Taking the cyberwar challenge seriously requires thinking outside our comfortable technology or national security boxes. Unfortunately—regardless of the lip service many decision makers pay to cybersecurity—this ability is a rare quality. What the world needs is strategic leadership in navigating the murky waters of cyberspace. The digital world, as well as the threats and opportunities in it, is not “out there,” but part of our making.
The value of cyberspace arises from its close connection to the physical world. The Gains we achieve through the digital realm—efficiency, near simultaneity, global reach, cost reductions, new opportunities for business and civil society—are meaningful only when they improve the quality of our lives. Unfortunately, owning anything valuable also encompasses the fear of losing it. We are afraid of losing the functions that cyberspace enables, as well as the functions controlled by it. Because we are not sure how different functions relate to one another or affect the physical world, confusion prevails.
Moreover, we do not really know our potential enemies, their capabilities and vulnerabilities, logic, or willingness to do harm. We don’t know what to defend against, which makes us concentrate on the technologically possible instead of the politically feasible. By designing, constructing or acquiring, disregarding, and using technological capabilities, we build the future operating environment and the future world. This responsibility is huge and should not be carried out technology in the lead. Strategic thinking and the skill to effectively use our current capabilities have often proven to be the key to success.
Thus far technology has prevailed in cyberspace while our strategies have been reactionary. The voices of warning have existed for years. Still, we seem to take steps only after we see a disaster. For enhanced security we should learn to make decisions based on sensory information other than visibility—and not only on tactical and operational levels, but also on a strategic level. In addition, we must plan, build, and execute on the assumption that we can never reach perfect visibility.
The basic problem in strategic thinking about cyber-physical reality is that we try to apply concepts and logic drawn from the physical world to the digital world without modification. Thus we expect to recognize our opponents (or construct them in fierce naming and shaming campaigns), count stockpiled cyber weapons (and verify their existence), attribute attacks (and possibly retaliate), and deter (though effective deterrence requires a known enemy). We also try to conduct information operations in the era of Web 2.0 as if we were living in a world in which major media companies or national news broadcasts control the information sphere.
The aforementioned are only a few examples of flaws that dominate security thinking. Old-fashioned ideas prevail in public and private sectors alike. Both participate in contemporary security production and are stakeholders in cyberwar. The tendency to rely on familiar frameworks in the face of something unexperienced is understandable, yet it may hinder our attempts to scrutinize cyber-physical reality as it is and learn to live in it. The contemporary world is our creation, but it may not suit preexisting security frameworks.
How about starting with our cyber-physical reality? We must learn its basics and conceptualize it without prior frameworks, and learn to live in a multiphase reality in which we may not be able to know our enemies, build a strong security posture alone, or enjoy unambiguous truths. We cannot control cyberspace (although we try to) and must learn to live with its malleability and unpredictability. Absolute security is unattainable. Thus resilience should become the prime driver in security thinking. And that warfare should remain only a feature of politics.
Cyberspace and the changes it has brought about in warfare and security production do not represent a revolution. They cannot be addressed by those currently in decision-making positions. Rather, they are a phase in our normal evolution and should not be deferred to future generations who might better understand them. By then it may be too late.
The post Thinking About Next-Generation Security and Cyberwarfare appeared first on McAfee.