With incoming cyber attacks rising in frequency and severity, the US is considering adopting “mutually assured destruction” (MAD) as a method of deterrence.
Mutually assured destruction is the military concept that promises severe attacks be met with equally devastating counterstrikes. This retaliatory warning was a pivotal measure that kept the Cold War from going nuclear, and has deterred nuclear weapon usage for decades since.
So what does MAD mean in the 21st century, when the weapon of choice is cyber?
MAD for Cyber
So far, the US has suffered a startling tidal wave of attacks on the government, private corporations, businesses, healthcare providers and more, resulting in unprecedented theft of sensitive information. Analysts think data deletions and manipulations could be next.
[contextly_sidebar id=”uR9AWNs6mvvJiCCeDe8Zimfn3wytGBgc”]But cyber attacks can be even more dangerous, with the potential to shut down entire electrical grids or damage critical infrastructure. Pew research indicates this could lead to widespread harm, but the response, so far, has not been to strike back.
The concept of a digital 9/11 is of increasing concern, and a lack of a tactical action plan for such a possibility is worrying to Pentagon insiders.
“If we do nothing, then one of the potential unintended consequences of this could be, does this send a signal to other nation states, other groups, other actors that this kind of behavior is OK and that you can do this without generating any kind of response?” Admiral Mike Rogers, head of US Cyber Command, said in a recent speech.
Adopting a MAD-like approach would mean that any attack on the US with the intent to kill or destroy property be met with the nation’s full retaliatory ability, a response of proportions that would debilitate the attacker’s cyber assets. Such an assurance would cut the costs of defense, and in theory deter attackers out of the fear of US reprisal.
This could entail building a strong new cyber deterrent, or an entire stock of cyber weapons — and threatening to use them if necessary.
Would it work?
There are several issues with this approach as it stands.
When MAD applies to cyber warfare, the “D” may not refer to “destruction” as much as “debilitation” or “disruption.” And that’s a potential problem: when annihilation is a threat, it’s avoided at all costs. But disruption is unlikely to inspire the same reluctance to strike as an atomic bomb.
What could result from mandated counterstrikes, some say, is a spectacle in which two countries do a back-and-forth cyber dance with no real goal or resolution, causing ongoing damage instead of respite.
Another issue is that, to enforce retaliation, the offense has to be clearly defined. With cyberwar, it can be difficult to pinpoint exactly where attacks originate from, and therefore hard to know who to hit back. What actually qualifies as cyber warfare is also not wholly agreed upon.
Defense first, offense later?
Cyber-war theorist John Arquilla likens the current state of cyber war to pre-MAD warfare, in which attacks are free to proceed in the absence of the threat of annihilation. But instead of creating a cyber weapon on par with nuclear, he suggests a focus on defense.
That’s because even if retaliation could work in a sense, due to the ambiguity of cyberwarfare, there are complications and complexities that make offense tricky. But if defense tactics are robust enough to stop attacks in their tracks, retaliation wouldn’t be necessary in the first place.
To address both defense and offense, the DoD plans to spend $17.5 billion on cyber security in the next five years, with the Cyber Command growing in number from 900 personnel to 5,000 in three years.
So far, defense planners have had trouble developing a viable strategy, so the interest in applying the tried and tested MAD model to digital remains a tempting alternative.
In the meantime, the internal debate over retaliatory illustration and policy continues, and the stakes remain high.