In Cyber (Governance) We Trust

Published date: 01 February 2016
Author: Mark T. Fliegauf
DOI: http://doi.org/10.1111/1758-5899.12310
Mark T. Fliegauf
stiftung neue verantwortung, Berlin
1. Securing cyber: a Catch-22
When the Obama administration grudgingly announced a massive data leak in the Office of Personnel Management (OPM) in of 2015, an all too familiar pattern ensued: news that hackers had retrieved personal and in many cases highly sensitive information of more than 21 million individuals was accompanied by suspicions (Director of National Intelligence James Clapper) and accusations (Hillary Clinton) that the perpetrators were to be found in Beijing. Only for the Chinese government to vehemently deny any involvement and to dismiss the American claims as unscientific and irresponsible.
The Sino-American exchange highlights simultaneously the need for global cyber security governance and the challenges any meaningful international arrangements face. It also raises two fundamental questions: Why have we made so little progress in the realm of cyber security governance? And what can we do about it?
Aiming to provide tentative answers to these two questions, I argue that states face an incentive problem. They are prone to exploit digital vulnerabilities to access sensitive data (cyber espionage) and/or to gain strategic advantages in a militarized conflict by, for example, temporarily incapacitating an opponent's communication infrastructure. Therefore, they generally prefer private rent-seeking over the production of a public good (international cyber security), which has led to the securitization, militarization and increasing fragmentation of the Internet. The consequence: a negative spiral of suspicion, mistrust and balkanization that threatens the domain in toto. As of today, states' national securitization efforts have primarily diminished the scale returns of networks (see Rose, 1986, pp. 768-770) rather than their own insecurity.
Something needs to change. We need common norms and codes of conduct to govern the use and application of cyber espionage and cyber conflict. International institutions and organisations could provide those rules of the game and reduce the current cyber trust gap. Yet their establishment requires trust in the first place (a classic Catch-22), which is even more difficult to establish under the condition of a security dilemma.
2. Cyberspace meets realpolitik
Like most other technologies, the Internet and the artificial domain it created are double-sided in nature. Despite its origins in the Pentagon's Advanced Research Projects Agency (ARPA), cyberspace has never been designed with security in mind (Ryan, 2013, pp. 1144). And thus ubiquitous loopholes have been exploited by criminals, terrorists and, as the revelations over the past two years have strikingly shown, governments alike.
State agencies face dual incentives: on the one hand to exploit vulnerabilities for the sake of espionage and in case of a military confrontation, on the other to secure national infrastructures and prevent attacks not only from criminals and terrorists but also from foreign intelligence services and militaries. State governments have amply proven their desire and capacity to utilise cyberspace to these ends. Armed forces, defence departments, and intelligence agencies all over the world have stressed the role of cyber in national defence over the years and, by reverse logic, their own role in cyberspace (Fliegauf, 2012; van Eeten and Mueller, 2013, p. 730). The process of securitization or militarization is particularly transparent in the US, where various administrations have continuously highlighted the dangers of a potential cyber attack over the years with the catch phrase of a cyber Pearl Harbor (see Arquilla, 2012; Nakashima, 2012; Rid, 2013) while casting a wide net of digital surveillance schemes and programs. Yet we observe similar developments in China, France, Germany, Russia and the UK. Overall, almost 50 states have devised national cyber military strategies and several countries have created military infrastructures (Lewis and Neuneck, 2013, p. 1) from which the US Cyber Command stands out. Meanwhile the American National Security Agency (NSA), the British Government Communications Headquarters (GCHQ) and other intelligence services have tapped into the data resources provided by cyberspace via the use and abuse of surveillance programs such as PRISM, Tempora, XKeyscore and similar programs simply because they have both the incentive and the ability to do so. In short: cyberspace meets realpolitik.
Moreover, and not least as a consequence of the militarization of cyberspace, national governments have engaged in considerable efforts to re-nationalize the Internet and related cyber infrastructures to either keep information out of their countries or to prevent it from leaving. Russia and China have long championed the concept of digital sovereignty, but countries like France and Germany do now too, thus laying the ideological foundation for the digital disintegration of the North Atlantic region. France's national innovation program, introduced by President François Hollande in the autumn of 2013, states the explicit goal of "build[ing] a France of digital sovereignty" (Chander and Le, 2014, p. 12). And the German government's coalition agreement has
Global Policy (2016) 7:1 doi: 10.1111/1758-5899.12310 ©2016 University of Durham and John Wiley & Sons, Ltd.
Global Policy Volume 7 . Issue 1 . February 2016 79
Special Section Article
