U.S. Cyber Policy, Beyond Ones and Zeros
Critics have derided the White House’s decision this past May to scrap its Cyber Coordinator post—created by the Obama administration to consolidate policy courses of action on cybersecurity issues—as short-sighted and tone-deaf, particularly at the height of concern over Russia’s nefarious activity toward U.S. political processes. However, the move creates an opportunity to examine whether the overall U.S. approach to cybersecurity has been overly narrow relative to the Russian threat—which itself has demonstrated the need for Washington to forge partnerships with industry and to expand beyond the network-centric aspects of information warfare.
Since the onset of Internet ubiquity in the early 1990s, Moscow has sought agreement with the U.S. to avoid a digital arms race, finding little receptivity on the U.S. side. However, in the early stages of the Obama and Medvedev administrations, the “reset” atmosphere found envoys locked in extensive bilateral consultations on cybersecurity. Despite some initial optimism, by 2012 the primary fruit of these consultations was a better grasp of the intractable differences in how Russia and the U.S. defined the cyber problem and its corollaries. On one hand, the U.S. has held the free flow of information to be sacrosanct—an extension of human rights, critical to innovation—while emphasizing the security of digital networks against intrusion. On the other side, Russia has claimed nations’ sovereign “information space” inviolate, seeking to legitimize their exertion of broad control over how the Internet and media can be used within their own borders—to include blocking “undesirable” content. Despite the ongoing debate in the UN and other multilateral fora, bilateral talks on the issue have languished since Putin’s 2012 return to the presidency, as overall relations with the U.S. deteriorated.
Judging by 2018 standards, this philosophical deadlock appears both prescient and ironic. In the intervening years, Russia would go on to become the world’s foremost transgressor of sovereignty in the information space, flooding the marketplace of ideas with distortion, falsehood, and propaganda. As a result, the laissez-faire approach to Internet governance once advocated by the U.S. appeared significantly less advisable; the Council on Foreign Relations last October went so far as to advocate for abandoning it as a strategy. Meanwhile, prospects for increased Internet regulation in both countries have been tempered by Russian authorities’ embarrassing inability to sustain it, and U.S. lawmakers’ woeful inability to conceptualize it. This state of play likely equates to an inability on either side to conclude, much less ensure compliance with, any meaningful pact on rules and norms in the cyber realm.
In addition to these irreconcilable terms of reference, the impasse has become even more complicated by the inexorable rise to power of a third party: the tech sector. In key aspects, the Internet has become as much a party to the negotiations as it ever was the subject. Giants like Facebook, Twitter, Google, Apple (and Russia’s own Telegram) maintain access to incalculable stores of data on American and Russian citizens, commanding trillions of dollars in market share, and technical prowess that increasingly outpaces governance. This data includes models meticulously designed to cater to the psychologies of designated populations—both to drive ad revenues and to influence voting preferences.
In several key aspects, the “information space” can exercise more organic sovereignty than the U.S. or Russia could impose upon it. Professor Joseph Nye of Harvard—a preeminent international relations theorist and former U.S. Assistant Secretary of Defense—proclaimed in 2011 that “states will remain the dominant actor on the world stage, but they will find [it] far more crowded and difficult to control.” The resultant “sovereignty gap,” as termed by Lucas Kello, director of Oxford University’s Centre for Technology and Global Affairs, argues that the tech sector be viewed and courted by U.S. policymakers as a peer and partner, less a competitor or adversary, in countering the scourge of disinformation. (Ambassador Dan Fried and Alina Polyakova of the Atlantic Council recently proposed just such a public-private coalition.) Such partnership might also engender a greater sense of civic responsibility amongst the tech sector and incentivize innovative solutions to the use of online platforms for malign behavior.
Russia’s interference in the 2016 elections fused traditional digital hacking with a discipline that Dartmouth researchers in 2003 dubbed “cognitive hacking”—referring to “an attack that relies on changing human users’ perceptions and corresponding behaviors in order to be successful.” Because Washington has marshaled its political and military capital to prioritize digital security above all else, its capacity to foresee, much less counter, the weaponization of pilfered, fabricated, distorted, or artificially-amplified information has proven grossly insufficient. To make up for lost ground, U.S. cyber policy should begin to measure its efficacy not only by how vulnerable its digital infrastructure is to intrusion by external actors, but also by how vulnerable its public is to manipulation by those same actors.
In addition, the approach taken by some European allies—for whom Russian information warfare poses an existential threat—serves as a model to follow. Harvard University researcher Jed Willard recently contrasted U.S. and European conceptions of that threat, noting that relative to “the emphasis on cyber defenses and social-media algorithms in many American conversations…how rarely northeast-European officials emphasized technical solutions to the problem…Most were far more focused on their populations’ psychological resilience.” Baltic States like Estonia, Latvia, and Finland are all too keenly aware that the very narratives that hold nations together—the institutional confidence, core beliefs, and foundational truths underpinning them—are prime Russian targets. This stands in stark contrast with heretofore prevalent U.S. concepts, in which the key battlefields are net-based. These concepts, however, must now evolve, as Dmitri Teperik, head of Estonia’s International Centre for Defence and Security, recently wrote, toward the space “where the cognitive, online, and real worlds meet up.”
This space—the battlefield of the mind—is the focal point of Russian cyber policy and doctrine, as examined by the Swedish Defence Research Agency (FOI) in March 2015: “Under this definition, the cognitive domain is fully subsumed into cyberspace.” This, however, is not a new development for Moscow, which has long drawn on its unique geopolitical and historical perspective to hone its information warfare strategy. Each modern technological advance – from the photocopier to the smartphone – has been assessed by Russian officialdom for its prospective impact on human psychology and ideology. Sergey Rastorguyev, a pioneer in Russian information warfare theory in the 1990s, focused extensively on sociology, cognition, and consciousness—the processes by which humans construct and shape their realities. The defining characteristic of the information age, in Rastorguyev’s telling, is the ease it affords these processes.
Fortunately, U.S. views appear to be evolving, and advocacy for an expanded focus has increased of late. Former Deputy Assistant Secretary of Defense Linton Wells II, who has written extensively on how technological advances intersect with national security policy, recently characterized gaps in the U.S. conceptual framework as a key disadvantage—noting that the U.S. is “not organized, trained, [or] equipped to be agile and effective” in cognitive conflicts. In testimony to the Senate Armed Services Committee in April 2017, RAND Corporation Senior Information Scientist Rand Waltzman decried a myopic focus on the technical dimensions of a problem-set that extends well into the psychosocial dimensions, advocating for a strategic infusion of political capital into the field of “cognitive security…[which] focuses on the exploitation of cognitive biases in large public groups [and] social influence as an end unto itself.” This past March, the same committee rightly questioned whether the Department of Defense was properly arrayed to address the threat, with Senator Bill Nelson (D-Fla.) noting that “Russia’s information operations troops conduct technical and cognitive operations in an integrated way.” Meanwhile, U.S. Cyber Command’s newly-released strategy connotes positive shifts—including the recognition that American social cohesion stands at risk from cyber operations, and that, “along with government resiliency, better alignment between private sector technology development and national security goals…can render adversarial activities inconsequential.”
Columbia University’s James Bone, founder of the first cognitive risk-management consultancy and author of Cognitive Hack: The New Battleground in Cybersecurity, asserts that “a greater, conscientious effort is needed to raise awareness by every organization [and] government official.” Expanding the cybersecurity framework to encompass cognitive security will enable policymakers to forge partnerships and initiatives “to better understand these threats, identify and assess new variants of the attack, and develop contingencies rapidly.” Bone’s proclamation reads like an updated mission statement for a wide range of U.S. political, military, and intelligence officials engaged in cyber issues—a call to scope the problem more broadly than they have to date.