Ironically, Mike McConnell’s recent op-ed in the Washington Post, which called for “re-engineering the Internet” in an effort to gain ground in the “cyberwar” that he claims the United States is currently losing, may have been the best thing to happen in the ongoing debate about cybersecurity. First, it has sparked more discussion of and resistance to the “discursive excesses” of the current discourse, in which everything from terrorist use of the Internet, to DDoS used for extortion, to still-hypothetical cyberattacks bringing down critical infrastructures, are all lumped under the increasingly-ambiguous term “cyberwar,” many of whose chief proponents seem reluctant at best to define clearly. (Tim Stevens of the blog, ubiwar, has done a great job of documenting and contributing to the debate [or lack thereof] over the excesses of cyberwar discourse.) Second, it has resulted in more attention being paid to the personal and institutional interests behind the voices dominating the public discourse and policymaking about cybersecurity, with special attention paid to McConnell as an example of the “revolving door” between government national security agencies and the private national security industry. In short, McConnell’s own discursive excesses have resulted in growing (and healthy) skepticism about both the claims being made, as well as those making the claims.
One of the most recent entrants into this discussion is Harvard professor of international relations, Stephen Walt. For anyone who has taken a graduate-level course in IR theory in the last 20 years, you’ve probably read Walt’s work, in particular his book, The Origin of Alliances. Agree or disagree, love it or hate it, Walt’s work is pretty standard reading today. So when he speaks, folks tend to take notice, or at least they probably should take notice. So when Walt this week raised serious concerns about whether the “cyber threat is overblown”–which he thought likely–Stevens wrote: “This is close to saying to the cybercoterie manipulating the debate thus far: you’ve been rumbled. By a distinguished Harvard professor.” While I agree with Stevens that they have been rumbled, I’m not sure that the “cybercoterie manipulating the debate” will recognize that they have been “rumbled,” in part because the cybercoterie is disproportionately composed of tech types and IT industry or government executives.
And this brings me to my one main critique of Walt’s essay: His model for addressing the objectivity deficit in the current debate is actually an example of the problem, not the solution. After noting correctly that “a lot of the experts have a clear vested interest in hyping the threat, so as to create greater demand for their services,” he calls for “an objective, blue-ribbon commission to look carefully at this question” of cyber threats. As a model of such a commission, he pointed to the 2008 CSIS Commission on Cybersecurity for the 44th Presidency that produced a report, “Securing Cyberspace for the 44th Presidency,” [PDF] that had a great deal of influence on the President’s “Cyberspace Policy Review” [PDF] released in May 2009. But he also says that he “can’t tell how reliable its conclusions are likely to be. Why? Because I can’t tell how many of its members are people with a stake in the outcome. Makes me wish somebody like Richard Feynman was still around to chair it.”
But it doesn’t take a rocket scientist (or a rock star physicist either) to look at the list of members of the CSIS commission and see that it is unbalanced. There are far too many consultants and industry executives among on the list, including some who, like McConnell, show signs of having been through the revolving door at least once–i.e. an IT executive and/or consultant who is also listed as a “former” government official of some sort. Now, this is not to say that industry experts and consultants should not be part of the debate. They absolutely should be. If we had none of these folks on commissions like the CSIS commission, we would be making a big mistake. But to have the vast majority of a commission that had a profound impact upon White House-level policy so unbalanced towards industry executives and consultants is also irresponsible.
For example, why not have a scholar of international relations, perhaps Walt even, on the commission? Why not have some scholars who study cyberculture or hacker culture? Why no scholars of information society and economy….Manuel Castells perhaps? Why no historians of computing or Internet? Or maybe something even more wild, some historians who have studied responses to the perceived security threats of earlier forms of “new media” like telegraph and radio? There are certainly folks who have studied the history of intelligence, and SIGINT in particular. Might they have a contribution to make? OK, maybe that’s crazy talk. But it’s not crazy to ask why there are no academics like Dorothy Denning, Martin Libicki, Ron Deibert, or many others, who study cyberspace security from various empirical and disciplinary perspectives.
There is more to cyberspace security than the technical aspects. And if we are to assess the challenges properly and devise appropriate and effective responses to them, we desperately need to hear from a wider variety of voices. So while I agree with Walt that we need more “objective” (and diverse) panels working independently on the question of cybersecurity, and that the CSIS Commission on Cybersecurity for the 44th Presidency can serve as a model, I think that the CSIS commission should serve as a model of the type of commissions that we should avoid.