Intrusions initiated by nation states against companies and governments of other countries are motivated by political and economic reasons, much like the traditional form of warfare. My hypothesis is that a country looking to safeguard its own cyber interests has no choice but to engage in a systemic campaign to compromise IT assets of its adversaries. One goal of such offensive operations is the condition of mutually-assured destruction, which deters each party in the conflict from taking advantage of the IT assets it compromised.
The Need for Mutually-Assured Destruction
Public accounts of intrusions conducted or supported by state actors highlight the importance that military and government organizations place on cyber warfare. Those without access to privileged information about such campaigns have been speculating about the principles that shape cyber warfare policies and mechanics. Here's why I believe the notion of mutually-assured destruction is a significant aspect of modern cyber warfare:
- There is presently no practical way to defend IT infrastructure of any nation against intrusions, be they commercial or government assets. If there was, we wouldn't be experiencing so many breaches.
- As the result, a country needs to assume that an adversarial nation state will be able to compromise a significant number of the country's critical IT assets. Many of these intrusions will be undetected.
- Therefore, the country will need to find a way to deter the adversary from taking aggressive actions against a significant number of the IT assets it illicitly controls.
- One way to accomplish this is for the country to compromise a meaningful amount of the adversary's critical IT assets, establishing the statee of mutually-assured destruction as a deterrent.
Deterrence as a Way of Stabilizing the Internet
In a 2001 paper, Matthew D. Crosston proposed that "it is logically more stable and potentially peaceful to have a system of deterrence that is structured mutually across major powers, giving no one state the ability to disrupt cyber equilibrium." Matthew envisioned a situation where:
"Each major player in the global system would come to fear debilitation equally and therefore would not risk being the first-strike initiator. By capitalizing on this shared vulnerability to attack and propagandizing the open buildup of offensive capabilities, there would arguably be a greater system of cyber deterrence keeping the virtual commons safe."
The idea of deterrence in cyberspace was later brought up at an RSA Conference panel in 2012. According to the Threatpost's article that described that panel discussion:
"Deterrence will play an important role in avoiding conflict, as it did in the Cold War with Russia.The Chinese military appreciates that both it and the U.S. have cyber offensive capabilities and defensive vulnerabilities—'big stones, and plate glass windows,' said Lewis. 'We're back to mutually assured destruction.'"
In an April 2009 paper on the topic, David A. Gale discussed mutually-assured destruction as requiring the capability and commitment to destroy all Internet-connected assets, rather than those belonging to a sole adversary. He wrote, if "the US can credibly vow to destroy cyberspace, thus destroying world economies, the US can deter an adversary from launching an attack."
David acknowledged that this approach, like the nuclear mutually-assured destruction doctrine, would not deter non-state actors. He also confirmed the challenges of reliable attack attribution in this context. Regardless, David advocated the need for developing the capability while leaving it up to the politicians to decide on the conditions of utilizing it. Yeah, it sounds scary, but...
Everyone with the Right Skills is Probably Doing It
If the reasons above persuade the US government to adopt the dogma of mutually-assured destruction in cyberspace, other countries with can do so as well. Nations with the interest, expertise and budget to conduct offensive cyber operations are probably busy hacking each other to establish the condition of mutually-assured destruction and avoid being outpaced in this process by their adversaries. Such activities might allow these countries to deter each other from launching large-scale cyber attacks with major "real world" repercussions. Perhaps such aggressive tactics just might contribute towards maintaining the relative peace and stability of the Internet?