Cyberwarfare and Deterrence
It is tempting to consider the dominant strategy of cyberwarfare as roughly analogous to that of mutually assured destruction. After all, global supply chains are such that computers across the world will have parts of widely varied provenance. American-written operating systems, Thai-fabricated microchips, Chinese-assembled circuit boards, pre-installed software of god-knows-what origin, and of course ubiquitous Internet access guaranteeing that every computer is exposed to a constant blast of malware from across the world. The probability that there are logic bombs, back doors, and kill switches hidden in every bit of the modern computing world is…unknowable, but I’d be more surprised if that weren’t the case. This is in addition to the formal “cyberwarfare” units incorporated in the militaries of at least 20 nations ranging from the US to Russia to France to North Korea (yes, really). Presumably all of these nations could do extremely serious strategic-level damage to each other. So they don’t, because of MAD.

Having thought it through, I think this is bunk. There are two major factors driving the game-theoretical problem here.
Problems of Attribution: A strategic cyber attack doesn’t have a trivially obvious source the way that an ICBM does. It’s fairly easy to completely obscure the source of an attack, and the proximate source doesn’t necessarily give the attacked any useful information as to the source. For example, I personally suspect a large amount of the cyberespionage emanating out of China has approximately nothing to do with Chinese surveillance. For example, the Israelis have a large and active intelligence operation targeting the United States and are well aware that the Pentagon is naturally looking to China first as a “cyber adversary”. So…where should Mossad look to establish botnets for targeting the US?*
While the “mutual destruction” part of MAD seems possible, there is at least one key assumption for MAD that is missing here, the idea that agents will be able to identify and retaliate against hostile action. But that actually isn’t the most severe problem for analogizing cyberwarfare to nuclear threats…just look back at the previous sentence. Who is an “agent” here?
Proliferation Run Amok: The most relevant difference from the MAD paradigm is that thousands of actors across the globe have access to weapons of mass destruction. If that sounds alarmist, let me assure you – it sounds that way because it is alarming. The United States military can wreak strategic, society-crippling damage on an adversary with computer viruses – so can a bunch of Russian teenagers huddled over laptops in a basement in Ekaterinburg. It may sound ridiculous, but some combination of Russian intelligence and netizen Fifth Columnists has done just that to Estonia and Georgia.
Nation-states cannot hope to control their cyber-brigades. In fact, they are to some degree vulnerable to them – China’s PSB would be helpless to exert prior restraint if some angry netizens took down Japan’s network backbone tomorrow. They could find and punish, probably, but no prior restraint. The computer revolution puts a weapon of mass destruction in the hands of every world citizen who cares to learn how to use it.** Even if we grant world leaders the assumption of rationality, we are moving towards a world where foreign policy can be effectively held hostage by the most extreme elements that are able to recruit skilled hackers. I don’t think deterrence can hold up under those assumptions.
So we have two compelling reasons why cyberwarfare should be impossible to deter, and can cause significant harm. So the question of why it’s not happening becomes a key mystery, from a game-theoretical perspective. Some hypotheses:
- It happens all the time, on a sub rosa level.
- Cybersecurity is substantially better than is widely believed.
- Anyone sufficiently skilled is picked up by the “pros”.
- Hacker communities are terrified of foreign retaliation.
- Hacker communities are terrified of their national law enforcement.
- Key strategic systems like power grids are sufficiently primitive to provide the protection of backwardness.
- There is a secret détente between major powers.
- The most potent weapons are too valuable to risk being deployed, caught, and reverse-engineered unless there is a truly pressing need.
Most of these fail due to the conditions of dispersion and anonymity, and I think the answer that clearly has the most explanatory power is that cyberwar is all around us.
*: Hint – it’s China.
**: Underappreciated, but this is kind of incredible.