Secplicity – Security Simplified

Mutually Assured Destruction, in Cyberspace?


With Cold War 2.0 in full swing with Russia, it’s time to revisit the idea of “mutually assured destruction” (M.A.D.). In June, Axios referred to two New York Times articles that openly talked about US Cyber Command activities against Iran and Russia. They referred to it as “a lower-level 21st century version of the ‘mutually assured destruction’ policy between the U.S. and the Soviets that prevailed during the Cold War.” What does this term “mutually assured destruction” mean and how does our current cyber stance with Russia compare?

“Mutually assured destruction” is a concept that came into prominence during the Cold War between the United States and the Soviet Union after World War One. By 1949 the Soviets had tested their first nuclear weapon and the US felt they needed to defend themselves against the growing threat of a Communist invasion. Both countries began stockpiling nuclear weapons. As more time passed, both nations developed intercontinental ballistic missile technology that could deliver nuclear weapons from Asia to North America and vice versa easily. Both nations placed these missiles all over both countries, to ensure their entire nuclear capability could not be completely destroyed at once. Advances in radar technology meant that if either country launched a first strike, the other could detect it and launch their own missiles before the initial targets were hit. No matter how an attack was initiated, both countries would end up destroyed. This idea was referred to as “mutually assured destruction” and in the 70s and 80s it kept the US and USSR in an unspoken arm’s length stalemate, where both countries used proxies to attack each other’s ideologies rather than fighting directly.

How does this concept apply to cyber activities? Both the United States and Russia claim to have the ability to remotely deactivate power grids in the other country. We are again at a stalemate where if one country deactivates power first, the other will likely respond in the same way. Both countries depend highly on the internet for business, and both have an advanced cadre of cyber capabilities. If we assume that the Russian government has anything near the arsenal of US cyber capabilities leaked by Shadow Brokers back in 2014, and that the US government has managed to get past said leak, both sides are well stocked with capabilities that would give them the access necessary to carry this out. These cyber attacks could also include disrupting traffic signals, cutting off communications and more.

One of the reasons the M.A.D. doctrine worked in the past was because there was no way to avoid collateral damage. Nuclear weapons at the height of the Cold War would have destroyed entire towns including civilians, children, even the sick in hospitals. One key difference between nuclear M.A.D. and cyber M.A.D. is that cyber capabilities are not as destructive as kinetic attacks (explosives) are. In many cases, disruption or degradation would be much more effective than destruction. Imagine you lost internet access. You go restart your cable modem and wait for it to come back. What if your internet was intermittent? One second a site loads, the next one doesn’t, then the third one is slow, but the fourth is back to normal. You would likely sit and wait to see what happens next. No calling the cable company, just frustration and a waste of time. Disruption also avoids the need to rebuild, which is one of the most expensive parts of a war. If a nation’s power lines and water treatment facilities are destroyed, they have to rebuild them so the population does not die. But if the enemy switches off these facilities, once the war is over they can be turned back on (depending on the techniques used to disrupt them in the first place). Even if a cyber attack damages a specific piece of equipment in a power plant, or deletes the software used to control it, replacing one part of a system or restoring one piece of software will be much less expensive than building an entirely new facility. This ability for cyber capabilities to be more surgical is an important difference between the M.A.D. situation now and the situation during the Cold War.

That said, turning off power still has consequences. Once the power goes out, the sick that depend on medical devices will be in trouble. Traffic signals would go out, causing accidents in the streets. The phones would stop working so people would not be able to call 911. Turning off power to a city will result in less collateral damage than bombing it, but there are still moral ramifications to this action that should be carefully considered. There’s also the chance of escalation. If Russia were to enact their capability and attack the US power grid, we would likely do the same to them. But what happens after that? Both countries have an extensive military capability and they could easily escalate past cyber capabilities. This brings us right back to the beginning of the M.A.D. scenario where fear of the other party’s escalation puts us at an arm’s length stalemate.

While we are clearly in a Cold War 2.0 mode, there is one aspect of the previous state of M.A.D. that has not surfaced yet. That is the exhibition of capability. In 1945 the US dropped a nuclear weapon on Hiroshima and the world clearly saw how bad it could get. Cyber-wise, no one has actually taken that first step to show off how bad it could actually get. That rings true especially here in the US. While there have been a few technical glitches with power grids over the years that show how damaging a cyber attack on our grid could be, they were not carried out by an enemy with malicious intent. This is required for M.A.D. to work. Therefore, while the current state of US-Russia relations may resemble Cold War-era M.A.D., I do not believe we are quite there yet. That could change in an instant, though. All it would take is a borderline dictator in power to claim credit for a massive power outage in the opposing country.

Unfortunately, ending the first Cold War took almost 40 years of proxy hostilities, diplomacy and economic pressure. Luckily the same technology that makes us vulnerable to attack could be our salvation. Just as social pressure can take down industries and powerful people, our collective sense of social justice broadcast globally over our technology could have the power to sway other countries to halt hostilities. Look at how social media has amplified and focused public opinion in the last ten years in the Arab Spring or the #MeToo movement. But then again, our dependence on cyberspace might just be our own undoing. Only time will tell if cyber M.A.D. becomes our new norm.
