India’s premier security think tank, the Institute for Strategic and Defence Analysis (IDSA), just held its first major international conference on cyber security. Its focus on Asian and international perspectives has delivered distinctly Un-American perspectives on security in cyber space.
The three-day meeting coincided with the release by President Obama on February 9 of a bold new initiative, the Cybersecurity National Action Plan (CNAP). The gulf between the concepts and programs elaborated in the U.S. plan and those of several Asian or Asia Pacific states (India, Japan, China, Pakistan) and Taiwan, revealed at the IDSA meeting has been stark indeed.
The richest and most technologically advanced country in the world announced a new spend in the budget sent to Congress of $19 billion for additional cyber security policies, a 35 percent increase over the previous Fiscal Year. This included a Technological Modernization Fund of $3 billion just to upgrade government IT systems, the establishment of a new National Center for Cyber Security Resilience, and a new Cyber Reserve Force.
The same day, Obama released the 2016 Federal Plan for Research and Development in Cyber Security. One day earlier, the Administration opened a new National Cyber Security Centre of Excellence, an innovative combination of the private sector and national research capabilities.
The most telling aspect of the Obama announcement was the creation of a Commission on Enhancing National Cybersecurity, to report to the President by the end of 2016 on what more the United States needed to do to address the challenges. This was a direct admission that even the richest, most powerful country on the planet cannot deliver even a medium level of cyber security. This was made plain yet again just days before the announcement with news that the names and personal details of 20,000 FBI personnel had been leaked by a hacker.
So if the United States cannot deliver a medium level of cyber security, what hope do other states with less wealth and technological depth have?
We need to bear in mind that it was less than twelve months ago that the United States released a new cyber military strategy, a new Cyber Command vision statement (cyber weapons for all phases of operations), and a new Laws of War Manual saying pre-emplacement of logic bombs in adversary state information systems is lawful.
Thus, the main message I took away from the IDSA conference and the big international news swirling around it was that in peace as in war, the cyber attacker has a clear advantage over the defense. This means that small and middle powers are almost defenseless in cyber space against powerful states, such as the United States (or China). As my paper pointed out, China hopes to be as powerful in military uses of cyber space as the United States within several decades.
This asymmetry of cyber power is well understood by specialists and governments.
The more surprising aspect of the presentations at the IDSA conference was how far the mindset of people from Asian countries and Eastern Europe on cyber space issues differed from those I had been so consistently exposed to in the United States, the United Kingdom and Australia.
I had studied Russian and Chinese positions very closely for more than six years and I had seen the differences in approach to security in cyber space largely in terms of the explicit policy differences of the countries concerned and the large gap between them in terms of technological development. I was also prepared to credit the constraining influence of bureaucratic influences in both Russia and China as part of the cause of their cyber backwardness relative to the United States and each other. But I was premising my approach on what appeared to be a strong trend towards followership (copying the United States) or convergence (similar security needs and common technologies should dictate similar institutional responses).
Another equally powerful explanation was on display at the IDSA conference. This is the concept of strategic culture. Many countries simply do not see or feel cyber space in the same way as the United States or even each other. This was visible in the freshness of thinking in the papers for the conference. There were many un-American ideas which were as appealing for their novelty as they were credible.
One of the most interesting was the proposition from India’s Amit Sharma that creation by governments of cyber militias in peace time can be a powerful element of deterrence of war. He made this observation as part of a well-constructed presentation on new strategic approaches to the military aspect of cyber space. Another insightful gem from him was that specialists may have not realized how much the sensory relationship between a government and its citizens for wartime was now conditioned by cyber technologies to the extent that cascading attacks on the communications infrastructure of the population during a war or in preparation for it could degrade the target country’s war effort.
The presentation from Taiwan’s Colonel Li-chung Yuan was remarkable for its main thesis that setting up national cyber defenses under the auspices of the Ministry of National Defense was inappropriate. One reason he gave was that in most countries, the armed forces had no legal remit or experience for managing domestic communications and civil infrastructure.
A tantalizing observation came from Lieutenant General (ret.) Prakash Menon who suggested that in cyber war, the distinction between a military person and a civilian would disintegrate.
It may be time to see in what ways the concept of strategic culture can be used in understanding national approaches to security in cyber space. [By strategic culture, I mean the contemporary organizational, ideological and political culture of a country as it affects war planning. I do not accept the idea that country’s strategic culture is inherited from centuries old tomes on the art of war or its philosophical traditions.]
A closer focus on differences in the way countries see and feel cyber space from the perspective of strategic culture as opposed to a near exclusive focus on their hard political objectives may yield some fruit in international efforts for crafting an architecture of cooperative military restraint in cyber space.