The asymmetry of digital war

Countries should start making sure their populations can survive for three days with no digital systems.

The asymmetry of digital war
Photo by Chuanchai Pundej on Unsplash

TL;DR: Countries should start making sure their populations can survive for three days with no digital systems.

I debated writing this, because it might seem alarmist or anti-government. I'm pretty sure it's neither.

On April 1st, four humans climbed into a capsule the size of a campervan and headed for the moon. It was the first crewed lunar mission since 1972, with a Canadian aboard.

At the height of the cold war, kids got the day off school to watch.

Australian kids watch the moon landing in 1969.

This time, there was so much happening we barely noticed. In the same week:

We're in a digital cold war that's escalating fast, but we're still thinking about it as if it's a traditional war.

Digital war is not physical war

Physical war has two clear sides, and a front line. Our tanks versus their tanks, our troops against their troops. It's east to think about cybersecurity this way too: Nation-states with their weapons and security agencies. But digital warfare doesn't look like that.

Online is the front line

In kinetic warfare (the kind we fight with atoms) there's a line between the military and civilians. Armies fight armies. In digital warfare (the kind we fight with bits) that line doesn't exist. The front runs through your home router, your parent's email account, the teenager who borrows a USB drive.

Iran hacked Kash Patel not by breaching the Pentagon, but by targeting his personal digital footprint. The attack surface isn't your office firewall. It's everyone you've ever communicated with, every device you've ever connected.

Digital is asymmetric

Infosec teams talk about the "red team" (attacker) and "blue team" (defender.) The blue team has to be right all the time; the red team only has to be right once. You're only as strong as your weakest link.

Digital attacks were once costly and risky. They took time and preparation, and you might get caught. But with AI and automation, that's no longer the case. Autonomous agents can keep trying to find a way in, running somewhere in the cloud that's hard to trace. The friction that prevented many attacks is gone.

We're making the attack surface bigger

And now, every piece of software running on your behalf.

Hundreds of thousands of people are now installing autonomous agents on their home computers. We're giving it our bank accounts and ID and calendars and emails. These software agents, called "claws", write and run code on your behalf. It uses software (like Axios) from developers you've never met. Agents create new places for someone to attack, and because they're easy to install (they'll do it for you!) people with very little security background are installing them on their home machines.

Anyone can be hacked

Hacking has always seemed non-violent. Sometimes, Hollywood even makes it look glamourous. When a prominent public figure gets hacked, we usually assume they did something dumb with their password. But the reality is, when someone skilled wants to hack you, they'll succeed. To compromise the developer behind axios, hackers created a fake company, a fake slack channel, and a fake Microsoft Teams platform that required he update some software.

@mattjayy breaks down the hack (did you catch the "microscell.com" in the URL?)

Watch that video and tell me you wouldn't have fallen for that too. Most people do not have the kind of operational security needed to be a difficult target. Our digital footprints are too large, too connected.

Hacking's violent now

Despite the Hollywood portrayal, hacking is not a mild crime any more. We already see how scammers destroy people's lives.

Now consider what happens when there's a widespread outage. Banking stops, which means Interac and tap-to-pay and ATMs and payroll go dark for days. If phones aren't working, there's no GPS, no Uber or Lyft, no home delivery. Ambulances can't find homes, and if they get a patient to hospital, the records aren't available.

We built a civilization stack that runs on networked software, which runs on dependencies maintained by volunteers, deployed with configurations nobody's checked, communicating through libraries like axios.

But we have plans for this, right?

We used to prepare for bad things

Contingency plans do exist. Canada's Federal Cyber Incident Response Plan defines a catastrophic event as one causing widespread loss of life, major long-term damage to the economy, or severe impediment to national security. It gets invoked by a committee, and it can trigger the Emergencies Act.

The Act—as many protesters learned during COVID when it was invoked for the first time to quell a trucker rally in Ottawa—lets the government direct essential services, assume control of utilities, and in an international emergency, start rationing and using force to maintain order. Notably, it prohibits the government from censoring communications even during a declared emergency.

They are, simply, orders to maintain order. Citizens don't appear much in these plans.

During the Cold War, we ran civil defence exercises. People knew where to go and what to bring. We kept emergency supplies. Some countries issued their citizens gas masks. We prepared. In border countries like Finland, military service was mandatory, and citizens rehearsed defending their villages and towns.

They made comics for kids in the fifties. (https://civildefensearchives.org/)

We once prepared for bad things. Shouldn't we be doing that now? We are undoubtedly in a time of elevated threats, but we're acting like nothing is happening. Do you own a map? Have cash on hand? Remember your neighbor's phone number? Have a printed copy of your ID and medical records?

These seem like pretty basic things. Mostly, we're just hoping. Hoping everything works out; hoping someone else has thought this through for us; and hoping and that everyone will follow the plan when the time comes.

Hope, like nostalgia, is not a strategy.

I'm pretty certain that we live in a world that will—a few times this decade—be offline. If governments shared these plans today, and worked to prepare us for this new reality, lives would be saved. We could be helping our country—and one other—to prepare. It might be uncomfortable, or scary. That's not a reason to avoid it.

Here's a bold suggestion: We should schedule an analog day. A drill where we try to survive for 24 hours as a country without touching a digital device, and write down every time we do. The 2026 equivalent of duck-and-cover, or air raid drills.

We can handle the truth, and we'll be better prepared for it.