The decades-long effort to develop solutions to cyber insecurity has been led by the usual suspects drawn from the policy and legal community. That’s not the only reason why cyberspace is still a global ungoverned area, but it’s a big one. An injection of social science thinking probably can’t hurt, but it is not the one move that could substantially help.
The general process for creating policy involves people trained in how to make policy talking to people who know more about the issue than they do, and having their input ‘inform’ the policy making process. There are a couple of problems with this model when the topic is cybersecurity or conflict. A big one is that you rarely have a policymaker in place who fully understands the details of the subject matter. This is not a situation that is getting better at an acceptable rate. Most people in the process are much closer to ‘tubes’ than they are assembly.
This leads to a situation where the people crafting and approving policy are making decisions that fail to address the issue’s true nature. When you can’t understand something to an adequate degree you lean on abstractions and analogies, which depending on your level of ignorance, takes you further from ground silicon-level truth. Building a mental model to help decision-making is fine until you remember that all models are wrong, and they go sideways in spectacular fashion when the topic involves the Internet. These are points on which the social science wonks and I agree.
But the solution to this situation is not to educate policy wonks on the hazards of “drawing inferences about causal relationships” or the “perils of reasoning by analogy,” it is to train people who understand technology in policy-making, and then put them in positions where they can actually make it. When you can deal with the world (virtual or its physical underpinnings) as it is, the need to avoid intellectual fallacies and tiger pits falls away. We’ve understood the core problems for decades, what’s needed is clear thinking action, not more or more refined or nuanced discussion.
Nerds trained and placed in policy making positions will not entertain approaches to problems that fly in the face of the cold hard binary reality. Norms, rights, conventions, compliance regimes, treaties . . . these are all social constructs the hopeful wish would influence a structure and components that simply do not support such aspirations, at least as currently designed and configured. The kind of change being aspired to would require a whole-of-planet effort (not to mention economy-breaking expense), and it remains an open question whether or not doing so would eliminate all the features that make cyberspace a net positive in our lives.
If we define better cyber policy as the best courses of action for more peace, security, and prosperity consistent with the current operating parameters of the Internet, nerds are your only real option. Their solutions will fall short of the sunshine and lollipop fueled optimism of the day, but they won’t spend a couple decades pretending to be able to manifest Froopyland.