
Monday, May 23, 2022

Ben Buchanan and the Security Dilemma

I’ve been reading an interesting book by Ben Buchanan entitled The Cybersecurity Dilemma: Hacking, Trust and Fear Between Nations. He begins with a discussion of a concept called “the Security Dilemma,” also known as the “spiral model” taught in International Relations courses. Thucydides had proposed centuries ago that one reason for the Peloponnesian War was Sparta's fear of Athens’ development of what the Athenians thought were defensive capabilities. So this model proposes that “actions by a state intended to heighten its security, such as increasing its military strength, committing to use weapons or making alliances, can lead other states to respond with similar measures, producing increased tensions that create conflict, even when no side really desires it,” i.e., wars often begin even though neither side wants one. As one state increases its security needs, other states become more insecure, interpreting those defensive measures as threatening, encouraging an attack before they become too strong. That was the missile defense dilemma of Reagan. The only way to avoid this, according to Functionalists, is through the use of communication and proper signaling. Misunderstanding doesn’t necessarily always lead to war; it’s just a common thread. (It might be useful to think of this concept while viewing our current relationship with Iran and their signaled need to build a nuclear weapon. Trump’s failure to recognize the importance of diplomats and diplomacy is discouraging.)


Buchanan examines cybersecurity in this context and discusses its relevance. One huge problem is the gulf between those developing policy and those in the operational world, i.e., those guys with their hands on the keyboards. How that all gets done is really important. Strategy often outruns operations. In the cyber world one often doesn’t know what’s being done, who’s doing it, and whether it’s even being done. The security dilemma is fueled by a failure to recognize and understand the opposition’s intentions. In cyberspace you may discover a piece of malware code but you usually don’t know what its purpose might be, nor even what its capabilities might be. Something that looks defensive may even be offensive. The default is always that “since we can’t figure it out, we’re going to keep everyone out of our network.” In the international sphere there are no rules, so we have nations breaking into other nations’ networks to see what they might be doing in regard to our networks, using offensive capabilities for defensive purposes. For example, the U.S. could penetrate the Chinese networks purely to make sure the Chinese have no offensive intent, but to the Chinese, should that be discovered, it will most likely be viewed as a hostile act as they will be unable to determine the motives.


One issue is that in order to develop an offensive capability like Stuxnet, you need to have years of development, and it has to be done within the antagonist’s network, unlike physical weapons, where development is done in your own sphere. He describes our situation with regard to terrorist groups in cyberspace as “having the nicest rocks, but living in the glassiest of houses.” An impediment to developing a strong defensive network is that most American networks don’t reside in the hands of the American government, but rather international corporations.


