Next Generation Security Thinking

Taking the cyber warfare challenge seriously requires thinking outside the comfortable security box (either technological or national). Unfortunately ‒ regardless of the lip service many decision makers pay to cyber security ‒ this ability is a rare quality. What the world needs is strategic leadership in navigating in the murky waters of cyberspace. The digital world, as well as the threats and opportunities residing in it, is not “out there” but in our making.

The value of cyberspace arises from its close connection to the physical world. Gains achieved through the utilization of the digital world ‒ efficiency, near simultaneity, global reach, cost reductions, new opportunities for business and civil society ‒ are only meaningful when improving the quality of our lives. Unfortunately, something valuable always exists with the fear of losing it. We are afraid of losing the functions that cyberspace enables, but also those controlled through it. Because we are not sure how different functions relate to one another or affect the physical world, confusion prevails.

Moreover, we do not really know our potential enemies, their capabilities and vulnerabilities, logic of action or willingness to do harm. We don’t know what to defend against, which makes us concentrate on technologically possible instead of politically feasible. By designing, constructing or otherwise acquiring, disregarding and using capabilities we build the future operating environment, the future world. The responsibility is huge and should not be carried out with the lead of technology. Strategic thinking and skill to use existing capabilities effectively have often proven to be the key to success.

Thus far technology has prevailed in cyberspace while strategy has been reactionary. Voices giving early warning have existed for years. Still measures seem to be taken only when something disastrous becomes eye-witnessed. For enhanced security we should learn to make decisions based on other sensory information than visibility ‒ not only on tactical and operational levels, but also on strategic level. Next to that, and without underrating the importance of comprehensive situational awareness, how about planning, building and executing on the assumption that perfect visibility can never be reached?

The basic problem in strategic thinking in the cyber-physical reality is that we try to apply concepts and logics drawn from the physical world to the digital world without modification. Therefore, we wish to know our opponents (if not otherwise, then by constructing them in fierce naming and shaming campaigns), count stockpiled cyber weapons (and verify their existence in the first place) in order to learn about opponents’ capabilities, attribute attacks (and possibly retaliate) and deter (yet effective deterrence requires a known enemy). We also try to conduct information operations in the era of Web2.0 as if we were living in a world in which major media companies or national news broadcasts control the information sphere.

The aforementioned are only a few examples of flaws in dominating security thinking. Old-fashionedness prevails in public and private sectors alike which both participate in contemporary security production. And are stakeholders in cyberwar. Tendency to resort to familiar frameworks in the face of something previously unexperienced is understandable, yet it may hinder our attempts to scrutinize the cyber-physical reality as it is ‒ and to learn to live in it. The contemporary world is our creation but may not yield to pre-existing security frameworks.

How about starting with the cyber-physical reality? Learning the basics of it and trying to conceptualize it without prior frameworks; learning to live in a multipolar reality in which there may not be need to know one’s enemies, build a strong security posture alone or have unambiguous truths. How about not trying to get a hold of or control over cyberspace (like the current trend is) but learning to live with its malleability and unpredictability? Absolute security is unattainable for which reason resilience should become the prime driver in security thinking. Resilience, and the fact that warfare should always remain only a continuation of politics by other means.

Cyberspace and the changes it has brought forth in warfare and security production in general are not a revolution and hence non-addressable by those currently in decision making positions. Instead, they are a phase in normal evolution and should not be left for the future generations who are believed to know cyberspace better. Then it may be too late already.

Find Jarno on LinkedIn

Start a conversation with Jarno on Twitter

Read previous content from Jarno