Cyberpower, Cybersecurity and Cyberconflict

The second core theme or research challenge focused on power, influence and security. The results include the construction of new methods, the development of new knowledge materials, and the convergence of new answers to emergent puzzles about cyber power and threats to security. More specifically, results pertain to:

Cyber Power in International Relations

We have identified the scale, scope, and domain of cyber “power,” the leverages and actions–for different types of actors and motivations. The results include:

  • Identifying and understanding the drivers for the diffusion of public and private cyber power and influence (Nye, Sewell)
  • Clarifying the mechanisms shaping people power and social networking, how mobile technologies create pressures on state control, and how the state responds to such pressures (Goldsmith and Siegel)
  • Capturing the collective insights and evidence about social media impacts derived from ECIR Workshop on People, Power, and Cyber Politics with respect to:
    • How we listen to messages
    • New threats and opportunities for governance
    • Effects of cyberpolitics on democracies
    • What can we learn from uses social media and social action.
    • New visions for the future

Control Point Analysis

We developed a process-based method (we call control point analysis) to identify the actions and actors involved in executing a user request. To demonstrate its effectiveness, we illustrate with cases such as to “create a web-page,” “search across web-pages” and “retrieve information” and the like. There results include:

  • Specific applications to show how to identify actors, actions, potential locations, and expected outcomes at each control point throughout the entire cyber-IR space (Clark)
  • Comparative investigations show differences in control policies and mechanisms for states (USA vs. China) and for a dominant cyber entity (Google).  Figure below shows the application to China.
Control points in China to retrieve a webpage.
Control points in China to retrieve a webpage.
Source: Clark (2012).

When applied to the case of Google, a private sector actor, we determined how this entity exerts its control and influence. These results provide a detailed view of who controls a cyber access, how, where, and with what effect.  In a sense, this represents the view from the “top”.

Cybersecurity - New Tool for Knowledge Analysis

We have constructed a new tool for extracting knowledge from large-scale repositories. Results include construction of a new computer based technology for comprehensive analysis of massive materials (“big data”), reporting on the issue of “cybersecurity”

  • Application of the methods provided a “proof of concept” for a new research tool based on a close examination of a large corpus of scholarly knowledge, to generate new knowledge about cybersecurity, notably about the multidimensionality thereof (Choucri, Daw Elbait, Madnick).

The Figure below shows the profile of the automated system developed for this purpose. Later in this Report, we shall present the results of the application to cybersecurity.

New method for automated knowledge generation.
New method for automated knowledge generation.
Source: Elbeit, Madnick, Choucri (2012)

System Dynamics - Modelling Cyber Threats and Corporate Responses

Development of a system dynamics simulation models of the cyber organizational “ecosystem applied to a set of challenges. The research focused on two questions:

The first question is: What are corporate responses to cyber attacks? This model highlights the “sluggish” reactions whereby patching is used “after the fact” with little anticipatory actions.  The basic model is shown in Figure below.

Patching not solving security breaches.
Patching not solving security breaches.
Source: Siegel and Houghton (2015).

The next question is: How can we model the complexity of cyber security? The answer to this question is shown in Figure below showing the first order segmentation used to address this question. Several different threat systems examined illustrate the diversity of the underlying dynamics.

Select “whole” of the cybersecurity problem.
Select “whole” of the cybersecurity problem.
Source: Siegel and Houghton (2015).

Such in models help us to investigate the nature and requirements of effective deterrence in the cyber domain. Moving forward from a nuclear-era doctrine, cyber strategy must be encompass a broad spectrum of options for deterrence rather than a stand-alone strategy for cyber, applying not just elements of punishment and denial but also of entanglement, and soft power.

Modelling the vulnerability of the undersea cable system

Very little is known about the vulnerabilities of undersea cables.  For this reason, we developed a model to represent the sources, the interconnections, and the effects of different forms of intrusions on cyber-based operations (Siechrist, Vaishnav, Goldsmith).

Modelling the vulnerability of undersea cables - dynamic process.
Modelling the vulnerability of undersea cables - dynamic process.
Source: Siechrist, Vaishnav, Goldsmith, & Choucri (2012).

Comparative Analysis of Cyber Conflicts

ECIR conducted a systematic re-analysis of cases developed by the Atlantic Council yielded information about the targeted layers of the Internet and attendant implications.  Based on materials from the Atlantic Council, we developed a case study for each conflict based on a common framework designed to facilitate comparison. These are in Table 1 below.

Comparative analysis of cyber conflicts.
Comparative analysis of cyber conflicts.
Source: Based on Gamero-Garrido (2014).

Perspectives on Cybersecurity

Almost everyone recognizes the emergence of a new challenge in the cyber domain, namely increased threats to the security of the Internet and its various uses.  Seldom does a day go by without dire reports and hair raising narratives about unauthorized intrusions, access to content, or damage to systems, or operations. And, of course, a close correlate is the loss of value. An entire industry is around threats to cyber security, prompting technological innovations and operational strategies that promise to prevent damage and destruction. 

Explanations as why cybersecurity has attained such a high degree of salience are far greater than is our understanding of the basic parameters in any matter touching on security, at all levels of analysis, namely: who does what, when, why, how, and with what effect.   Most of the time it is possible to reconstruct the damage-episode and develop some hypotheses about several of the basic factors. But seldom, if ever, do we obtain a full reconstruction of the episode in all of its manifestations.

A “reasoning exercise” undertaken by students in the new class at MIT, on Cybersecurity, in the Department of Political Science at MIT examined this issue from multiple perspective.  Click here for details of this collaborative study.

In this introduction we begin with a simple example to illustrate the reasons surrounding ambiguity or absence of definition, as well as what might be some attendant implications.  Then we highlights, in a sentence or two, the contributions of each of the essays that follow.

     The Cyber Domain: Alternative Views

Our “reasoning exersice” was designed as a multidisciplinary and multidimensional initiative and, to the extent possible, empirical grounded and policy relevant. At least three different “definitions” of cyberspace were put forth.

First is the technical focus, put forth as the engineer’s view, in Figure below.  All of the properties noted are critical and relevant.  These may be necessary but are they sufficient to help shape effective framing of “cybersecurity”. If so how? If not why not?

Cyberspace technical definition.
Cyberspace technical definition.
Source: George Wren. MIT Cybersecurity Seminar, (Spring 2015).

Second is the content focus. Without undermining the technical infrastructure and underpinnings, this perspective on cyberspace broadens the framing and structures it around matters of information.  As with the first focus, it is reasonable to state that all the features in future may be necessary, but are they sufficient to help framing cybersecurity? If so how? If not why not?

Content focus.
Content focus.
Source: Lyla Fisher, Cybersecurity Seminar, (Spring 2015).

Third is the global view this view sees cyberspace as a constructed domain of interaction. Shown in Figure 11 its scale and scope is greater than the first and second views.  But we must still ask the question: These features are all necessary but are they sufficient to help frame “cybersecurity?

The overarching question. Source: Choucri & Clark (2019).
Global view of cyberspace.
Source: Nazli Choucri, MIT Cybersecurity Seminar, (Spring 2015).

     Implications

Each of these perspectives focuses on different manifestations of the cyber experience. It should come as no surprise that there are differences, or that the in the best of all possible worlds, the conception of cybersecurity derived from each of the above should be mutually supportive and integrative rather than mutually exclusive and competitive. Interestingly, each appears to be predicated on different phases in the construction and diffusion of the internet worldwide. 

The first view is clearly architecture based. It implies that the “solution” to the cybersecurity problem (however defined) is to be found in the design itself and that the “flaws” can be corrected in that context thus reduce threats to cybersecurity.  This is a view that minimizes the human or the institutional and organizational elements, but it reminds us that during the early design phase of the Internet matters of security were not salient. Of importance was building an operational global network rather than a network that is operational, global, as well as secure.

Implied in the above is something of an explicit trade-off.  But there was no tradeoff at the time, as there was no security issue at stake then. Interestingly, cybersecurity became an issue as the global network extended its scale and scope, and users with different norms, values, and preferences took stock of the cyber possibilities and potential “venues” for pursuing their objectives. None of this reduces the value of the first view, rather it provides a contest for its importance.

The second view reflects the phase at which the Internet became reliable worldwide – at least relative to earlier experience – and content rather than reliability is viewed by users to be the central value.  With increasing evidence unauthorized access – and the apparent ease with which this can be done – an added dimension of concern emerged, namely the protection of content.  At this point, the Internet is no longer in “US hands” so to speak, but its very success as a revolutionary technology empowers others in ways that were not possible earlier.

And this leads to the consolidation of the third view.  The proverbial “others” are conceivably anyone that has access to the Internet. And with this eventuality can a concern about the intent of those “others” as well as the sanctity of the global network and the reliability of the institutions established to manage different parts of the Internet and sustain its globalization.

The following proposition is put forth: a coherent view of cybersecurity is one that spans conditions in the technical and operational domain, incorporates all matters of content, and extends its scope throughout the “supply chain”.  Here the notion supply chain is used in a figurative rather than literal sense. It refers, at a very minimum, to the properties of both structure and process “turned on” by user  in the course of engaging in unauthorized access, the intents of the user, and the nature of the content accessed.

It goes without saying that concerns for cybersecurity are driven by the need to protect our own security in the cyber domain. Thus it may be important to distinguish between cybersecurity as the attribute of an actor versus an attribute of the global network as a whole. States and firms generally place their own self-interest first and foremost, and only if necessary do they find it relevant to adopt a broader perspective.

The one critical implication of the above is that different actors are likely to view cybersecurity in different terms.  The set of “ingredients” in the overall “mix” of concerns shaping their own conception of cybersecurity may have a common or shared core, or they might not. It is less important to resolve this matter than it is to better understand what might be the perspective of other actors.  At this point in time, the salient “other” is China. It intents are suspicious and its capabilities are growing.