Max Smeets is a cybersecurity fellow at Stanford University’s Center for International Security and Cooperation (CISAC), a Research Associate at the Centre for Technology & Global Affairs, University of Oxford, and a non-resident cybersecurity policy fellow at New America. In 2018, he was awarded the Journal of Strategic Studies’ prestigious Amos Perlmutter Prize for the most outstanding publication by a junior faculty member.
This interview originally appeared on Global Policy: Next Generation-- a new annual issue from the journal Global Policy.
First, can you briefly describe your work and your interest in the field of cybersecurity?
I am currently finishing up my book manuscript on the dynamics of cyber proliferation. For at least a decade, policymakers and analysts have made explicit statements about the spread of what some call ‘cyberweapons’. Some senior officials argue that well over 30 nation-states are capable of launching cyber attacks; others are less conservative in their estimates. But, like much of the early nuclear thinking, no explicit basis for these estimates and forecasts is provided. Indeed, variations of the ‘domino effect’ logic -- when one goes cyber, all go cyber -- seem to implicitly dominate thinking.
There is a lack of attentiveness to the theoretical assumptions behind why governments are setting up these military units to conduct offensive cyber operations, and there is a need for more social science scholarship on this topic. The main argument of my book is that the world is not at the brink of ‘mass cyber proliferation’.
How much do existing theories of international security contribute to understandings of the dynamics of cyber proliferation? Are other proliferation theories still useful for understanding this new space?
They contribute a lot. Scott Sagan’s classic study identifies three ‘models’ (international security, domestic politics, and identity politics/symbolism), in the informal sense of the term, to explain states’ willingness to go for the nuclear option. I also use these ‘models’ to better understand the motivations of states to go cyber. But we have to be very careful here. The fundamental dynamics of cyber proliferation are different in a number of ways. For example, non-state actors play a much bigger role in enabling states to develop these capabilities. The Russian government, perhaps most prominently, is known to rely on cyber criminals and other patriotic hackers to conduct cyber operations. For a good overview, see this piece in Meduza.
You have also published on other topics, including your prize-winning article in the Journal of Strategic Studies. The article argues that the “transitory” nature of cyberweapons is an underappreciated dimension of cybersecurity. What do you mean by this?
Formally, the transitory nature of cyberweapons (a term which I actually do not use in my forthcoming publications) refers to ‘the temporary ability to access a computer system or network to cause harm or damage to living and material entities’.
Less formally, we can draw an analogy with food and cooking. Food is perishable. And we have a pretty good sense of ‘best-before dates’ of different types of food. The perishability of food likely affects our decision-making: when you have a delicious piece of salmon in the fridge which goes off tomorrow, you’re more likely to eat it today.
For cyber, when a new ‘exploit’ is developed for a certain vulnerability, we do not have a good sense of the practices which affect the exploit’s ‘best-before date’. Equally, there is little research which explains how these time dynamics affect the decision-making of offensive actors, and so my article in JSS sought to provide some insights.
In what ways might appreciating the transitory nature of cyber capabilities change policymakers’ approach to cyber policy?
Offensive cyber programs potentially require a different approach to budgeting, at least when compared with conventional weapon programs. For conventional weapon programs, (government) institutions can come up with a relatively good cost estimate as to what is required to maintain a certain capability; a typical budget proposal would say ‘in X years’ time, the following capability needs to be replaced/upgraded. Hence, we project to spend …’. Conventional weapons’ ageing is generally modeled as a gradual (log-linear) deterioration.
This approach, however, does not hold up for cyber. Instead, governments only have the ability to use a certain ‘exploit’ or weapon for a certain period of time, and its usability rapidly declines when it is discovered. What this means is that more flexible budgets (and hiring procedures) are recommended to cope with potentially prompt fluctuations in overall capability.
Which books have proved influential for your work?
I have been impressed by Ben Buchanan’s book The Cybersecurity Dilemma published last year. As the title suggests, the book argues that the security dilemma also holds great relevance in cybersecurity. More specifically, Buchanan’s argument is that states are incentivized to launch intrusions into others’ networks to enhance their own security, but in the process risk escalating tensions.
There are not many books in the field which combine IR theory with ‘cyber’, but this book is one of them and does it well. Also, it is pretty difficult to write a book on cyber conflict which stands the test of time, as the dynamics are changing so quickly and our understanding too. But I believe that Buchanan’s book - describing a fundamental dynamic of this ‘domain’ - will still be on course syllabi 10+ years from now.
What other disciplines should people in your subfield learn more about in order to better understand cybersecurity? Or what other disciplines do you find it valuable to draw on in your research?
Some have argued that cyber studies can be split up into different wings, in which political scientists, computer scientists, legal scholars, etc. would each contribute their own share to understanding different aspects of the cyber issue. I, however, am a big believer in interdisciplinary research and think trying to split up the field would quickly lead to a similar situation as the attempt of the blind men to discover the nature of the elephant: the one who touches its leg calls it a tree, another who touches its tail calls it a rope, and so on.
I am currently reading a lot of organizational management literature. Scholars who set out to explain the conduct of cyber operations normally focus on argument related to the ‘nature’ or ‘meaning’ of cyberspace. Yet, we cannot fully understand the use of cyber capabilities without studying the organisational structure in which its use of these capabilities is embedded. For example, in previous work I have argued that organizational integration between intelligence and military activities can both enable and constrain the conduct of cyber operations.
What piece of advice have you found most helpful as an early career researcher?
There is this great twitter account called “Lego Grad Student”. One of the tweets is a picture of 'Lego Grad Student' in a bathroom, and says: “Washing up for bed after accomplishing nothing that day, the grad student instinctively refuses to look at himself in the mirror.”
What I believe should be avoided during the PhD is a perfect correlation between ‘happiness’ and ‘PhD progress’: e.g. when research goes well I’m happy; when research goes badly I’m not happy (and don’t want look at myself in the mirror). That’s dangerous - although, of course, some correlation is inevitable and cannot be avoided.
It is likely there will be (sometimes long) stretches of time that you are not happy with your research. It is hard to break the negative cycle if there is ‘perfect’ correlation. I think a key strategy to managing this issue is setting goals that have nothing to do with your research, for instance joining a sports team or becoming a Trivial Pursuit expert. The key is finding other opportunities to generate a sense of accomplishment that can tide you over during challenging periods in your research.
What advice would you give to students just beginning their doctoral research?
We all talk about finding the supervisor who is the perfect research fit. Supervisors are important. But I would say peers are more important. Who is sitting next to in your office/open desk space changes your day, week, and PhD-life completely. Having people with whom you can share your writing and your successes or failures is also critical.
Emma Lecavalier is the Deputy Editor of Global Policy: Next Generation.