Thursday, January 11, 2018

Rethinking Rethinking Security

It's worth reading Jim Lewis's paper from this week on the CSIS website. That said, I can also summarize it polemically by paraphrasing it as "Westphalian states remain the only players that really matter, and cyberwar won't change how they interact that much."

Needless to say, I think he's very very wrong in ways that are important enough to write a blog post about.

We haven't seen a cyber 9/11 only if you refuse to recognize a cyber 9/11 when it is the headline of every politico article for the past two years!

He thinks that if we define "attack" to be equivalent to "coercion against a state to achieve political effect" that it's not happened and all any of us can do is look around and see it happening in real time! Likewise, his claims of states being robust organizations that shake cyber operations off is totally true except that really Westphalian states are giant balloons made of reputation and shared mythos and cyber seems like a bullet created to pop exactly that sort of thing!

My S4 talk, which is what I'm supposed to be working on right now, is the exact opposite of this position. But it's that way not because I feel like aggrandizing cyber operations, but because I have seen a different history and I honestly believe it is impossible to analyze the strategic impact of Mendez's little creation without having that whole picture. Jim says in his paper that the Internet is a creation of Millenial ideals, but the 90's hackers have had a massively larger impact on it. What does he think w00w00 is doing right now?

Where is Dug Song when you need him?

To me, not understanding click-scripts and why they are used and still doing strategic analysis is the same as not understanding the longbow but still trying to understand the battle of Agincourt. This, of course, is the kind of opinion that gets you not invited to write Lawfare pieces. :)

I'm not saying states are powerless, but if he was hanging around inside the NSA while cyber started, and then watched it grow, he'd probably believe the river of talent and technology was mostly running the opposite way, that non-nation-states may have capabilities that rival or eclipse EVEN THE MOST ADVANCED NATION STATES, and to think otherwise is to continue to develop the same cyber policy that has led to us wandering the cyber desert for forty years and I for one think it's time to hire a cartographer or two!

I mean if he thinks nation states are so resilient as an institution, then why exactly? Has he noticed that his barber and taxi driver are both pretty invested in bitcoin right now? Does he know a state with a unvarnished reputation for truthfulness that could withstand all forms of cyber coercion right now? Did he just watch the US govt come out with an attribution of Wannacry that was several months after Google's and backed up with basically the same stuff?

As far as I can tell the argument is this:

  • Cyber operations have had limited impact on states
  • What impact they HAVE had is beyond reach of non-state players
  • Conclusion: Don't Panic

I just think those things are so obviously false that to me the whole concept of the conclusion falls into wishful thinking. It's not just him, of course, I think there's a massive element of cognitive dissonance in a lot of people who do cyber policy. Partially because, unlike other areas of policy, a lot of people (NOT EVERYONE) just don't want to read the source material, which in this case, is often source code.

Coming back to S4, which is a conference mostly about ICS - you get the feeling from reading Jim's paper that he thinks non-nation-state hackers cannot really do the complicated modeling and physical-cyber coordination to cause physical effects. Look, the real reason, is they don't feel like it.


No comments:

Post a Comment