Restrained by design: the political economy of cybersecurity
| Pages | 493-514 |
| DOI | https://doi.org/10.1108/DPRG-05-2017-0023 |
| Date | 11 September 2017 |
| Published date | 11 September 2017 |
| Author | Jon Randall Lindsay |
| Subject Matter | Information & knowledge management,Information management & governance,Information policy |
Restrained by design: the political
economy of cybersecurity
Jon Randall Lindsay
Jon Randall Lindsay is
Assistant Professor of
Digital Media and Global
Affairs at the Munk
School of Global Affairs,
University of Toronto,
Ontario, Canada.
Abstract
Purpose –The empirical record of cyberattacks features much computer crime, espionage and
hacktivism, but none of the major damage feared in prevalent threat narratives. The purpose of this
article is to explain the absence of serious adverse consequences to date and the durability of this trend.
Design/methodology/approach –This paper combines concepts from international relations theory
and new institutional economics to understand cyberspace as a complex global institution with
contracts embodied in both software code and human practice. Constitutive inefficiencies (market and
regulatory failure) and incomplete contracts (generative features and unintended flaws) create the
vulnerabilities that hackers exploit. Cyber conflict is a form of cheating within the rules, rather than an
anarchic struggle, more like an intelligence-counterintelligence contest than traditional war.
Findings –Cyber conflict is restrained by the collective sociotechnical constitution of cyberspace,
where actors must cooperate to compete. Maintenance of common protocols and open access is a
condition for the possibility of attack, and successful deceptive exploitation of these connections
becomes more difficult in politically sensitive situations as defense and deterrence become more
feasible. The distribution of cyber conflict is, thus, bounded vertically in severity but unbounded
horizontally in the potential for creative exploitation.
Originality/value –Cyber conflict can be understood with familiar political economic concepts applied
in fresh ways. This application provides counterintuitive insights at odds with prevalent threat narratives
about the likelihood and magnitude of cyber conflict. It also highlights the important advantages of
strong states over the weaker non-state actors widely thought to be empowered by cyberspace.
Keywords International relations, Political economy, Intelligence, Conflict, Data security
Paper type Research paper
Introduction
President Obama wrote, “the cyber threat to our nation is one of the most serious economic
and national security challenges we face [. . .]. In a future conflict, an adversary unable to
match our military supremacy on the battlefield might seek to exploit our computer
vulnerabilities here at home. Taking down vital banking systems could trigger a financial
crisis. The lack of clean water or functioning hospitals could spark a public health
emergency. And as we’ve seen in past blackouts, the loss of electricity can bring
businesses, cities and entire regions to a standstill” (Obama, 2012). Indeed, cyber
catastrophe cannot be eliminated as a technological possibility so long as every aspect of
modern life depends on interconnected and reconfigurable machinery (Borg, 2005;Clarke
and Knake, 2010;Kello, 2013;Peterson, 2013;Rattray, 2001;Weiss, 2010).
Yet, for a technology oft described as offense-dominant and undeterrable, there is a
conspicuous historical absence of the most feared scenarios, despite epidemics of
computer crime, espionage and hacktivism (Asal et al., 2016;Gartzke and Lindsay, 2015;
Healey, 2013;Rid, 2012;Valeriano and Maness, 2014). The cases of cyber-physical
disruption that are known, furthermore, are notable for their restraint. Stuxnet did not create
catastrophic failure in Iran’s enrichment program, but rather aimed to slightly raise the
Received 15 May 2017
Revised 22 June 2017
Accepted 27 June 2017
DOI 10.1108/DPRG-05-2017-0023 VOL. 19 NO. 6 2017, pp. 493-514, © Emerald Publishing Limited, ISSN 2398-5038 DIGITAL POLICY, REGULATION AND GOVERNANCE PAGE 493
centrifuge breakage rate; after an error in the code compromised the operation to the
world, enrichment recovered and then increased (Lindsay, 2013;Slayton, 2017). Russian
disruptions of Ukraine’s electrical grid in 2015 and 2016 relied on extensive prior probing,
refrained from inflicting serious damage and were mitigated within hours (Zetter, 2016;
Cherepanov, 2017). Russian influence operations targeting the 2016 US election unfolded
over many months with at best ambiguous effectiveness (Sanger et al., 2016;Rovner et al.,
2017). Meanwhile, despite the steady drumbeat of threat rhetoric, firms and utilities around
the world continue to invest more of their value into digital networks. Either they negligently
tempt fate or the profitability of interconnection exceeds their perception of the risk (Lindsay
and Cheung, 2015).
What explains the absence of serious consequences to date and how durable is this trend?
Perhaps, we have simply been lucky that widespread complacency has not yet been
punished. Another possibility is that weaponizing cyberspace may be beyond the capacity
of many terrorists or even state actors (Benson, 2014;Buchanan, 2017;Herrick and Herr,
2016;Slayton, 2017). Those actors who can overcome the barriers to entry may lack the
motivation to inflict harm via surprise attack, or they may be deterred by the prospect of
military or economic retaliation (Gartzke, 2013;Libicki, 2009;Liff, 2012;Lindsay, 2015;
Lindsay and Gartzke, 2017). At the same time, many government agencies and defense
firms have a political or financial interest in peddling exaggerated narratives of cyber doom
(Lawson, 2013;Brito and Watkins, 2011;Dunn Cavelty, 2008). These complementary
explanations are empirically supported (Healey, 2013;Valeriano and Maness, 2015), but
perhaps future conditions will change. Costs could decline and interests could change,
making destructive hacking attractive and vindicating alarmists. I argue deductively, however,
that restraint in cyberspace is not just an historical accident. On the contrary, incentives for
moderation are built into its cooperatively constructed infrastructure, and these incentives grow
stronger as more economic and administrative functionality moves online[1].
“Cyberspace” shares its Greek root with “government” and should be understood
accordingly as not just an engineering artifact but, quite literally, as “control space” that
extends governance via technical means (Beniger, 1986;Kline, 2015;Rid, 2016). People
adopt information technology to reduce the transaction costs of measurement, coordination
and enforcement, thereby enhancing control over organized behavior. Not only does
cyberspace have institutions like internet firms and the Internet Corporation for Assigned
Names and Numbers (ICANN), but also, in a much more fundamental sense, cyberspace
is an institution. One implication is we can make sense of this sprawling sociotechnical
assemblage with familiar political economic concepts; cf. (Choucri, 2012;Eriksson and
Giacomello, 2006;Kello, 2013). Another is that, to the extent that institutions create
disincentives for conflict in international relations, we should expect the stakeholders in a
complex sociotechnical system to refrain from inflicting great harm on one another.
The relationship between institutions and war is, of course, one of the most enduring and
controversial topics in international relations (Carr, 1939;Deudney, 2007;Keohane, 1986;
Keohane and Martin, 1995;Mearsheimer, 1994). The traditional debate asks whether
normative laws and values can restrain military power and physical violence. Yet, in
the case of cyberspace, the substantive difference between the means of restraint and the
means of aggression diminishes. Participation in the institution is the condition for the
possibility of conflict within it, and this makes all the difference. Actors adopt common
technical standards and protocols to maintain the connections they need to engage in
beneficial exchange or deceptive exploitation, but voluntary connections can be
withdrawn. Cyber operations work by cheating at the margins of the cooperative
agreements that make cyberspace work, not by breaking them altogether, as happens in
confrontational warfare. Of course, states can always resort to violence as the ultimate
arbiter of disagreement, and cyber operations can, indeed, support the use of force by
military means, for example, by shutting down enemy air defenses to create a window for
PAGE 494 DIGITAL POLICY, REGULATION AND GOVERNANCE VOL. 19 NO. 6 2017
To continue reading
Request your trial