by Ian Wallace
Around the world governments are experiencing a growing sense of cyber insecurity. The threat is real, and few nations are adequately prepared. Progress is being made. But the overall sense of insecurity still seems to be growing, not helped by the light shone by Edward Snowden on to what is possible through this domain. Wherever you stand on Snowden or any of the other vexed questions of international cybersecurity, it is hard to deny the sense of vulnerability felt by many governments. And the trouble with governments that feel scared, confused, and helpless is that, just like people, they are prone to do foolish things.
Three trends serve to illustrate this point:
The first trend relates to a tendency to over-militarize responses to overseas cyber threats. There is undoubtedly an “in extremis” cyber defense role for the military, to prevent attacks aimed at causing physical damage and loss of life. In fact, however, the world’s most troublesome cyber operators—like the groups responsible for the attacks to the U.S. financial system—seem adept at calibrating their attacks in a way that falls in the grey area above traditional law enforcement and below the justification for a military response. By looking to militaries to “defend” this space though, governments risk missing the true national security challenge of the information age: working out how the government can best support cyber defenders working in the private sector.
A second trend, which parallels the tendency to over-militarize government’s bureaucratic responses to cyber threats, is the tendency to apply an offensive mindset. This is best characterized by statements such as, “a good offense is the best defense.” That may well not be the case. Given the advantages in favor of cyber attackers—the low cost of developing such offensive capabilities and the extent of our vulnerabilities—providing potential adversaries with both the ideas and the moral license to attack you back is a questionable long-term strategy. More work needs to be done on the dynamics of deterrence in the cyber context, and it might well be that an implied willingness to deploy conventional military capability could be the best way to deter a very serious cyber attack. Nevertheless, given the general state of cyber defense, most governments are well advised to strongly resist calls to “hack-back” against cyber intruders in all but the most egregious circumstances.
A third trend is the rise of “cyber-nationalism” based on the idea of technical “border” defenses. This is perhaps the biggest threat to the international order, because it threatens a “fragmentation” of the Internet. Until recently, people concerned about fragmentation have focused on authoritarian regimes—that see the Internet as subversive and want to constrain it—and developing nations—that simply fear being overwhelmed by cyber threats. More recently, post-Snowden, even more liberal regimes, especially in Europe, have discussed restricting the flow of data (at least ostensibly) as a better way to protect their citizens’ rights. While many of these measures reflect a poor understanding of the actual issues and of the way the global Internet operates, the risk to the international economy and, by extension, global stability is real.
Of course, the common thread that connects these responses is the implicit assumption that the security solutions of the last century will work for this century. True, cyber activity is at root a human activity. Since ultimately there are real people behind those threats, timeless truths about the nature of conflict and strategy can be applied. There is no reason to think that we have to start with a blank sheet of paper. As the authors of the Tallinn Manual have shown, for example, in many cases international laws can be applied perfectly well to the cyber context. Nevertheless, we are long past the era where we can be reassured that a strong, offensively-minded military will be sufficient to defend us against all foreign foes.
So new thinking will be required. And part of that new thinking, at least until many more governments feel comfortable with the new technologies, will be to adopt policies that help prevent or mitigate the fear and confusion they engender. Some nations will seek to exploit that fear and confusion, and that will need to be managed too. But that just makes it more important for countries that appreciate the economic and social value of a free and open Internet to consciously seek to ensure favorable conditions for it. No doubt for some, especially in national security establishments of countries like the United States who see the threats more clearly than most, that will require tough trade-offs. But it is a transition that must be made. The alternative may be worse.
About the Author
Ian Wallace is a visiting fellow in cyber security with the Center for 21st Century Security and Intelligence in the Foreign Policy program at Brookings. He was previously a senior official at the British Ministry of Defence where he helped develop U.K. cyber strategy as well as the U.K.’s cyber relationship with the United States. His research is focused on the international dimensions of cyber security policy, including the implications of cyber for military forces and the appropriate roles of the public and private sectors.