Japan: Leading the Way for MAD Doctrine for the Cyber World
Frequent readers of my blogs will know that I have a passion for information security. Unless a reader has reviewed my LinkedIn profile in detail, they will have missed the fact that my undergraduate studies were in political science and international relations (IR). One of the most heavily used case studies in IR, and in how different nations interact, is the Cold War between the United States (US) and the Soviet Union (USSR). A frequently cited reason why the Cold War never turned hot is that the US and the USSR each possessed enough nuclear weapons to ensure that neither side could strike without being destroyed in return. This intersection of game theory and international relations became known as the MAD doctrine (Mutually Assured Destruction).
Unless one side destroyed every single nuclear missile silo and mobile launch site in the opposing nation before the other side realized what was happening, the opposing nation would retaliate and launch its own nuclear weapons at the first-strike country; missiles would pass each other in flight and eventually devastate both countries. The consequences of such action were so devastating that each country had to exercise extreme restraint and leave “the nuclear option” as a very last resort. Thankfully, the Cold War ended without turning hot, and the number of nuclear arms in the world is steadily declining thanks to the START (Strategic Arms Reduction Treaty) and SALT (Strategic Arms Limitation Treaty) treaties. There are currently 190 nations that have signed the Treaty on the Non-Proliferation of Nuclear Weapons (NPT), which bars signatories without nuclear weapons from acquiring them while guaranteeing them access to nuclear technology for peaceful, non-violent purposes (medicine, power generation, and the like).
Last week, Japan announced that it is the first nation to develop “defensive” malware as part of its 21st-century version of the MAD doctrine. While many cyber armies have developed malware for offensive purposes such as surveillance, intellectual property theft, and the disruption of critical infrastructure, this is the first time a nation has restricted its use of cyber weapons to retaliation against the attackers, and only after it has itself been the victim of a cyber attack. Beyond cyber capabilities, Japan has been in a unique position since the end of World War II: it is one of the nations not permitted to maintain a traditional standing army or to use force internationally for any reason. Under its constitution, ratified in 1947, Japan is only allowed to possess a Self-Defense Force (SDF) to protect the Japanese mainland. With that self-defense framework in mind, Japan has applied the same thinking to the cyber world, which NATO formally declared an official battlefield in 2016, and has pledged not to use its newly created malware offensively.
The development of cyber weapons for defensive purposes is part of a broader Japanese military modernization campaign to keep pace with increasing hostilities from China and North Korea, both of which are known to have superior offensive cyber capabilities. Hosting the 2020 Winter Olympics in Tokyo will also paint a giant target on the nation’s cyber infrastructure, since the recent Olympic Games in Brazil were the target of the Olympic Destroyer malware campaign. This announcement comes on the heels of another significant announcement from Japan: its government is planning to conduct a nationwide vulnerability assessment of its citizens’ IoT devices and to notify the owners of devices that use weak or hard-coded credentials.
Japan is only the fourth nation to admit publicly that it develops cyber weapons. While countries such as Israel, Iran, and Syria have developed and aggressively used malware, they have never formally acknowledged it. “Hacking back” has also been discouraged (and is illegal in many cases) because it can lead to an unnecessary escalation of an attack, but using malware against an attacker falls into a legal grey area. Tokyo is hoping that merely possessing these cyber weapons will deter attackers from harming its cyber infrastructure or interfering with the 2020 Olympic Games, but the example of the United States suggests that this is wishful thinking. The United States has a vast arsenal of cyber weapons, as seen in the Shadow Brokers and Vault 7 leaks, yet it is continuously under cyber attack from other nations, including nation-state actors.
The problem of attribution also has to be taken into account when considering cyber adversaries: it took weeks to months to determine that the WannaCry ransomware outbreak was the work of a North Korean hacking team. Even then, it is increasingly difficult to determine whether such an attack is the work of state-sponsored actors or of the North Korean private sector. In the Cold War, it was reasonably easy for a nation to determine the origin of a missile launch, and only governments could afford the hefty price tag of nuclear arms. In today’s cyber world, an attacker can purchase an exploit kit on the dark web for a few hundred dollars and use it against a nation state. The attribution problem arises when trying to determine whether an individual acted alone, acted with the help of a nation state, or is staging a false-flag attack. These questions will have to be answered before Japan can safely retaliate without causing significant collateral damage.
Just as the Strategic Defense Initiative missile defense system was meant to protect the US and its interests abroad during the Cold War, cyber defenses can significantly assist in preventing the next cyber war. As nations take measures to protect their systems, they become less vulnerable and harder for other nation states to exploit and attack. Using an always-on security solution that protects users on and off the corporate network ensures that users receive protection wherever they go. The ability to inspect SSL and TLS traffic is increasingly important as more internet traffic becomes encrypted and nation states take advantage of the fact that many organizations do not decrypt SSL- and TLS-encrypted traffic to inspect it for threats. It has been said that the best defense is a good offense. Japan, however, has taken the opposite stance: the best offense is a good defense. Only time will tell whether it made the right choice.