Competing academic approaches to cyber security

Abstract

Introduction Ever since science-fiction writer William Gibson coined the term “cyberspace” in his seminal novel Neuromancer we have waited in anticipation for how the information revolution would change society (Gibson 1984). It took a decade for the change to manifest itself in the form of the Internet, but over the past forty years information communication technology (ICT) has steadily changed the economy, civil society and also the military. The social and financial dividends of the revolution seem clearer now than they did in the 1990s, but the security implications of a society dependent on ICT for so many functions remain largely obscured. The promise of cyber wars has not (yet) been fulfilled, and both scholars and practitioners alike have struggled to define, much less agree on, what conflict in the wake of the information revolution will look like. There is a wide range of literature on the subject, ranging from conceptualization of potential technology to operational analysis of current capabilities. However, there is severe disagreement on both the theoretical and conceptual foundations of cyber security. At the heart of this debate is a deceptively simple question: how can actors leverage ICT to achieve political goals? For both technical and functional reasons, this technology is largely framed as a source of vulnerability, rather than a source of strength. Unlike kinetic energy, cyber weapons cannot blow up a building. Rather, they are dependent on technological vulnerabilities to be effective. In essence, the object of analysis is power, cyber power, and how actors can utilize their own cyber capabilities and exploit others’ vulnerabilities. What this power looks like in practice is a source of contention across various epistemic communities, because we are still trying to determine rudimentary questions of how effective cyber weapons are, but also how vulnerable we are, in both a technical and political sense. This chapter will discuss how cyber power is framed and discussed academically. The literature covering cyber security is disparate and covers a wide range of epistemic approaches and ontological subjects. However, there are some key questions common throughout, mostly concerning cyber power, and particularly coercive cyber power (Betz and Stevens 2011). In order to impose some intellectualorder on the myriad texts, I have divided the literature into three schools of thought. Though the schools overlap in some ways, and sometimes in authors, they have distinct approaches to how to understand cyber power. In one way, this is also an historical, albeit brief, account of the academic field as it has developed over the past four decades or so. The three schools of thought represent eras as much as they represent epistemic communities, though as will become clear later on reality is seldom as neatly organized as one wants it to be. The typology suggested here should therefore serve only as a guide for future discussion. The first section of this chapter will discuss the oldest school of cyber security, the Revolutionist school, which holds an expansive view of ICT and how it can change conflict. To illustrate the core ideas of this school, I present some selected central texts, showing how these ideas have influenced current thinking on cyber policy, and particularly the potential for cyber war. The next section presents the Traditionalist school. This school is largely defined by its function as a corrective to the more expansive claims of the Revolutionists, so many of its core texts and ideas have been written in response to Revolutionist thinking. The chapter will point to several weaknesses and shortcomings of both these “schools,” arguing that the Revolutionists tend to see possibilities without empirics, while Traditionalists tend to see only as far as the empirics go. To overcome these shortcomings I will argue that we need to focus on the specific nature of cyber space and cyber power. To this I suggest an alternative, “environmental” approach. The last section will synthesize the few texts already published within this approach, and suggest possible ways forward.