On Friday, February 15, 2015, President Obama signed an executive order creating the Cyber Threat Intelligence Integration Center (CTIIC). The CTIIC will serve as a fusion center for information about cyber threats and attacks, synthesizing intelligence from a range of government agencies and the private sector. It is the next manifestation of the White House’s growing concern with cybersecurity, following in the steps of the Comprehensive National Cybersecurity Initiative of 2008 and the Presidential Policy Directive on Critical Infrastructure Security and Resilience of 2013. It is clear that many people, including prominent policymakers, view cybersecurity as a major—if not potentially existential—threat to the United States; the Director of National Intelligence recently declared cyberattacks to be the single biggest threat facing the economy and national security. There is certainly reason for the United States to pay increasing attention to cybersecurity—corporate and government cyberattacks have increased markedly over the past several years. It is, however, not as obvious as policymakers seem to believe that cyberattacks pose a catastrophic threat to any group of people. Many cybersecurity experts believe that the threat of cyberattacks is greatly exaggerated. Specifically, there is good reason to believe that something as serious as a cyber-war would never take place, and that the effects of individual attacks—acts of sabotage, espionage and subversion instead of war—will remain contained and non-lethal. Given the increasingly important role the Internet is playing in international politics, it is worth understanding the implications of how it is represented in the media and by politicians. Current rhetoric surrounding cybersecurity is dominated by geopolitical and Cold War metaphors that frame the Internet in terms of national security, which is used to justify the militarization of cyberspace and state surveillance. 
Such militarization needlessly increases the likelihood of US mismanagement in cyber matters.
The terms cyberattack and cybersecurity are umbrella terms applied to a broad range of situations that vary widely in terms of severity. In general, cyberattacks can be understood as specific crimes designed to compromise the integrity of a computer system or network; importantly, this does not include crimes merely facilitated by computers, such as online hate speech. Instead, cyberattacks cluster around two basic objectives: to retrieve information stored on computers (such as personal and corporate data, communications and money) or to shut down parts of a network (think energy, financial, medical or transit systems). Importantly, cyberattacks and their targets can be anywhere along the spectrum from individual computers to corporate networks to government and military databases and communications. Because of the high variance in the severity of cyberattacks, it is extremely important to be context-specific when discussing cybersecurity approaches. Without careful analysis of cyber risks, different types and levels of risk are invariably conflated in policy analysis. Thus, policy approaches to cybersecurity tend to grant the government undue and overly broad power, justifying broad surveillance and control under the grand enigma of cyber threats.
A crucial component in the justification of surveillance and the militarization of the Internet is the manner in which the United States has framed cybersecurity as a looming and potentially catastrophic national security issue. Understanding the Internet in terms of national security brings it under the purview of the US intelligence services and armed forces. In turn, fending off “existential” cyber threats tends to eclipse individual rights in policymakers’ analyses, and government agencies come to hold almost absolute power. Individual privacy and freedom, along with international law, are readily sacrificed under the banner of national protection. In addition, apocalyptic national security rhetoric around cyberattacks invites the military to develop and use overly offensive cyberattack capabilities, causing international antagonism and setting the precedent for the Internet to be used as a realm for military conflict. For example, the Stuxnet worm, developed by the United States and Israel, was used to infiltrate the computers running Iran’s nuclear facilities and destroy a fifth of their uranium refinement centrifuges. Intelligence agencies, on the other hand, strive to develop methods for circumventing and undermining cybersecurity systems in order to more easily gather information. Consider the NSA-funded projects to undermine corporate data encryption standards, build backdoors—loopholes that allow access without proper authentication—into common and supposedly secure hardware and software, and discover vulnerabilities in software that it could exploit. Hyperbolic, nationalist cybersecurity rhetoric ultimately serves as a justification of the militarization of the Internet, and makes individuals, corporations and other nations less safe. The metaphors that politicians and the media use when talking about cybersecurity both reflect and shape how it is thought about, and ought to be given particular attention.
The spatial metaphor for the Internet, for example, is useful for understanding how and why the Internet became a domain for military conflict. The spatial metaphor, made explicit in the term “cyberspace,” analogizes computer networks to real-world domains for armed conflict. This metaphor is so fundamental to the common understanding of the Internet that it explicitly informs government policy—the Department of Defense considers the Internet to be the fifth domain of military intervention, following land, sea, air, and outer space. Thinking of the Internet as physical space evokes an image of the unexplored, lawless, and free frontier. This imagining of the Internet makes it tempting to map it onto modern geopolitics. For example, the tool IPViking provides a real-time visual representation of cyberattacks, representing each attack as a projectile of light traveling over the map. It is not clear, however, that this understanding of cyberattacks is a useful one: National borders do not map onto the Internet, and the originating location of a cyberattack is nearly always irrelevant to its purpose. When cyberattacks are understood as spatial invasions, they become a question of national—instead of organizational or individual—security, begging the involvement of the military.
The Cold War provides another common set of cybersecurity metaphors; cyberattacks are likened to nuclear weapons in an accelerating cyber-arms race. This 21st century “arms race” is frequently cast in terms of conflict between the United States and China, with many analysts pointing to an “asymmetrical” advantage of the Chinese. One journalist went so far as to call the Stuxnet virus the “Hiroshima of cyber-war.” The problem, however, is that cyberattacks are drastically different from nuclear weapons, and the doctrine of deterrence is not as neatly applicable as it may at first seem. For one, cyber retaliation suffers from a problem of attribution—it is frequently difficult to determine the aggressor in cyberattacks—making credible deterrence impossible. What is more, it is unlikely that any cyberattack or cyber-retaliation would be decisive like a nuclear weapon. Hence, cyberattacks do not have a strong “mutually assured destruction” element, meaning that they can be more regularly deployed. This is especially true for frequent, small-scale cyberattacks that do not justify massive retaliation—aggressors merely launch constant attacks just below the threshold that would trigger a meaningful response. Taken together, Cold War metaphors for cybersecurity are inapplicable at best and counterproductive at worst, since they emphasize a faulty deterrence-based strategy against cyberattacks. If policymakers are duped by these doomsday projections, they will unnecessarily violate civil liberties while looking past the real problem: regular, smaller-scale cyberattacks. If the United States only looks at these lesser attacks through the lens of total war, it might overreact and foment military conflict.
In light of these spatial and Cold War metaphors for cybersecurity that frame the Internet as an object of national security, thereby increasing the risk of conflict while decreasing individual rights, it is important to reconsider how US policymakers talk about cyberattacks. There has been some academic discussion of possible alternative metaphors to use when talking about cybersecurity, but none of them are perfect. Using biological metaphors—describing the Internet as an ecosystem instead of a new spatial frontier and cybersecurity approaches as an immune system instead of deterrence—has been commonly suggested as an antidote to many of the problems of our current metaphors. For example, thinking about computers in a network as individual cells of a body highlights the common biological response to infected cells—apoptosis, or programmed cell death—as a possible solution in computer networks. Biological framing of cyberattacks, however, does not escape the problem of a militaristic, national security framework. In fact, descriptions of the immune system are full of martial metaphors, commonly likening it to the body’s army fighting off foreign invasion. In addition, biological metaphors have their own set of problems, tending to naturalize historical organizations and create very deterministic understandings of the world. While metaphors are inevitable in understanding cybersecurity, it is probably impossible to find an infallible one. Instead, policymakers and academics should attempt to diversify their range of metaphors and carefully think through the theoretical baggage of each one, making their analysis as precise and context-specific as possible.
The success or failure of the US national security apparatus in protecting American citizens, companies and agencies from cyberattack will ultimately depend on the metaphors it uses to understand cybersecurity; while the quest for a single, perfect metaphor may be fraught, it is clear the current ones are counterproductive, and ought to be abandoned.