By Robert Dewar for Center for Security Studies (CSS)
Robert Dewar contends that cyberspace does not exist. As a result, it is a misconception for states to treat cyberspace as an existent domain of warfare alongside land, sea, air and outer space. In response, politicians and academics should acknowledge that this virtual domain is just that—virtual. By doing so, states will see they already have the norms and legal frameworks in place to deal with a range of cybersecurity threats and risks. Cyberspace – an important part of modern life and the source of numerous modern security concerns – is being treated as a domain where the usual rules do not apply, a position stemming from a fundamental misconception: cyberspace does not exist.
In the last 30 years, the virtual domain known as “cyberspace” has enjoyed increasing recognition from political and military actors. Malicious and weaponized code such as viruses and worms emerged as annoyances in the 1980s, and developed into sophisticated tools capable of disabling equipment in nuclear facilities, as Stuxnet did in 2010. Specially designed DDoS attacks have targeted state infrastructures, as was the case in Estonia in 2007. On the political side, seven countries opened embassies in the virtual platform Second Life between 2007 and 2008. The rise of cyber-crime and cyber-terrorism has captured popular, journalistic, and political imagination and, due to the ever increasing level of technical sophistication of malicious digital tools, security and military policy is struggling to keep up. Politicians and theorists speak of a revolution in military affairs and the imminent outbreak of cyberwar, with battles being fought in cyberspace. As a result, not only has cyberspace become a domain in which personal and commercial transactions take place, but it has been described as the fifth domain of warfare alongside land, sea, air and outer space.
Key Points
What is labelled “cyberspace” is a combination of physical devices connected to each other and the information these devices store and share.
There is a two-fold misconceptualisation of cyberspace: first as a domain in which action can take place; and second as one where current, longstanding rules and norms do not apply
By moving away from the mistaken conceptualization of cyberspace as an existent domain, states can see that they already have frameworks in place to more effectively secure themselves against a range of cybersecurity threats and risks
All of these normative changes, policy developments, publications, legal formulations, strategies and prognostications of doom are, however, built around a fundamental misunderstanding: cyberspace is not a place, conceptual or actual, in which a fight, let alone a war, can take place or be fought. It is, as Gibson1 described it in his 1984 novel “Neuromancer”, a “consensual hallucination”: a made-up, quasi-fictional entity being considered real. This poses a number of problems for policy-makers and researchers. As land, sea air and outer space evolved into battlegrounds, new processes were developed to fight in these domains. Should the same be true for cyberspace? Should new political theories, regulatory systems or social norms be developed to address the very real security challenges of the cyber-age, or are these challenges simply older, long-standing issues wrapped up in new digital and online jargon? To paraphrase Saalman2, should new wine be poured into new bottles, or are the bottles not new at all? To overcome this misconception, politicians and academics should acknowledge that the virtual domain is just that – virtual – and does not exist. Then it will be clearer that the security challenges faced in the digital age are not new and that current frameworks can be applied to “cyber” issues: old wine can be poured into old bottles.
LAN network cables plugged into a Bitcoin mining computer server are pictured in Bitminer Factory in Florence, Italy, April 6, 2018. Picture taken April 6, 2018. Alessandro Bianchi / Reuters
Inventing a digital domain
The concept described as “cyberspace” in political and academic debate is in actuality a gestalt entity made up of two separate constructs, one physical, the other digital and “virtual”. The physical entity is the Internet, an interconnected network of digital devices which communicate with each other over wired or wireless connections. These physical pieces of technology include smartphones, tablets, routers, computers and “smart” devices such as Internet-enabled TVs. The Internet hosts an additional virtual entity called the World Wide Web. The Web is a vast and continually growing collection of inter-referencing pieces of information produced in a digital format commonly called “webpages”. These webpages are complex pieces of computer code, stored collectively on large digital repositories (servers). When a user of the Internet requests information from the Web, their device communicates with a series of other devices to access that information in a digital form, usually through browsers such as Firefox or Chrome.
The devices which make up the network, and the information they host, are increasing exponentially in technological complexity, diversity and volume. However, the fundamental description above remains the same one now as was the case in the 1960s with the development of ARPANET, the precursor to the modern Internet. To describe this vast system of interconnected technologies and computer code as an existent place is a conceptual error more at home in science-fiction (such as the Matrix or Tron’s “grid”) than in policy development or academic research. “Cyberspace” is therefore a social construct. Language and speech acts are being used to describe and hence bring into being a completely non-existent entity. This socio-linguistic construction poses problems for policy-making and academic study, particularly in the fields of security and defense.
New wine into new bottles?
Despite the simple technical reality of the nature of its digital networks, cyberspace is treated as though it is a realm where normal, or at least longstanding rules don’t apply. In 1993 Arquilla and Ronfeldt3 declared that cyber war was coming. They wrote that the development of new digital weapons, coupled with an increasingly networked and digitalized society meant that cyberspace would be the new battleground. This quasi-military language established a conceptual path dependency with the result that, in 2010, then-US Deputy Secretary of Defense William J. Lynn III declared that cyberspace was the fifth domain of warfare after land, sea, air and outer space4. Military strategists and government policy-makers leapt on this description and a wealth of policy has been produced from this viewpoint, one which argues that the advent of the cyber-age is creating a revolution in military affairs which requires new ways of waging war, new strategic theories, new social norms of acceptable behavior and new safeguards, particularly given the increase in state use of cybertools and techniques against perceived adversaries. There is an increasing body of academic opinion calling for cyber arms-control regulation and non-proliferation treaties similar to those in place for nuclear, biological and chemical weapons, as well as calling for new civilian legislation to be established to ensure the safe usage of cyberspace, or at the very least to minimize malicious actions.
The practical problem for law- and policy makers is that the speed of digitalization and penetration of Internet-enabled smart technology into every aspect of human life and discourse means that regulatory and legislative systems around the world are struggling to keep up with new technology. The ongoing debate around reconciling personal rights to privacy with the commercial needs of social media platforms and the law-enforcement needs of police forces and state security agencies always appears to be several steps behind the curve. Politicians and academics alike are therefore seeking to develop bespoke solutions to these cyber-problems: new wine is being developed to fill new bottles. A new area in which human interaction takes place has evolved – cyberspace – and with it has come new normative requirements and regulatory idiosyncrasies.
This is the crux of the problem. When developing policy and legislation politicians, law-makers and a number of academics are treating cyberspace as though it were a domain in which the usual rules of law enforcement and armed conflict do not apply. The reality is very different. The tools malicious actors are using may have evolved and become more complex given the advent of the digital age, but the motivations and goals of those actors have not changed. Cyber-crime such as hacking into banks and stealing customer data or funds is still crime and subject to law enforcement; cyber-espionage such as accessing classified government systems is still espionage and subject to international law and existent conventions. Cyber-warfare is simply the conduct of conflict operations using the latest technology available, something the military has done for centuries. The security challenges faced before the cyber-age remain the same, irrespective of the addition of a “cyber” prefix. Accepting or acknowledging that cyberspace is not an actual domain enables us to realize this.
It should be pointed out, however, that this trend of misconceptualisation is not universal. From a military, cyberdefense perspective this conundrum has been inadvertently addressed by the publication in 2013 of the Tallinn Manual on The International Law Applicable to Cyber Operations. This is a collection of legal opinion applying established international humanitarian law (IHL) and the laws of armed conflict (LOAC) to cyberwarfare operations with the aim of codifying and clarifying rules of engagement and action. Crucially, IHL and LOAC were applied to cyberwarfare not because warfare conducted in cyberspace was a new issue which needed new rules, but because the issues, motivations, goals of combatants and questions regarding the nature of an armed attack were unchanged regardless of the use of new technology. There needed to be no new international law; current frameworks simply needed to be more effectively applied. Such was the goal of the panel of experts who produced the Tallinn Manual and its successive editions.
Why we should wake from the consensual hallucination
One question remains, however: does it matter how cyberspace is perceived? The empirical reality is that cyberspace is being treated as a specific existent domain like land, sea, air and space. This mantra has been repeated so many times by so many people, including people of influence, that it has gone viral and is now being accepted as fact. No amount of disagreement with that conceptualization is going to change global collective views.
There are two reasons why this misconceptualisation is important. The first is simply that it is always better to have an accurate description of an entity than a mistaken one. Given that the Internet has facilitated the spread of inaccuracies and falsehoods such as fake news stories, striving for correct, accurate information is becoming ever more important. The second reason is that the drive to develop new policy, laws and social regulation (the Tallinn Manual notwithstanding) has come at a high cost in time and resources, costs which can be better allocated to tackling the actual social and security problems being faced such as online criminal activity. States should follow the precedent set by the Tallinn Manual and not rush to create new solutions for cyber-problems. Those problems are not new simply by virtue of being digital. Only the tools involved have changed.
The solution to these two issues is relatively simple: acknowledging that cyberspace is not real, and therefore is not a place where different social, political or military rules or laws apply. One way to achieve this digital Weltanschauung is to move away from the focus on a fictional place, cyberspace, in which the action occurs and instead pay closer attention to the goals and motivations of malicious actors. This would show that the intent behind the action is the same as in the real world (be that espionage, crime or warfare) and policy-makers will find that there are already established normative and legal frameworks for dealing with these issues. Tweaks to ensure relevance may be required, such as ensuring that citizens are aware that illegal activities such as harassment are still illegal whether they are conducted online or not, but new norms are not the answer.
If this is achieved then responding effectively to security threats and risks highlighted by the exponential increase in the complexity and penetration of digital technology into all aspects of human life will be made much easier. Law and policy makers would see that this is not a matter old wine into new bottles, or even of “new” wine into new bottles, but of old wine into old bottles.
Selected Sources
1 W. Gibson, Neuromancer (London: Victor Gollancz, 1984), 67.
2 Lora Saalman, “Pouring New Wine into New Bottles: China-US Deterrence Relations in Cyberspace,” Whitehead J. Dipl. & Int’l Rel. 17 (2015): 23.
3 John Arquilla and David Ronfeldt, “Cyberwar Is Coming!,” Comparative Strategy 12, no. 2 (1993): 141 – 65, https://doi. org/10.1080/01495939308402915.
4 William J. Lynn III, “Defending a New Domain,” Foreign Affairs, September 1, 2010, http://www.foreignaffairs.com/articles/66552/william-j-lynn-iii/defending-a-new-domain.
Further Reading
Cyber War Will Not Take Place Thomas Rid, Journal of Strategic Studies, 35:1, 5 – 32 (2012) Original article (later a book) presenting a critical examination of the concept of cyberwar, arguing that it does not and will not exist, and that the actions described as “cyberwar” are more accurately described as espionage, sabotage and crime.
Cyber War Will Take Place! John Stone, Journal of Strategic Studies, 36:1, 101 – 108 (2013) A response to Rid’s original article in the Journal for Strategic Studies, arguing that cyber war is possible.
“Cyberwar is Coming!” John Arquilla and David Ronfeldt, Comparative Strategy, Vol 12, No. 2, pp. 141 – 165 (Spring 1993) Arquilla and Ronfeldt’s original and oft-cited article of 1993 warning against the imminent development of cyberwar.
Tallinn Manual on International Law Applicable to Cyber Operations A collected body of eminent legal opinion applying the Laws of Armed Conflict and International Humanitarian Law to cyber conflict.
About the Author
Dr. Robert Dewar is a Senior Researcher in the Cyber Defense Team of the Center for Security Studies at ETH Zurich. His research interests include cyber security and cyber defense policy, security studies, the European Union and historical institutionalism
25 May 2018
By Robert Dewar for Center for Security Studies (CSS)
Robert Dewar contends that cyberspace does not exist. As a result, it is a misconception for states to treat cyberspace as an existent domain of warfare alongside land, sea, air and outer space. In response, politicians and academics should acknowledge that this virtual domain is just that—virtual. By doing so, states will see they already have the norms and legal frameworks in place to deal with a range of cybersecurity threats and risks.
This CSS Policy Perspective was originally published in May 2018 by the Center for Security Studies.
Cyberspace – an important part of modern life and the source of numerous modern security concerns – is being treated as a domain where the usual rules do not apply, a position stemming from a fundamental misconception: cyberspace does not exist.
In the last 30 years, the virtual domain known as “cyberspace” has enjoyed increasing recognition from political and military actors. Malicious and weaponized code such as viruses and worms emerged as annoyances in the 1980s, and developed into sophisticated tools capable of disabling equipment in nuclear facilities, as Stuxnet did in 2010. Specially designed DDoS attacks have targeted state infrastructures, as was the case in Estonia in 2007. On the political side, seven countries opened embassies in the virtual platform Second Life between 2007 and 2008. The rise of cyber-crime and cyber-terrorism has captured popular, journalistic, and political imagination and, due to the ever increasing level of technical sophistication of malicious digital tools, security and military policy is struggling to keep up. Politicians and theorists speak of a revolution in military affairs and the imminent outbreak of cyberwar, with battles being fought in cyberspace. As a result, not only has cyberspace become a domain in which personal and commercial transactions take place, but it has been described as the fifth domain of warfare alongside land, sea, air and outer space.
Key Points
What is labelled “cyberspace” is a combination of physical devices connected to each other and the information these devices store and share.
There is a two-fold misconceptualisation of cyberspace: first as a domain in which action can take place; and second as one where current, longstanding rules and norms do not apply
By moving away from the mistaken conceptualization of cyberspace as an existent domain, states can see that they already have frameworks in place to more effectively secure themselves against a range of cybersecurity threats and risks
All of these normative changes, policy developments, publications, legal formulations, strategies and prognostications of doom are, however, built around a fundamental misunderstanding: cyberspace is not a place, conceptual or actual, in which a fight, let alone a war, can take place or be fought. It is, as Gibson1 described it in his 1984 novel “Neuromancer”, a “consensual hallucination”: a made-up, quasi-fictional entity being considered real. This poses a number of problems for policy-makers and researchers. As land, sea air and outer space evolved into battlegrounds, new processes were developed to fight in these domains. Should the same be true for cyberspace? Should new political theories, regulatory systems or social norms be developed to address the very real security challenges of the cyber-age, or are these challenges simply older, long-standing issues wrapped up in new digital and online jargon? To paraphrase Saalman2, should new wine be poured into new bottles, or are the bottles not new at all? To overcome this misconception, politicians and academics should acknowledge that the virtual domain is just that – virtual – and does not exist. Then it will be clearer that the security challenges faced in the digital age are not new and that current frameworks can be applied to “cyber” issues: old wine can be poured into old bottles.
LAN network cables plugged into a Bitcoin mining computer server are pictured in Bitminer Factory in Florence, Italy, April 6, 2018. Picture taken April 6, 2018. Alessandro Bianchi / Reuters
Inventing a digital domain
The concept described as “cyberspace” in political and academic debate is in actuality a gestalt entity made up of two separate constructs, one physical, the other digital and “virtual”. The physical entity is the Internet, an interconnected network of digital devices which communicate with each other over wired or wireless connections. These physical pieces of technology include smartphones, tablets, routers, computers and “smart” devices such as Internet-enabled TVs. The Internet hosts an additional virtual entity called the World Wide Web. The Web is a vast and continually growing collection of inter-referencing pieces of information produced in a digital format commonly called “webpages”. These webpages are complex pieces of computer code, stored collectively on large digital repositories (servers). When a user of the Internet requests information from the Web, their device communicates with a series of other devices to access that information in a digital form, usually through browsers such as Firefox or Chrome.
The devices which make up the network, and the information they host, are increasing exponentially in technological complexity, diversity and volume. However, the fundamental description above remains the same one now as was the case in the 1960s with the development of ARPANET, the precursor to the modern Internet. To describe this vast system of interconnected technologies and computer code as an existent place is a conceptual error more at home in science-fiction (such as the Matrix or Tron’s “grid”) than in policy development or academic research. “Cyberspace” is therefore a social construct. Language and speech acts are being used to describe and hence bring into being a completely non-existent entity. This socio-linguistic construction poses problems for policy-making and academic study, particularly in the fields of security and defense.
New wine into new bottles?
Despite the simple technical reality of the nature of its digital networks, cyberspace is treated as though it is a realm where normal, or at least longstanding rules don’t apply. In 1993 Arquilla and Ronfeldt3 declared that cyber war was coming. They wrote that the development of new digital weapons, coupled with an increasingly networked and digitalized society meant that cyberspace would be the new battleground. This quasi-military language established a conceptual path dependency with the result that, in 2010, then-US Deputy Secretary of Defense William J. Lynn III declared that cyberspace was the fifth domain of warfare after land, sea, air and outer space4. Military strategists and government policy-makers leapt on this description and a wealth of policy has been produced from this viewpoint, one which argues that the advent of the cyber-age is creating a revolution in military affairs which requires new ways of waging war, new strategic theories, new social norms of acceptable behavior and new safeguards, particularly given the increase in state use of cybertools and techniques against perceived adversaries. There is an increasing body of academic opinion calling for cyber arms-control regulation and non-proliferation treaties similar to those in place for nuclear, biological and chemical weapons, as well as calling for new civilian legislation to be established to ensure the safe usage of cyberspace, or at the very least to minimize malicious actions.
The practical problem for law- and policy makers is that the speed of digitalization and penetration of Internet-enabled smart technology into every aspect of human life and discourse means that regulatory and legislative systems around the world are struggling to keep up with new technology. The ongoing debate around reconciling personal rights to privacy with the commercial needs of social media platforms and the law-enforcement needs of police forces and state security agencies always appears to be several steps behind the curve. Politicians and academics alike are therefore seeking to develop bespoke solutions to these cyber-problems: new wine is being developed to fill new bottles. A new area in which human interaction takes place has evolved – cyberspace – and with it has come new normative requirements and regulatory idiosyncrasies.
This is the crux of the problem. When developing policy and legislation politicians, law-makers and a number of academics are treating cyberspace as though it were a domain in which the usual rules of law enforcement and armed conflict do not apply. The reality is very different. The tools malicious actors are using may have evolved and become more complex given the advent of the digital age, but the motivations and goals of those actors have not changed. Cyber-crime such as hacking into banks and stealing customer data or funds is still crime and subject to law enforcement; cyber-espionage such as accessing classified government systems is still espionage and subject to international law and existent conventions. Cyber-warfare is simply the conduct of conflict operations using the latest technology available, something the military has done for centuries. The security challenges faced before the cyber-age remain the same, irrespective of the addition of a “cyber” prefix. Accepting or acknowledging that cyberspace is not an actual domain enables us to realize this.
It should be pointed out, however, that this trend of misconceptualisation is not universal. From a military, cyberdefense perspective this conundrum has been inadvertently addressed by the publication in 2013 of the Tallinn Manual on The International Law Applicable to Cyber Operations. This is a collection of legal opinion applying established international humanitarian law (IHL) and the laws of armed conflict (LOAC) to cyberwarfare operations with the aim of codifying and clarifying rules of engagement and action. Crucially, IHL and LOAC were applied to cyberwarfare not because warfare conducted in cyberspace was a new issue which needed new rules, but because the issues, motivations, goals of combatants and questions regarding the nature of an armed attack were unchanged regardless of the use of new technology. There needed to be no new international law; current frameworks simply needed to be more effectively applied. Such was the goal of the panel of experts who produced the Tallinn Manual and its successive editions.
Why we should wake from the consensual hallucination
One question remains, however: does it matter how cyberspace is perceived? The empirical reality is that cyberspace is being treated as a specific existent domain like land, sea, air and space. This mantra has been repeated so many times by so many people, including people of influence, that it has gone viral and is now being accepted as fact. No amount of disagreement with that conceptualization is going to change global collective views.
There are two reasons why this misconceptualisation is important. The first is simply that it is always better to have an accurate description of an entity than a mistaken one. Given that the Internet has facilitated the spread of inaccuracies and falsehoods such as fake news stories, striving for correct, accurate information is becoming ever more important. The second reason is that the drive to develop new policy, laws and social regulation (the Tallinn Manual notwithstanding) has come at a high cost in time and resources, costs which can be better allocated to tackling the actual social and security problems being faced such as online criminal activity. States should follow the precedent set by the Tallinn Manual and not rush to create new solutions for cyber-problems. Those problems are not new simply by virtue of being digital. Only the tools involved have changed.
The solution to these two issues is relatively simple: acknowledging that cyberspace is not real, and therefore is not a place where different social, political or military rules or laws apply. One way to achieve this digital Weltanschauung is to move away from the focus on a fictional place, cyberspace, in which the action occurs and instead pay closer attention to the goals and motivations of malicious actors. This would show that the intent behind the action is the same as in the real world (be that espionage, crime or warfare) and policy-makers will find that there are already established normative and legal frameworks for dealing with these issues. Tweaks to ensure relevance may be required, such as ensuring that citizens are aware that illegal activities such as harassment are still illegal whether they are conducted online or not, but new norms are not the answer.
If this is achieved then responding effectively to security threats and risks highlighted by the exponential increase in the complexity and penetration of digital technology into all aspects of human life will be made much easier. Law and policy makers would see that this is not a matter old wine into new bottles, or even of “new” wine into new bottles, but of old wine into old bottles.
Selected Sources
1 W. Gibson, Neuromancer (London: Victor Gollancz, 1984), 67.
2 Lora Saalman, “Pouring New Wine into New Bottles: China-US Deterrence Relations in Cyberspace,” Whitehead J. Dipl. & Int’l Rel. 17 (2015): 23.
3 John Arquilla and David Ronfeldt, “Cyberwar Is Coming!,” Comparative Strategy 12, no. 2 (1993): 141 – 65, https://doi. org/10.1080/01495939308402915.
4 William J. Lynn III, “Defending a New Domain,” Foreign Affairs, September 1, 2010, http://www.foreignaffairs.com/articles/66552/william-j-lynn-iii/defending-a-new-domain.
Further Reading
Cyber War Will Not Take Place Thomas Rid, Journal of Strategic Studies, 35:1, 5 – 32 (2012) Original article (later a book) presenting a critical examination of the concept of cyberwar, arguing that it does not and will not exist, and that the actions described as “cyberwar” are more accurately described as espionage, sabotage and crime.
Cyber War Will Take Place! John Stone, Journal of Strategic Studies, 36:1, 101 – 108 (2013) A response to Rid’s original article in the Journal for Strategic Studies, arguing that cyber war is possible.
“Cyberwar is Coming!” John Arquilla and David Ronfeldt, Comparative Strategy, Vol 12, No. 2, pp. 141 – 165 (Spring 1993) Arquilla and Ronfeldt’s original and oft-cited article of 1993 warning against the imminent development of cyberwar.
Tallinn Manual on International Law Applicable to Cyber Operations A collected body of eminent legal opinion applying the Laws of Armed Conflict and International Humanitarian Law to cyber conflict.
About the Author
Dr. Robert Dewar is a Senior Researcher in the Cyber Defense Team of the Center for Security Studies at ETH Zurich. His research interests include cyber security and cyber defense policy, security studies, the European Union and historical institutionalism
No comments:
Post a Comment