclear capabilities to “create opening to destroy nuclear capabilities.”Footnote 78 While cyber attacks on NC3 were the preferred option for these counterforce attempts, groups also discussed special operations attacks and air strikes (Figure 5).
Nuclear Use
The discussion so far looked at outcomes across groups, but were our treatment and control groups more likely to opt for nuclear alert or nuclear use? Secondarily, did teams with the NC3 exploit use it? And how did having both the exploit and the vulnerability affect these dynamics?
In scenario 1, no team chose nuclear attack, regardless of treatment (Figure 6). However, we did see variance in teams that chose to put forces on nuclear alert. Groups with a cyber exploit were more likely to do so; 38 percent of our groups with both an exploit and a vulnerability chose to, and 41 percent of the exploit-only groups did. This is in contrast to our control and vulnerability groups, with 28 percent of the teams in both these groups electing to put forces on nuclear alert. Thus, contrary to hypotheses that might link cyber vulnerabilities with fear and nuclear alert, in our games it was the cyber exploits that had a larger effect on nuclear alert decisions.
This relationship between cyber exploits and nuclear instability continued in the second scenario (Figure 7). Teams given just the vulnerability were the least likely to put their forces on nuclear alert, while almost 90 percent of the teams with exploits did. The group most likely to use nuclear weapons in the second scenario was the exploit-and-no-vulnerability group (21%); the only other group to use nuclear weapons was the full treatment group with both the exploit and vulnerability (11%). No teams without an exploit used nuclear weapons.
But why would the exploit be more important than the vulnerability to both nuclear alert and nuclear use? Hypotheses about technology and uncertainty would suggest that perceptions of vulnerability lead states to either increase their nuclear readiness or preemptively use nuclear weapons. However, in our game, windows of vulnerability had little impact on preemptive nuclear use and a complicated relationship with nuclear readiness. Indeed, when we asked the players with a cyber vulnerability how it affected what means they used during the game, many indicated that it restrained their nuclear use—evidence for the second (uncertainty and restraint) hypothesis. This was especially the case for groups with a vulnerability and no exploit. Across both scenarios, many of the players in those groups (60% in the first scenario and 48% in the second scenario) believed that cyber vulnerability led to greater nuclear restraint. For example, one asymmetric vulnerability team noted in their response plan that they must “avoid nuclear war if possible as they have access to our C3, but we can't access theirs.”Footnote 79 This was a sentiment we found echoed in the players’ surveys, in which players explained they chose not to use their nuclear weapons because they “thought NC3 might be compromised.”Footnote 80 Another player explained that “we didn't think we'd be able to with their cyber exploit,”Footnote 81 and most succinctly, a player reported that there were “doubts on [whether] our nuclear deterrence was real.”Footnote 82
In contrast, almost none of the response plans indicated that the vulnerability incentivized nuclear use. No crisis response plan tied a team's decision to use nuclear weapons with fear about cyber vulnerabilities. Only a single group with a vulnerability had a majority of players indicate in their surveys that the vulnerability incentivized nuclear use. However, this group had an exploit as well, which the majority of the team also said influenced decisions for nuclear use. Simply put, for the teams given cyber vulnerabilities, uncertainty mattered. But it didn't create preemption or escalation. Instead, it created incentives for restraint.
While cyber vulnerabilities did not create incentives for preemption, they did have a more insidious effect on nuclear stability. To negate the vulnerability, many teams decided to turn to predelegation of nuclear use to lower levels of command, or even to automate nuclear use. Latent within the crisis response plans we found evidence that players were willing to sacrifice safety and control to limit the potential effect of the NC3 vulnerabilities on second strike. Remarkably, players were willing to remove the human from the loop, substituting the uncertainty about the extent of cyber vulnerabilities within NC3 with a (perhaps misplaced) certainty in autonomous nuclear launch decisions. Further, teams suggested that this automation or predelegation could be a deterrent signal, designed to decrease the adversary's confidence in their own NC3 cyber exploit. For example, one team explained that they would “emphasize dead hand orders to our strategic nuclear forces; emphasize preemption is a way of getting them killed as well.”Footnote 83 Another asymmetric vulnerability team wrote that they would “protect our NC3 by disabling to bring to an autonomous level.”Footnote 84 Perhaps most alarmingly, one of the full treatment groups in scenario 1 predelegated nuclear use to lower echelons, and charged these commanders with launching a nuclear retaliation in the case of either nuclear attack or an attack on NC3. The group wrote that they planned to “separate part of our nuclear deterrence from our NC3 system by delegating authority to lower level commanders to mount a nuclear retaliation to either a nuclear attack or successful attack on our NC3, inform Other State of this.”Footnote 85
The role of the cyber vulnerability, versus the exploit, becomes more apparent when looking at survey responses from players asked what role having an NC3 vulnerability played in their response plan (Figure 8). For the teams with no exploit, the vulnerability overwhelmingly incentivized nuclear restraint; almost 60 percent of the teams in the first scenario answered that the vulnerability led to nuclear restraint. Even in scenario 2, most reported that vulnerability incentivized restraint, whether nuclear or cyber. In contrast, teams with the vulnerability and the exploit were less likely to say that the vulnerability led to nuclear restraint, though it did restrain cyber use (especially in scenario 2). When it came to restraint, the vulnerability was more important than the exploit.
Cyber Exploit Use
If cyber vulnerabilities aren't driving nuclear use in these games, what role are the exploits playing? One of the most interesting findings of this game series is how many teams chose to use the NC3 cyber exploit—suggesting that players viewed their capabilities quite differently from their vulnerabilities. They may have been uncertain about their own vulnerabilities, leading to restraint, but they were perhaps overconfident in their cyber capabilities, with dangerous implications for strategic stability.
In scenario 1, 45 percent of the teams with the exploit and no vulnerability chose to use their cyber weapons. By the second scenario, 82 percent of the asymmetric exploit groups chose to use their cyber exploit; 92 percent of the exploit/vulnerability groups did the same. Most remarkably, the exploit was so popular in the second scenario that a little over 30 percent of the groups that were not given a NC3 cyber exploit treatment added the cyber-NC3 exploit into their crisis response plan—many making it a linchpin of the plan. This is all the more fascinating because those who wrote in a NC3 exploit were given no details in the order of battle about the ability or extent of any potential cyber weapon against nuclear targets. Therefore, they were bringing into the game their own beliefs about cyber exploit effectiveness—beliefs that seemed to skew toward overconfidence.
Why was the exploit used so much in the game? For some teams, it countered the NC3 vulnerability. For example, one team with both the exploit and the vulnerability explained they used the exploit because of a concern about their NC3 vulnerability, writing in their crisis plan, “We must assume our NC3 system is compromised; therefore, we will use cyber attack against Other State NC3 to buy time in preventing nuclear attack.”Footnote 86 When we asked players in the survey why they used the exploit, one explained they were motivated by “concern that Other State was about to launch nuclear attack, not deterred by Our State nuclear capability.”Footnote 87 Indeed, many of the dual treatment groups suggested that they felt pressure to use their exploit because of the vulnerability—explaining, for instance, that they needed to “conduct cyber attack on NC3 and military C2 to gain advantage.”Footnote 88 This is a remarkable finding for cyber deterrence, suggesting that (especially in high-stakes scenarios) the threat of cyber vulnerabilities may not be powerful enough to deter cyber attacks.Footnote 89
But deciding to use the exploit was more than just a response to the vulnerability; it was also a covetable counterforce option and a new foreign policy tool for teams to exercise. Often, teams with the exploit viewed the cyber weapon as both a signaling mechanism and a useful counterforce option. As one asymmetric vulnerability exploit team explained, “We are going with the cyber attacks on nuclear C3. Try to keep undercover, but our goal is to show we can defend ourselves.”Footnote 90 Given that Our State and Other State were otherwise symmetrical, the inclusion of the cyber exploit appeared to tip the perceived balance of power in the crisis for many of the teams. This made the cyber exploit a more credible and useful signaling tool and incentivized more assertive counterforce strategies (especially in scenario 2).
Many respondents explained that they chose to use the cyber exploit because it represented a “less escalatory option.” This seems to support suggestions in other cyber literature that cyber operations are viewed differently than conventional military options and are therefore more likely to be used to increase the bargaining space and foreign policy options in crises. Players seemed to believe that cyber operations were less escalatory than other options, particularly because they were considered less visible or more covert. Many teams rationalized that cyber attacks on NC3 might not be attributable (or at least were less likely to be attributed than other means). For example, one team used their NC3 exploit, but stipulated that it was “covert.”Footnote 91 Other teams lumped cyber exploits against NC3 with special operations counterforce missions, perhaps signaling a belief that these operations were similarly less escalatory than air strikes, maritime strikes, or invasions of territory.Footnote 92
Most importantly for the overall crisis outcomes, the cyber exploit appeared to embolden counterforce initiatives, especially for the asymmetric exploit groups. In fact, when we asked players why they chose to use the exploit, the dominant response in both scenarios was that it was part of a counterforce strategy, a “desire to limit Other State's ability to launch a nuclear attack.” When we coded response plans for either cross-domain or cyber counterforce efforts, we found that forty-three teams explicitly discussed counterforce campaigns in the written description of their crisis response plan for scenario 2.Footnote 93 Of those forty-three teams, twenty discussed using the cyber NC3 exploit to counter Other State's nuclear strike capability; nineteen used it with a complementary cross-domain counterforce campaign. Only four said they would conduct cross-domain counterforce against Other State without the cyber exploit, and none of these had been given the NC3 cyber exploit in the game setup. This evidence points to Gartzke and Lindsay's cyber commitment problem and suggests that one of the primary dangers of cyber exploits for nuclear stability is that they create incentives for offensive campaigns in other domains.
This remarkable relationship between the cyber exploit and cross-domain counterforce campaigns was evident throughout the crisis response plans coded for counterforce. For example, one team with an asymmetric exploit treatment said that their crisis response plan in scenario 2 involved “cyber attack on nuclear C3 and come out to them. Give them three hours to move back and leave the territory. Communications to the world that we are pressuring Other State to hold the invasion or else we are going to move with the nuclear attack.”Footnote 94 Other teams explicitly linked the cyber exploit to counterforce campaigns in other domains, sometimes also pairing these cyber attacks on the NC3 with cyber attacks on military and civilian infrastructure. For instance, an asymmetric exploit team developed a crisis response plan that would “employ NC3 cyber attack, use conventional attacks to destroy Other Country's nuclear weapons, then retake lost territory and compel Other Country to surrender.”Footnote 95 Another asymmetric group proposed “cyber attack on N3 combined with air strike on their nuclear capabilities,” while also hedging by placing their forces on “nuclear alert.”Footnote 96 Indeed, in these asymmetric exploit plans, alert seems to be an attempt to prepare for potential adversary retaliation after the emboldened counterforce campaign. One team said they would “(1) Alert nuclear forces to reduce vulnerability to preemption but do not initiate nuclear employment (2) trigger exploit to pressure them.”Footnote 97
Part of why exploits may have led to greater use of counterforce campaigns (or even nuclear use in some groups) is that players tended to believe in the efficacy of the cyber exploit (while sometimes downplaying the vulnerability).Footnote 98 It is extraordinary how much confidence players had in this cyber exploit (especially given that the cyber exploit treatment used the same uncertainty language as the vulnerability treatment). Nowhere was this more evident than in the crisis response plans of teams that were not given the exploit but still wrote it into their crisis response plan. For example, for scenario 2 one control group (no exploit or vulnerability) wrote in their crisis response plan that they would “deter nuclear attack by cyber attack on nuclear C3.”Footnote 99 Another team that had a vulnerability but no exploit centered their whole scenario 2 response plan strategy on exploiting Other State's NC3, proposing to “cut off NC3 and publicly ‘announce’ that every nuclear site including submarines have [autonomic] authority to launch a retaliation strike in case: (a) we are attacked nuclearly, (b) we lose the war.”Footnote 100
That's not to say that cyber exploits were always used. For the minority of teams that chose not to use them, their restraint revealed when and why cyber operations might induce caution for users. While many teams chose to “reserve” the NC3 exploit for scenario 2,Footnote 101 many others cited concerns about adversary nuclear retaliation in response (and a desire to use the exploit later in the crisis). As one dual-treatment group explained, despite having a cyber exploit they chose to “maintain Other State's C3 (to avoid unintended effects).”Footnote 102 Perceptions of cyber asymmetry also mattered, at least in the first scenario. In scenario 1, the percentage of exploit/vulnerability teams that used the exploit was approximately half the asymmetric group. This large delta suggests that having the vulnerability did create incentives for cyber restraint for some groups. Further, when asked about the impact of the vulnerability on their overall crisis response plan, 23 percent of the exploit/vulnerability group in scenario 1 answered that it restrained their cyber use. Thus, while cyber deterrence failed in high-stakes scenario 2, in scenario 1 cyber vulnerabilities deterred some actors from using the exploit.
Conclusion
Our game-based study suggests that an emerging technology, cyber operations, plays a complicated role in nuclear stability—with implications not only for understanding how cyber operations might affect near-term crises, but also for understanding emerging technology and stability decisions. Cyber weapons are an interesting case with which to explore hypotheses about technology and stability because they are known for their uncertainty. Early work suggested that the uncertainty inherent in cyber technologies would lead to security dilemmas, arms races, and potentially even nuclear use. However, the work described here suggests that cyber uncertainty is what players make of it. The uncertainties of cyber vulnerabilities led not to escalation or preemption (hypothesis 1), but instead to restraint (hypothesis 2). Finally, it was certainty about cyber exploit effectiveness (hypothesis 3)—not uncertainty about cyber vulnerabilities—that led to more aggressive counterforce campaigns, nuclear alert, and even in some cases nuclear use. Where cyber uncertainty was dangerous was when it created incentives for strategies—like predelegation or automation—that replaced safety and control with preemption and escalation.
While nuclear restraint was not a direct focus of the research, it is noteworthy how little nuclear use we saw in the game despite scenarios that put the teams right on the brink of nuclear war. The player surveys and response plans provide evidence that in our sample the nuclear taboo remains strong and limits the tendency toward nuclear preemption. As players in a NC3 vulnerability team explained, “The actual firing of nuclear weapons is a Rubicon we did not want to cross first.”Footnote 103 In some situations when a player did advocate for nuclear use, they were overruled by their group—as one individual wrote, “overruled and impeached as head of executive for pushing to use nuclear arsenal.”Footnote 104 Ultimately, the nuclear taboo held in the vast majority of cases, even for asymmetrically vulnerable groups. As one survey respondent mentioned, the players thought about nuclear weapons for “second strike only.”Footnote 105 The continued evidence for the strength of the nuclear taboo is important for those worried that cyber vulnerabilities might exacerbate the security dilemma and incentivize nuclear first strike.Footnote 106
The implications for cyber and other pathways to nuclear use are less comforting. First, though nuclear experts may have believed the nuclear taboo and other norms of nuclear restraint would easily extend to cyber exploits against NC3, our game demonstrates the strong incentives states have to use cyber exploits against NC3, especially when they provide an advantage in an otherwise symmetrical fight. Players who used their NC3 exploit included nuclear and cyber experts, as well as lay citizens and students. The pressure to use the exploit only went up as we increased the intensity of the scenario, and even a reciprocal vulnerability could not alleviate the attraction of the NC3 exploit. What is most interesting is the potential overconfidence in the NC3 exploit. Despite similar hedging language regarding the exploit on the one hand and vulnerability to the exploit on the other hand, players tended to overemphasize the capability and underemphasize the vulnerability. This was unexpected for us, and future work should test how changes in the exploit treatment might affect players’ willingness to use the exploit. It appeared that cyber operations’ being covert, virtual, and perhaps deniable convinced players that this was a low-escalation-risk option, too valuable to leave on the table (especially given the time-sensitive nature of cyber exploits). What this game suggests, at the very least, is that states may value highly effective cyber exploits against NC3 and so will likely attempt to develop the cyber capabilities to attack these systems. If practitioners believe that a norm of restraint regarding cyber attacks on NC3 is important for nuclear stability, they should be aware that it may be difficult to reach.
The relationship between the exploit (especially without the vulnerability) and more aggressive counterforce campaigns is perhaps the most troubling of our findings for nuclear stability. Buoyed by exploit-induced overconfidence, groups with an asymmetric exploit were more likely to opt for air or maritime counterforce strikes. This is part of a larger incentive structure toward counterforce campaigns which is only exacerbated by perceptions of asymmetric cyber advantages.Footnote 107 The ability to temporarily pacify Other State's nuclear capabilities opened a window of opportunity for aggression, a concept explicitly identified in surveys when players spoke of cyber exploits as an “open possibility to disable nuclear forces conventionally.”Footnote 108 Although eventually overruled by their group, another player proposed to “use cyber to remove their second strike capabilities and overwhelm them with our nuke.”Footnote 109 This aligns, at least partially, with Lieber and Press, who found that new capabilities make counterforce viable (or appear viable) and nuclear capabilities appear less assured.
Also of concern is the potential relationship between cyber operations and decisions for predelegation and nuclear alert. Teams with the exploits were more likely to go to nuclear alert, probably as a preemptive hedging response related to their more aggressive planned counterforce campaigns. Groups with the asymmetric vulnerability also had incentives to opt for more dangerous nuclear strategies. The most concerning campaign plans were those that discussed automation, a “dead hand,” or predelegation in response to cyber vulnerabilities—perhaps best illustrated by one survey explanation of how cyber vulnerabilities affected their crisis response plan: that they “incentivized devolution and autonomy of nuclear command. Incentivized de-digitization and movement to analogue NC2.”Footnote 110 Previous research has concluded that decisions to put forces on nuclear alert or to automate nuclear decision making also increase the chance of accidental or inadvertent escalation to nuclear use, so these choices are concerning for nuclear stability.Footnote 111
While this exploration was scoped to explore the impact of cyber operations on a large population's willingness to use nuclear weapons, the game series suggests a series of contextual extensions of this research on the role of expertise or the impact of balance of power. For example, the International Crisis Wargame Series was played over multiple years and with an extremely heterogeneous sample of 580 participants. Future research could disaggregate this population to examine the role of expertise at a much more granular level. How do different cultures, different types of expertise, and different levels of expertise lead to different outcomes or deliberations within the game series?
We also want to highlight the importance of the design choice to focus on strictly symmetrical states. Our game presented players with a strictly symmetric balance of power, varying only cyber exploits and vulnerabilities into NC3. However, we wondered whether asymmetries in power could impact final outcomes. While we couldn't introduce this as a separate treatment in the game series (due to concerns about iteration and sample size), we included a survey question on how players' crisis response plans would change if the adversary were either more or less capable. In scenario 1, most responses suggested asymmetry would increase incentives for conventional attack, though the number fell in scenario 2. Perhaps most interesting for questions about the use and impact of cyber operations in future crises, across both scenarios and more and less capable adversaries, 40 percent or more of respondents believed that asymmetry would have increased their cyber activity. This suggests that cyber operations are perceived as valuable tools for asymmetric conflict (in both directions). More research should explore how asymmetries would affect the impact of cyber vulnerabilities on nuclear crises.
Methodologically, this paper presents one of the first large-N quasi-experimental wargame series. Despite a long history of wargaming in both political science and defense planning, we have very little empirical work on the methodology of wargames—or what makes some games better than others. In the absence of this work, we had to make choices about moves, sides, and abstraction that drew from social-scientific use of experiments. Future work should look at how wargames may differ from pure experiments—including explorations of the impact of immersion, design choices that affect external validity, the role of expertise, and the intervening role of the group on game behaviors and outcomes. We hope that future researchers use wargames not only to shed light on tough empirical questions like the impact of nuclear or cyber weapons, but also to refine methodological choices within wargames.
Most importantly, this game series has implications for states’ choices about NC3 modernization, nuclear strategy, and cyber operations against nuclear-armed adversaries. As states’ NC3 become more digital, more centralized, and more automated it becomes more likely that during crises adversary states will look to NC3 vulnerabilities as an opportunity to shift the balance of power.Footnote 112 Our research suggests there is already a tendency toward overconfidence when it comes to offensive cyber capabilities, and if decision makers believe they have a highly effective exploit against NC3, it could increase the chance of both conventional and nuclear counterforce campaigns. Further, some answers to NC3 vulnerabilities—delegating launch authorities, placing platforms on alert, and automating decision making—are prone to dangerous mistakes. This leaves policymakers in the uncomfortable position of restraining their own use of cyber counterforce for the sake of strategic stability, but having to do so without any real ability to verify whether adversaries are upholding the same norms.
Is there a solution? Can nuclear arsenals just go back to the days of the floppy disk? The answer is not to avoid all digital modernization. It is likely impossible for all cyber vulnerabilities to be mitigated. However, states can invest more in resilient network architectures, limiting centralized hubs, distributing nodes, and creating more linkages and pathways between control loci. By making systems less vulnerable to systemic outages, states may be less confident in their offensive capabilities, deeming it too difficult, too expensive, and not beneficial enough to launch cyber attacks. Our research shows that uncertainty in the cyber context creates incentives for restraint, and so investments in defense and resilience for nuclear networks may increase attacker uncertainty to a point that could disincentivize NC3 exploits. Further, states need to have more pointed discussions about the dangers of automation, digital manipulation, and predelegation. Our research demonstrated the lack of shared norms around digital safety and the dangers of cyber overconfidence; states will need to build shared understandings about these accident and inadvertent-escalation dangers, both in digital modernization and in cyber attacks. Finally, so much of the focus on cyber operations and nuclear stability has been on rational impetuses for preemption, but this research shows how subrational decision making and biases can distort beliefs about crises. This is where cyber is most dangerous, and decision makers should be wary of how cyber threats and capabilities might lead to unexpected pathways for nuclear use.
Data Availability Statement
Replication files for this article may be found at <https://dataverse.harvard.edu/dataset.xhtml?persistentId=doi:10.7910/DVN/KHXMM6>.
Supplementary Material
Supplementary material for this article is available at <https://doi.org/10.1017/S0020818323000115>.
Acknowledgments
We thank the Naval War College, Hoover Institution, Naval Postgraduate School, Tufts University, Georgetown University, Harvard Belfer Center, Sandia National Laboratories, and CSIS for contributing time and participants for this research. We also thank the anonymous reviewers, Erik Lin-Greenberg, Reid Pauly, Peter Dombrowski, Andrew Winner, Andrew Reddie, and members of MIT SSP, Stanford CISAC, and the Middlebury Institute for helpful comments on earlier drafts. Portions of this research were approved under protocol 53626 by Stanford University's Institutional Review Board.