Cyber Mutual Assured Destruction

Is there anything like MAD for cyber warfare between nations? (Non-governmental cyber-criminality is a different matter and does not, currently, seem to admit MAD outcomes (with the emphasis on the M)).

Should nations develop and possess the cyber equivalent of MAD capability?

In its absence, I see no escape from a devastating first strike happening eventually. One nation just has to believe itself to have too much to gain by a first strike to resist the temptation (and I would bet that game theory modeling would confirm that that speculation actually applies in the real world (whenever one of the nations has certain ‘parameters’ for temptation so to speak)).

On the other hand, would limited cyber warfare be like ‘limited nuclear warfare’, where it may not stop once it passed some level?

Not really. The closest thing would be EMP devices, but I assume that’s outside the scope of your question.

For the most part, cyber attacks are based on exploiting flaws in people’s code. No flaws, no attack. There’s no guarantee that a flaw exists, that you can find the flaw, that the flaw opens up a vector of attack, nor that the vector, if successfully exploited, gives you anything of value. It’s all sort of random. And, of course, all it takes is for the enemy to discover the flaw and patch it to render all of your work finding the flaw pointless. And that’s before getting to the issue of dealing with a non-homogenous set of hardware and software. Every different thing you want to attack is going to have to be approached uniquely, on its own.

Now there are some physical realities of the internet. There’s only so much bandwidth and so many cables. You can physically cut people off from the Internet (in theory) and you can swamp them with more traffic than they can handle. But, all it takes to handle a traffic attack is to block off traffic from outside the country. And neither of these really serves as anything other than an annoyance. Maybe at some point the economies and lifestyle of people will become so dependent on the good service of the Internet and a guaranteed global connection to everyone else, but that’s not the case today.

And there’s always the ability to exploit the flaws of humanity. You can trick them into giving you passwords and access to information that you shouldn’t have, but that’s basically just modern spycraft. We had, purportedly, one of the top generals of the USSR on our side, sending us information in order to prevent a MAD scenario from ever occurring. In a sense, that sort of access is an “ultimate, indefensible weapon”. But it’s very specific. Like, in that example, it’s the ultimate weapon, but only in the realm of defense. There’s no offensive way to use it. And, of course, there’s no way to guarantee that you can get that sort of capability. That’s just random luck, not some super technology you can develop.

How about things like an attack on various critical parts of the infrastructure - like the economy, ‘the energy grid’, etc.? While not total destruction, such attacks could be catastrophic and effectively change (in a fundamental way) the attacked nation, and change it to a situation that advantages the attacking nation (or so the attacking nation believes).

Disabling infrastructure via cyber is the same as bombing it physically. The response to such an attack on the US by a state would probably be with hardware and software simultaneously.

For that matter, a first strike probably would pretty much be the same, except software first by a few minutes.

The problem with MAD is that nuclear weapons are hard to develop. So only a handful of nations had them.

Cyber attack capabilities are not nearly as hard to develop. Having a MAD system when you can have proxy wars, plausible deniability and 50+ nations all with advanced capabilities is totally different from when it was NATO countries vs the USSR regarding nuclear weapons.

I did see a documentary about a year ago about this. I believe it was called Zero Days. It talked about the US battle against the Iranian nuclear program. How the Stuxnet program was just a tiny part of the US’s capabilities against Iran and they had set cyber assault tools up to grind their entire country to a halt if actual war broke out. It essentially ended with a bunch of whistleblowers from groups like the NSA saying we need some kind of treaty to restrict the possible damage done by cyber capabilities (the same way we have treaties regarding chemical weapons, biological weapons, nuclear weapons, etc).

Is it? Can it not be ‘repaired’ much more readily than physical destruction? Maybe not, I suppose.

Off to watch . . . soon

Well so yes, my answer was sort of thinking in terms of whether there is something like a silver bullet - a guaranteed, unquestionable ability to take the other person out that can never be defended against. That doesn’t exist.

On the other hand, since we live in reality, it is conceivable that the US and Russia (or whatever other target nation) have both scoped each other out, found innumerable flaws, have plenty of fallback attack vectors that they know of, and can basically take out everything that the other side has which is connected to the Internet, and maybe even has successfully installed physical connections to non-public networks that allows them to apply cyber-attacks to things which aren’t on the Internet.

How do you prove this to the other side? You can know it, but proving it to the enemy would give the enemy the ability to defend against it since the only way to prove it is either by doing it or by giving them the information on exactly what your attack vector is.

Now if you do know that you can destroy everything they have, then that probably gives you a sense of how much of your own stuff they are liable to have attack vectors on. Fundamentally, the total number of attack vectors is just a function of manpower, computing power, and “sniffs” (i.e. hitting their machine with some information to see how it responds, in the hopes that it reveals something about the internal workings). So if you know how much work it takes to break X number of devices and you know how many devices your own side has and roughly how much manpower, etc. the other side has, you can guesstimate how much stuff they’ve probably broken into.

At that point, conceivably, you can say that you’re in MAD territory.

But if you’re in MAD territory, then your first priority is to get out of MAD territory. This is where we come back to the silver bullet thing. There’s no defense against nukes and so MAD can exist. But MAD falls apart the instant that nuclear shields are developed. If you’re getting into MAD territory, you just build a nuclear shield and life is all good again. Destruction no longer assured.

And with cyber, you can just start putting resources into sniffing your own stuff and patching it. You just go defensive and, suddenly, the enemy is screwed.

If you can dump so many resources into cyberwarfare that you can detect and protect nearly all of your own flaws and find and exploit almost all of your enemy’s (in theory), then you can be in a position to completely obliterate the enemy through cyber. But that’s not MAD. There’s no “mutual” in that. If you’re both in the same range of capability, then you’re not going to have a MAD scenario, because you’re going to be spending resources on both offense and defense, and you’re going to spend on defense enough to ensure that you’re not screwed entirely before you put any resources into offense.

I don’t know the answer.

Cyber attacks will cause certain hardware to fail out. For example, you’ve got a device that has a hard drive on which the OS is installed. If you can cause the hard drive to spin so fast that it overheats and freezes up, then all you have to do is force the device to reboot and it will fail to come back up. All of the rest of the device is in perfect condition, it’s just the one component, the hard drive, that is busted. As such, you are spared the cost of replacing everything, you just need a new hard drive.

Whereas, with an explosive, you’re destroying big masses of stuff, all of which needs to be replaced.

So it would seem like the explosive is worse.

But there’s a concept in infrastructure development (blue sky? green pasture? I forget the word), that it’s cheap to build something if you’re the first thing ever built in that place. Like, if we’re building a bridge across a river for the first time, super cheap. But once you have that bridge and you want to replace it, then you have to figure out how to route traffic around your construction effort while under construction, how to move traffic over to the new bridge once it’s done, how to deconstruct the old one safely, and maybe you’re going to be dealing with artifacts from the previous build effort - underwater foundations for cranes that were installed to build the first bridge, that are now in the way for the bridge you want to build, and hard to access because they’re under water, and yet they need to be removed.

So you could end up with some similar artifacts that if everything was destroyed, you could just know that it’s all toast and replace it in bulk. But if things have been selectively taken out, then you’re going to be spending a lot more effort diagnosing what is broken and how to fix it, and also be putting effort into working around the stuff that’s still functional and necessary for the community. Like, you want to replace that hard drive, but there’s a different device in the way and people depend on its continued operation. How do you get through it to the hard drive?

My intuition is that the bomb is probably worse in most situations, but there could be cases where it actually makes life easier if you can just write everything off.

Sage Rat:

I appreciate your thoughtful responses.

I just watched Zero Days and, although a bit melodramatic, ultimately it came to a conclusion. Or at least an admonition.

To paraphrase Michael Hayden (former CIA and NSA chief), cyber is “hideously over-classified” and that makes any meaningful public discourse about the issue impossible, a discourse that one might think is essential in a democracy. Especially in a democracy like the US, a country that is, by far, the most vulnerable to cyber war (by virtue of its advanced technological base and its society’s dependence on it).

Other points that while perhaps obvious to some, were new to me. I found the realization that there is an utter absence of treaties, standards, and “international norms” for cyber warfare, unsettling.

Lots to think about.

What about the issue of attribution? With nuclear weapons, if one side sees a bunch of missiles taking off from North Dakota/Siberia and headed our way, it’s pretty obvious the USA/USSR just launched an attack. (Submarine-launched missiles complicate that a bit, but during the Cold War there really were for the most part two “sides”: If a bunch of missiles come up out of the ocean headed for Washington D.C. and North Dakota/Moscow and Siberia, it’s still pretty obvious that the USSR/USA just launched an attack.)

Now, imagine a cyber-attack: Our electrical grid/banking system/porn video sites are all suddenly crippled. Who exactly are we supposed to retaliate against? You could wind up with a scenario whereby the USA gets hit by a cyber-attack, we turn around and fuck up Russia with a cyber-retaliation, and meanwhile…the Latverians or somebody are sitting there laughing to themselves (“Yes! Our plan worked!”) and preparing to swoop in and pick up the pieces of World Domination.

To the extent that there are limitations on traditional warfare, in my understanding, they generally fall on things that are not practical in actual use. Chemical warfare isn’t particularly effective as a weapon, so it’s banned. Other things which are far more devastating remain legal, because no one wanted to trade those in for humanitarian brownie points.