March 28, 2012

MAD About Cyber-Security

While the decades of the Cold War were witness to various and sundry proxy fights in discrete, far-flung battlefields, as well as rare moments of frightening brinksmanship, the relationship between the U.S and the Soviet Union was largely governed by the very real-world military doctrine of mutually assured destruction (MAD). Simply put, given the massive nuclear arsenals on both sides, it would have been, well, mad, to contemplate mutual annihilation - neither side had any rational incentive to initiate a full-scale conflict because retaliation would ensure that victory was utterly unachievable.

Key to the tacit superpower “agreement” was the need to ensure that the precarious balance not be upended, for instance, by the spread of the technology capable of enabling unstable powers to enter the game. With NATO and the Soviets and Satellites in an effective stand-off (excepting “controllable” proxy spats), the imperative was to manage proliferation, hence the 1970 Non-Proliferation Treaty (NPT). While history has demonstrated that the NPT was only marginally effective, it complemented MAD in precluding escalation to any world-devastating conflict.

Flash forward to today’s era of cyber-insecurity. While the landscape is not as well-defined as during the black and white, us-vs.-them Cold War days (State and non-State sponsored cyber activity is common worldwide), the two biggest actors, the U.S. and China, are caught up in a maddening (as it were) dance. While various States and non-States – Russia, Israel, Anonymous, WikiLeaks (to name a few) - are wielding their cyber-tools with only sporadic and superficial notice, the U.S. and China are ratcheting up their bilateral cyber-tension, in terms of both action and rhetoric.

Not a day goes by that we don’t read of Chinese cyber-incursions into U.S. networks. Not a week passes that we don’t hear one or another strident Government Agency or Congressional voice decrying Chinese theft of secrets and threats to U.S. critical infrastructure. Presumably, the Chinese have the same concerns about American activity inside their cyber-borders and networks – they are perhaps just less publicly vocal on the topic. In Washington, however, cyber has become the scare de jour.

What’s lost in the fear-mongering hullaballoo is the fact that both sides are mutually vulnerable, to each other, and to other actors in what is essentially a borderless cyber-world. National governments and globalized industry struggle – in frustrating fits and starts - to define best practices to secure supply chains and to develop technologies and tools to monitor and analyze digital traffic to detect, quarantine and quash the potentially nefarious. Flash back to the early Cold War: Would the signatories to the NPT have even had a treaty to sign in the absence of Superpower MADness?

Fragmented (national) solutions to cyber-threats will not effectively address what is intrinsically a global phenomenon. Indeed, beyond being ineffective in managing cyber-threats, such initiatives will ultimately result in further fragmentation and disruption – in terms of global information and communications technology (ICT) supply chains, digital commerce, and, ultimately, innovation and economic recovery and growth.

The facts are – as anyone engaged in any intellectually honest discussion must acknowledge – that effective solutions to cyber-security concerns must be universal because cyber-vulnerabilities are shared across the entire ICT industry and every country because the ICT industry – ALL players – is transnational. But, until and unless the U.S. and China come to some accord in terms of acceptable ("controllable") cyber behavior, a fact-based, rational and effective solution to our cyber-worries may well remain elusive. MADdening isn’t it?

It’s time to borrow from the past, and not in terms of Cold War, knee-jerk, “they’re all evil” sentiments, but, rather, in terms of settling into a MAD-like Nash Equilibrium. The U.S. and China must agree to certain behaviors, and then project adherence to those behaviors via some latter-day NPT-like global cyber regime. (Please don’t read that wrong – it’s obviously too late to stop proliferation of tools of digital mischief, if it was ever possible. And, just as the criminalization of hacking is a pipe dream - which even if achieved would fall flat in terms of enforcement - so too are UN cyber-inspectors).

Bottom line: All of today's inflammatory cyber-rhetoric and cyber-political flailing about is serving no-one’s true cyber-interests. Globalization is real. The ICT industry is global. Our digital economies are increasingly interdependent. Cyber-threats do not respect - or even recognize - national borders (e.g. Stuxnet did some collateral damage outside Iran). Today's superpowers must acknowledge that their bilateral (and mutual multilateral) tension and conflict are not going away and, as such, should at the very least strive to manage common vulnerabilities in such a manner that both sides can continue to maintain their respective national AND economic securities, to their mutual benefit.

Just sayin'...