The Briefing

Governing a World of Many-to-Many Threats and Defenses

Thursday, January 24, 2013

Imagine a world in which you can attack anyone—anywhere—and in which anyone, anywhere, can attack you. Imagine a world in which you might pose a strategic threat to an established government, and in which governments might require your assistance to provide basic security goods to their citizens. Imagine a world in which the basic premise of Hobbes—that empowered government can protect you—were no longer clearly true, a world in which even radically-empowered government proved hapless before more numerous empowered citizens . . . citizens like you.

This is the world the march of technology is quickly building. And we have no idea how to govern it. Even just beginning the daunting process of grappling with this governance problem constitutes a major challenge for the Obama administration in its second term.

The emergence of what I call the world of many-to-many threats and many-to-many defenses is already starkly visible in cyberspace—with its strange mélange of international crime, vigilantism, government enforcement, espionage, and sabotage. But it is a grave, if common, mistake to think about the problem narrowly as one of cybersecurity. Cyberspace, after all, is merely the platform on which the many-to-many threat and defense environment has developed the furthest to date. So when dealing with networked computers, we are shocked—but not too shocked—that Anonymous can take on major corporations. And we are shocked—but not too shocked—that Wikileaks can take on the US government. And we are shocked—but apparently not too shocked, since the case only merits in-passing news coverage—that a fellow in California can write malware to turn the web cameras of hundreds of women and girls on them, take compromising pictures of them, and then use those images to extort them into making pornographic videos for him.[1]

But the focus on cybersecurity obscures a larger truth: the very features of the cyber domain that enable these most asymmetric of attacks across great distances exist on other platforms too. The key features of these technologies of mass empowerment include development in the unclassified sector for non-military or dual-use purposes, wide public dissemination both of the core insights in the field and of the key technological components and materials, the resulting low cost of entry to newcomers who want to engage the technology, and a certain quality of networking that creates difficulty tracing and attributing attacks quickly and authoritatively. All of these factors already exist in the life sciences, where individuals can manipulate and enhance—even create from scratch—viruses and bacteria. They are fast developing in robotics, which governments already use to conduct highly-lethal remote attacks, and to which individuals have ever-increasing access. How long do we really think it will take before a gun enthusiast arms a remotely-piloted robotic aircraft with his favorite handgun (very doable by a competent layperson with a few thousand dollars to burn)—or before a very scary person of one sort or another arms a crop-dusting drone (which already exists) with aerosolized anthrax? Thinking narrowly in cybersecurity terms is a little like conceiving of the problem of climate change in terms of highly localized impacts and adaptations. Doing so may be necessary to break the problem down to a manageable size, but it also risks obscuring the larger picture.

The challenge of addressing this larger picture is not a discrete policy puzzle, but a larger problem of governance of a world in which power gets distributed quite differently from the ways we are accustomed to seeing it dealt out. To put the matter another way, governance in this space is undertheorized. With policy problems—even very difficult ones—we might say that the Obama administration should take this course or that course so as to avoid a particular bad set of outcomes or to encourage a particular good set of outcomes. Here, however, we are talking about something more tectonic, something that touches the very reasons we have governments at all. And it is probably not reasonable to expect the Obama administration to spend its second-term energy refining our ideas about liberal democracy to enable us to prevent technologies of mass empowerment from creating a global state of nature. The short-term policy problems—from America’s fiscal crisis to immigration reform to defeating the remains of al Qaeda—will fully consume the administration. This governance challenge is a generational one, one that no single administration can address fully.

But neither can the Obama administration ignore the problem. And cybersecurity offers one avenue into the broader conversation the administration should lead. The security challenges and opportunities associated with technologies of mass empowerment have already reached critical mass in this area, after all, and cannot be ignored. But it is crucial for policymakers as they address them to avoid stovepiped thinking and understand that they are also creating models for evaluating a broader array of security challenges we are sure to see over the coming years and decades. The principles we establish for issues such as jurisdiction, sovereignty, attribution, civil liberties and surveillance, liability, regulation, and the relationship between the public and private sector will matter enormously as we begin mentally applying the model we develop in cyberspace to other more-incipient platforms. Furthermore, and perhaps more fundamentally, it is urgently necessary to begin integrating an utterly changed threat and defense environment into our strategic thinking about what threatens us, what protects us, and how both law and doctrine can encourage or inhibit key actors from playing constructive roles in making our environment more secure. Presidential rhetoric has a role to play here in conditioning us to begin thinking differently about what security is and where it originates.

President Obama is not going to solve this problem in his second term, but he can start a conversation about it. History will not remember kindly leaders who—as so many presidents have with climate change—decide that the problem is simply too big to address and therefore ignore it.

[1] The horrifying case of Luis Mijangos has received only scattered press coverage, most notably a lengthy story in GQ magazine. See David Kushner, “The Hacker Is Watching,” GQ, January 2012, available at