By Eric B. Schnurer
The very distinction between the virtual and physical worlds is itself dissolving. Is it time we started thinking about security in the physical world as we do in cyber? Successful attacks cannot be entirely prevented but can be survived by building multiple pathways so the enemy cannot take down the entire system. Every point in the network has access to the information, so it can, as a practical matter, never be destroyed or altered, something like a hologram. In that way, blockchain essentially models the logic of “defense” as dispersion and redundancy. "Distributed" rather than concentrated systems are more survivable and secure in the real world, not just the virtual: To the extent that our concern is purely physical survival, even then, the more dispersed or redundant a population, an economy or a culture, the less a physical attack on it will make any sense.
Cyberattack is slowly becoming the preeminent form of international engagement, so much so that it's simply been assumed that current U.S. retaliation against Iran includes cyberattacks. That just makes it part of an ongoing, "larger pattern of cyber exchanges" between the two adversaries, as Brandon Valeriano and Benjamin Jensen phrased it recently in The Washington Post — and of the growing presence of cyber operations in global conflict.
The cyber world is dissolving distinctions between war and non-war, between what's "inside" a country and what's outside it, between the state and society. In fact, the very distinction between the virtual and physical worlds is itself dissolving. So perhaps we ought to be thinking about security in the physical world as we do in cyber.
North Korea's hack of Sony, the U.S.-Israeli Stuxnet attack on Iran's nuclear centrifuges and Russia's shutting down a civilian Ukrainian power plant through hacking as part of its invasion of Crimea all produced real-world, physical damage. Russia and the Islamic State have penetrated U.S. computer systems to explore the possibility of hacking dams to implode them or nuclear plants to explode them. Additionally, The New York Times recently reported that the United States is striking an increasingly offensive cyber stance by implanting sleeper code deep into the control systems of the Russian grid in case of future hostilities. Simply knocking out the internet, without any other direct physical violence, would disrupt practically every aspect of modern life, causing untold deaths and physical suffering. In sum, it's not at all clear that there's a meaningful distinction to be made anymore between "security" and "cybersecurity" — or "defense" and "cyberdefense."
One result is that cyberwar and cyberdefense are not just military, or even public sector, issues. As Benjamin Wittes and Gabriella Blum argue in The Future of Violence, the technology democratizing threats also democratizes defense, "distributing" the nation-state's activities across a wider range of actors — notably private sector providers of the "pipes," both traditional utilities and information technology, upon which modern society now depends. "It's very difficult to draw the line," Liina Areng, who helped oversee the cybersecurity of the entire cyber-dependent Estonian government, told me. Technology has not just expanded the battlefield to all actors in all places, as Wittes and Blum describe, destroying the distinctions between what's a military and a nonmilitary asset — and what's "inside" a country and what's not — it has also diluted time, making every moment an opportunity for, and threat of, conflict. Because cyberattacks can occur without invoking the same responses as physical attacks and incursions, they are occurring right now between global combatants, constantly, as you read this.
Virtual conflict, in short, is occurring everywhere, all the time.
A Lesson From a Former Soviet Republic
Once a small independent country until forcibly incorporated into the Soviet Union in the mid-20th century, Estonia reestablished its independence in 1991 as the Soviet Union imploded. It found itself, like many former Soviet republics, with a moribund economy and antiquated infrastructure. But, fatefully, Estonia set a goal of becoming the world leader in information technology by the end of the decade. Today, Estonia has the world's fastest and most widespread Wi-Fi, and almost the entire economy and all government services — from elections to tax collections, to the national health care plan — are online. Its "e-resident" program allows it essentially to export its government worldwide to virtual Estonians.
Being the most virtual country in the world, however, also made Estonia the most vulnerable to a virtual attack. Such an attack, widely regarded as the world's first, came in early 2007, with Russian hackers disrupting the country's public and private sectors for several days before order was restored. Estonians still anticipate further attacks from Russia — including outright invasion. The government, therefore, has placed all its operations on servers throughout the world — and is looking to move them to satellites beyond earth — so that it could continue operating as a country "in the cloud" without a physical foothold in Estonia. For all these reasons, Estonia has become the world leader in cybersecurity and home to NATO's cyber defense center of excellence.
Successful attacks cannot be entirely prevented but can be survived by building multiple pathways so the enemy cannot take down the entire system.
Both military and civil defense, Areng said, "are really about resiliency, building redundancy and information-sharing." In our conversation, Areng returned repeatedly to redundancy and resiliency as the keystones of both cyber and physical security: the idea that successful attacks cannot be entirely prevented but can be survived by building multiple pathways so the enemy cannot take down the entire system.
This concept, now common in the cyber world, goes back to the Cold War: The U.S. telecommunications system stood out as a likely target in the event of war with the Soviet Union. The traditional approach called for "hardening" the target — for instance, investing in "a nuclear-resistant buried cable network (costing) $2.4 billion," writes Andrew Keen in his book, The Internet Is Not the Answer. However, a young Rand analyst named Paul Baran had a different idea, a "user-to-user rather than … center-to-center operation," a "distributed network" that "would be survivable in a nuclear attack because it … would have no heart, no hierarchy, no central dot."
The answer was the internet, the title of Keen's book notwithstanding. Societies tend to conceptualize their worlds based on their technologies: In an age of increasingly precise machinery, social and economic activity was conceived as mechanistic, and both corporate and government entities came to reflect the factory; in the postwar era, not just the technology of the computer but a philosophy of computer-like analysis increasingly gained ascendance over economic and political decision-making and structures. The internet and, consequently, the economics of networks, networks as decision-making systems and netwar as the framework of conflict, structure today's thinking.
Rendering an Attack Pointless
The next model is, likely, blockchain technology, in which information is distributed across millions of computers — every point in the network has access to the information, so it can, as a practical matter, never be destroyed or altered, something like a hologram. In that way, blockchain essentially models the logic of "defense" as dispersion and redundancy. Increasingly, then, dispersion — making potential targets "softer," or more ephemeral and diffuse, rather than "harder" — is becoming the modern strategy to render attack pointless.
Physical destruction matters less and less in an increasingly virtual economy. Killing people and occupying their territory are not the most productive economic or military objectives anymore. Many future-of-war theorists believe that conflict will rarely involve the physical any longer, but rather attempts to "win" by controlling virtually either their rivals' politics (as Russia has arguably succeeded in doing to the United States since 2016) or their economies without seizing direct physical control over people and territory. As Lauri Aasmann, chief of the NATO cyberwar center's law and policy branch, told me, "there's a disincentive for taking down an entire cyber system." As an aggressor, eventually "you want to use it (yourself) for propaganda and espionage purposes."
"Distributed" rather than concentrated systems are more survivable and secure in the real world, not just the virtual: To the extent that our concern is purely physical survival, even then, the more dispersed or redundant a population, an economy or a culture, the less a physical attack on it will make any sense.
American culture, values and economic products are increasingly difficult to destroy. The United States is the epitome of the "holographic" society.
Can one, in any event, actually "virtualize" or "distribute" a country? Estonia is sure trying. But to a greater extent than we generally appreciate, the United States already has done so: American culture and values are ever more broadly dispersed, having essentially conquered the world. The great global conflict today is not between countries so much as between two cultures that cross, and coexist within, existing national borders — one culture is as fluid and amebic as the technology on which it rests, while the other is based on "harder" technologies and harder borders and is reacting against the spread of the former. The United States is not only the nation most enmeshed in this emerging supranational world: It is the one that has done the most to create and shape it — and has done so largely in its own image.
A physical attack on the United States might lower the quality of cinema worldwide, depending on whether the gap is filled primarily by France or Bollywood, but it's hard to see how it would stop all the other ways in which "America" largely dominates the world. Even if the United States were destroyed as a physical or governmental entity, American culture, values and economic products are increasingly difficult to destroy. The United States is the epitome of the "holographic" society.
In the siege mentality sweeping much of the world, including President Donald Trump's "American carnage" worldview, safety lies only within territorially defined, demographically homogeneous nations with autochthonous economies and not just firm, but also largely impenetrable, borders that keep all threats at bay. This outlook may have it backward, however, putting America and its interests at greater risk. Physical security as well as cybersecurity in the 21st century increasingly lie not in becoming a fortress nation, but in doubling down on being a holographic one: promoting greater global integration, sending our people and products abroad more aggressively, and welcoming a more diverse array of the rest of the world's peoples and products within our national borders.
No comments:
Post a Comment