
Does 'Mutually Assured Destruction' Apply in Cyberspace?

Whatever happened to the notion of 'mutually assured destruction'?


Surely the concept is not gone forever. The mere thought of, 'we better not do it to them, because they can do the same thing to us' kept the United States and the Soviet Union from trading nuclear attacks throughout the Cold War. Why? Because both nations recognized the other's capabilities and knew that if either launched, both would be destroyed. Strength deterring strength.


So, does that same concept translate in cyberspace? While Russia is a formidable adversary in terms of cyber capabilities, the most prominent, repeatedly demonstrated nation-state threat is likely China. A day rarely passes that we don't hear about China hacking a prominent U.S. entity, often threatening our national security interests.


Likewise, you don't have to be an Intelligence or Defense Community 'insider' to know that the U.S. has the same offensive cyber capabilities and is capable of launching them against Chinese national interests at any given moment. Tit-for-tat is fine in some circumstances, but where does this game of cat and mouse end? More importantly, will it (or has it already) push past the implicit norms and boundaries of cyberspace? In the physical world, we know precisely where those things are, but in cyberspace, they are not clear.


The physical world is much easier to navigate. It is pretty simple to differentiate posturing from a real attack. Testing the newest long-range ICBM in your own airspace or building a new nuclear submarine is far different from launching a missile at another sovereign nation. A flex is clearly a flex, and an attack is clearly an attack. There is no real need to define a boundary between the two.

Cyberspace is different. Bad actors can obfuscate their identity in sophisticated ways when undertaking malicious activity – making attribution harder. Worse – activities in the virtual and physical realms no longer exist in isolation. It's been over a decade since we saw their convergence. Offensive cyber operators have demonstrated the ability to impact the physical world time and again, and we can only keep these lines from perpetual ambiguity by establishing rules and norms to govern actions in cyberspace.


The United Nations recognized this need and, over the last decade, established and subsequently reaffirmed 11 norms. While this is a definitive step in the right direction, the cited 'norms' are still too murky to have teeth. Even the ones that are clear—like "Do not damage critical infrastructure"—are most often ignored.


Russia preceded its invasion of Georgia in 2008 by bringing down large sections of the Georgian critical infrastructure. They did it again in Ukraine before that invasion. Before we cast stones, we have to acknowledge that our hands may not be clean either. While never 'officially' attributed, it is widely known that the U.S. and Israel launched the Stuxnet attack against Iran that disabled their nuclear centrifuges.

And of course, there is China. They bring portions of U.S. power grids down for sport, they hack major U.S. telecoms, and they infiltrate our water treatment plants. In short, their touch and presence are nearly ubiquitous across U.S. critical infrastructure.


Of course, this is a new activity, right? Not so fast. Twenty-five years ago, then-National Security Agency Director Michael Hayden said the thing that kept him up at night was the threat to our critical infrastructure. That was in the 90s! Twenty-five years later, Dave Frederick, NSA's assistant deputy director for China, told an audience at a recent cybersecurity conference that China's People's Liberation Army had its 'longest arm' in cyberspace and was ensuring it had "attack capability" inside our critical infrastructure.


What does this all mean? Nearly every nation-state understands that, in conflicts to come, cyber warfare and kinetic warfare will be complementary components of any battle plan. If you can bring down the other guy's power grid or disrupt their command-and-control operations via a cyberattack, you can significantly degrade their capability to conduct any conventional warfare, providing your side with the most significant force multiplier in history. It is the proverbial 'magic bullet'.


The fact that most incursions of another nation's critical infrastructure via cyberattack in the U.S. have not risen above 'nuisance' to this point is telling. It could mean that nation-states are laying the groundwork for bigger and more impactful operations to come. Or, a more positive interpretation might be that the notion of 'mutually assured destruction' is alive and well. We could bring your power grid down, but we won't, because we believe you can do the same to us. But we want you to know that we can!


Which is it? The correct answer right now is probably 'both'. But it only takes one bad actor to take a step too far and provoke an escalated response, potentially sparking a global conflict. The only thing we can do is to continue to do our part to bolster our collective national cyber defense capabilities, and trust that our leaders and leaders of other nations – friends and adversaries alike – do the right thing. Mutually assured destruction must remain as real in the cyber realm as it is in the physical world. Without it, the reality introduced by the ongoing convergence between our physical and cyber worlds grows exponentially as a threat to the security of every nation.

 
 
 
