Dan Lohrmann recently blogged in another forum about a call for a US cybersecurity doctrine. Having written on a related topic and participated in other national framework initiatives before, this piece further expounds upon the question of doctrine. Or, more precisely, the question should be framed as implicating deeper and prerequisite considerations about an emerging field.
Writing a doctrine or a strategy is counter-productive, in my judgment, if the field remains ill-defined.
My launch point is founded upon a belief that this new cyber realm requires its own disciplinary construct. I would be concerned that doctrine -- without a full understanding of the field -- might add further confusion and perhaps need correction. The Monroe Doctrine, for example, did not need updating and correction. But then, the field of international diplomacy and sovereign regional interests was not a new study in the early 1800s. We do not want to be changing our National Cyber Doctrine in five or ten years -- which we have de facto done with the 2003 National Strategy to Secure Cyberspace.
What am I getting at? I believe academia needs to play a significant role in helping us first understand the cyber domain, and to shape its contours and interdisciplinary dimensions.
For example, the dust hasn't really settled on which federal department is in charge of cybersecurity. Until we have defined the domain as either homeland security, defense, intelligence, law enforcement, or even some new model (e.g., a public-private partnership), it would be impossible to set down a doctrine. How, for example, could we assert a Monroe-like doctrine about protecting sovereign cyberspace rights -- implicitly invoking a defense model -- if the responding department to most incidents were law enforcement or homeland security? National policy is not yet firm even on what constitutes an armed attack in cyberspace. If cybersecurity authorities span several departments based on the nature of the incident, that smacks of an ill-defined domain. How can doctrine be written for an ill-defined domain?
Thomas Kuhn's "The Structure of Scientific Revolutions" set out a useful model for understanding the nature and evolution of new beginnings. Kuhn wrote about how outliers, first rejected, eventually become studied and result in recognition of a new field, a new science. Until that disciplinary construct emerges and is addressed as its own unique field, outdated and often inapplicable methods and protocols from the previous field are applied to it.
The Kuhn paradigm again calls to mind the 2003 National Strategy to Secure Cyberspace. Add to that additional attempts at defining the way forward as a nation: The White House 60-day Cyberspace Policy Review, and various other national strategy, military strategy, international strategy, and other top-level strategy and implementation documents in different departments of the Federal Government. We can also look at lexicon shifts: network security, information security, data protection, cyber security, cybersecurity& This uncertain landscape reminds me of my partner's reference to cybersecurity as a "five-year old soccer game, with everyone chasing the ball in a cluster and without a game plan."
The "5-year old soccer game" analogy is useful because the unstructured and elusive chase of the cybersecurity ball is emblematic of Kuhn's observation about the emergence of new disciplines. The revisions of strategy, changes in lexicon, and general lack of structure seemingly bear out Kuhn's model. We remain in an immature state with respect to cybersecurity. Academic study and shaping of a cybersecurity discipline would therefore seem more helpful than a new doctrine.
This call for doctrine seemingly aligns with the President's pending executive order. The released draft cybersecurity executive order places responsibility in NIST for creating a "Cybersecurity Framework", which will include more than standards and protocols. NIST will develop a framework including methodologies and procedures as well, in essence an inventory and study of the cybersecurity field in establishing a baseline framework for the Nation. The only piece missing, in my judgment, is a role for academia to study the domain, and all its intersections with society. That is, approaching cybersecurity as an All of Society problem during a period of transition, rather than primarily a technology integration challenge.
Another reason for academic study is the above phrase "period of transition". Law often plays a prominent role in rebalancing societal interests during periods of change. I submit that law must play a principle role in development of the disciplinary construct and in the field itself. It is widely understood already that law has this role in the cyber field. However, I point to a much more core role.
Here I refer to the institution of law, not lawyers or legal issues. Fundamentally, the institution of law balances interests and establishes frameworks. In the interplay between society and various externalities (be they nation-states, technology, rights and interests or other dimensions), it is the institution of law that establishes the framework for resolution and then implements the procedures. The Hague Convention, Geneva Conventions, UN Charter, US Constitution... all these established the necessary and fundamental framework to resolve the underlying and pressing issues addressed in each document. Indeed, the taxonomy within any field (protocols, methods, academic rigor, etc) are governance structures, and in that sense are semblances of the institution of law.
At its core, the cyber challenge presents the question of how individuals, society and nations operate and balance competing interests through a revolutionary domain - the Internet. The institution of law will play the leading role in establishing first the disciplinary construct, and then the sub-components in the taxonomy, such as strategy, doctrine and implementing structures.
Has the cybersecurity field been shaped by law sufficiently to indicate that we are now ready for doctrine? Is our societal understanding of the field mature, such that it's presently wise to commit down a path? What's your view?
Doug DePeppe is a partner with i2 Information Security, a published cybersecurity writer, and participated in two White House cybersecurity initiatives, including the White House 60-Day Cyberspace Policy Review. He also leads the Western Cyber Exchange, a community cyber-resilience initiative. His background, projects, and publications can be found on his Homepage: www.cyberjurist.net.