Cyber Inertia: Destruction by Stagnation?
For years, American society has suffered from a serious bout of cyber inertia. That is, while some great thinkers have done much to advance cyber thought—in academia, government, and industry—many within and outside cyber circles remain fixed in place, thinking about “cyber” largely in the same way they have for decades. Despite intelligent work on cyber issues, from governance to deterrence to education, the optimal solutions simply aren’t in place.
These problems occur within the “cyber community” itself, where a largely homogeneous group often delivers repetitive outcomes. Numerous articles (here, here, and here, for instance) highlight the repetitiveness, such as the New York Cyber Task Force’s report on leverage, which concluded that organizations are developing innovative technologies yet failing to change the fundamental, asymmetric advantage held by attackers, and the same point came up again during my recent interview with a security executive.
Inertia of thought continues through the treatment of “cyber” itself: as a separate discipline, often locked away within the computer or information sciences, rarely to make contact with academic coursework in ethics or business or healthcare. Western nation-states are only beginning to realize the value of information control in cyberspace while countries like China have known this for decades. And private-sector security firms are just now waking up to the notion of human-centered design despite its notable history in the startup world.
The problem of semi-stagnant thought exists both inside and outside the cyber community. Rather than just complain, however, we as a society—meaning federal, state, and local governments, schools and universities, and private-sector corporations—need to fight this inertia by empowering and encouraging diverse thinking.
First, the government must stop treating cybersecurity as the purview of just “cyber people,” a point mentioned in my recent interview with a future of war strategist. While the U.S. military view of cyber as a domain is perhaps an easy “out,” it seriously hampers how strategists and key decision-makers discuss cyberspace itself. There are challenging jurisdictional questions that must be answered, yes—such as the division of authority between NSA and CYBERCOM or deciding whether DHS or DOE has authority over protecting critical infrastructure—but that doesn’t excuse the segmentation and isolation of cyber discussions. Interdisciplinary workshops and collaborative policy projects on how to approach “cyber issues,” bringing in everyone from diplomats to development strategists, will broaden the perspective with which policymakers approach digital challenges. This is especially true at the state and local levels of government.
Second, educational institutions must dedicate resources to teaching cyber, and not just through the lens of computer and information science. As I recently argued, all students—from business to policy to healthcare to media—need a “Tech 101” education that prepares tomorrow’s leaders to face the challenges of digitization. Looking to cybersecurity, in particular, we not only need awareness beyond the circle of developers and hackers that maintain security in code; we also need diverse individuals to enter the field in the first place. This simply cannot happen without appropriate coursework in elementary schools, middle schools, high schools, and colleges, or without certificate or apprenticeship programs that provide alternative forms of learning. The diverse teaching of diverse students will empower diverse thinking—fighting this cyber inertia by involving a greater breadth and volume of stakeholders.
Third, organizations (especially corporations) must put actual time, money, and resources into hiring more diverse people for cyber-related roles. The area remains extremely homogeneous, as anyone who has ever set foot in a conference or cybersecurity workplace can tell you, and there is clear data that this lack of diversity is making us less safe. Different people approach problems in different ways, which means they think about cyber differently—again, thrusting against the inertia that keeps cyber conversations so stagnant. Within cybersecurity specifically, having diverse backgrounds leads to diverse forms of risk management, which can directly affect how organizations plan for and respond to security threats and system breaches. Organizations must, therefore, take clear steps to hire diverse individuals, looking to databases like Sourcelist, events such as Europe’s first all-female cybersecurity conference, or disciplines like psychology and philosophy. If we want better strategies and policies around cyberspace, hiring different types of people (really, anyone outside the current frame of thinking) is a necessary step forward.
It’s too easy for cyber discussions to stagnate. We obsess about compliance while ignoring strategy and risk management; we stick to boring and ineffective cyber education without psychological optimization. We approach internet governance only through the lens of standards and neglect myriad other factors; we assume our Western-centric definition of “information security” objectively holds throughout the world. We refuse to make digital trust a key part of cybersecurity discussions. The longer this persists, the longer cyberspace remains insecure, the longer attackers maintain their fundamental advantage, and the longer our nation produces unclear or suboptimal policies on using digital technology for the better.
To truly accelerate and broaden the realm of cyber thinking, from technical issues of network defense and exploit hunting to strategic questions of internet governance and attack attribution, we need to bring in diverse ideas and diverse forms of thinking that resist this cyber inertia.
Justin Sherman is an Interact Fellow studying Computer Science and Political Science at Duke University, focused on cybersecurity, warfare, and governance. Justin is a Cyber Policy Researcher at the Department of Defense- and NSA-backed Laboratory for Analytic Sciences, where his work focuses on federal cybersecurity policy, industry security benchmarks, and national cyber strategy. The views expressed here are his own.