Deterrence under Uncertainty
Artificial Intelligence and Nuclear Warfare
by Edward Geist, 2023, Oxford University Press
Edward Geist, a policy researcher at the RAND Corporation who has written widely on Soviet and post-Soviet nuclear thinking, uses Deterrence under Uncertainty to ask what happens when machine learning meets the most consequential military system humans have ever built. The book is a working manual for thinking about AI inside the nuclear enterprise, written for people who already know the shape of deterrence theory and want to test it against a new generation of code.
Geist’s central argument is that the conversation has been miscast. Public debate tends to swing between two cartoons: a Skynet that seizes the launch codes, or a benign optimiser that makes early warning more reliable. Geist argues the real problem is epistemic. Nuclear deterrence rests on adversaries forming roughly accurate beliefs about each other’s capabilities and resolve, and modern machine-learning systems are unusually bad at making their own behaviour legible. When the inputs that feed a deterrent posture become opaque, brittle, or spoofable, the whole structure wobbles even if no algorithm ever fires a weapon.
The book walks through the places this matters in practice. Geist examines the long lineage of computers inside the nuclear command chain, from the SAGE air-defence network through the Soviet Perimeter system often called Dead Hand, to today’s proposals for AI-assisted decision support, automated target recognition, and pattern-of-life analysis fed by satellite imagery. He picks apart the false-alarm incidents that have already shaped doctrine, including Stanislav Petrov’s 1983 judgement call and the NORAD training-tape episode, and asks how those moments would have unfolded if the human in the loop had been working alongside an opaque classifier. He surveys the new tools that could erode the survivability of second-strike forces, in particular the prospect that machine learning applied to remote sensing might one day make ballistic-missile submarines and road-mobile launchers easier to find. He also treats adversarial machine learning seriously, noting that a deterrent posture which depends on a model an opponent can fool is not actually a deterrent.
The book sits at the intersection of strategic studies and applied AI policy, and what marks it out is its refusal of easy positions. Geist does not call for a ban on military AI, nor does he promise that automation will stabilise the balance. He treats the question as a problem in managing uncertainty under conditions where every actor is also trying to manage uncertainty about everyone else. For readers in defence ministries, arms-control offices, and the laboratories now selling autonomy into command-and-control programmes, Deterrence under Uncertainty is the kind of book that resets the vocabulary of the debate before any specific procurement decision gets made.
Edward Geist works at the RAND Corporation, where his earlier research focused on Soviet and post-Soviet nuclear history — including a book on the civil-defence programmes the United States and the USSR built against each other during the Cold War. Deterrence under Uncertainty: Artificial Intelligence and Nuclear Warfare, published by Oxford University Press in 2023, takes that historical grounding and turns it on a question that had been moving from think-tank panels into doctrinal documents through the late 2010s and early 2020s: what does the machine-learning revolution mean when the system in question is the one that ends civilisation if it fails?
The book arrives into a crowded conversation. Vincent Boulanin’s SIPRI volumes on AI and strategic stability, Paul Scharre’s Army of None and later Four Battlegrounds, James Johnson’s work on AI and crisis stability, Andrew Futter’s writing on cyber threats to nuclear command and control, and a stream of arms-control papers from the Nautilus Institute and the Stockholm group had already mapped the rough terrain. What separates Geist’s contribution is the angle of attack. He approaches the problem as a historian and a technologist at once, less interested in predicting whether some future AI will start a war than in asking what kinds of mistakes a partially automated nuclear posture is prone to make, and why those mistakes are harder to anticipate than the older catalogue of false alarms suggests.
Geist’s central argument is that the debate about AI and nuclear weapons has been miscast. Public discussion tends to oscillate between two cartoons: an autonomous system that seizes the launch codes in some self-directed apocalypse, and a benevolent optimiser that makes early warning more accurate and reduces the chance of miscalculation. Geist argues the real problem lies underneath both pictures, and it is epistemic. Nuclear deterrence has always depended on adversaries forming roughly accurate beliefs about each other’s capabilities, intentions, and resolve. The credibility of the threat — what makes deterrence work at all — is a function of legibility. Each side has to be able to read the other’s posture well enough to know what would provoke retaliation and what would not. Modern machine-learning systems are unusually bad at making their own behaviour legible. They are pattern-matchers built on training data, often opaque even to their operators, and frequently brittle in ways their developers do not detect until something has gone wrong. When the inputs that feed a deterrent posture become opaque, brittle, or spoofable, the architecture of deterrence wobbles even if no algorithm ever fires a weapon.
The book is organised to lead the reader through this argument by way of history before pressing on the present. Early chapters set out the long lineage of computers inside the nuclear command chain. Geist traces it back to SAGE, the Semi-Automatic Ground Environment radar network the United States built in the 1950s to coordinate air defence against Soviet bombers — a machine that filled an entire building, drew enormous quantities of power, and pioneered ideas about real-time data fusion that would later shape every command-and-control system to follow. He moves through the development of the Ballistic Missile Early Warning System, the integration of computing into Strategic Air Command, and the parallel Soviet investments in automated detection and the eventual creation of the Perimeter system in the 1980s — the so-called Dead Hand, designed to ensure that a Soviet nuclear response could still be launched after a decapitating strike on Moscow. Each of these systems automated some part of the chain, and each produced incidents that taught operators to distrust the machines as much as they relied on them.
Those incidents form the connective tissue of the early book. Geist returns repeatedly to the canonical false alarms — the 1979 NORAD episode in which a training tape was loaded into a live early-warning computer, the 1980 incident in which a faulty 46-cent chip generated phantom warheads on American displays, and most famously the September 1983 case in which Soviet duty officer Stanislav Petrov decided that the five missiles his Oko satellite system had flagged were a system error rather than the opening of an American first strike. Petrov’s judgement, Geist points out, was not the product of a procedure; it was the product of a man pattern-matching against the implausibility of a five-missile attack and choosing to take the risk that his system was lying to him. The question Geist puts to the reader is what that judgement looks like in a future where the screen in front of the duty officer is the output of an opaque classifier rather than a deterministic signal-processing chain. If Petrov had been looking at a high-confidence detection from a neural network, with no clear way to interrogate why the model was so certain, the human-in-the-loop framing that the policy community has clung to for forty years may not actually do the work it is asked to do.
From these historical foundations the book moves into current proposals. Geist surveys the now-routine pitches for AI-assisted decision support inside command centres, for automated target recognition in counterforce planning, for pattern-of-life analysis built on satellite imagery, and for autonomy in delivery platforms ranging from cruise missiles to underwater vehicles. He treats the United States Department of Defense’s broader push into machine learning — including the Joint Artificial Intelligence Center, Project Maven’s image-recognition work, and the various Joint All-Domain Command and Control efforts to fuse sensors across services — as the conventional-warfare ancestor of what is now being proposed for the nuclear enterprise. The book is careful here. Geist does not claim that anyone in Washington, Moscow, or Beijing is currently delegating nuclear release authority to a model. The argument is subtler: that the same pressures which drove automation deeper into conventional command-and-control — speed, data volume, the difficulty of finding qualified analysts — will drive it into nuclear systems in ways that may not be visible until something goes wrong.
Two threads receive particular attention. The first is the survivability of second-strike forces. The whole edifice of mutual assured destruction depends on each side believing that some meaningful portion of the other’s retaliatory force would survive a first strike. Ballistic-missile submarines on patrol and road-mobile intercontinental missiles in remote terrain are the two systems most relied upon to provide that assurance. Geist takes seriously the prospect that machine learning applied to remote sensing — synthetic-aperture radar from orbit, persistent surveillance from constellations of small satellites, oceanographic models trained on bathymetric and acoustic data — could erode the assumption that those forces are hidden. He does not predict that submarines will become trivially detectable next year. He argues instead that the perception of detectability matters as much as the reality, because deterrent posture is built on belief; if either side comes to believe its retaliatory force is at risk, the incentives to launch early grow regardless of what the underlying physics says.
The second thread is adversarial machine learning. A deterrent posture that depends on a model an opponent can fool is not actually a deterrent. Geist walks through the research literature on adversarial examples, data poisoning, and model evasion, and asks what it would mean if a sensor-fusion algorithm responsible for distinguishing decoys from real warheads could be reliably tricked by an adversary that understood its training data well enough. The implications cut both ways: defenders can poison their own training pipelines and force opponents to make assumptions that turn out to be wrong, while attackers can do the same in reverse, and neither side can be sure which game it is playing on any given day. This, Geist argues, is the territory that the next generation of nuclear-strategic competition will play out on, and very little of the existing arms-control vocabulary is well equipped to describe it.
The book closes with chapters that turn from the technical to the institutional. Geist surveys the arms-control conversations underway at the United Nations, the work of the Group of Governmental Experts on autonomous weapons, the various Track II dialogues between American and Chinese researchers, and the question of whether any formal agreement on AI in nuclear command and control is plausible in the present geopolitical climate. His assessment is sober. The verification problems that have always plagued nuclear arms control are amplified by AI, because what needs to be verified is now not just the number of warheads or the throw-weight of a missile but the behaviour of software systems that none of the signatories wants to expose. The book does not propose a treaty or a moratorium. It argues, more modestly, that the people who design and deploy these systems should be honest about what they cannot prove, and that the people who write doctrine around them should not assume that the human-in-the-loop language of the 2010s will continue to do meaningful work.
Reception in the strategic-studies field has been broadly serious. Deterrence under Uncertainty has been read alongside James Johnson’s AI and the Bomb, which appeared in the same period, and the two books are often paired as the technical-and-doctrinal entry points into the topic — Johnson tends to push harder on the escalation-dynamics side, where Geist sticks closer to the question of what the technology actually does and does not do. Reviewers from the arms-control community have welcomed the refusal to grandstand, while a few have pushed back that Geist is too cautious about prescription, noting that policymakers want to know what to do, not only what to worry about. From the technical side, machine-learning researchers have noted that the treatment of model brittleness is accurate without being alarmist, which is not always how this material is rendered when it is translated for a strategic-affairs audience. The book sits comfortably on reading lists at the Naval War College, at King’s College London’s defence-studies programme, and inside the RAND library where it was written.
For someone working through the literature on AI in war today, Deterrence under Uncertainty plays a particular role. It is the book that resets the vocabulary of the debate before any specific procurement decision gets made. It pairs well with Scharre’s Army of None — which covers autonomous conventional weapons and is the obvious place to start — and with the Boulanin volumes from SIPRI, which provide more comprehensive technical surveys but less narrative drive. It does not cover the conventional drone war in Ukraine, the use of commercial AI by non-state actors, or the question of whether large language models change anything material about command-and-control; readers looking for that material need to go elsewhere. What Geist offers is depth rather than breadth: a careful study of one domain where the stakes of getting it wrong are highest, written by someone who understands both the technology and the history of the people who built the systems being modified.
What is likely to age well in the book is the framing — the insistence that the problem is epistemic, that legibility is the load-bearing virtue of deterrence, and that machine learning’s opacity is therefore the structural threat. That argument does not depend on any particular system being fielded. What is likely to age less well are the specific technical references, which were already moving when the book went to press and have moved further since. The deeper claim — that nuclear stability has always rested on shared understanding, and that automation can corrode shared understanding faster than it can correct it — looks set to outlast the current generation of models entirely, and probably the next one too.