A Non-State Strategy for Saving Cyberspace
This article appeared in The Cyber Issue in Winter 2016. This is an excerpt from a longer report due to be published by the Atlantic Council’s Brent Scowcroft Center on International Security in January 2017 as part of their strategy papers series.
America’s future, and that of other nations and peoples, will be most secure in the long term with an emphasis on future prosperity unlocked by the Internet.
The Internet may have surpassed Johannes Gutenberg’s printing press as history’s most transformative invention because of how it has spawned parallel and simultaneous revolutions across other technologies. By making information so cheap to produce, compute, and share, the Internet enabled rapid advances in technologies as far afield as manufacturing and genetics.
The problem is that there is no guarantee the future of the Internet, and the larger entirety of cyberspace, will be as rosy as its past. It is possible, even likely, that the Internet will not remain as resilient, free, secure, and awesome for future generations as it has been for ours.
Imagine that twenty years after the invention of the printing press, the pope and the princes of Europe—in fact, anyone who had some basic skills and desire to do so—had the ability to determine exactly what was being printed, exactly who was printing it, and exactly to whom they were sending it. Worrying about intellectual property theft, privacy, or civil rights (had those concepts existed) would have missed the bigger picture. With no trust in the underlying communication medium, the future of Europe and the future of humanity would have been profoundly changed—not just for five years, but for 500. If the printing press had been as easily compromised as computers are today, could there even have been a Renaissance or an Enlightenment?
This amazing transformative technology, the Internet, is unsustainable unless we make sweeping changes. We are all becoming absolutely dependent on an unknowably complex system where threats are growing far faster than the Internet’s own defenses and resilience.
The Internet is under grave threat from data breaches (for example, Target and Home Depot), theft of commercial secrets (like the blueprints to the F-35 Joint Strike Fighter), the opportunity for widespread disruptive attacks (the digital takedown of Estonia in 2007 or of Sony in 2014) and systemic failures (the Heartbleed and Shellshock vulnerabilities), the erection of sovereign borders (the Great Firewall of China), and mass surveillance (as we learned of through the Snowden revelations). For example, the Heartbleed and Shellshock bugs, discovered in 2014, affected underlying Internet technologies. These technologies in turn were only a part of vast technological systems, each with countless sub-components. Every part of that system is vulnerable, hence a disruption to any one of them might ripple through the entire system via hyper-complex interactions. It is a situation that will become orders of magnitude worse with the coming “Internet of Things.”
As President Obama has said, cyberspace is a lawless Wild West.[1] Because the Internet was built on trust, not security, it is easier to attack others online than to defend against those attacks. This is a decades-old trend dating back to at least the late 1970s. If the attackers retain the advantage over defenders year after year, then over time the Internet could pass a tipping point. At that point, the Internet would become far less useful and critical than it is today. Perhaps someday soon, there will be too many predators and not enough prey.
Unfortunately, when it comes to cyberspace, governments pursue contradictory ends. On the one hand, they want to protect the prey—Internet users—in order to enhance prosperity. But on the other hand, this end is clearly outweighed by their ability and willingness to be voracious predators and to use the Internet as a means to attack those actors they see as working against their national interests. Therefore, if we are not careful, the metaphor for cyberspace will go from bad (the Wild West) to worse (Somalia). Every time we try to secure the Internet there is—and will be—some new threat to drag it down into chaos with devastating consequences to America’s cyber-dependent economy and those of us who have come to cherish our online lives.
Technologies that seem so promising today, such as online voting or the smart grid, might never materialize if together we cannot overcome these security challenges. Our children and grandchildren may look back and wonder why anyone would feel safe buying something online, or how online videos survived without quickly getting hacked.
How many future Renaissances or Enlightenments will never occur simply because we treated the Internet as a place for crime, spying, and warfare (“everyone does it,” after all), rather than the most innovative and transformative product of human minds in five hundred years? Will we soon reach “peak Internet”?
We have arrived at this state of affairs because the Internet is a type of global commons. All actors benefit from protection of the commons, but all actors also have an incentive to abuse it. Governments are often the only actors who can sustainably protect and defend commons. Yet at the same time, governments also often abuse the commons to push their own national security interests in a zero-sum fashion. The result is the degradation of the commons itself. Although the commons analogy is not perfect, it nonetheless works because it highlights a contradiction between protection of a public good, the safety and integrity of the Internet for innovation and the economy, and a Hobbesian security dilemma, the perceived need to use the Internet for military and intelligence purposes in a dangerous world. This contradiction is at the heart of the problem.
The only way to ensure cyberspace remains as free, resilient, secure, and awesome for future generations is to flip the historic relationship between attackers and defenders of the Internet. We should give those who have an interest in protecting cyberspace an advantage over those who want to use it to attack others (or the Internet itself). This idea of giving cyber defenders the advantage over those attacking with cyber offense can be summed up with a simple formula: D > O.
Giving cyber defenders the advantage over the offense is imaginable with new technology, policy, and practice that is applied patiently, internationally, at scale, and with the private sector at the fore. It is not imaginable if nations continue to escalate large-scale espionage or mass surveillance, subvert cyber companies, engage in shadowy wars against real adversaries, or coerce former satellite states.
Prosperity for the United States and the global economy is only assured if the United States and like-minded nations, civil society, and other non-state actors all work toward a goal of making defense easier than attack.
At the same time, non-state actors (not least the information technology and cybersecurity companies themselves) are increasingly powerful. However, just as fishermen might deplete a fish stock to maximize short-term profits at the expense of the fishery itself, corporate interests do not always align with their own longer-term economic interests. The best public policies must shape the situation to get the best out of both governments and non-state actors so that they become stewards of humanity’s most dynamic creation and create a sustainable cyberspace.
Current U.S. cyber policymaking is characterized by a number of shortcomings:
- No single U.S. digital strategy, so no way to balance competing priorities;
- Long-standing and increasing militarization of cyber policy where the Department of Defense is the main player, rather than an agency that focuses on innovation and the economy instead of national security, such as the Department of Commerce;
- Misunderstanding of the dynamics of cyber conflict, leading to an overemphasis on the tactical and technical tides instead of the longer-term and more strategic undercurrents;
- Persistent short-term view of U.S. national security thinking;
- Overestimation of the effectiveness of public-sector action to solve cyber problems;
- Lack of attention to the central problem: that the Internet remains offense dominant and could be far worse than it is today; and
- An unpreparedness for global cyber shocks.
To address these shortcomings, the United States must build a strategy centered on a sustainable balance in U.S. government decisionmaking that is built around three key ends: advancing prosperity, being emblematic of America and its values, and providing new tools for pursuing traditional national security.
Advancing Prosperity: First and foremost, U.S. policy must ensure that cyberspace and the Internet advance American and global prosperity, not least through continuous and accelerating innovation. Other priorities are important but subordinate.
Being Emblematic of America and its Values: Cyberspace and the Internet are American inventions, reflecting American values, which are used in all nations by all generations. American policy should cherish this opportunity for soft power and be careful not to squander this astounding once-in-a-generation national advantage.
Providing New Tools for Pursuing Traditional National Security: Of course, U.S. military and intelligence agencies must use these new technologies as well, not least because the world is becoming more dangerous and unpredictable. But they need to be developed and used with extreme caution when they conflict with other goals, especially America’s long-term Internet-fueled prosperity.
To meet these objectives, U.S. policy should pursue two overlapping goals. First, it should make the Internet defense dominant (D > O) so cyber defenders have the advantage. Second, it should add a time component to security concerns by aiming for a sustainable cyberspace, one that is as safe, resilient, and awesome for future generations as it was for its pioneers.
Together these goals define the large-scale vision that should drive an American non-state-centric strategy. The only way to achieve a sustainable defense-dominant Internet is to build a strategy around the private sector, America’s true cyber power, and other non-state actors. Few if any major Internet crises have ever been decisively resolved by any government. Rather, it has been non-state actors like cybersecurity companies, major technology companies, and volunteer response groups that have played the key role. As argued in “Dynamic Stability,” the first Atlantic Council strategy paper, U.S. leaders must become more comfortable playing a multilevel game, working with non-state actors “who possess a greater range of capabilities than at any time in history.”[2]
A successful cyber strategy must therefore accept this central role of the non-state actors and the private sector and then work outwards from that core U.S. strength. Wherever possible, solutions to governance, regulation, protection, and response must stem from this core.
Creating a sustainable cyberspace, where defense has the advantage over offense, will be extremely difficult, but it is still possible if the United States pursues the following recommendations.
It is far too cumbersome to balance priorities and set a common set of goals with the current approach of separate strategies to cover innovation, national security, intelligence, or Internet freedom. The single most important recommendation therefore is for the White House to issue a single overarching national cyber strategy to balance competing priorities. This strategy should be based on the vision of giving defenders the long-term advantage, a vision implemented through a non-state-centric approach. After all, few if any major Internet crises have ever been decisively resolved by any government anywhere. Rather, it is non-state actors that have been most critical. A successful cyber strategy must therefore accept this central role of the private sector and then work outwards from that core U.S. strength. Better yet, neither Russia nor China—and certainly not Iran or North Korea—can match the dynamic power of the U.S. private sector so this strategy can asymmetrically advance U.S. power.
Another key recommendation is for the U.S. government and cyberspace companies to prioritize solutions that scale, so that a dollar of defense buys far more than a dollar of attack. Currently, a New York Cyber Task Force, run by the School of International and Public Affairs at Columbia University, is compiling a list of past policy, operational, and technology solutions that have most allowed defenders to outpace attackers. These solutions, including encryption and the launch of Microsoft’s Windows Update to easily update computers with more secure software, had one thing in common: they scaled massively and easily so that one relatively inexpensive action protected millions or billions of computers, shifting the “key terrain” of cyberspace to be far more defensible.
A final recommendation is to seek new policies based on “sustainability” as a rich source of new solutions. Cybersecurity on its own has no time horizon, no easy way to make tradeoffs between today’s needs and those of the future. Sustainability, or wanting future generations to have an Internet that is as rich, open, and secure as ours today, is the easiest way to address these issues. It also treats the Internet not as a “domain” or “global commons” but, more straightforwardly, as an environment. A mutual goal of a sustainable cyberspace could snap us out of today’s unproductive deadlock in the debate over security versus privacy. Large-scale surveillance or erecting Internet borders might be seen as unsustainable practices, just like clear-cutting tropical forests or emitting endless carbon dioxide. It could be a true game changer if nations could agree on a basic promise, such as “clean food, clean water, and clean Internet” to bring together thinking on development and security.
As the world becomes increasingly tumultuous, so too will cyberspace unless the United States adopts a private-sector-centric strategy. It is up to America to ensure that its ideals prevail online to keep the Internet and information and communications technology open to all, safe to use, and as awesome and ever growing as before. As much as the public sector can do to use military tactics to fight off adversaries in cyberspace, it cannot take on the entirety of the gargantuan task at hand to secure the entire domain. Therefore, the private sector must not only be brought in, but it must lead.
The United States, and all of those who use any device connected to cyberspace, should never lose sight of the fact that our increased interconnectivity is the single best way to advance prosperity, democratic values, and individual empowerment around the world. Should anything come to harm the Internet or cyberspace, or even marginally increase the risk of increased connectivity, all of this potential goes away.
Government certainly has a role to play. Yet, to save cyberspace—and, thereby, the future—the public sector must step aside to let the private sector take control. Should this approach be brought into a single, overarching national cyber strategy, the United States can maintain its online leadership while being transparent. This, above all, is critical to the betterment of our world.
Jason Healey is a senior research scholar at Columbia University’s School of International and Public Affairs and senior fellow at the Atlantic Council.