{"id":74173,"date":"2022-07-29T11:30:26","date_gmt":"2022-07-29T01:30:26","guid":{"rendered":"https:\/\/www.aspistrategist.ru\/?p=74173"},"modified":"2022-07-29T11:36:18","modified_gmt":"2022-07-29T01:36:18","slug":"its-still-early-days-for-cyber","status":"publish","type":"post","link":"https:\/\/www.aspistrategist.ru\/its-still-early-days-for-cyber\/","title":{"rendered":"It\u2019s still early days for cyber"},"content":{"rendered":"<figure><img loading=\"lazy\" decoding=\"async\" width=\"1000\" height=\"666\" class=\"alignnone size-full wp-image-74178\" src=\"https:\/\/www.aspistrategist.ru\/wp-content\/uploads\/2022\/07\/markus-spiske-8OyKWQgBsKQ-unsplash.jpg\" srcset=\"https:\/\/www.aspistrategist.ru\/wp-content\/uploads\/2022\/07\/markus-spiske-8OyKWQgBsKQ-unsplash.jpg 1000w, https:\/\/www.aspistrategist.ru\/wp-content\/uploads\/2022\/07\/markus-spiske-8OyKWQgBsKQ-unsplash-205x137.jpg 205w, https:\/\/www.aspistrategist.ru\/wp-content\/uploads\/2022\/07\/markus-spiske-8OyKWQgBsKQ-unsplash-768x511.jpg 768w, https:\/\/www.aspistrategist.ru\/wp-content\/uploads\/2022\/07\/markus-spiske-8OyKWQgBsKQ-unsplash-332x221.jpg 332w\" sizes=\"(max-width: 1000px) 100vw, 1000px\" \/><\/figure>\n<p>Despite information security figuring in the defence and national security consciousness since well before the end of the Cold War, we remain in the early days of cyber.<\/p>\n<p>For some years after September 2001, when concerns over cyber were overtaken as a national security priority by terrorism, cyber tended to be seen a secondary concern, most worrying when it merged with other threats like cyberterrorism.<\/p>\n<p>That seemed a fair conclusion. Terrorism is a tool of the weak. Cyber is similar\u2014an attack can be launched with little more than a laptop and an internet connection.<\/p>\n<p>And there is indeed a thriving criminal industry comprising individuals, loosely affiliated networks and more established gangs, trading in exploits, malware and stolen data. Ransomware, with its prospect of fast and easy financial return, is a major incentive in a hypercompetitive criminal cyber industry.<\/p>\n<p>The motives that drive criminal elements, however, differ from those of nation-states in cyberspace.<\/p>\n<p>Cyber has become a valuable tool in the larger armoury of governments. Nation-states compete for access and influence in cyberspace. Some governments focus on their own people and political rivals. More generally, cyber is one element of grey-zone activity, or hybrid warfare.<\/p>\n<p>For example, cyber offers both material and a means by which Russia can undertake its long practice in influence and disinformation operations, <em>maskirovka<\/em>. China has used cyber operations to steal valuable intellectual property, fuelling its own technological competitiveness and economic growth. North Korea uses its cyber capability for financial gain, to fund its nuclear program and to evade sanctions.<\/p>\n<p>By its nature, cyber activity and effect can be hard to discern. It is the dark side of digital: the same technology and systems that generate new business models, greater efficiencies and increased capability, connectedness and capacity inherently carry vulnerabilities, misconfigurations and points of access that can be exploited by an adversary.<\/p>\n<p>But even as governments find cyber useful as a tool and appreciate its potential threat, the usual policies and traditional frameworks of national security have difficulty gaining traction in cyber, because of the nature of the domain.<\/p>\n<p>The operating environment for cyber is vast and everchanging. Policymakers can\u2019t conceive of their strategic objectives or plan for specific outcomes in cyber as they can for land, sea, air or even space. In those domains, technology is built to operate in, on or through physical terrain.<\/p>\n<p>In cyber, the technology <em>is<\/em> the terrain. Changing the technology\u2014the logical structure, content and connections of systems and applications\u2014alters the terrain. And that occurs every instant, creating or closing opportunities, threats and means of action within that domain.<\/p>\n<p>Yet cyber isn\u2019t free of the physical world. It is tethered in data centres, fibre networks and sensors. It is shaped by the dependencies inherent in supply chains.<\/p>\n<p>Cyber is also embedded in the social world: human interaction with technology\u2014the access and use of systems, applications, devices and data\u2014adds further complexity and dynamism.<\/p>\n<p>The combinatorial complexity of technology, the physical world, and social purpose and interaction generates, for all intents, an infinite space of possibility. Structure does matter, but attackers don\u2019t want for opportunities.<\/p>\n<p>Because change is constant, opportunities, and the advantages they may confer if exploited, are fleeting. That fundamentally alters the calculus of risk, cost, benefit, resourcing and outcome.<\/p>\n<p>In the cyber domain, nation-states have little understanding of or control over their own assets and vulnerable threat surface. Governments must deal with considerable tech debt, accumulated since information and communications technologies became commonplace as business tools and control systems, more than 60 years ago.<\/p>\n<p>Legacy ICT includes infrastructure and applications that remain in organisations but are no longer supported by vendors and often neglected. Some legacy systems run operations, industrial systems and critical equipment. Such systems are often bespoke, written without security in mind and unable to be patched.<\/p>\n<p>Then there is shadow ICT, which lies outside official channels and awareness\u2014the server under the desk, the software-as-a-service purchased with a corporate or personal credit card, the \u2018free\u2019 use of online storage.<\/p>\n<p>The stock of large and growing amounts of legacy, operational and shadow ICT is a product of a fast-moving, easily accessible, affordable digital environment. But it means that \u2018official\u2019 ICT, even within government organisations, captures a comparatively small area of the overall vulnerable threat surface of systems, operations and data.<\/p>\n<p>And with few exceptions, a nation-state\u2019s information technology base is not designed, developed, maintained or controlled by governments, but by private industry, obscuring further its scale, scope, vulnerabilities and opportunities.<\/p>\n<p>There\u2019s no single government body that has a good understanding of what needs defending\u2014or what assets the government has at its disposal\u2014except possibly in the abstract.<\/p>\n<p>That\u2019s unlike other domains of power, where military, diplomatic and intelligence assets, including the physical borders of a country, are carefully accounted. Changes in those assets are often slow; they are rarely ephemeral, or intangible, in the way that a cyber advantage or tool may be.<\/p>\n<p>The strategic logic of operating in this environment continues to evolve. Strategies\u2014and the ways of thinking, planning and controlling activity\u2014in the conventional domain are likely to be ill-suited to the cyber domain. If applied without understanding or care, they could even prove detrimental to the interests of a nation and its citizens.<\/p>\n<p>New strategies, norms, ways of operating, systems of governance and policies are needed to at least complement, if not replace, conventional frameworks when dealing with the cyber domain.<\/p>\n<p>And a strategic approach based on anticipation, speed and transience in an intangible environment that transcends physical boundaries presents significant challenges to existing norms and institutions. Those include many at the heart of liberal democratic governance and society: evidence-based decision-making, the means of civilian control, the process expected through law, notions of sovereignty, the accountability demanded of democratic institutions, the responsibilities of the private sector, the freedoms of civil society, and the engagement due allies and partners.<\/p>\n<p>Working through all these means that we\u2019re in only the early days of cyber.<\/p>\n<p>So far, governments have focused on the practicalities of interests, threats and operating in the cyber environment. While such difficulties shouldn\u2019t be underestimated, it\u2019s not enough to focus on those alone. Careful thought needs to be given to governance, policy, statecraft and strategy if the challenges of a very different domain of security, one that intrudes into every facet of daily life, are to be managed effectively.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Despite information security figuring in the defence and national security consciousness since well before the end of the Cold War, we remain in the early days of cyber. For some years after September 2001, when &#8230;<\/p>\n","protected":false},"author":861,"featured_media":74178,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_mi_skip_tracking":false,"footnotes":""},"categories":[1],"tags":[391,713,731,35,332],"class_list":["post-74173","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-general","tag-cyber","tag-cyberattack","tag-internet-governance","tag-risk","tag-technology"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v19.3 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>It\u2019s still early days for cyber | The Strategist<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.aspistrategist.ru\/its-still-early-days-for-cyber\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"It\u2019s still early days for cyber | The Strategist\" \/>\n<meta property=\"og:description\" content=\"Despite information security figuring in the defence and national security consciousness since well before the end of the Cold War, we remain in the early days of cyber. For some years after September 2001, when ...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.aspistrategist.ru\/its-still-early-days-for-cyber\/\" \/>\n<meta property=\"og:site_name\" content=\"The Strategist\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/ASPI.org\" \/>\n<meta property=\"article:published_time\" content=\"2022-07-29T01:30:26+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2022-07-29T01:36:18+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.aspistrategist.ru\/wp-content\/uploads\/2022\/07\/markus-spiske-8OyKWQgBsKQ-unsplash.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1000\" \/>\n\t<meta property=\"og:image:height\" content=\"666\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Lesley Seebeck\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@ASPI_org\" \/>\n<meta name=\"twitter:site\" content=\"@ASPI_org\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Lesley Seebeck\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"5 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.aspistrategist.ru\/#website\",\"url\":\"https:\/\/www.aspistrategist.ru\/\",\"name\":\"The Strategist\",\"description\":\"ASPI&#039;s analysis and commentary site\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.aspistrategist.ru\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-AU\"},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-AU\",\"@id\":\"https:\/\/www.aspistrategist.ru\/its-still-early-days-for-cyber\/#primaryimage\",\"url\":\"https:\/\/www.aspistrategist.ru\/wp-content\/uploads\/2022\/07\/markus-spiske-8OyKWQgBsKQ-unsplash.jpg\",\"contentUrl\":\"https:\/\/www.aspistrategist.ru\/wp-content\/uploads\/2022\/07\/markus-spiske-8OyKWQgBsKQ-unsplash.jpg\",\"width\":1000,\"height\":666},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.aspistrategist.ru\/its-still-early-days-for-cyber\/\",\"url\":\"https:\/\/www.aspistrategist.ru\/its-still-early-days-for-cyber\/\",\"name\":\"It\u2019s still early days for cyber | The Strategist\",\"isPartOf\":{\"@id\":\"https:\/\/www.aspistrategist.ru\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.aspistrategist.ru\/its-still-early-days-for-cyber\/#primaryimage\"},\"datePublished\":\"2022-07-29T01:30:26+00:00\",\"dateModified\":\"2022-07-29T01:36:18+00:00\",\"author\":{\"@id\":\"https:\/\/www.aspistrategist.ru\/#\/schema\/person\/234257d47cdae20040ac334973efd4d4\"},\"breadcrumb\":{\"@id\":\"https:\/\/www.aspistrategist.ru\/its-still-early-days-for-cyber\/#breadcrumb\"},\"inLanguage\":\"en-AU\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.aspistrategist.ru\/its-still-early-days-for-cyber\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.aspistrategist.ru\/its-still-early-days-for-cyber\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.aspistrategist.ru\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"It\u2019s still early days for cyber\"}]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.aspistrategist.ru\/#\/schema\/person\/234257d47cdae20040ac334973efd4d4\",\"name\":\"Lesley Seebeck\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-AU\",\"@id\":\"https:\/\/www.aspistrategist.ru\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/f091ef55cb0dfe06e4e0cb2511a3fb7b?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/f091ef55cb0dfe06e4e0cb2511a3fb7b?s=96&d=mm&r=g\",\"caption\":\"Lesley Seebeck\"},\"url\":\"https:\/\/www.aspistrategist.ru\/author\/lesley-seebeck\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"It\u2019s still early days for cyber | The Strategist","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.aspistrategist.ru\/its-still-early-days-for-cyber\/","og_locale":"en_US","og_type":"article","og_title":"It\u2019s still early days for cyber | The Strategist","og_description":"Despite information security figuring in the defence and national security consciousness since well before the end of the Cold War, we remain in the early days of cyber. For some years after September 2001, when ...","og_url":"https:\/\/www.aspistrategist.ru\/its-still-early-days-for-cyber\/","og_site_name":"The Strategist","article_publisher":"https:\/\/www.facebook.com\/ASPI.org","article_published_time":"2022-07-29T01:30:26+00:00","article_modified_time":"2022-07-29T01:36:18+00:00","og_image":[{"width":1000,"height":666,"url":"https:\/\/www.aspistrategist.ru\/wp-content\/uploads\/2022\/07\/markus-spiske-8OyKWQgBsKQ-unsplash.jpg","type":"image\/jpeg"}],"author":"Lesley Seebeck","twitter_card":"summary_large_image","twitter_creator":"@ASPI_org","twitter_site":"@ASPI_org","twitter_misc":{"Written by":"Lesley Seebeck","Est. reading time":"5 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebSite","@id":"https:\/\/www.aspistrategist.ru\/#website","url":"https:\/\/www.aspistrategist.ru\/","name":"The Strategist","description":"ASPI&#039;s analysis and commentary site","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.aspistrategist.ru\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-AU"},{"@type":"ImageObject","inLanguage":"en-AU","@id":"https:\/\/www.aspistrategist.ru\/its-still-early-days-for-cyber\/#primaryimage","url":"https:\/\/www.aspistrategist.ru\/wp-content\/uploads\/2022\/07\/markus-spiske-8OyKWQgBsKQ-unsplash.jpg","contentUrl":"https:\/\/www.aspistrategist.ru\/wp-content\/uploads\/2022\/07\/markus-spiske-8OyKWQgBsKQ-unsplash.jpg","width":1000,"height":666},{"@type":"WebPage","@id":"https:\/\/www.aspistrategist.ru\/its-still-early-days-for-cyber\/","url":"https:\/\/www.aspistrategist.ru\/its-still-early-days-for-cyber\/","name":"It\u2019s still early days for cyber | The Strategist","isPartOf":{"@id":"https:\/\/www.aspistrategist.ru\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.aspistrategist.ru\/its-still-early-days-for-cyber\/#primaryimage"},"datePublished":"2022-07-29T01:30:26+00:00","dateModified":"2022-07-29T01:36:18+00:00","author":{"@id":"https:\/\/www.aspistrategist.ru\/#\/schema\/person\/234257d47cdae20040ac334973efd4d4"},"breadcrumb":{"@id":"https:\/\/www.aspistrategist.ru\/its-still-early-days-for-cyber\/#breadcrumb"},"inLanguage":"en-AU","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.aspistrategist.ru\/its-still-early-days-for-cyber\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.aspistrategist.ru\/its-still-early-days-for-cyber\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.aspistrategist.ru\/"},{"@type":"ListItem","position":2,"name":"It\u2019s still early days for cyber"}]},{"@type":"Person","@id":"https:\/\/www.aspistrategist.ru\/#\/schema\/person\/234257d47cdae20040ac334973efd4d4","name":"Lesley Seebeck","image":{"@type":"ImageObject","inLanguage":"en-AU","@id":"https:\/\/www.aspistrategist.ru\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/f091ef55cb0dfe06e4e0cb2511a3fb7b?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f091ef55cb0dfe06e4e0cb2511a3fb7b?s=96&d=mm&r=g","caption":"Lesley Seebeck"},"url":"https:\/\/www.aspistrategist.ru\/author\/lesley-seebeck\/"}]}},"_links":{"self":[{"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/posts\/74173"}],"collection":[{"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/users\/861"}],"replies":[{"embeddable":true,"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/comments?post=74173"}],"version-history":[{"count":5,"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/posts\/74173\/revisions"}],"predecessor-version":[{"id":74180,"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/posts\/74173\/revisions\/74180"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/media\/74178"}],"wp:attachment":[{"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/media?parent=74173"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/categories?post=74173"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/tags?post=74173"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}