Cyber security would probably be attained in a situation where any netizen could trust at the same time machines, memories and people.
"Trusting" implies here that they would be dully convinced that :
- - Information systems will work (including the so called critical infrastructures which are digitally monitored)
- - Data will be safely stored and remain confidential
- - The people they are interacting with are be what they pretend to be and will act accordingly
Security in the cyberworld can be threatened not only by technical or human mistakes but also by deliberate attacks motivated by the lust for :
- - goods (or valuable Informations like industrial secrets which can provide an economical advantage)
- - power i.e. the capacity to exert a constraint on someone's political will
- - symbolic rewards.
Symbolic rewards are for instance prestige (demonstrating that you are a brilliant hacker) or revenge (punishing and humiliating a company or a government considered as responsible for some injustice).
- Attacks and achievments
As long as they take place in the cyberspace, attacks could include any activity intended to get data and knowledge (and to deprive the enemy or the rival of it) for strategic means, either by systems (vectors and means of processing the information), or by content, or any brutal or treacherous attempt to ensure informational domination. Under its offensive perspective, it could include operations resorting to rumor, propaganda, computer viruses which corrupt or hijack an opponent’s information or data flow, whether this is a State, an army, or a political or economic entity. The field is therefore extremely large.
As attacks are deliberate and aimed at achieving some sort of superiority (we could simply call it "victory"), in the perspective of reaching security, a Nation does not only need technical tools to ensure maximum protection or resilience of it's computers and networks, nor even juridical solutions, it needs a real strategy, it's own "art of wining".
- The difficulties of conceiving a strategy
Wining by deterring or disarming the opponent's hostility, shattering its willingness to reiterate attacks, is certainly a hard task for severals reasons :
- - difficulty of adapting to perpetual technical change
- - difficulty of relying on experience (finding similar solutions to similar challenges)
- - difficulty of being certain of the attacker's identity, i.e. the famous problem of attribution
- - difficulty of distinguishing between a military operation, an act of war, a criminal act, and between a politically, ideologically, criminal or playfully motivated action. Not to mention that some actors might temporarily hire mercenaries for certain tasks and that they are transnational ideologically motivated groups which do not obey to any State.
- But the greatest difficulty could lie in our minds. How to think a cyberstrategy ?
It should at the same time take into account the totally innovative dimension of technology and the eternal dimension of conflict. It includes information as something desirable to get or to protect, and something which can alter human beliefs and behavior.
In classical strategy there is no equivalent to the power of a virus which spreads over the borders, or to an attack by "divided denial of access", nor to the capacity of the social media to suddenly agglutinate angry crowds in "in real life" the way it happened during the so called Arab spring. Reading Sun Zi is no help against botnets.
But classical strategy and philosophy teached us that information can be used according to what we could call the "four martial arts" of
- achieving intelligence,
- hiding one's secret,
- creating misperception and havoc in the opponent's mind
- and motivating people to support your cause (or being hostile to your opponent)..
We could support the fact that there has never been a conflict without an information strategy, and that each time we must answer the questions which already preoccupied Greek and Chinese generals:
How do we make the other believe what we desire, whether it is a matter of persuading them through reasoning, or deceiving them by a stratagem ?
How can we know what he does not know? Or how do we know what he does not know, but what we do know?
How do we make the other predictable and elusive?
Therefore the very ancient and very modern art of cyber strategy has still to find it's equivalents or Ulysses or Sun Zi. We just started learning.
- Strategy and security in the cyber world
- Cybersecurity has a past
- Waiting for the barbarians
The fear of the "big one", the great criminal or political a attack which would provoke total havoc in our societies relying on their technological prostheses, is anything but new.
- When security becomes global
Including Cybersecurity among various systemic dangers ( with asymmetric wars, terrorism or ecological catastrophes...) is also a general tendency. We tend therefore to consider the technological, economical and political dimensions on the same level.
- Inherent danger
- When we rely on technology so heavily, there has to be a pricepay for it
The more we entrust numerical devices with our wealth, our memories our mental processes, the more we discover the risk of a conflict based on knowledge.
The knowledge we should protect (precious data for instance)
The knowledge which should have protected us and often turns out to be insufficient for an effective defense.
The opponent's knowledge which allows him to perform his attack.
The knowledge we don't want to be spread including the false knowledge which is called disinformation
- Technological evolution and the quest for total safety
Can we rely on technological and defensive solutions when our Informations systems become more and more complex ?
- What do we fear ?
- Losing our secrets
Digital attacks are a modern form of espionage : stealing secrets which are supposed to be protected by secrecy and through clandestine maneuvers.
- Paralyzing systems
Like sabotage, a digital attack is aimed at creating a contagious chaos.
- Power of opinion
Like ancient disinformation, cyberattack might also be targeting human beliefs - leader's judgment or public opinion's convictions - to weaken a Nation. Therefore the distinction between a pure data oriented attack and propaganda, cyber dissent or the expression of opinion, and any form of ideological rivalry in general is crucial.
- Who's the ennemy ? is it a war ?
Using the right words : teems like cyberterrorist or cyberwar are not to be used lightly
War is about killing people in an organized and "legal" manner for political purposes, which is much more than just spying, sabotaging or propaganda.
Before considering any cyberattack as an act of war, we should refer to the classical definition of war as collective and temporary bloodstream for political purposes lead by sovereign actors on a physical territory
Confucius said : "to establish order in the Empire, I would start by establishing order in the denominations.". Terms like "cyberwar" or "cyberterrorism" (just to refer to the fact that terrorists use Internet for recuiting or messaging) are to be used with greatest precaution.
- Thinking a new strategy
Borders are not obsolete
The idea of a borderless Internet should not induce us to neglect the problem of the location of material infrastructures and therefore sovereignty Attacks are launched from somewhere, traval through supports and affect their victims (men, informations and machines) somewhere.
Gainin and losing time
Time -gaining time in competition or slowing down the opponent's reaction - is a fundamental factor of cyber attacks.
Napoleon said "Losing a battle always brings back to being 15 minutes late"
- Strenghts and weakenesses
Prevailing and deterring
The reevaluation of classical notions - estimating actual or potential gains and looses- has to be reinterpreted in the cyber world. And the "strong" in terms of hard power is the more exposed to the attacks of the "weak".
Lawrence said " Every strength contains its weakness, every weakness San turn into a strength"
When do we know that we achieved success ?
Due to anonymity of attacks, evaluating how much they succeeded and if their objectives were reached is a fundamental difficulty.
Clausewitz used to make a distinction between "Zweck" (the military objective of war : weakening and disarming the opponent) and "Ziel" (the political purpose of the war"). What are the Zweck and Ziel as far as cyberattacks are concernced.
Future cyberstrategy should both include a political decision and a rethinking of the rules of communication in this new field of conflict.
Alliance Géostratégique Stratégies dans le cyberespace, l'esprit du livre 2011
Arquilla J., Ronfeldt D., Cyberwar is coming. Comparative Strategy, vol. 12, n°2, p. 141-165, Spring 1993.
Arquilla J., Ronfeldt D., «In Athena’s camp: Preparing for Conflict in the Information Age», Rand Monograph Report, Rand, Santa Monica, USA , 1997.
Breton Th., Beneich D., Soft war, Robert Laffont, Paris, 1984.
Brown D., Digital Fortress, St Martin’s Press, London, 1998.
Brunner J., The shockwave rider, Harper & Row, New York, 1975.
Conesa P., « La fabrication de l’ennemi, Réflexions sur un processus stratégique », Revue Internationale et Stratégique, n° 65, p. 35 à 44, Dalloz, Paris, 2010.
Csis (Center for Strategic International Studies), Securing Cyberspace for the 44th Presidency, Commission Cybersecurity, Washington, USA , December, 2008.
De Durand E., « Révolution dans les affaires militaires. Révolution ou transformation ? », 109, Hérodote, Paris, 2003.
Gray C. S., Another Bloody Century: Future Warfare, Weinfeld & Nicholson, London, 2005.
Gray C. S., La guerre au xxi siècle, Economica, Paris, 2007.
Huyghe F. B., L’ennemi à l’ère numérique, PUF, Paris, 2001.
Gouvernement Français, Le Livre Blanc sur la Défense et la sécurité nationale, Odile Jacob, Paris, 2008.
Levy P., Cyberculture, report for the European Council, Odile Jacob, Paris, 1998.
Libicki M., Cyberdeterrence and Cyberwar, www.rand.org/pubs/monographs/ 2009/RAND_MG877.pdf., Rand, Santa Monica, USA, 2009.
De La Maisonneuve E., Stratégie Crise et Chaos, Economica, Paris, 2005.
Monod J.C., Penser l’ennemi, affronter l’exception, réflexions critiques su l’actualité de Carl Schmitt, col. Armillaire, La Découverte, Paris, 2007.
Schmitt C., La notion de politique (1932) and Théorie du partisan, Calmann Lévy, Paris, 1972
Ventre D. (dir) Cyberwar and Information Warfare, Wiley 2011
Walzer M., Guerres justes et injustes, Gallimard, Paris, 2006.
Zarka Y.C. (dir.), Carl Schmitt ou le mythe du politique, PUF, Paris, 2009.