3

During the Cold War, the U.S. and the former Soviet Union pursued a policy of mutually assured destruction (MAD). I am wondering if it is safe to assume that organizations such as the National Security Administration and its counterparts in Russia are now pursuing a similar strategy vis-a-vis cyber warfare. I read in the newspapers about the vulnerability of the electrical grid and the banking system. Could it already be true that both the Russian and the U.S. governments have the capability of taking down each other's electrical grids and banking systems?

user2309840
  • 131
  • 2
  • 1
    Any answer would require a lot of speculation. – schroeder Jan 02 '17 at 18:57
  • I guess I'm looking for reassurance from an expert that, no, security is good enough that not even governments will have such capability. Unless they get lucky, at best what they can do is fairly limited in scope... – user2309840 Jan 02 '17 at 19:00
  • 1
    Sorry, security is nowhere *near* good enough. We can only speculate on how bad it really is. – schroeder Jan 02 '17 at 19:01
  • Given the recent spate of airplane incidents, I should probably also add airplane computer systems to the question above. – user2309840 Jan 02 '17 at 19:06
  • 1
    MAD doesn't really exist in the cyber realm. It is much more difficult to trace a digital attack to its origin with certainty, and there's no clear definition of what constitutes "cyber-warfare." In the physical world attacks are obvious when they occur, the damages are clear, and the origins are easy to trace. None of that is true in the digital world. – tlng05 Jan 02 '17 at 19:15
  • @drewbenn I believe there are similar problems with isolating targets in nuclear warfare, e.g. the nuclear winter. – user2309840 Jan 02 '17 at 19:24
  • @tlng05 In a cyber attack, I would have thought damage can be completely clear, e.g. I can't access my computer files because they are being held for ransom. In a nuclear attack, it may not be clear where the missiles are coming from, for example if they are launched from the Chinese-Russian border and one has only 20 minutes to respond. – user2309840 Jan 02 '17 at 20:31

2 Answers

4

While, as others have said, Mutually Assured Destruction is not something that could apply to Cyber Security, it is certainly true that tit-for-tat cyber aggression has been going on for quite a while and has been pretty nasty over the last few years between the main government-supported hacking groups.

Indeed, I believe that the USA did a deal with a large competitive country around 18m or maybe a bit less ago to get them to calm things down.

One of the issues with cyber warfare, of course, is that it is very difficult to attribute, so those of us not involved with cyber military/intelligence can never be sure who is doing what.

The bottom line, though, is that security is certainly not "good enough", not in any industry sector - even a few days ago, one of the US electricity companies found some malware on an offline computer though thankfully not one (at least that they admit to) that was controlling the grid.

Anyone following the cyber security news will be painfully aware of the vulnerabilities in many industries including critical ones such as government, health, city control ("smart" cities), power, ...


However, I do not believe that the capability exists currently for one attacker to take down an entire power grid in any of the major, large, countries. In general, they are too fragmented to be brought down in a single attack.

Similarly, banking is very tightly controlled and banks are very cautious about their systems and how they are interacted with. They have numerous interlocking safety mechanisms to prevent mass fraud or other manipulations. Indeed, the biggest worry with banking is attacks undermining public confidence rather than actual failure of the systems.


UPDATE: MAD does not exist in the cyber realm because of the vast complexity involved and because the physical world is relatively unimpacted (compared to nuclear holocaust).

You can take down a network maybe, a website for a while, you can steal lots of data. But most systems have backups and are quickly restored with new patches and security added.

The worst cyber attacks so far have taken down an organisation for a few days. Sony Pictures may have been the worst admitted to; they were off for a couple of weeks, I think, but they had appalling security!

One of the biggest current fears in cyber security is unnoticed changes to data rather than mass encryption or theft. We've yet to see a big example of that but I know that there are lots of experts who are worried about that. But even that doesn't amount to world destruction, the worst that is likely to happen is that a government would fail - maybe some lives lost (if certain industries were impacted, like health). Understand that I'm not dismissing such impacts, they are certainly severe, but they don't rank amongst impacts like MAD.

In regard to your comment about banking: whilst nobody in their right mind would consider banks as entirely "good" actors after the litany of bad things that have happened over the last decade, most countries have remarkably tight rules regarding banking for this very reason. In any case, most banks carry their own liabilities - even though they may be bailed out by governments, it comes at a terrific price to the people in charge. They are so carefully inspected in the majority of countries that wrong-doings inevitably are found out in the end. There are also too many people involved inside the banks for such things to be well hidden - the well-known banking issues were mainly caused in areas where a relatively few people control everything.

Julian Knight
  • 7,092
  • 17
  • 23
  • Can you expand on why MAD does not exist in the cyber realm? I remain unconvinced. – user2309840 Jan 02 '17 at 20:44
  • One more comment: I worry that banks are not necessarily "good" actors. It's really a separate question, but I can imagine a type of computer hacking which a bank might find to its advantage and allow to happen-- something that would simultaneously improve the state of their account books and give them plausible deniability. – user2309840 Jan 02 '17 at 20:48
  • 1
    I've added a comment to explain about MAD & to address your comment on banking. I'm afraid that there are far bigger things to worry about than the ones you've picked on. The risks you mention are not inconsiderable but pale into insignificance against rising nationalism, climate change and extremism. **But** both people and the world are amazingly resilient and inventive; New Year is a time to be optimistic, not frightened for the future. – Julian Knight Jan 02 '17 at 21:01
  • 1
    @drewbenn, indeed, cascades are an issue and, as I said, I don't want to imply that havoc couldn't be caused. But the question was about **destruction** which is an altogether different thing. – Julian Knight Jan 02 '17 at 21:23

1

I would argue that the poster stating that MAD does not apply in cyberwarfare is inaccurate, in that systems are not nearly isolated enough from one another to prevent countries from attacking and destroying a significant portion of internet and other infrastructure. One of my best examples would be to point you to the massive cyberattack in 2007 on the Estonian internet infrastructure.

If the Russians can take down a small country's infrastructure for whom they do not spend significant amounts of time devising an attack strategy, just wonder what the US and Russia could do to each other with the thirty-odd years they have been preparing for war with one another.

Even more interesting is the case of military cyberattack preparation of the Chinese during Operation Titan Rain. They, I would assume, have as much capability as the Russians to create widespread disruption/destruction.

I can safely say that cyberwarfare becomes an ever more dangerous way for nation-states to attack one another, even if it does not yet reach the level of MAD.

DeepS1X
  • 321
  • 1
  • 5