Here Be Dragons
A Review of Adam Segal's The Hacked World Order (PublicAffairs, 2016).
There have been many books written on cybersecurity over the last several years—this is by far the best. People will disagree with it—there are claims and arguments that I certainly do not agree with—but everyone who is interested in these questions will have to engage with it.
There are two big reasons why cybersecurity debates are terrible: cybersecurity is highly technical across multiple dimensions, but it is also a topic that inspires high passions. The first problem means that different kinds of expertise—computer science, legal reasoning, strategic thinking, civil liberties activism—regularly collide with each other, and the crashes can be ugly. The second leads to clashes over ethical positions. There are few more politically charged questions than the conflict between national security and civil liberties, and cybersecurity remakes this conflict in new and complicated ways. The result is that few people understand cybersecurity comprehensively (most understand one or two dimensions better than the others), but many people have strong opinions. This leads to vexing and fruitless debates, where prominent pundits are able to get away with technically illiterate and excitable nonsense.
Segal’s book is not a complete overview of everything to do with cybersecurity—I do not know that anyone could possibly write one. It does cover an enormous amount of ground, and even better, it stakes out a clear and interesting position. Segal argues that power politics are crucial—the states that are able to use or threaten offensive actions in cyberspace are the states that count. However, these power politics are enormously complicated by the growth of interdependence and the crucial importance of the private sector. As the US has found out to its dismay, cyber-enabled espionage and covert action is having unexpected ramifications. Large scale surveillance is leading to counter-reactions in Europe and other friendly parts of the world. Building domestic defenses against spying and covert action is hard when the crucial resources reside in private, rather than public, hands. Finally, US firms’ dominance of e-commerce and the Internet can be a weapon when it allows for easier surveillance, but a weakness when these firms’ international business interests lead them to split from the US security state.
For sure, this position has clear political implications. Segal is a Senior Fellow at the Council on Foreign Relations, and his book reflects the Council’s brief to help US policy actors and citizens “better understand the world and the foreign policy choices facing the United States and other countries.” Yet even if it is clearly written from a US-centric perspective, it takes a quite dispassionate view of US interests, and explicitly describes US mistakes as well as successes. Both NSA officials and civil liberties activists will recognize the world it portrays (while chafing at the parts with which they disagree).
The argument is straightforward, but touches on many questions that are poorly understood. Segal agrees with many elements of what might be called the Pentagon View of cybersecurity, arguing that cyber threats are real, that the really problematic ones tend to emanate from nation states, and that power politics dominate. Yet he also emphasizes how the US is itself perceived by other countries as an exceptionally aggressive adversary in cyberspace, and correctly so—the NSA is believed to be the biggest customer on the semi-clandestine market for zero day exploits, and has been the most ambitious state using cyber-espionage. Most interesting of all, Segal provides a novel and provocative argument about how great power politics has become intertwined with commercial relations such that the private sector is important, as well as the public sector.
In Segal’s account, international power politics set the agenda for cybersecurity. Those states that have capacity—in particular the capacity to engage in offensive cyber operations—dominate, while those who do not suffer as they must. Only two states—the US and China—are true superpowers in cyberspace. A small number of other countries—Russia, the UK, Israel, Germany, France, Iran and North Korea—are either actual or potential players. These are the states with significant capacity to engage in offensive cyber operations, which mostly involve espionage and exploitation, but also include covert operations that can have physical consequences, as witnessed by the Stuxnet/Olympic Games attack on Iran’s nuclear program. Other actors, whether states with underdeveloped cyber capacity, businesses or members of the public, do not have the capacity to fight these clandestine battles. Often, they are not even able to defend themselves well against concerted attacks by powerful adversaries, and are caught in the fallout.
Yet even if the politics of cybersecurity is driven by power relations, it does not operate as it did during the Cold War. Both the threats and vulnerabilities are more complicated. Back then, governments controlled the relevant weapons systems, the relevant infrastructures to support these weapon systems and the relevant means of defending against hostile incursions, such as they were. Non-state actors played a largely passive or responsive role, whether they were civilian populations that could be held hostage for the behavior of their states (much Cold War deterrence was based on the threat of ‘countervalue’ attacks against large cities), or military contractors that helped develop new weapons systems and defenses.
Now, governments are no longer the only major players, and power politics is playing out under conditions of interdependence. Segal argues that a state’s cyber-power depends “critically” on the government’s ability to work with the private sector. Businesses are important not only because they can contract with the federal government, but because they run the infrastructure that is vulnerable to external cyber-attack. For example, most advanced industrialized democracies have either privatized the power grid or never operated it in the first place. If this grid comes under attack, who defends it? The government may not have access to it or detailed technical knowledge about how it works. The private sector companies running the grid may not be aware of the risks of attack, or understand how best to defend against one. And in most countries, neither state nor business has any very good idea of how to communicate with the other in the event of an attack.
This leads, as Segal puts it, to “a central paradox for the United States: economic and technological sophistication are” not only sources of power and domination, but “also sources of vulnerability.” However, it is tough for the US to address these vulnerabilities. Industry does not want to pay the cost of expensive and uncertain cyber-defenses, while conservatives are skeptical that the government can help. This has led politicians to focus more on information-sharing between the government and the private sector—but that has led to outrage from proponents of civil liberties, who fear that this information may be used against innocents and civilians.
Nor are the problems limited to domestic politics. The US has to think about international politics too—and in particular about how interdependence constricts great power maneuvering. Again, the relationship between states and private actors has become far more complicated. In the past, the NSA benefited greatly from its dominance of US technology companies; Segal quotes then-NSA Director Michael Hayden as saying that surveillance is a “home game for us,” since so much international data passes through places like Redmond, Washington. There used to be an apparent happy coincidence between US security interests and the forces of gravity shaping the open Internet so that US firms predominated.
Segal argues persuasively that this made the US myopic. US policy makers thought that they could have their cake and eat it too, building an Internet that was open simultaneously to US companies and to US efforts to manipulate it for security purposes. After the Snowden revelations, that looks to have been a bad bet. US businesses are suffering, as they are now seen as intimately associated with US surveillance efforts, while civil liberties advocates and judges in US allies are looking to use these businesses’ commercial interests as leverage to push back against US surveillance.
Hence, Segal’s description of our current state: we are blundering around in territory that is only sketchily mapped out. Our charts have warnings—cave hic dragones—but do not provide specific guidance as to how the dragons might be placated or avoided.
The imperatives of national security are still there. States are going to spy on each other and engage in covert action when they think they can get away with it. Among adversaries at least, the most we can expect are norms or agreements to limit the very worst behavior. Yet a singular focus on national security is just what blinded the US to how others would perceive its actions. Business interests are also crucially important—and are increasingly becoming ‘unzipped’ (as Segal describes it) from national security imperatives. Large US e-commerce firms have to work across multiple jurisdictions, exposing them to cross-pressures that are only going to get more intense over time. Civil liberties activists have clearly identified how the blurring of the boundaries between domestic and international are weakening protections, as spying technologies become less narrowly focused on individuals and better able to gather vast amounts of communications data in order to identify the interesting messages later. Yet how to resolve these problems—even between North American and European states that share a lot in common—is murky and harder to achieve.
Segal does not have grand solutions for these problems. Instead, he offers proposals that might mitigate them in a world where states still clash, where it is increasingly more difficult to identify where national politics stops and international politics begins, and where US influence is likely gradually waning. People from different perspectives are likely to find the solutions he offers unambitious. I too am doubtful that the US can do much to reassure other democracies about surveillance without a fundamental rethinking of how to make civil liberties as interdependent as the flows of data that implicate them. I imagine that other people, who might disagree starkly with me on civil liberties questions, might be skeptical from the contrary perspective. But they, like me, will have to grapple with the fractured policy realm that Segal depicts, one where actions taken to reassure domestic constituencies can have negative international repercussions and vice versa, and where conflicting priorities of security, civil liberties and technology have become so entangled as to become very nearly inseparable.
Henry Farrell is associate professor of political science and international affairs at George Washington University. He blogs at Crooked Timber and the Monkey Cage.