Mutually Assured Disruption: Framing Cybersecurity in Nuclear Terms

National Committee on American Foreign Policy (NCAFP)

12 October 2017

(Dimensions in Nuclear – vs – Cyber Domain Comparison)

David Mussington PhD CISSP

Professor of the Practice and Director

Center for Public Policy and Private Enterprise

University of Maryland College Park

ABSTRACT

Analogies can be helpful, but also potentially misleading. This is especially true of the problems that international security poses, where some seek to simplify complex social, political, economic and technological factors in search of parsimonious explanations. Taking a technology as a given, and tracing its impact on interstate military and economic interactions over decades is especially tricky. Treating that technology’s influence as a platform for analogies relevant to a likely successor revolution in military affairs (RMA) leads to expectations likely to be falsified by history – and to misinterpretation of what actually constitutes “the New Thing”.

OVERVIEW

Nuclear and Cyber capabilities share a number of common attributes, but also differ from one another in important and less obvious ways. For this brief framework, the focus is on factors that differentiate the two issue domains, albeit in the context of an acknowledgment of some similarities. The argument here is that the differentiating factors make even the most persuasive analogies false. The two domains are different, and understanding of the divergence is key to a correct understanding of the significance of cyber effects on international security and stability.

A BASIC COMPARATIVE FRAMEWORK

Below is a table comparing nuclear capabilities and attributes of cyber weapons – or effects. This table is illustrative, not exhaustive. Additionally, each dimension of comparison could merit paragraphs unpacking the complexity and granular detail of military strategic or political impacts. The overarching picture is key, however, and merits a brief discussion of key factors.

Table 1. Cyber and Nuclear Effects – Comparative Dimensions

Dimension / Nuclear / Cyber
Weapon of Mass Effect / Y / Y* / U
Rapid and Persistent Impact / Y / U
Clear Attribution / Y / N
Barriers to Entry / Hi / Lo
Nation State Monopoly / Y / N
Ecosystem Impact (of Use) / Y / Hi / Y* / U (qualified)
Offense Dominance / Defense Infeasibility / Y / Y*
Centralized Innovation / Y / N
Cost of Basic Capabilities / Hi / Lo
Pace of Technology Development / Lo / Hi
Status under LOAC / — / U
Clarity of Military Impact / Hi / Lo / U
Impact on Crisis Stability/Strategic Stability / Hi / Hi / U / Hi

Key: U – Uncertain, Y – Yes, N – No,

Weapons of Mass Effect

The destructive nature of nuclear weapons is clear, as is the variation in their yields and modes of delivery. Since 1945 significant innovation has occurred in the integration of nuclear weapons on to defense platforms – in the air (via manned bombers), on land (ICBMs), and at sea (SLBMs and for a short time, Sea-Launched Cruise Missiles). The transition from atomic to thermonuclear weapons added an order of magnitude increase in the destructive yields of the weapons, with miniaturization of warheads making them deliverable over continental distances. A revolution in guidance technologies (inertial, star-sighted and satellite-enabled) further highlighted the unique character of the weapons.

For cyber weapons, whose effects are transmitted over communications networks, via air-gapped devices (e.g., USB or network devices inserted into isolated systems), or through effects produced by network traffic manipulation (e.g., DDoS, ransomware), mass impact is possible, but more easily mitigated. Techniques exist to deflect problematic traffic, “black hole” domains, conceal IP (internet protocol) addresses and generally to obfuscate the authorship of communications and the content of data. This is not an exhaustive list of techniques (obviously), but it makes the point that, while mass effects are possible, assets and services rendered inaccessible due to adversary actions can be made resilient and linked systems recoverable.

Clear Attribution

During the Cold War both Superpowers spent considerable sums (and many decades) deploying early warning infrastructures designed to ensure early warning (and to a degree attack assessment) of strategic missile launches against their territory, allies, or other vital interests. While these systems could be spoofed or attacked directly, their redundancy provided a high degree of confidence in determination of the actor responsible for a launch (or launches).

For cyber effects, technical attribution is a challenge, though not an insuperable one. Imitating the Tactics, Techniques, and Procedures (TTPs) of a threat actor is a useful way of avoiding detection for cyber operations. Malware used for targeted cyber effects (e.g., network or system intrusions and persistent access, data manipulation, destruction, or obfuscation) is itself a target of theft (e.g., the Shadow Brokers cyber tool theft). Theft of critical data is frequently “laundered” through third parties – with the provenance of primary leakers rendered that much more difficult to determine.

Political attribution of cyber activity is a different matter, subject to all of the risk calculus and collateral impacts characteristic of judgments made by governments where diverse interests and imperatives must be reconciled in policy. For international relations, it is this difficulty in weighing net interests and composite risks that creates uncertainties regarding the cost-benefit judgments in play.

Ecosystem Impact (of Use)

For nuclear weapons, the ecosystem impact is massive – calculable in terms of populations directly impacted, effects on fixed and mobile structures – and most importantly – on the persistence of effects visible in the environment (land, sea or air) where detonations occur. Added to this effect, however, is the environmental impact of maintaining a nuclear complex able to fabricate, maintain, and secure large numbers of nuclear weapons. Contamination of industrial facilities and waste management infrastructure is both expensive to manage, and intolerant of lax security. A commitment to maintain a nuclear arsenal involves a long-term commitment to effective waste management and physical security of the involved infrastructure – from fuel cycle maintenance to weapon disassembly or de-activation.

Cyber effects are clearly not exactly analogous in ecosystem terms (though there are environmental impacts from ICT production and trade). The infrastructure of ICT products and services, however, can be characterized according to its resilience and soundness. Many commentators refer to the current generation of general purpose computers and industrial control systems – and the digital COTS technologies comprising their core – as basically insecurable. Even if one denies this extreme position, it must be acknowledged that modern computing and communications technologies (hardware and software) are prone to widespread exploitation and disruption. Viewed this way, the cyber ecosystem that provides critical services and data for a myriad of social and economic purposes is itself a threat to world order, one that for many reasons has yet to be fully confronted.

Offense Dominance

Effective defenses for massive use of nuclear weapons against terrestrial targets are so far unavailable. More limited defenses against single or “small-N” uses (from missile, air-borne platforms) are under development – but even these are vulnerable to being overwhelmed by a determined attacker. Mutual Assured Destruction (MAD) enshrines this observation for analysts and political leaders alike.

For cyber effects, attackers appear capable of overwhelming most computer systems and networks – once they achieve persistent access. The virtuosity of attackers appears unbounded, as evidenced by the breach activity at even the most well-defended establishments – whether they are governmental or private critical infrastructure in nature.

The cyber and nuclear cases differ, however, in that – in principle – it may be possible to achieve much higher levels of protection for critical data, systems, and systems of systems from cyber threats than is true for nuclear ones. To this extent the cyber environment is simply more “plastic” as a human-made domain – rather than a naturally occurring one (e.g., the other four domains – land, sea, air, outer space). Domain plasticity is not a guarantee of the eventual overcoming of offense dominance, however. What it does provide is a puzzle – to which considerable material and cognitive resources will be directed over time.

Impact on Crisis Stability/Strategic Stability

For nuclear weapons, crisis stability is fostered where incentives to strike first in a tense situation are countered by the near certainty of a retaliatory and overwhelming response. MAD enshrines this principle, and it is argued that – with redundant second-strike capabilities – actors mutually deter one another because of the certainty of denied gains along a broad spectrum of strategic engagement. This kind of stability is reinforced by effective concealment of a credibly protected retaliatory reserve and/or through redundancy in survivable retaliatory forces provided by heterogeneous weapon platforms (land, sea, air deliverable forces – independently survivable – such as the US’ Nuclear Triad). Strategic Stability represents an institutionalization of geopolitical relationships around redundantly survivable nuclear arsenals with strong positive and negative control.

Cyber effects can undermine crisis and strategic stability in two ways: (1) By achieving mass effects that convince an opponent to seek cessation of hostilities on the initiator’s terms; or (2) through disruption in the assumed availability or concealment of nuclear weapons and/or attacks on the infrastructures providing early warning of their possible use. (2) appears more central as a source of cyber-induced instability, and has been the subject of a number of analyses in both government and academia.

COMPARATIVE DIMENSIONS AND DETERRENCE

One of the most frequently used frameworks comparing nuclear and cyber “worlds” is the proposition that cyber deterrence is possible and achievable, and its corollary, that the weakness of a deterrent posture (however specified) is a possible source of inadvertent escalation and conflict (cyber or otherwise). Deterrence in this case is achieved either through punishment (retribution) – or holding an adversary’s high value assets at risk, or denial through cost-imposition – destroying the potential for an adversary to make positive gains through conflict initiation (across a spectrum of outcomes). How credible is this concept for cyberspace? The answers to this question are partially provided by a quick review of the comparative framework above.

Cyberspace is a domain with limited levels of actor attribution. The impact of cyber effects in a given scenario against specified systems may be short-lived or persistent. Context is key. Levels of vulnerability in ICT systems are high, and resistant to quick remediation. Indeed, pervasive vulnerability is a commonly acknowledged attribute of critical information infrastructures. Hence an assumption of “safety” for one’s own systems is unlikely – even as one contemplates an assault on adversary systems. Offense dominance in cyberspace – the view that attack is easier than defense – is another commonly observed feature of the cyber domain. This creates “use-them-or-lose-them” pressures, but these are countered by the real-world fact that cyber systems exist in a cross-domain world. Conventional and nuclear stability reduces any incentives to initiate massive cyber-attacks as a “stand-alone” action – at least in situations describable by mutual deterrence. This leaves open a finite probability that a weaker actor may seek to use the asymmetric potential of cyber effects to counter an adversary’s superior military potential. The balance of stakes in a conflict will determine the viability and likelihood of this type of scenario.

SOME INTERIM CONCLUSIONS

The framework aligns factors in the nuclear and cyber domains, and compares their similarity and likely impact on security conditions. Selecting from among these factors, the arguments presented suggest that cyber effects have the potential to destabilize nuclear deterrence – but that this situation is likely to pertain mostly in situations where mutual assured destruction (MAD) is absent. For regional arms races, or regions where nuclear proliferation might occur, this conclusion is alarming – and argues for the continued relevance of non-proliferation and proliferation control regimes. The cyber domain is corrosive of currently stable security relationships. By undermining the certainties of decades-long indications and warning, and by providing limited (but possibly persuasive) asymmetric options to weaker states, cyber capabilities may increase the likelihood of unwise risk taking during crisis. Most importantly, absent an institutionalization of stability-enhancing situational awareness on cyber risks and mitigations among states – and the parallel growth of norms constraining cyber conflict – cyber effects have the potential to erode trust and undermine crisis stability.
