With cyberattacks gaining increasing media attention, it soon becomes apparent that our language does not quite match reality. War, for example, is understood to be state-directed violence to achieve political purposes. Adding a qualifier like a “one thousand battle deaths annually” certainly excludes every reported incident of cyberwar, which more closely resembles espionage, sabotage, or propaganda. Attributed to sensational media coverage, Brandon Valeriano sees more cyber hype than cyberwar.
My colleague Chris Demchak prefers cybered conflict. She argues that,
Cybered conflict is the better name for the national security dilemma today. Any given conflict can involve all sorts of systems of people, things, processes, and perceptions that are computer-related but not necessarily purely computerized…[A] ‘cybered’ conflict is any conflict of national significance in which success or failure for major participants is critically dependent on computerized key activities along the path of events. As long as the global web remains as open as it is today, human conflicts across large-scale complex, digitally connected systems will be cybered at key junctures in streams of joined outcomes.
As the lexicon settles and we develop new vocabularies or agree on the application of old terms, bureaucracies are moving in the space we access through a keyboard. In the United States, for example, Congress recently provided legal authorities in the 2012 Defense Authorization where the Department of Defense has the capability, and upon direction by the President may conduct offensive operations in cyberspace to defend our Nation, Allies and interests.
The authorities are non-specific, but General Keith Alexander, the head of the National Security Agency and US Cyber Command, explained:
We at Cyber Command are responsible day to day for directing the operations and defense of the Department of Defense information networks and for the systemic and adaptive planning, integration and synchronization of cyber-activities, and when directed under the authority of the president, the secretary of defense and the commander of U.S. STRATCOM, for conducting full-spectrum military cyberspace operation to ensure U.S. and allied freedom of action in cyberspace.
As Cyber Command matures, it tends to dominate national cybersecurity discussions. Ellen Nakashima’s reporting notes coordination across the government occurs, but an anonymous official sees “DOD has the responsibility to defend the nation” crowding out the civilian departments of the government. Given how military commanders are as much policy entrepreneurs as warfighters, we should expect to see the military lead on cyber issues.
As cyber issues are increasingly securitized through law and integrated into national security bureaucracies, we must not overlook how cyberspace is different from land, air, and sea. The most important distinction is the essential role the private sector plays in creating, sustaining, and innovating in the cyber field. The world largely runs on Windows, people connect through Facebook, and Google is both a multi-billion dollar company and a verb. In spite of this, Jason Healey notes that governments must:
Break the fifteen-year public-sector/private sector stalemate.The need for information sharing and trust between the government and private sectors has been well known since before 1998, when US President Clinton issued a decision directive calling for cooperation. Yet nearly fifteen years later, the same findings surface in every exercise and report and are met with the same platitudes and saccharine commitments and action plans.
Recognizing the centrality of the private sector is fundamental. While cyber offense is king, cyber defense can be improved through better cyber hygiene by users and changing the incentive structure to reduce software vulnerabilities by producers. Just as there are regulations and fines governing use of the environment to reduce pollution, it might be time to explore ways for governments to impose costs on companies that enable intrusions through vulnerable software. Allowing the military or national security bureaucracy to dominate policy discussions will likely be insufficient in the cyber age.
Derek S. Reveron, an Atlantic Council contributing editor, is a Professor of National Security Affairs and the EMC Informationist Chair at the U.S. Naval War College in Newport, Rhode Island. Photo Credit: Reuters Pictures