Below is a “reasoning exercise” designed to help clarify some of the more fundamental elements that constitute the emergent challenge of defining cyber –IR domain and its security. Undertaken in the context of a new course on Cybersecurity in the Department of Political Science at MIT, this initiative spans a wide range of fundamental issues.
In this introduction, we begin with a simple example to illustrate the reasons surrounding ambiguity or absence of definition, as well as what might be some attendant implications. Then we highlight, in a sentence or two, the contributions of each of the essays that follow.
Our “reasoning excessive” was designed as a multidisciplinary and multidimensional initiative and, to the extent possible, empirical grounded and policy relevant. In the absence of a viable starting point, we fell back on the most obvious, namely, the nature of the cyber domain. It became immediately clear that, even in this small group, the diversity of views were such as to reinforce the cleavages in prevailing knowledge rather than the commonalities.
Put differently, at least three different “definitions” of cyberspace were put forth. Here we do not intend to argue that one was correct or that others were not. Rather our purpose is to signal that, given the derivative nature of cybersecurity, how we begin to address this complex issue might well shape what we “see” and decide to “do” about it. What we “see” is inevitably embedded in our understanding of cyberspace.
We now highlight the three views, with all the accompanying caveats and qualifications. But the underlying logic for the comparison remains important for the remainder of the “reasoning exercise”
First is the technical focus, put forth as the engineer’s view, in Figure below. All of the properties noted are critical and relevant. These may be necessary but are they sufficient to help shape effective framing of “cybersecurity”. If so how? If not why not?
Second is the content focus. Without undermining the technical infrastructure and underpinnings, this perspective on cyberspace broadens the framing and structures it around matters of information.
Third is the global view this view sees cyberspace as a constructed domain of interaction. Shown below its scale and scope is greater than the first and second views. But we must still ask the question: These features are all necessary but are they sufficient to help frame “cybersecurity?
Global View of Cyberspace.
Each of these perspectives focuses on different manifestations of the cyber experience. It should come as no surprise that there are differences, or that the in the best of all possible worlds, the conception of cybersecurity derived from each of the above should be mutually supportive and integrative rather than mutually exclusive and competitive. Interestingly, each appears to be predicated on different phases in the construction and diffusion of the internet worldwide.
The first view is clearly architecture based. It implies that the “solution” to the cybersecurity problem (however defined) is to be found in the design itself and that the “flaws” can be corrected in that context thus reduce threats to cybersecurity. This is a view that minimizes the human or the institutional and organizational elements, but it reminds us that during the early d e sign phase of the Internet matters of security were not salient. Of importance was building an operational global networld rather than a network that is operational, global, as well as secure.
Implied in the above is something of an explicit trade-off. But there was no tradeoff at the time, as there was no security issue at stake then. Interestingly, cybersecurity became an issue as the global network extended its scale and scope, and users with different norms, values, and preferences took stock of the cyber possibilities and potential “venues” for pursuing their objectives. None of this reduces the value of the first view, rather it provides a contest for its importance.
The second view reflects the phase at which the Internet became reliable worldwide – at least relative to earlier experience – and content rather than reliability is viewed by users to be the central value. With increasing evidence on unauthorized access – and the apparent ease with which this can be done – an added dimension of concern emerged, namely the protection of content. At this point, the Internet is no longer in “US hands” so to speak, but it’s very success as a revolutionary technology empowers others in ways that were not possible earlier.
And this leads to the consolidation of the third view. The proverbial “others” are conceivably anyone that has access to the Internet. And with this eventuality can a concern about the intent of those “others” as well as the sanctity of the global network and the reliability of the institutions established to manage different parts of the Internet and sustain its globalization.
All of the above generate the following proposition: a coherent view of cybersecurity is one that spans conditions in the technical and operational domain, incorporates all matters of content, and extends its scope throughout the “supply chain”. Here the notion supply chain is used in a figurative rather than literal sense. It refers, at a very minimum, to the properties of both structure and process “turned on” by user in the course of engaging in unauthorized access, the intents of the user, and the nature of the content accessed.