In my previous article, I discussed the clash of systems we currently are in. Super quick recap: in one corner, we have the Westphalian nation-state system that’s been around since 1648 and is built on the principles of sovereignty, legal equality and a policy of non-interventionism; in the other corner, we have the Internet, which has no established sovereignty, is marred by legal blurring, and by virtue is interventionist and disruptive in nature.Ultimately, what we have is a system clash where our original intent – free flow of information but with positive control of the Internet in our lives – has been flipped on its head, where the Internet effectively controls our lives.I closed the article by stating that national interests will continue to take precedence over any other interest for the foreseeable future. I will now try to illustrate to you that that’s the case in this article. I begin from two nuanced comments, which are both related to Section 702 of the FISA Amendments Act that then FBI Director James Comey made during his May 3, 2017, testimony in front of the Senate Judiciary Committee.The first comment, in response to a question from Senator Orrin Hatch (R-UT):“We need this to protect the country. This should be an easy conversation to have, but often people get confused about the details and mix it up with other things. So it’s our job to make sure we explain it clearly.”And the second comment, in response to a question from Senator John Cornyn (R-TX):“Thank you, Senator. The — every time I talk about this publicly I wince a little bit because I don’t want bad people around the world to focus on this too much. But really bad people around the world, because of the genius of American innovation, use our products and infrastructure for their emails, for their communications.”These two comments may come across as fairly benign, straightforward and even expected. But in their simplicity, they say one thing: my interest first. And just as important is what Comey did not say. Anybody that understands operational security 101 knows not to talk about methods unless circumstances explicitly require you to do so.Why not? Because of the need to protect the national interest, that’s why.Even simple confirmations or denials give “bad people” insight. This is why the British Defence Secretary Michael Fallon refused to deny that Britain’s nuclear submarines used the outdated Windows XP operating system after the global WannaCry attack. Answering the question, one way or another, compromises the UK national interest because it gives an adversary insight.Even at the micro scale, strong encryption schemes spit back randomized dummy data during a data decryption failure. Why randomized dummy data? Because even giving the adversary a response of a “wrong answer” gives them insight on how to adjust their attacks. Say nothing or give back meaningless garble.Therefore, not only was Comey perfectly correct to say these things, but anybody in his position could not have said otherwise because they could have potentially compromised the United States’ national interest.Do Not Look to Make Your Life More Difficult When the Answer is SimpleSet aside all politics and details for a moment and begin with this premise: are my interests being met? If you take that as your starting point, the fog will begin to clear for you. Of course, reasonable people can have an informed debate over what “correct” interests are, but that is what we try to do in democracies. Interest is the overriding factor here.For example, I can have a particular stance on issue X, and infosec news website’s editors could have a contrarian position. As reasonable actors, we will work towards a solution that meets our mutual interests, as the news website would never publish an article that harms their interests, and I would never agree to author an article that harms my own interests. This is all pretty straight forward stuff so far.But when we apply these straight forward concepts to complex problems, such as geopolitics or cybersecurity, it seems as though the interaction between parties goes from respectful conversation in the tea house to royal rumble in the streets. My own observation is as follows: to my knowledge, no precondition exists where a complex problem requires a complex solution.This is why much of my own cybersecurity work focuses on the basics. If you cannot get the basics right (such as avoiding phishing attempts, patching/updating your system, backing up your data, segregating certain items, knowing what type of services you are using, and so on), you set yourself up for getting the tough stuff wrong.So, let us go back to the systems clash. Any effective cybersecurity solution that is to stand the test of time must take into account the national interest regardless of nation.Perhaps I am being too much of a pragmatist here, but we are a long way off from achieving the internal harmony and peace of the United Federation of Planets (and even then, you still have Klingons, Romulans and the Borg to worry about). Therefore, for the foreseeable future, expect any cybersecurity decisions made – especially at the geopolitical level – to focus on national interest in much the same way that any decision is designed to serve the best private or corporate interest. This is textbook fiduciary duty here.And because that is the case, the notion that the cybersecurity challenge can be solved primarily through technological measures becomes shattered.The Economy, StupidI know everybody is probably exhausted by election talk, but James Carville’s three words during the 1992 U.S. Presidential election continue to capture the essence of the challenge we face: the economy. With all apologies to my IT friends and vendors in the field, the cybersecurity challenge is really not about you anymore; the cybersecurity challenge is about which worldview will dominate and, more importantly, which worldview offers a more prosperous life to its citizens.Therefore, the cybersecurity challenges we face today are a direct extension of the clash of systems we see elsewhere in policy: a worldview that looks towards “taking care of your house,” which focuses on individual interest (more nationalist), versus one that looks towards “one big tent for all,” which focuses more on redistributive interest (more globalist).This looks an awful lot like the clash of systems I was describing in the previous article, doesn’t it?I am pretty sure proper network configuration will not answer that question, specifically because the cybersecurity challenge has resulted in a convergence of issues that slice through disciplines, thereby affecting social, technological, economic, environmental, political, and legal domains.I really wish our cybersecurity problems could all be fixed by some simple technical solution, but as Paul Ferrillo and I say here, the abundance of big data we are working with makes that task impossible for humans to manage alone.“But, George, you said simple answers!” Yes, I did. My simple answer is: know your interests. And that brings me to the title of this piece: before you declare your enemy, be sure of your interests.Only a Contrast Concept that is Better to the Status Quo Can Change the System ClashInterests can be a tricky thing because they change, especially over time. So before you decide to torch a bridge, make sure you will NEVER need it (something not easily done) and only light the match after you have crossed that bridge at least once.Consider for a moment that both the Internet and the globalist movement are relatively new phenomena in our history. For argument’s sake, let us just say both are about 50-ish years old. That is comparatively young to a system that has been the norm for nearly 370 years and is generally accepted to serve most interests.The Westphalian model, whether you are in favor of it or not, has at least done a relatively good job in defining this construct we call sovereignty. Therefore, do not be surprised if the power brokers have a natural reluctance to surrender that sovereignty, even if the result could be a safer and more secure cyber domain.So, your question may now be: under what conditions would the nation state give up some sovereignty for a more safe and secure cyber domain?Simple answer: a contrasting concept, which is easy to understand and potentially executable, where X (a globalist Internet) serves a greater national interest than Y (a nationalist Internet). “Safer and more secure” is not easy to understand and almost impossible to execute under the current conditions, so scratch that as a contrasting concept.And quite candidly, with so many actors, I do not see a contrasting concept that would enrich the personal prosperity of those who currently enjoy the nation state system as it is.If you accept that security and economy are inextricably linked (they are), then you understand their direct ties to national prosperity. And if you understand that, you will also understand that national prosperity at least increases the potential for greater personal prosperity. People buy into that idea, especially if somebody believes in self-determination and the ability to chart their own path through life.Therefore, whether it is “the economy, stupid” or “make America great again,” both comments, whether overtly or covertly, underscore the prioritization and precedence of national interest above all other interests, particularly through economic strength. Take this to the micro level: you need to give me a better deal than the one I have if you want me to give up what I have.Nation states are no different. They want a better deal than the one they currently have. And admittedly, that is easier said than done.In my next article, I will focus on why determining interests within the context of cybersecurity at the international level is so difficult, reinforcing that we require a much deeper understanding of human interactions and expectations if cyberspace is to be secured. About the Author: George Platsis
has worked in the United States, Canada, Asia, and Europe, as a consultant and an educator and is a current member of the SDI Cyber Team (www.sdicyber.com). For over 15 years, he has worked with the private, public, and non-profit sectors to address their strategic, operational, and training needs, in the fields of: business development, risk/crisis management, and cultural relations. His current professional efforts focus on human factor vulnerabilities related to cybersecurity, information security, and data security by separating the network and information risk areas.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.