Myriam Dunn Cavelty is a senior lecturer for security studies and deputy for research and teaching at the Center for Security Studies (CSS), based at the Swiss university ETH Zurich. Her research focuses on the politics of risk and uncertainty in security politics and changing conceptions of national and international security due to issues such as cybersecurity, cyber-war, and critical infrastructure protection. She also advises governments, international institutions and companies in the areas of risk analysis and strategic foresight.
She recently spoke to The Innovator about how cyber warfare is increasingly focused on disinformation campaigns.
Q: When did we first begin to see information become central to the notion of cyber warfare?
MDC: In the 1990s, it really started to come up on the American agenda. If you think back to the Kosovo conflict, the Americans tried out their new doctrine there. Its military called it “information operations.” The hacking aspect was a very small part of it. And there were a lot of stories about how they tried to hack into Milosevic’s bank accounts, etc. But the focus was also on this influence of hearts and minds to win the population. Then the West started to focus on hacking of critical infrastructures as the top threat. And cybersecurity really became this kind of idea of somebody hacking into the power grid and bringing you to your knees out of the blue. And that was what people started thinking about almost exclusively.
Q: So after the U.S. moved away from disinformation, what happened?
MDC: The Russians and the Chinese never just focused on the hacking into systems. If you look at their ideas of information warfare, it’s always been this much broader idea of having the human mind at the center. So this meddling with perceptions, this need of an autocratic regime to make sure that the population’s ideas are shaped so that they don’t get the wrong ideas, that was always there.
And it was mainly internal, for their own regimes’ stability. But for a variety of reasons, it became an idea to export that outside, to actually start influencing the information sphere much more broadly.
Q: What factors made this broader effort more effective?
MDC: I think we have to look at how social media developed. This was an opportunity, with algorithms that can be manipulated very easily. So you have a technical development there, plus an idea that was fairly old. And so we saw this idea that you can start influencing the infosphere outside of your country.
What we are seeing now is kind of a natural development of opportunity atrelatively low cost, with fairly high gains. It’s debatable what,in the end, it really brings. But since it’s so low cost, why not try it? And you see them trying to just kind of stir this division we have in society, to seed doubt. It’s enough, to confuse the enemy. These are old ideas. But modern communication technology does this really well.
Q: How difficult is this to fix?
MDC: It has gone way beyond what we consider the core cybersecurity issues, the security of systems. That makes it so difficult in terms of countermeasures. If you want to secure and harden systems, you can buy solutions. But how can you try and harden your society? How do you make sure that people don’t turn away from politics or become almost radicalized?
I think it just kind of goes into this overall tendency that authority is eroded nowadays. It’s very hard because now people start to catch on to things like fake news and fake accounts andattempts to influence them. So suddenly, there is a distrust in anything that actually comes with truth claims, and that makes it difficult politically and democratically. When you are in a democracy, and you want to have a political discourse about things, how can you ensure that you have a position of authority, or at least trust, with the people, so that they listen to you?
I think this is the destabilizing effect that we are seeing. And it’s a long-term strategy to go and destroy everything that people believed in, and are certain that they can believe. If you have enough doubt, then you have a problem in a democracy because then suddenly, everything that you see, you start to question, and I think that is problematic.
Q: Is there any solution?
MDC: This new type of threat, like stealing information from politicians, that we’re now seeing, this destabilizing effort, is super easy, and we won’t fix it. You can’t educate people enough so that they don’t click on links, because some of them are so well done, you just need one person in an organization that clicks and then you’re in.
On the technical side, you could try to separate very important information from servers that are easily accessible. But even then, if somebody tries long enough, they will get in. If the information they want to get is really valuable to them, they’ll just try for a year or two. We used to talk about cyber attacks. Now, we talk about cyber campaigns. Because it’s not the attack that matters. It’s the long-term planning behind it. I don’t think it’s going to go away.
Q: How should governments and policy makers respond when it’s their credibility under attack?
MDC: It’s definitely not governments in the West that can reestablish the truth and make sure that everybody believes them. Having societies that are somehow divided due to economic issues, etc, that also is not going to go away. So I think what we need is a discourse that addresses these issues in an honest way. Governments, first of all, should stop pretending that they can fix cybersecurity issues, because they can’t.
It’s much smarter to shift the focus away from prevention to the resilience aspect. How can we make sure that even if we have incidents that we are back up on our feet, that we can ensure that the most important services are running. It’s very hard politically to do that.
Q: Are governments being aggressive enough in responding to outside attacks?
MDC: This public attribution, when a state actually accuses another state, is a fairly new development. And we’ve seen a lot of resources, both in terms of the technical resources, the intelligence resources, but also political and communication resources ,going into being able to credibly call out a threat. And it has consequences. It’s almost like a deterrence measure. Because you begin to actually make clear what the costs are, you start to draw these red lines. So you say, ‘You can go until here, but if you step over, these are the repercussions.’ And I think this is, in the end, going to bring some kind of stability back to this field. Because at the moment, at least, it is very much a great power politics game.
Q: What role are cybersecurity companies playing in this battle?
MDC: A lot of people that have commercial interests are also the ones that talk about the threat landscape, and that is not good. We don’t have a lot of independent voices that would be able to actually tell us whether there are back doors in products, or whether and how we could measure the risk. There is no good data at all. So we have a bit of an issue again of who do I believe? Where do I get my information from?
There’s some idea of trying to strengthen maybe academia or NGOs, to be able to get better threat information to get a better picture of what is really going on but we are far away from that.
The role of threat intelligence companies is hugely influential, because they’ve been shaping our perception of the threat. It’s a market. And they sit on data that is very expensive, so it’s not publicly available. So there’s not a lot of transparency out there. And I think it’s even being reduced, because they don’t release data as freely as they used to. It was much easier to get information on threats before, but because the market has just grown so much, it’s harder. It goes back to this question of what the truth is, and how we can get an idea of of how dangerous it really is, and what the interests of people are in this game.