The Lack of New Ideas
How does a major form of interaction that has certainly changed twenty-first-century life, the internet, lead to a stagnant research field that appears no different over decades? Why are there no new ideas in cybersecurity?
After nearly five months of a reckless and norm-busting conventional war in Ukraine, the cybersecurity community is still asking when the cyber war will start. When a cyber conflict did not materialize, pundits fell back on the typical claim that it was really happening, but we just couldn’t see it. The cyber war is mainly fought in the shadows, or perhaps the “Upside Down” like in Stranger Things. It’s all there, we just don’t know where to look, apparently.
For all the reported success of Ukrainian resistance, precision targeting, and coordination between forces to deny the Russians any advantage, a team of NATO scholars had the complete inability to recognize hyperbole when they claimed that “cyber-operations have been Russia’s biggest military success to date in the war in Ukraine.” Cybersecurity has main character syndrome, a term used to describe the lust for attention in the new generation, with cyber playing a key role in every story about the future of geopolitics.
This need to be the main character in a devastating war of conquest is no more apparent than in Microsoft’s series of cybersecurity reports. They note that cyber war is happening and that there is coordination between military and cyber action, with Microsoft standing as the defender between chaos and order in Ukraine.
Unfortunately, it is still not clear how Microsoft defines cyberattacks. Coordination is never demonstrated beyond a correlation between an event one day and another the next day, providing no evidence that these events are connected and centrally directed. Instead of noting the importance of the defense and providing lessons for the community, Microsoft hunts for answers to questions they presume we are asking, such as where is the cyber war?
Overcoming the Challenge
This article presents a challenge to the cybersecurity community to develop new and interesting questions. If we were playing bingo with old and discredited concepts such as cyber privateers, building public-private partnerships, offensive advantage, or the need to enable deterrence, every observer would be waving their winning card in the air. The field of cybersecurity has the strange inability to develop new questions while at the same time making “cyber” the hero of every story.
Progress only comes through new explorations of unconventional ideas. For example, instead of focusing on rural access to broadband and increasing diversity in the field, why not put things into action by trying to solve the digital redlining issue which limits access? Digital redlining is when poor and minority communities in major urban areas have limited access to broadband, severely constricting educational opportunities and creating workforce pipeline issues in the first place.
Instead of focusing on the need to achieve coercive effects in cyberspace suggesting that the cyber offense has the advantage, how about we study the impact of cyber actions on behavior first before providing strategic solutions? Precision is needed in research; investments should only come through clear evidence of an impact, all hallmarks of social science.
Without novelty, cybersecurity will continue to fail as a field. There is no progress in cybersecurity. Instead, there are frequent setbacks and academic arguments that go in circles with no clear resolution. It would be nice to feel stupid from time to time when reading the next emerging generation of cyber security scholarship. Progress here will require throwing off the shackles of expectation and searching for novelty.