The premise of nuclear deterrence is based on Mutually Assured Destruction (MAD). In hindsight, this success of this framework seems apparent and is widely taken for granted. But, at the time of its creation, a great deal of effort went into its formulation, and many debated its effectiveness.
With the advent of new destructive capabilities comes the need for additional means of deterrence. And, as the world economy has come to depend on cyberspace, the need to deter nefarious actors from attacking in cyberspace is paramount. Furthermore, much (if not most) of the other forms of deterrence is reliant on cyberspace operations.
Game theoretic principles form the basis of MAD. But, many of these principles do not hold in cyber deterrence. In the spirit of game theory, let’s examine MAD using backward induction.
- Destruction: To deter, each player needs a strategy that includes the capability to Destroy the other. While it is clear that cyber attacks can be quite destructive, the extent to which these attacks harm others varies. Additionally, cyber attacks need not be indiscriminate.
- Assured: For the optimal strategy to be Not Destroy, it is necessary for each actor to:
a) know that it has the ability to Destroy, and
b) know that the other player has the ability to Destroy
For this reason, much of the nuclear testing which led up to the MAD strategy was conducted openly so that each knew the other’s capability to Destroy. This alone is not sufficient. For sufficiency, each player must also be willing to Destroy. Willingness makes the strategy of Destroy credible. Both the necessary and sufficient conditions are difficult to meet in regards to cyber. Revealing cyber capability renders that capability moot in most circumstances. Once an exploit is known, the other player will update their systems to preclude its use. Hence, players’ strategies to date have been to signal capability without specificity. More concerning is the inability to meet the sufficiency condition. The key concern is attribution. In nuclear deterrence, the players are known and monitoring is in place to detect actions. But, in cyber, attribution is difficult (if not impossible) and not timely. Without attribution, a player under attack may not respond in kind (or in proportion).
- Mutual: The failings in this area are a result of the conditions above. Players are both known and unknown; willingness and ability are unclear; and destructive outcomes are not guaranteed. This makes it difficult to reach an equilibrium where no player is willing to employ the Destroy strategy.
Just as the rise of nuclear capability led to advancements in game theoretic thinking underpinning the MAD strategy, growing cyber threats will drive strategic thinkers to develop new frameworks for deterrence under these new dynamics.