The Fastest Way to a Safer Internet? Cyberwar!

If we assume that a safer and more secure cyberspace is a globally-desired goal, then what is the fastest way to achieve that goal? The approach we have been taking to date has not produced meaningful results, so perhaps a more radical approach is in order. In contemporary times, what follows wide-spread and long-lasting armed conflict tends to be an extended period of relative peace and stability. If we want the cyberspace of our dreams to become reality, perhaps we need to live through a nightmare to get it.

Decades have passed and hundreds of billions of dollars have been spent trying to make the Internet a less hospitable place for malicious actors. Technical solutions have not kept pace with threats, and related legislation is outdated as soon as it is voted on. The highways we drive on may be safer today thanks to advances in engineering and the political process, but the information super highway has heretofore defied all efforts to eliminate those things that are “unsafe at any speed.”

War is the one thing we know brings about rapid and dramatic change, both in how it is waged and what happens in the aftermath. The whole world is not entirely at peace, but warfare like our grandfathers fought in Europe, North Africa, Asia and the Pacific – that also impacts multiple home fronts – hasn’t taken place in decades.[1] It is a scenario that is both global in scale and granular in impact that I am talking about here.

In this scenario actors are unidentifiable in any timely or meaningful way (just like real life). Instead we focus on actions and impacts: For several months, cyber attacks have left large numbers of people worldwide dealing with irregular access to capabilities and services that they have come to take for granted. Targets are indiscriminant with regards to geography or politics. The digital “war of inconvenience?” When you have become dependent upon convenience, and lack the skills or material to overcome your dependence, things could become quite grave fairly quickly. [2]

Unlike planes-falling-from-the-sky scenarios peddled by the professional fear-mongering crowd, what I’m envisioning is actually being played out (in short form) right now in large swaths of Maryland, Virginia, Ohio and D.C., and in the northeast U.S. every winter, and western states during heat waves. These situations do not lead to a live-action version of Mad Max because they are relatively brief (few in the DC area who vow to lead a more resilient life after this week will actually do so), but when large numbers of people have been suffering for an extended period of time, they are unlikely to take it lying down.

What we should expect to see then, is the rise of the political will necessary to enact meaningful change that would bring about the return to “normal.” What could this change look like?

In the short term we could see a quick and powerful alliance of convenience. The great technical and political powers joining forces to stop the source of attacks, reboot and harden vulnerable systems, and bring long-suffering back to a known-good state, so to speak.

International cooperation on high-level policy issues could then finally come to fruition. Attempts to implement treaties regarding cyberspace security have been proposed – and languished – for years. But an international regime could be implemented that normalized acceptable behavior and the penalties (however potentially unenforceable) for non-compliance.

On a national- and corporate-level risks are now more completely understood and reforms demand that only the most catastrophic risks be deferred. We see a serious shift to counter malicious activity by organs of the state and corporate security, which are now properly incentivized to collaborate. This is the end of security-as-witchcraft or the mindless adherence to dogma, and the beginning of a time when data drives decisions about what works and where investments should be made.

You will still be able to have children without a license, but you won’t be able to get online without one, or something functionally similar. The online equivalent of speeding, rolling stops and tailgating will not going away, but effective enforcement of serious violations cannot take place unless the authorities can identify suspects in a meaningful timeframe. No one wants digital Big Brother, but by the same token no one wants a repeat of life in Colonial House.

Of course things could turn out very differently. We could see the rise of a few major powers (political-technical alliances) behind which the rest of the world falls in line. iNATO vs. eWarsaw Pact, if you will. Balkanization. Freedom of movement between the two systems is limited if not impossible, and technological advancements are closely husbanded. This may bring about lasting respite from “hot” war, but leave us in a cold war (something first recognized in the 80s that continues today).

This brings us full circle: Is a nirvana-like cyberspace a globally-desired goal? Like a big city, cyberspace has its dodgy neighborhoods and unsavory characters, but by and large everything works. The vast majority of people work and play in safety, and malicious and illicit activity – when and where it occurs – does not have a widespread impact. As long as you’re OK with the Internet-as-New-York-City then why compel change? Maybe to keep the Internet from becoming Sarajevo circa 1993.

[1] This not a dismissal of any contemporary conflict, merely a delineation between those that were largely limited in their geographic scope and how far and deep primary and secondary effects on civilian populations was compared to a conflict that was basically global in scope and had a negative impact far from the battlefield.

[2] To be clear, I’m not advocating for cyber war, merely trying to think through if every cloud does indeed have a silver lining.