Over the next two months, I’ll be doing a series of posts on the political science of cybersecurity, building on a cybersecurity course that I’ve been teaching over the last four years at George Washington University’s Elliott School of International Affairs. These posts aren’t intended as an introduction for people who don’t really know anything about cybersecurity — if that’s what you’re looking for, you should read Allan Friedman and Peter Singer’s recent book. Nor will they be laying out my own opinions on cybersecurity topics (which is certainly not to say that I don’t have ‘em). Instead, they’ll be looking at some of the major debates in cybersecurity policy, and whether political science has anything useful to say about them. The first two posts will be introductory — they will describe some of the key disagreements, and their historical origins. The remainder of these posts will start to bring in the political science analysis.
Arguments over cybersecurity tend to be highly contentious. On one side, advocates of stronger cybersecurity warn that we are at risk of a “digital Pearl Harbor” in which the U.S. power system, financial system and other parts of “critical infrastructure” could be attacked and seriously damaged by foreign hackers. On the other, open Internet advocates are highly skeptical that there is any real likelihood of attack. Instead, they see the real risk as coming from a U.S. security establishment that wants limitless powers to gather information and restrict freedom. Security advocates depict open Internet advocates as dangerously naive, while open Internet advocates see security advocates as sinister power grabbers.
This 2010 Intelligence Squared debate over the threat of cyberwar gives a good flavor of the arguments of both sides. Marc Rotenberg, president of the privacy nonprofit EPIC, and renowned cryptographer Bruce Schneier both depict the history of the threat of cyberwar as one of continuous exaggerations by the U.S. government. They suggest that the real threat comes from the efforts of agencies like the NSA to control the Internet, and big contracting firms looking for their share of the cybersecurity defense budget. Mike McConnell, former director of the NSA, unsurprisingly disagrees, arguing that the U.S. economy is enormously and increasingly vulnerable to cyberthreats, and that the government needs to keep many of its countermeasures secret if it is to protect against these threats.
The two sides disagree over the facts. Rotenberg and Schneier think that the Internet is relatively robust, and can recover quickly from cyberattacks. McConnell and his debate partner Jonathan Zittrain think that the Internet is very vulnerable. Zittrain, a left-leaning law professor argues that the Internet is far more fragile than people generally understand.
Yet there’s also a difference of understandings. You could say that Rotenberg and Schneier emphasize the importance of civil rights, while McConnell and Zittrain emphasize the importance of security. This captures some of the basic differences between their perspectives and political values. Yet they also disagree more subtly about the nature of security. Schneier, as a cryptographer and security consultant, obviously doesn’t think that security is completely unimportant. Yet his understanding of security, and how to achieve it, differs dramatically from McConnell’s. So what’s going on?
This article by Helen Nissenbaum, at New York University, provides some clues. Nissenbaum suggests that these disagreements are partly rooted in the differences between what she calls ‘technical computer security,’ a perspective that originates from computer science, and ‘cybersecurity,’ which reflects the traditional ideas and values of national security. The technical computer security approach understands security as involving the use of appropriate technologies to secure individual computer systems (or individuals, or agencies) from attacks by adversaries, whoever they may be. The cybersecurity approach, in contrast, sees the problem as a new version of the traditional problem of protecting the national space against foreign hostiles. The technical computer security perspective sees cyberrisks as varied, and often not particularly worrisome (computer administrators can often treat them as nuisances). The national security/cybersecurity perspective, in contrast, tends to see cyberthreats as dire and existential, challenging the health and existence of the country itself.
This disagreement is reflected in the argument between Rotenberg, Schneier and McConnell. Rotenberg and Schneier believe that there are threats, but that most of the time, it is pretty easy for businesses to deal with them. Hence, it would be nonsensical and self-defeating to treat these threats as analogous to war. McConnell, in contrast, believes that we are engaged in a quiet conflict that is somewhat analogous to the Cold War. This implies that we should be on a war footing, and investing in clandestine defensive and offensive resources to defend against our enemies and deter them from attacking.
What this means is that even apart from disagreements over civil liberties, cybersecurity is riven by disagreements over what security is in the first place. Is it a technical problem (which could be solved by computer system administrators, working alone or quietly coordinating with each other)? Or is it a national security problem (which requires a large scale collective effort, organized by the U.S. government, to defend against existential threats to the homeland)? Obviously, these different understandings of security have very different policy implications. Next week — how debates over cryptography in the 1990s set the stage for controversies today.