Russian President Vladimir Putin has signed off on a new information security doctrine (PDF) for Russia. Reports about the new doctrine highlight Russia’s broader conception of information security compared with the United States. The U.S. must come to grips with this broader conception if it is to counter the Russian cyber threat.
Reports about the new doctrine in RT and TASS indicate that the Russian conception of information security includes much more than just the confidentiality, integrity, and availability of networks and the information that they store and transmit. This is certainly part of the Russian conception. But it is only one part. One is struck by the many references to the social, cultural, psychological, and even spiritual aspects of information security mentioned in the RT and TASS reports on the new doctrine.
This will likely seem strange to many in the United States. That is because we have, historically, had two competing understandings of “information” at work in our discussions of information security. One is an understanding of information as bits and bytes stored and transmitted over networks. The other is information as perceptions, the psychological or “hearts and minds” aspect of information. In the United States, over time, it is the “bits and bytes” understanding that has come to dominate.
But it need not be this way. Nor was it always this way. At this year’s NATO conference on cyber conflict, Martin Libicki reminded the audience that the United States once had a much broader definition of “information warfare.” This definition included more than just cyber-physical attacks so often the focus of U.S. thinking. While the U.S. conception of cyber conflict has narrowed, he warned that the Russians have maintained a broader understanding of information warfare.
Actions carried out based on this broader understanding could provide a serious challenge to the West, one that it might not at first recognize or be equipped to counter. Other observers have since seen alleged Russian cyber meddling in the U.S. presidential election as an example.
If the United States is to come to grips with the real cyber challenges that it faces, it must do two things. First, it must come to understand the wider conception of information security under which its Russian adversary operates. Second, it must understand its own historical relationship with this broader conception of information security.