Cold War-era ‘deterrence’ won’t prevent the coming cyberwar

(Cyberwar.news) During the Cold War, the threat of MAD – Mutually-Assured Destruction – kept the world’s two superpowers, the U.S. and the USSR, from launching nuclear weapons at each other, so the theory went. But some geopolitical analysts aren’t so sure that MAD applies when it comes to total cyberwar.

As reported by Foreign Policy, cybersecurity has become the number one national security issue of the 21^st century, but too many believe the way to solve it is to rely on deterrence as a way of keeping the nation’s cyber-infrastructure and government systems safe.

“This rhetoric of Cold War deterrence by retaliation is appealing not just in its simplicity, but also because it seemingly demonstrates strength and resolve,” the magazine reported in online editions.

“There are just two problems with returning to old school models of deterrence for the new school problem of cybersecurity. First, that model has the utterly unrealistic goal of a world without cyberattacks. And second, no matter how mad the United States gets, MAD — or mutually assured destruction — in cybersecurity isn’t going to happen,” the magazine noted.

The principle reason is because a potential adversary likely won’t have as much to lose. Consider that, during the Cold War, both sides possessed about the same number of nuclear weapons along with the systems to deliver them. The use of such weapons would have also had roughly the same destructive effect on both nations.

Today, however, in the cyber world there is no “mutual” balance, nor is there assured destruction. The U.S. is arguably more vulnerable to cyber attack than many adversaries, mostly because of our wide commercial and cultural dependence on the Internet. By comparison, a country like North Korea is one of the least vulnerable nations on earth that possesses an offensive cyberwar capability, though that has come at a price – namely the lack of modernity, a viable economy and global isolation.

As the magazine noted further:

There is also an inverse relationship to conventional strengths. Underpinning Cold War deterrence strategy was that the United States perceived itself weaker than the Soviet Union in conventional warfighting, and so relied on the threat of nuclear response to avoid an unequal conventional war. Today, it is the United States that has the conventional edge on its adversaries, and thus many of its attackers see cyberattacks as their asymmetric way to work around a power imbalance.

Speed of attack has also made a difference. Intercontinental ballistic missiles from the other side of the world take about 30 minutes to reach their targets; cyberattacks occur instantaneously, thereby changing the defensive dynamic. What’s more, the time it takes to actually detect a cyber attack is averaging about 205 days – plenty of time for an adversary to plant malicious code, steal data or otherwise disrupt systems.

Still, the U.S. has a massive advantage already in cyberspace, as noted by the introduction of the Stuxnet malicious code responsible for slowing Iran’s nuclear weapons development and the NSA’s exotic capabilities, as divulged by former contractor Edward Snowden.

That said, despite the United States’ cyber-superiority, attacks on our systems have only grown. Some complain that is because the U.S. does not hit back or otherwise make cyber-intrusions mutually painful for the offending party, but others say that is, in part, because cyber attacks are often disguised and it is difficult to locate the point of origin.

So, what would be a better strategy? Foreign Policy lists three policy changes that would be more effective in preventing cyberattacks and espionage:

— Set norms: “There is a huge value in delineating clear lines of behavior. During the height of the Cold War, the superpowers may have been a button press away from thermonuclear annihilation, but they still found a way to agree on certain norms…

Rather than a treaty or agreement that unrealistically tries to create a Cold War-style regime of deterrence or arms control, the two sides need to flesh out a mutual understanding of the new rules of the game. Each side must understand that its opponent will continue to conduct cyber-activities ranging from espionage to theft. The most important goal is not to stop every cyberattack, but to keep them from escalating into something far more dangerous.”

— Deterrence through diversity: “Nothing above argues against building up offensive capabilities for cyberspace…

The United States will have to game out not merely the first two moves of the response — the simple “shoot and shoot back” dynamic that was the whole of a nuclear exchange — but also multiple stages after that by multiple actors. … The goal of these measures is not to prevent all attacks, like MAD did with nuclear weapons, but to change the calculus on whether an individual cyberattack is useful.”

— Shake it off: “The third, most apt lesson from a deeper dive into the Cold War deterrence debates is the value not just in raising the costs, but also in limiting the adversary’s potential gains. This is known as ‘deterrence by denial’ — making attacks less probable by reducing their likely value. In cybersecurity, this is the magic idea of resilience.”

Read the full Foreign Policy report here.

See also:

Foreign Policy

Cyberwar.news