Do we all need a cyber fallout shelter?

Anyone born before 1960 has memories of something called a “fallout shelter” (No, not the video game.) These were underground emergency living quarters (based on European experience with World War II bomb shelters) that were built by the federal government and some private interests beneath many large public buildings, notable by their black and yellow signs. They were also underground bunkers built beneath thousands of American homes. Some of these aging, underground living quarters are still around, and they are popular within the “prepper” community.

The story of these 1960s fallout shelters is relevant to the story of cybersecurity today.

President Dwight Eisenhower established a secret project called “Project Solarium” (named after the solarium room in the White House) in 1953 to evaluate the overall American approach to its rivalry with the Soviet Union. The project was historic, not least because it established that there would be a permanent potential for nuclear war between the United States and the USSR and that the Soviets would be deterred from attacking the U.S. by our massive nuclear retaliation. Almost as important, the project introduced into mainstream American policy-making the idea that nuclear war with the Soviet Union just might be unavoidable. This gave rise during the late 1950s, and particularly after the arrival of President Kennedy in 1961, to the notion that the American people needed to be prepared for the possibility of a nuclear war.

Which, of course, is where fallout shelters came in. 

Fallout is the poisonous, radioactive dust that spreads out after a nuclear explosion. It can remain poisonous for weeks, months or years. President Kennedy’s 1961 letter to all Americans in Life Magazine, effectively calling on homeowners to build fallout shelters, set the stage for the notion that we must be prepared to live through nuclear Armageddon. Although Kennedy insisted that the main form of deterrence of a Soviet attack was our retaliation, it was widely reported, and promoted by many military authorities, that America’s ability to survive a nuclear war was actually an important deterrent to a Soviet nuclear attack. To oversimplify a bit, America’s publicized fallout shelter program would ensure that the Soviets knew that in a nuclear war, the Soviets might kill more than 100 million Americans, but because of America’s fallout shelters, the United States would at least survive a nuclear war; and the Soviets could not. For many reasons, our nuclear fallout shelter programs gradually faded and effectively disappeared by the 1980s. But the underlying concept of civilian survivability as a means of deterring an attack remained alive, although dormant, into 2020.

When Congress decided in the 2019 Defense Authorization bill to establish a commission to examine the full range of cyber threats, they named it the Cyberspace Solarium Commission (CSC), using Eisenhower’s term for a comprehensive security assessment. The CSC issued its quite thorough report in March, and many of its recommendations are in the current House and Senate versions of the 2021 Defense Authorization bills. Because the commission’s work is so comprehensive, its work has been the subject of debate among cybersecurity experts. However, with all eyes on topics such as the pandemic, protests, the economy and the elections, the CSC’s work has not gotten anywhere near the attention that it deserves.

While the commission’s report addresses big issues such as government organization and government/industry cooperation, it also makes an important, but little-noticed point that echoes President Kennedy’s pronouncements of almost 70 years ago: The American people need to be prepared for Armageddon… this time cyber — not nuclear — Armageddon. In what the commission describes as “Promote National Resilience and Deny an Adversary Benefits,” it explains that “The nation must be sufficiently prepared to… recover from an attack, sustain critical functions… and, in some cases, restart critical functionality after disruption.” Importantly, it explains “But, as is also true of natural disaster preparedness, the American people do not need to be helpless. DHS… should expand citizen preparedness efforts…” and “the capacity to withstand and quickly recover from attacks… is key to denying adversaries the benefits of their operations and reducing confidence in their ability to achieve their strategic ends.”

Here, President Kennedy and the CSC align in the thoughts that: (1) average Americans need to be prepared for a catastrophe — then nuclear, now cyber; and (2) our preparedness is actually a means to deter attacks.

Can a cyber fallout shelter actually deter a cyber attack?

However complicated the 1960s notion that a fallout shelter would deter the Soviets from attacking the United States, it is simple compared to calculating the deterrent effect of a cyber fallout shelter today. Thousands of American nuclear fallout shelters as a deterrent was a short-lived policy aimed at a few dozen Soviet leaders, intended to convince them that the United States would “win” a nuclear war. Experts have many reasons why they believe the “fallout shelter as a deterrent” or the “fallout shelter as humanitarian protection” theories were abandoned, but the most persuasive are that few believed that they would actually work — either to deter Soviet leaders or to genuinely protect American families. Similarly, an important question raised by the CSC is whether American cyber resilience in the form of complicated and costly “continuity of operations” arrangements would actually deter adversaries from launching a cyberattack.

Few experts believe that agencies, companies and families investing in back-up arrangements so that life can go on after a cyberattack would actually deter such attacks. Although there are important steps that can reduce the likelihood of successful cyberattacks, the potential attackers are so numerous, so diverse and so easily hidden that few of them would fear retaliation. And very few attackers would avoid attempting a cyberattack simply because they believed the victim might be able to go on with life.

On the other hand, although 1960s fallout shelters were mostly useless in protecting families from long-term fallout, cyber fallout shelters could probably work and allow life to go on. As the CSC points out, just as we prepare to live off the grid after a natural disaster, we must now prepare to live off the grid after a massive cyberattack.

Depending on how one counts them, the CSC is at least the sixth major high-level panel to examine cybersecurity since the 1990s. Nearly all agree on the simple fact that absolute cybersecurity is not possible. If the world’s wealthiest person, the CIA, the Democratic Party, the Office of Personnel Management, Garmin GPS, Twitter, Target and thousands of other very sophisticated entities can be hacked, everyone using the open internet must recognize their — and our — collective vulnerability to a cyberattack. Core problems are the staggering number and range of attack surfaces and the ease with which human beings can be deceived into leaving a cyber gate open. This vulnerability applies to individuals as much as it does institutions and governments.

Which brings us back to whether or not we (agencies, companies, families, individuals) all need to plan on how to survive a successful cyberattack. Do we all need our own cyber fallout shelters?

By almost any measure, although it will have little impact on deterring cyberattacks, the answer is yes: We all need a cyber fallout shelter. For example, many election authorities have abandoned any links with the internet and now rely on paper ballots. Similarly, it has been reported that the U.S. Navy has begun to enable celestial navigation once again. These are examples of 21^st century cyber fallout shelters.

As we all become more and more dependent upon internet connections and services for national defense, public services, employment, education, entertainment, banking, bill-paying, human relationships, and much more, we are increasingly vulnerable to various and growing cyber threats from thousands, if not millions, of sources. Even if back-up arrangements do little to deter cyberattacks, our being prepared for periodic life without the internet is our 2020s version of President Kennedy’s 1960s fallout shelters. But this time, our back-up arrangements could and should work.

Roger Cochetti provides consulting and advisory services in Washington, D.C.  He was a senior executive with Communications Satellite Corporation (COMSAT) from 1981 through 1994. He also directed internet public policy for IBM from 1994 through 2000 and later served as Senior Vice-President & Chief Policy Officer for VeriSign and Group Policy Director for CompTIA. He served on the State Department’s Advisory Committee on International Communications and Information Policy during the Bush and Obama administrations, has testified on internet policy issues numerous times and served on advisory committees to the FTC and various UN agencies. He is the author of the Mobile Satellite Communications Handbook.