by Nazli Choucri

By now everyone recognizes the salience of cyberspace in the world today. With the Internet at its core, cyberspace has become a “fact” of daily life for almost everyone everywhere.  While there is an increasing awareness of threats to cybersecurity, matters of malware, intrusions, breaches, and the like resonate poorly, if at all. Less appreciated still are the intents and impacts associated with different forms of unauthorized access.  But “espionage” captures attention, due less to its manifestation in the cyber domain than to our familiarity with the phenomenon.

Espionage is undoubtedly one of the earliest forms of advanced “undetected intelligence” in organized societies.  As a political practice it is does not usually violate any international law and—within certain bounds—can be an acknowledged and respected skill. Traditionally, state-sourced espionage has been for political purposes, with the intent to obtain information about motives and capabilities of adversaries. Theft of industrial or intellectual property and the like—through whatever means—violates generally acceptable practice pursued for economic gain. In general, economic espionage is for economic and industrial advantage as well as for unauthorized access to intellectual property.

At the global level, this practice may result in facilitating something like “technology leapfrogging” whereby this practice reduces innovation time by technologies at the frontier. Clearly this is deemed “unacceptable” in traditional centers of economic and political power worldwide, nonetheless, it is on the rise. But we do not quite know how much, by whom, when, how, as well as other specifics. But there are central tendencies with strong foundations.

Prevailing evidence—in metric, narrative, case, or other form—points to China as a major practitioner tending to a wide range of targets worldwide. It is not alone as a state-based source of economic espionage. In addition to attendant opportunity costs incurred by the target entity, that form of technology leapfrogging was not what was intended when industrial countries argued for various forms of development assistance.

What can we do about this? At this point, we can do very little. We have no agreed upon means of metricizing, testing, evaluating, and understanding the size scale and scope of cyber intrusions. We think we know how frequent these attacks are, who attacks whom, and how dangerous are the attacks. We have lots of data points based on various firms and state agencies announcing that they have located “espionage,” but little systemic evidence that these attacks go beyond probing and are damaging.  Despite U.S. requirements that firms report unauthorized cyber intrusions—espionage or other—many are reluctant to comply until the attack is especially damaging.

Even less appreciated, is the underlying paradox created by early investigations, a paradox that impedes sustained advances in our understandings of the challenges at hand—let alone effective responses.

This situation can be framed as a simple paradox. On the one hand, a large number of institutions and research initiatives—private and public—have been devoted to identifying and metricizing cyber threats incidents. The metricizing of security threats is already generating a large “industry” of cyber security firms—national and international—each with its individual “products.” On the other hand, there is little advance toward a consensus about the nature, let alone the specifics, of the overall evidence. There are no agreed upon ways of combining metrics that were generated according to different principles, different labels, different categories, and so forth, and thus prevents the effective use of this seemingly “data-rich” situation.

To address this paradox, three relatively distinct actions are imperative. These pertain to meta-level frameworks, malware systems, and analytical capability.

A first imperative is to construct a meta-level view of the current data on intrusions and instances of “espionage” with its great diversity, different foundations, and various mode of compilation. This will help us combine seemingly idiosyncratic observations into more aggregate, even generic, types. If we had a generic meta-level data product, then we could situate the individual intrusions (and efforts to protect) in a common context.

The second imperative is to examine the data on malware currently available and organize these in terms of their damage capabilities in general, as well as by type of damage targeted to specific situations or contexts. Simply put, this means that we must exploit the knowledge and information currently available about diverse types of intrusion tools, instruments, and targets in order to extract knowledge.

The last imperative is to concentrate on strengthening analytical capabilities for cyber threat assessment. Rates of cyber threats are growing faster than our ability to understand, respond or manage these undesirables. First, we must identify system-wide changes overall, as well as those derived from sub-system elements (i.e. the “bottom-up”), and then explore the cross-level feedback (i.e. the “top-down”). The second priority is to construct a system representation that allows us to address and model the reality, as well as the dynamics, of change.  To be effective, capabilities of this type must take into account contending actors, with diverse culture and preferences, whose behaviors over time will affect not only each other but the system as a whole. Third, we need to systematically explore the potential effects of potential intrusions and examine various “what if” contingencies.

Under the best of circumstances, all this takes time. Sooner or later these imperatives will be addressed in a collective context. Meanwhile we can share insights—between the private and public sectors— about the advantages of exploring different short-term strategies to help manage the espionage issue in its many facets.

About the Author