Cyber War
Cyber War is a convergence of my major, Cybersecurity, and my minor, Political Science, where we mostly engaged in discussions about how cyberwarfare and cybersecurity are engaged with on the global level. This unlocks the element how cybersecurity relates to national security and how cybersecurity is used during times of peace and during times of kinetic, or physical, warfare.
The first week explored the different interpretations of cyberwarfare and how cybersecurity needs to be viewed in an interdisciplinary light. The landscape of cyberspace changes rapidly from year to year, and many of the hypotheticals that were imagined a decade ago have either come to fruition or become complete fantasy as we are finding out what is actually capable in cyber operations and with the development of AI. Cyberwarfare needs to be looked at in an interdisciplinary light because of how it can impact different areas of study, like economics, politics, and, in some cases, its physical impact on attacked areas.
The first assignment was to respond to the question: Matthew Monte, in the introduction to his book Network Attacks and Exploitation: A Framework, claims that “depending on what definition you use and who you ask, Cyberwar will never happen, is about to happen, or is already happening.” Which is it, in your opinion? To what extent is Lucas Kello right? Or do Jon Lindsay and Erik Gartzke have the right of it?
My response:
While there is trouble trying to get cybersecurity to fit into international relations, I do think there is room to at least discuss the potential implications of cybersecurity and cyberwarfare as it relates to the international community. Arguably, cybersecurity fits into the complicated nuances of international relations because it lies somewhere between hard power, such as military force, and soft power, like negotiations and diplomacy. A realist would believe that cybersecurity cannot really fit into hard power because cyberwarfare, and protecting against it, isn’t really an example of kinetic warfare; even though cyberattacks can be used preemptively as a deterrent or in the midst of kinetic warfare, there are few cases where cyberattacks lead directly to physical harm. Although realists may also believe that cybersecurity could fit into international relations because it does have national security implications. Cybersecurity cannot really fit in with soft power either because soft power implies being able to find common ground through negotiations. If liberalism prioritizes soft power over hard power, cybersecurity may not matter as much because it has little influence over diplomacy and culture; however, even though cybersecurity doesn’t completely align with the definition of hard power, it would remain something for them to address because cyberwarfare can exist within hard power. A constructivist may hold similar beliefs to Kello: believing that the issues surrounding cybersecurity internationally may be socially constructed, and not an issue relevant to the international community. However, cybersecurity and cyberwarfare would be an issue for the international relations community to discuss because they do not adhere to state boundaries. Cyberspace has made attacking other countries widely accessible and has created an issue regarding participation, transparency, and accountability. These issues would also come with trying to govern cyberspace; while international organizations, like NATO and the ICC, already face an enforcement issue, trying to govern actions in cyberspace may prove to be even more unenforceable than physical governance. Even though various issues arise when trying to fit cybersecurity into international relations, it is still an aspect to be considered as technology continues to be integrated into warfare.
Week two was an introduction to how the United States responded to the expanding threat of cyberwarfare and the need for increased cybersecurity. We looked at how different presidents used executive orders to shape the cybersecurity landscape and how the government worked with the private sector for security and the development of AI.
The second assignment was to respond to the question: Between Biden and Trump’s Executive Orders on cybersecurity, there is slightly more emphasis placed on private sector initiatives in the Trump EO, particularly relating to AI development. Should there be more of this? Less? How much of a part should the private sector play in defining cybersecurity priorities in the U.S.?
My response:
The difference between Biden and Trump’s Executive Orders, particularly regarding AI, highlights the rapid development of AI and how the two political parties choose to regulate it. Historically, democrats championed regulation and believed that security issues come from a lack of government regulations in the private sector, and remedied those security issues by creating a partnership between the federal government and the private sector; on the other hand, republicans tend to emphasize the role of the private sector while giving the federal government the role of aiding the private sector’s endeavors. Ultimately, as the parties of the executive branch switch over the years, each administration builds on the others, which is partially why the Trump EO has more on AI development. With the government implementing private sector initiatives, particularly AI initiatives, I think it makes sense that slightly more emphasis is being placed on the private sector; however, I also think that because the government is implementing private sector initiatives, they may need more regulation for security reasons.
We have more information now than we did in the past about how cyberattacks may be used to impact an entire nation, and we should use that history as guidance for how to handle cyberattacks in the future. The Colonial Pipeline Ransomware Attack is an example of how a private sector attack can cause enough damage to warrant government action, and the SolarWinds attack is an example of how an attack on a private sector corporation can directly impact the government itself. Given the fact that the private sector has been targeted and will continue to be targeted by foreign adversaries, it shows that they do play a part in cybersecurity and should therefore be involved in policy-making. I think Chris Inglis’s idea on how the public and private sectors should interact regarding cybersecurity makes sense because it allows for the public and private sectors to work and build from each other’s policies. Ideally, this would harden both sector’s defenses but still allow the private sector to prioritize what may be weak in their own defenses. With how likely private sector companies are to be victims of cyberattacks, their possible weaknesses should definitely be a priority for the federal government.
References:
https://attack.mitre.org/campaigns/C0024/Links to an external site.
Week Three was an overview of China and how it has become one of the United States’ major adversaries in cyberspace. This module ranged from the Chinese mindset, which led them to becoming and economic and technological global superpower, and how it has used its technological capabilities against its own adversaries.
The third assignment was to respond to the question: Considering China’s cyber espionage activities, do you think it is justifiable to hack businesses in hopes of providing competitive advantages for your own nation’s companies? Should the United States have done more to respond to these hacks?
My response:
I do not think it is justifiable to hack businesses in hopes of providing a competitive advantage. The US and China have had a complicated relationship over the years, and China is one of the US’s leading cyber threats, but when it comes to how businesses operate, hacking other businesses is a crime that may not reap any benefits. While it is not really clear that China’s cyber espionage activities impacted American businesses in any way, it is also important to note that China’s economy is run differently from the US economy, so something that may work for Chinese businesses may not work for US businesses. While I still wouldn’t believe it is justifiable to hack another business for competitive advantages, it would make more sense for a US-based business to hack another US-based business because they are both operating within the same economy and would potentially be able to offer better competitive insights.
Given the fact that China attacked the US to gain information on US military technology, I do believe that more should have been done, but strengthening the response to those cyberattacks could have led to conflict, like kinetic warfare or increased cyberwarfare, between the two countries. There are many hypothetical situations that could have happened if the US responded more strongly to those attacks, and the best decision may have been the actions already taken.