Today we live in a world linked by “cyberspace”, a word created in the 1980s but only ten years in common use. It stands for the completely man-made substrate we all share intimately on our smart phones, tablets and desktops, and that pervades the operations of banks, airlines, electrical grids and even manufacturing plants. It stretches under and into all the relatively instantaneous (and profitable) communication, cooperation and coordination that sustain our modern quality of life. So much modern wealth now relies on cyberspace that, increasingly, groups and nations are beginning to fight in it and over it as well.
A new variant of warfare has emerged through cyberspace, one that is formally undeclared, long-term and widely variable in its tempo and day-to-day effects. Who wins, loses or merely stays the course will be determined more by the effectiveness of the means of disruption and resilience of critical national systems than by the outright “kinetic” destruction of discrete targets by military forces. This environment advantages those who have best prepared their systems to gain surreptitious control of everything from access points to knowledge stocks to economic or other resource flows in their opponents’ critical civilian and military systems, while simultaneously denying the same control to their known or unknown adversaries. This form of human struggle is “cybered conflict”, meaning the struggles inside cyber systems that routinely spill out of deeply embedded, globally connected networks to harm the rest of the society. Cybered threats are now so penetrating of heretofore well-defined and defended borders and strategic buffers (such as oceans) that we may have to look far back through history—well past the Peace of Westphalia—to the highly uncertain times of vulnerable ancient or medieval city-states to find appropriate analogies for what we face today.
Globalization and cyberspace are deeply intertwined. Cybered conflict has emerged in large part because successive waves of globalization gradually transformed classic independent, territorially buffered, autarkic states into openness-dependent, wealth-obsessed and war-averse digitized democratic commercial trading states. Nations from the European Union to South America to the democratic Asian tigers act more like the city-states of long past than early modern autarkic states capable of going to war to defend their interests. Their political leaders focus on facilitating aggressive trading benefits and forging international rules of exchange, not on preparing for destructive conflicts. Since World War II, they have built, institutionalized and lived by openness—to global commerce, finance and knowledge flows. These states now internally and legally enforce shared, relatively compatible rules on their subordinate groups and citizens. Even when international members violate the rules, no one threatens war to recoup material damages. Globalization has domesticated, as well as made more porous, the warring nation-state into a relatively defanged modern city-state dependent on the civil behaviors of other states and their citizens in the international system.
In this relatively stable, economics-led international system, these modern, usually democratic trading states followed the lead of the United States to deeply embrace its internet within their own critical national economic systems. As the web extended across the globe, it traveled along economic paths to gain enormous value widely seen at first to be unrelated to conflicts or militaries. With the rise of the global web during mid-1990s, it seemed natural to cyber-prophets, e-commerce promoters and the intellectual elite of the international trading states that trading states would use the new technology to simply enhance wealth without incurring national conflicts, and that new participants would automatically adapt to established rules of the road. These rules supported social trust, the security of property and the primacy of states as the ultimate arbiters of differences between parties. The rules were taken as so immutable that the largely ungoverned cyberspace communications were not seen as a threat to the international system of stable economic exchanges. In a 1996 “Declaration of Independence of Cyberspace”, an anonymous author (later revealed to be John Perry Barlow) suggested that cyberspace was somehow a new human/machine space beyond any government’s control and hence immune from the social corruptions that had led to crime and war in the past.
What was forgotten, however, is that where great value in goods, knowledge and funds flows without societal protection, so grows great potential for conflict, even in cyberspace. The new globally open, deeply digitized traders, epitomized by the post-politics EU elite, did not deny that many states did not fit, or did not yet fit, the description of a post-nationalist, debellicized trading state. Rather, what mattered was that the center of the international order was increasingly composed of such creative, wealthy, powerful actors such that the disruptive or corrupt laggards and reprobates were contained in the relatively feckless periphery. This periphery could stage occasionally spectacular acts of protest against the center, such as 9/11, but it could not muster an existential threat to it. What this thinking neglected, of course, is that this periphery, in its state and non-state incarnations, could master the new “atmosphere” of cyberspace on the cheap, in mass scale and around the clock where the international trading rules did not work.
This mastery is growing exponentially now. The modernized democratic trading states now find themselves with massively undermined geographic borders and stable, law-abiding economic and social systems now face uncertainties unimaginable just thirty years ago. The relatively organized and civil landscape of independent states has become more like a surprise-prone medieval muddle. Like-minded civil and peaceful trading societies are now deeply penetrable by masses of uncontrolled predatory “bad actors” operating from semi-governed or autocratic regions (“badlands”), able to inflict harm at the deepest levels of digital societies. The world’s major trading states have been caught off-guard by the free-for-all, frontier nature of cyberspace. They have not prepared their societies, strategies or home institutions, much less their heretofore well-ordered international economic system, for the emerging diversity, frequency and scale of threats from a globally shared open web.
The fundamental misperception was that nothing in the initial design of the cyberspace substrate actually intrinsically forces adherence to any of the civil society rules fashioned by the dominant trading states. The basic stabilizing layer of the original internet, now extended around the globe, is profoundly insecure. Core commands at the heart of key systems are open to anyone who can winnow in to access them; they require no external vetting process to be changed. The basic network structures and software designs built to ensure the reliability of email delivery and data exchanges do not secure the contents nor ensure resilience of the overall systems linking critical societal functions. Control-program designers did not even consider who might want to deliberately harm their huge critical system machines or distort the software when they hardwired simple passwords now obtainable over the internet.
Today national leaders realize that their naive city-state trust in the internet is misplaced, and that the basic designs underpinning the web are built on presumptions of good intentions natural to small communities of well-intentioned colleagues but unwise beyond them. The original internet inventors, developers and planners feared only the puzzling surprises normal for complex systems and accidents, not malevolent sabotage. They included passwords, if any, only to keep the poorly trained from making casual mistakes. Developers typically added unprotected networked backdoors to make remote assistance easy. Even simple programs that run many large-scale nuclear power or other manufacturing plants still have simple passwords designed for ease of maintenance.
This situation has already produced unnerving surprises. The Stuxnet malware that disrupted Iranian nuclear plants in 2010 was able to do so largely because it took advantage of the simplicity and trust embedded in basic designs. Indeed, most malicious behavior in cyberspace rests on finding and then accessing deeply hidden but simple code manipulations, or on default or neglected but non-obvious remote access exploits. The backbone big junctions of the global internet have critical junctures—called border gateway protocol sites, or BPGs—that rely on trust and contracts to send along traffic as intended. Several times in recent years, virtual strangers or unexpectedly distorting software has violated this trust by diverting whole swathes of internet traffic for short periods into such places as China or Pakistan.
Because of the global pervasiveness of cyberspace and the avenues for malicious harm it offers, all serious societal conflicts will now be “cybered” from their outset and in any major state-level struggle significant critical events will occur solely thanks to the availability of underlying cyber mechanisms. Rule-oriented trading states will find it particularly difficult to recognize or easily prevail in this kind of conflict because their rules of war require identifying opponents, their locations, goals, tools, motivations or propensities to act before, during or even after major cybered events. The globally open web makes this critical distinction between combatant and innocent civilian extremely hard. From persistent proxy warriors-of-state to transnational criminal gangs to opportunistic hacking activists in small groups, conflicts now occur along whatever pathways and actors are enabled by cyberspace. Across the remarkably level playing field of cyberspace, exploiting or harming remote strangers in the digitized democracies requires only a reliable internet connection to a foreign, open-bordered state and time to roam freely and maliciously at will. The globally open web freely provides the kinds of signals intelligence and cheap tools previously available only to superpowers. The variety of possible malicious actions across a globally open web is staggering, and bad actors need only keep trying until one or another attack succeeds somewhere.
Complicating the problem for law-abiding civil societies is the variety of potential bad actors who could be acting at any given moment. From the single individual, group or state, or a combination of all three, they can be proxy actors for autocratic states such as North Korea, or a dispersed group of malcontents such as “Anonymous.” They can be religious extremists, international criminal gangs, bored but technologically savvy teenagers, or some opportunistic collaborative venture among them all. They can use the same tools as legitimate users, but they can also access a hidden cybercrime market to find upgrades and like-minded associates. They can insert their logic bombs, engage disruptive access tools or succeed in massive, enfeebling thefts of knowledge for a long time undetected. They can operate sporadically or continuously, remotely burrowing into a wide array of targeted critical systems in government, corporations, infrastructure and even homes.
The result is unprecedented levels of insecurity, but often without the traditional means of response like force or criminal prosecutions. The “noise” of anonymous traffic across the global web is so vast that attackers remain anonymous and victims often do not even realize they are being attacked. In a matter of moments, firms, government agencies and military units can see years of R&D stolen, data altered, or essential operations stalled or stopped by hidden triggers laid months before by malicious applications or through hidden backdoors to the web. Many governments and companies will not publicly admit that their systems have been breached, and with no shared announcement about a threat, similar attacks go undetected as well. In some cases, an institution has become so critical to many other systems that security breaches directly result in a cascade of malicious access to a multitude of its partners, as happened in 2010 to Google China and in 2011 to the cyber security firm RSA. More frequently, security breaches are recognized only after stolen data or products undercut the owner’s markets, income, reputation or even its ability to use its own internal systems or data to recover or trace losses.
A National Strategy for Cyber Power and Protection
Under these circumstances, the modern digital state has much to learn from its city-state forebears about how to protect societal well-being in a world full of such uncertainties. The leaders of 6th-century BCE Athens or medieval Venice prepared their cities for nasty surprises like invaders suddenly appearing at the gates. Yet they also managed to keep their markets and people open to and engaged with the wider world. They built resilience into their daily lives: cisterns for water, granaries for food, and stout gates and walls behind which to take refuge. They learned that resilience could solve most threats, especially if they developed ways to surge their resilience capacities when needed. But they learned that they also needed to disrupt some threats before they arrived at the city gates. Successful leaders developed troops to police their highways and roving navy patrols to ensure that their lifeblood in commerce was not stolen just outside their walls.
We have reasonably good records of these efforts. Athens had its spies, its protected trading “long wall” to the port of Piraeus and its navy; Venice had its mercenary captains, spies and an experienced navy. City-states that did not observe these rules survived only by luck, or not at all. Florence only intermittently observed these rules when under threat. Before the rise of the Medicis and the loss of Florentine democracy, only serendipitous outbreaks of plague removed invading forces on a number of occasions. The key lesson we should take from these ancient and medieval trading states is “resilience always, disruption as needed.” The modern digital trading states need similar strategies to protect their national well-being in a deeply cybered and uncertain world.
The challenge to American leaders is to ensure national well-being by integrating resilience and disruption across national security strategies and institutions. This goal is complicated by current attitudes toward security. We typically think of security in terms of the regulated destruction of adversaries by militaries, with resilience being only a low-level operational concern of single institutions or units. We need instead a strategy of “security resilience” for the nation as a whole.1 The term combines security in its more modern sense of disruption with the ancient city-state’s need for resilience—a quality now in short supply in the digitized nations.
Resilience must be the basis of strategy because the cybered systems on which we now depend are all large, complex and connected to the global web. Even if bad actors do not harm them, large complex critical systems could face routine surprise, some of which will inevitably be cascading and disabling events. In 2006, Hurricane Katrina destroyed infrastructure ranging from electricity to cell phone towers to transport lanes to ATMs. Despite four decades of empirical research on the need to prepare for situations precisely like Katrina, key vulnerabilities remained unredressed. It is entirely possible to avoid or minimize routine nasty surprises like Katrina if key institutions continuously and collectively develop redundancy in stocks and forms of knowledge. That means routinely practicing inter-organizational collaboration in order to be able to respond quickly and creatively in an emergency, and to learn from mistakes and oversights in order to be prepared for the next disaster, whether from cyberspace or from hurricanes.
Cybered resilience is a critical national security concern today. Bad actors residing anywhere in the world can anonymously strike through cyberspace and start or make much worse any “normal” surprise, like a hurricane or an earthquake, by disrupting key systems at such vulnerable times. Modern trading states already face millions of efforts each day to harm key institutions via cyberspace. Any one of these could constitute the lucky or exceptionally malicious success that produces a major systems failure cascade. Since no nation can respond to every single such assault, only raising the general level of cybered resilience along all critical pathways can prevent major attacks from cascading by accident or intention.
Where premodern city-states had cisterns, granaries and stout palisades, modern trading states will need nationwide programs of cybered resilience. These measures must range from the simple such as detecting, cleaning and protecting individual computers to the more complex task of researching a more secure basic internet technology. Resilience must be built into the security standards required for any commercial cloud of any size or critical system significance. Commercial firms cannot just bolt on layers of new encryptions without repairing the underlying design flaws and abiding by privacy and legal surveillance laws as well.
Furthermore, security means re-establishing strategic buffers in cyberspace in order to provide some breathing space to slow down or deflect the disabling effects of a cybered conflict campaign or accidental cascade. As the older city-state experiences suggest, these digitized buffers must include key points of national regulatory protection that in effect form virtual borders in a cyber Westphalian world to defend critical systems or their connected systems. Pericles built the long wall to protect Athens’s portal to the sea so that he would have time to decide, with plenty of food and water at hand, whether to do anything but watch from the walls when the attacking Spartans arrived.
All these efforts need be part of an integrated national resilience strategy. Some efforts are already underway in many states, albeit in a highly fragmented fashion. From rising state control of ISPs in Europe to a massive reduction of open portals to the global web being undertaken by individual institutions, enterprises and agencies are trying both to deflect incoming threats and to give themselves more time to react to those threats that get through anyway. Resilience serves to reduce the chances of success by “everyday” sorts of attackers; it works for the mass of opportunistic, low-skilled bad actors in cyberspace. The hacker community, so called, is especially vulnerable to being physically located and arrested, for example. Thus, to the extent that states mutually enact and enforce comprehensive, standardized jurisdictional societal policing of malicious actors, resilience increases among the modernized democratic nations. The takedown of one major illegal botnet purveyor in the past few years reduced malware on U.S. and EU sites by a third for months.
Resilience alone, however, is insufficient cybered protection for the modern trading state; its cybersecurity strategy must include capacities for legally guided forward disruption of national cyberspace. The massive global bad actor community also includes a smaller group of exceptionally skilled ”wicked actors” who cannot be deterred or foiled by hygiene, redesigned base technologies or rising cybered borders. Security thus requires the capacity for targeted, highly selective operations beyond national jurisdictions to preempt wicked actor operations before they are at the periphery of or inside targeted systems. Ancient city-state leaders would have understood the need to disrupt such actors as a means of augmenting security resilience. If there were pirates lurking outside the harbor, then those pirates should be attacked at times and places of the city-state’s choosing. Disruption is just as essential a part of a modern digital state’s security resilience strategy today.
Like resilience in the cybered conflict age, the strategic and operational demands of disruption as a component of survival strategy are more complex than those of the past. Such operations require comprehensive, precise, continuous and near-real time data about the attackers, defenders and their shared systems. Targeting itself is an intensive challenge because it requires narrowing the masses of bad actors down to a much smaller, clearly identifiable set of particularly dangerous entities. This and any subsequent information has to be gathered legally, processed collectively and systemically, and acted upon intelligently and adaptively. It takes time, much human and technological skill and tools, and clear oversight.
Disruption must remain a complement to general national resilience because it cannot be scaled up to deal with the masses of routine bad actors. Its techniques differ from those of resilience, which limit the opportunistic, low-skilled attacks of the mass of bad actors by large-scale standardized responses. Truly skilled wicked actors are not sensitive to mass calls for delegitimization and they cannot be easily frustrated by modestly higher costs of internet access or tools. Most operate in some organizational framework that pays them well to just keep trying. For example, skilled folks that work during the day for the transnational cyber mafia called the RBN (Russian Business Network) and moonlight in cybercrime on their own at night are undoubtedly paid well. Some wicked actors work for ideological reasons, making their persistence a product of income and personal legitimacy. Disrupting these actors and their campaigns requires fairly specific knowledge of why and how they operate, which cannot be scaled up easily into general cyber security protocols necessary for resilience.
A national security resilience strategy must blend the complementary aspects of resilience and disruption for the variety of threats facing the whole society. Resilience, for instance, would not have stopped the insertion of Stuxnet into Iran’s nuclear reactors, and only the disruption of wicked actors with demonstrated behaviors of that skill can stop future Stuxnet-type viruses aimed at modern democracies. Conversely, disruption could not have helped lower the estimated $130 billion lost to cybercrime by six major U.S. corporations in 2010, since these threats were so wide-ranging and diverse that no reasonable means of disruption could have been made available to stop them. However, more resilience in national systems could have reduced the flood of assaults and eased the pressure on these firms. Without such a balanced strategy, it is easy for human operators in large-scale systems to be surprised and to make mistakes. Of the five major undersea cables that broke in 2010, cutting the internet in Iran and India, the fifth occurred because an overeager but also possibly undertrained technician inadvertently brought down his cable while trying to prevent just such an eventuality.
Institutional Adaptations for Security Resilience
Strategies need institutions that support their implementation, and new strategies often need new or redesigned institutions to accommodate them. We need three institutional adaptations in particular to institutionalize security resilience as a strategy: the “knowledge nexus”, behavior-based privacy, and the “Atrium” organizational model for accommodating surprise. No mere essay can explain these adaptations in full, but a brief discussion can highlight the differences between where things stand and where they need to stand.
Resilience and disruption require better collective mechanisms across authorities and knowledge sets in order to accommodate surprise across essential large-scale integrated systems. We are organizationally balkanized, and if we cannot eliminate stovepiped arrays of organizational domains, then we need at least to create and exercise a continuous “knowledge nexus” among them, especially across intelligence, military, police, private critical infrastructure, the ISP and IT capital goods industries, and local community structures. Continuous collaborative interactions are necessary to build consensus before any surprises emerge. This nexus cannot operate intermittently, as its barebones equivalents are today. If cyberspace is not bounded by time or domain, and if malicious actors are similarly unbounded, then response capabilities need to be as well.
Second, the whole-of-nation aspect of blending resilience and disruption capabilities requires an ability to cull, preserve and focus comprehensive data on threatening behaviors inside as well as outside national borders. We need a way to view behaviors comprehensively to determine bad actors’ behavior patterns even as we keep everyday citizens’ personal information secure. One way to do this is to harness the power of the technology to devise a “behavior-based privacy” system, complete with an integrated legal regime for validation and appeal in cases of error. Such a system could allow authorities to distinguish dangerous behaviors while maintaining anonymity enforced by shared encryption. Individuals would be traceable only with a warrant and probable cause, and robustly protected with easy validation and appeals processes.
Third, an effective security resilience strategy demands that security organizations responsible for protecting against systemic surprise (and for carefully tailored disruption) achieve a higher standard of learning and operating collectively. It would not be wise to overcentralize the U.S. capacity to deal with cyberspace by shoving various military and intelligence organizations together with the FBI, the DEA and elements of the Department of Homeland Security, but all such organizations must learn how to bring their assets into concert and to trust each other long before urgent major surprises emerge. One way to advance that learning is by using advanced game-like simulations, shared and continuously available across all the critical organizations likely to be involved in a cybered nationally critical crisis. The technology is currently largely available from today’s massively multiplayer online gaming industry. The tools thus need more to be gathered than invented. They can be embedded in an “Atrium” organizational model that would guide preparations for the rapid, accurate actions necessary to derail, mitigate and innovate around devastating surprises in critical systems.
Unfortunately, few of the strategic or institutional support elements of a security resilience strategy are in place today, either within or across the various democratic trading states. The U.S. model of a national “cyber command” is narrowly focused on state-level bad actors, on the protection of domain-centric military networks, and on matching adversary advanced use of cybered attacks during a (highly unlikely) formally declared war.
Furthermore, despite the laudable knowledge-sharing and rapid-action innovation encouraged by the dual-hatting of the Director of the NSA and Commander of the U.S. Cyber Command, the overall model is tied to the dot-mil domain. Unless national command authorities request the direct help of this small knowledge nexus, NSA/U.S. Cyber is not authorized to routinely and proactively help the rest of the U.S. government or the nation’s privately owned critical systems. This model separates by law and inclination the most skilled of public entities from developing national resilience more broadly among the private corporations whose vulnerable systems can affect the homeland, and who are not amenable to paying in advance for security.
This strict separation of domestic from national security by policy and institutions worked tolerably well during the Cold War. Today, however, bad actors tunnel into the nation around NSA or Cyber Command and weaken the resilience resources of the entire national system through cybercrime or deliberate theft and other control exploits. Today, in a world of connected cross-border easy access, this military-versus-civilian separation ensures that both domestic and national institutions will lack the consensus, shared data analysis and collective learning needed to avoid being paralyzed or panicked after a surprise.
Also unlikely to adequately implement an effective security resilience strategy is the purely resilience-focused “key firm” model emerging largely in Europe. This strategy is built on national concerns for economic or privacy losses due to massive onslaughts of cybercrime. The European model of national cyber defense rests on using internet service providers as the key firms whose technological skills can be called upon to derail cybered bad actors as they enter home systems or once they are identified within the ISPs’ networks. While the key firm model provides more systemic national resilience than the U.S. cyber command model, it leaves these deeply digitized nations with few legal ways to disrupt persistent bad actors. Disrupting bad actors outside of these jurisdictions is not publicly endorsed or discussed as legally acceptable.
Beyond organizational and legal deficiencies, we face a range of attitudes that hinder appropriate responses to cyber threats. Nine seem most germane.
• We focus on unlikely interstate war while neglecting the society-wide enfeebling effects from waves of non-wartime cyber attacks inside the homeland’s critical socio-technical-economic systems.
• We separate resilience from disruption, which causes imbalances and incoherence when we allocate strategic resources to deal with sources of cybered surprise.
• We focus on protecting only military or governmental systems in cyber command, or equivalent structures in the private sector, while leaving critical systems that enable our economy to function wide open to attack. This imbalance encourages bad actors to target our weaker points.
• We neglect the crucial role played by the vast global and opaque cybercrime community in threatening the entire nation by innovating new techniques and access points, new methods of attracting and training opportunist or full-time cyber criminals, and new “noise” and cover for criminal or state-run operations.
• We avoid investments in fundamentally redesigning the insecure base layers of the global internet out of deference to private industry, instead pouring investment funds into layer upon layer of technological fixes easily defeated by thousands of underemployed bad actors with time to tinker.
• We approach securing the national well-being as a purely technological challenge. We fail to grasp the interaction of the social with the technological aspects of critical national systems, ignoring how human cognitive function can cause surprise to leap to technical system failures or erratic behaviors and back again.
• We calculate resilience and disruption costs in short-term budgets and ignore the long-term, episodic and systemic threats of the cybered conflict campaigns likely to be conducted by major adversaries and opportunistic allies. This encourages systemic national and global weaknesses that can be exploited in future international crises.
• We use the insurance model of risk calculations and its presumptions of one-off disabling events, thus relying on allies to provide aid in a crisis and encouraging adversaries to target many states at once.
• We underinvest nationally in basic research, leaving the technological redesign of a more secure web to the narrow, near-term perspectives in corporate investments and ensuring public institutions will lag in appropriate human capital when new threats emerge from the convergence of cyberspace and new technologies like nanotechnology, genetics or robotics. Corporate interests infrequently take a whole-of-society or long-term perspective, and tend to ignore new knowledge related to cyber threats if it seems to challenge near-term returns on investment or to promise expensive proprietary uncertainties. Right now, a key large and growing peer competitor to the United States in cyberspace and science in general is massively subsidizing and outstripping U.S. public research investments in wide-ranging basic nanotechnology research, supercomputing and other cutting-edge scientific and engineering fields.
The resources needed by the trading states to maintain their well being are at stake. Modern trading democracies now face increasing and broadening levels of insecurity through a massively complex cybered international system that is no longer stabilized by one or two superpowers’ rules and their power to punish. The frontier free-for-all that marked the two early decades of cyberspace is ending, but the fight over how it will change the international system developed by the trading states has just begun. Amid the inevitable uncertainties of the future, those nations that most effectively develop careful long-term internal resilience and external targeted disruption capacities will be the most powerful, sustainable and materially healthy in the long run. As things stand now, the United States may not be among them.
1I detail this argument in Wars of Disruption and Resilience (University of Georgia Press, 2011).