by Justin Sherman
In philosophy and psychology, the naturalistic fallacy refers to an often incorrect inference: that because something is natural, it is therefore good or morally acceptable. Marketers use this to their advantage (e.g., think organic food products), and it also influences our personal lives. A similar phenomenon occurs with digital technology. Just as we tend to romanticize Silicon Valley as a progressive utopia focused on social good, we also tend to classify any and all digital innovation (and "innovation") as inherently positive. When the Internet went global, it was perceived -- by many Western democracies -- as an inherently democratic system that pushed free, open discourse regardless of end user. When smartphones went mainstream, they were heralded as uplifters of all persons across societies, from the rural farmer in a developing country to the businessman in an urban metropolis. Even modern advancements in machine learning, the blockchain, and quantum computing are often portrayed as purely-positive game-changers. As with any element of society, the best policymakers are -- and will be -- the ones who realize that not all cyber innovation is inherently good, and not all digital technology is going to revolutionize humanity for the better. The approach is best when practical, not idealistic. The Internet has enabled the spread of hate speech, malware, disinformation, and child pornography alongside free press. Smartphones have caused disruptions to sleep patterns and possible addiction in teenagers just as much as they have enhanced global communication. Machine learning carries with it enormous bias that can, for instance, disparately sentence black and Hispanic men to longer stays in prison; blockchain systems have produced, in some cases, extremely adverse impacts on the global climate; and quantum computing threatens to break all public key encryption that holds the Internet together. And this is barely scratching the surface of the ethical issues that come with tech innovation and respective policies. We should not be technophobic -- not by any means -- but we don't need policymakers in shock that Facebook disrespected user privacy, either. Thus, we can no longer afford to teach the leaders of tomorrow -- in elementary school, middle school, high school, college, and beyond -- only about the purely beneficial sides of technology. We must teach about security and ethics; we must incorporate discussions of mental and bodily health; we must evaluate digital innovation's impacts on climate change, political stability, and social justice. In order to prepare tomorrow's leaders for the cyber challenges we face, education must accept and address that not all cyber "innovation" is inherently good. We need pragmatic policies towards innovation. by Justin Sherman
For years, the cybersecurity industry -- and, more broadly, the field of cyber strategy -- has suffered from a serious bout of inertia. That is, while many great thinkers have done much to advance the field, many more remain firmly planted, holding the same positions and ways of thinking that they have for decades. This is highlighted by many thoughtful articles; this was highlighted in the New York Cyber Task Force's report on leverage, which found that organizations are developing innovative technologies yet failing to change the fundamental, asymmetric advantage held by attackers; and this is highlighted in my forthcoming conversations with cybersecurity executives and senior cyber strategists who say the same. Inertia of thought is further evidenced by a mere examination of how "cyber" itself is treated: as its own discipline, often locked away within the computer or information sciences, never to make contact with academic coursework in ethics or business or healthcare. And private-sector organizations are just now waking up to the notion of human-centered design, despite its long history in the startup world. Rather than complain about this issue, we as a society -- meaning state and federal governments, schools and universities, and private-sector corporations -- need to fight this inertia by empowering and encouraging diverse thinking. First, the government must stop treating cybersecurity as the purview of just "cyber people," a point that future of war strategist Lydia Kostopoulos highlighted in our recent interview. While the U.S. military view of cyber as a domain is perhaps an easy "out," it seriously hampers the ways in which strategists and key decision-makers discuss cyberspace itself. There are challenging jurisdictional questions that must be answered, yes -- such as the division of authority between NSA and CYBERCOMM, or deciding whether DHS or DOE has authority over protecting critical infrastructure -- but that doesn't excuse the segmentation and isolation of cyber discussions. This is especially an issue at state and local levels of government. Second, educational institutions must dedicate resources to teaching cyber, and not just through the lens of computer and information science. As I recently argued, all students -- from business to policy to healthcare to media -- need a "Tech 101" education that prepares tomorrow's leaders to face the challenges of digitization. Looking to cybersecurity in particular, we not only need awareness beyond the circle of developers and hackers that maintain security in code; we also need diverse individuals to enter the field in the first place. This simply cannot happen without appropriate coursework in elementary schools, middle schools, high schools, and colleges, or without certificate programs that provide alternative forms of learning. As New America's Laura Bate has written, "for scalable solutions to the cybersecurity workforce shortage, the U.S. government will need to look beyond just higher education." Diverse teaching will empower diverse thinking -- fighting this cyber inertia. Third, organizations must work harder to hire more diverse people. The field remains extremely homogeneous, as anyone who has ever stepped foot in a conference or cybersecurity workplace can tell you, and there is clear data that this lack of diversity is making us less safe. Different people handle risk in different ways, which means they think about cyber differently -- again, thrusting against the inertia that keeps cybersecurity conversations so stagnant. Organizations must therefore take clear steps to hire diverse individuals, looking to such groups as "Women in Homeland Security" and "Help a Sister Up" or such events as Europe's first all-female cybersecurity conference. If we want better strategies and policies around cyberspace, hiring different types of people (really, anyone outside the current frame of thinking) is a necessary step forward. We will never attain total security in cyberspace, as such a state doesn't exist. However, we can fight the inertia of thought we currently face -- and it starts with bringing in new thinkers who will challenge existing assumptions. by Justin Sherman
Cyber, herein referring broadly to the digital and online space, does not operate in isolation from "conventional" elements that affect foreign policy. Geopolitical economy has a direct role in shaping the physical infrastructure behind the Internet, which in turn impacts everything from browsing speeds to content censorship. Philosophical works on deterrence and honor still hold enormous value in the digital era. And as the last two weeks have already shown me, the same goes for semantic understanding. To use a demonstrative anecdote: I'm reminded of Duke University's 2018 Winter Forum, "Crisis Near Fiery Cross Reef," during which Georgetown's Dr. Oriana Mastro gave a fascinating talk on the thought process (and actual logistics) behind Chinese military decision-making. Chinese military leadership, Dr. Mastro discussed, sees deterrence in quite a different way than their American counterparts -- which, perhaps obviously, leads to some tangible misunderstandings in the international arena. Now, these misunderstandings of course have their enormous complexities (which I am not qualified to fully understand myself), but they are in some way caused by semantics: two nation-states using the same terminology, but thinking and meaning fundamentally different things. Cyber is not exempt from this reality. Much of the West thinks of "information security" as the ability to ensure the confidentiality, integrity, and availability (CIA) of information; the tech community even uses the abbreviation "InfoSec" in this regard. Encryption, hashing, and data segmentation are just some of the techniques that fall under this "information security" umbrella, as are standards compliance, breach reporting, and crisis management. Despite our enormous reliance on what many to assume to be a technically-objective definition, other nation-states do not hold the same exact understanding. Perhaps most notably, Russia sees "information security" in a different light -- related to the government's ability to control the flow of information (e.g., as they do with television) in order to maintain national sovereignty and political order. While data security is encapsulated in this idea, it arguably refers more to censorship, surveillance, and control of the Internet than anything else; its meaning isn't just technical and operational, but philosophical and deeply political as well. What many think of as a clear term, it turns out, is quite semantically ambiguous. The same semantic issues occur with other powerful nation-states like China, whose ideas of "cultural security" and "innovation security" might not resound with the West as-is, let alone when taken in a cyber context; these challenges arise when trying to translate English cyber terminology into other languages; they even occur within our own country, where debates over the difference between cybersecurity, cyber-security, and cyber security are quite contentious. Cyberspace is not immune from semantics, and just as two physicians should be on the same semantic page when discussing a patient, cyber strategists need to think more carefully about the words they use and try to come to consensus definitions. Because as nation-states begin to develop their international cyber strategies and their domestic cyber laws, such as with Russia and China's 2015 International Code of Conduct for Information Security, we're going to need to speak in cyber terms without losing total meaning. This is just another reason for collaboration and consensus-building in the digital era. (We also need to teach students more about this: hence my first article for New America's Cybersecurity Initiative, entitled "Colleges, It's Time for a General Technology Class.") by Justin Sherman
I'm thrilled to be a 2018 Summer Fellow for the Duke Program in American Grand Strategy! As described in my homepage bio, I'm interning in Washington, D.C. at New America's Cybersecurity Initiative -- a group focused on one of the most pressing issues of our time. I'm working on Internet governance, international cybersecurity policy, and bolstering the cybersecurity workforce through increased diversity and improved education. Generally speaking: I'm a rising junior double-majoring in Computer Science and Political Science, focused on cyber security, warfare, and governance. I'm a member of the IEEE Internet Initiative and the IEEE Global Initiative on Ethics of Autonomous and Intelligent Systems; I'm the co-founder of Duke's newfound Cyber Team and the creator of "Cyber and Global Security," Duke's first undergraduate cyber strategy class; and I'm a Cyber Policy Researcher at the Department of Defense- and NSA-backed Laboratory for Analytic Sciences, where I work with academia, industry, and the intelligence community on federal cybersecurity policy, industry security benchmarks, and national cyber strategy. I've had pieces published or upcoming in Real Clear Defense, The Strategy Bridge, Divergent Options, The Cyber Defense Review, Journal of Cyber Policy, The State of Security, and on the cover of Cybersecurity Trends Magazine (among others), and I hold over a dozen cyber- and security-related certifications, from FEMA and NIH to the Naval Postgraduate School and the U.S. Department of Defense. Much of my research to date has focused on the technical and policy sides of cyber, and it's only recently that I've begun to look at cyber even more broadly -- from a strategic perspective. This is exactly what I'm excited to delve into this summer. Our views of technology are so greatly impacted by our cultures. In one setting, digital could refer to information and communications technology (ICT) like telephones and radios. In another, it might imply social media platforms and e-governance software. For some, Internet conjures up images of cyber crime and intellectual property theft. For others, it inspires and empowers, connecting entire societies to a global network of information. Even within specific technical communities, the word cybersecurity (or is it cyber security?) means very different things to very different people. The term cyber attack holds quite a different meaning for a risk analyst than it does for a lawyer, just as cyber war is processed one way by a diplomat and in quite another by an economist. Conversely, our treatment of technology -- our crafting of policy, our thinking about norms, our understanding of its impact -- is tangibly influenced by these perspectives. Through my work at New America, I will examine these perspectives on the international stage in the context of existing trends: rising states clashing with failing states, non-state actors engaging in quasi-political activities, global business intersecting with diplomatic strife, and more. I will aim to better understand the interplay of trade and decisions about Internet censorship and content moderation; to study workforce development and public education in the context of national and international security; to reason about negotiation and treaty-making in a world where traditional definitions of territory mean less and less; to challenge conventional thinking and bring a young person's perspective to an area in its infancy. I am, in short, quite excited for my own intro to cyber strategy -- an opportunity not just for policy analysis, but for strategic creation. |
Proudly powered by Weebly