Gaming out cyber-attacks

The Cold War and nuclearisation provided new impetus for game theory. Between 1950 and 1991, eyeball-to-eyeball situations that almost triggered a nuclear war occurred every so often, during the Korean War and the Cuban Missile Crisis, for instance. There was also a significant chance of launching nukes by accident, or in error, after mistakenly assuming the adversary had launched.

Even 75 years after Hiroshima, nobody has a credible defence against nuclear strikes. If nukes are ever used, they guarantee huge loss of life and utter physical destruction. Mutually assured destruction (MAD) became a catchphrase once both sides possessed three-strike capability (the third strike being delivered by nuclear submarines hiding under polar ice) and enough firepower to destroy Earth many times over.

Apart from gaming scenarios of attack, escalation and retaliation, the Cold War strategists figured out it was useful to share some information, and to talk to adversaries. A shoot-out is less likely if both parties know the other is capable of massive retaliation. Letting the adversary know what the lines in the sand are is also useful. The legendary hotline between the Kremlin and the White House, and the Strategic Arms Limitation Talks were other safeguards against an accidental World War.

Cyber-warfare adds a new dimension. Unlike nuclear weapons, anybody can build a cyber-arsenal on the cheap. People everywhere use the same operating systems for computers and smartphones, and hardware is also standardised. Any smart kid who fiddles with code, or takes apart off-the-shelf hardware can craft cyber-exploits.

It takes highly technical analysis to figure out the perpetrators of a well-obfuscated cyber-attack, if at all it is possible. This also makes state-sponsored cyber-attacks diplomatically deniable. Many government agencies have built capacities for cyber-espionage and surveillance, and for destructive exploits. Some have also tapped into private capacities by recruiting hackers to do the dirty work. At least one rogue state — North Korea — seems to have used cybercrime as a revenue-stream. 

While cyber-attacks don’t directly kill people, they can destroy infrastructure. Ukraine has had its power systems shut down several times. Banking systems have been hit. Ports have been hit. The British National Health Service has been hit. Hundreds of municipalities have been hacked and forced to pay ransomware. Traffic management systems have been hijacked. Metro systems have been shut down. Critical data has been deleted from government servers in the Ukraine, and Georgia. Attempts have been made to directly hack election infrastructure in several cases (quite apart from using social media to influence voters).

One key point of similarity with nukes is that there are no fool-proof defences against cyber-attacks. Specific systems can be hardened. But even air-gapped, highly protected systems like the Iranian nuclear establishment have been targeted successfully.

It is impossible to harden everything in a highly connected society where every individual, more or less, uses digital services and even household appliances are net-connected. Given trillions of lines of code embedded in devices, which run on highly complex hardware, it is impossible to even figure out how compromised or vulnerable a given system might be. 

In her recent book on the cyber arms race, Nicole Perlroth claims US budgets for the offensive use of cyber-tools far exceeds budgets for defence against cyber-attacks. This is a feature, rather than a bug: Building an offensive cyber-arsenal is much easier than building defences.

This is a new area where game theory must be applied to understand new paradigms. In any modern conflict, the cyber element will be crucial and cyber-attacks certainly won’t be restricted to targeting conventional military capacity.

Strategic thinkers will have to game scenarios of cyber-attacks, escalation and retaliation. Nations will have to build the equivalent of second-strike, and third-strike cyber-capability and they’ll have to convince potential adversaries that they have credible ability to retaliate.

Einstein said, “I know not with what weapons World War III will be fought, but World War IV will be fought with sticks and stones”. He could well be proved right if WWIII is fought with cyber-weapons.

Business Standard is now on Telegram.
For insightful reports and views on business, markets, politics and other issues, subscribe to our official Telegram channel