I was recently sent a short paper for review by an analyst at a well-known US think tank, in which the author referred to something called "cyberdiplomacy". I scribbled digitally in the margin something along the lines of "isn't this just diplomacy?". The subject under review was the strain between the US and China following the Google affair that broke out in January. Elsewhere, I’ve been quite insistent that it behoves us to be very cautious about, for instance, declaring a de facto global "cyberwar", as some members of the security community would have the US do. A few days ago, a senior UK civil servant revealed there is currently a project underway to produce a "national lexicon" of cyber-related nomenclature, which can be interpreted in part as a bulwark against media hyperbole and the kind of discursive badgering that has been ubiquitous of late. At the same time, there are concerns elsewhere that the lack of precise legal definitions is hampering cybersecurity legislation in the US, let alone the delivery of security solutions. Other security bloggers have also pointed out the conceptual slippage resulting from the use of trendy but specific terms like Advanced Persistent Threat (APT) to describe any "bad thing from the internet."
In a sense, this is all standard stuff. Many authors have made clear that there is still no standard definition of terrorism, but some claim we can adopt a "consensus definition" that enables academics, politicians, practitioners, and the general public to stay more-or-less on the same page when we are confronted with it. This goes some way beyond Justice Potter Stewart’s famous statement on pornography―“I know it when I see it”―but possibly not far enough to please everyone, particularly those academics for whom consensus is analytically unsatisfactory. The lack of a specific definition did not prevent the US from declaring war on "terror(ism)" but we should perhaps think twice about declaring "cyberwar" when, unlike terrorism, we have even less understanding of the phenomenon, or indeed a demonstrable exemplar around which to garner public support. Like the "war on terror", though, we have little idea of the effects of a global "cyberwar footing". The argument is often made that things are so damned nasty out there in cyberspace that a determined and hard response is required now, with immediate effect, and we should brook no dilly-dallying. This is an old rhetorical trick, and one to which we should be very careful not to fall victim.
No one with any real sense doubts that there are some very pressing problems that require multi-sector cooperation and action. Cybercrime is massively increasing, and business, government, consumers, and law enforcement will have to work together to devise technical and non-technical solutions to address the problems that fall beneath this broad terminological umbrella. Cyberespionage is clearly of great concern to government and the commercial sector, and they are already spending huge sums to secure sensitive data and systems. The facts of cyberterrorism, or state-sponsored cyberattacks, are heavily-guarded by national security protocols, but the case has yet to be made that these are really significant risks, despite what you hear senior officials say. And this is the point: you cannot use the darkest imaginings of those with high-level security clearances to promote ends with little consideration of the ethical and practical implications of the means of achieving them. Crime and espionage are not necessarily acts of war, and the fact that they are being subsumed under the rubric of "war" should worry those who care about international relations, diplomacy, the role of security agencies, the relationship between state and industry, and about the constitutional contracts between the individual and the state.
Critics of my position point to the fact that war has changed: it isn't tanks rumbling across the North European plain anymore, or a nuclear stalemate played out beneath the Arctic icecap. They're right. War in the modern world is a messy and complex business, in which identities and boundaries are blurred and subverted, in which states are as much concerned about the enemy within as the enemy without, and which is, after the demise of the Soviet Union, not only multipolar, but multimodal and multinodal. Whether we talk of hybrid warfare, asymmetric warfare, the "war of ideas", or a dozen other attempts to characterise the battlespace, at the heart of it all is Rupert Smith’s statement that the "dynamic of confrontation and conflict, rather than war and peace, [is] at the heart of war amongst the people." How absurd calls to monolithic cyberwar sound when we keep this in mind. How odd too that militaries understand that the operating environment is different this time around, yet the politics of representation are more-or-less the same: secure or die.
Words reveal deeper truths about the processes, structures and institutions that are fuelling the current cybersecurity panic. Critical analysts like James Der Derian have long noted the existence of a military-industrial-media-entertainment network (MIME-NET), a thesis it is more and more difficult to write off as paranoid post-structuralism. Events like the CNN-mediated Cyber ShockWave exercise of February 2010 do nothing to dispel unease about these relationships. From a critical security perspective, the state is emerging once more as the primary referent for cybersecurity. Despite the big nods to consumers and "internet freedom", the state is reasserting its political-philosophical muscle in cyberspace: a neorealist reflex to the realist perception of cyberspace as an anarchic wasteland. A recent Center for a New American Security (CNAS) report states that cyberspace "resembles the American Wild West of the 1870s and 1880s, with limited governmental authority and engagement", and repeatedly calls for control of this environment, with US national interest the sole governing principle for doing so. Although it is unfair to single out CNAS, the Wild West trope is not only one of the founding myths of modern American culture but also of anti-authoritarian cyber-utopian groups like the Electronic Frontier Foundation. What CNAS and the EFF share is a teleological view of cyberspace but whilst the EFF’s technological determinism leads to a bright future, adherents of statism only seem to see a dark one.
In a recent issue of Race & Class, journalist and writer Matt Carr tackles this phenomenon head-on, in a readable and non-academic article, Slouching Towards Dystopia: the New Military Futurism. Carr claims that "a new genre of military futurology has emerged which owes as much to apocalyptic Hollywood movies as it does to the cold war tradition of 'scenario planning'." A week’s worth of Danger Room posts would illustrate this nicely, keeping tabs as they do on organisations like the Pentagon’s Defense and Advanced Research Projects Agency (DARPA), who crop up often in Carr’s account too. Reading through the article, I was reminded of the CNAS report’s epidemiological approach to cybersecurity: "the disease of malicious activity", "methods of transmission", "the duration of infectiousness", "interval from infection to display of symptoms", and so on. The remedies are presented as "universal sanitisation", "inoculation", and "quarantine and isolation". Back when I was an archaeologist, local authorities often referred to sub-surface archaeology as "cultural deposits"; the developers paying for the fieldwork would refer to them as "cultural contaminants", to be "remediated". A similar ontology is at work here, particularly when we stray into the realm of ideas that underpins the strategies of both sides in the "war on terror".
Carr interprets this as a sign that institutions like the US military perceive themselves as "the last bastion of civilisation against encroaching chaos and disorder. The worse the future is perceived to be, the more these dark visions of chaos and disorder serve to justify limitless military 'interventions', techno-warfare, techno-surveillance and weapons procurement programmes, and the predictions of the military futurists are often very grim indeed." I’ve sat in enough horizon-scanning workshops to have some sympathy for this view―little positive emerges from these discussions, and the outcome is almost always appeals for more regulation, bigger budgets, and better tools for the projection of power. This is not to say that such exercises do not serve some public good. In the modern global media environment, woe betide the country that has not attempted to mitigate every conceivable threat to its national security. We are perhaps as culpable as states for this line of thinking, although it is hard to see how this will change, especially given that trust in government is at particularly low ebb.
Just as states can be criticised for rather dyspeptic views of the present, and for pessimistic attitudes to a dystopian future, it is not wise for us to assume those views will always win out. Such fatalism excuses the degradation of our own sense of agency, and of the alternative possibilities for promoting something as complex and dynamic as security in cyberspace. Some form of cybersecurity is necessary, in order to ensure that the internet in particular is maintained as a true global commons. It is not possible to tell where cybersecurity will be as a concept and practice in, say, ten years time, but we should hope, rather than expect, that it remains both "global" and a "commons". It is up to states to work out how best to operate in that environment, not for them to bend cyberspace to their will and national interests alone. The right words can greatly enhance efforts to develop better cybersecurity; the wrong ones can damage these prospects irrevocably.