Stanford University

An Evolving Research Agenda in Cyber Policy and Security

An Evolving Research Agenda in Cyber Policy and Security

herb boot camp

By Herb Lin

 

Characterizing problems in cyber policy and security

Problems in cyber policy and security pose many challenges that are worthy of research.  Some specifics are provided below, but first it is helpful consider the nature of these problems from a more abstract perspective.  These problems share several characteristics.

Cyber policy and security generally require multidisciplinary thought and expertise.  It is axiomatic that problems in cyber policy and security have some technical content, but it is essentially a myth that cyber policy and security is a field that is primarily a technical one that requires a degree in computer science or communications engineering. For many cyber policy problems, the necessary technical knowledge – judiciously applied with reason and logic – can be found in science and technology popularizations intended for nontechnical audiences.  But because of the ubiquity of information technology in nearly all aspects of modern human endeavor, the other disciplines used to understand these aspects are relevant as well.  Thus, problems in cyber policy and security often require knowledge from some combination of economics, psychology, sociology, anthropology, law, organizational theory, engineering, political science, and government, among others.

  1. Problems in cyber policy and security are themselves embedded in a milieu of rapid technological change. Though the fundamental principles of information technology change slowly, new information technology applications are quick to appear. Every new application is an     opportunity for cyber mischief, or worse, thus the relevant context of any problem in cyber policy and security is highly dynamic.
  2. What is known from history and experience – that is, the metaphors, analogies and precedents with which policymakers are familiar – may break down when applied to the cyber domain. For example, a nuclear analogy for cyber policy and security is tempting, and brings to mind many ideas that can be used for understanding problems in cyber policy and security. Although there are a number of useful analogies between the nuclear and cyber domains, they may not provide useful guidance for very long. In many cases, the most that can be said about the relevance of these other domains is that many important questions arise in both cyber and the “other” domain (hence knowledge of the “other” domain is helpful), but most answers to these questions are very different (hence one should not push the analogy beyond the point of reasonable utility). For example, questions about scale of effect, attribution, tactical warning and attack assessment, attack planning, reconstitution and recovery, and command and control are central to understanding a number of important scenarios in nuclear conflict and in cyber conflict – but the nature of the answers to these questions are dramatically different.
  3. The framing of problems in cyber policy and security profoundly affects how one might approach solutions. For example, many problems can be viewed from national security perspectives, environmental perspectives, law enforcement perspectives, perspectives from civil rights and liberties. Each of these fields has its own distinct set of problem-solving tools and intellectual approaches, and the tools and approaches of one field may provide advantages (and disadvantages) as contrasted to those of another field.

 

dhs cyber U.S. Department of Homeland Security employees work in front of U.S. threat level displays inside the National Cybersecurity and Communications Integration Center in Arlington, Va, June 26, 2014.

 

Identifying “good” and “important” problems in cyber policy and security

What makes a good research problem in cyber policy and security? From an academic research perspective, the traditional answer is a reasonable place to start – a good problem is one that is new; whose analysis provides relevant insight and knowledge, and leads to more good problems as well as the accumulation of knowledge over time.

From a policy perspective, an important problem is one that is relevant to the concerns of the policymaker and that addresses a known or future issue. In this context, consider three distinct categories of relevance.

  1. Category A: Problems whose relevance is known to the policymaker and for which the policymaker needs solutions. Research on Category A problems often develops new solutions, critiques existing solutions, or even reframes known problems from new or different perspectives. These problems also include problems with solutions that are not as effective as they may seem or as conventional wisdom believes. For example, pointing out non-obvious weaknesses, unintended consequences, or perverse incentives in seemingly obvious solutions falls into this category of research.
  2. Category B: Problems whose relevance to the policymaker is not known or understood today but which should be relevant or which may become relevant in the future. Research on Category B problems often explicates the nature of such problems and explains why they should be important to a policymaker.
  3. Category C: Problems whose relevance is known to the policymaker and for which solutions are already known but may not be remembered or otherwise used. Analyses of Category C problems often remind the policymaker of knowledge that is known in principle, but has been ignored or forgotten.

It should be possible to make meaningful progress on important problems in a reasonable amount of time. Thus, an important issue is the extent to which those working on a particular problem can draw on prior background and expertise that might be relevant. For example, cyber researchers wishing to work on problems related to cybersecurity in the financial sector would find their work much easier if they (or their home institutions) have good intellectual and substantive connections to firms providing financial services. Those working on the psychology of decision-making during a cyber crisis would benefit greatly from experience with decision-making during crises involving other situations characterized by time urgency, severe information gaps and high degrees of uncertainty.

 

Cybersecurity Research

Structuring a taxonomy of research problems

A rich universe of research problems is only one element of a comprehensive program on cyber policy and security, though it is undeniably critical.  Two other critical elements include education and outreach.

Education involves a variety of opportunities for individuals to learn about cyber policy and security at a variety of different levels of involvement and intensity, including 30-minute podcasts or lectures on video; weeklong boot camps; semester-length courses (online and in-class); and thesis projects at the bachelor’s, master’s, and doctoral levels.

Outreach involves efforts to promote discussion and understanding among parties with different views.  Even if these efforts do not result in the solution of specific problems, they can enhance mutual understanding that can be helpful in managing future disagreements.

Any taxonomy of problems can be structured in many ways, and the choice of a structuring principle for any given taxonomy is to a certain extent arbitrary. The broad taxonomy below is structured by field of relevant expertise. That is, application of a given field of expertise to problems in cyber policy and security will help to advance the state of knowledge.  (Also, in many cases, the necessary expertise will require collaboration between experts in multiple fields.) This particular approach to structuring has the major advantage of being friendly to individual researchers who may wish to enter the field of cyber policy and security but are uncertain about how their expertise may be relevant. Everyone knows his or her own expertise and a list structured according to expertise is much easier for such researchers to peruse.

Within each field of expertise are some key phrases suggesting different problem areas where new knowledge and insight are needed. Further iterations of this page will add new problem areas; explain why these problem areas are useful foci of research; describe, contrast and compare the main perspectives that have so far emerged; and provide example questions for each that might form the basis for specific research topics.

A taxonomy of problems in cyber policy and security

A worked example of what it means to say that a problem area is a useful focus of research; to describe, contrast and compare the main perspectives that have so far emerged; and to provide example questions for each that might form the basis for specific research topics. 

International security and cooperation

  1. Active defense
  2. Escalation dynamics and termination
  3. Differentiation between types of cyber activities, e.g., espionage vs. attack
  4. National security and law enforcement boundaries
  5. Arms control, treaties, conventions, codes of conduct and international norms of behavior in cyberspace
  6. Regional cooperation, e.g., in the Asian Pacific Rim, NATO
  7. Regional cybersecurity issues, e.g., Africa, Asia
  8. Deterrence within and across domains, e.g., within the cyber domain alone, between cyber and kinetic domains
  9. Responses to adversary cyber activity that falls below the threshold of “use of force” or “armed attack”
  10. Role of offensive operations in promoting national interests
  11. Cross-sector interaction in cyber
  12. Analogies for cybersecurity (military, public health, environmental)
  13. Military doctrines for cyber
  14. Cyber indications and warning, attack assessment
  15. Export of offensive cyber capabilities
  16. Cyber targeting policy and strategy

Critical infrastructure – domain-specific cybersecurity issues

  1. Avionics
  2. Electric grids such as bulk power systems and the smart grid
  3. Medical records and devices
  4. Land vehicles, e.g., cars, trucks, and rail
  5. Industrial production facilities such as chemical plants
  6. The financial markets
  7. Mobile phone networks
  8. Water distribution systems
  9. Transition planning for moving from insecure information technologies in wide use to more secure technologies, e.g., when quantum computing renders RSA impotent; when new security-oriented Internet architectures have been developed. Transition planning identifies and assesses issues likely to arise in any contemplated transition, evaluation of various approaches managing such issues.

Private sector concerns

  1. Current best practices and standards of protection and evolution into the future
  2. Legal rights of self-defense and self-help
  3. Offensive operations to help private sector
  4. Personnel needs
  5. Cyber crisis management within private firms

Economics

  1. Incentives to strengthen cybersecurity
  2. Market opportunities in cybersecurity
  3. Useful metrics for cybersecurity
  4. Supply and demand for cybersecurity workers at different levels
  5. Cyber insurance

Psychology and Education

  1. Cyber decision-making during times of uncertainty
  2. National confidence
  3. Psychological effects of cyber warfare
  4. Cybersecurity awareness
  5. Usability

Sociology, Anthropology and Organization

  1. Cyber narratives and cross-cultural views of the U.S.
  2. Hacker cultures
  3. Successful cyber-aware organizations
  4. Organizational dynamics in cyber security
  5. Role of NGOs
  6. Command and control of offensive operations
  7. Private cybersecurity companies, e.g. a cyber Blackwater
  8. Organization of the U.S. government for cybersecurity

Law

Domestic

  1. Computer Fraud and Abuse Act
  2. Surveillance
  3. Liability
  4. Regulation
  5. Cybercrime

International

  1. Law of armed conflict
  2. Human rights law
  3. Trade law
  4. Bilateral arrangements, e.g., mutual legal assistance treaties

Ethical and Societal Implications of Cybersecurity

  1. Ethics of cyber conflict
  2. Philosophical implications of attacks on knowledge
  3. Civil liberties and cybersecurity
  4. Division of responsibility between the government and private sector at all levels

Tools

  1. Systems analysis for cybersecurity
  2. Science of cybersecurity
  3. Game theory
  4. Cost effectiveness ratios for understanding the offense-defense relationship

 

 

[[{"fid":"215156","view_mode":"crop_870xauto","fields":{"format":"crop_870xauto","field_file_image_description[und][0][value]":"","field_file_image_alt_text[und][0][value]":false,"field_file_image_title_text[und][0][value]":"Facebook CSO Joe Sullivan addresses Stanford's cyber boot camp, Aug. 20, 2014.","field_credit[und][0][value]":"Rod Searcey","field_caption[und][0][value]":"Facebook CSO Joe Sullivan addresses Stanford's cyber boot camp, Aug. 20, 2014.","field_related_image_aspect[und][0][value]":"","thumbnails":"crop_870xauto","pp_lightbox":"","pp_description":true},"type":"media","field_deltas":{"4":{"format":"crop_870xauto","field_file_image_description[und][0][value]":"","field_file_image_alt_text[und][0][value]":false,"field_file_image_title_text[und][0][value]":"Facebook CSO Joe Sullivan addresses Stanford's cyber boot camp, Aug. 20, 2014.","field_credit[und][0][value]":"Rod Searcey","field_caption[und][0][value]":"Facebook CSO Joe Sullivan addresses Stanford's cyber boot camp, Aug. 20, 2014.","field_related_image_aspect[und][0][value]":"","thumbnails":"crop_870xauto","pp_lightbox":"","pp_description":true}},"attributes":{"title":"Facebook CSO Joe Sullivan addresses Stanford's cyber boot camp, Aug. 20, 2014.","height":"575","width":"870","style":"line-height: 1.538em;","class":"media-element file-crop-870xauto","data-delta":"4"}}]]

 

 

A Worked Example: Escalation Dynamics and Conflict Termination in Cyberspace

In recent years, planning for U.S. national security has contemplated the possibility that the United States might be engaged in conflict of various kinds in cyberspace. Such engagement could entail the United States as the target of hostile cyber operations, as the initiator of cyber operations against adversaries, or some combination of the two.

Much of the serious analytical work related to cyber conflict to date focuses on the initial transition from a pre-conflict environment to an environment in which cyber conflict is known to be taking place. Little work has been done on three key issues: How the initial stages of conflict in cyberspace might evolve or escalate (and what might be done to prevent or deter such escalation); how cyber conflict at any given level might be de-escalated or terminated (and what might be done to facilitate de-escalation or termination); and how cyber conflict might escalate into kinetic conflict (and what might be done to prevent kinetic escalation). Each of these issues is important to policymakers, both in managing a crisis and in preparing for it.

The phenomenon of escalation in conflict is a change in the level of conflict (defined in terms of scope, intensity, or both) from a lower (perhaps non-existent) level to a higher level. Escalation is a fundamentally interactive concept, in which actions by one party trigger other actions by another party to the conflict. Of particular concern is a chain-reaction in which these actions feed off of one another, thus raising the level of conflict to a level not initially considered.

Theories of escalation dynamics have been most elaborated in the nuclear domain. But the deep and profound differences between the nuclear and cyber domains suggest that any theory of escalation dynamics in the cyber domain would require far more than small perturbations in theories of nuclear escalation dynamics, though such theories might be useful points of departure for the development of new theory applicable to cyberspace.  Some of these differences include the greater uncertainties in attribution of cyber actors; the broad proliferation of significant capabilities for cyber operations to a multitude of states and to a variety of nonstate actors as well; and the inherent ambiguities of cyber operations as compared to the very distinct threshold of nuclear weapons explosions.

Conflict termination presumes the existence of an ongoing conflict to which the participants desire an end. Conflict termination requires several elements:

  1. A reliable and trustworthy mechanism that can be used by the involved parties to negotiate the terms of an agreement to terminate a conflict. 
  2. A clear understanding on all sides about what the terms of any agreement require each side to do. 
  3. Assurance that all parties to an agreement will adhere to the terms of any such agreement. 
  4. Capabilities for each party that can ensure that all entities taking action on behalf of that party adhere to the terms of any such agreement. 
  5. How and to what extent should the electronic channels with which national leaders will be communicating be reliable in the midst of certain kinds of cyber conflict?

Issues of escalation and conflict termination in cyberspace are complicated by the fact that there may be cross-domain linkages. Although conflict might, in principle, be limited to hostile operations in cyberspace alone, there is no reason that this is necessarily so, and policymakers must contemplate the possibility that conflict in cyberspace might spill over into physical space, and might even lead to kinetic actions. 

U.S. military doctrine for taking advantage of cyberspace seems to emphasize the utility of early use, that is, early in a conflict that will eventually entail kinetic operations. In addition, the logic of offensive cyber operations suggests that such operations are likely to be most successful when the initiator of these operations has the time to gather intelligence on likely targets; such intelligence-gathering is obviously time-limited once overt conflict does break out.

On the other hand, the use of kinetic operations during an ostensibly cyber-only conflict is an important threshold. Nations involved in a cyber-only conflict may have an interest in refraining from a kinetic response. For example, they may believe that kinetic operations would be too provocative and might result in an undesired escalation of the conflict.

If understanding the dynamics of cyber-only conflict is difficult, understanding the dynamics of cyber conflict when kinetic operations may be involved is doubly so.

Key research questions regarding escalation dynamics in cyberspace:

  1. How and to what extent can the parties to a negotiation share an understanding of key concepts, e.g., what constitutes an “attack” in cyberspace?  How can differences in understanding best be resolved?
  2. How can one party know that the other party has ceased hostile activity in cyberspace, given difficulties in attribution, in distinguishing between cyber operations for attack and exploitation, and in the lack of national technical means that can verify a stand-down of cyber forces?
  3. How can a nation manage its own “patriotic hackers”, who might otherwise cause an adversary to misperceive their national government’s intent?
  4. What thresholds of unacceptable activity might be created in cyberspace and how might these be communicated to an adversary? 
  5. How might the United States deter escalation when it arguably has more at stake in cyberspace than its adversaries?
  6. What means are available to signal intent to adversaries in cyberspace, and how might those means be used?
  7. How might nations reassure each other about their intentions in cyberspace, especially during times of tension or conflict?  What, if any, is the role of confidence-building measures?  What steps can feasibly be taken to improve transparency in cyberspace that will improve the prospects for managing cyber conflict successfully?
  8. How can national authorities exercise effective command and control of cyber forces in a rapidly evolving unfolding conflict environment?  (Cyber forces necessarily include software-based or hardware-based agents that may be operating autonomously or semi-autonomously.  Note also that during conflict, various communications paths used prior to conflict may be compromised or unavailable.)
  9. What is the scope and nature of national capabilities – technological, command-and-control, law enforcement and legal capabilities – needed to implement any approach to escalation management and conflict termination in cyberspace? How can each side obtain realistic assessments of an adversary’s cyber state and condition, e.g., heavily or damaged?
  10. How might other resources and capabilities available to a nation such as the United States be used to manage escalation of conflict in cyberspace?
  11. How and to what extent, if any, do force employment concepts such as counterforce and countervalue targeting remain useful in a cyber context for thinking about escalation dynamics?
  12. How might cyber conflict result in kinetic conflict? What might be done to forestall such escalation?