The Cybersecurity Dilemma
Book Review by Guest Contributor, John Davis: The Cybersecurity Dilemma (2017) by Ben Buchanan.
The Cybersecurity Dilemma is a digital-age look at a traditional security dilemma that occurs when nations conduct actions to ensure their security. Some of these defensive actions can be perceived by adversaries as aggressive posturing, and can lead to escalation and even conflict or war. Ben Buchanan takes his readers on an interesting journey, starting with historical examples of how the security dilemma played out with tragic consequences or “near misses.” He analyzes recent and current cyber incidents of notoriety and the implications for the stability between nations in this emerging cauldron of risk, as a result of characteristics and challenges unique to the cyberspace environment. Using public information, he brings to light some of the most intriguing and complex cyber events that have recently captured public attention, using excellent, easy-to-understand analysis. He also provides rigorous analysis of the potential consequences of this “subterranean” sphere of competition and conflict in cyberspace and how it could impact international stability in the physical realm. Finally, he offers some recommendations for navigating these troubled waters in ways that may help nations reduce the risks and potentially prevent misinterpretation, miscalculation and mistakes that could lead to conflict.
The Cybersecurity Dilemma is a must-read for cybersecurity professionals from the strategic policy level to those who are more technically oriented in information technology and cybersecurity. Ben Buchanan writes of a traditional security dilemma about nations conducting activities to better defend against threats, but in doing so causing the perception among their adversaries that these same activities are for aggressive or even offensive purposes. The resulting dilemma is that, in being responsibly defensive, a nation may be provoking its adversaries, causing escalation, and undermining its own security as a result of these defensive actions.
Buchanan uses well-known examples of how this dilemma has played out over history with sometimes catastrophic, or near catastrophic, consequences. The anecdotes he uses include both traditional and cyber-related events, such as the U-2 mission during the Cuban Missile Crisis, the broad U.S. cyber contingency attack plan against Iran's aggression and nuclear ambitions, the U.S. efforts to gain intelligence on Chinese hackers, the preliminary cyber intrusions that enabled Stuxnet, and the dilemma the U.S. faced in convincing the British and Germans that they need not fear each other during the run-up to World War I.
When translating this dilemma to the cyberspace environment, Buchanan takes the reader on a fascinating journey that uses open source information to cover a wide range of recent and current, contentious cyber events around the world. This journey provides tremendous, accurate insight and analysis into the how and why of some key, but still nascent, national cyber-operational efforts. More importantly, he helps to uncover and explain, in plain English, some of the potential, negative consequences of these activities, as well as some practical ways to reduce the danger of miscalculation and mistakes.
Despite having some level of technical detail and, in some instances, taking a very mechanical policy analysis perspective, I found the book to be a quick and easy read for any professional in the cybersecurity community. I especially enjoyed the way Buchanan concludes the book with some rather practical, basic advice about how to navigate the risks that the cybersecurity dilemma poses for nations. This advice encompasses a multi-pronged approach that includes strengthening the baseline cybersecurity posture and defenses within a nation, building credibility and trust with potential enemies to advance security through stability and bilateral cooperation, taking unilateral action to demonstrate the pursuit of stability, and establishing a communicated and declaratory posture for dealing with intrusions of significance. I think these points would be of interest to broader audiences in general.
Finally, this book has a very timely application to several current national and international efforts regarding deterrence in cyberspace. The Defense Science Board, which supports the Department of Defense, publicly released its report about Deterrence in Cyberspace in February 2017. According to the most recently released draft of the Trump administration’s cybersecurity executive order, there will be a requirement for specified U.S. government departments and agencies to conduct work on cyberspace deterrence as well. I recently participated in a RAND conference about deterrence in the “grey zones” of maritime, space and cyberspace in the context of the U.S.–Japan alliance; this is yet another indicator of the level of interest in the topic. Given the interest in these and other efforts to find solutions for the issue of deterrence in cyberspace, I believe this book can inform that debate and contribute valuable insight to help with the deterrence-related issues of signaling, escalation control, declaratory policy formulation, deterrence by denial, confidence building measures and international cooperation.
Whether you’re in the public or private sector, and no matter if you’re a policymaker having to deal with emerging cyber-related issues or a technically savvy cybersecurity professional on the front lines of the ongoing battle in the digital environment, this is a book that should go to the top of your professional reading list. The Cybersecurity Dilemma is a well-written, well-researched, important contribution to the nascent, but growing, body of literature about a relatively new challenge we are all facing in increasing scope and consequence. Ben Buchanan helps us to better understand what we are dealing with, the potential outcomes, and what we can do to better manage the risks in the digital age.