Which Cyber Side Are You On?
In August 2016, the director of the National Security Agency’s Information Assurance Directorate (IAD) told reporters that his division—responsible for cybersecurity in government and, to a degree, the private sector—would soon merge with the NSA’s other, much larger division, Signals Intelligence (SIGINT).
Since IAD was responsible, in general terms, for defense, and SIGINT for offense, their two missions had been kept distinct since the agency’s founding under President Truman in 1952. The distinction was always delicate, because vulnerabilities discovered by IAD could, if kept secret, be used by SIGINT to penetrate target networks. But this delicacy was a sign of its importance. If an American company, for example, had a vulnerability that IAD discovered, the company would want to know about it—so that it could be fixed, and not left open for SIGINT to exploit. (Remember, foreign governments that the U.S. spied on, as well as foreign companies, were purchasers of the same software that American companies used and sold.) The NSA had a responsibility to help American companies defend themselves.
Earlier that same month, it happened to be leaked that the NSA had been holding onto several vulnerabilities it had discovered in the systems of Cisco, an American multinational, and other U.S. companies. Cisco’s technology is used around the world, so for the NSA it could well be very useful to keep Cisco and its many customers in the dark. However, once Cisco learned, through the leak, of the vulnerabilities, it moved to patch them.
It is a tribute to Fred Kaplan’s fifth book, Dark Territory: The Secret History of Cyber War, that while neither of these developments is in the book—they are too recent—both are illuminated by it. He describes how, for many years, IAD and its information security predecessor agencies were not even housed in the NSA’s headquarters at Fort Meade. More importantly, he puts the offense-defense conundrum at the center of his very valuable history. For example, Kaplan reports, IAD had “found fifteen hundred points of vulnerability in Microsoft’s first Windows system. And, by an agreement much welcomed by the software industry at the time, they routinely told them about their findings—most of the findings, anyway: they always left a few holes for the agency’s SIGINT teams to exploit.” Kaplan adds, parenthetically, “Usually, the Silicon Valley firms were complicit in leaving back doors open.”
The merging of IAD and SIGINT, Kaplan shows, had been mulled over since the 1970s and gained momentum in the mid-1990s, as (mostly) American private technology spread around the world and the (mostly) American Internet became a global platform for commerce, politics, spying, and much else. Kaplan writes:
Since people (and military establishments) around the world were using the same Western software, the Information Assurance specialists possessed knowledge that would be useful to the SIGINT crews. At the same time, the SIGINT crews had knowledge about adversaries’ networks—what they were doing, what kinds of attacks they were planning and testing—that would be valuable to the Information Assurance specialists. Sharing this knowledge, on the offense and the defense, required mixing the agency’s two distinct cultures.
Such discussions were, of course, top secret, opaque even to many in the intelligence community. As Kaplan notes, the first NSA head to have a sophisticated grasp of technology took office only in 2005.
Government’s hold on the cyber world has been tenuous for decades, mainly because most technological innovations are dual-use: immense commercial enterprises are built around technologies (think mini-satellites, or for that matter social networks) that have—potentially—direct political, military, and intelligence uses. Cyber world is run by a unique public-private subculture that is more private at some times, more public at others. Kaplan’s focus is very much on the public side and in particular on the U.S. military and its intellectuals, as it has been since his landmark study of nuclear policymaking, The Wizards of Armageddon (1983). Dark Territory is the best book on this topic since Shane Harris’s @War: The Rise of the Military-Internet Complex (2014) and builds ably on the work of Michael Warner, Jason Healey, Peter W. Singer, and many others. The cyber library is finally taking shape.
Dark Territory makes an excellent companion to Adam Segal’s The Hacked World Order: How Nations Fight, Trade, Maneuver, and Manipulate in the Digital Age (also 2016), which covers some similar ground—one cannot really avoid having a chapter on Stuxnet (a computer virus that was deployed to wipe out many of Iran’s nuclear centrifuges in 2010) or a discussion of Edward Snowden—but also treats the crucial, vexed topics of Internet governance, Silicon Valley relations with government, and how states other than the U.S. might see their own cyber futures. Segal writes:
The stark division between public and private was temporary, if not illusionary, as was the idea that the two were separable when it comes to cyberspace. . . . Almost everything the United States does in cyberspace requires a blurring of the line between public and private. Private firms own the networks necessary for attacking and defending the telecommunications, energy, and financial sectors. More than 90 percent of American military and intelligence communications travel over privately owned backbone telecommunications networks. Many of the most talented programmers are in the private sector or academia. . . . The demands nation-states make on the technology companies are ever expanding. Not only do these companies innovate, commercialize technologies, and provide new services, but they also defend against cyberattacks, uncover espionage campaigns, and help the Pentagon become cooler. And now, US and European governments expect tech companies to help them deliver their diplomatic messages and disrupt those of extremists, jihadists, and rogue states.
Of course, we are not talking about just the U.S. and European governments, as Segal, a China expert before he turned to cyber issues, well knows. Russia and China even held a joint conference earlier this year to compare notes on Internet control. The game is not limited to major powers. Ethiopia switched Internet access on and off with shifts in the political winds. Iran has launched its own “bordered” Internet.
The critical point is that the breakdown of the public-private distinction in cyberspace, and the blurring of offense and defense as described by Kaplan, are taking place at the same time and for much the same reason. Put simply, if a nation wishes to participate in the global economy, it needs to enter into open networks; if it wants to maximize political control, it cannot enter open networks. So the blurring of offense and defense, of public and private, is an effect of the network architecture.
Currently, the control (security) side of the balance is reasserting itself after a period of commercial dominance; an analysis of this resurgence is at the core of Segal’s book. As Chris Demchak wrote in her contribution to the Cyber Conflict Studies Association collection Cyber Conflict After Stuxnet, “The institutional and technological building blocks of national virtual borders are rising across cyberspace. . . . If current trends hold, and there is every reason to believe they will, eventually a ‘Cyber Westphalia’ of national jurisdictions parsing the global web will emerge.”
That may be, but there are also strong forces pushing for openness. (In this respect, it might count as good news that cutting-edge militaries, ever in search of greater resilience, are developing ways to remove their systems from as many networks as possible.) There is still a global open-source/hacker subculture committed to an open network, and that fact should not be dismissed even if it is unquantifiable. Nor should one discount the expectations of a global generation (or two) that believes they have a right to unmediated information.
Beyond that, a security-driven cyber Westphalian order is unlikely to produce the levels of innovation that are possible with more open networks—the innovation that drives growth. It is a peculiarity of the cyber literature that while everyone (including in government) recognizes the centrality—even the supremacy—of the private sector, few delve into how commercial innovation really works.
This may be partly explained by the Internet’s military roots, which can make its post-1995 commercialization seem like a long but exceptional interlude, and by a Silicon Valley boosterism in which dewy entrepreneurial geniuses kissed by sunshine inevitably become nature’s designated disrupters. The reality is a good deal more complicated and, for the early days, is captured very well by Shane Greenstein in How the Internet Became Commercial: Innovation, Privatization, and the Birth of a New Network (2015). There is ample room for further work, not least in the academy, on how private and public, companies and nation-states have interacted and should interact in the cyber realm. Regardless of how much states want to assert a monopoly on cyber violence, any future conflict—and most conflicts are simultaneously becoming cyber conflicts—will be as much in the private sector as in the public.
The most likely near-term scenario is that tech companies, caught between the demands of states and their own ambitions (which do not include baking lots of security into immature products), will establish areas of cooperation with government. They will also fight to carve out extra-governmental spaces, through encryption or even legislation, to preserve the freedom of maneuver that has led to such spectacular innovation. This could work, as it would preserve the core interests of the main parties.
What any of this will not do is prevent cyber war. In one of his best detective moments, Kaplan unearths two documents, one from 1995 and the other from 1997, establishing the point that the U.S. has been engaged in cyber offense for as long as the term has existed. Moreover, Russia and China were well into catching up more than a decade ago. The capabilities exist and have proliferated. They have been used: against Serbia in the Balkan War, against Iran with Stuxnet and Flame, against Saudi Arabia and Ukraine. More recently, cyber groups allegedly tied to the governments of Russia and China have targeted U.S. governmental, political, and business institutions.
And yet, capabilities have not risen to the level of ongoing cyber war, and as Kaplan suggests in his final chapters, this is partly because cyber war itself eludes definition. The reality is that cyber weapons, like other weapons, are there for states to use when they decide to make war. So far, initial fears that cyberspace would become a virtual battlefield, where wars could start all too easily, have proved unfounded. However, for years now, cyber powers large and small have also demonstrated their willingness to engage in cyber-skirmishing on a daily basis.
Could this constant low-grade conflict, made possible by cyberspace, inure decision makers to the danger of real war, making the “real thing” all the more likely? Certainly the lubricating language of “win-win cooperation” has long since given way to what seems to be a chronic irritability and tetchiness among world leaders. Cyber is part of that, this new period of anxious vulnerability and a lack of endings; cyber undermines the state without replacing it. As Kaplan concludes, in a rather anguished passage on cyber deterrence, “The fact was, no one in a position of power or high-level influence had thought this through.”