The Cybersecurity Canon: Cyberspace and the State: Toward a Strategy for Cyber-power

We modeled the Cybersecurity Canon after the Baseball or Rock & Roll Hall-of-Fame, except for cybersecurity books. We have more than 25 books on the initial candidate list, but we are soliciting help from the cybersecurity community to increase the number to be much more than that. Please write a review and nominate your favorite. 

The Cybersecurity Canon is a real thing for our community. We have designed it so that you can directly participate in the process. Please do so!

Book Review by Canon Committee Member, Christina Ayiotis: Cyberspace and the State: Toward a Strategy for Cyber-power (2011) by David J. Betz and Tim Stevens

EXECUTIVE SUMMARY

Over the past several years and even in these last few months, we have seen real live examples of nation-states using cyber means as a way of influencing, even disrupting, industry and the political process.¹ The 2011 book Cyberspace and the State: Toward a Strategy for Cyber-power, “a strategic primer on the new reality of the Information Age, of which cyberspace is a preeminent part,”² provides great historical context for understanding how we got to where we are today.

The Cybersecurity Canon provides a list of must-read books for the cyber professional. This short (157-page) book enables readers to review historical constructs of power and war to come out with a better understanding of why we have needed a shift in strategy. Providing rigorous analysis regarding what power means generally, and how that concept translates into a new paradigm in our interconnected world, along with chapters on sovereignty, war and dominion, the book concludes with some hope that “[a] grand strategic vision of cyberspace can assist states in navigating the informational turbulence in which contemporary politics appears to find itself.”³ Cybersecurity professionals benefit greatly from understanding not only their immediate security environments but also from placing their individual and organizational roles into the bigger geopolitical context (including over time). For these reasons, I recommend Cyberspace and the State: Toward a Strategy for Cyber-power be part of the Cybersecurity Canon.

REVIEW

I attended Cyberspace and the State’s book launch event at IISS’s Washington, D.C. offices. Like many others present, I purchased a copy. Given pressing professional and parental responsibilities, I put it on the shelf to get to “when I had time.” Five years later, when deciding on a book to review, it was an easy choice—cyber statecraft issues had become critically important, and I wanted to see how it would stand up over time. The beginning sentences of each chapter—a mechanism, I assume, to whet your appetite, give a good flavor of the authors’ writing style.

As someone who literally reads books cover to cover (including footnotes), I appreciate that the Acknowledgements page provides (full?) disclosure regarding funding sources—especially since it highlights the necessity of a collaborative, public-private approach. I will dispense, immediately, with my only real criticism—sloppy editing—so I can get to the substantive review. Spellcheck should have caught the various typos, and there is no excuse for citing Colin Powell as a “former US Defense Secretary,”⁴ regardless of how many different roles he played in the military.

This is book about strategy. The authors walk through the important concepts of power, sovereignty, war and dominion to get the reader to an understanding of their interplay, as well as an appreciation of the complexity of the larger cyber environment. It is an effective mechanism to incentivize members of relevant communities to work together. The Introduction sets the stage by examining common terminology (including the distinctions between cyberspace, the internet, and the World Wide Web); the impact of terminology (who is a hacker); and the challenge of attribution (which the authors contend is a strategic,⁵ not legal matter). This level-setting leads into the discussion of power, starting with how power translates in the cyber arena in different ways (e.g., compulsory, institutional, structural and productive). The discussion of productive cyber-power seems quite prescient:

Productive cyber-power also connects the military and political realms in war and aims to mould discourse to the advantage of the strategic actor. This is particularly apparent in the use of ‘soft’ power to win hearts and minds, either during conflict, or before it. In an inclusive model of cyberspace, the ‘uppermost’ semantic layer is the principal space in which political struggles are manifest. In an era of ‘strategic communication’ and ‘public diplomacy’, productive cyber-power is perhaps the most important form of cyber-power.⁶

The next logical topic in any discussion of cyberspace (at least, to those of us who are lawyers) is sovereignty; in this case, split into sections on international legal sovereignty, Westphalian sovereignty, domestic sovereignty, and interdependence sovereignty. Among other things, reading this chapter enables readers to appreciate why the imposition of unfettered domestic sovereignty (including by U.S. allies7) can raise concerns.

Following the discussion of sovereignty is the chapter on war. (As a proponent of accuracy in terminology, I must highlight that the authors use the term “cyberwar” as they understood it in 2011. Subsequent to the publication of this book, many authors, scholars and lawyers have sought to encourage a more measured use of the term, given the legal implications whenever the term “war” or “warfare” is used.) This chapter uses the example of the rise of airpower as a mechanism to provide context around how we should think about cyberwar. It also highlights the danger of conflating activities as varied as “espionage, crime, hacking and breaches of intellectual property.”8 It proposes a framework of cyber-skirmishes, “a more or less constant hum of low-level activity over a wide ‘virtual landscape’, often conducted by irregular actors, with few or no single engagements of strategic consequence, however weighty in aggregate the stakes may be.”⁹

The final (substantive) chapter on dominion focuses on how important the security (not just military) of cyberspace, as the global commons, is. Here is where readers will appreciate how much international order is affected by the flattening of the world by digital interconnectedness. Electronic media, especially sound and image-based¹⁰ “are qualitatively different than text because they convey a functional facsimile of reality as opposed to a mere description of it.” This difference has been exploited by a variety of bad actors, especially terrorist groups like al-Qaeda. The authors highlight Fourth Generation Warfare theorists’ work on insurgency demonstrating terrorists’ ability to have global impact.

Despite the morbid tone of some of the case studies provided, the authors believe states can adapt to this new world order, acknowledging that “[o]pen, democratic, law- and norm-governed” ¹¹ ones will be in a better position to do so:

. . . [S]tates can remain relevant actors by becoming ‘network states’: ‘nation-states, despite their multidimensional crises, do not disappear; they transform themselves to adapt to the new context’. They form networks amongst themselves to share sovereignty; they support and sponsor international institutions and supranational organisations to tackle global issues; they devolve authority to local governance structures and intergovernmental networks.¹²

It is up to all of us to do our part. It is also incumbent upon all of us to be continuous learners who explore different facets of this field in which we live, work and play. Understanding global geopolitical context, especially in our completely interconnected world, is crucial. This book can shed light on the challenges we face today, including cyber activities affecting our upcoming U.S. presidential election. It provides valuable historical context about cyber statecraft and should be included in the Cybersecurity Canon.

Sources:

• [1] Adam Segal, After Attributing a Cyberattack to Russia, the Most Likely Response Is Non Cyber (October 10, 2016) Net Politics—Council on Foreign Relations.
• [2] Cyberspace and the State: Toward a Strategy for Cyber-power, Acknowledgements page.
• [3] , p.139.
• [4] Ibid., p. 78.
• [5] Ibid., p. 32.
• [6] Ibid., p. 51.
• [7] Turkey blocks web drives after email leak (October 10, 2016) BBC News.
• [8] Cyberspace and the State, p. 81.
• [9] Ibid., p. 97.
• [10] “There’s a powerful impact to hearing . . . ” David A. Graham, Trump Brags About Groping Women (October 7, 2016) The Atlantic.
• [11] Cyberspace and the State, p. 134.
• [12] Ibid., p. 138.