Cyber Deterrence Theory – Why Cyber Weapons Are More Dangerous Than Nuclear Weapons
Deterrence in the Nuclear Age
Deterrence is found between nation states when an aggressive action by any nation is discouraged because of doubt or fear of the consequences.
Figure 1 – Cover page of the 1958 RAND report on Deterrence written by Bernard Brodie.
The concept of deterrence was created in the late 1950’s by analysts such as Bernard Brodie who was working at the RAND Corporation “think tank” in Santa Monica, California. He and his colleague Herman Kahn was developing a system of theoretical frameworks that could be used to understand the implication of thermonuclear war using Intercontinental Ballistic Missiles (ICBMs) and other delivery systems.
At that point in time, the United States was reeling from the psychological shock of Sputnik 1 (Простейший Спутник-1), a satellite that the Soviet Union placed into an elliptical Earth orbit in October 1957. The “Space Race” was on, and the Soviet Union had a substantial lead over the United States.
Although Sputnik was designed to orbit the earth and emit a 20 and 40 MHz signal, the shock to the United States was not caused merely by the Soviet Union’s ability to place a small radio transmitter in orbit to broadcast for 21 days.
This was 1957, there were no computers, no electronic calculators. All mathematical calculations were made using slide rules. There was no CAD-CAM; all engineering work was done on paper. Engineers used drafting tables.
The shock was in the accuracy. If the Soviet Union could manage to be precise enough to place a small radio broadcasting satellite into a stable orbit, then it had the skills to be accurate enough to send a thermonuclear weapon to the mainland of the United States. The accuracy was enough to place Sputnik into orbit, and enough to drop an atomic bomb on a U.S. metropolitan area.
Shortly thereafter, the United States and the Soviet Union greatly increased production of nuclear weapons and ICBMs. The number of atomic bombs became so great that it would have been possible for the Soviet Union easily to extinguish all life on planet earth.
That is, in the mid-1960s, the United States had deployed approximately 31,000 nuclear bombs. By the late 1980s, the Soviet Union had deployed 40,000 nuclear bombs. Considering that there are only 260 or so large cities in the United States, the threat of 40,000 nuclear bombs was overwhelming.
In today’s world, people do not think much about nuclear weapons. Countries such as Iran that are engaged in violating its treaty obligations and developing nuclear weapons argue that they have a “right” to do so, but they have no such right.
This is because nuclear weapons are too dangerous to allow them to spread. Here is an example that frequently was given by Professor Geoffrey Kemp in his lectures at the Fletcher School of Law and Diplomacy. For some reason, he always like to use the MIT swimming pool in his story.
“It is an October day. The beautiful New England sky is clear and dark blue. Not a cloud to be seen. A nuclear weapon explodes approximately 20,000 feet above the MIT swimming pool. What would be the consequences? Let us first think of only the heat. Take a compass and a map. Draw a circle around the MIT swimming pool. Go out 235 miles as a radius in every direction. The heat of the explosion alone would cause everything within that circle to spontaneously burst into flames. And that is before any of the blast effects were felt.”
With a radius of 235 miles, this blast area would be 173,494 square miles. The United States is 3.797 million square miles. Incredibly, it would take the Soviet Union only 22 weapons to burn the entire surface of the United States. That would leave it with 39,980 weapons remaining. We could do the same math with the Soviet Union. With its size of 8.65 million square miles, it would cost the United States only 50 bombs to burn the entire surface of the Soviet Union, leaving it with 30,950 weapons remaining.
Now these calculations could be a little off, but you should get the point.
So in the nuclear age the theoretical question being considered in sunny Santa Monica was how to avoid having the United States destroyed. The larger question was how to avoid having the entire earth incinerated.
Mutually Assured Destruction (MAD)
Eventually the superpowers settled on a type of balance of power. It was not the “classic” balance of power that had been re-established at the Congress of Vienna (Wiener Kongress) in 1815 after the trauma of the Napoleonic wars. The nuclear age was to have a different balance of power. Each nation would know that if it attacked another, then there would remain enough thermonuclear weapons on the other side to assure that the attacker themselves would be destroyed in retaliation.
This is guaranteed by the “triad” of delivery systems: The Air Force, the fleet of Intercontinental Ballistic Missiles (ICBMs), and the Navy’s Submarine Launched Ballistic Missiles (SLBMs). In a worst case scenario, if the entire continent of the United States were incinerated and every human being killed, still the U.S. Navy’s nuclear submarine fleet hiding always in the ocean would be able to launch a devastating counter-strike against the Soviet Union. And the USSR built a submarine fleet to provide it with the same retaliatory capability.
And that is the essence of “deterrence”. Neither side will attack the other with nuclear weapons, because it is reasonable certain that it will get the same back. Like the final statement of the computer in the movie “War Games”, the best move is not to play at all.
So we should be thankful about nuclear weapons. Because they have kept the peace and ensured that there was no outbreak of war between the superpowers.
Applying Deterrence Theory to Cyber Warfare
Is it possible to have deterrence in the cyber arena? First, we need to think about a few of the differences between nuclear and cyber weapons.
Destructive Capability. The destructive capabilities of nuclear weapons are well known. They have kinetic blast effects, heat effects, and radiation poisoning effects. They are designed to destroy infrastructure, or other weapons systems. The calculation of destructive capabilities is well understood. The “Circular Error Probable” (CEP) value which measures the probability that the weapon will explode within a certain range of its target is almost as important as the strength of the blast, since proximity can leverage the inverse square law. In contrast, cyber weapons can have both logical and kinetic effects. By “logic” effects, we refer to destruction or alteration of programmable code or other data, and then the secondary “downstream” effects that are generated. In cyber, a “kinetic” effect is a downstream effect of a cyber event. For example, the Stuxnet virus is said to have caused Siemens programmable logic controllers to trigger a destruction of the Iranian centrifuge machines.
Attack Focus. In nuclear weapons, the kinetic, heat, and radiation effects are centered around the impact point of the explosion. Anything, any system either mechanical or biological within the effect range will sustain damage. The degree of damage falls off exponentially as we move away from the site of the explosion. In contrast, cyber weapons do not necessarily have a point of impact. They can have similar effects across very large geographical areas. As long the system is compatible in logic with the cyber weapon’s capabilities, they be anywhere. So for example, a nuclear weapon can destroy an electricity production complex; but a cyber weapon can cause destruction or disruption across a geographically distributed electricity or banking grid. A nuclear weapon will destroy everything within its range; a cyber weapon can reap massive destruction to a specific system, but leave everything else in the area untouched.
Visibility of Attack Delivery Phase. Apart from a hidden “suitcase bomb”, the delivery of strategic nuclear weapons is visible. Aircraft (strategic bombers) and ICBMs or nuclear cruise missiles can be detected by radar, although stealth aircraft are more difficult to see. Of course the “reaction time” for responding is a considerable problem. For an SLBM attack against the United States, there may be only 10 minutes or so to respond. The visibility, however limited, probably allows the receiving state to determine the origin of the weapon, and this enables it to target its response and retaliation. So there is a delivery phase of a nuclear attack. With cyber weapons, this delivery phase is not visible. There are two aspects to this: First, it is possible to disguise cyber weapons so that even when they are identified, their source is not known; Second, an additional factor is that with nuclear weapons, there is a delivery time governed by the physics of moving a bomb across the planet. With cyber weapons, delivery takes place more or less instantaneously.
Covert Cyber Weapons Caches. During the Cold War, it was said that the Soviet Union had pre-positioned caches of arms or other destructive items in various places across the United States. These were designed to be available to Non-Official Cover (NOC) agents who would be “activated” in case of a war. This tactic is also said to have been used by the Soviet Union against European targets in the interwar period, and also by the United States. With cyber weapons, the pre-positioning of malicious code means in essence that the payload already has been delivered. There is no delivery phase, and it certainly is not visible. So it is reasonable to assume that any cyber-superpower already has positioned significant numbers of cyber weapons inside the infrastructure of its potential enemies. Therefore, the weapons should be able to attack without warning.
Destructive Effects. Nuclear weapons: (1) kinetic; (2) heat; (3) radiation poisoning. Cyber weapons: (1) kinetic; (2) logical.
Level of Uncertainty. The level of uncertainty for strategists is greater for cyber than for nuclear. This not to discount the considerable uncertainty surrounding a scenario of thermonuclear war. Nevertheless, we can say that the Mutually Assured Destruction (MAD) principle means we can be sure that if a major confrontation breaks out, then both sides will sustain unacceptable levels of damage, regardless of who was the aggressor. In contrast, there is no such certainty with cyber weapons.
To quote Brodie:
“It is a truistic statement that by deterrence we mean obliging the opponent to consider, in an environment of great uncertainty, the probable cost to him of attacking us against the expected gain thereof.” (p.11)
If the Russian Federation makes a decision to launch a cyber attack against the United States, then given the great amount of uncertainty, how can it estimate what the U.S. response will be, and how much “cost” or damage it will be required to suffer, and after that, what will be its expected gain? The same is true for the United States. It if decides to launch a cyber attack against China, then how does it estimate what the Chinese are capable of doing in retaliation, and after that, how can it assess the potential gain?
Conclusion – Cyber Weapons Are More Dangerous Than Nuclear Weapons
Cyber War is Mutually Un-Assured Destruction (MUD). We only can conclude that the level of uncertainty is so great in cyber that there is no assurance of destruction of the attacking party, and no way to estimate how much “cost” would need to be paid by the attacker as it weathers the retaliation of its victim; thus there is no way to understand whether or not there would be any potential gain.
So the implication of this is that cyber weapons appear to be more dangerous that nuclear weapons because of the level of uncertainty inherent in their deployment and potential use. This means by extension that at least for the time being, the concept of “balance of cyber power” is not a feasible concept.
In future posts, we will examine a number of cyber-war scenarios.