The Hobbesian world of cybersecurity

Giacomo Bagarella
Published in The Envoy
Nov 25, 2018


Two experts’ views on the digital war surrounding us, and how to fight back

West Point cadets at the 13th Annual Cyber Defense Exercise in 2013 (Creative Commons/Flickr)

The Perfect Weapon: War, Sabotage, and Fear in the Cyber Age, David Sanger, Crown, 384 pages, $28.00

Click Here to Kill Everybody: Security and Survival in a Hyper-Connected World, Bruce Schneier, W. W. Norton & Company, 288 pages, $27.95

We live in a digital state of nature, a war of all against all. As more and more facets of our daily lives move online, the Internet gains a greater foothold in our physical existence. Multiple actors spar across these domains: regular people and techies; petty thieves and organized crime; small businesses and multinational corporations; middling states and superpowers. This Hobbesian world is becoming increasingly unstable and insecure in a way that challenges not just the foundations of the Internet, but also those of our society.

David Sanger and Bruce Schneier converge on this critical subject from their respective fields. In The Perfect Weapon, Sanger, a national-security correspondent for the New York Times, weaves together the history of state-level cyberoperations from Russia’s first forays into Pentagon systems in the 1990s to ongoing digital skirmishes in Iran, North Korea, and the United States. A cryptographer and cybersecurity expert, Schneier instead takes a ground-up view in Click Here to Kill Everybody. In his book, Schneier breaks down how everyday devices are increasingly integrated into the so-called Internet of Things to form a complex and insecure system capable of wreaking physical harm. Their complementary analyses provide an understanding of how the status quo endangers everyone and what governments, companies, and citizens can do to change that.

Both Sanger and Schneier argue that governments shape this environment in a way that prioritizes offensive cyberoperations to the detriment of digital security, both for critical infrastructure (the power grid or healthcare system) and for the things we use every day (our cell phones or cars). Rather than setting standards and norms to protect systems and data, governments prefer to foster vulnerabilities that allow them to surveil and attack all internet users — from their citizens to foreign states.

This tension, which is especially evident in Sanger’s book, resembles the one Eric Schlosser traces in Command and Control. Schlosser vividly portrays the battle between generals and scientists in the U.S. nuclear-weapons program. The former wanted a guarantee that warheads would always detonate when fired. The latter wanted safeguards that they would never go off accidentally. This struggle, which began with the Trinity test and continues today, parallels modern debates between military and intelligence heads who advocate against restraints on their cyberweapons and others who push back in the name of safety.

A second important similarity to the Cold War arms race lies in the tradeoffs that security and stability require. The U.S. and the Soviet Union were able to reduce warhead stockpiles and ban weapons classes. They gave up strategic and tactical options, and sacrificed secrecy under inspection and verification agreements. Today, these compromises might take the form of giving up surveillance capabilities (by promoting devices and software without backdoors, say) or forgoing potential targets (for example, by establishing norms against attacks on civilian infrastructure). It took decades and several close calls for Soviet and American leaders to step back from the nuclear brink. As Sanger implies, generals and spy chiefs should make similar concessions today without needing a digital Cuban Missile Crisis to spur them.

The cover of Sanger’s book, The Perfect Weapon

It would be myopic, however, to focus entirely on the national-security apparatus. Politics matters, too. This concern is twofold. First, political principals are the ones who ultimately determine policy and, by consequence, what cyber tools and techniques are permitted. Just as elected heads of government typically wield the authority and criteria for special-forces, drone, and nuclear strikes, they should do the same for cyberoperations as well. Second, the agencies’ contingency plans are futile without political will to underpin them. As Sanger and others observe, opposition from Republican congressional leaders and presidential candidate Donald Trump hamstrung the Obama administration’s hesitant plans to counteract Russia’s interference in the 2016 U.S. elections. No matter how prepared cyber units might be, states will not be able to defend against such attacks and mitigate their consequences if their political class is divided.

But issues of cybersecurity also extend into industry and economics. Schneier breaks down how surveillance capitalism degrades privacy and safety, and how the former is a prerequisite to the latter. He also illuminates how device manufacturers’ economics encourage building cheap, vulnerable connected widgets rather than secure ones. The drive to embed internet connectivity and sensors in everyday devices — which in turn capture more and more personal data — allows malicious actors to spy on, steal from, and even physically harm consumers. Schneier points out that when everything is Internet-connected, “Computer security will become everything security.” As long as economic incentives reward these corporate models, the private sector will continue to shape a world where vulnerability remains the default.

The private sector’s relationship with government constitutes a further issue. During the Cold War, Sanger notes, technology firms worked with the U.S. government to address national-security and scientific challenges. By contrast, today’s tech giants actively distance themselves from it. Perversely, Google may be refusing to assist U.S. intelligence while simultaneously developing a censored search product for the Chinese market. In deploying this product, Google would join the ranks of Chinese tech firms that are actively working with Beijing to develop intrusive tools for social control and repression like the ones deployed against the Uyghur population of Xinjiang.

The cover of Schneier’s book, Click Here to Kill Everybody

All these examples illustrate the many forms of cyber threats. Spying on a foreign government is different from turning off its electric grid. Tapping a terrorist’s phone isn’t the same as monitoring dissidents. And then there’s also hacking for profit, information operations, and much more. Software implants for any one of these missions can resemble those used for other purposes, further complicating the scenario. While both Sanger and Schneier explain this accessibly for a lay audience, their books lack some of the more technical details that could have allowed for a deeper exploration of the subject.

It is also worth interrogating what effects cyber tools can actually accomplish. Schneier’s title clearly conveys his warning about the potential threat of bodily harm. Sanger’s, on the other hand, is misleading: The Perfect Weapon raises as many doubts about the efficacy of cyberoperations as it lists successes. He argues that cyber’s true effectiveness might be its psychological effects — fear, uncertainty — on target populations, rather than any information stolen or systems disabled. There is also the question of for whom cyber is “the perfect weapon.” Sanger suggests that it is more suitable as an asymmetric weapon for states lacking soft and hard power (in relative terms) like Russia or, especially, North Korea. In this view, the digital domain allows them to operate as insurgents against more potent rivals. This perspective clashes with that of Erik Gartzke, a skeptic of the power of cyber who argues that it will continue to favor major actors, like the U.S. Schneier instead sees ordinary people as the ultimate losers because insecurity in digital devices primarily benefits malicious actors and authoritarian governments.

Sanger and Schneier agree that we currently exist in a grey zone, “unpeace,” where peace and war are indistinguishable. This is bad for governments, firms, and citizens. The solutions both offer are systemic: Sanger calls for a “Digital Geneva Convention,” while Schneier advocates for the creation of a U.S. National Cyber Office to regulate in favor of a more secure cyberspace. “As with fighting terrorism, our goal isn’t to play whack-a-mole and stop a few particularly salient threats, but to design systems from the start that are less likely to be successfully attacked,” Schneier insists. A pax cyberspatialis might be utopic, but Sanger and Schneier offer plenty of warnings and advice to transform today’s digital state of nature into a more civil connected world.

Giacomo Bagarella
The Envoy

Passionate about policy, technology, and international affairs. Harvard, LSE, and LKY School of Public Policy grad. All views my own.