Understanding the implications and evolution of today’s cybersecurity landscape is a tall order, both for those new to the field and those well-established. I’ve been fortunate to work with some of the industry’s finest cybersecurity research and development professionals at ICF, some of the brightest young minds of our generation at Georgetown University, and individuals spanning cybersecurity’s range of disciplines at professional associations and societies. This level of exposure presents cybersecurity in ways that go beyond purely technical and operational, asking not just what things are happening but why.
Until recently, the U.S. Department of Defense (DOD) guarded the interests of four classical domains in which warfare could be waged: land, air, sea, and space. As the information technology field has expanded, however, so too has the battlefield, and cyberspace has become the fifth domain. With over 3.7 billion people online, it's almost impossible to conceive of cyberspace as anything other than its own domain, one that has more people "living" at risk in it than three of the other four domains combined.
The implications of this vast domain are unprecedented but not surprising. Experts, academics, and theorists have long prophesied the immense cultural shifts that would come with expanded information technology. As early as 1994, Arturo Escobar's Welcome to Cyberia: Notes on the Anthropology of Cyberculture, challenged researchers to theorize on the emergence and mediation of culture in cyberspace. Today, the call-to-action stands: we need to move well beyond the technical and operational evolution of cyberspace, and think critically about why that evolution is happening and who or what is catalyzing it.
The Meaning of the Term "Computer Networks" Is Changing
Today, we think about cybersecurity as composed principally of the three classic disciplines:
- Computer network defense (protection)
- Computer network exploitation (taking information)
- Computer network attack (damaging information, IT systems, or the infrastructures that depend on IT systems)
But what do we think about countries that employ all three of these disciplines in a coordinated, mutually reinforcing manner? What are they trying to accomplish?
To answer that question, let’s think about the term “computer network,” common to all aspects of cybersecurity. It describes modern information systems in which transactional information (information in motion) is exchanged and managed in relation to referential information, i.e., databases and environments (information at rest). Only in the last few decades have the information theories that underpin these networks been joined with the cheap, ubiquitous, standards-based technology necessary to make them real.
I’d argue that cyberspace as we know it today was built on such computer networks. Yes, we previously used electromagnetic energy to send and receive information (telegraphs, phone calls, images) and these, in turn, gave rise to modern computer systems. But the sheer scope and reach of today’s networks, which encompass every continent and almost every country, have created a cyberspace environment that affects every sphere of human existence. Economies depend on the global IT infrastructure; some regimes govern through the Internet; military operations depend on information technology. Indeed, the expeditionary forces of the near future will quickly establish battlefield cloud environments and depend on pre-positioned logistics coordinated through the global internet.
The Arab Spring generally—and events in Egypt in particular—offer testimony to the power of this domain. Egyptian protesters operated in cyberspace to organize rallies; the Egyptian government's attempt to shut down access to cyberspace enraged Egyptians, who depend on the internet for daily living, more than it diminished the power of the protesters.
What's the point? Cyberspace is no longer just a place in which computer operations (defense, exploitation, and attack) take place. It may have become a domain in which we see efforts to exercise all of these disciplines together, to conduct, in other words, "computer network control." Other countries, notably Russia and China, offer evidence that they see cyberspace as an environment to be influenced, governed, and controlled.
Governance and Control in Cyberspace
If cyberspace is connected intimately to the systems on which our government, economy, military, and critical infrastructure depend, might it be possible that other countries will seek to extend their control through conquest?
Perhaps, but we don't know…yet. We might take a cue from the former Premier of the People's Republic of China Zhou Enlai. In 1972, Zhou was asked his opinion of the French Revolution (of 1789 to 1799). Despite the fact that the revolution had taken place almost two hundred years earlier, the Premier is reported to have replied: "too early to say." (Some believe he was replying to a question about French protests in 1968; in any case, it's a great quote.)
Though it may be too early to say for sure, the varying behaviors of countries like China and Russia has raised serious questions about the meaning of control in cyberspace. China, for instance, has given evidence of its view that cybersecurity exists principally to safeguard the sovereign prerogatives of government. China is a rising power seeking to alter the international system to accommodate its interests, but not necessarily to overthrow that system. Russia, however, is acting more as an insurgent, violating post-WWII territorial borders, giving evidence of willingness to interfere in the elections of other countries. Russia might be considering ways in which to "conquer," govern, and control the internet on which other countries depend, or at least to diminish their control. Russia's hybrid approach to warfare, one that combines cyber operations with military, political, and other activities, represents, certainly, a willingness to manipulate cyberspace in a way that diminishes the security of other countries (most notably Ukraine).
The job of theorists, statesmen, and other leaders is to think about what might be to come, and to help us prepare. If other countries think cyberspace is a domain to be controlled and possibly governed, we must consider the implications for our own country, our economy, and our society. Our relationship with cyberspace will grow in importance; we cannot leave to chance how it’s governed and controlled, and to what ends. U.S. policymakers should debate, discuss, and prepare for this challenge in collaboration with the very civil society that depends so greatly on the cyberspace domain. It may be “too early to say” how cybersecurity will evolve in precise terms, but it’s by no means too early to start trying to understand that process and what it means for our country.