The New MAD World: A Cold War Strategy for Cyberwar
In his memoir, retired U.S. Air Force Lieutenant General Glenn Kent details how he and a team of researchers at the RAND Corp developed the concept of Mutually Assured Destruction (MAD) in the early 1960s. As Kent tells the story, his team of researchers was tasked with identifying those systems the Department of Defense (DoD) should invest in to protect the population from Soviet nuclear weapons. The choices ranged from expensive ballistic missile defenses to inexpensive civil defense programs—those that taught children to hide under their desks, for example.
To ensure that 70 percent of Americans would survive a Soviet attack, Kent’s team calculated it would cost $28 billion in 1964 and similar sums in the years thereafter. At that time, the defense budget was $300 billion, making the cost of defending against Soviet attack significant. Here’s the rub, when the Soviets found out what we were doing, they understood that they could increase their offensive capability and impose a 2:1 cost ratio on the United States if we sought to match them with additional defenses. That means for every two dollars of defense, the enemy only had to spend one dollar on offense to defeat it. If we wanted to protect 90 percent of the American population it became an astronomical 6:1 ratio.
Thus MAD ultimately became American policy not because President Lyndon Johnson was a foolish or heartless president, but because he understood that building an effective nuclear defense would bankrupt the nation. Our official policy said that a nuclear strike against the United States would be met with an overwhelming retaliatory second strike. With some degree of certainty, we can say that MAD was an effective approach to deterring nuclear adversaries. While not in name, MAD still remains the bedrock of nuclear deterrence even to the present.
The Cyber Challenge
In looking at defending the United States against cyber-crime, cyber espionage and cyber-attack today, the economic dynamics of cyber defense are even worse. While nailing down the exact cost for all government and private sector cyber defenses—particularly the cost for effective cyber defense—in the United States is difficult, but what we do know is that Cyberspace Operations accounted for $5.5 Billion in the president’s FY16 budget request. Most likely this does not account for all DoD expenses, as budgets are fragmented. It is also important that we distinguish between cyber-crime, something that will continue to be a feature of the cyber domain, cyber espionage, and cyber-attack, which could disrupt physical infrastructure and thereby endanger property and lives.
If media accounts are to be believed, cyber-espionage, as it relates to the federal government, involves the theft of vast quantities of information ranging from confidential to top secret documents stolen from government networks over the past decade from both insiders and outsiders—with Bradley Manning, Edward Snowden, and the five Chinese PLA officers indicted for espionage among the many examples.
The private sector is in even worse shape and faces a challenge from both cyber-crime (credit card date, customer info, etc…) and cyber espionage (plans for advanced weapons systems, for example). According to the Computer Security Institute’s latest survey[ZK1] , 90 percent of respondents detected computer intrusions in their corporate networks within the last twelve months and 80 percent acknowledged financial losses. Of the 44 percent of respondents (223 companies) who provided data on the value of financial losses, those losses were valued at almost $450,000,000. Other estimates suggest [ZK2] American companies have lost up to four trillion dollars of intellectual property to Chinese hackers alone. This says nothing of what state and non-state sponsored hackers could do if they sought to destroy rather than steal.
If the focus were on destruction rather than theft or espionage, we could look at the number of infrastructure systems that monitor and control everything from railways, to power plants, to water treatment facilities, to hospitals and see that the numbers are staggering and the potential property damage and loss of life are significant. A number of studies have repeatedly suggested that America’s infrastructure is under extreme danger from a catastrophic cyber-attack. The cost of effectively securing all of these cyber-reliant systems is staggering and would require many magnitudes greater expenditures than what we see within the Department of Defense or the private sector.
Yet, in spite of this known danger, we are plowing ahead into a digital future. Our digitally enabled knowledge economy is improving lives and solving major problems for the world’s population and it is powered by technological leaps like those that spawned “Moore’s Law.” That means that while cyber defenders play catch up to defend systems we already use (and were not built with security as a paramount concern), new systems are being added even faster. Each comes with its own cyber defense challenges. Unfortunately, there is no one size fits all solution that will make cyber-crime, cyber espionage, and cyber-attack obsolete, as it was believed President Ronald Reagan’s Strategic Defense Initiative could possibly do to the Soviet nuclear arsenal. The bottom line is rather straight forward; these cyber challenges are here to stay.
The Cyber Solution–Deterrence
First of all we must acknowledge that you cannot eliminate cyber-crime. It is a feature of the digital world, and must be countered like other criminal acts. While the United States could make it a policy to fight state-sponsored cyber-crime with economic sanctions, that may bring more harm than good. Efforts like data encryption, cyber hygiene, and criminal penalties are available now to address cyber-crime. Cyber espionage will also prove difficult to completely eliminate and offers no solutions that are a silver bullet. The most intriguing area where solutions are plausible is in dealing with potential cyber-attacks.
From a societal perspective, it is time to realize that the digital world has become as important to us as the air we breathe, the land we inhabit, and the water we drink. While no society can tolerate the pollution or fouling of air and water that would cause massive loss of life or property, cyber-attacks have the potential to cross the digital divide and do just that.
Because American society is so dependent on the digital world, an attack on our cyber infrastructure could lead to destruction of our physical infrastructure. Stuxnet provides one example of how a malicious virus can create physical destruction. Such attacks must be considered an act of war. As an act of war that portends the widespread loss of life or property, such an attack could, in many instances, be deterred by the threat of a military retaliatory response.
Since the United States has the ability to deter physical attacks on the country, what if anything is missing in the cyber realm? The solution can be found in the components of nuclear deterrence.
First, the ability to ascertain the attacker’s identity is paramount. Contrary to those who suggest that the “cyber attribution challenge” is difficult if not impossible to overcome, Pano Yannakogeorgos offers a framework that could assist policymakers in making carrot and stick decisions based on a states’ involvement in cyber-enabled malicious activities that originate or transit through their borders. Such norm enforcement could induce states to take a more active role in preventing acts of cyber-attack from originating within their borders—unless those acts are specifically state sponsored.
The United States and the Soviet Union were able to both prevent unauthorized access/use of nuclear weapons and develop space-based and forensic capabilities that allowed for understanding where a nuclear attack originated. This system of capabilities, since it allowed for a timely response, is one of the things that cannot be attacked without triggering a retaliatory response. While cyber is not quite there, we are getting closer, as exemplified by the indictments of five PLA officers for cyber-crimes. When we have a system of capabilities in place, a clear declaratory policy that holds states responsible for any cyber-attacks against the United States launched from their soil would go a long way toward forcing states to take responsibility for the cyber activities of those within their borders.
It is also plausible that designing such a system could be part of the internet infrastructure itself. A set of internationally recognized norms that clearly define large scale cyber-based attacks as “crimes against humanity,” thus permanently building in identification of cyber-attacks that target infrastructure. At a minimum, the United States should be able to establish such a policy at much less cost than that required to secure all infrastructure from attack, which is probably impossible anyway.
Second, a policy would have to state that any cyber-attack against the United States that has the intent to kill or destroy property will be met by the United States’ full retaliatory capability—cyber, conventional, and nuclear. The great thing about this is that it costs nothing. The current DoD budget certainly packs enough punch to let any would-be adversary know that such a claim can be backed-up.
Where Does This Leave Cyber Security?
In the coming decades the United States government and private sector will spend in excess of a trillion dollars on cyber security. Some spending is needed, but in light of other approaches to dealing with cyber threats, perhaps there is another way. The ease with which hobbyist, criminal, and state-sponsored hackers can infiltrate complex computer systems with millions or billions of dollars’ worth of advanced cyber security indicates that we are not on an economically sustainable path. It would be better that we deter a would-be cyber-attack on the country through a declared policy of mutually assured destruction, and spend the money we would have spent on impenetrable cyber defenses elsewhere. Granted a cyber-MAD policy will not solve the cyber-crime or cyber-espionage problem, but like its nuclear counterpart, it should go a long way to deterring destructive cyber-attacks against the United States.
There are those who will suggest that a MAD policy for cyberspace is a bad idea. Just as arms manufacturers in the 1960s opposed MAD because it called for not building the weapon systems needed to defend against a Soviet attack, cyber-security firms will oppose a cyber MAD policy. Cyber security is big business. The media also thrives on the sordid details of high profile cyber intrusions. However, it is time we set such concerns aside and take a new look at an old problem. What we are currently doing is not working.
Colonel Robert Spalding, PhD (USAF) was an Air Force Fellow at the Council on Foreign Relations and flew the B-2 bomber. Dr. Adam Lowther was a petty officer in the U.S. Navy and serves as a research professor at the Air Force Research Institute.
Image: Flickr/Georgia National Guard