Characterizing problems in cyber policy and security
Problems in cyber policy and security pose many challenges that are worthy of research. Some specifics are provided below, but first it is helpful to consider the nature of these problems from a more abstract perspective. These problems share several characteristics.
Cyber policy and security generally require multidisciplinary thought and expertise. It is axiomatic that problems in cyber policy and security have some technical content, but it is essentially a myth that cyber policy and security is a field that is primarily a technical one that requires a degree in computer science or communications engineering. For many cyber policy problems, the necessary technical knowledge – judiciously applied with reason and logic – can be found in science and technology popularizations intended for nontechnical audiences. But because of the ubiquity of information technology in nearly all aspects of modern human endeavor, the other disciplines used to understand these aspects are relevant as well. Thus, problems in cyber policy and security often require knowledge from some combination of economics, psychology, sociology, anthropology, law, organizational theory, engineering, political science, and government, among others.
Identifying “good” and “important” problems in cyber policy and security
What makes a good research problem in cyber policy and security? From an academic research perspective, the traditional answer is a reasonable place to start – a good problem is one that is new, whose analysis provides relevant insight and knowledge, and that leads to more good problems as well as the accumulation of knowledge over time.
From a policy perspective, an important problem is one that is relevant to the concerns of the policymaker and that addresses a known or future issue. In this context, consider three distinct categories of relevance.
Category A: Problems whose relevance is known to the policymaker and for which the policymaker needs solutions. Research on Category A problems often develops new solutions, critiques existing solutions, or even reframes known problems from new or different perspectives. These problems also include problems with solutions that are not as effective as they may seem or as conventional wisdom believes. For example, pointing out non-obvious weaknesses, unintended consequences, or perverse incentives in seemingly obvious solutions falls into this category of research.
Category B: Problems whose relevance to the policymaker is not known or understood today but which should be relevant or which may become relevant in the future. Research on Category B problems often explicates the nature of such problems and explains why they should be important to a policymaker.
Category C: Problems whose relevance is known to the policymaker and for which solutions are already known but may not be remembered or otherwise used. Analyses of Category C problems often remind the policymaker of knowledge that is known in principle, but has been ignored or forgotten.
It should be possible to make meaningful progress on important problems in a reasonable amount of time. Thus, an important issue is the extent to which those working on a particular problem can draw on prior background and expertise that might be relevant. For example, cyber researchers wishing to work on problems related to cybersecurity in the financial sector would find their work much easier if they (or their home institutions) have good intellectual and substantive connections to firms providing financial services. Those working on the psychology of decision-making during a cyber crisis would benefit greatly from experience with decision-making during crises involving other situations characterized by time urgency, severe information gaps and high degrees of uncertainty.
Structuring a taxonomy of research problems
A rich universe of research problems is only one element of a comprehensive program on cyber policy and security, though it is undeniably critical. Two other critical elements include education and outreach.
Education involves a variety of opportunities for individuals to learn about cyber policy and security at a variety of different levels of involvement and intensity, including 30-minute podcasts or lectures on video; weeklong boot camps; semester-length courses (online and in-class); and thesis projects at the bachelor’s, master’s, and doctoral levels.
Outreach involves efforts to promote discussion and understanding among parties with different views. Even if these efforts do not result in the solution of specific problems, they can enhance mutual understanding that can be helpful in managing future disagreements.
Any taxonomy of problems can be structured in many ways, and the choice of a structuring principle for any given taxonomy is to a certain extent arbitrary. The broad taxonomy below is structured by field of relevant expertise. That is, application of a given field of expertise to problems in cyber policy and security will help to advance the state of knowledge. (Also, in many cases, the necessary expertise will require collaboration between experts in multiple fields.) This particular approach to structuring has the major advantage of being friendly to individual researchers who may wish to enter the field of cyber policy and security but are uncertain about how their expertise may be relevant. Everyone knows his or her own expertise and a list structured according to expertise is much easier for such researchers to peruse.
Within each field of expertise are some key phrases suggesting different problem areas where new knowledge and insight are needed. Further iterations of this page will add new problem areas; explain why these problem areas are useful foci of research; describe, contrast and compare the main perspectives that have so far emerged; and provide example questions for each that might form the basis for specific research topics.
A taxonomy of problems in cyber policy and security
A worked example of what it means to say that a problem area is a useful focus of research; to describe, contrast and compare the main perspectives that have so far emerged; and to provide example questions for each that might form the basis for specific research topics.
International security and cooperation
Critical infrastructure – domain-specific cybersecurity issues
Private sector concerns
Psychology and Education
Sociology, Anthropology and Organization
Ethical and Societal Implications of Cybersecurity
A Worked Example: Escalation Dynamics and Conflict Termination in Cyberspace
In recent years, planning for U.S. national security has contemplated the possibility that the United States might be engaged in conflict of various kinds in cyberspace. Such engagement could entail the United States as the target of hostile cyber operations, as the initiator of cyber operations against adversaries, or some combination of the two.
Much of the serious analytical work related to cyber conflict to date focuses on the initial transition from a pre-conflict environment to an environment in which cyber conflict is known to be taking place. Little work has been done on three key issues: How the initial stages of conflict in cyberspace might evolve or escalate (and what might be done to prevent or deter such escalation); how cyber conflict at any given level might be de-escalated or terminated (and what might be done to facilitate de-escalation or termination); and how cyber conflict might escalate into kinetic conflict (and what might be done to prevent kinetic escalation). Each of these issues is important to policymakers, both in managing a crisis and in preparing for it.
The phenomenon of escalation in conflict is a change in the level of conflict (defined in terms of scope, intensity, or both) from a lower (perhaps non-existent) level to a higher level. Escalation is a fundamentally interactive concept, in which actions by one party trigger other actions by another party to the conflict. Of particular concern is a chain reaction in which these actions feed off one another, thus raising the level of conflict to a level not initially considered.
Theories of escalation dynamics have been most elaborated in the nuclear domain. But the deep and profound differences between the nuclear and cyber domains suggest that any theory of escalation dynamics in the cyber domain would require far more than small perturbations in theories of nuclear escalation dynamics, though such theories might be useful points of departure for the development of new theory applicable to cyberspace. Some of these differences include the greater uncertainties in attribution of cyber actors; the broad proliferation of significant capabilities for cyber operations to a multitude of states and to a variety of nonstate actors as well; and the inherent ambiguities of cyber operations as compared to the very distinct threshold of nuclear weapons explosions.
Conflict termination presumes the existence of an ongoing conflict to which the participants desire an end. Conflict termination requires several elements:
Issues of escalation and conflict termination in cyberspace are complicated by the fact that there may be cross-domain linkages. Although conflict might, in principle, be limited to hostile operations in cyberspace alone, there is no reason that this is necessarily so, and policymakers must contemplate the possibility that conflict in cyberspace might spill over into physical space, and might even lead to kinetic actions.
U.S. military doctrine for taking advantage of cyberspace seems to emphasize the utility of early use, that is, early in a conflict that will eventually entail kinetic operations. In addition, the logic of offensive cyber operations suggests that such operations are likely to be most successful when the initiator of these operations has the time to gather intelligence on likely targets; such intelligence-gathering is obviously time-limited once overt conflict does break out.
On the other hand, the use of kinetic operations during an ostensibly cyber-only conflict is an important threshold. Nations involved in a cyber-only conflict may have an interest in refraining from a kinetic response. For example, they may believe that kinetic operations would be too provocative and might result in an undesired escalation of the conflict.
If understanding the dynamics of cyber-only conflict is difficult, understanding the dynamics of cyber conflict when kinetic operations may be involved is doubly so.
Key research questions regarding escalation dynamics in cyberspace: