The Cheapest Defense

John Boyd spent his career studying why some fighters won and others died. The Air Force colonel, who earned the nickname "Forty Second Boyd" for defeating any opponent in simulated combat within forty seconds, distilled his insights into what became known as the OODA loop: Observe, Orient, Decide, Act. The pilot who cycled through this loop faster disrupted his enemy's decision-making, generating confusion and exploiting the resulting hesitation.

Boyd's framework found applications far beyond the cockpit. Business strategists adopted it for competitive positioning. Military planners used it to design doctrine around tempo and initiative. The common interpretation emphasizes speed: cycle faster than your opponent, get inside their loop, keep them perpetually reacting rather than acting.

But there is a more fundamental insight buried in Boyd's work, one that matters more than mere speed. The entire loop depends on the first step. Without observation, there is nothing to orient toward, no decision to make, no action to take. An enemy who cannot observe is not slow; he is paralyzed. The most devastating attack on an adversary's OODA loop is not outpacing him but blinding him entirely.

This is what privacy accomplishes. Encryption does not make you faster than your adversary. It makes your adversary unable to begin.

Consider the economics of surveillance. Mass observation works when data flows freely, when communications cross networks in plaintext and metadata accumulates in centralized databases. Under these conditions, watchers enjoy economies of scale. The marginal cost of adding one more target to the surveillance apparatus approaches zero. One analyst can monitor thousands; one algorithm can process millions.

Encryption shatters this economy. When communications are encrypted end-to-end, the watcher no longer observes content. He sees only ciphertext, indistinguishable from random noise without the key. The marginal cost of surveillance does not approach zero; it approaches infinity. Each target becomes a separate cryptographic problem, requiring either key compromise through targeted attack or computational resources that exceed what the universe will provide before heat death.

The numbers are stark. Encrypting a message costs a few milliseconds of computation, often hardware-accelerated to the point of invisibility. Breaking that encryption through brute force is not expensive; it is impossible. A 256-bit key represents more possible combinations than atoms in the observable universe. Clever attacks can reduce this margin, but they require specific conditions: known plaintext, implementation flaws, side-channel access. They require, in other words, targeting. And targeting is exactly what mass surveillance cannot afford.

Government programs designed around bulk collection have discovered this the hard way. The Privacy and Civil Liberties Oversight Board examined the NSA's phone metadata program and found it delivered little to no counterterrorism benefit. Congressional reviews of fusion centers concluded they produced no valuable intelligence. Post-mortems of attacks like Fort Hood revealed that threat information was buried in data floods, invisible not because of insufficient collection but because of insufficient filtering. Mass surveillance generates haystacks; it does not find needles.

The mathematics are worse than merely disappointing. When searching for rare events, even highly accurate detection systems drown in false positives. A test that correctly identifies 99.9 percent of threats, applied to 330 million people, generates 330,000 false alarms for every actual threat detected. The analysts who must investigate these leads are not merely inefficient; they are consumed by noise while signals slip past.

Meanwhile, the defender's economics improve with every adoption. VPN services cost a few dollars monthly. Signal protocol costs nothing. Full-disk encryption ships standard on modern devices. Each deployment raises the attacker's costs while keeping the defender's costs near zero. The asymmetry compounds.

The implications extend beyond frustrating intelligence agencies. Adversarial OODA loops are not limited to state surveillance. Commercial data harvesters build profiles for advertising, pricing discrimination, and influence operations. Criminal enterprises pursue financial fraud, identity theft, and ransomware deployment. Each adversary relies on observation as the foundation of their operations. Each faces the same wall when targets encrypt.

Boyd understood that victory came not from attrition but from collapsing the opponent's ability to function coherently. Deprived of observation, adversaries cannot orient to circumstances, cannot decide on courses of action, cannot act with purpose. They flail. They exhaust resources investigating noise. They reallocate effort toward softer targets.

This is the strategic logic of privacy: not hiding wrongdoing, but imposing costs so extreme that surveillance becomes economically irrational. The adversary who cannot afford to observe you is an adversary who will stop trying. Not because you convinced him you have nothing worth seeing, but because you made seeing you unprofitable.

The cypherpunks understood this thirty years ago when Eric Hughes wrote that the act of encryption removes information from the public realm. They built tools to make this removal routine, automatic, ubiquitous. They understood that code enforces in ways that law cannot, that mathematics does not bend to jurisdiction or warrant.

The fight is not won. Governments press for backdoors. Corporations resist encrypting by default. Most people still communicate in plaintext because convenience outweighs abstract threat assessment. But the economics have not changed. Defense through privacy remains the cheapest defense available, and attack through surveillance remains expensive, scaling poorly, and increasingly futile against populations that adopt the available tools.

Boyd's fighter pilots won not because their aircraft were superior, but because their cockpit visibility and control responsiveness let them cycle faster than opponents who were still orienting. Privacy offers something better than faster cycling. It offers the end of cycling entirely, for your adversary. Blinded, he can spend whatever he wishes on Orient, Decide, and Act. Without Observe, he will never reach them.