There is a consistent theme in every zombie film or television show. The real enemy is not the rampaging hordes of brain eating monsters, but the human individual. We look in the mirror and see ourselves as the real threat.
I think we need to be reminded on this discourse in the context of the cyber security debate. More often than not, the threat is not external, but ourselves. We debate over and over again who the true cyber threat is, but rarely do we look within. In this piece I will evaluate the various cyber threats, which some say is the most pressing international threat and discuss the merits of the various ideas.
Most would assume that the main cyber threat is from states. This is the cyber revolution hypothesis, and as I have recounted before, it is intellectually dubious. All the evidence we have so far is that states are both restrained in the use of cyber technologies and fearful of retribution if they do so because the tactic is not limited to the military domain. Stuxnet got out into the wild (i.e. civilian space), even though the target was a closed site. Cyber weapons are not precision weapons, but shotguns spraying metal everywhere. The idea that you an surgical with a cyber strike is a myth.
I do not think future trends will be any different, if anything we will see less cyber used by governments because of the consequences in the evolving view of how threats are handled by the legal domain and the foreign policy domain. Collateral damage is not acceptable. The reputation effects for causing a digital catastrophe would be devastating.
State based cyber threats are red herrings. We use this fear to give us something to worry about or buildup the military, but all evidence to date shows it is a tactic almost strictly limited to espionage and deception, not offensive actions. So I do not worry too much about cyber actions. The recent conflict in Ukraine demonstrates that even Russia is now restrained in the use of the technology. If Russia can act in a restrained manner during what amounts to a quick grab of territory, we have hope for the future.
This then might leave non-state actors and cyber criminals as the main threat. Luckily, it is tough for a non-state actor to marshal the resources needed to launch a devastating cyber attack. For Stuxnet to work, you needed the cooperation of the US, Israeli agents, someone in the inside in Iran to be willing to help, unwitting cooperation from the German cyber firm, and the Libyans to have their centrifuges intercepted so the malware could be tested on those P-1s. Too many things had to go right; it is almost unreasonable to believe that a non-state actor could achieve such heights. Even through all this, Stuxnet was largely a complete failure.
We also have little evidence that non-state actors or cyber terrorists are effective in their use of cyber power. A major section of my forthcoming book will evaluate this issue. Most cases to this point do demonstrate this trend. While strong claims are made about the power of a cyber action by a non-state actor, little actual proof exists they have an impact on security.
So that possibly leaves cyber crime as the main threat, but I suggest here that we need to use the concept of shrinkage to help think about what proper visions of loss might be in cyber crime. A big box store like Best Buy accepts a certain amount of loss with volume, why should cyber economic transactions be any different?
Cyber criminals are a real threat, but they can be managed and accounted for. We have to move beyond this unrealistic expectation of total security. Physical stores assume a certain amount of loss, why would the cyber world be any different? Cyber hygiene is important, protect your own networks from internal error and internal threats, but beyond this we need to reconceptualise how we evaluate cyber threats.
We must then ask if there really is a threat? Is our conception of what a threat is and its expectation not shaped too much by what we expect to see? We are looking for patterns and threats where they do not exist. Instead we should be focused on building bigger, larger, resilient systems. When you build a new state, you don’t worry about the threats from within. That orientation would destroy any ability for forward progress. So why do we do this in the cyber domain? Security is all about perceptions, and I argue our perceptions of the cyber threat are woefully misguided, inaccurate, and based on interpretations of ongoing events that do not match reality.
The Real Enemy is….Us!
Oh DARPA, America’s HYDRA or Cobra Command. The Department of Defense organization Defense Advanced Research Projects Agency (DARPA) has brought the U.S. many great tools and toys. From them we get sniper sights that need no correction for distance or wind, lasers, the love bomb, planes that fly at 300 knots and can maneuver on the pin of a needle, and sonic weapons that can be used to control domestic populations. Now they are adapting Oculus Rift, virtual reality headgear, to make launching cyber attacks even easier. Cyber actions are already easy, we do not need to make them easier to launch and improve their success rate.
Our cyber future is dangerous. By making cyber actions even simpler the risk is increased that an individual could act since they are not restrained as a state would be. Luckily cyber anarchists are few and far between. Instead many people who participate in black hat hacking eventually move over to the good side, the white hats. DARPA is not going to make this process any easier with their Dr. Strangelovian invention. Our cyber future is bright, digital connections improve communication, research, democracy, social bonds, but inhibiting these processes by securitizing the domain any further can be devastating for progress.