Like my co-blogger Matt Fay, I too have been absent from this blog for far too long. Work and grad school applications (Iâ€™ll be attending the LBJ School at UT Austin starting this fall) became a veritable time vortex, but I am hoping to (albeit slowly) get back to blogging now. I will probably post more quick hits rather than lengthy analyses, since I am in fact going to grad school, but hopefully the blog will pick up pace over the summer. Since this is a comeback post of sorts it is only appropriate that it involves my work over the past year or so.
While working on two consecutive multinational, military concept development campaigns (MNE7 and currently MCDC), I have spent much time doing research on cyber security, and particularly the strategic utility of cyberspace as it pertains to coercion.* After a whole lot of tinkering and neverending citation chases, I finally put out two working papers based on this work. They are companion pieces, so if you are into that kinda thing (being cyber security) I recommend reading them both.
The first working paper is titled Slaying Cyber Dragons: Competing Academic Approaches to Cyber Security. In simple terms this is a rather comprehensive literature review of the field of cyber security. Why do I need to read a literature review, you might ask. Well, as I discovered early on the academic field of cyber security is far from uniform. It is a fragmented field (if you can even call it a field) consisting of a hodgepodge of approaches and conceptual understandings. Heck, most scholars can not even agree on the meaning and implications of key terms such as cyberwar or cyberspace. Realizing this, I decided a good place to start making my own little contribution to this field would be to do a sort of epistemological sorting. While any kind of grouping or categorization would entail simplification and a certain degree of fuzziness, I have defined what I see as three distinct schools of thought on cyber security. They are: the Revolutionist, Traditionalist and Environmentalist schools of cyber security.
The Revolutionist school consists of some of the earliest texts on information warfareÂ and cyber warfare, and they represent an expansive view of the role of technology in conflict. Thomas P. Rona and Roger C. Molander have written formative texts on the strategic potential of cyber operations, while John Arquilla and David Ronfeldt spent the 1990s discussing how the information revolution would change warfare, and perhaps even war itself, by marrying new technology with organization and doctrine. The idea was that information had become a material asset, so control over information while disrupting the opponentâ€™s information would achieve battlefield supremacy, and ultimately victory. These notions are the source of some of the most prevalent myths today regarding cyber securityâ€”namely the impending doom of a Cyber Pearl Harbor or Cyber 9/11. In a society where information and communication technology (ICT) runs everything, we have made ourselves extremely vulnerable. And since the core assumption in Revolutionist thinking is that offense has the advantage over the defense, we are in serious trouble.
Of course, not everyone believes this, and this is where the second school of thought comes in. The Traditionalists are the inevitable reaction to the expansive and poorly supported claims of the Revolutionists (or technically speaking their policymaking adherents the Alarmists). The most famous of these would be Thomas Rid, but many others have also voiced their skepticism about the â€œnewnessâ€ and danger of cyberspace. Their main criticisms are two-fold: Revolutionist ideas of strategic information warfare and cyberwar lack any kind of empirical proof (show me the data!), and the ideas are both semantically and conceptually confused. In a nutshell, large-scale cyber attacks are not very easy to pull off (empirical issue), and even if they were they would not rise to the level of standalone warfare because they would not happen in a vacuum outside of political context.
The Revolutionists and Traditionalists have dominated the discourse on cyber security for quite some time now, but both sides make serious errors of analysis. While the Revolutionists offer little empirical data to support their claims (they are in fact doing concept development rather than empirical studies), the Traditionalists draw too many conclusions from a very limited data set. In other fields that could work, but cyberspace is not a static environment. It is in its nascent stage, and we do not fully understand its utility in relation to conflict. Therefore it is quite dangerous to draw inference and generalize based on a few very distinct, context-based events such as Estonia and Georgia.
So what are we to do? Well, there is a third school of cyber security that offers a better way of understanding cyberspace and its political and strategic utility. I call this the Environmentalist school. These texts are primarily interested in cyber power (either explicitly or implicitly), but they approach this issue through an environmental analysis (Rattrayâ€™s chapter) of cyberspace. This means they approach cyberspace as a distinct environment or system and from there discuss any political or military implications (Traditionalists usually do the opposite, causing all sorts of conceptual confusion). By understanding cyberspace itself it is easier to deduce what kind of actions are possible to take, which in turn gives us a better understanding of cyberspaceâ€™s impact on conflict. Alas, there is still much work to be done. The Environmentalist texts are not sufficiently systematic and often focus on one or two specific qualities of cyberspace, while ignoring others. Further more, some texts conflate cyberspaceâ€™s defining characteristics with their security implications, confusing the issue of causality.
Now, this is where my second working paper comes in (yes, Iâ€™m being terribly modest here). It is called The limits of compulsory cyber power: Assessing ecological potential and restraints in the digital domain and tried to articulate a more systematic framework of analysis for the political utility of cyberspace. It approaches cyberspace as a distinct ecological system (not environmental) that consists of both a â€œterrainâ€ and actors that influence each other (though it is primarily an issue of actors influencing the terrain). The best and most comprehensive way of understanding the utility of cyberspace is to define cyber power, and in this particular instance compulsory cyber power. But in order to do that, you first have to define cyberspace itself. This working paper does so by identifying and defining what I call the four defining characteristics of cyberspace. I spent a lot of time in the paper doing this, but the four characteristics are cyberspaceâ€™s malleability, collapse of speed, networked nature and software and power diffusion. Having defined these I then discuss their resulting security implications and end up with a fairly nuanced picture of compulsory cyber power. I donâ€™t want to spoil the ending, but suffice it to say there are some quite significant limits to compulsory cyber power. Large-scale attacks can be achieved, but their effects are fleeting and more disruptive than destructive. Further more, despite the hype cyberspace still favors the great powers, though as the malleability of cyberspace tells us, much can change.
Obviously these two papers are not the final answer to the many problems vexing policymakers and academics over the past two decades. They offer up an approach to understanding the challenges ahead, but much work remains to be done. The very rudimentary model I propose does not measure the value of each variable; nor is it a probabilistic model for conflict involving cyber operations. More empirical testing is required (when that is possible), and the relationship between this technological system and politics remains woefully understudied. Perhaps for another time.
*MNE7 and its sequel MCDC are part of a concept development series led by the U.S. Joint Staff with participation by 16 countries and NATO ACT. I was part of the Norwegian delegation to both campaigns, focusing primarily on the cyber security components of them. MNE7 focused on security issues related to the global commons, while MCDC is focused on joint entry operations.