Cyberspace, a domain created not by nature but by human beings, has emerged to provide tremendous benefits, but also to present new risks. Recently, cyber security has become a national policy issue. Driven predominantly by national security concerns, democracies have formulated national cyber strategies.
Consistent definitions are essential. Cyberspace refers to inter-connected information technology infrastructures comprising computers, computer-embedded systems, telecommunication networks, the world wide web and the internet, including the information transmitted and processed within these systems. The public internet is only one part of cyberspace. Other parts include mission-specific systems that vary widely in size and complexity and control the function of various obscure processes; these control functions gradually become computerised. The term “cyber,” derived from the Greek, refers to the control element.
For over two decades we have been hearing: “Cyberwar is coming!” To the surprise of scholars familiar with the Realist theory of International Relations, the idea of Cyber War emerged alongside cyberspace conceptualisation and then realisation. History and philosophy show that scientific developments do not alter human nature enough to eradicate violent conflict. While the potential for using cyberspace in a conflict is obvious, the currently prevailing properties of cyberspace make fundamental concepts of attack, defence, and ultimately war inadequate. However, even experienced defence and IT professionals all too often confuse acts of cyber crime and espionage with cyber attacks. Failing to conceptualise what cyber warfare is and, more importantly, what it is not, skews perception and results in faulty policymaking. Let us now turn to a critical examination of the major issues in the cyber war debate. This article will discuss the significance of threats, the adequacy of the cyber war metaphor, the promise and problems of emergent responses and the securitisation critique. Finally, the article will outline a future approach.
RISKS AND MATERIALISATION
Technologically identical methods are used to gain unauthorised access to computer resources for most cyber operations, regardless of the intended purpose: crime, terrorism, industrial espionage, military espionage, or warfare. Indeed, novel cyber attacks on critical national infrastructure are likely to severely disrupt social activities if successful. It has become theoretically possible to exploit the properties of today’s cyberspace to attack strategic targets remotely. Furthermore, the attacker risks significantly less in cyberspace due to the widespread use of vulnerable commercial off-the-shelf technologies, the difficulty of distinguishing a glitch from malicious action, and the challenges of identifying the attackers.
The discovery of “Stuxnet” was the major driver for national cyber security. The threshold leading from cyber exploitation (espionage and criminal data theft) to physically destructive, politically motivated cyber attack was crossed in a spectacular manner. It remains the only known manifestation of a novel phenomenon: successful exploitation of cyberspace to target the control layer of a complex industrial process in order to achieve a destructive goal, all while avoiding military confrontation.
The unique properties of information and cyberspace make some of the familiar concepts inadequate. This paradoxical state of affairs testifies to the fundamental novelty of cyberspace that renders even millennia-old concepts unsatisfactory. Stuxnet demonstrated just how sophisticated and precise cyber weapons could be, but to evaluate all cyber weapons’ strategic effectiveness according to this specific case assumes too narrow a perspective. Website defacement, distributed denial-of-service (DDoS), massive cyber espionage – all are labelled “attacks”; some espionage operations are often upgraded to the “advanced persistent threat” moniker, and the whole scene is called “cyberwar.” War is a central experience of mankind that always had gruesome properties. “War is an act of force to compel the enemy to do our will”; it consists of several universal elements, famously formulated by Clausewitz. Centrally, war is a violent act, where the threat of force and violence is instrumental to achieving a political goal. Neither denial-of-service, web hacking, nor espionage are even potentially violent, even when Stuxnet is considered – no cyber incident has yet been violent nor caused loss of human life. Since none of the cyber events have yet met the requirements to constitute a war, the “cyberwar” metaphor should be relinquished, at least for the time being.
NATIONAL INTERVENTIONS INCYBERSPACE
The proponents of the internet as a self-organising global commons met national security strategies, along with the accompanying regulations and surveillance, with disapproval. Perhaps unsurprisingly, reliable evidence shows that the global commons ideal shunning state-led interventions is very remote from reality. Even liberal democracies employ domestic measures, such as content filtering and persistent surveillance for national policy ends, while confronting some opposition on legal, civil liberty and privacy grounds. The recent official national cyber strategies in developed democracies demonstrate a retreat from the long-term libertarian ideology that originally had shaped internet policy.
The idea of the internet delimited into national sovereign networks was disdained in the West, with pundits labelling this scenario with the unambiguously negative term “balkanization.” However, the trend of national intervention in cyber is inevitable: once the crucial importance of cyberspace is acknowledged, no state can stay away from trying to assert cyber power. A constructive debate should focus on the decision-making process and the character of actions selected by national governments, instead of decrying the loss of an ideal.
MILITARISATION OF CYBERSPACE: MEANINGS AND OUTCOMES
Developed states have recognised the inadequacy of a laissez faire approach to cyber, but only after repeated cyber breaches had increased perceived insecurity did national cyber security policies became politically feasible. Analysing the national responses to cyber security challenges reveals a pronounced trend towards the concentration of capacity in defence and intelligence circles. The accompanying over classification of the decision-making process regarding the means, goals, strategies and activities severely stifles the public voice, increasing the conflict with the citizens’ civil liberties. The severe suppression of public participation in the unfolding policy debate is anti-democratic. In practice, over-classification will be counter-productive. Cyber security is one of the pronounced cases of multi-stakeholder governance where a subordination of all its facets to the national security establishment’s perspective cannot provide a net-benefit outcome.
Acknowledging this problem does not necessarily lead to the securitisation interpretation to which the critical security studies scholars adhere. For the “Copenhagen School,” securitisation is an extreme version of politicisation that enables the use of extraordinary means in the name of security. But what if the strategic environment has undergone such a technology-driven change that methods previously considered extraordinary become vital? The vulnerabilities of cyberspace can be attributed to a protracted market failure of the IT industry. The business sector is justly recognised as essential for many facets of cyber security – but cannot go it alone. It also should not: just as we do not expect citizens or companies to defend from air-to-surface missiles by themselves, we cannot reasonably expect cyber security without a national security effort.
The defence apparatus has an indispensable role to play in national cyber security and resilience, but it should be more closely controlled by democratic mechanisms.
CYBER SECURITY: FROM A TECHNICAL-MILITARY TO A DEMOCRATIC APPROACH
We cannot afford blissful ignorance regarding our changing environment. This essay started with a brief conceptualisation of the central phenomena and then critically assessed three major issues in the cyber debate. These points are stressed.
The new risks and threats are real, making cyber security necessary. We, as individuals as well as societies, cannot go on unprotected. “Cyberwar,” however, appears to be an inappropriate analogy.
The idea of cyberspace as global commons has been mostly forsaken. A significant national intervention in cyberspace, including the Web, is inevitable. Yet this in itself is not a negative phenomenon.
The concentration of power in the defence establishment is detrimental to cyber power because of the accompanying damage to civil liberties, the democratic process and long-term effectiveness. The national cyber strategies, as well as the practice of liberal democracies, have indeed come into conflict with civil liberties. This does not necessarily have to be the case. However, adopting the securitisation perspective is not an appropriate way towards balancing the values for societal resilience.
Cyber security is not simply a clear-cut technical issue. It is a strategic, political, and social phenomenon with all the accompanying messy nuances. Therefore, cyber reality must be examined with a scientific rigour by all disciplines, enabling an informed public debate. It is both morally essential and rationally effective for the responses to be formulated through a democratic process.
Hopefully, the current volume will contribute to this effort.
– Prabhu Mani