Sun Tzu advised, “Remove the firewood under the cooking pot . . . When faced with an enemy too powerful to engage directly you must first weaken him by undermining his foundation and attacking his source of power.” In our networked cyberworld, that strategy might mean cyber-to-conventional attacks, even temporarily shutting down communications, infrastructure, logistics, or any combination of the three. Confusion follows. Cybersecurity is important. But in a Cold Cyber War, response may be the most effective deterrent.
When we most feared nuclear attack, deterrence—mutually assured destruction as horrific as it was—kept missile silos in check. More conventional operations and tactics continued, but none dared cross that line that would inevitably end in all-out war. In our inarguably gradually expanding Cyber Cold War with Russia, Quartz contributor Nicole Softness argues that just as in last century’s Cold War, deterrence is most effective. “Historically, [Russia] has avoided attacks that could trigger a full-scale military response,” Softness writes, “preferring to intensify the fog of war and cause maximum confusion.” The way to deter these attacks isn’t so much cybersecurity (cyber defense), but cyber response, some sort of mutually assured cyber destruction capacity.
LEVELS OF RESPONSE
Softness imagines three levels of cyberwarfare that may have a deterrent effect while falling just short of sparking an all-out conventional war: simple cyberintrusions, more complex cyber infrastructure attacks, and the most dangerous cyberattacks on military resources. “As a minimal option,” Softness writes, “the US could respond to a Russian cyberattack by conducting simple cyberintrusions against Russian internet networks, government websites, and communications services . . . .” If we haven’t yet moved into this phase of response, we’re likely very close. “A more aggressive response would involve conducting operations against Russia’s own critical infrastructure networks,” Softness writes. Theoretically, if Russia attacks our communications, we either counter-attack with a similar attack of our own, or we escalate. “The most aggressive response,” Softness explains, “would involve directly attacking Russian military targets by shutting off power at a nuclear facility or an airfield.” That sort of response, of course, coming from either direction, could very well be the proverbial last straw.
Softness’ recommendation makes complete sense. Planning and preparing for proportional responses to attacks on U.S. government and infrastructure is the certain outcome of the Cyber Cold War in which we find ourselves, and it might just head off significant sorts of attacks before they happen. According to Softness, preparing for these sorts of OPLANS wouldn’t be terribly difficult: “Many Russian industrial networks run on Windows XP, a very old system, while remaining connected to the internet. Not only are these systems extremely vulnerable to attack, the US has already shown it has the ability to do so.” However, just as with old-school Cold War, Cyber Cold War risks the worst case scenario. “The problem with these cyberattacks is that the potential for counter attacks is infinite. Russia attacks the US communications grid. The US does the same. And on it would go, potentially until a physical war was started,” she acknowledges.
Escalation of cyber-response does make sense. But that’s a very Cold War way of thinking. Perhaps instead of repeating old patterns, we imagine a more futuristic and more effective sort of deterrence.