Right now, there is a, to put it mildly, ongoing discussion between proponents of coercion and deterrence in cyber policy, and adherents of a new theory, called *persistent engagement.* Maybe the sum total of the people in the argument is less than a thousand, but as academic circles go, it heavily influences the US Defense Department and IC, and through that, the rest of the world, so it is fun to watch. Also obviously it has added to infosec Twitter drama, which of course is the most important thing in the whole Universe.
But while I try to keep this list technical, I wanted to put it into context for people here, so they can better appreciate the Twitter drama. But before I do that, I want to talk about a Defcon talk I attended. I'm not going to say WHICH talk, since it was under Chatham House Rule, but it was about cyber policy. When I pressed someone on an aspect of their policy efforts and how it implicated technical experts without involving their feedback (export control around penetration testing tools) they said "Well, that was more an expression of our country's VALUES and so we didn't need to listen to our technical experts".
And I thought that was very interesting! Because the technical community is highly connected and paying attention to these sorts of things in a way that didn't used to be the case. If your message on one issue is going to be "When our values and the technical community's values don't align, we don't bother listening to them" then they will all know immediately, and all your other outreach efforts might as well be wasted air.
And this is true across the board - disintermediation via cyber is now a universal truth.
I believe you can come at the theories of persistent engagement by looking at it from a different perspective: Instead of saying "Here's a bunch of data about what we see in cyber, and it looks a certain way, and that way requires a new way of thinking" you ask yourself whether the fundamental way of dealing with conflict in international relations literature can be simplified down to coercion and deterrence when the system is a highly connected network. In other words, the game theory math you would use for dyads and bilateral relationships is great for looking at nuclear conflict because that's how the problem is presented, but doesn't scale to the problems we have for cyber conflicts, which are about emergent effects of much more complicated systems.
That's why it's not just different, but downright wrong, to talk about offense-defense balances when we look at cyber or cyber-enabled conflicts. It's why the previous international relations work on deterrence and coercion just doesn't apply cleanly, if at all. On one side (the wrong side) you have people saying "Cyber is not strategic because it cannot hold ground like infantry can!" and on the other side you have people building international relations theories based on cycles of attack, on responses and counter-responses to aggression in the cyber domain because you can lead an entire country around by the nose ring that is TikTok.
At some level, we are going to have to stop talking about offensive cyber operations as a corollary of SIGINT capability, and going to look more holistically at COGINT.
To sum it up: Complexity in connectivity introduces phase changes in systems. We now live in a highly connected world, and this means we need new paradigms of international relations, whether you are under Chatham House Rule or not.
-dave