Sixty years ago an outgoing, conservative American president warned both his more liberal successor and his fellow citizens to guard against a worrying trend he saw emerging during his time in office. President Eisenhower’s farewell address made infamous the term “military-industrial complex” as a summation of the rapidly increasing reliance of a peacetime economy on government contracts to develop military-grade machines, weapons, and information systems. He worried that the short-term benefits brought on by increased military investment in the private economy could blind public decision-makers and American society to the perverse incentives of greater, even continuous, involvement in violent conflict. Bidding adieu, Eisenhower asserted “the technological revolution during recent decades” was “akin to, and largely responsible for the sweeping changes in our industrial-military posture.”
Ike’s concerns remain relevant at this moment of transition, but in a new domain. Cybersecurity – cyber “defense” – presents a seemingly obvious need in this digital age. As the need for bigger, more connected, and integrated digital systems rises, so too will the risks associated with our reliance on those globally interconnected systems. Responsible governments must develop, promote, and maintain robust capabilities and sound approaches for deploying digital weaponry to defend themselves and their citizens from malicious actors, and they must rely on the aid and leadership of the world’s most innovative companies to do so.
Yet we must ask ourselves what kinds of cyber creatures we are comfortable introducing into the digital ecosystem, and whether those are preferable to more traditional forms of deterrence. Fear of vulnerabilities and the risks associated with interconnected networks is understandable, but governments and industry leaders need to take a longer-term view of the implications new cyber capabilities might hold for the future digital landscape.
Such a sustained and steady increase in cyber defenses has led to creeping calls from leaders in government and industry for what many trendily term cyber “offense.” Eisenhower might have predicted that those shouting loudest for the advancement of cyber offensive capabilities are the same institutions that view these tools as fundamental to their operational and tactical missions, as well as their budget lines.
It should be clear that these short-term motivations are entirely logical, but solutions to near-term problems should not be our only guides when it comes to strategic decisions about the cyber-industrial future.
A truly global cyber war would be more devastating than any traditional war ever could because it would not be confined to a physical battlefield. It might literally be waged on the devices in our pockets. Encouragingly, some thought-leaders are already pushing back on the race toward cyber “offense,” or are calling for a more intentional balance between the two functions. That said, their arguments are not necessarily any more tailored to the cyber realm than those they might normally make to oppose interventionist strikes on land, air, or sea. Framing the discussion of cyber “offense” along these familiar lines loses sight of what Eisenhower called “the total influence – economic, political, even spiritual” that peacetime economic dependence on wartime machinery could hold in “every city, every state house, every office of the federal government.” And, ironically, the very desire to pivot toward increasingly diversified digital security capabilities may ultimately leave militaries with fewer tools at their disposal to handle future conflicts. Cyberwarfare may someday become the best option for ensuring national security, but it should never become the only option.
Lest this concern be cast as an esoteric matter of federal budgetary priorities, we should return to Eisenhower’s warning that without national attention “public policy could itself become the captive of a scientific-technological elite.” While eyes may roll at the thought of a five-star general and two-term president worrying about the advancement of any too-powerful elite, his worries could just as easily apply to the tools of cyberwarfare as to guns and bombs.
While Eisenhower forcefully noted the necessity of military-funded innovation, he also reminded us of the correct order of operations for policy making. We ought to build the tools we want to ensure the security we need, not settle for the best security policy for which our tools allow.
Geopolitical strategy aside, the biggest problem with the enthusiasm for cyber “offensive” tools to complement those on cyber “defense” is a technical one. Words like offense and defense make as much sense in cyberspace as they do describing the relationship between a plug prong and an outlet.
Many if not most of the world’s most devastating cyber attacks have been propagated by bad actors who used tools initially developed for defensive purposes in offensive ways. A standard “ransomware” attack, for instance, involves a bad actor (often depicted wearing a black or red hat) using a form of encryption to steal data and hold it “ransom” from its rightful owner. Encryption in this case is an “offensive” capability, but it is generally a form of “defense” in most contexts. That is, encryption is the primary way in which systems prevent data from falling into the wrong hands. Thus even the simplistic, familiar dichotomy of “offense versus defense” breaks down in cyberspace, where tools are perpetually utilized beyond their intended purposes. Indeed, the internet and computers themselves – originally military innovations – are now used to perpetrate more heinous global crimes than any other tools in existence.
Foraging through other traditional frameworks to formulate global strategy is similarly unrewarding. Isolationism versus interventionism, realism versus idealism, and all the other lenses through which we might consider national security, allude to, but fall short of, a clear framework for the cyber age. Without picking sides, and more to illustrate the uselessness of these outmoded spectra, a true cyber “isolationist” would need a lot of home-grown servers to simply get through the day, and a cyber “idealist” would make a most juicy target for any number of phishing or social engineering hacks and scams.
And yet, perhaps the best guide to governing our current acceleration of cyber capabilities is still the sage advice of a 20th century president who was born in the 19th. In the same address in which President Eisenhower cautioned against the influx of military funding into US manufacturing and academia, he also noted: “Only an alert and knowledgeable citizenry can compel the proper meshing of the huge industrial and military machinery of defense with our peaceful methods and goals, so that security and liberty may prosper together.”
If digital weaponry cannot be so easily classified into the formal categories of offensive or defensive, good or bad, then we must begin with labels like “understood,” or more simply, “accounted for.” Moreover, if cyber tools are the world’s newest weapons, then cyber talent is the world’s newest, most valuable resource. Only through the education and cultivation of prepared, informed, and responsible digital citizens will the future of cyberspace be the secure, liberated, and prosperous world so many have fought so hard to make this one.
Benjamin Verdi is YPFP’s 2020 Cybersecurity & Technology Fellow, and a Global Innovation Manager with Grant Thornton International Ltd.
The views expressed in this article are those of the authors alone and do not necessarily reflect those of Geopoliticalmonitor.com or any institutions with which the authors are associated.