Author Archives: smeetsmwe

US Cyber Command: An Assiduous Actor, Not a Warmongering Bully

Jason Healey recently posted an interesting piece on The Cipher Brief, US Cyber Command: “When faced with a bully…hit him harder.” Healey writes: “Cyber Command’s new strategy demands that, ‘We must not cede cyberspace superiority.’ The goal is ‘superiority’ through ‘persistent, integrated operations [to] demonstrate our resolve’ even at ‘below the threshold of armed conflict.’….Despite being the right move, however, it is also an incredibly risky one.”

I largely agree with Healey’s account of the first U.S. Cyber Command Symposium. As the United States is moving away from a strategy of deterrence to a strategy of persistence, it has to be careful that it is not creating the opposite effect of what it intends to do.

Indeed, one concern that could be raised is that this new strategy might be dangerously escalatory. The statement was made that, “It might get worse, before it gets better.” When do we reach the tipping point, if there is one? And how can we know? Cyber Command’s view is that it has learned over time through observation, and believes that their strategy will lead to stabilization. This needs to be scrutinized and studied.

Yet, my takeaway from the U.S. Cyber Command symposium is also different from Healey’s in several important ways: I didn’t sense the same level of emotion and warmongering from the speakers and panelists as Healey does.

U.S. Cyber Command does not ask for “looser rules of engagement” as per Healey – it asks for ‘closer organization integration’ and a better understanding of the ‘box’ in which it is allowed to operate. Healey suggests that “The gold medal will go to the nation prepared to be the most ruthless and audacious.” U.S. Cyber Command rather argued that advantage lies in the initiative. (Indeed, as someone noted at the event, “In cyberspace, it is not the big that eat the small; it is the fast that eat the slow.”)

“Seizing the initiative” – a phrase frequently used at the conference – is not about “hitting back harder” as Healey writes. Instead, it is as much about prevention and control as it is about post-action. And I didn’t hear them talking about “lethality” nor about “revenge.”

As Henry Kissinger observed in World Order: “Internet technology has outstripped strategy or doctrine – at least for the time being. In the new era, capabilities exist for which there is as yet no common interpretation – or even understanding. Few if any limits exist among those wielding them to define either explicit or tacit restraints.” For any country, it requires significant efforts to articulate a strategy, align interests and coordinate around these new capabilities.

A more positive account of the U.S. Cyber Command is that the organization is continuing to explore new approaches to ‘maneuver’ in this new ‘domain of warfare.’ In doing so, it is willing to also open up to a broader community – as this inaugural annual symposium indicates – and talk about how to interpret and understand the explicit and tacit restraints of wielding these capabilities.

Another way to describe the Command’s new efforts is that it intends to be assiduous in this new domain of warfare: In an environment of constant contact, it aims to constantly (or ‘persistently’ as conference speakers would say) engage with the adversary – both defensively and offensively, if these can be separated in this domain – whilst doing so in a planned, diligent manner.

Finally, there were several other interesting takeaways from this event which deserve attention.

First, more insight was provided on the current progress within the organization. The goal of Cyber Command is to have 133 operational units. Officials revealed that they currently have 128.

Second, ‘agile’ was indeed a widely used buzzword, almost seen as a panacea against all organizational problems. For example, it was said by one of the speakers, “We need to combine maintenance and maneuver. Agile is the solution.” Yet, its meaning in this context remains vague.

Third, while former U.S. Secretary of Defense Ash Carter recently expressed his disappointment at the U.S. military’s failure to integrate cyberattacks into its war-fighting against ISIS, U.S. Cyber Command provided, unsurprisingly, a more positive account at the conference. This was repeated in NSA & Cyber commander Adm. Mike Rogers’s Senate testimony: “Today, ISIS’s so-called ‘Caliphate’ is crumbling….Cyberspace operations played an important role in this campaign, with USCYBERCOM supporting the successful offensive by U.S. Central Command, U.S. Special Operations Command, and our Coalition partners.”

This article was first published by The Cipher Brief

Dutch Hacking: The Rise of a New Cyber Power?

The world opened its eyes to a new cyber power. Last month, Dutch reporters from Nieuwsuur and de Volkskrant revealed that in mid-2014 the Dutch Joint Sigint Cyber Unit (JSCU) infiltrated the computer networks of the infamous Russian hacker group “Cozy Bear.”

By sharing information with their U.S. counterparts, JSCU helped oust the Russian government-linked group thought to be responsible for the Democratic National Committee breach during the 2016 U.S. presidential campaign.

Hacking by its very nature is a secretive business. Although numerous states reportedly are interested in the development of offensive cybercapabilities, we typically hear about only a small set of state actors conducting operations. The public disclosure of Dutch intelligence success — based on leaked information — has important signaling effects, both internationally and domestically. And it bumps the Netherlands high in the world pecking order of offensive cyber-capability.

There’s a paradox about signaling offensive cyber-capability

It is difficult for an actor to prove its offensive cyber-capability without playing its hand — and losing this advantage. This is in part because cyber-capabilities are difficult to showcase — other than waving your hand with a USB stick containing malicious code. As strategic studies scholar Thomas Rid notes, “You can’t parade a code on the streets of Moscow.”

My research on the transitory nature of cyberweapons also explains that once a country’s cyber-capability is exposed, the adversary can often relatively easily adapt its systems to avert intrusion. Revelations about a country’s cyber capability after the fact are therefore essential to gauge an actor’s ability to conduct cyber-operations. 

These factors create a number of paradoxical dynamics. The release of classified NSA documents by Edward Snowden was perhaps the most embarrassing episode in the history of the intelligence agency. Yet the Snowden disclosures also exposed the U.S. government’s impressive arsenal, including at least 231 offensive cyber-operations in 2011. As RAND Corporation scholars David Gompert and Martin Libicki point out, the leaks ironically “broadcast how deeply the NSA can supposedly burrow into the systems of others.”

After Kaspersky Lab, a Russian anti-virus company, reported in 2014 on the espionage platform “Animal Farm,” many analysts believed the French government to be behind the sophisticated intel capabilities embedded in the malware. The French government initially denied any role.

During a lecture in mid-2016, however, Bernard Barbier, the former technical head of France’s external intelligence agency, admitted his agency had developed the malware. Security blogger Bruce Schneier points out Barbier “talked about a lot of things he probably shouldn’t have.” But for France, this post-hoc confirmation of capabilities likely enhanced the government’s reputation in this new area of conflict.

A well-placed leak — or just lucky timing? 

It remains unclear whether the signaling was intentional in the Dutch case. Access to the computer networks of Cozy Bear was already lost — perhaps because the Russians were alerted after earlier Washington Post revelations. And the Dutch government may see a diplomatic backlash from the Trump administration as the intelligence helps the FBI investigation — similar to what some say happened to Australia after officials passed information about Trump’s possible campaign links to Moscow, triggering the initial Russia inquiry.

There were certainly gains at home from this type of signaling. Last Friday, Dutch Prime Minister Mark Rutte didn’t go into any detail about the case but told members of the media he was “immensely proud” of the intelligence unit’s success. And Rutte used the occasion to stress the importance of a controversial Dutch intelligence law from June 2017 that would allow the government to conduct large-scale, untargeted tapping of Internet traffic. Even though it is certain the law will come into effect on May 1, critics were able to enforce a national “advisory referendum” on the issue this March. With the government under pressure, the achievement of the Dutch intelligence apparatus is a very welcome PR success. 

What’s next for the Netherlands?

As of now, Dutch cyber-capability has yet to produce a major military activity. It remains to be seen just how the JSCU, a relatively small unit, is organized within the General Intelligence and Security Service and the Military Intelligence and Security Service.

The two Dutch reporters who broke the case mistakenly wrote that JSCU has the authority to conduct computer network attacks. This is not the case; the JSCU cannot “disrupt, deny, degrade, or destroy.” It can, however, conduct computer network exploitation — that is, espionage.

Of course, network exploitation and network attacks can be quite similar. As former NSA and CIA director Michael Hayden states in his book, “Playing the Edge”: “Reconnaissance should come first in the cyber-domain. … How else would you know what to hit, how, when — without collateral damage?”

At the moment, it remains unclear to what degree the JSCU capabilities support the maturation of the Dutch military cyber-command — which does have full authority to attack computer networks. Although organizational integration and coordination between network espionage and network attacks may be beneficial — increasing the opportunity for knowledge transfer and more efficient allocation of resources — my research on organizational integration indicates it is not a given within any government.

In the U.S. government, for instance, NSA and U.S. Cyber Command have numerous coordination problems. Not least among them is the fact that the NSA is not always willing to share capabilities with the military as it increases the risk that its espionage efforts — exploiting the same vulnerabilities and following similar coding procedures — also are exposed. Dutch cyber-capabilities historically reside in the intelligence community, as well. It would be hardly surprising if the Dutch government is dealing with similar organizational problems.

Finally, (cyber) power comes with a price. Russian hackers — and other actors — may now see the Dutch intelligence services as a more interesting target. Russia may retaliate accordingly — and publicly — against the Dutch to signal mutual vulnerability. At least the Dutch government seems to have taken precautions, choosing to tabulate election results by hand earlier this year.

This article is an edited version of my op-ed published by the Washington Post, The Monkey Cage

Why We Are Unconvinced NATO’s Cyber Policy Is More Aggressive, and That’s a Good Thing

Written together with Daniel Moore.

Retired U.S. Air Force Colonel Rizwan Ali, who helped to establish NATO’s cyber program, makes the case in a recent article in Foreign Policy that NATO has “embraced” a more “aggressive” stance with respect to “the use of cyber weaponry” when it recently established a Cyber Operations Center. The article provides valuable policy insights and highlights an important set of issues which have frequently been overlooked, including international cooperation on cyber capabilities and the (evolving) role of NATO in the cyber domain. It may also help to signal to a broad audience that NATO takes the ‘cyber domain’ seriously.

Yet, we are critical of his remarks and would like to pose two basic questions. First, should NATO want to be aggressive? Second, does the operations center truly mark a radical shift in policy?

First, an individual state or alliance may resort to the use of military force to pursue a range of objectives, such as defending a territory, deterring an adversary, or compelling a rival to do something. As a result, states try to be predictable in their actions or signal their credibility to follow through on a threat. All of these things are hard to do in cyberspace, making it prone to conflict and escalation. For example, states have a hard time assessing each other’s relative strength and capabilities, increasing the likelihood that offensive actions on either side could spiral out of control. As Ben Buchanan’s Cybersecurity Dilemma shows, even routine intelligence operations can be misinterpreted as aggressive intent.

Second, (luckily) there is also little evidence to suggest that NATO has become more aggressive. It’s worth citing Secretary General Stoltenberg’s briefing following the Defense Ministers meeting held in November, which Col. Ali refers to, at length here:

Finally, we discussed ways to strengthen our cyber defense. We must be as effective in the cyber domain as we are on land, at sea, and in the air, with real-time understanding of the threats we face and the ability to respond however and whenever we choose. Today, ministers agreed on the creation of a new Cyber Operations Centre as part of the outline design for the adapted NATO Command Structure. This will strengthen our cyber defenses, and help integrate cyber into NATO planning and operations at all levels. We also agreed that we will be able to integrate Allies’ national capabilities into NATO missions and operations. While nations maintain full ownership of those capabilities. Just as Allies own the tanks, the ships and aircraft in NATO missions. NATO is a defensive alliance, whose actions are always subject to strict political oversight and always act in accordance with international law.

It might be that the prepared statements are an ill-reflection of what’s happening behind the scenes. Yet, from what’s known, NATO’s initiative to create a new cyber operations center can equally be characterized as a new effort to solve internal integration problems or as a way for NATO to provide a more credible deterrence posture. From this perspective, the new center seems to represent both a consolidation of efforts that began with establishing the Tallinn-based Cooperative Cyber Defense Centre of Excellence in 2008 and continued with the acknowledgement of “cyber” as a warfighting domain in 2017.

Individual NATO member states have a hard enough time articulating a defense strategy, aligning interests, developing and coordinating new capabilities among military branches and government departments. Although states have the intent to develop cyber weapons, very few actually possess a meaningful capability. Even states that can conduct military cyber operations, like the United States, have faced significant challenges in making them effective.

Between NATO member states, these issues are equally relevant and perhaps even more daunting. Hyping up NATO’s efforts does nothing to promote a better understanding of how states operate in cyberspace, or of how state interactions in cyberspace work.

This article was first published on the Net Politics Blog of the Council on Foreign Relations

When Routine Isn’t Enough: Why Military Cyber Commands Need Human Creativity

Former Secretary of Defense Ashton Carter recently published a report on the campaign to destroy ISIL. Particularly notable was what Carter said about the “cyber component” (or lack thereof) of the U.S. efforts:

I was largely disappointed in Cyber Command’s effectiveness against ISIS. It never really produced any effective cyber weapons or techniques. When CYBERCOM did produce something useful, the intelligence community tended to delay or try to prevent its use, claiming cyber operations would hinder intelligence collection. This would be understandable if we had been getting a steady stream of actionable intel, but we weren’t. The State Department, for its part, was unable to cut through the thicket of diplomatic issues involved in working through the host of foreign services that constitute the Internet. In short, none of our agencies showed very well in the cyber fight.

The statement sounds alarm bells about the current organizational efforts of U.S. Cyber Command. In fact, the United States is not the only one struggling. A growing number of countries are said to be establishing military cyber commands or equivalent units to develop offensive cyber capabilities, and they all seem to have their growing pains stemming from the unique nature and requirements of offensive cyber operations.

Carter’s statement primarily refers to interagency problems, for instance, on how the use of militarized cyber operations by CYBERCOM may endanger current or future intelligence collection operations by the NSA. But the problems with successfully carrying out offensive cyber operations are deeper and more complicated. Specifically, military cyber commands require individual creativity — which too often is sacrificed on the altar of organizational routines.

Routines are considered to be the oil that keeps government institutions running. In the academic literature, routines are defined as “an executable capability for repeated performance in some context that has been learned by an organization in response to selective pressures.” One benefit of routines is that they provide stability, which in turn leads to predictability. In the cyber domain, where there is already considerable uncertainty and imprecise information, predictability of actions is certainly a welcome asset.

Yet offensive cyber capabilities are inherently based on unpredictability. As the RAND Corporation’s Martin Libicki observes, there is no “forced entry” when it comes to offensive cyber operations. “If someone has gotten into a system from the outside, it is because that someone has persuaded the system to do what its users did not really want done and what its designers believed they had built the system to prevent,” Libicki argues. Thus, to ensure repeated success, one must find different ways to fool a system administrator. Repetition of an established organizational routine is likely to be insufficient when conducting military cyber operations. The command must foster an environment in which operators can depart from routine and nimbly adapt their actions to stay ahead of their adversaries.

More specifically, Jon Lindsay and Erik Gartzke note that “cyber operations alone lack the insurance policy of hard military power, so their success depends on the success of deception.” Deception as a strategy is based on two tactics: dissimulation, or hiding what’s there; and simulation, or showing something that’s not. The cyber weapon Stuxnet, for example, utilized both tactics. Through what is known as a “man-in-the-middle attack,” Stuxnet intercepted and manipulated the input and output signals from the control logic of the nuclear centrifuge system in Natanz, Iran. In this way, it was able to hide its malicious payload (simulation) and instead replayed a loop of 21 seconds of older process input signals to the control room, suggesting a normal operation to the operators (dissimulation). To ensure that an offensive cyber attack is successful, the attacker needs to constantly find innovative ways to mislead the enemy — which may mean deviating from routines, or crafting routines that permit individuals to make adjustments at their discretion.

There is no easy resolution of this dilemma. Few of the mechanisms organizations use to encourage creative behavior can be applied to military cyber commands. Instead, what governments can focus on to foster creativity in these organizations is workforce diversification and purpose creation.

First, a common form of encouragement is to reward risk-takers in the organization. Yet military cyber commands need to be risk-averse and cautious. It is essential for “cyber soldiers” to stick to the rules to avoid escalation and possible violation of the laws of armed conflict, just as it is for more traditional soldiers. Despite the need for unpredictable and deceptive responses, military cyber commands cannot simply try things out and see what happens. Indeed, though offensive cyber capabilities are not inherently indiscriminate, without careful design and deployment there is a high potential for severe collateral damage. The Morris Worm of 1988 is an illustrative case in this regard. Robert Morris “brought the internet to its knees” due to a supposed error in the worm’s spreading mechanism. The worm illustrated the potential of butterfly effects in cyberspace – small changes in code can escalate into large-scale crises.

Similarly, military cyber commands will find it more difficult than private companies to grant autonomy to individuals. The underlying management logic for granting personal autonomy was perhaps most famously spelled out (and radically implemented) by Brazilian entrepreneur Ricardo Semler: Let employees decide how to get something done, and they will naturally find the best way to do it. For cyber operations, while outcomes are important, precisely how the job gets done is equally relevant. After all, unlike most conventional capabilities, the modus operandi of one cyber operation may greatly affect the effectiveness of other operations.

This is partially due to what’s known as the “transitory nature” of cyber weapons. Cyber weapons are often described as having “single-use” capabilities. The idea is that once a zero-day vulnerability – that is, a publicly undisclosed vulnerability – has been exploited and becomes known to the public, the weapon loses its utility. Although I’ve argued before that this view lacks nuance – as in reality it often still takes time before patches are installed and vulnerabilities closed (and only the minority of cyber weapons exploit zero-days) – the likelihood of successfully accessing the target system does nonetheless reduce after initial use. In other words, the use of a zero-day exploit by one operator may complicate efforts for other operators.

So, what can be done? At a minimum, military commands should make sure they attract a diverse group of people. Only recruiting people within government organizations for the command, as for example the Netherlands supposedly does, should be discouraged. Conventional human resource matrices (i.e., the candidate should have a university bachelor’s degree, good grades, courses in certain areas etc.) should be reconsidered too.

We have already seen various encouraging initiatives on this front. The U.S. Army recently launched the cyber direct commissioning program, so (qualified) civilians can now directly apply to become officers. Countries like the United Kingdom, the Netherlands, and Estonia are also setting up cyber reserve units to attract civilians with the right skill set. Yet these programs are not yet widely adopted across states, nor do they tend to extend far enough (the responsibilities of reserve officers are often unclear).

Military cyber commands should also make sure they create an inspiring workplace to capitalize on people’s intrinsic motivation. Senior leaders have generally been good at providing a vision for their cyber command; this is normally expressed as a desire to become a world leader in offensive cyber operations (see, for instance, the UK’s cyber security strategy). They are also explicit about their mission. Yet, hardly ever do they provide purpose: how does the command fit into the big picture, and what is the strategic framework being followed? Jim Ellis, the former commander of U.S. Strategic Command, has noted the shortcomings of the cybersecurity discourse, saying the debate is “like the Rio Grande, a mile wide and an inch deep.” A deeper focus on purpose-driven values is needed to motivate people to enter a field like cyber operations.

As more countries look to get into the business of offensive cyber operations, the inherent tension between the requirements of these operations and the regimented tendencies of national security bureaucracies will become starker and starker. If governments want to bring together different minds, inspire creativity, and maximize human performance, they need to clearly communicate the value of cyber commands to their people.

This article was first published @WarontheRocks

Contesting “Cyber”

Here are the links to all the New America blog posts:

Part I: Cyber: not just a confused but also a contested concept.

Part II: The Connotations of “Cyberspace” Shift From Opportunity to Threat

Part III: Substantive vs. implied definitions: A Mundane stuff or the Wild West?

Part IV: “Cyber Exceptionalism”

Part V: ARPANET; Where did it all start again?

Part VI: Exit, Voice, and Cyberspace

Contesting “Cyber” – Introduction and Part I

By Max Smeets and James Shires. More info about the series here


Over the last few decades there has been a proliferation of the term “cyber”, and commensurate levels of inconsistency. This series argues that the inconsistent application of the prefix “cyber” stems not only from confusion, as some scholars and policymakers have proposed, but also from contest. Our goal in this series is not to resolve conceptual disputes, but instead to understand how and why contests occur, and whether, once the lines along which contests occur are identified, resolution is possible.

As the prefix “cyber” has rarely been used alone, we place the concept of cyberspace at the centre of analysis, for two reasons. First, it is considered to be the “elemental” concept in the field, and demarcates the boundaries of relevant technical and social activity through an intuitive geographical metaphor. Second, selecting the concept “cyberspace” for analysis can be considered a least-likely (or least-obvious) study of contest. The attachment of the prefix “cyber” to various nouns has left cyber-related concepts with a variety of underlying normative connotations. On the one side, some concepts describe a clear activity or state of affairs, which are prima facie undesirable, like “cyber warfare” or “cyber threat”. On the other side, various concepts reflect a more positive degree of attractiveness—“cyber democracy” is a good example of this. The obvious normative aspects of these terms to which the cyber prefix is attached make these likely sites for contest, whereas “cyberspace” is seemingly more neutral. We suggest instead that it is the ominous calm at the heart of the storm, providing an excellent case in which to study the tension regarding the prefix more broadly.

Over the next six days, we will publish a series of blog posts that show that cyberspace is contested in a number of ways: through its change in connotations from opportunity to threat; through the existence of substantive and implied definitions, with different rhetorical functions; and through competing understandings of the key historical exemplar for cyberspace: that of ARPANET. We therefore note that the prospects for agreement regarding cyberspace are low. Overall, this presents the choice of what we term, following Hirschman, an ‘exit’ rather than ‘voice’ strategy, to use other concepts instead. An initial post in this series was published last Friday at Slate’s Future Tense and can be found here.

PART 1. Cyber: not just a confused but also a contested concept.

Since the early 1990s the prefix “cyber” has become widespread. As often noted, its use stretches back to Norbert Wiener’s coinage of “cybernetics” from its Greek equivalent in the 1940s. It is similarly canonical to cite novelist William Gibson as creating the “ur” metaphor for this prefix in the early 1980s by combining it with “space”. Almost three decades later in an interview with The A.V. Club, Gibson argued that “‘cyberspace’ as a term is sort of over. It’s over in the way that after a certain time, people stopped using the prefix ‘-electro’ to make things cool, because everything was electrical. ‘Electro’ was all over the early twentieth century, and now it’s gone. I think ‘cyber’ is sort of the same way”.

In contrast to Gibson’s prediction, a simple automated content analysis using Google Trends indicates that the popularity of the prefix “cyber” has remained stable (with a spike in November each year for “cyber Monday”). There are ever more applications of this prefix, to words such as crime, law, cafe, hate, bullying, attack, war, vandalism, politics, dating, security, and power. Today, more people enter the search term “cyber” into Google than the term “democracy” or “terrorist”. Needless to say, the term “cyber” has also gained in prominence in academia and policymaking.

The proliferation of this prefix has, inevitably, led to substantial inconsistencies in its use. On one level, these contradictions may stem from simple confusion. As Michael Hayden, former director of the CIA and NSA, remarked: “rarely has something been so important and so talked about with less clarity and apparent understanding than this phenomenon.” Scholars and policy-makers, among others, are not always consistent in their own usage of cyber-related concepts, and they sometimes reinterpret the definitions employed by others, especially when given a liberal dose of cross-disciplinary fertilization.

Many hold that such disagreement is primarily caused by the apparently abstruse and multifaceted nature of the phenomenon. For example, in a Foreign Policy article, Stephen Walt notes that “the whole issue is highly esoteric—you really need to know a great deal about computer networks, software, encryption, etc., to know how serious the danger might be,” concluding that “there are lots of different problems being lumped under a single banner, whether the label is ‘cyber-terror’ or ‘cyber-war’.” If this is the case, more research can iron out the lack of clarity surrounding this relatively young concept, and then we can get to the one and only “meaning of the cyber revolution,” as Lucas Kello emphasizes in his recent book (and earlier article). However, in this article series we argue that the inconsistent application of the prefix “cyber” stems not only from confusion, but also from contestation.

In other words, the roots of disagreement are deeper than a mere struggle to absorb the collective knowledge of another discipline, but stem from underlying normative disagreements.

Understanding the nature and extent of this contestation of “cyber” is important for both policy-making and academic research. For policy-makers, the promise of what Joseph Nye Jr. calls “rules of the road” in cyberspace is much diminished if the very domain itself remains in question (also see the UK government strategy). Constructing effective international cyber-governance becomes more difficult—although not impossible—if the scope of what is to be governed is fundamentally disputed.

For academics, if the roots of disagreement are deeper, then faith in a unified understanding of the cyber-issue is utopic; and further investigation of why and how broader political disputes are translated into problems with this proliferating prefix is urgently required.

Here we will explore what it means when we talk about cyber, and address the nature of contestation from various angles.

This article was originally posted @NewAmerica

The Word Cyber Now Means Everything—and Nothing At All

By James Shires and Max Smeets

In early October, at the launch of Stanford’s Global Digital Policy Incubator, Secretary Hillary Clinton said, “We need to get serious on cybersecurity.”

It’s hard to argue with the sentiment, but what does it actually mean? Is she suggesting that companies should invest in data breach insurance? That governments should build new weapons? That police should have better decryption tools? That tech companies should write safer code, especially for critical infrastructure? That international differences in internet governance must be resolved? That individual citizens should review their online behavior? Or all of the above?

The problem is in the word cyber. At first, the word’s flexibility was a good thing—it helped raise awareness and offered an accessible gateway to discussing all kinds of security. But it has now become an obstacle to articulating credible solutions.

The term cyber has been around for decades, stretching back to MIT mathematician Norbert Wiener’s coinage of cybernetics in the 1940s. Wiener borrowed the ancient Greek adjective ‘kubernētikós’, meaning governing, piloting, or skilled in steering, to describe the then-futuristic idea that one day we would have a self-regulating computing system, solely running on information feedback. In the 1980s, novelist William Gibson married the prefix to space, creating the term so ubiquitous today. Since then, cyber has been used by anarchists and policymakers, scholars and laymen, artists and spies. It has been attached to concepts ranging from warfare to shopping, and it can denote opportunity as well as threat.

Yet, cyber is, in a way, empty: It acts like a sponge for meaning, soaking up whatever content is nearby. Gibson described this nicely in an interview with the Paris Review: “The first thing I did was to sit down with a yellow pad and a Sharpie and start scribbling—infospace, dataspace. I think I got cyberspace on the third try, and I thought, oh, that’s a really weird word. I liked the way it felt in the mouth—I thought it sounded like it meant something while still being essentially hollow.”

The hollow aesthetic captured by Gibson—the peculiar position of being both intuitively meaningful and a self-consciously strange word—is part of the appeal of cyber. The prefix is popular, and growing in use, not despite its hollowness, which is bemoaned by many, but because of it.

Thomas Rid, in his book Rise of the Machines, shows how various narratives have accompanied the prefix cyber since World War II, all of which cross boundaries between technology and society, between science and culture, and between the impetus created by war and security and more benign visions.

As Rid explains in the preface, the cyber idea is “self-adapting, ever expanding its scope and reach, unpredictable, yet threatening, yet seductive, full of promise and hope, and always escaping into the future.” In short, it is a sponge—but one that fails to clean up the conceptual problems of its terrain.

We can see this clearly in recent events. With new information seeping in on an almost daily basis about the Russian meddling in the 2016 elections, the cyber sponge has been absorbing everything related to disinformation campaigns, information warfare, social media bots, and election hacking.

Clinton’s talk demonstrates all of this. “In the 21st century, war will increasingly be fought in cyberspace. As Americans we need to approach this new threat with focus and resolve. Our security, physical or otherwise can’t be taken for granted,” she said. She went on to discuss the various new “weapons of choice” coming from “the highest bowels of the Kremlin”: email releases, probing voting systems, the industrialization of fake news, targeted use of Facebook ads, and more.

She isn’t wrong about these things, but speaking about them in this manner mashes them together with previous uses of the term in relation to militarized cyber operations, critical infrastructure attacks, DDoS attacks against Estonia and Georgia, and Stuxnet. In this case, the cyber label doesn’t improve our understanding of this influence. Instead, the generic term flattens the terrain by conflating the potential hacking of critical infrastructure systems and the buying of advertisements by foreign nations. This incorrectly implies similarities in response, suggesting that we can handle all of these things in a similar manner. But ensuring that the industrial control systems of a power plant will not be accessed by a malicious actor requires a very different set of actions than curbing the spread of fake news. Labeling both actions as cyber encourages the inappropriate transplant of policies and technologies across these issues.

Finally, cyber also masks significant political and organizational hurdles. Clinton speaks about “the need for public and private cooperation,” but this cooperation takes very different forms for critical infrastructure and social media, not to mention questions of state and commercial offensive actions—yet all fall ostensibly under the rubric of cybersecurity.

We’ve wrung all the utility we can out of the cybersecurity sponge. To address the “serious and urgent challenges” of our time, we need to acknowledge that they are indeed challenges plural—not one single, monolithic domain.

This article was first published @ Slate Future Tense.  Future Tense is a partnership of Slate, New America, and Arizona State University.


Europe Slowly Starts to Talk Openly About Offensive Cyber Operations

Europe is finally starting to talk more publicly and candidly about offensive cyber operations.

Two weeks ago, the Dutch Ministry of Defense hosted the Third International Cyber Operations Symposium. In conference hand-outs, the commander of Dutch Defense Cyber Command, Hans Folmer, said he hoped to “foster a shared and realistic understanding of the role of cyber capabilities in future operations, while facilitating the opportunity to develop and strengthen relationships among all participants.” One senior participant at the conference observed: “speaking at NATO about offensive cyber was blasphemy a few years ago. We have advanced.”

At the same conference last year, former UK Defense Minister Michael Fallon acknowledged that states “must have the capability to project power in cyberspace as in other domains” and confirmed that the United Kingdom was using “offensive cyber” against the self-declared Islamic State group. This year, participants discussed lessons learned from those operations, and explored how and when cyber tools could be the most useful against an adversary.

However, based on the discussions this year, there seemed to be less excitement about the potential of offensive cyber tools. In Europe, cyber capabilities were once seen as a silver bullet for Europe’s defense problems—chronically low defense budgets and outdated materiel could be replaced with an asymmetric capability that could improve Europe’s ability to deter adversaries and project power. Now, as one participant said, “cyber is no longer something special.” There was a more honest and open debate about how cyber capabilities can be used, the challenges with developing and maintaining them, and understanding their strategic effects.

Nevertheless, Europe will continue to struggle with at least three issues.

First, not all European cyber commands are created equal. In fact, the diversity of capability in Europe makes it difficult to compare them in theory, and probably even more difficult to coordinate efforts in practice. Whereas Germany is said to have thousands of ‘information and cyber officers’, you can count the people working at cyber defense units in other European countries on two hands. Also, all states are in need of technical personnel, but not all have the resources to attract them. Although many European countries started building a cyber offensive capability almost a decade ago, many states are still far away from a meaningful capability.

Second, Europe is still searching for a strategic objective for its offensive cyber capability. Every scholar or policymaker at the conference noted that deterrence was a flawed strategy to pursue in cyberspace—either partially or completely. Yet, there remains a lack of alternatives and policymakers at the conference seemed unaware of ideas raised in the academic literature about the strategic value of offensive cyber capabilities, such as Kello’s cumulative deterrence, Harknett’s notion of persistence, or Lindsay and Gartzke’s discussion of deception.

Third, Europe lacks a common doctrine on the use of offensive cyber operations. NATO recently finished a first draft of its own cyber operations doctrine, and is going through the process of addressing comments made by member states and invited observers. Europe will need a common doctrine, or at least a common lexicon that can be used by military planners, if it wants to take a coordinated approach to cyber operations. Doctrine normally tries to link theory and practice. Yet, cyber operations in a military context are still fairly new and the lack of practice means that policymakers tend to concentrate primarily on theory, making the development of doctrine a difficult exercise.

This article was first published on the Net Politics Blog of the Council on Foreign Relations


Cyber References Project

I started my graduate studies a few years ago thinking not much was published in the field of cyber conflict. I quickly found my assumption was wrong when I optimistically began a systematic literature review of ‘all’ the relevant works in the field. It was a project I had to abandon after a few weeks (although I do believe that more reviews like this should be conducted).

Even though it is true that still not enough has been published in the top academic journals, one can hardly say that people don’t write on ‘cyber’. With relevant readings currently being scattered across journal articles, books, blog posts, news articles, cyber security firm reports, and more, it becomes increasingly difficult to know what’s out there and build upon earlier insights and arguments published by others.

Whereas this has led some (Oxford Bibliographies Project and State of the Field of Conference 2016) to direct efforts towards finding the ‘core’ of the field – focusing on key readings – I have started a complementary ‘Cyber References Project’ with the aim of being much more inclusive.

The database currently includes about 800-1000 readings (and also lists a few podcasts and documentaries), which I have sorted into 48 categories. The categories are not mutually exclusive. The goal is not to search based on author (or title) like conventional search engines.

This database includes the references listed on various cyber security course syllabi, State of the Field of Conference 2016, Oxford Bibliographies Project, SSRN, Google Scholar, Oxford SOLO, PhD-Manuscripts, and think-tank search engines.

Where I see this project going: I plan to include another 150+ academic articles & 200+ blog posts in the near future. I also hope to improve formatting and sort the current list of readings (by year & add categories). In addition, Olivia Lau maintains a great notes/summary pool of key readings on International Relations. It would be great if we could establish something similar for cyber conflict.

Please let me know if readings are missing or categorized incorrectly. Of course, any ideas on how to make this platform easier to use are also very welcome.