Managing and shaping the offerings of a cybersecurity business while teaching an undergraduate course on cybersecurity policy, operations, and technology presents a dual challenge. It requires understanding what is happening on the cybersecurity landscape, how the forces shaping that landscape relate to one another, and how governments and other enterprises should respond to those forces. It has also impelled the author to try to describe these forces to students in a coherent fashion.
The media focus on the dramatic consequences of recent cybersecurity breaches (e.g., Sony, Anthem, the U.S. Government’s Office of Personnel Management, and other incidents). At the same time, our understanding of the cybersecurity landscape is often fragmented: the cybersecurity industry and its practitioners frequently fail to relate its pieces to one another. For example, why do our information technology infrastructures continue to demonstrate significant vulnerability? Are the steps we might take to reduce that vulnerability likely to remain effective as these infrastructures change? If we do a more complete job of sharing threat intelligence, what privacy implications must we face? Are the breaches with which we are contending “merely” the result of cybercrime, or are we seeing the emergence of a new component of statecraft, one that must become part of our international relations calculus?
The speed with which we must address these questions, and the pace of change in some of the underlying factors, call for a more coherent cybersecurity framework. We need a framework that allows us to analyze events and develop courses of action within an ever-changing cybersecurity environment. Because these factors are changing so rapidly and simultaneously, the term cybersecurity “storm front” applies: a turbulent place that changes rapidly, with potentially disruptive consequences for those over whom the storm front passes. While the term “storm front” may appear hyperbolic, the need to improve analysis and generate more useful hypotheses deserves as much attention as the cybersecurity profession can give it. The term refers to the confluence of these forces, not necessarily to the effects of any specific cybersecurity event. This article discusses five prominent factors shaping this storm front:
- The growing importance of the information managed by increasingly complex IT infrastructures
- The technology and structure of the IT infrastructures we seek to safeguard
- The changing technological and operational nature of the threat that jeopardizes those infrastructures and the information they manage
- The changing role of cybersecurity as an instrument of statecraft
- The changing privacy relationship of citizens to the enterprises that employ complex IT infrastructures.
Taken together, these factors can be used to analyze cybersecurity developments; identify and analyze the consequences of these developments; and, hopefully, aid the development of policies, doctrines, and resources to help us manage these consequences.
What We Must Protect
The domains we seek to protect in the United States and elsewhere, and the domains subject to exploitation (theft of information) and attack (damage to information, information systems, and the infrastructures that depend on information), are well documented and broadly discussed in policy and current cybersecurity literature. In brief, in the United States, these domains are described by the Comprehensive National Cybersecurity Initiative (CNCI), established by President Bush in January 2008 (National Security Presidential Directive 54/Homeland Security Presidential Directive 23) and continued by President Obama. CNCI defined the domains in which cybersecurity disciplines are exercised as .gov, .mil, the companies comprising the defense industrial base, the owners and operators of critical infrastructure, and certain key manufacturers. A number of CNCI initiatives followed, as well as a series of Presidential Executive Orders (EOs). Most notable was EO 13636 (2013), Improving Critical Infrastructure Cybersecurity, issued together with Presidential Policy Directive 21, which designated the sectors of critical infrastructure whose cybersecurity represents a significant public interest.
The cybersecurity consequences of changes in the information technology on which government, the military, the defense industrial base, critical infrastructures, and other enterprises depend are important to understand and consider. These changes are far reaching. Defending the enterprises that depend on them presents new challenges, because these technologies are shaping infrastructures more complex and more dynamic than those that preceded them.
The Rising Importance of Information
The role of information within enterprises is changing and growing in importance, and this shapes our view of cybersecurity. The importance of information to an enterprise can be expressed as its “information intensity.” In the general economy, information, and by extension its security, is recognized as an essential aspect of corporate strategy and, more importantly, of an enterprise’s overarching value proposition. The concept of information intensity reflects this recognized value. It has existed for decades, gained currency in the 1980s, and has grown in importance through the present day. Two types of information intensity were defined in the 1980s, and both are vital to today’s enterprise: product information intensity and value chain information intensity.
Product information intensity measures the extent to which a product is information-based (i.e., information-as-product), which is increasingly the case in today’s global economy in general and in the United States and other advanced economies in particular. Any business that provides information-for-value (e.g., financial reporting and transactions, media, and social networking) delivers one or more products that comprise principally (or solely) information. For such enterprises, the security of the information they employ and provide affects materially the value of the product they convey to their customers. Their value proposition can exist and thrive only to the extent cybersecurity and information assurance (relating to provenance, processing, and delivery) are present.
Value chain information intensity describes the extent to which information contributes to the production and delivery of non-information products. Global supply chains for the manufacture of aircraft, for example, rely on a complex web of information ranging from specifications and test data, to pricing and delivery schedules. Every element of this information is crucial to production. In fact, many of the processes used in manufacturing are information-technology controlled, enhancing the level of information intensity on which these products and their value chains rely. Cybersecurity failure in these value chains can result in faulty parts, dangerous industrial operations, loss of intellectual property, and non-delivery of the product as promised.
Linked to value-chain intensity is the extent to which many physical products (e.g., airliners) incorporate an increasing proportion of information technology. Today’s Boeing 787 Dreamliner, for example, uses computer-based “fly-by-wire” technologies to control critical flight systems and networked, Internet-protocol-based architectures for other systems ranging from avionics to passenger entertainment. In many ways, the Dreamliner is a computer around which someone designed an airplane. In Boeing’s own parlance:
The 787 Dreamliner, the world’s first “e-Enabled” commercial airplane, combines the power of integrated information and communications systems to drive operational efficiency, enhance revenue, and streamline airplane maintenance.
Boeing also notes:
These tools promise to change the flow of information and create a new level of situational awareness that airlines can use to improve operations. At the same time, the extensive e-Enabling on the 787 increases the need for network connectivity, hardware and software improvements, and systems management practices.
The concept of information intensity is not new. Compelling work by Michael E. Porter and Victor E. Millar in 1985 (“How Information Gives You Competitive Advantage,” Harvard Business Review) described the value of information both as a product and within value chains. The authors defined the concept of manufacturing information and distribution systems (MIDS), noting that “an information intensive MIDS will generally bring value to a company if it adds high value to the product.” In today’s world, such systems are of vital importance.
Whether an enterprise delivers information itself as a product or products that rely on information to empower and mediate their value chains, cybersecurity clearly bears directly on information intensity and on corporate strategy and the value proposition an enterprise delivers. Indeed, the cybersecurity of information-intensive products is intrinsic to the value of those products and rises, therefore, to the level of a corporate strategic issue.
Recent research makes the concept of information intensity even more important and the focus on cybersecurity more urgent. For example, it provides strong evidence that information-intensive businesses producing information-as-product should use information technology to disaggregate their production for the sake of efficiency, just as value-chain information-intensive manufacturers are building global IT-enabled value and production chains.
Such disaggregation is an important component of corporate strategy designed to take advantage of regional and local specialization and cost structures. At the same time, securing the IT infrastructures involved is essential for every aspect of development, production, integration, and delivery. Indeed, in all of these cases, the ability to provide effective cybersecurity is an essential enabling element of strategy. It can even be a competitive discriminator vis-à-vis competitors, where product quality (e.g., provenance and test data) and the integrity of information can be enhanced by cybersecurity.
The publication of Porter and Millar’s work came, perhaps, too early for the term “big data” used so frequently today. Had the term been in vogue, Porter and Millar might have added a third type: information analysis value.
This term describes the ability of today’s analytic tools to aggregate data from many sources (and of many types, i.e., heterogeneous data) in a homogeneous environment to support decisions of significant value: what products to offer specific consumers at specific prices and times, how to deploy valuable medical research and development resources, what crop futures the market might expect, or the likely progression of a dangerous epidemic. Tools from disciplines such as “business intelligence,” “enterprise resource management,” and “data mining” amplify considerably the value of information.
Overall, it is no surprise that the rise in the importance of information, and the need to secure it, is followed closely by attempts worldwide to steal intellectual property, to gain illegal access to information-as-product, and to enter value chains and gain the ability to damage the information on which those chains rely.
A New Information Infrastructure
Changes in the information technology infrastructures we must protect are far reaching and include increased and ubiquitous use of mobile devices, advances in cloud technology (and changes in cloud business models), and the ongoing transition worldwide to Internet protocol version 6 (IPv6). We rely increasingly on mobile (physically untethered) devices for the bulk of our information technology needs. These devices, smartphones and tablets, have become “convergence platforms” that serve all our digital needs, including telephony, email, tweets and text messages, audio and video media, online commerce, financial transactions, and even supply chain management. Mobile devices are used to facilitate meetings and online conferences. They are sources of entertainment. They help us build and shape virtual communities worldwide. With the means to deploy more powerful applications, they support us in managing business.
Cost and efficiency drivers have made the transition to cloud architectures swifter than many foresaw. More and more enterprises are moving vital workloads to public clouds, private clouds, and “hybrid” cloud models. These workloads include enterprise resource management (ERM) and customer relationship management (CRM) applications; development and test (devtest) environments, back-office, and enterprise applications; conferencing and multimedia applications; desktop applications; and supply chain management. Cloud cost models have become competitive and compelling. The ubiquity of cloud capacity has made cloud infrastructure “plastic,” allowing enterprises to shift their workloads from one cloud provider to another, depending on requirements, cost, and availability.
This “cloud orchestration” model was pioneered by companies such as CSC through its acquisition of ServiceMesh. While offering an ever-more-efficient mechanism for managing availability and cost, the model complicates the association of data with any specific physical location, already a challenge in a world of complex cloud infrastructures hosted on myriad vast server farms. The October 2015 decision of the Court of Justice of the European Union (in the Schrems case) invalidating the European Commission’s 2000 Safe Harbor decision, which had allowed U.S.-based processing of European citizens’ information, thrusts privacy concerns to the heart of the global cloud model. The decision relates to the ongoing rise of privacy as an issue shaping cybersecurity, discussed below.
Complicating this situation is the rise of IPv6 and the “Internet of Things” (IoT) that it helps make possible. Under the preceding Internet Protocol version 4 (IPv4), we are reaching the limit on the number of devices that can be attached to the Internet with unique addresses: 32-bit addresses allow roughly 4.3 billion of them. IPv6 uses 128-bit addresses, roughly 3.4 × 10^38 of them, enough that address exhaustion ceases to be a practical constraint. Other aspects of IPv6 make the protocol more efficient. Its adoption will create new and complex infrastructures that extend from our mobile devices through a “plastic” cloud to the very devices on which our lives depend.
The adoption of IPv6 will allow for a more or less unfettered convergence of today’s enterprise information technology (IT) and the operational technology (OT) that controls physical infrastructures (energy, transportation, water, health care, and so on). Components of these infrastructures (turbines, valves, railway switches) are instrumented with IP-enabled devices that allow for the collection of data and for more efficient and distributed command and control. Information can be used to mediate the resources associated with the emerging “smart grid,” for example. For the electrical power sector, the Department of Energy describes such infrastructures as follows:
“Smart grid” generally refers to a class of technology people are using to bring utility electricity delivery systems into the 21st century, using computer-based remote control and automation. These systems are made possible by two-way communication technology and computer processing that has been used for decades in other industries. They are beginning to be used on electricity networks, from the power plants and wind farms all the way to the consumers of electricity in homes and businesses. They offer many benefits to utilities and consumers—mostly seen in big improvements in energy efficiency on the electricity grid and in the energy users’ homes and offices.
It is likely that the emergence of IP-enabled, information-mediated infrastructures will allow for the “smart” management of combined systems, e.g., electrical energy (for rechargeable electric cars) and intelligent roadways serving self-driving cars. Such technology could allow drivers to make cost- and time-efficient decisions about when to recharge their cars and when to run routine errands, combining an understanding of electrical power costs with regional transportation congestion.
This article offers a framework for analyzing the evolving cybersecurity landscape. However, the author’s business background makes irresistible a few words on the likely implications of these infrastructure changes for the cybersecurity business. Many enterprises manage cybersecurity for themselves, either by constituting their own cybersecurity workforce or by using a cybersecurity services provider to manage the various tools and technologies in which the enterprise has invested (e.g., firewalls, governance/risk/compliance tools, intrusion detection and prevention systems, antivirus tools, and security information and event management (SIEM) systems). Some enterprises are outsourcing their cybersecurity, in whole or in part, to commercial managed security services providers (MSSPs), acquiring security-as-a-service (sometimes abbreviated SECaaS to distinguish it from software-as-a-service, SaaS).
The model of cybersecurity managed internally is likely to become more difficult to implement, given the “plastic” nature of the infrastructures being safeguarded, the shift to multiple cloud backbones on which they will rely, the interconnection of these infrastructures with those of suppliers, partners, and customers, and the extension of these networks to IPv6-enabled manufacturing and critical infrastructure appliances. Enterprises will be hard pressed to maintain an accurate infrastructure topology, much less to deploy and manage across it the cybersecurity tools and technologies they elect to use.
MSSPs specializing in cybersecurity are more likely to have the expertise requisite to meet this challenge. They will be required to develop business models, metrics (and associated service-level agreements), and pricing models that reflect shifting and interconnected infrastructures. They will need both to manage cybersecurity devices in the enterprises for which they are taking responsibility and to understand and help protect the other infrastructures on which their clients’ infrastructures depend. In effect, as information technology capacity becomes a managed commodity, so too might the cybersecurity needed to safeguard that capacity.
The implications of this change in the infrastructure landscape are important to consider. More complex infrastructures will be more difficult to characterize, and anomalous behavior caused by cyber exploits and attacks may be more difficult to detect against an ever-shifting baseline. Shared infrastructures complicate the monitoring and management of cybersecurity by any one enterprise or MSSP. Infrastructures that change quickly will need cybersecurity management tools and technologies that can dynamically characterize, assess, and mitigate vulnerabilities, incidents, and consequences. Overall, understanding complex, changing systems will require cybersecurity tools for monitoring, analysis, and response that exceed current cybersecurity technology.
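As an added illustration of the inventory problem described above (example code, not part of the original article), the following Python reconciles what an enterprise’s configuration management database (CMDB) says it runs against what a network scan actually observes. The CMDB record layout, the scan output, and every host and address in it are constructed for the example; the function names reconcile and coverage_ratio are assumptions made here, not any product’s API.

```python
"""Inventory reconciliation: what the enterprise thinks it runs (a CMDB
record) versus what a network scan actually sees.  Added example; the data
below is constructed and the record layout is assumed, not taken from any
real product or from the article."""

# Constructed CMDB: ip -> (hostname, approved listening TCP ports, managed?)
# "managed" means the host is covered by the enterprise's security tooling.
CMDB = {
    "10.0.1.10": ("erp-app-01", {443}, True),
    "10.0.1.11": ("erp-db-01", {5432}, True),
    "10.0.2.5": ("plc-gw-01", {502}, False),   # OT gateway, outside IT tooling
    "10.0.1.20": ("old-build-03", {22}, True),  # decommissioned, never removed
}

# Constructed scan output: ip -> set of open TCP ports observed on the wire
SCAN = {
    "10.0.1.10": {443, 22},
    "10.0.1.11": {5432},
    "10.0.2.5": {502, 80},
    "10.0.3.7": {3389},
}


def reconcile(cmdb, scan):
    """Return findings as (kind, ip, detail) tuples, highest priority first."""
    findings = []
    for ip, ports in scan.items():
        if ip not in cmdb:
            # Reachable but undocumented: no control can be assumed to cover it.
            findings.append(("shadow_asset", ip, sorted(ports)))
            continue
        name, approved, managed = cmdb[ip]
        extra = ports - approved
        if extra:
            # An unexpected listener on a host nobody's tooling watches is
            # worse than one on a host that is at least monitored.
            kind = "unexpected_port" if managed else "unexpected_port_unmanaged"
            findings.append((kind, ip, sorted(extra)))
    for ip, (name, approved, managed) in cmdb.items():
        if ip not in scan:
            # A record with nothing behind it: decommissioned, or moved
            # (another address, another cloud) without the record following.
            findings.append(("stale_record", ip, name))
    order = {"shadow_asset": 0, "unexpected_port_unmanaged": 1,
             "unexpected_port": 2, "stale_record": 3}
    findings.sort(key=lambda f: (order[f[0]], f[1]))
    return findings


def coverage_ratio(cmdb, scan):
    """Fraction of observed hosts that are both documented and managed."""
    seen = len(scan)
    covered = sum(1 for ip in scan if ip in cmdb and cmdb[ip][2])
    return covered / seen if seen else 0.0


if __name__ == "__main__":
    for finding in reconcile(CMDB, SCAN):
        print(*finding)
    print(f"managed coverage of observed hosts: {coverage_ratio(CMDB, SCAN):.0%}")
```

Run against the constructed data, the check surfaces an undocumented host listening on 3389, an unmanaged OT gateway that has grown a web listener, an ERP server with an unexpected SSH port, and a stale record for a decommissioned build box; only half of what the scan sees is both documented and covered by tooling. In a real environment the scan would be a periodic export from whatever discovery tool is in use, and the point of the exercise is that the answer changes every time it is run.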
The Threat Changes
Changes in the threat landscape have resulted in breaches that have become larger both in the number of people whose information has been compromised and in the depth of that compromise (i.e., the range of attributes reflecting personal information, including Social Security numbers, financial information, security clearance information, and even biometric data such as fingerprints). Foreign intelligence organizations and cybercriminals have demonstrated impressive access to and use of sophisticated cyber exploit technologies. In the case of Stuxnet and, possibly, a German steel manufacturing plant, cyber attack technologies have penetrated the industrial control systems (ICS) that connect physical systems with information technology infrastructures.
New malware can exhibit no known signature prior to its first use. It may be polymorphic (changing its appearance once rooted in a target infrastructure), able to detect and evade the “sandboxing” used to isolate and observe it, stealthy, and capable of “beaconing” to, and responding effectively to, command and control by its handlers. Stuxnet malware purportedly targeted Iranian centrifuges used to enrich uranium. It reportedly exploited multiple previously unseen (“zero-day”) vulnerabilities and was capable of identifying the specific programmable logic controllers and frequency converters in the ICS used to drive the centrifuges. It caused those systems to spin the centrifuges at damaging speeds while reporting normal operation to the workstations used to monitor them. Such malware is indeed “advanced.”
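The “beaconing” mentioned above is one of the few behaviors of an implant that a defender can see from the network alone: a compromised host checks in with its handlers on a timer, and timers are regular in a way people are not. The following Python, an added example and not code from the article, runs that idea over constructed proxy log lines. The log field layout is an assumption for the example (timestamp, source IP, destination host, method, path, status, bytes) rather than any specific product’s format, and the hosts and addresses are made up.

```python
"""Beacon detection over proxy logs: connections from one internal host to
one destination at near-constant intervals are what an implant's check-in
looks like.  Added example with constructed log lines; the field layout is
an assumption for this example, not a specific product's format."""
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean, pstdev

# Constructed log lines: "<timestamp> <src-ip> <dst-host> <method> <path> <status> <bytes>"
# 10.0.1.23 checks in with 203.0.113.9 roughly every 60 s; 10.0.1.40 is a person browsing.
LOG = """\
2015-10-01T08:00:00Z 10.0.1.23 203.0.113.9 GET /update 200 512
2015-10-01T08:00:00Z 10.0.1.40 www.example.com GET / 200 18231
2015-10-01T08:00:05Z 10.0.1.40 www.example.com GET /news 200 9022
2015-10-01T08:00:09Z 10.0.1.40 www.example.com GET /img/a.png 200 4410
2015-10-01T08:01:00Z 10.0.1.23 203.0.113.9 GET /update 200 512
2015-10-01T08:01:58Z 10.0.1.23 203.0.113.9 GET /update 200 512
2015-10-01T08:02:10Z 10.0.1.40 www.example.com GET /login 200 3300
2015-10-01T08:02:11Z 10.0.1.40 www.example.com POST /login 302 0
2015-10-01T08:03:00Z 10.0.1.23 203.0.113.9 GET /update 200 512
2015-10-01T08:03:59Z 10.0.1.23 203.0.113.9 GET /update 200 512
2015-10-01T08:05:00Z 10.0.1.23 203.0.113.9 GET /update 200 512
2015-10-01T08:06:01Z 10.0.1.23 203.0.113.9 GET /update 200 512
2015-10-01T08:06:40Z 10.0.1.40 www.example.com GET /account 200 7100
2015-10-01T08:06:41Z 10.0.1.40 www.example.com GET /img/b.png 200 5120
2015-10-01T08:07:00Z 10.0.1.23 203.0.113.9 GET /update 200 512
2015-10-01T08:15:00Z 10.0.1.40 www.example.com GET /logout 200 1200
"""


def parse(lines):
    """Yield (timestamp, src, dst) from the constructed format; skip blank lines."""
    for line in lines.splitlines():
        if not line.strip():
            continue
        ts, src, dst, *_ = line.split()
        yield (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
               src, dst)


def detect_beacons(lines, min_events=6, max_cv=0.15):
    """Flag (src, dst) pairs whose inter-connection intervals are nearly constant.

    cv = stdev/mean of the gaps between connections: a small value means a
    timer, not a person.  Implants add jitter precisely to defeat this, so
    max_cv is a tunable, and legitimate periodic traffic (update checks,
    monitoring agents) must be allowlisted before the output is actionable.
    """
    seen = defaultdict(list)
    for ts, src, dst in parse(lines):
        seen[(src, dst)].append(ts)
    hits = []
    for (src, dst), stamps in seen.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mu = mean(gaps)
        if mu <= 0:
            continue
        cv = pstdev(gaps) / mu
        if cv <= max_cv:
            hits.append({"src": src, "dst": dst, "events": len(stamps),
                         "period_s": round(mu, 1), "cv": round(cv, 3)})
    return sorted(hits, key=lambda h: h["cv"])


if __name__ == "__main__":
    for hit in detect_beacons(LOG):
        print(hit)
```

On the constructed data only the 10.0.1.23 to 203.0.113.9 pair is flagged (a 60-second period with a coefficient of variation near 0.02); the browsing host’s gaps vary by more than an order of magnitude and fall out. Two things keep this honest in practice: a minimum event count, so that a handful of coincidentally spaced requests is not reported, and a threshold loose enough to catch jittered check-ins without drowning the analyst in scheduled tasks.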
Perhaps more troubling is the advance in operational expertise, or “tradecraft,” exhibited by cyber exploiters and attackers. This tradecraft is characterized by formal information requirements; well-defined doctrine and operational concepts; thorough reconnaissance and intelligence characterization of the targeted infrastructure; dedicated resources capable of treating the infrastructures to be penetrated as formal intelligence targets; and impressive persistence, in some cases lasting almost ten years or more. The threat posed by organizations that possess this tradecraft can therefore be characterized as “persistent.” In other words, such malware and the operations that employ it can be called “advanced persistent threats,” or APTs.
This operational expertise extends to clever social network analysis (to identify users with administrative privileges, for example) and well-targeted spear-phishing that can result in the compromise of privileged credentials and information held by even well-trained IT professionals. The use of witting and unwitting insiders whose administrative privileges can be compromised can undermine network defenses significantly. Of equal importance, constant changes in the IT infrastructures we seek to defend leave defenders unable to characterize their own networks accurately. Exploiters and attackers, by contrast, can operate with the discipline of well-established intelligence services and can form a more accurate view of the networks they threaten than the view held by the networks’ owners.
Reporting abounds that characterizes the manner in which cybersecurity threats have become technically advanced and operationally efficient. Employees of the author’s company, ICF International, working with the Army Research Laboratory’s Threat Cell, see evidence of the increased technical sophistication of today’s malware. Mandiant, a cybersecurity professional services subsidiary of FireEye, publishes an annual report (M-Trends) that provides a year-over-year view of the technical and operational cybersecurity threat landscape. Mandiant’s report paints an alarming picture of the cybersecurity challenges facing modern, information-intensive enterprises, including the difficulty of finding intrusions before law enforcement or social media becomes aware of these enterprises’ breaches. Mandiant noted:
[In 2014] attackers still had a free rein in breached environments far too long before being detected—a median of 205 days in 2014 compared with 229 days in 2013. At the same time, the number of organizations discovering these intrusions on their own remained largely unchanged. Sixty-nine percent learned of the breach from an outside entity such as law enforcement. That’s up from 67 percent in 2013 and 63 percent in 2012.
Mandiant’s report added that at least one breach had remained undetected for 2,982 days, a period consistent with the author’s own experience dealing with a breach that had gone undetected (and unmitigated) for approximately nine years. Speaking to the adaptability of today’s cyber adversaries, Mandiant also noted:
As security teams deploy new defenses, attackers are evolving their tactics. We saw that dynamic in full force over the past year as attackers employed new tactics (or in some cases sharpened tried-and-true techniques from the past) to hijack virtual private networking security, evade detection, steal credentials, and maintain a stealthy, persistent foothold in compromised environments.
The report reflects eloquently both the technical prowess and operational cunning with which today’s cybersecurity professionals must contend.
Perhaps no cybersecurity incident better illustrates the convergence of technology and tradecraft than the reported 2010/2011 compromise of RSA, in which attackers stole information (widely reported to include the secret seed values) underlying RSA’s SecurID key fobs, employed by many organizations to govern access to sensitive IT systems. Wired magazine and others reported that the RSA breach was followed in swift order by intrusion attempts at a number of defense contractors (e.g., L-3 and Lockheed Martin) that employ RSA’s technology. This set of incidents reflects a well-elaborated plan that defined the information the exploiter desired, determined where that information was managed and how it was protected, and compromised the technology used to protect it. More importantly, the plan used that compromise swiftly, before it could be detected and mitigated, in an attempt to steal sensitive defense information. Such an operation reflects planning, discipline, readiness, and polished execution. The intellect and resources associated with such incidents represent a difficult challenge for any targeted enterprise.
The implications of the evolving threat landscape will force information technology executives and operators to become more vigilant regarding the vulnerabilities of their enterprises. It will compel better threat information sharing and may prove an impetus to the formation of new information sharing and analysis organizations (ISAOs), as described in a 2015 Presidential Executive Order (EO 13691). Enterprises of all types will be forced to consider the strategies they need to defend themselves against threats that in the past were posed by nation-state actors against national security targets only. Even smaller enterprises may be subject to sophisticated cyber attacks and exploits by adversaries attempting to test their capabilities on such targets as a way of avoiding detection.
Cybersecurity in Peace, in War, and in-Between
Much has been written regarding the continuing efforts of the United States and others to achieve effective cyber defense in light of unending work by other countries and cybercriminals to exploit and damage sensitive information and to achieve the ability to attack critical, information technology-dependent infrastructures. In a previous article in the Georgetown Journal of International Affairs, the author described the view held by the United States and other Western democracies of cybersecurity as a discipline safeguarding intellectual property, infrastructures, and private information within a global commons (i.e., global cyberspace).
Russia and China, by contrast, view cybersecurity as the exercise of government authority within portions of cyberspace. These governments seek to exercise the prerogatives of sovereignty—principally to safeguard social stability and limit the effects of religious, political, and other movements these governments regard as illegitimate. Additional articles in the current volume of the Georgetown Journal of International Affairs and others describe the evolution of cybersecurity as an element of warfare and statecraft, evidence of the rising importance of cybersecurity (and cyberspace) as elements to which international relations theorists must pay attention. Indeed, rising importance to international relations and the functioning of the international system is one of the principal dynamics shaping the cybersecurity landscape.
The evolution of this dynamic, however, appears to be tending toward a situation in which cybersecurity challenges (exploits and attacks) are a constant concern. Rather than a “cyberwar,” we are witnessing cyber attacks and exploits as a component of statecraft in peacetime. They are tools “short of war” and components of hybrid warfare operations (e.g., Russia’s campaign against Ukraine) that constitute neither peace nor war but allow countries to engage in conflict while maintaining diplomatic and economic relations. Efforts to steal and alter information, damage information infrastructures and IT-dependent critical infrastructures, and shape information conveyed through social and online media are ever present.
Theorists such as Lucas Kello deride the term “cyberwar” while seeking to describe this new state of affairs. These efforts also challenge IR theorists generally to model cybersecurity challenges as factors modulating ongoing relations among countries and between countries and non-state actors. International relations practitioners now consider what behavioral norms are required to accommodate these challenges while protecting the stability of the international system (and avoiding destabilizing surprises). Behavioral norms do not eliminate all behavior deemed objectionable by all actors, but they can constrain provocative behavior and non-proportional responses.
A survey of the field of the emerging role of cybersecurity as a component of the international system is not provided here. However, prominent IR theorists are seeking to describe that role. Erik Gartzke’s 2013 article, “The Myth of Cyberwar,” notes that cyberwar is “unlikely to prove particularly potent in grand strategic terms…” Gartzke challenges various cyberwar concepts and notes:
- Cyber damage can be more easily repaired than damage to physical infrastructures.
- Countries that are the victims of covert cyber attack cannot acquiesce to attackers they do not know.
- Some cyber attack capabilities risk being made ineffective after their first use.
Gartzke’s article provides evidence that cyber attack as a challenge to cybersecurity is assuming its logical place alongside other tools in the exercise of power and influence, rather than as a decisive mode of combat.
The 2013 article by Lucas Kello, “The Meaning of the Cyber Revolution,” offers a challenge to study the effects of cyber attacks and exploits on the international system. Kello regards the term “cyberwar” as overused. He suggests that the research methods used to analyze international relations can and should be applied to the study of cybersecurity challenges. Kello quotes former NSA Director and Commander of USCYBERCOM General Keith Alexander, who stated that “no consensus exists” regarding how to characterize the destabilizing effects of cyber attack. Kello’s work represents, as does Gartzke’s, a challenge to theorists to replace speculation with useful research.
What might this research show? Recent events support the hypothesis that efforts are under way to establish norms as well as the diplomatic and political mechanisms required to react to normative transgressions. Although more research is necessary to convert this hypothesis into theory, recent events are noteworthy, perhaps none more so than the September 2015 cybersecurity agreement between President Obama and Chinese President Xi Jinping. An attempt at normative behavior can be seen in the following: the United States and China agree that neither country’s government will conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors.
Although the agreement attempts to constrain the theft of intellectual property, it does not define the sanctions that might follow such theft. It is silent regarding cyber exploits by one government against the other, reflecting perhaps an acceptance of such acts. Indeed, former Central Intelligence Agency and National Security Agency (NSA) Director Michael Hayden has called the recent breach (possibly by China) of personal records held by the U.S. Office of Personnel Management “honorable espionage work” against a “legitimate intelligence target.”
In other words, the state of affairs in which the agreement was drafted reflects efforts to define normative behavior, while recognizing that some acts, though unpalatable, are not necessarily unacceptable. This agreement also represents, perhaps, an effort by the United States and China to interact in cyberspace without dangerous conflict, even in the presence of very different concepts of cybersecurity (“global commons” rather than “sovereign cyberspace”).
For theorists of international relations, governments, non-state actors, warriors, and even the private sector, the implications of efforts to achieve and describe normative behavior are likely to be significant. The existence of norms recognizes that the behavior associated with those norms will be present under day-to-day circumstances. Government departments and agencies—and their industrial partners—will need to detect, fend off, and mitigate foreign cyber exploits that do not reflect the theft of intellectual property intended to create commercial advantage. Defense contractors, for example, may find that exploits against their systems, while unfortunate, do not necessarily violate emerging norms, which makes such exploits more likely and the need to deal with them more important. If this trend holds, we are likely to see a continuing shift from concerns about “cyberwar” to recognition that some level of cyber exploit is part of the “new normal.”
The same may be true regarding cyber attack. Sascha Dov Bachmann and Håkan Gunneriusson argue in a 2015 article that Russia has built a hybrid warfare doctrine that incorporates attacks against another country’s infrastructure into an operational approach that falls just short of war. Russia is using this doctrine in Ukraine. The country is combining cyber attacks, efforts to shape online and social media discussions, support to Ukrainian separatists, deployment of Russian irregulars, and the unacknowledged use of Russian soldiers into an effective campaign, one that is eroding the Ukrainian Government’s effectiveness while corroding the integrity of Ukraine’s border with Russia. Again, the implications are likely to be significant. Russia’s doctrine represents the use of force “short of war” and drives those affected (government, nongovernment, commercial entities, and others) to exist in a state in which attacks against their IT infrastructures are unpalatable but are not regarded as acts of war and do not compel a vigorous, warlike response.
Overall, the international system will need to adjust to accommodate cybersecurity challenges as a factor that is both constantly present—and constantly changing. Low barriers to entry, difficulties with attribution (of exploits and attacks), and modest consequences (to date) faced by the perpetrators of cyber attacks and exploits are likely to make these activities a long-term aspect of the international system.
Privacy Dominates—for Now
The 2006 CNCI defines cybersecurity as a national security imperative, one that unites the public and private sectors. From a policy perspective, CNCI makes clear that an enduring public interest exists in the cybersecurity of the defense industrial base, critical infrastructure, and parts of the nation’s manufacturing base as well as the national defense, intelligence, and civil government establishment.
Things have changed.
Today’s cybersecurity environment is defined increasingly by concerns about privacy and a perceived need to protect private information from government authorities. Examples abound, and one can speculate as to the reasons for this shift, though Edward Snowden’s activities appear to be the most influential.
Three examples cast into sharp relief this change in the cybersecurity narrative. First, the 2000 Safe Harbor decision by the European Commission indicated that U.S. data protection standards are adequate for European Union citizens. The intervening years, however, have wrought visible change in the European political situation vis-à-vis U.S. data privacy, as reflected in an October 2015 decision by the Commission that U.S. data protection standards are not sufficient.
Taking place against the backdrop of enduring European concerns over the purported activities of the U.S. intelligence community and a case brought in 2013 by an Austrian citizen, the court’s ruling invalidated the 2000 U.S.-EU Safe Harbor Agreement. It also determined that member countries’ data protection authorities are not bound by the Commission, allowing for further challenges. Although the U.S. government is working vigorously to restore Safe Harbor, this ruling reflects a trans-Atlantic cybersecurity relationship defined as much by privacy concerns as by the needs for mutual defense.
Second, broad agreement appears to exist on the need to improve public and private cybersecurity threat and incident information sharing. However, successive bills brought forward in the U.S. House and Senate (the Cybersecurity Information Sharing and Protection Act [CISPA] and the Cybersecurity Information Sharing Act [CISA], respectively), have foundered on the rocks of concerns raised by privacy and civil liberties advocates. The bills did not advance to the President’s desk from 2010 to 2014. Indeed, rumors abounded in Washington that the President would veto an information-sharing bill that risked the unauthorized (even mistaken) disclosure of private information to the government generally and the intelligence community specifically.
In addition, members of the IT industry feared the potential liability that could result should such a disclosure take place, reflecting their customers’ private information. Only in October 2015 was a Senate bill presented that appeared capable of gaining White House support. The Senate bill is prescriptive in its protections of information considered private. Conditional Administration support was signaled in a Statement of Administration Policy, although that statement emphasizes that information sharing must be mediated through the Department of Homeland Security. Although not entirely satisfactory to the civil liberties community, the bill passed both houses and gained Presidential signature.
Finally, one notes that conservative congressional leaders, including two reported candidates for the position of Speaker of the House of Representatives—a position to which Congressman Paul Ryan (R-Wisconsin) has been elected—are known more for their concerns regarding cybersecurity privacy than for cybersecurity as a national security issue. Congressman Darrell Issa (R-California) has made clear his view that NSA’s bulk collection programs (specifically, the program authorized by Section 215 of the Patriot Act) should be limited. Congressman Jason Chaffetz (R-Utah) and Issa both support the Email Privacy Act, which would close a loophole in the Electronic Communications Privacy Act that “allows the government to subpoena emails from Internet service providers after they’re 180 days old.”
Taken together, these examples point to a domestic cybersecurity landscape that is influenced more powerfully by privacy concerns than in the past. They represent a likely reaction to the purported actions of the government in cyberspace as well as a change internationally. They also reflect a clear division between the United States and many of its partners. This division, defined by privacy concerns, stands in contrast to the continuing but now less prominent efforts to work together in support of common cyber defense. Whether privacy will trump national security in defining the cybersecurity relationship between the United States and its European allies (and other countries) remains to be seen. National security may reassert itself (particularly in the wake of the November 2015 terrorist attacks in Paris), or a new accommodation between national security and privacy may be struck. In any case, the cybersecurity landscape with which policy makers and operators will be forced to deal will be shaped by these parallel, often entwined considerations, as will the relations among allies and between allies and other countries.
Some Progress is Evident
While this article proposes an analytical framework, it is worth noting that progress has been made, particularly on the part of the U.S. government. This progress, which is itself a framework, consists of:
- A Presidential Policy Directive (21) that identifies 16 critical infrastructure standards that require stronger cybersecurity.
- A Presidential Executive Order (EO 13636) mandating the creation by the National Institute of Standards and Technology (NIST) of a cybersecurity framework that identifies best practices, provides a means for critical infrastructure self-assessment, and conveys a mechanism for sector-specific cybersecurity standards.
- An additional Executive Order that mandates the creation of Information Sharing and Advisory Organizations (ISAOs) to improve cybersecurity threat and best-practice information sharing within specific sectors and for specialized needs (e.g., the operational technology used in industrial control systems).
Another framework we should take into account is the Tallinn Manual, a NATO-sponsored effort that seeks to codify the rules of conduct of offensive cyber operations. The Manual represents an effort to impose on nation states a set of behavioral norms, improving transparency and predictability, and may serve to improve our understanding of the role of cybersecurity in the international system.
While useful, this progress should be accompanied by a stronger understanding of the larger context of information value, global policy, and operations shaping cyberspace today and tomorrow, and of the cybersecurity challenge we face.
The cybersecurity field is changing swiftly. The swiftness of this change makes difficult the detachment generally needed to gain perspective and balance, to generate hypotheses, and to collect the data necessary to theorize. At the same time, the swiftness of these changes poses challenges to policy makers, operators, technologists, and practitioners. This article identifies major categories of change and provides the means to describe the evolving cybersecurity landscape in a manner that is both lucid and practical.
Governments and commercial enterprises must shape policies that reflect the concerns of citizens and customers alike. Governments and commercial enterprises must recognize the ever-present threats that are likely to endure and grow more serious in a world where cyber exploits and cyber attacks can take place at any time and may become regarded as “peacetime,” normative behavior. Defending against these attacks and exploits will be made more difficult by the rising value of the information at risk and the complexity of the infrastructures by which this information is managed and which this information helps control. The framework provided, framed by salient issues, represents a useful starting point for the further analysis of cyber developments—and possibly a challenge to develop stronger and more useful frameworks in future.