Right now, there is a, to put it mildly, ongoing discussion between
proponents of coercion and deterrence in cyber policy, and adherents of a
new theory, called *persistent engagement.* Maybe the sum total of the
people in the argument is less than a thousand, but as academic circles go,
it heavily influences the US Defense Department and IC, and through that,
the rest of the world, so it is fun to watch. Also obviously it has added
to infosec Twitter drama, which of course is the most important thing in
the whole Universe.
But while I try to keep this list technical, I wanted to put it into
context for people here, so they can better appreciate the Twitter drama.
But before I do that, I want to talk about a Defcon talk I attended. I'm
not going to say WHICH talk, since it was under Chatham House Rule, but it
was about cyber policy. When I pressed someone on an aspect of their policy
efforts and how it implicated technical experts without involving their
feedback (export control around penetration testing tools) they said "Well,
that was more an expression of our country's VALUES and so we didn't need
to listen to our technical experts".
And I thought that was very interesting! Because the technical community is
highly connected and paying attention to these sorts of things in a way
that didn't used to be the case. If your message on one issue is going to
be "When our values and the technical community's values don't align, we
don't bother listening to them" then they will all know immediately, and
all your other outreach efforts might as well be wasted air.
And this is true across the board - disintermediation via cyber is now a
I believe you can come at the theories of persistent engagement by looking
at it from a different perspective: Instead of saying "Here's a bunch of
data about what we see in cyber, and it looks a certain way, and that way
requires a new way of thinking" you ask yourself whether the fundamental
way of dealing with conflict in international relations literature can be
simplified down to coercion and deterrence when the system is a highly
connected network. In other words, the game theory math you would use for
dyads and bilateral relationships is great for looking at nuclear conflict
because that's how the problem is presented, but doesn't scale to the
problems we have for cyber conflicts, which are about emergent effects of
much more complicated systems.
That's why it's not just different, but downright wrong, to talk about
offense-defense balances when we look at cyber or cyber-enabled conflicts.
It's why the previous international relations work on deterrence and
coercion just doesn't apply cleanly, if at all. On one side (the wrong
side) you have people saying "Cyber is not strategic because it cannot hold
ground like infantry can!" and on the other side you have people building
international relations theories based on cycles of attack, on responses
and counter-responses to aggression in the cyber domain because you can
lead an entire country around by the nose ring that is TikTok.
At some level, we are going to have to stop talking about offensive cyber
operations as a corollary of SIGINT capability, and going to look more
holistically at COGINT.
To sum it up: Complexity in connectivity introduces phase changes in
systems. We now live in a highly connected world, and this means we need
new paradigms of international relations, whether you are under Chatham
House Rule or not.