
by Tim Stevens
25th March 2023

Cybersecurity is presented as the antidote to a host of problems emerging from the deepening interconnectivity of global digital transformation. Covering issues from cybercrime and cyberwarfare to cyberespionage and threats to critical infrastructure, cybersecurity has developed from its technical origins into a mainstay of national and international public policy. But what is it and where is it going?

From a technical perspective, cybersecurity is mainly defensive. It is about protecting digital assets from subversion, disruption, damage and destruction. Its millions of practitioners keep digital networks like the internet and business systems running, so that populations worldwide can enjoy the benefits of digital goods and services. They monitor networks and systems in real time to build a picture of active threats and adjust their defences accordingly. When data breaches do happen, like the 2017 theft of millions of Britons’ personal records held by the credit reference agency Equifax, they fix the problems and try to prevent their recurrence.

There are few social and economic activities untouched by the shift from analogue to digital, so this protective function grows in importance every year. It also grows more difficult every year, as those seeking to disrupt digital security for economic or political purposes find new tools and avenues for exploitation in an ecosystem riddled with holes and vulnerabilities.

The cast list of threat actors is long: criminals, hacktivists, hackers, corporate spies, leakers and whistle-blowers and, of course, military and intelligence agencies. All seek to gain advantage by exploiting vulnerabilities in digital systems and by manipulating end users (you and me) through forms of social engineering. Cybercrime sucks trillions of dollars from the global economy each year and causes significant harm to its victims. Cyberwarfare is part of interstate military operations, as in Russia’s war on Ukraine. Cyberespionage causes tensions between nations ostensibly at peace.

Their end goals are diverse, but all these activities threaten the security and stability of cyberspace. Cybersecurity’s ambition, however, is not just to secure cyberspace but to secure the societies and individuals that depend upon it. A multi-billion dollar industry has grown to provide this, accompanied by cybersecurity policies at every level in the international system, from the least well-resourced country to the great powers, and from domestic standards bodies to the United Nations.

However, as every cybersecurity professional will tell you: it just isn’t working. Or, more accurately, it isn’t working well enough to claim convincing results. The threats keep adapting, the losses keep coming, and harm continues. The shift to a risk mindset illustrates this: rather than trying to eliminate or neutralise threats, most organisations now prepare for worst-case scenarios within a risk-management framework, build resilience, buy cyber insurance and train their staff in what to do when a crisis occurs.

There is no easy fix for this situation and anyone telling you otherwise is selling snake oil. Three factors illustrate the magnitude of the problem.

The first is the nature of the environment itself. Cyberspace is built on software and hardware, none of which can be proven 100 per cent secure: even the small number of formally verified components are only proven secure relative to a model and the assumptions built into it. All have vulnerabilities that can be exploited, and there are plenty of people able and willing to do so. This is a persistent engineering problem that is unlikely to be fixed soon. Nor is the human nature that drives malicious behaviour.

The second follows from the first: the incentives to build secure products are weak. Few firms want to pay upfront for security when the benefit accrues largely to others who get it for free. So, demonstrably insecure products are marketed cheaply and at scale, which creates a larger attack surface for potential miscreants. Manufacturers are weakly regulated in most jurisdictions and see little point in changing their behaviour. And if customers do not demand secure products, the market will not provide them.

The third point is even more difficult to address. All states capable of using cyber capabilities for offensive purposes in peace and war will tend to do so, including those countries leading international efforts to clean up cyberspace and encourage responsible state behaviours. Countries like the US and UK tend to be quite measured in their offensive cyber operations, although there is a valid question about whether they should be used at all. The related problem is that their possession and avowal of these abilities is used by less responsible countries either to claim equivalency – “you do it, so why shouldn’t we?” – or to accuse Western powers of militarism while denying their own corrosive actions in and through cyberspace. This hinders the development of global rules around how cyber capabilities should and should not be used in pursuit of national and collective interests.

On 2 March 2023, the White House released the latest version of the US National Cybersecurity Strategy. This was covered extensively in the international tech and security media and occasioned a flurry of broadly supportive analysis and commentary. The strategy outlined proposals to improve US approaches to defensive cybersecurity, resilience and market incentives, including the prospect of enhanced regulation. It did not address US offensive cyber capabilities, which are the subject of separate policy. This is in contrast to the UK approach, which combines defensive and offensive cybersecurity in a single national strategy. Which approach is correct is open to debate – neither claims to be the final word on the matter – but each tries to balance cybersecurity ‘roles, responsibilities and resources’ through a risk-management lens and within an overall framework of domestic and international cooperation.

How these and dozens of other initiatives will fare over the short to medium term is unknown. It is probably not too pessimistic to suggest that none will fully achieve its stated ambitions, although there are likely to be gains along the way. Cyberspace is a dynamic environment, and cybersecurity policy and strategy need to be too. The potential for artificial intelligence to generate new forms of cyber threat, for instance, is of grave concern to many. So too is the proliferation of actors and tools that are simply not being deterred by existing cybersecurity practices and policies.

How will being proactive about rooting out these threats affect cyber stability and security? How far can a risk-management approach achieve notable gains in cybersecurity? Are we, as respondents to a recent World Economic Forum survey suggested, headed for a cyber ‘catastrophe’ in the next two years, whatever we do? Is the serious harm to economic wellbeing, perhaps even loss of life, that such catastrophic scenarios imply an inevitable product of intense global interconnectivity?

We cannot know. What we can say for sure is that cybersecurity is much more than just computers and data. It is a key facet of global digital transformation and a contested political issue. Watch this (cyber)space.

Tim Stevens is Reader in International Security at the Department of War Studies, King’s College London.


What Is Cybersecurity For? by Tim Stevens is available on the Bristol University Press website. Pre-order here for £8.99.
