Understanding basic cybered conflict begins first with two critical adages for the cyberspace user at any organizational scale: ‘user beware’ and ‘user prepare’.
Societies and institutions determinedly staying so deeply interconnected must now consider distrust and surprise as much as efficiencies and speed. This is a world of what one could call ‘trust-less operations’. Beware and prepare for nations means their cyber power depends not only on being able to strike digitally, but being able to survive well in the face of attacks and their follow-on assaults. Just like individuals, leaders and institutions facing cybered conflict will have to keep the uncertainty of the overall national systems down at tolerable levels. They will find themselves managing distrust and sustaining redundancy, slack, and continuous trial-and-error learning as much as identifying specific hostile actors and attacking or negotiating with them.
At the end of the day, cybered conflict begins like most struggles: actors dispute the allocation or access to resources including prestige. It is not, as the cyber-prophets persuaded us, about the desire of information ‘to be free’ and of its floating in a sort of information-enabled Eden filled with nice, sharing people. Rather, the modern cyberspace that critically sustains most of your living is more like an enormous, muddy, colorful, moderately chaotic, medieval annual fair. While offering great and new resources, it is also replete with tons of paupers (script kiddies), pickpockets (small time credit card thieves), con artists (phishers, social engineers, ID thieves), and organized competing gangs of muggers (huge professional botnet masters), along with occasional wholesale attacks by armed brigands (organized cyber gangs, national level covert cyber units).
Human greed, pathologies, and cruelty historically pushed the limits of acceptable insecurity in the days before the emergence of the modern state just as they are pushing the limits acceptable from the cyber frontier. Pickpockets are cybercriminals in your bank account. Mafia are the thieves’ guilds fixing prices and goods, and harm is or is not relevant to their choices. They make, buy, and sell the hidden applications inserted on millions of your machines that secretly connect to the internet, and in large numbers (botnets) attack other computers to steal or disrupt. Their efforts inform or train groups of mercenaries hired to take down one or other groups of fair goers (organizations or you) or traders in their stalls (locations like cities or nations). Sometimes they come in the night, sneaking along the road like Native American raids for prestige-enhancing scalps and wives (denial of service DOS), and sometimes they run in during the day like Vikings raiding from seaside encampments (multilevel campaigns such as Estonia 2007). Some traders begin to sell weapons for defense (firewalls and filters) or guard services (antivirus companies). Groups of wealthier fair citizens hire guards collectively to hold main intersections, filtering who comes in and with what (ISPs, passworded servers).
Historically, victim groups in such a messy uncertain area tended to band together to survive in a protection organization that became a society. This process is beginning in cyberspace. The medieval victims’ resulted with nations as largescale collective protection pacts expressed in institutions like monarchies. Eventually the modern democratic state evolved with rules of behavior mostly observed or usually enforced, ending the frontier nature of great medieval fair. This eternal orchestrating struggle is beginning in the controls of cyberspace. In struggling over who gets to make and enforce the rules of protection in the exchanges today, we are at the point of organizing the cybered world. Cyberspace now underlies and deeply links nations, organizations, and individual citizens, wittingly or unwittingly. All organized players including national governments, criminals and their guilds, possibly your home networked computer, and maybe that of your bank are involved at one or more levels. As long as we live in the middle of this global medieval fair, we and our respective national governments will be involved in this competition as both predator and prey.
Cybered conflict is part and parcel of this frontier-dismantling struggle. In history, repeatedly and eventually the ability to both disrupt attackers and be resilient to their attacks becomes concentrated in a handful of key groups. The winners get organized, usually becoming increasingly more overt (thought not always) in their struggles for control of parts and possibly all of the fair.
Cybered conflict is emerging and will be critical to deciding the come-all battle over the wealth being displayed in this global fair. In ten or fifteen years, all this transition will be obvious; nations will declare or iterate to cybered security resilient strategies involving both striking to disrupt what they can foresee and to be resilient to what they cannot. The sorting will have been underway for nearly a generation and there will be rules and borders, and consequences, and air gaps, and resilience services, and, still, places to enjoy the fair. But, for now, much needs to deliberately or organically emerge, and there be many surprising monsters yet to be revealed in the rollicking global human-machine-network systems. The next blogs will address many of these emerging or not yet obvious issues of cybered conflict, nations, and the evolutions of their socio-technical systems.
Chris Demchak is an Associate Professor at the US Naval War College and at the University of Arizona. The views expressed are her own and do not reflect those of the Navy or the U.S. government. This article is the second in a series titled Cybered Conflict.