Right now, there is a, to put it mildly, ongoing discussion between proponents of coercion and deterrence in cyber policy, and adherents of a new theory, called *persistent engagement.* Maybe the sum total of the people in the argument is less than a thousand, but as academic circles go, it heavily influences the US Defense Department and IC, and through that, the rest of the world, so it is fun to watch. Also obviously it has added to infosec Twitter drama, which of course is the most important thing in the whole Universe.
But while I try to keep this list technical, I wanted to put it into context for people here, so they can better appreciate the Twitter drama. But before I do that, I want to talk about a Defcon talk I attended. I'm not going to say WHICH talk, since it was under Chatham House Rule, but it was about cyber policy. When I pressed someone on an aspect of their policy efforts and how it implicated technical experts without involving their feedback (export control around penetration testing tools) they said "Well, that was more an expression of our country's VALUES and so we didn't need to listen to our technical experts".
And I thought that was very interesting! Because the technical community is highly connected and paying attention to these sorts of things in a way that didn't used to be the case. If your message on one issue is going to be "When our values and the technical community's values don't align, we don't bother listening to them" then they will all know immediately, and all your other outreach efforts might as well be wasted air.
And this is true across the board - disintermediation via cyber is now a universal truth.
I believe you can come at the theories of persistent engagement by looking at it from a different perspective: Instead of saying "Here's a bunch of data about what we see in cyber, and it looks a certain way, and that way requires a new way of thinking" you ask yourself whether the fundamental way of dealing with conflict in international relations literature can be simplified down to coercion and deterrence when the system is a highly connected network. In other words, the game theory math you would use for dyads and bilateral relationships is great for looking at nuclear conflict because that's how the problem is presented, but doesn't scale to the problems we have for cyber conflicts, which are about emergent effects of much more complicated systems.
That's why it's not just different, but downright wrong, to talk about offense-defense balances when we look at cyber or cyber-enabled conflicts. It's why the previous international relations work on deterrence and coercion just doesn't apply cleanly, if at all. On one side (the wrong side) you have people saying "Cyber is not strategic because it cannot hold ground like infantry can!" and on the other side you have people building international relations theories based on cycles of attack, on responses and counter-responses to aggression in the cyber domain because you can lead an entire country around by the nose ring that is TikTok.
At some level, we are going to have to stop talking about offensive cyber operations as a corollary of SIGINT capability, and going to look more holistically at COGINT.
To sum it up: Complexity in connectivity introduces phase changes in systems. We now live in a highly connected world, and this means we need new paradigms of international relations, whether you are under Chatham House Rule or not.
-dave
I am one of those people who find this problem so pressing that I have side-lined my SIEM engineering job to pursue an international relations degree. It has been an epiphany to say the least.
- The lack of empiricism in cyber policy has transformed it into a credibility problem, centred around personalities. This problem is not going away anytime soon.
- If it is going to remain a subjective discipline, then there are techniques like Process Tracing – well known in public policy which also struggles with empiricism and emergent properties – that could be applied than invoking the spirit of John Nash (RIP).
- The offence-defence discourse is soul-suckingly banal. It boggles me that we choose to completely ignore disciplines like political economy[1] as they are not as hot as cyber offence.
- I am not sure what Dave meant by COGINT but we need to start looking at cyber policy papers and policies that have aged well.[2] It may bring the doctrinal focus back on things like information operations or lead to a Socratic first-principles assessment.[3]
- Look, I understand that exploit writers and hackers feel like Oppenheimer when he paraphrased the Sanskrit quote: “Now I am become death, the destroyer of worlds”. But the technologist, liberalist and realist sides need to know that their perspectives do not apply in absolute terms in cyber policy.[4] Weird machines and national power are reflexive.
- One thing is for sure: cyber policy has slipped out of the hands of norm entrepreneurs. We really need to stop talking about norms, normative frameworks and Tallinn Manual for a while now.
Best, Pukhraj ________________________________
[1] Shawn M. Powers and Michael Jablonski, The Real Cyber War: The Political Economy of Internet Freedom (University of Illinois Press, 2015).
[2] Erik Gartzske, ‘The Myth of Cyberwar: Bringing War in Cyberspace Back Down to Earth’, International Security 38, no. 2 (2013): 41–73; Michael Monte, Network Attacks and Exploitation: A Framework (Wiley, 2015).
[3] David Ormrod and Benjamin Turnbull, ‘The Cyber Conceptual Framework for Developing Military Doctrine’, Defence Studies 16, no. 3 (2016): 277–80.
[4] Jon R. Lindsay and Derek S. Reveron, ‘Conclusion’, in China and Cybersecurity: Espionage, Strategy, and Politics in the Digital Domain (Oxford Scholarship Online, 2015), 334–52.
William Gibson’s transition from the bridge cycle and Johnny Mnemonic with its meta verse-cyberspace to Blue Ant cycle with it’s careful amplification of trends through nudges etc captures this beautifully
On Tue, 23 Aug 2022, at 09:27, Pukhraj Singh via Dailydave wrote:
I am one of those people who find this problem so pressing that I have side-lined my SIEM engineering job to pursue an international relations degree. It has been an epiphany to say the least.
The lack of empiricism in cyber policy has transformed itinto a credibility problem, centred around personalities. This problem is not going away anytime soon.
If it is going to remain a subjective discipline, thenthere are techniques like Process Tracing – well known in public policy which also struggles with empiricism and emergent properties – that could be applied than invoking the spirit of John Nash (RIP).
The offence-defence discourse is soul-suckingly banal. Itboggles me that we choose to completely ignore disciplines like political economy[1] as they are not as hot as cyber offence.
I am not sure what Dave meant by COGINT but we need tostart looking at cyber policy papers and policies that have aged well.[2] It may bring the doctrinal focus back on things like information operations or lead to a Socratic first-principles assessment.[3]
Look, I understand that exploit writers and hackers feellike Oppenheimer when he paraphrased the Sanskrit quote: “Now I am become death, the destroyer of worlds”. But the technologist, liberalist and realist sides need to know that their perspectives do not apply in absolute terms in cyber policy.[4] Weird machines and national power are reflexive.
One thing is for sure: cyber policy has slipped out of thehands of norm entrepreneurs. We really need to stop talking about norms, normative frameworks and Tallinn Manual for a while now.
Best, Pukhraj ________________________________
[1] Shawn M. Powers and Michael Jablonski, The Real Cyber War: The Political Economy of Internet Freedom (University of Illinois Press, 2015).
[2] Erik Gartzske, ‘The Myth of Cyberwar: Bringing War in Cyberspace Back Down to Earth’, International Security 38, no. 2 (2013): 41–73; Michael Monte, Network Attacks and Exploitation: A Framework (Wiley, 2015).
[3] David Ormrod and Benjamin Turnbull, ‘The Cyber Conceptual Framework for Developing Military Doctrine’, Defence Studies 16, no. 3 (2016): 277–80.
[4] Jon R. Lindsay and Derek S. Reveron, ‘Conclusion’, in China and Cybersecurity: Espionage, Strategy, and Politics in the Digital Domain (Oxford Scholarship Online, 2015), 334–52. _______________________________________________ Dailydave mailing list -- dailydave@lists.aitelfoundation.org To unsubscribe send an email to dailydave-leave@lists.aitelfoundation.org
dailydave@lists.aitelfoundation.org
-
Dave Aitel -
Konrads Klints -
Pukhraj Singh