Cyber-war/Cyber-security (I)



The very idea of Cybernetics


Macy Conferences 1946--53



Attended by some of the best thinkers on the nature of communications as a SYSTEM


Notable participants: Norbert Wiener; Claude E. Shannon; Margaret Mead; Gregory Bateson; Donald MacKay; Warren McCulloch...


Especially focused on the (inter-) relation between Human and Machine


Key concepts: Entropy; noise; recursion; feedback; information


Wiener coined the term 'cybernetics'. It was derived from the Greek word 'kybernetes', referring to the steersman who used a long oar to steer a boat.


Thus it 'in-formed' the boat - set its path, purpose, organised its relation to the sea and the land. Gave it a role and maintained its meaning inside a complex system of interacting parts


Wiener was interested in the organisation, integrity and stability of meaning.


This project of providing an understanding of meaning stability in a complex system (e.g. the world) was the heart of the matter



That is to say negentropy


But Bateson, Mead, and Lawrence Kubie came at the problems not from an engineering background, as had Wiener and Shannon, but from an anthropological, psychoanalytical and psychiatric background.


Their kind of work, as it affected Cybernetics, challenged the hopes of the techno-science approach, which thought that with good coding and diffusion one could control the flows of communications to ensure the emergence of a stable global society improving knowledge.


Bateson et al. recognised that internalised cultural differences and complexity sometimes made translation and codification between cultures (systems of belief) insuperable.


Kubie pointed at the distinction between the manifest and the latent layers of meaning and information where the former affirms agreement in meaning whilst the latter is the personalised meaning that is at variance...and this is characteristic of humans



This seeming digression from contemporary matters of cyber-security and cyber-wars, for my money actually historically kicks off the very mapping of CS and CW


What these famous debates did was open up the arena of informational hegemony (negentropy) and its internal condition for subversion - for entropy



That is to say that the very systems and structures that enable NegE also are the things that give rise to Entropy



And this may be the issue of CW and CS


Let us look at the following:


The information revolution is altering the nature of conflict across the spectrum. We call attention to two developments in particular.


First, this revolution is favouring and strengthening network forms of organization, often giving them an advantage over hierarchical forms.


The rise of networks means that power is migrating to non-state actors, because they are able to organize into sprawling multi-organizational networks (especially “all-channel” networks, in which every node is connected to every other node) more readily than can traditional, hierarchical, state actors.


This means that conflicts may increasingly be waged by “networks,” perhaps more than by “hierarchies.” It also means that whoever masters the network form stands to gain the advantage.



Second, as the information revolution deepens, the conduct and outcome of conflicts increasingly depend on information and communications. More than ever before, conflicts revolve around “knowledge”.


Adversaries are learning to emphasize “information operations” and “perception management”—that is, media-oriented measures that aim to attract or disorient rather than coerce, and that affect how secure a society, a military, or other actor feels about its knowledge of itself and of its adversaries.


Psychological disruption may become as important a goal as physical destruction. These propositions cut across the entire conflict spectrum. Major transformations are thus coming in the nature of adversaries, in the type of threats they may pose, and in how conflicts can be waged.


Information-age threats are likely to be more diffuse, dispersed, multidimensional nonlinear, and ambiguous than industrial-age threats.


(John Arquilla and David Ronfeldt; THE ADVENT OF NETWAR REVISITED)




If you had a look at the Nye paper you would see that he draws on Regime Theory to provide an optimistic gloss on the control of the flows of information. His Figure 1 maps out the complex regime system under which not only the Internet is governed but all flows of communication. In this, Nye rejects a realist hegemonic player (i.e. US shaping of the Net etc.), but suggests that various bi- or multi-lateral regime formations can provide a metastable negentropic system. Or, as he identifies matters, a loose fabric which will see increasing compliance over time as the public commons of the net becomes obvious to even the most unilateral players.


"The United Nations Charter, the Laws of Armed Conflict (LOAC) and various regional organizations provide a general overarching framework as national governments try to manage problems of security and espionage. The Council of Europe’s Convention on Cybercrime (2014) in Budapest provides a legal framework that has been ratified by 42 states. Incident response teams (computer emergency response teams [CERTs] and CSIRTs [Computer Security Incident Response Teams]) cooperate regionally and globally to share information about disruptions. Bilateral negotiations, track two dialogues, regular forums and independent commissions strive to develop norms and confidence-building measures. Much of the governance efforts occur within national legal frameworks, although the technological volatility of the cyber domain means that laws and regulations are always chasing a moving target" (Nye, p.6)




But as we have already said, the problems raised by the early social-science and psychologically minded cyberneticians suggest that regime theory may not provide us with a model by which to understand the dialectic of entropy and negentropy in cyber-systems.


Rather than global agreements, like-minded states may act together to avoid destabilizing behaviour, and later try to generalize such behaviour to a broader group of actors through means ranging from formal negotiation to development assistance. (Nye, p.13)




Perhaps currently that dialectic is rather one-sided


there exists no systematic, quantitative scheme to detect and disseminate information about cyber security threats. Neither national nor international institutions have the technical capabilities or the legal competences required to register all Internet-based attacks on businesses, government agencies and private accounts. Any assessment of the nature and degree of cyber risk will thus largely have to rely on expert analysis and government reports. (Euro cybersecurity report, p.7)




Having outlined some broad theoretical issues, we might ask what are the empirical items that fall into the categories of CS and CW.




I guess you have a good idea of the things to be mentioned, given the last week wherein Trump was tweeting furiously that he did not believe all of the US (and UK - GCHQ) intel agencies who were asserting that the Russian Government were behind the DNC hacking campaign during the election season.




Let us attend to the Euro Cyber-security Policy report:


"....these reports commonly divide cyber security threats into three categories: cybercrime, cyber espionage and cyber war.


(but)...the international community has so far failed to reach a consensus on a definition of these three concepts. However, cybercrime can be defined roughly as involving offences against property rights of non-state actors (e.g. phishing), whereas cyber espionage stands for breaches in the databases of governmental or non-state enterprises by foreign government agencies. The term cyber war covers attempts of a state to harm another state by attacking it via the Internet. However, all of these working definitions remain ambiguous. There are, furthermore, no clearly defined political or legal boundaries for differentiating between cybercrime, cyber espionage and cyber war, which makes classification all the more difficult."



and Bruce Schneier has summed up the forms of cyberwar thus:


In the literature, the following four categories are often used:


Cyberwar – Warfare in cyberspace. This includes warfare attacks against a nation’s military – forcing critical communications channels to fail, for example – and attacks against the civilian population.


Cyberterrorism – The use of cyberspace to commit terrorist acts. An example might be hacking into a computer system to cause a nuclear power plant to melt down, a dam to open, or two airplanes to collide. […]


Cybercrime – Crime in cyberspace. This includes much of what we’ve already experienced: theft of intellectual property, extortion based on the threat of DDOS attacks, fraud based on identity theft, and so on.


Cyber-vandalism – The script kiddies who deface websites for fun are technically criminals, but I think of them more as vandals or hooligans”.  




The aims of a cyber-security policy

European security policy is changing in fundamental ways. The old threat scenario involving tank divisions from the East has been replaced by the challenge posed by invisible adversaries whose geographical source can often not be determined. Virtual attacks threatening critical infrastructure, government institutions and personal data form one of the key challenges to security policy in the 21st century. A secure Internet is essential to the protection of individual liberties, the right to informational self-determination and democracy as a whole.


The gradually developing European cyber security policy tries to establish minimum standards in all EU member states with regard to prevention, resilience and international cooperation. It aims to foster national security without compromising democratic principles or unduly violating individual liberties. However, it is hard to find a balance between these goals, and the EU’s measures thus inevitably raise questions about the democratic implications of European cyber security policy: are the institutional structures and instruments of European cyber security policy compatible with the criteria of democratic governance?


....European cyber security policy is formulated and implemented in a global multi-level, multi-stakeholder structure




Problems for democratic governance:


The blurring of the boundaries between internal and external policies: In the area of cyber security, it is almost impossible to maintain the traditional division into internal and external policies. Internet-based attacks can originate in Ghana, Russia or right next door, and it is often difficult (if not impossible) to identify the source of the attack. As a result, the boundaries between justice and home affairs policy on the one hand and foreign policy on the other become increasingly blurred. Threats can no longer be clearly defined as belonging to the area of responsibility of either policy field



Securitisation: The EU used to have the goal to create a common “area of freedom, security and justice”. However, in the face of new threats, the Commission and the member states tend to emphasize security over freedom, stressing the importance of introducing new security policy measures. In addition, private security companies have gained more and more influence in this policy field.



Privatisation of governance: Also the traditional distinction between the private sector and the public sector is increasingly fading in the emerging political structure. Without the technological expertise of private companies, it is difficult to identify the relevant threats and respond to them accordingly. Many private companies are also responsible for critical infrastructure in energy, health or transportation.