The New MAD World: A Cold War Strategy for Cyberwar

Many will argue that cyber MAD is a bad idea. Here's why they're wrong.

In his memoir, retired U.S. Air Force Lieutenant General Glenn Kent details how he and a team of researchers at the RAND Corp developed the concept of Mutually Assured Destruction (MAD) in the early 1960s. As Kent tells the story, his team of researchers was tasked with identifying those systems the Department of Defense (DoD) should invest in to protect the population from Soviet nuclear weapons. The choices ranged from expensive ballistic missile defenses to inexpensive civil defense programs—those that taught children to hide under their desks, for example.

To ensure that 70 percent of Americans would survive a Soviet attack, Kent’s team calculated it would cost $28 billion in 1964 and similar sums in the years thereafter. At that time, the defense budget was $300 billion, making the cost of defending against Soviet attack significant. Here’s the rub: when the Soviets found out what we were doing, they understood that they could increase their offensive capability and impose a 2:1 cost ratio on the United States if we sought to match them with additional defenses. That means for every two dollars of defense, the enemy only had to spend one dollar on offense to defeat it. If we wanted to protect 90 percent of the American population, it became an astronomical 6:1 ratio.

Thus MAD ultimately became American policy not because President Lyndon Johnson was a foolish or heartless president, but because he understood that building an effective nuclear defense would bankrupt the nation. Our official policy said that a nuclear strike against the United States would be met with an overwhelming retaliatory second strike. With some degree of certainty, we can say that MAD was an effective approach to deterring nuclear adversaries. While not in name, MAD still remains the bedrock of nuclear deterrence even to the present.

The Cyber Challenge

In looking at defending the United States against cyber-crime, cyber espionage and cyber-attack today, the economic dynamics of cyber defense are even worse. While nailing down the exact cost for all government and private sector cyber defenses—particularly the cost for effective cyber defense—in the United States is difficult, what we do know is that Cyberspace Operations accounted for $5.5 billion in the president’s FY16 budget request. Most likely this does not account for all DoD expenses, as budgets are fragmented. It is also important that we distinguish between cyber-crime, something that will continue to be a feature of the cyber domain, cyber espionage, and cyber-attack, which could disrupt physical infrastructure and thereby endanger property and lives.

If media accounts are to be believed, cyber-espionage, as it relates to the federal government, involves the theft of vast quantities of information ranging from confidential to top secret documents stolen from government networks over the past decade by both insiders and outsiders—with Bradley Manning, Edward Snowden, and the five Chinese PLA officers indicted for espionage among the many examples.

The private sector is in even worse shape and faces a challenge from both cyber-crime (credit card data, customer info, etc.) and cyber espionage (plans for advanced weapons systems, for example). According to the Computer Security Institute’s latest survey, 90 percent of respondents detected computer intrusions in their corporate networks within the last twelve months and 80 percent acknowledged financial losses. Of the 44 percent of respondents (223 companies) who provided data on the value of financial losses, those losses were valued at almost $450,000,000. Other estimates suggest American companies have lost up to four trillion dollars of intellectual property to Chinese hackers alone. This says nothing of what state and non-state sponsored hackers could do if they sought to destroy rather than steal.

If the focus were on destruction rather than theft or espionage, we could look at the number of infrastructure systems that monitor and control everything from railways, to power plants, to water treatment facilities, to hospitals and see that the numbers are staggering and the potential property damage and loss of life are significant. A number of studies have repeatedly suggested that America’s infrastructure is in extreme danger from a catastrophic cyber-attack. The cost of effectively securing all of these cyber-reliant systems is staggering and would require expenditures many magnitudes greater than what we see within the Department of Defense or the private sector.

Yet, in spite of this known danger, we are plowing ahead into a digital future. Our digitally enabled knowledge economy is improving lives and solving major problems for the world’s population and it is powered by technological leaps like those that spawned “Moore’s Law.” That means that while cyber defenders play catch-up to defend systems we already use (and that were not built with security as a paramount concern), new systems are being added even faster. Each comes with its own cyber defense challenges. Unfortunately, there is no one-size-fits-all solution that will make cyber-crime, cyber espionage, and cyber-attack obsolete, as it was believed President Ronald Reagan’s Strategic Defense Initiative could possibly do to the Soviet nuclear arsenal. The bottom line is rather straightforward: these cyber challenges are here to stay.

The Cyber Solution–Deterrence