By Prof. Keith Martin
I have just finished reading Fred Kaplan’s Dark Territory: The secret history of cyber war (Simon & Schuster, 2016). This book is primarily a history of the approaches taken by the US government and military to dealing with the threats and opportunities presented by what we now describe as cyberspace. It covers the evolution of concerns, policies, organisational structuring, and responses to major incidents, as the nation that led the development of the Internet slowly grew wise to the implications of increasingly relying on a digital network that was shared by both friends and enemies.
Within the blizzard of acronyms and failed policies, what emerges during the narrative is a procession of players, each with their own extraordinary backgrounds, visions and agendas, who attempt to make sense of where technology was taking the world. We meet generals who shunned information warfare, hackers who testified in congress, and presidents with varying cyber attention spans. And throughout the story we learn, at least a bit, about the strategies and leadership of the National Security Agency (NSA) and the role it continues to play in cyberspace.
There were two emerging issues that particularly resonated with me:
The first was the role that the ‘BIG’ questions have played in defining policy and influencing subsequent events. By this, I mean those questions that researchers of geopolitics and security so love to grapple with. What kind of a space is cyberspace? Where are the borders in cyberspace? Can a cyberattack become an attack of war? Is it possible to have a meaningful notion of deterrence in cyberspace? What is the relationship between attack and defence in cyberspace?
Many of the actors in Dark Territory spent their careers trying to make sense of these questions, as well as trying to persuade others that they were inquiries that urgently needed serious contemplation. Policies ebbed and flowed, heads rolled, depending on whose voice was loudest in the complex debates. Just as in a lively geopolitics class, everybody had something to contribute, but nobody had a definitive answer.
Because, of course, there are no answers. However, the history of US cybersecurity policy demonstrates what geopoliticians know all too well: it’s not pointless to ask questions which have no answers – it’s even more important to raise them, precisely because they don’t.
The second issue of interest involves recent events. We all know, and have views, about Ed Snowden and what he did (“naughty step or pedestal?”). The NSA dropped off everyone’s Christmas card list, and most of us grimace slightly when we’re told to trust in a provider of technology. What I was less aware of was what has happened since the Snowden revelations. In 2013, President Obama commissioned a review group to look into alleged abuses of power by the NSA. Five experts in various fields, representing both the intelligence community and civil society, were given extensive access to the various government agencies involved in cyber intelligence gathering. Whilst coming from very different sides of the security versus privacy debate, the “five guys” were unanimous in their verdict. They felt that rather than being the “evil big brother”, the NSA was broadly a well-meaning agency that had, both inadvertently and a little bit by design, acquired extraordinary powers. Almost fifty recommendations were made to reduce these powers somewhat. Most of these related to adding in some level of scrutiny and accountability. As Geoffrey Stone, an academic lawyer and member of the panel put it:
“I found to my surprise, that the NSA deserves the appreciation of the American people. But it should never, ever, be trusted.”
Here’s the chilling point. The “five guys” 2014 conclusion was that the NSA had generally been behaving well. However, they wondered, what might happen if the NSA retained existing powers under the influence of a less stable and “democratic” national leadership? Three years and one presidential election later, one thing is clear. That’s another of these BIG questions, which is why it certainly needs to be asked.
Professor Keith Martin is part of the Information Security Group (ISG) here at Royal Holloway. Keith’s broad interests lie in cryptography and cyber security, whilst also co-supervising five (soon to be six) students here in the Geopolitics and Security group (part of the Centre for Doctoral Training in Cyber Security).