Camus is not a sociologist, of course. With The Stranger, he wanted to write a novel about a person who believes in nothing. The novel is a thought experiment, a philosophical exercise. Meursault, the protagonist, is deliberately pared down to a man who believes in nothing more than his senses.

Camus based his descriptions of Meursault on real experience. He had spent several years as a newspaper reporter, covering the crime news and court trials in an Algerian city and he used real incidents he had covered as the basis for his book. One in particular: A tough guy Camus knew told him about a friend who took him along when he tracked down a man who had knifed him over a dispute. The friend brought a revolver. But in reality, no shot was fired—the confrontation wound down. Most such incidents do.

What makes the difference in those cases where violence, especially deadly violence, breaks out? This is the province of micro-sociology, which studies how people affect each other and set off new patterns that emerge in the interaction. From studies of violent situations, we have learned that face-to-face conflict raises bodily tension. At high levels of tension, opponents become clumsy and inaccurate. They experience sudden increases in levels of adrenaline and cortisol, which is the stress hormone triggered by the primitive fight-or-flight center of the lower brain, an undifferentiated arousal for rapid action that can go either way.

French writer Albert Caumus, after he was announced as the winner of the Nobel Prize for literature, with the French actor Madeleine Renaud, in Paris on Oct. 17, 1957. Photo by Godot/Associate Press.

Without being a social scientist, Camus shows us how this happens. He is an excellent observer of the small details of how people interact in particular situations, especially what consciousness feels or looks like at each moment in one’s body. After agreeing to get involved in the conflict, Meursault stands alone in the hallway, unthinking but hearing “nothing but the blood throbbing in my ears, and for a while I stood still, listening to it.” Another character tells a police officer that, “when I see you standing there looking at me, I can’t help trembling. That’s only natural.” The blood pounding in his ears, and the trembling, are the result of increased adrenaline.

The effect is easily measured. Ordinary resting heart rate is about 60 BPM (beats per minute) in adults and about 100 BPM in moderate exercise. During athletic performance, the heart rate goes up to about 115-145 as big muscle groups are energized. The heart rate also goes up when adrenaline is activated. The effect of emotional tension and fear are stronger than vigorous exercise alone. And at higher BPM levels, fine muscle coordination is progressively lost. Try writing with a pen when your exercise machine says your heart rate is 145 or more. At levels around 150-175 BPM, perceptual distortions start to happen. Time becomes distorted—it seems sped up, or slowed down to a dreamlike, walking-under-water pace. Vision becomes blurred, surroundings are lost, tunnel vision narrows in. Hearing tends to shut down, a cocoon-like experience in which one can’t hear the sounds of one’s own gun or the voices of people around you.

These effects are particularly important in understanding police shootings—a tragic, and unreasonably common, example of unnecessary violence. Virtually all controversial police shootings show signs of these perceptual distortions. In the Tulsa, Oklahoma shooting of Terence Crutcher in September 2016, the officer said she temporarily lost her hearing just before she fired—even though there were sounds of sirens and a police helicopter overhead. In the cocoon of high tension, voices disappear. The more persons who are present—cops, suspects, friends and family, bystanders—the more likely sounds blur into a babble of raised voices. Clear communications break down. And having more police on the scene increases the chances of uncontrolled shooting. Tension is contagious. Cops who are tense tend to make officers around them tense.

One clear sign that a shooting is caused by out-of-control adrenaline is overkill: when an officer fires many more shots than necessary to disable the apparently threatening suspect. Which brings us back to Camus and the mystery of why Meursault fires those four extra shots. Before the shooting, Meursault shows all the acute symptoms of perceptual distortion. “For two hours,” Camus tells us, “the sun seemed to have made no progress.” Meursault’s heart beat is pulsing in his forehead, although he attributes it to the sun; he feels “the whole beach pulsing with heat” and “cymbals of the sun clashing on my skull.” Camus reports on the phenomenology of losing control in a violent confrontation, what I have described as a “forward panic.” Hence those four superfluous shots. Camus took a little-noticed reality of violence, and built a shocking climax out of it.

Camus’s book uses this climax to suggest the absurdity of the universe, the lack of goodness or divinity. He implies that the act is random and could not be avoided or predicted. As a sociologist I see it differently: It’s an example of a phenomenon I’ve studied in real life. With understanding of what causes such unnecessarily violent actions, we can use that knowledge to prevent them.

This is especially important because of the racism that runs through Camus’s story and much contemporary police violence. These findings can leave us in despair—felled not by existentialism or nihilism, but by the magnitude of biases that run through our society and the seeming impossibility of fixing them all. As a society we need to address racism and political gridlock. But the physiology of violence reveals that we can take other direct steps to decrease police shootings.

We should focus our efforts on heart rate. U.S. Army psychologist Dave Grossman has developed a four-part exercise to reduce heart rate via breathing in slowly, holding one’s breath, then breathing out slowly and holding—and repeating as necessary. Cops should practice this or a similar protocol. They should also wear a monitor, which would tell them when it’s necessary. This practice does not require deep introspection on the part of an officer, or evaluation of one’s motives—it’s a purely physiological assessment. But it would allow cops and others in tense situations to check their biological responses before perceptions become distorted and unnecessary violence happens. Thus a key tool might be a heart rate monitor in addition to a body camera. And rather than relying on the threat of criminal prosecution to deter police shootings, we offer proactive training to bring down heart rates and adrenaline levels.

Certainly, some confrontations develop so quickly that the people involved might not have the chance to breathe deeply. But such situations do not arise very often. Many instances of police shootings—and especially those which turn out to be based on misperceptions—take time to develop. Sometimes officers speed up the situation unnecessarily; in Cleveland in November 2014, the officer who shot a black adolescent carrying a toy gun on a playground raced to the scene and fired within two seconds after jumping from his car.

Better trained officers would be aware of their own body signs and the danger zone of perceptual distortion, and would not attempt to fire until they had a clear view of the situation. Research by sociologists Geoffrey Alpert and Roger Dunham on escalated police encounters found that cops who handle situations better have a better sense of timing. More experienced cops are less likely to scuffle with resisting suspects, and spend more time attempting to control the situation by talking them down and presenting a strong demeanor; when they do use their weapons, they are more decisive.

What about Meursault; would such awareness have saved him? Perhaps. Which would, of course, have ruined Camus’s drama, as well as its symbolic resonance. It might have robbed us of great literature. But great literature is great, in part, because it builds on acute observations of real life. Those observations have a lot to teach us.

The post How Solving the Mystery of a Classic French Novel Could Curb Police Violence appeared first on Zócalo Public Square.

The fact that “barbarian” survives intact in modern English suggests that we still tend to see foreigners in a negative light. Controversy over immigration, that is, connects our time to that of the ancient Greeks. But as a professor of classics at the University of Colorado, Boulder, I hear deeper, and very different, echoes. If we read Greek culture correctly, it’s not just bequeathing us a hatred of foreigners. Rather, it offers peculiar contradictions in its attitude toward immigrants, which reveal a lot about the contradictions and myths of our own country and time.

The most interesting attitudes come from Athens, since Athenians wanted to think of themselves as sophisticated, worldly, and welcoming of immigrants. In a famous speech, the historian Thucydides has the political leader Pericles characterize the Athenians as a people whose city-state is open to the world even though, he explains, such unhindered openness may allow the enemy to profit from state secrets. This in contrast with Spartans, who are represented by Pericles as close-minded and unsophisticated.

But Athenians also had an origin myth that helped them to distinguish themselves from foreigners—a story of autochthony, or being born from the earth. Athenians said that Hephaestus (or in some versions, Poseidon) wanted to have sex with Athena. Athena, however, was an eternal virgin, so Hephaestus’ desire could not be satisfied. He tried anyway and ejaculated onto Athena’s leg. Athena wiped off the semen with a piece of wool and threw the wool onto the earth. Earth, harboring the sperm, nurtured a baby to term and then handed the child over to Athena to rear. He became the first king of Athens. In the myth, all Athenians are descended from him and other ancient kings also imagined to be born of the earth. Since ancient kings created institutions, like marriage and the Panathenaic festival (an important civic festival in honor of Athena), civilizing customs were also closely tied to the land.

At first this origin story sounds profoundly alien to American ears accustomed to tales of Thanksgiving day feasts involving maize, or of Grandma landing at Ellis Island with nothing but a samovar. Yet we have our own version of American autochthony in current claims that some citizens are “real Americans,” with deep roots in their native soil, and some are not. We also pride ourselves on openness, like Pericles in Athens, saying that we are a “nation of immigrants”—while also making sure to distinguish the “real” citizens from supposedly illegitimate ones.

Athens’ dirty secret, which wasn’t much of a secret, was that it depended on foreigners to do things Athenians didn’t do. In and around Athens there were tens of thousands of resident foreigners, known as metics. Some were non-Athenian Greeks. (Since there was no Greek “nation,” and Greeks instead identified with their city-state, Athenians considered all Greeks who weren’t from Athens to be foreigners.) Others were economically motivated Egyptians, Thracians, and Phoenicians, as well as many people from an area that lies within present-day Turkey (Phrygians, Lydians, Scythians). Metics had a citizen sponsor, registered with the authorities, and paid taxes. They received some legal protection, but they did not enjoy full citizen rights, such as voting and owning land.

Metics had occupations that were thought to be un-Athenian, like trade and commerce. A common smear of them was that they did not care about the state, but about themselves and their own personal gain. Metics are described in comedy as dishonest. Sound familiar?

One funny thing about these supposedly dishonest and disloyal workers is that the word metoikos includes the word oikos, “household,” which indicates the most intimate part of Greek life. The prefix meta could mean either “with” or “change,” so metics were “livers with” or “changers of households.” In practice, Athenian metics were not necessarily connected to the household, though they could be—women might be employed as wet-nurses. But today we can see a (different kind of) connection between immigrants and the oikos in immigrants who make their living by cleaning houses or working in childcare.

For me, though, the most interesting lesson of Athenian immigration is not the conjunction of openness and autochthony, or the reliance on foreigners. It’s the way Greek tragedies treat foreigners as both dangerous and magical, strange but offering mythic powers to the city-states who manage to keep them.

Tragedies were staged at the annual Great Dionysia festival, which was more like a State of the Union address than a Broadway play. The festival played out with pomp, circumstance, and celebration of Athenian ideology. Before the performances began, tribute from Athenian allies (or Athenian subjects, depending upon your perspective) was brought into the theater. The names of those who had benefited the state were read, and war orphans who had been raised at state expense were paraded before the crowd. From this psychologically comforting perch, Athenian citizens watched tragedies about terrible dysfunction (like a wife who kills her husband when he comes home from war) and ideas that conflicted with Athenian ideology. But they also watched tragedies that celebrated Athens as a highly functional polis, a place where difficult problems are set right.

In these latter plays, foreigners could be depicted as almost magical. In Sophocles’ tragedy “Oedipus at Colonus,” the formerly accursed king Oedipus is a “foreigner” from Thebes who arrives in Colonus, a small town on the outskirts of Athens; he is so unfamiliar with its customs that he walks right into a sacred grove. When elders appear shouting—“You cannot walk there! That space belongs to goddesses!”—Oedipus explains that he is an exile and that he would like to be admitted into their community. At first he does not tell them his name; when he finally does, the elders are horrified. Oedipus killed his father and slept with his mother. His actions are utterly barbaric.

Yet, over the course of the play, the elders teach Oedipus how to act properly in Colonus, because a prophecy from the god Apollo has indicated that if they get his body after his death it will offer protective powers. They give him detailed instructions about how to perform a ritual to appease the goddesses he has offended; they sing a sorrow-filled song together with him, in which they mourn for his traumatic past. When the king, Theseus, appears, he immediately announces that he will allow Oedipus to dwell in the land. Oedipus, for his part, explains that he is going to be a “savior” for the Athenians, because his dead body will offer them military protection.

Aeschylus’ “Eumenides” features a different sort of scary outsider–the Furies, a band of goddesses hell-bent on vengeance. The Furies are not easygoing ladies. They are terrifying, Gorgon-like creatures that slurp the blood of humans; Apollo describes them as monsters who belong where beheadings and eye-gougings take place. When they first arrive in Athens, they insist that they are going to bring a plague on Athens and destroy the land and the people. But by the end, persuaded by the goddess Athena, they agree to go beneath the earth, live there, and bring blessings. Donning the crimson robes of metics, the Furies become Kindly Ones (Eumenides). Like Oedipus (though different because he dies and they are immortal goddesses), they are incorporated into Athens in order to protect the polis.

Both of these plays suggest that integrating the most frightening of foreigners offers safety and protection—even military protection—for a powerful city-state. They also demonstrate that the polis can handle and even neutralize the potential threat of foreigners via its rules for accepting exiles and its well-run court system. In this way, Greek tragedies taught Athenians that their institutions could help the whole population benefit from the presence of foreigners. Institutions could take the worst—a man who had married his mother and killed his father, or those loose-cannon goddesses—and not only train them to be model citizens, but make them pay a dividend!

Until very recently, this was the story America told itself, and it has paid well: 51 percent of the country’s billion dollar tech startups were founded by immigrants. Rich American men have brought more than one good luck charm Slovenian model home to the pent-oikos. At the heart of successful, aggressive states is a paradox: They need a distinct identity and they need lots of merchants and wet nurses and “barbarians” to make the state more powerful. How they solve that paradox is how history remembers them.

The post For the Ancient Greeks, Immigrants Were Both a Boon and Threat to Homeland Security appeared first on Zócalo Public Square.

When you’re talking about information that can be used, or useful, in conducting cyberwarfare, that type of data is different from the conventional identification data, which when released is an invasion of a person’s privacy, or could be used in a fraudulent manner. The missing cyberwarfare data is the data of companies like utilities, hospitals, ports, and other sorts of critical infrastructure.

The most feared and plausible cyberwarfare scenario is the crippling of the nation’s electric grid, which is the basis for the way we live our lives every day, especially insofar as it is the basis for providing critical healthcare needs of patients in medical facilities. About 85 percent of our vital national infrastructure—dams, highways, tunnels, bridges, electrical grid, sewers—is owned privately.

So any attempt to mandate the provision of that data, either to the United States government to develop counter-measures to cyberwarfare, or even to states and localities, has been strenuously resisted by the private sector. It has been resisted both as a knowing obstacle that is being set up to protect things like trade secrets and intellectual property; and it’s being resisted in an unknowing way, a knee-jerk adverse reaction to turning over any private commercial data to government institutions.

The government’s inability to access private sector data is probably the most fundamental weakness of our ability to fend off cyberwarfare attacks. The methodology that is in place now is, at best, based on incentive-driven cyber regulation, which tries to make it attractive to private organizations to turn data over to allow that data to be protected. However, volunteerism clearly is not working here, and it is therefore not enough to set up a defense to a full-scale, damaging infrastructure cyberattack.

Protecting the privacy of individual U.S. citizen data, where the government wants to collect mass amounts of private information, raises different kinds of issues. At the University of Maryland Carey Law School, I taught a class on “National Secrets, Foreign Intelligence and Privacy.” That entire course was driven by the Edward Snowden security leaks in June of 2013. Snowden demonstrated that there were various avenues the United States government was using to access private information of United States citizens.

The two central legal authorities that the United States was relying on were Section 215 of the Patriotic Act and Section 702 of the Foreign Intelligence Surveillance Act Amendments of 2008. Nobody outside of the federal government—and I would say most of the federal government itself—understood that these kind of surveillance activities were being undertaken.

Section 215 was the vehicle through which the National Security Agency vacuumed up so-called metadata, which is information about who a citizen calls. The data shows both the phone number of the arranger of the call, and the number of the person to whom the arranger places his call, as well as the amount of time that the call lasts.

It is not a content-driven, wiretapping surveillance—in other words, you do not know the substance or content of the call. But an outsider can tell a lot about somebody’s private life by knowing who they call on a regular basis and how long that call lasts. Knowledge of frequent calls to an HIV/AIDS advice line, Planned Parenthood, or a psychiatrist, tells the reviewer of this data important information that the caller would otherwise clearly want to be private.

This collection of metadata was further aggravated by the fact that when the metadata was accessed by the National Security Agency, if it dipped into the metadata, it could not only look at the telephone traffic between one caller and another caller, but it could search “three hops” of the data.

The first hop is “A calls B,” and the NSA could get that metadata; then the NSA could get the metadata of everybody that B calls. That’s hop #2. Then hop #3 is the metadata of everybody receiving calls from B. Therefore, with three hops you have a spider web of the metadata of hundreds of thousands of calls. When the program was made public in June of 2013 by the Snowden leaks, President Obama pledged soon thereafter: “We’re only going to collect two hops, not three hops.”

Then the next question becomes: How does the NSA access the details of the metadata it has collected? Originally, experienced intelligence officers supervised requests to access the specifics of the metadata. That was considered quite troublesome legally, because one basic tenet of a constitutional search is that a warrant is obtained from an independent court. By having intelligence officers decide whether the metadata could be searched, that tenet was violated.

One of the first things President Obama did in January 2014, besides eliminating three “hops,” was to impose the requirement that if the metadata was to be searched, the NSA, through the Justice Department, had to get a foreign intelligence surveillance warrant from the Foreign Intelligence Surveillance Court showing that there was probable cause that searching the metadata would concern an agent of a foreign power.

Even with President Obama’s adjustments, Section 215 was criticized broadly, both from the left by civil libertarians and from the right by libertarians.

The USA Freedom Act in 2015 repealed Section 215. However, that statute required phone service providers to hold onto their metadata records for a longer period of time, and if the NSA needed access to that metadata, it could go to the Foreign Intelligence Surveillance Court to obtain a warrant to examine the metadata if it showed that there was reasonable, articulable suspicion (“RAS”) that the metadata would lead to, inter alia, terrorist activity. Of course, showing RAS is, in legal terms, not “probable cause” of criminal activity, the classic threshold for a lawful search and seizure under the Fourth Amendment. At some point, therefore, the constitutionality of this new metadata provision may be challenged.

Section 215 was the legal basis of the first of the two legs of the surveillance revealed by the Snowden leaks. The other is based on Section 702 of the Foreign Intelligence Surveillance Act Amendments of 2008. Section 702 is driven by the fact that the target of the requested surveillance is reasonably believed to be outside the United States and is not a U.S. citizen, circumstances under which the Fourth Amendment would not apply.

But, in operation, Section 702 surveillance need only look to whether the communication at any time left the United States. Any email that at any time is routed outside our country—as many emails are—is subject to Section 702 surveillance. So that raises a very deep concern, because domestic emails are therefore subject to an NSA Section 702 search.

Our government is always quick to say: “We do not surveil United States citizens and only do so with a warrant.” Well, the 702 is not a warrant-driven mechanism as a predicate to the search. (The government needs to get FISA court clearance on a yearly basis for the methodology of 702 searches, but it is not required to get a warrant on a case-by-case basis.)

The NSA and the Justice Department are also quick to say that if, through Section 702 surveillance, they pick up anything that is entirely domestic, the government “minimizes” the search, or does not allow it into the intelligence inventory. However, the 702 exceptions to minimization are so broad that they swallow up the entire concept of minimization. The 702 statutory authority is set to expire later this year, and there is going to be a major debate over whether it should be extended. Section 702 has many supporters.

The Supreme Court has not ruled definitively on these surveillance issues. Even among the present eight Supreme Court justices, there is a likely majority who have signaled their doubts about surveillance that does not strictly follow Fourth Amendment “probable cause” jurisprudence. Even Justice Antonin Scalia, before his passing, was a strict enforcer of classic Fourth Amendment search and seizure doctrine. Moreover, there is evidence that Judge Gorsuch, if confirmed, will follow Scalia’s lead in this regard.

To date, the failure of challenges to these kinds of surveillances is the inability to demonstrate in court “standing” (or precise injury from the surveillance). The one Section 702 case to reach the Supreme Court in 2013 foundered on the inability of the plaintiffs to show with certitude that their communications had been read or heard. However, standing will doubtless be established in a case where evidence obtained under Section 702 is used to convict a criminal defendant. The defendant will have likely failed to suppress introduction of the evidence on grounds that it was obtained without a showing of probable cause. That criminal defendant will doubtless have standing and, if the case reaches the Supreme Court, that court will likely be able to resolve these issues on the merits.

In the end, one of the biggest cybersecurity problems is that the U.S. military-intelligence complex has far too easy access to private information that can be damaging to oneself, information that we reasonably expect to be kept private, and not put into the hands of the government without some showing that it’s directly related to a critical national need. The government has just too-ready access to far too much of everyone’s private information, and that access can be gotten without demonstrating to an independent court that there is a strong national need.

Another major cyber problem is that too many U.S. commercial interests are not using best cyber practices, best cyber technology, to protect sensitive data that, if stolen, enables crippling cyberwarfare against the United States. I do not think that failure has been given a serious enough concern. So losing your credit card information, your passport information, and other forms of privacy happens too easily. This is troublesome and worrying. But it is not the clear and present danger to our collective security of having our infrastructure data hacked and having a broad-based infrastructure break down.

The attempt to minimize the government’s access to personal private information is not a partisan issue. Libertarians on the right and civil libertarians on the left feel strongly that the government’s ability to invade privacy must be limited. However, it is hand-to-hand combat in Washington on these issues, and should there be another devastating terror attack, I think the scales will tip to the side of the government being able to collect whatever it wants, whenever it wants it.

The post What Happens When Personal Information Gets Weaponized appeared first on Zócalo Public Square.

For the U.S. military, the manifestations of this revolution have covered the full spectrum from the dramatic to the prosaic. Unmanned aerial vehicles, ships, and ground systems now carry increasingly sophisticated surveillance capabilities and precision guided weapons. Less visible, but also hugely important, has been development of the ability to integrate and analyze vast quantities of intelligence from all sources and determine precise locations of friendly and enemy elements. Finally, we cannot overlook growth of the seemingly matter-of-fact but nonetheless essential reliance on email, video teleconferences, and applications like PowerPoint to communicate, share information, plan, and perform the tasks of command and control.

Information technologies that did not exist at the time of the first Gulf War are now so fundamental to the conduct of military operations that it is difficult to imagine functioning without them. And the growth of the internet, social media, and now the “Internet of Things” represents a further stage in the information technology revolution whose full consequences are still unfolding. Nonetheless, some preliminary implications of such cyber capabilities for warfare are already clear.

First, cyberspace is itself now an entire new battlefield domain, adding to the existing domains of land, sea, air, subsea, and space. This reality has enormous ramifications for military doctrine, operations, organizational structures, training, materiel, leadership development, personnel requirements, and military facilities. Most significantly, it adds a powerful new element to the challenges of the simultaneous “multi-domain warfare” in which we are now already engaged and for which we need to do more to prepare in the future.

Second, cyber technology is adding another element to the already ongoing dispersion and fragmentation of global power. While no nation has contributed more to the growth of the internet and the digitized world than the United States (and no nation has developed more sophisticated cyber military capabilities), the nature of these technologies ultimately presents one more disruptive challenge to the preeminence that the U.S. has enjoyed since the end of the Cold War, as others exploit the potential of offensive cyber capabilities in new and increasingly sophisticated and diabolical ways. Examples of this include the use of cyberspace by extremist networks like ISIS and Al-Qaeda to inspire far-flung terrorist strikes; by Russia to wage ideological and political warfare that seeks to undermine the cohesion and self-confidence of the Western democracies; and by China to collect the technological know-how that is speeding its already rapid rise and undercutting America’s conventional military edge and industrial advantages.

Third, cyber capabilities are further blurring the boundaries between wartime and peacetime, and between civilian and military spaces. These are distinctions that have, for various reasons, been eroding in recent decades and which technological developments are now accelerating. At present, it is likewise clear that offensive capabilities are outstripping defensive and retaliatory options. And as long as difficulties in identifying and attributing responsibility for cyberattacks persist, that reality is likely to undercut deterrence and encourage aggression in cyberspace.

Yet even as technological changes inspire us to speculate on the future of warfare, perhaps the most important insights about the implications of the cyber age can be gleaned from the past.

While technology promises to disrupt the conduct of war, it is equally important to recognize what it will not alter—namely, the causes of war, which continue to lie in the character of humanity. As Thucydides documented more than two millennia ago, it is the elemental forces of fear, honor, and interest that are the wellsprings of conflict, and it is often the choices of individual leaders that determine how conflicts develop. It was for this reason, in fact, that, when I was in uniform, I argued against the concept of “network-centric warfare”—put forward in the late 1990s—and instead contended that a better formulation would be “network-enabled, leadership-centric warfare.” It is, after all, still leaders who determine strategies and make the key decisions. And even as development of autonomous weapons systems and other such capabilities proceeds, parameters for actions by such systems will continue to be established by human beings.

Furthermore, history suggests that humanity’s capacity for technical innovation often outpaces our strategic thinking and development of ethical norms. Indeed, the methodical development of doctrine around nuclear weapons by the “Wizards of Armageddon” in the 1950s and 1960s, which did much to help prevent a nuclear apocalypse, appears to have been the exception rather than the norm. More typical is the experience of the European powers of the early 20th century, which failed to recognize that the mass industrialized armies they were constructing were the components of a doomsday machine that would unleash a civilizational slaughter that none of the combatants had previously considered possible. As we and other major powers race to develop cutting-edge cyber capabilities—expanding swiftly into realms such as robotics, bioengineering, and artificial intelligence—we would be wise to devote equal energy and attention to considering the full implications of our ingenuity. Security in the century ahead will depend more on our moral imagination—and with it, the ability to develop concepts of restraint—than it will on amazing technological breakthroughs.

This in turn suggests a final reality about warfare in the age of cyber. Regardless of the innovations that lie ahead, technology by itself will neither doom nor rescue the world. Responsibility for our fate, for better or worse, will remain stubbornly human.

The post As Machines Wage War, Human Nature Endures appeared first on Zócalo Public Square.

At the same time, cyberattackers, and their rising diversity and sophistication, offer an opportunity to innovate and grow new markets. You can see what that looks like in San Diego, where I live and work.

San Diego has long been a center of America’s national defense, and the infrastructure and businesses that support it. The cyber age—and San Diego’s savvy response to it—has changed the nature of that defense. San Diego is now home to more than 100 cybersecurity companies that employ 4,230 people in the region. That’s on top of the 3,390 employees who work at the U.S. Navy’s Space and Naval Warfare Command (SPAWAR). And those numbers are growing rapidly.

In just two years, between 2013 and 2015, information security analysts grew by 13.9 percent per year on average in San Diego, nearly double the national 7 percent average, and employers expect their cybersecurity workforce to grow by an additional 13 percent in the coming year, according to a 2016 study for which my nonprofit and other San Diego institutions conducted research. The annual economic impact of the industry is already estimated at $1.9 billion—that’s the equivalent of hosting four Super Bowls each year—and puts San Diego on par with sister cyber hubs in Silicon Valley and Maryland.

This rapid growth is not merely a matter of technological change. It reflects strategic efforts by people and sectors across San Diego—the military and intelligence community, high tech industries, academia, municipalities, utilities, transportation agencies, and the region’s various governments—to become a leader in cybersecurity.

I play a role as leader of the San Diego Cyber Center of Excellence (CCOE), a nonprofit established in 2014 by cyber industry, higher education, and government leaders to address cybersecurity challenges here. To become a center of this new line of defense, the region has had to tackle three tasks crucial to the sector’s success. San Diego is cultivating a cyber workforce, showcasing its successes in cutting-edge technologies, and fostering a more secure cyber environment across the region’s institutions. (Being a leader in cybersecurity can make you a bigger target to attack.)

These challenges resulted from regional economic planning, in particular the San Diego Regional Economic Development Corporation’s cybersecurity economic impact study. In some places, regional economic reports get dismissed, but not this report and not here. The report identified a clear top challenge: the sourcing and development of a cyber workforce. This is what drew me to this work and the CCOE—the opportunity to help find and secure the next generation of cyberwarriors was too good to pass up.

To start, our team convened leaders in industry, government, and all 15 of the cybersecurity, computer science, and engineering deans from regional universities, colleges, and extended studies programs to discuss greater alignment between academic supply and industry demand. The collaboration has been highly productive. It helped create a catalogue of courses that universities and programs offered, or could add, to meet the skill sets sought by the industry. It also generated a regional cyber Job Board, as well as an Internship Pipeline and Link2Cyber programs that connect students, recent graduates, veterans, and seasoned professionals with career opportunities in the region. 

Not only are these cybersecurity positions in demand, but the average annual salary for analysts, computer scientists, and software developers is six figures, according to that 2016 economic impact study that CCOE helped conduct.

The combination of wages and opportunity have made San Diego a hotspot for talent, investment, and research and development. The region’s universities and colleges annually graduate 3,000 students in the computer science and engineering fields. The University of San Diego and California State University San Marcos recently launched cybersecurity masters programs with industry-driven curricula to help feed the pipelines. The region’s higher education sector also supports trailblazing research at facilities like the Super Computing Center at UC San Diego and the Advanced Computing Environments Laboratory at San Diego State University.

Demand for talent is being driven by a convergence of commercial security and defense security. This creates a real community around cybersecurity. Industry leaders such as Qualcomm, ESET, ViaSat, and iboss call San Diego home, citing access to clients, customers, vendors, suppliers, and proximity to SPAWAR as the region’s greatest strengths.

San Diego is likely to see more growth as the industry moves toward private sector customers. The share of firms focused primarily on the commercial market (as opposed to military and defense) has grown substantially, now constituting 47 percent of the sector in San Diego. This shift reflects the importance of practical applications of cybersecurity, like protecting healthcare and financial data, and energy and water grids. This is good news in an age where the Internet of Things (IoT), electromagnetic pulse (EMP) blasts, mass grid outages, and ransomware attacks are no longer just Marvel Comics storylines.

San Diego as a regional hub is also mobilizing to address potential threats to its own infrastructure. The Secure San Diego initiative, launched earlier this year, is, among other things, generating a regional cyber response map for businesses and a regional incident response management plan similar to state of emergency protocols used in natural disasters.

Sometimes I marvel at how threats and defense strategies have evolved since my time as commander of SPAWAR, but the one constant of war remains: You can’t go it alone. While San Diego has developed a cybersecurity sector, cyber threats have no geographic or industry bounds, and the need for qualified cybersecurity workers is increasing. My hope is that San Diego can serve as a template to mobilize other regions to adopt best practices and grow our nation’s next generation of cyberwarriors, defenses, and innovations.

The post In San Diego, Building a Cybersecurity State Is Good Business appeared first on Zócalo Public Square.

On March 1, 2017, Singer testified in front of the House Armed Services Committee on what steps the country should take to prepare to take on decades of cyber mischief and worse. 

Q: In your testimony to Congress on March 1 you said that the war now involving cyber is the inverse of the Cold War. Can you talk about what this means—the inverse of the Cold War—and what its implications are?

A: The argument that I was making was that there are apt parallels with the Cold War and also fundamental differences. An apt parallel would be that, contrary to the visions of cyberwar in movies and in D.C. policy circles of power grids going down in a fiery “cyber Pearl Harbor,” what we are seeing is a competition more akin to the Cold War’s pre-digital battles, where you saw a cross between influence and subversion operations with espionage. That’s particularly true with what Russia has been up to.

This means we need to take new approaches to deterrence, reflecting the dual goal of both preventing an ongoing conflict from escalating, but also responding and better defending ourselves.

Yet, there are also fundamental differences with the Cold War, particularly in how we establish what the norms are. If you go back to the Cold War, everyone was concerned with just one kind of attack, a nuclear one. It was very clear whether it happened or not, and it was very clear who would be behind it. In contrast, now we have multiple different types of cyberattacks, with goals ranging from stealing information to blocking information to changing information. The attribution problem is fundamentally different, not just who did the attack, but even your awareness that you are under attack. There is not a clear cloud of smoke coming after the missiles launch, so we often don’t even know when a cyberattack has occurred.

But also some of the normative questions are different. In the Cold War we were weirdly okay with the Soviets targeting everything from a missile base to a city, but it was known they couldn’t actually cross the line and conduct the attack. If you hit anything, war is on.

In contrast, in cyber conflict, we’re not going to stop all types of cyberattacks, but there are some types of targets that we all have to agree to keep off the table. So stealing information from each other is something that states have always done, throughout history, and now they’re just doing it through digital means. So it’s okay if you steal information, weirdly enough, from one of our government agencies. We may not like it, but that’s within the rules of the game. So for example, the OPM (Office of Personnel Management) breach—which reportedly originated in China—is a not story of “shame on them” but “shame on us” for not securing the information better.

On the other hand, we may say stealing information from a private business violates the rules of international trade. So if you’re stealing a design from a car company and then copying and building that car, that’s a violation of the rules of that game.

Or, a new kind of norm might be that there are some types of targets that are off the table because they’re too clearly escalatory, or too prone to confusion and mistakes. So don’t go monkeying around with nuclear power plant control systems. The consequences of us finding you, or you making a mistake, are too great. That target should be off the table completely.

Q: What you’re describing is a free for all. These norms you’re talking about are counterintuitive and weird.

A: They may have once been weird, but they are now the new normal. If you go back in time to the Cold War, the very idea of Russia directly influencing the U.S. political system and that then a substantial portion of the government, including the president himself, would just shrug it off? They’d have said it sounds like the plot of that movie starring Frank Sinatra, The Manchurian Candidate. That’s absurd! But yet, that is exactly what is happening now.

Look, we’re down the rabbit hole in a lot of different ways. But again, there are fundamental lessons we should be following. As an example, if you want to establish deterrence, if you want to build norms, then clearly what threatens to undermine your position is inaction when an adversary clearly violates those norms.

Q: The timeline for reaction during the Cold War was the time the missile was in the air. Now, potentially, we don’t know when the breach happens, but we have an infinite amount of time to respond.

A: Yes, the timeline is extended out in both directions. Much of Cold War deterrent strategy was determined basically by physics, the roughly 30-minute window that it took a ballistic missile to arc across the globe and hit another continent. We had to be able to prove that we could hit that missile within that window. Proving that it could be done deterred the other side from a preemptive strike.

In contrast, in this space, in the corporate sector the average time between when a victim is attacked and when they know they’ve been attacked is between 160 to 205 days, depending on the study.

But today your ability to respond doesn’t have to happen within that window. It also doesn’t even have to be a like response. Today, if you cyberattack me, I can respond either through cyber means or I could use all of my other tools of power to find your leverage points.

As an example: Russia. I would argue that their pressure points are a rickety economy with oligarchic structures. It’s the 13th largest economy in the world and falling. So go after that.

You also have to keep in mind that you’re setting examples that everyone else is going to watch. That is again another of these downsides to us just looking the other way to arguably what is the most important cyberattack in history. And I don’t say that lightly.

By looking away, by not responding, to the Russia campaign against our election, we are telling Russia, “Hey, this works for you.” And as we can see they’ve moved on to similar tactics against our allies, with examples ranging from Great Britain to Norway to the current elections in France, Germany, and the Netherlands. But also, in addition to Russia, other actors out there are watching and learning. One of the underlying lessons of deterrence is that it’s not about punishment for punishment’s sake, it’s about influencing the other actors.

Q: Are we coming to a place where we define cyberattacks as war?

A: I’d put it this way: “cyberwar” is as abused a term as “war” is. We use war to describe everything from a state of armed conflict between nations, like World War II, to a state of strategic competition between nations that never turns to outright conflict, like the Cold War, to political campaigns against everything from poverty to sugar.

I don’t like to use the term cyberwar unless you’re talking about the classic definition of a state of armed conflict where there is actual violence, in which the internet is used not just to steal information but to conduct attacks that would have physical damage. That’s what we’re talking about in war.

But where I especially don’t like to see it is when people say, “Oh, the OPM breach, that was an act of war.” No, no it wasn’t. It was stealing information. Nations have always stolen information. No nation has ever gone to war over stealing information.

Others will say, “It’s a facility breach, North Korea conducted an act of war!” No, they attacked Sony, they outed its secrets but it’s not in the same category as when North Korean troops murdered, in plain sight, U.S. troops with axes in the 1970s and we didn’t go to war with them over that. And you’re saying that we would go to war over the fact that now we can read Angelina Jolie’s emails? We need to be precise in what we talk about, what we care about, and what we’re trying to stop.

Q: You’ve mentioned that hacking is an entry point to hearts and minds. In the past, the sphere of attack was mostly governments. But this is now something that individuals feel and that individuals have the ability to respond.

A: Yeah, I think you’re combining two different things there. The argument back in the Cold War was that the individual was not the target and had no great ability to contribute to the defense. No matter how hard you tried, you were not going to be able to dig a good enough bomb shelter in your backyard that would mean that Russia would count it as a reason not to attack.

In cybersecurity, there’s a lot going on, but individuals matter. They are often what are being attacked and, importantly, can undertake a set of cyber hygiene measures that will go an incredibly long way to preventing, deterring and discouraging those attacks.

Cyber hygiene won’t solve everything, but—whether we’re talking about political leaders, army officers or someone working at a furniture company—if we raise our game, if we don’t click that link we ought not to, we make the attacker’s job so much harder. We make it so much more difficult for them to succeed.

This is a space where you can build what’s called deterrence by denial or resilience. This is different but related to what you were asking about. During the Cold War, nations tried to subvert and undermine the politics and culture of their adversaries. We’re seeing that play out today, but through digital means. Russia is far more successful than they ever dreamed would be possible back in the Cold War. Sometimes it’s overt on social media, and other times there is a link to the cybersecurity side. So the cyberattacks and the influence operations are related but different.

To give an illustration related to campaigns: Political campaigns have long been targeted by hackers. In the 2008 and 2012 elections, the Obama, McCain, and Romney campaigns were all targeted by foreign state actors that wanted to penetrate and gain insights into what these campaigns and, more importantly, the people who were in them and were going to move into government, were thinking about policy. That’s always happened.

The difference in 2016 is that instead of merely just stealing the secrets, they were then exposed in a way that was designed to embarrass the target. The DNC breach had less in common with the OPM breach than it did with, for example, the Ashley Madison and Sony breaches. The hack was not to steal, the hack was to influence others.

So what are things we can do? They range from setting up better means to defend our elections, not just the voting machines as usually is talked about, but the political organizations that were actually the target. And learn from the past. Back in the Cold War, they created a group to respond to Soviet information warfare called the Active Measures Working Group. It was an interagency group that essentially identified Russian misinformation campaigns so that we could then respond to them. The Soviet Union, for example, was spreading false stories like we were using the 1984 Olympic Games as a way to secretly spread AIDS and stuff like that. We need a similar entity right now that can identify those misinformation campaigns online, out them, and allow us to respond to them.

Such an effort would be important not just in dealing with what Russia is doing, but it will also debunk the activity of what in Russian translates as ‘useful idiots’—aka people inside our own society, who are happy to spread lies and misinformation.

But it also involves actors outside of government, who have to take a long and hard look at themselves. That is everything from the social media companies that need to understand that their platforms are being used to take advantage of their customers. We’ve seen bot campaigns that swing from target to target, from trying to influence the Brexit Campaign to trying to influence American voters. Obviously the social media company can respond.

Also, the media needs to take a long, hard look in the mirror. I think it’s fascinating to compare how the media handled the Ashley Madison breach with how it handled the Sony and DNC breaches. Ashley Madison was about people cheating on their spouses. For the most part, the media reported the breaches but not the fruits of the crime, the individuals and what they were doing.

But when it came to Sony and the DNC the media reported the breach as well as the fruits of the crime. You could say that these two incidents involved people of public interest. Sorry! There were people like that in the Ashley Madison set, too. “But Sony involved a state actor!” Oh, because it was a foreign government influence operation, you played a role in spreading the information they got?

If the media says these things get reported case by case, then they’re being inconsistent. My point is that this isn’t only a government issue.

Q: It really does seem to me that what’s different here is the role of individuals to prevent, or foil, these attacks by exercising internet hygiene or not forwarding Facebook posts that look like trash.

A: Exactly, it also goes all the way to the individual. Am I going to play a role in poisoning the system further? And this includes learning to be more discerning. Just because it’s on Facebook doesn’t make it true.

Q: You’ve talked about punishment, having an anti-propaganda agency, but you’ve also talked about a kind of CDC that looks at breaches, reinforcing standards and metrics, offering bug bounties, and other things. Do you have a favorite in there?

A: No, because we need a wide array of activities. I think that there’s a feeling of helplessness, what can we do? Actually, there’s a set of identifiable actions we can do. And, importantly, as my testimony laid out, they’re non- or bipartisan. This doesn’t have to be a R vs. D space. To give an example, during the Obama Administration, a report identified the best practices in the private sector that could be brought into government. Now that we have a Republican president and Congress, they could adopt these suggestions. Ideas from business to aid government is a very Republican theme, so use them. Alternatively, being strong on national defense and deterrence and standing up to Moscow is in the very pedigree of the party of Reagan and Eisenhower. So, do it and be within your own party’s best traditions. The point is that there are a range of things we can and should be doing. History, however, is going to judge us on whether we act or not.

Q: Why won’t they act? Why hasn’t there been more action?

A: Good question.

The post Is the Cyber Era the New Cold War? appeared first on Zócalo Public Square.

Anybody seeking to understand what war might look like in the cyber age should consider the disruptive force of air power and the revolution it wrought. One lasting lesson: War has the power to quickly transform our technological fantasies and anxieties into devastating, hard-to-control realities.

Even before the Wright Brothers launched at Kitty Hawk in 1903, fantasies about what the industrial revolution meant for the future of warfare became etched in Western culture. From Ignatius Donnelly’s 1890 Caesar’s Column to H.G. Wells’ 1897 The War of the Worlds to Mark Twain’s 1899 A Connecticut Yankee in King Arthur’s Court, turn-of-the-century novelists imagined apocalyptic machines reaping vast destruction on dense urban populations. In 1898, one Polish military leader described how future war would involve balloons dropping “explosive substances” on unsuspecting people far removed from any front.

“Le Combat dans la riviere” (1906). Illustration by Alvim Corrêa (1876-1910) for a work by science fiction author H.G. (Herbert George) Wells (1866-1946). Image courtesy of the Spencer Collection of the New York Public Library Digital Archive.

Michael Sherry, a leading historian of air power in the 20th century, has argued that while early aviation technologies had limited practical applications, those limitations were not always understood by military commanders and political leaders. Fantasies about air power’s destructive potential outstripped the reality of air power.

But before long, the experiences of war enabled military planners and national leaders to experiment with air power, giving the world an early taste of the terror. World War I introduced the practice of air raids on something approaching a mass scale, as dozens of German “Gotha” and “Zeppelin” raids on London killed an estimated 1,413 civilians.

The experimenting with air power in World War I led to a growing fascination with its destructive potential. In 1921, Italian military theorist Giulio Douhet published The Command of the Air. He argued that in any future wars air power would be decisive. Generals and statesmen would target civilian populations with heavy bombing, seeking to destroy the enemy’s military-industrial capacity and weaken the enemy’s civilian morale. Future battlefields, Douhet predicted, will no “longer be limited to actual combatants. On the contrary, the battlefield will be limited only by the boundaries of the nations at war, and all of their citizens will become combatants, since all of them will be exposed to the aerial offensives of the enemy.”

The world, he concluded, was entering an age of “total war,” with civilians the prime target of any offensive military operation. Similarly, cyberwarfare adds a whole other dimension to the concept of total war, using unseen tools almost anywhere on earth to cause mass civilian casualties and mass panic.

The coming of World War II put many of the post-WWI predictions to the test. And tragically, many proved prescient. Advanced aviation technologies coupled with fascist militarism helped warfare assume an unprecedented destructive scale. During Spain’s Civil War, Franco’s bombers killed thousands of civilians in attacks on Barcelona, Guernica, and other Spanish cities. In Canton, China, Japan’s air raids killed thousands of civilians in the mid-1930s.

Air power altered people’s conceptions about the constraints of time and space during military conflicts. Abraham Lincoln had once predicted that “the armies of Europe and Asia … could not by force take a drink from the Ohio River or make a track on the Blue Ridge in the trial of a thousand years.” The United States had long seen itself as immune from the military calamities that had befallen other nations, whose borders were in proximity to one another. The twin-ocean barriers on America’s coasts no longer appeared to protect the United States from the advances in air power. Fears of bombs falling on the continental United States soared in the 1930s and early 1940s.

President Franklin D. Roosevelt, who had served as Assistant Secretary of the Navy during World War I and had long admired sea power, concluded that modern aviation had upended military doctrine and put millions of U.S. civilians in harm’s way in their homes. The advances in aviation technologies meant that “so-called impregnable fortifications no longer exist,” FDR warned Americans in May 1940. (Cyberwarfare and online recruitment of potential terrorists have further lowered the protective walls of fortress America).

FDR’s repeated warnings did not prevent Pearl Harbor. But the war that ensued—which included the Allied firebombing of Dresden and Tokyo, where hundreds of thousands of civilians died, followed by the atomic bombing of Hiroshima and Nagasaki—matched some of the most horrific nightmares of early fantasists about air power.

In the years since World War II, air power has not always proven decisive, of course. During the Vietnam War, the United States dropped more tonnage of bombs than had been dropped by all combatants in World War II. Yet the most powerful military on earth lost to a determined, fierce guerrilla army fighting to defend its native soil.

The Bush Administration’s “shock and awe” air campaign at the start of the 2003 Iraq War wrought so much destruction that it arguably set the stage for the Iraqi Civil War that ensued two years later.

This history should provide this cold reassurance: It is highly unlikely that any single technology—including cyberwarfare—will prove decisive in military campaigns of the future.

But the history of air power also strongly suggests that at some point in the future, fantasies about cyberwar and the actual practice of cyberwar will merge.

So human beings, in contemplating how cyberwar may change the character of warfare itself, will be better off if we allow our fears to inspire our thinking, and anticipate new perils and consequences before they show up at all of our doorsteps.

The post To Understand the Future of Cyber Power, Look to the Past of Air Power appeared first on Zócalo Public Square.

You will not find it in the Oxford English Dictionary, but “cyberwar” made its first inauspicious appearance in 1987 when an anonymous editor from Omni—Bob Guccione’s other magazine—attached the neologism as a title for an article by Owen Davies, an Omni editor. Although he never used the word or developed the idea of cyberwar, Davies pretty much nailed the coming of robotic warfare.

But something was in the air. In 1987 and avant la lettre, cyberwar in the narrow sense of an attack by malicious code on a computer system, communications network, or critical infrastructure, had a more plausible debut as the “Jerusalem virus” aka the “PLO virus,” a logic bomb that would pop up on any given Friday the 13th. Top that, Jason.

The next recorded use of “cyberwar” was in 1991. A young academic steeped in too much William Gibson and Bruce Sterling, after watching way too much of the 24/7 coverage of the first Iraq war, delivered a paper at the Second Annual Cyberspace Conference in Santa Cruz California: “Cyberwar, Videogames and the Gulf War.” Shortly afterward he was asked by the short-lived PBS television show Late City to distill the 100-hour TV war into a two-minute video buzz clip (set to Sweet Bird of Truth by The The). He gave the concept its first definition: “a new virtual and consensual reality, the first cyberwar, in the sense of a technologically generated, televisually linked and strategically gamed form of violence.”

Both were promptly forgotten. I took some solace in Nietzsche, who said only that which has no history can be defined.

But then history responded with a vengeance: Just about every major war since Iraq had a cyber edge to it. To be sure, acts of primal if not always organized violence would continue—all too often in the name of creation myths that would not be out of place in the Stone or Bronze ages—on a daily basis by and against tribes, nations, and superpowers.

Many of these acts of organized violence continue to fit the classical definitions presented early in the 19th century by the Prussian Carl von Clausewitz, who variously defined war as a duel on a larger scale, a forceful act to compel others to do our will, and a continuation of politics by other means. The contemporary landscape of world politics is littered with casus belli that would not be unfamiliar to Clausewitz, or for that matter, to his eminent precursors like Machiavelli and Hobbes, who identified wars of gain (produced by imperial, economic, and military struggles for dominance), wars of fear (prompted by perceptions of a rising power or threatening evil), and wars of doctrine (caused by the clash of monolithic faiths and universalist ideologies).

But Al Qaeda, ISIS, and other non- and wannabe-state actors keep crashing the Westphalian system. Today’s new warriors intent on challenging the state’s monopoly on violence—like the insurgent, jihadist, or private militia—are not that far removed from their earlier counterparts, like the pirate, mercenary, and holy crusader. Even the guerre du jour of “hybrid war,” the corrosive mix of private criminality, public bellicosity, and authoritarian politics that scars the residual borders of the Cold War, has more than a hint of the medieval in the interplay of overlapping sovereignties, polymorphous combatants, and clashing cosmologies.

As long as global violence remains a viable, sometimes the only option in the face of intractable political differences, social injustices, and cultural struggles for recognition, war in one form or another will find a way. States, democratic or not, might be less inclined to initiate violence, but non-, para-, and anti-state actors have proven to be willing as well as able to use networked technology to wage asymmetric warfare—which in turn prompts over-reactions by states and furthers cycles of mimetic violence.

Classical war persists, as does the effort by new actors to offset disadvantages through new technologies. Even Clausewitz, ever the dialectician, acknowledged that “every age had its own peculiar forms of war, its own restrictive conditions, and its own prejudices.”

What is most peculiar about war in a “cyber age?” Depending on whether one goes back to the Greek (kubernētēs or “steersman”), Norbert Weiner (“cybernetics,” 1948), or William Gibson (“cyberspace,” 1984), “cyber” suggests everything from a control system with a feedback capacity, to a technologically-induced consensual hallucination, to a 400-pound hacker (pace Trump) subverting the U.S. elections.

Dating the cyber age is no easier. Someday archeologists will sift through the ruins of Bell Labs, find wire etchings in germanium and silicon and declare 1947, give or take a year, as point zero, from which microprocessors, packet switches, and fiber optics as well as digital code, information theory, and networked systems soon followed.

However, science will not capture the ghost in the machine. For that, we best go back to the originating myths. Cyber is, literally, as old as the Bible and other holy texts in which gods “steer” or “govern” the universe. In the Judeo-Christian version, those “who have no direction (kubernēsis) fall like leaves” (Proverbs 11:14); those who prosper understand that “with strategic planning (meta kubernēseōs) war is conducted” (Proverbs 24:6). Leaping a millennia or two forward, our techno-deities might not be as omniscient or omnipotent as past gods; but, weaponized and sanctioned by national security, they deter, disrupt, and if necessary destroy our enemies with relative impunity to us. Obama got religion, ordering 10 times the number of drone attacks executed by Bush; barely two months in office, President Trump increased them by another 432% over Obama.

Perhaps the most peculiar characteristic of war in a cyber age is how well it resists the traditional restrictions of warfare. As everything and everyone becomes connected, it’s very hard to confine cyberwar to a discrete place or bounded time. A few clicks, several thousand shares, and an incident escalates from a local to regional to international crisis. This is the force-multiplier effect of the cyber age, with 9/11 as the most seminal and inspirational example. Access to the internet and flight simulators made it possible for Osama bin Laden and 19 kamikaze fanatics to topple the World Trade Center, hit the Pentagon, kill nearly 3,000 people, and cause billions of dollars in damages (trillions if we include second-order effects, like the Iraq War and the rise of ISIS).

If there is a prejudice to war in the cyber age, it can be found in the conceit that virtualization makes war more virtuous. Rather than resorting to the convention of bombs, the United States and Israel inserted the Stuxnet virus to degrade the Iranian nuclear weapon program; no matter that the virus proved to be less than a precise munition and rapidly spread to non-targeted industrial platforms. Wikileaks hacked thousands of embassy cables to make U.S. diplomacy more transparent and democratic; no matter the collateral damage done to alliances and coalition efforts to restrain anti-democratic regimes. Drones pursue a cleaner kill; no matter the virtual terror induced upon whole populations.

Thirty years on, I think it is safe to say that we have not seen the worst of war in the cyber age. With so many networked actors operating simultaneously across multiple levels of power, prediction, pre-emption, or restriction of cyberwar is exceptionally difficult. Distinguishing intentional from accidental acts is hard. Knock-on effects will grow.

The cyber advantage might now go to the most technologically advanced powers, but the law of uneven development gives latecomers the edge. Which is why we should be asking now, before rather than after the Owl of Minerva takes flight at dusk, what war will look like in the quantum age.

The post The Cyber Age Demands a New Understanding of War—but We’d Better Hurry appeared first on Zócalo Public Square.

While Donald Trump at first denied that the Russian intervention had occurred at all and still denies that it had any impact on the election, its significance can be judged from the fact that during the last month of the campaign he mentioned WikiLeaks at virtually every stop. In an election decided by just 70,000 votes in three states, it is hard to dismiss the possibility that the Russian intervention could, in fact, have tilted the outcome. That would make this the most consequential computer hack in history, but was it an act of war?

Certainly not in the classic sense. The Kremlin did not, after all, transgress America’s borders or the borders of an ally the United States is pledged to protect. It did not shoot down an American aircraft or sink an American ship. Those are the classic kinds of casus belli that have traditionally sparked hostilities. But such old-fashioned definitions of aggression do not seem fully adequate to deal with the cyber age, in which computers can be a far more potent weapon of war than a machine gun or a mortar.

Protesters stand around the statue of a Red Army soldier to prevent the Estonian government’s plan to move the Soviet-era monument honoring in Tallinn, April 22, 2007. The statue was subsequently removed, and Russian hackers are suspected of having temporarily disabled Estonia’s access to the internet with denial-of-service attacks in retaliation. Photo by NIPA, Timur Nisametdinov/Associated Press.

How should one treat incidents such as the one that occurred in 2007 when Russian hackers are suspected of having temporarily disabled Estonia’s access to the Internet with denial-of-service attacks in retaliation for the removal of a statue in Tallinn honoring World War II Soviet soldiers? Or the 2010 Stuxnet virus used by Israeli and U.S. intelligence to disable a thousand Iranian centrifuges? Or the 2012 attack, blamed on Iran, which disabled 30,000 computers belonging to the Saudi state oil company? Or the 2014 North Korean attack on Sony Pictures in retaliation for the release of a movie parodying North Korea? As the Harvard strategist Joseph Nye notes in the journal International Security, these events, and others like them, do not fall neatly into “the classic duality between war and peace,” occurring instead in a “gray zone” that defies an easy definition or response.

It is possible, to be sure, to imagine more severe cyberattacks that would more easily cross the threshold of open hostilities. “Talk of a ‘cyber Pearl Harbor’ first appeared in the 1990s,” Nye notes. “Since then, there have been warnings that hackers could contaminate the water supply, disrupt the financial system, and send airplanes on collision courses. In 2012 Secretary of Defense Leon Panetta cautioned that attackers could ‘shut down the power grid across large parts of the country.’” If such a massive attack were to occur—and if responsibility for it could be attributed with a high degree of certainty—one could imagine treating that as a casus belli requiring a response not just with computer viruses but with actual firepower.

But attacks such as Putin’s hacking of the 2016 election fall below that threshold, which is part of what makes them so attractive to relatively weak states such as Russia or North Korea: It allows them to maximize their ability to disrupt their enemies while minimizing the backlash. In fact, what consequence has Russia suffered for intervening in the U.S. election? Nothing beyond the expulsion of a few diplomats, which is hardly enough to make Putin rethink the efficacy of these tactics. Indeed, even the impact of those last-minute Obama sanctions was probably undermined by the conversations that Michael Flynn, Trump’s first national security adviser, secretly had with the Russian ambassador prior to the inauguration—talks in which he is suspected to have asked Putin to hold off on any retaliation in the expectation that once Trump became president he would ease tensions. Flynn subsequently had to resign after lying about those conversations. But even the growing Kremlin-gate scandal has not been enough to dissuade Putin from meddling in similar fashion in the Dutch, French, and German elections to support pro-Russian and anti-EU candidates.

While no one is suggesting that the U.S. should have started World War III over the Russian interference in our election, a more serious response was in order. It’s not hard to think of a range of appropriate responses: As I have suggested before, Obama could have asked the NSA to disclose embarrassing communications between Putin and his aides or details about all of the billions they are suspected of looting. Or he could have simply asked the NSA to fry Kremlin computer networks. A range of non-cyber responses could also have been entertained, such as providing arms to Ukraine to defend itself from Russian aggression or ratcheting up sanctions on Russia by kicking it out of the SWIFT system of inter-bank transfers. Of course now that Trump is president, there is scant hope of any response at all; the only issue is whether Trump will lift existing sanctions on Russia.

Obama hesitated to do more against Putin because every action carried the risk of unintended consequences and of sparking greater hostilities. But the greatest risk of all is relative inaction. By failing to respond more strongly to Russia’s election intervention, the U.S. risks legitimizing such “gray zone” attacks. Thus we can expect more of them in the future. They may not exactly be “acts of war,” but they can cause more damage than many kinetic attacks—and it can be much harder to know how to respond. Figuring out a doctrine of cyber war that includes everything from such low-level strikes to “cyber Pearl Harbors” will be one of the signal challenges for military and intelligence strategists in the 21st century.

The post Why Didn’t the U.S. React More Forcefully to the DNC Hacking? appeared first on Zócalo Public Square.

The first question that policymakers might debate is whether such an attack deserves a military response. But several problems immediately arise. First, would the U.S. government—and specifically the National Security Agency—know for certain who had conducted the attack? 

Without being able to attribute the attack, or if there were some uncertainty about who was responsible, it would be very hard to strike back. Unlike conventional attacks, cyberattacks can be difficult to attribute with precision to specific actors. In the event of a major cyberattack, pressure to respond would be immediate—and probably intense. But if a country strikes back and the forensics are erroneous, then the retaliation will have unnecessarily and inadvertently started a war.

Russia’s alleged meddling in the 2016 U.S. presidential elections has brought the issue of cyberwar again to the top of the news, but the possibilities it raises are only the tip of the iceberg when it comes to the role of cyber operations in modern warfare. Most—although not all—analysts agree that cyber will be a key domain in the conflicts of the future. Exactly how cyber will impact these future conflicts, however, is hard to say with any certainty. Cyber weapons are not like missiles or tanks; because their initial impact is in the information domain, their effects are much harder to judge.

Even in cases where an attack is linked to one specific country—say, Russia—it could be hard to know for sure whether it was directed by the Russian government. 

This is because governments like the Russian government appear to rely heavily on third parties to develop their cyber weapons and conduct their attacks. This offers them many benefits—deniability being one of them—but it also offers them less control over what their cyber warriors actually do – creating a so called “principle agent problem.”

Wearing sailor’s uniform Russian Defense Minister Sergei Ivanov, left, and President Vladimir Putin, third from left, watch a missile launch aboard the nuclear-powered misile cruiser Peter the Great, while observing naval maneuvers of Russia’s Northern Fleet in the Barents Sea, Aug. 2005. Photo by Alexei Panov, ITAR-TASS, Presidential Press Service/Associated Press.

In other words, an attack that originates from within the Russian cyber world might be the work of the Kremlin—or it might not. This further complicates the choice of response.

Sometimes, the culprit will be clear, of course. But in these cases, the question is how, specifically, to respond. 

Some advisors might push for a cyber counter-attack that inflicts equal damage on the guilty party. But this isn’t always possible. If the perpetrator is a party like North Korea, then there is no equivalent financial system to target. But should the United States instead use conventional military weapons like a cruise missile, perhaps on Pyongyang’s cyber training facilities? A strike like that would clearly risk serious escalation of the conflict. It might be seen as disproportionate if the U.S. financial system had recovered in the interim with relatively minimal real damage.

Imagine, however, that the attack is against the U.S. power grid or oil and gas infrastructure. This kind of attack could easily have military consequences if it were extensive. The U.S. military has backup power generation capability as well as stocks of fuel reserves, but these stores are not infinite. If such an attack on U.S. infrastructure has military consequences, the case for a cyber retaliation—or even a Tomahawk cruise missile strike—starts looking a lot stronger.

Even if the U.S. power grid were seriously affected by a cyberattack, however, and the United States knew with a high degree of confidence who the guilty party was, there would be reasons for caution—especially if the attack was an isolated incident and there were no other signs of aggression or malign intent.

This is because cyberattacks can have unanticipated consequences. With any military strike, collateral damage is always possible, but with most conventional attacks, methods of assessing and avoiding collateral damage are well-developed, and based on well-established physics principles and observational experience.

But cyber weapons don’t operate like missiles or tanks. They attack the underlying network or computer systems. The possibility of unexpected effects in the cyber world is much greater.

For example, a cyberattack on an electrical grid might be intended to knock out the lights in a specific location, but end up affecting a whole region’s energy supply. The world saw this potential with the Stuxnet worm: Apparently intended for a very specific, isolated network (an Iranian control system), the worm was discovered precisely because it spread beyond its intended target into other related networked systems. Stuxnet did not attack other control systems, but only because the designers programmed in a self-destruct date. If the designers had been less cautious, its effects would have been much more widespread.

Therefore, before targeting a cruise missile at that (hypothetical) cyber hub in Pyongyang, the U.S. president would want to have at least some knowledge of both the intentions of the attacker and the consequences (including secondary effects) of the response—otherwise the United States might be starting a war by accident.

But a desperate foreign leader might miscalculate that he can get away with a surreptitious attack on U.S. infrastructure for exactly these reasons—and that in and of itself is cause for concern.

This is why context will make a big difference. It’s relatively easy to assess the damage done by an attack on America’s infrastructure, but less easy to assess the intent of that attack. If the U.S. power grid is seriously disrupted by a cyberattack during an ongoing war with a known aggressor it will be much easier to strike back—with kinetic (i.e. physical) force or with cyber weapons—simply because it will be easy to assume the attack was intentional.

Alternatively, a fearful foreign leader might lash out at the United States if she or he fears the United States is on the verge of conducting a devastating cyberattack. The hostility might come in the form of a massive, pre-emptive cyberattack, a conventional attack, or in the extreme, even a nuclear salvo.

Since the ability to mount cyberattacks depends on keeping targeted vulnerabilities secret, both sides may fear that their adversaries possess capabilities that have far-reaching destructive potential – even when they don’t. This fear in turn could increase the tendency toward pre-emptive action and hence escalation.

Cyber adds new and significant uncertainty to warfare, making it difficult both to deter and respond. It will take time and a great deal more research and analysis before the problem is fully understood.

The post Why It’s So Hard to Stop a Cyberattack—and Even Harder to Fight Back appeared first on Zócalo Public Square.