The Internet is history’s biggest and most complex system but it wasn’t designed for security. It was intended to be open and engaging - a platform for sharing and collaboration that was accessible to everyone everywhere.
But the door we’ve opened to innovation and sharing comes with unintended consequences, and living with a serious cyber threat is our new global reality. The book The Starfish and The Spider: the Unstoppable Power Of Leaderless (Beckstrom & Brafman; 2006) introduced a model for thinking about decentralized networks, organizational leadership, strategy, competition and evolution. And it is helpful to consider the growing cyber threat in a comparable framework.
Beckstrom’s Law of Cybersecurity
- Anything attached to a network can be hacked.
- Everything is being attached to networks.
- Everything is vulnerable.
My cybersecurity model relates to what is really going on in our new, more vulnerable world - from a systems perspective, and from a realpolitik perspective. And it starts with a basic fact. Through the impact and reach of the Internet, the world of power and politics has changed forever. We now live in a MAD, MAD, MAD cyber world.
First, let’s look at the classic MAD: nuclear Mutually Assured Destruction. Nuclear MAD evolved from the development and proliferation of nuclear weapons after World War II. It changed the nature of war and geopolitics and helped secure the precarious peace among superpowers that has held for almost seventy years while countless small regional wars have been fought.
The second MAD is cyber MAD, or Mutually Assured Disruption. It echoes the underlying concept of nuclear MAD: nation states and others have the ability to cripple each other’s power systems, industries and economies through broad-scale cyber attacks (Stuxnet is the most salient case). And like nuclear MAD, cyber MAD leads to some level of deterrence among nation states. If one government launches a full-scale cyber attack on another, they or the people in their country are likely to receive the same back. And they know it. But cyber MAD is fundamentally different from nuclear MAD. Nuclear weapons have not been used in war since 1945. But cyber weapons are used millions of times every second. Nuclear weapons are discrete, identifiable and easy to detect if detonated. Cyber weapons are pervasive, unidentified and often difficult or impossible to detect and attribute. So some of the lessons the Cold War taught to many of our current government policymakers are radically inapplicable to cyber MAD.
The third MAD is Mutually Assured Dependence on the Internet, or simply Internet MAD, reflecting our shared reliance on the Internet, and upon each other through the Internet, for communications, commerce, power, travel, shipping, infrastructure – in fact, for almost everything we do. That makes Internet MAD a positive force that delivers incredible benefits to mankind. Most individuals and countries could not function very well without it, and our reliance is growing. A recent survey showed that 57 percent of American women would give up sex for a week before they would give up their smartphones. If that’s not a sign of Internet addiction, I don’t know what is.
The Internet creates benefits for mankind
The Internet benefits all nations, no matter their political orientation, and though they may disagree on some aspects of its use, most of them recognize the importance of keeping it working. Internet MAD helps hold our world together. There are significant implications for nation states and for citizens of the world in this MAD, MAD, MAD cyber world. Governments and societies must evolve to cope with a new reality, just as the world learned to cope with nuclear MAD after World War II. There are many motivations for attacking systems: obtaining state secrets, accessing commercially sensitive information, stealing assets, political activism. But even those who hack and attack want the Internet to work. They know that without it, they couldn’t achieve their broader goals, whatever they may be. Nonetheless, about 70,000 new strains of malware appear every day.
The growth of nuclear weapons was contained first by non-proliferation - limiting the number of nations with weapons - and then by arms negotiations to limit the number of weapons. In cyber space, there are no effective containment policies and the scale, diversity, and growth rate of the Internet mean that none are likely to emerge in the near future. And the current rapid pace of tech development is far beyond that of nuclear development when nuclear MAD was in full play. According to reports, more than 100 nations are investing in offensive cyber capabilities. Relationships among cyber attackers - where they even exist - lack trust, engagement and cohesion, and an atmosphere of retaliation prevails. It’s like the Wild West - except that it engulfs the planet.
This produces a very different set of challenges for those who seek to contain the growing cyber threat. As we learn to live in this MAD cyber world, we must work together to create a more stable and secure Internet, because the downside of Internet MAD’s positive mutual dependence is that the capacity for destruction at the hands of cyber attackers is immense. Some might propose breaking up the Internet to protect their national interests, creating separate and self-contained national networks (think of the recurrent debate in the EU in the aftermath of the NSA scandal). But as we move steadily closer to connecting every person in the world, our economic future will depend even more on maintaining a unified global Internet. It is the foundation for continued innovation and economic growth and a platform for communication across cultural borders and political boundaries. Its unity is essential to our collective future.
So how do we defend ourselves against cyber attack?
In the spirit of collaboration, I have some ideas to contribute.
First, we must develop global definitions, norms and standards for cybersecurity. Second, we must build global trust. Third, we need to use transparency and economic incentives to drive to a higher level of security. Lastly, we must build better security into the Internet itself.
These ideas are just a beginning, a means of starting this crucial global discussion. The Internet is one of mankind’s greatest collective achievements and protecting it is fundamental to our future. The moment has come to bring sanity back to our MAD, MAD, MAD cyber world.