The New MAD World: A Cold War Strategy for Cyberwar

Many will argue that cyber MAD is a bad idea. Here's why they're wrong.

First of all, we must acknowledge that you cannot eliminate cyber-crime. It is a feature of the digital world, and must be countered like other criminal acts. While the United States could make it a policy to fight state-sponsored cyber-crime with economic sanctions, that may bring more harm than good. Efforts like data encryption, cyber hygiene, and criminal penalties are available now to address cyber-crime. Cyber espionage will also prove difficult to completely eliminate, and there is no silver-bullet solution for it. The most intriguing area where solutions are plausible is in dealing with potential cyber-attacks.

From a societal perspective, it is time to realize that the digital world has become as important to us as the air we breathe, the land we inhabit, and the water we drink. While no society can tolerate the pollution or fouling of air and water that would cause massive loss of life or property, cyber-attacks have the potential to cross the digital divide and do just that.

Because American society is so dependent on the digital world, an attack on our cyber infrastructure could lead to destruction of our physical infrastructure. Stuxnet provides one example of how a malicious virus can create physical destruction. Such attacks must be considered an act of war. As an act of war that portends the widespread loss of life or property, such an attack could, in many instances, be deterred by the threat of a military retaliatory response.

Since the United States has the ability to deter physical attacks on the country, what if anything is missing in the cyber realm? The solution can be found in the components of nuclear deterrence.

First, the ability to ascertain the attacker’s identity is paramount. Contrary to those who suggest that the “cyber attribution challenge” is difficult if not impossible to overcome, Pano Yannakogeorgos offers a framework that could assist policymakers in making carrot and stick decisions based on a state’s involvement in cyber-enabled malicious activities that originate in or transit through its borders. Such norm enforcement could induce states to take a more active role in preventing acts of cyber-attack from originating within their borders—unless those acts are specifically state sponsored.

The United States and the Soviet Union were able to both prevent unauthorized access/use of nuclear weapons and develop space-based and forensic capabilities that allowed for understanding where a nuclear attack originated. This system of capabilities, since it allowed for a timely response, is one of the things that cannot be attacked without triggering a retaliatory response. While cyber is not quite there, we are getting closer, as exemplified by the indictments of five PLA officers for cyber-crimes. When we have a system of capabilities in place, a clear declaratory policy that holds states responsible for any cyber-attacks against the United States launched from their soil would go a long way toward forcing states to take responsibility for the cyber activities of those within their borders.

It is also plausible that designing such a system could be part of the internet infrastructure itself. A set of internationally recognized norms could clearly define large scale cyber-based attacks as “crimes against humanity,” thus permanently building in identification of cyber-attacks that target infrastructure. At a minimum, the United States should be able to establish such a policy at much less cost than that required to secure all infrastructure from attack, which is probably impossible anyway.

Second, a policy would have to state that any cyber-attack against the United States that has the intent to kill or destroy property will be met by the United States’ full retaliatory capability—cyber, conventional, and nuclear. The great thing about this is that it costs nothing. The current DoD budget certainly packs enough punch to let any would-be adversary know that such a claim can be backed up.

Where Does This Leave Cyber Security?

In the coming decades the United States government and private sector will spend in excess of a trillion dollars on cyber security. Some spending is needed, but in light of other approaches to dealing with cyber threats, perhaps there is another way. The ease with which hobbyist, criminal, and state-sponsored hackers can infiltrate complex computer systems with millions or billions of dollars’ worth of advanced cyber security indicates that we are not on an economically sustainable path. It would be better that we deter a would-be cyber-attack on the country through a declared policy of mutually assured destruction, and spend the money we would have spent on impenetrable cyber defenses elsewhere. Granted, a cyber-MAD policy will not solve the cyber-crime or cyber-espionage problem, but like its nuclear counterpart, it should go a long way to deterring destructive cyber-attacks against the United States.

There are those who will suggest that a MAD policy for cyberspace is a bad idea. Just as arms manufacturers in the 1960s opposed MAD because it called for not building the weapon systems needed to defend against a Soviet attack, cyber-security firms will oppose a cyber MAD policy. Cyber security is big business. The media also thrives on the sordid details of high profile cyber intrusions. However, it is time we set such concerns aside and take a new look at an old problem. What we are currently doing is not working.

Colonel Robert Spalding, PhD (USAF) was an Air Force Fellow at the Council on Foreign Relations and flew the B-2 bomber. Dr. Adam Lowther was a petty officer in the U.S. Navy and serves as a research professor at the Air Force Research Institute.
