Crossroads Blog | CYBER SECURITY LAW AND POLICY

Cyberwar, National Security

In an Asymmetrical World: Mutually Assured Destruction Means Developed Nations are Disadvantaged

According to an article by Niall Ferguson which appeared in the Boston Globe, we are currently in a state of Cyber War.  This article, entitled “Cyber War I Has Already Begun,” discusses the the Russian hacks surrounding election time in the United States and posits that the largest issue is not whether or not Russia was able to affect the outcome of the election but rather the fact that Russian hackers were able to launch cyber incursions effectively unchecked.

The article quotes Adm. Michael S. Rogers (head of the National Security Agency and US Cyber Command), as saying that “[The Nation is] … at a tipping point.”  Cyber-centric threats are now number one on the Director of National Intelligence’s (DNI) list, the article further states that the Pentagon reports over 10M intrusion attempts per day.  The full text of the article is here.


<opinion>

Thus, the concept of mutually assured destruction (MAD) which has its roots in cold-war nuclear rhetoric is unlikely to prove reliable to maintain any sort of status quo.  Under MAD, nuclear-capable Nations all realized that given the number of nuclear weapons within arsenals throughout the world that any nation that launched a nuclear attack would receive an in-kind response which would trigger additional attacks and counter-attacks which would ultimately result in global thermonuclear war with mankind itself being the ultimate loser.  Due to the fact that the barriers to entry into the  “nuclear-club” were so high and required extensive research and development which could only be funded and maintained in an advanced nation-state context MAD both in theory and as applied prevented the use of nuclear devices in a post World-War II context.

However, those same barriers to entry do not exist in the realm of cyber and thus it is both likely and possible that bad actors who are not necessarily supported by a nation-state could initiate a cyberattack against a developed nation’s cyber resources and in such a scenario the concept of MAD is meaningless given the lack of symmetry.  For instance, while the US could arguably cripple Chinese or Russian infrastructure (and they could, in turn, do the same to the US), no similar offensive could be launched against a single person or even a group of hackers with no direct nation-state ties (obviously a kinetic operation could be launched against either type of group, however that raises a whole other set of issues especially if the only “offense” was cyber in nature).

In short, these are scary times and we may want to consider the relevance of smaller groups or factions that operate outside the context of a traditional nation-state and thus any virtual or kinetic offensive operations launched against such groups may be limited in both reach and effect.  This is somewhat analogous to the early American raids against the British Regular Army, with small incursions designed to hit-and-run, maximize impact and minimize exposure. Thus, a numerically inferior force may wreak havoc amongst a far larger force which does not bode well for the developed world in the realm of cyber.  If this maxim holds true then we will continue to face cyber attacks from a wide-ranging base of potential bad actors, all of whom may find solace in the fact that even if we solve the issue of attribution, retribution will be muted given the nature of the target (and the fact that a group/persons do not possess critical infrastructure or other such target-rich entities).

This should concern all of us, since a lack of a MAD-inspired détente means the world is full of potential threats, many of which have no regard for the cyber or kinetic capabilities of so-called Superpowers. Consequently, as the article quoted Robert Morris Sr., the only “safe” computing device is one that is not in use and is in fact not even powered on (of course Morris, may not have fully factored in the smartphone and IoT variants as some of these devices may continue to be insecure even when powered off by a user).  There may therefore be no such thing as a “safe” computing device — users beware.

Leave a Reply