Max Smeets is a cybersecurity fellow at Stanford University’s Center for International Security and Cooperation (CISAC), a Research Associate at the Centre for Technology & Global Affairs, University of Oxford, and a non-resident cybersecurity policy fellow at New America. In 2018, he was awarded the Journal of Strategic Studies’ prestigious Amos Perlmutter Prize for the most outstanding publication by a junior faculty member.
This interview originally appeared on Global Policy: Next Generation-- a new annual issue from the journal Global Policy.
First, can you briefly describe your work and your interest in the field of cybersecurity?
I am currently finishing up my book manuscript on the dynamics of cyber proliferation. For at least a decade, policymakers and analysts have made explicit statements about the spread of what some call ‘cyberweapons’. Some senior officials argue that well over 30 nation-states are capable of launching cyber attacks; others are less conservative in their estimates. But, like much of the early nuclear thinking, no explicit basis for these estimates and forecasts is provided. Indeed, variations of the ‘domino effect’ logic -- when one goes cyber, all go cyber -- seem to implicitly dominate thinking.
There is a lack of attentiveness to the theoretical assumptions behind why governments are setting up these military units to conduct offensive cyber operations, and there is a need for more social science scholarship on this topic. The main argument of my book is that the world is not at the brink of ‘mass cyber proliferation’.
How much do existing theories of international security contribute to understandings of the dynamics of cyber proliferation? Are other proliferation theories still useful for understanding this new space?
They contribute a lot. Scott Sagan’s classic study identifies three ‘models’ (international security, domestic politics, and identity politics/symbolism), in the informal sense of the term, to explain states’ willingness to go for the nuclear option. I also use these ‘models’ to better understand the motivations of states to go cyber. But we have to be very careful here. The fundamental dynamics of cyber proliferation are different in a number of ways. For example, non-state actors play a much bigger role in enabling states to develop these capabilities. The Russian government, perhaps most prominently, is known to rely on cyber criminals and other patriotic hackers to conduct cyber operations. For a good overview, see this piece in Meduza.
You have also published on other topics, including your prize-winning article in the Journal of Strategic Studies. The article argues that the “transitory” nature of cyberweapons is an underappreciated dimension of cybersecurity. What do you mean by this?
Formally, the transitory nature of cyberweapons (a term which I actually do not use in my forthcoming publications) refers to ‘the temporary ability to access a computer system or network to cause harm or damage to living and material entities’.
Less formally, we can draw an analogy with food and cooking. Food is perishable. And we have a pretty good sense of ‘best-before dates’ of different types of food. The perishability of food likely affects our decision-making: when you have a delicious piece of salmon in the fridge which goes off tomorrow, you’re more likely to eat it today.
For cyber, when a new ‘exploit’ is developed for a certain vulnerability, we do not have a good sense of the practices which affect the exploit’s ‘best-before date’. Equally, there is little research which explains how these time dynamics affect the decision-making of offensive actors, and so my article in JSS sought to provide some insights.
In what ways might appreciating the transitory nature of cyber capabilities change policymakers’ approach to cyber policy?
Offensive cyber programs potentially require a different approach to budgeting, at least when compared with conventional weapon programs. For conventional weapon programs, (government) institutions can come up with a relatively good cost estimate as to what is required to maintain a certain capability; a typical budget proposal would say ‘in X years’ time, the following capability needs to be replaced/upgraded. Hence, we project to spend …’. Conventional weapons’ ageing is generally modeled as a gradual (log-linear) deterioration.
This approach, however, does not hold up for cyber. Instead, governments only have the ability to use a certain ‘exploit’ or weapon for a certain period of time, and its usability rapidly declines when it is discovered. What this means is that more flexible budgets (and hiring procedures) are recommended to cope with potentially prompt fluctuations in overall capability.
Which books have proved influential for your work?
I have been impressed by Ben Buchanan’s book The Cybersecurity Dilemma published last year. As the title suggests, the book argues that the security dilemma also holds great relevance in cybersecurity. More specifically, Buchanan’s argument is that states are incentivized to launch intrusions into others’ networks to enhance their own security, but in the process risk escalating tensions.
There are not many books in the field which combine IR theory with ‘cyber’, but this book is one of them and does it well. Also, it is pretty difficult to write a book on cyber conflict which stands the test of time, as the dynamics are changing so quickly and our understanding too. But I believe that Buchanan’s book - describing a fundamental dynamic of this ‘domain’ - will still be on course syllabi 10+ years from now.
What other disciplines should people in your subfield learn more about in order to better understand cybersecurity? Or what other disciplines do you find it valuable to draw on in your research?
Some have argued that cyber studies can be split up into different wings, in which political scientists, computer scientists, legal scholars, etc. would each contribute their own share to understanding different aspects of the cyber issue. I, however, am a big believer in interdisciplinary research and think trying to split up the field would quickly lead to a similar situation as the attempt of the blind men to discover the nature of the elephant: the one who touches its leg calls it a tree, another who touches its tail calls it a rope, and so on.
I am currently reading a lot of organizational management literature. Scholars who set out to explain the conduct of cyber operations normally focus on argument related to the ‘nature’ or ‘meaning’ of cyberspace. Yet, we cannot fully understand the use of cyber capabilities without studying the organisational structure in which its use of these capabilities is embedded. For example, in previous work I have argued that organizational integration between intelligence and military activities can both enable and constrain the conduct of cyber operations.
What piece of advice have you found most helpful as an early career researcher?
There is this great twitter account called “Lego Grad Student”. One of the tweets is a picture of 'Lego Grad Student' in a bathroom, and says: “Washing up for bed after accomplishing nothing that day, the grad student instinctively refuses to look at himself in the mirror.”
What I believe should be avoided during the PhD is a perfect correlation between ‘happiness’ and ‘PhD progress’: e.g. when research goes well I’m happy; when research goes badly I’m not happy (and don’t want look at myself in the mirror). That’s dangerous - although, of course, some correlation is inevitable and cannot be avoided.
It is likely there will be (sometimes long) stretches of time that you are not happy with your research. It is hard to break the negative cycle if there is ‘perfect’ correlation. I think a key strategy to managing this issue is setting goals that have nothing to do with your research, for instance joining a sports team or becoming a Trivial Pursuit expert. The key is finding other opportunities to generate a sense of accomplishment that can tide you over during challenging periods in your research.
What advice would you give to students just beginning their doctoral research?
We all talk about finding the supervisor who is the perfect research fit. Supervisors are important. But I would say peers are more important. Who is sitting next to in your office/open desk space changes your day, week, and PhD-life completely. Having people with whom you can share your writing and your successes or failures is also critical.
Emma Lecavalier is the Deputy Editor of Global Policy: Next Generation.
Abstract: There is a growing interest in the use of offensive cyber capabilities (OCC) among states. Despite the growing interest in these capabilities, little is still known about the nature of OCC as a tool of the state. This research therefore aims to understand if (and how) offensive cyber capabilities have the potential to change the role of military power. Drawing on a wide range of cases, we argue that these capabilities can alter the manner in which states use their military power strategically in at least four ways. OCC are not particularly effective in deterring adversary military action, except when threatened to be used by states with a credible reputation. However, they do have value in compellence. Unlike conventional capabilities, the effects of offensive cyber operations do not necessarily have to be exposed publicly, which means the compelled party can back down post-action without losing face thus deescalating conflict. The potential to control the reversibility of effect of an OCC by the attacker may also encourage compliance. OCC also contribute to the use of force for defensive purposes, as it could provide both a preemptive as well as preventive strike option. Finally, its symbolic value as a ‘prestige weapon’ to enhance ‘swaggering’ remains unclear, due to its largely non-material ontology and transitory nature.
Abstract: This article examines the transitory nature of cyberweapons. Shedding light on this highly understudied facet is important both for grasping how cyberspace affects international security and policymakers’ efforts to make accurate decisions regarding the deployment of cyberweapons. First, laying out the life cycle of a cyberweapon, I argue that these offensive capabilities are both different in ‘degree’ and in ‘kind’ compared with other regarding their temporary ability to cause harm or damage. Second, I develop six propositions which indicate that not only technical features, inherent to the different types of cyber capabilities – that is, the type of exploited vulnerability, access and payload – but also offender and defender characteristics explain differences in transitoriness between cyberweapons. Finally, drawing out the implications, I reveal that the transitory nature of cyberweapons benefits great powers, changes the incentive structure for offensive cyber cooperation and induces a different funding structure for (military) cyber programs compared with conventional weapon programs. I also note that the time-dependent dynamic underlying cyberweapons potentially explains the limited deployment of cyberweapons compared to espionage capabilities.
Abstract: Across the world, states are establishing military cyber commands or similar units to develop offensive cyber capabilities. One of the key dilemmas faced by these states is whether (and how) to integrate their intelligence and military capabilities to develop a meaningful offensive cyber capacity. This topic, however, has received little theoretical treatment. The purpose of this paper is therefore to address the following question: What are the benefits and risks of organizational integration of offensive cyber capabilities (OIOCC)? I argue that organizational integration may lead to three benefits: enhanced interaction efficiency of intelligence and military activities, better(and more diverse) knowledge transfer and reduced mission overlap. Yet, there are also several negative effects attached to OIOCC. It may lead to 'cyber mission creep' and an intensification of the cyber security dilemma. It could also result in arsenal cost ineffectiveness in the long run. Although the benefits of OIOCC are seen to outweighs the risks, failing to grasp the negative effects may lead to unnecessary cycles of provocation, with potentially disastrous consequences.
Abstract: Could offensive cyber operations provide strategic value? If so, how and under what conditions? While a growing number of states are said to be interested in developing offensive cyber capabilities, there is a sense that state leaders and policy makers still do not have a strong conception of its strategic advantages and limitations. This article finds that offensive cyber operations could provide significant strategic value to state-actors. The availability of offensive cyber capabilities expands the options available to state leaders across a wide range of situations. Distinguishing between counterforce cyber capabilities and countervalue cyber capabilities, the article shows that offensive cyber capabilities can both be an important force-multiplier for conventional capabilities as well as an independent asset. They can be used effectively with few casualties and achieve a form of psychological ascendancy. Yet, the promise of offensive cyber capabilities’ strategic value comes with a set of conditions. These conditions are by no means always easy to fulfill—and at times lead to difficult strategic trade-offs.
Abstract: The Perfect Weapon is the startling inside story of how the rise of cyberweapons in all their forms—from attacks on electric grids to attacks on electoral systems—has transformed geopolitics like nothing since the invention of the airplane and the atomic bomb. Cheap to acquire, easy to deny, usable for everything from crippling infrastructure to sowing discord and doubt, cyber is now the weapon of choice for American presidents, North Korean dictators, Iranian mullahs, and Kremlin officials. The United States struck early with the most sophisticated cyber attack in history, Operation Olympic Games, which used malicious code to blow up Iran’s nuclear centrifuges, and it has gone on to use cyberweapons against North Korean missiles and the Islamic State. Soon, the cyber floodgates opened. But as the global cyber conflict took off, America turned out to be remarkably unprepared. Its own weapons were stolen from the American arsenal by a group called Shadow Brokers and were quickly turned against the United States and its allies. Even while the United States built up a powerful new Cyber Command, it had no doctrine for how to use it. Deterrence failed. When under attack—by Russia, China, or even Iran and North Korea —the government was often paralyzed, unable to use cyberweapons because America’s voting system, its electrical system, and even routers in citizens’ homes had been infiltrated by foreign hackers. American citizens became the collateral damage in a war they barely understood, one that was being fought in foreign computer networks and along undersea cables.
Speaker Bio: David Sanger is national security correspondent for the New York Times and bestselling author of The Inheritance and Confront and Conceal. He has been a member of three teams that won the Pulitzer Prize, including in 2017 for international reporting. A regular contributor to CNN, he also teaches national security policy at Harvard’s Kennedy School of Government.
The Kofi Annan Foundation has tapped four Stanford scholars at the Freeman Spogli Institute for International Studies (FSI) to help advance one of its top priorities: to shed light on the rapidly-changing role of technology in elections around the world and to recommend ways of ensuring that digital tools strengthen—not undercut—democracy.
To that end, the foundation has formed the Kofi Annan Commission on Elections and Democracy in the Digital Age and named Stephen Stedman, a senior fellow at FSI and deputy director of its Center on Democracy, Development, and the Rule of Law (CDDRL), to serve as its secretary general. The Chair of the commission is the former president of Costa Rica, Laura Chinchilla.
Stedman is joined on the commission by Stanford colleagues Alex Stamos, the former chief security officer of Facebook who came to FSI as an adjunct professor earlier this year; Toomas Hendrik Ilves, the ex-president of Estonia who is now an affiliate of FSI's Center for International Security and Cooperation (CISAC); and Nathaniel Persily, an FSI affiliate and Stanford Law School professor.
In addition, the commission's work will be run through the university's Project on Democracy and the Internet, which is a partnership of FSI, the law school, and the Center on Philanthropy and Civil Society (Stanford PACS).
Kofi Annan, the former head of the United Nations and founder of the non-profit that bears his name, formed the commission earlier this year. In May, Annan visited Stanford to recruit for the commission and discuss his concerns about the growing role of the Internet—and social media, specifically—in elections worldwide.
"Kofi Annan always viewed electoral integrity as a bedrock principle in democracy and undertook a number of initiatives to counteract any attempt to undermine the voting process," said Stedman, who has led two other high-profile Annan initiatives over 15 years. "The rise of social media, fake news, hate news—the whole 'witches brew' of threats to electoral integrity globally—was of particular concern to him."
The commission's mandate is expansive: to "examine and review the opportunities for electoral integrity created by technological innovations," according to a foundation statement. Stedman adds that the plan calls for members to meet periodically before issuing their findings and recommendations before the end of 2019. As secretary general, Stedman will oversee the research and writing of the commission's final report.
In recent years, a number of high-profile initiatives have been launched in response to technology's negative impact on the electoral process. The Kofi Annan Foundation's effort stands out for its range of expertise, said Persily: The 12 members hail from government, business, academia, and civil society and have all dealt firsthand with technology's promise and pitfalls.
"The diverse membership on this commission brings the expertise and political skills necessary to tackle these questions," said Persily. "My guess is that we won't all agree on either the nature of the problem or how to address it, but that will force us to build consensus and come up with recommendations that will make an impact." Persily co-directs the Project on Democracy and the Internet along with CDDRL director Francis Fukuyama and also leads Social Science One, a new global initiative in which academics are granted special access to Facebook data in the hopes of generating insights into social media's impact on elections around the world.
Another notable feature is the commission's geographic scope. "The United States and Europe are easy targets," said Ilves, who is involved in a number of other high-profile initiatives on technology and elections. "But the problem extends beyond the rich, northern hemisphere and that is not on people's radar screens."
In a sign of just how urgent the role of digital tools in global elections has become, Stedman led a similar Kofi Annan Foundation commission in 2012.
"We had a lot to say six years ago about the problems affecting the integrity of elections," said Stedman, citing unfettered campaign finance and barriers to participation as examples. "But we did not anticipate the role that social media would come to play."