Politico.eu recently ran an interview with Ciaran Martin, the outgoing chief of the UK’s National Cyber Security Centre. In it, Martin raises the alarm against Chinese attempts at massive data harvesting in the West (specifically in regard to the development of AI). This issue naturally dovetails with the US debate on the banning of TikTok. Herein lies the problem. Both national security agencies and major social media companies have endeavored to normalize perceptions of industrial data collection and surveillance over the past decade or two: that public opinion might be desensitized to the threat posed by foreign actors with access to similar data troves is therefore not surprising. The real challenge in repurposing a Cold War mentality for competition with China in the cyber domain today, in other words, is not so much a lag in Western –especially European– ICT innovation (Martin is himself slipping into a pantouflage position with a tech venture capital firm): it is a lack of urgency, of political will in the society at large, an apathy bred in part of acquiescence in surveillance capitalism.
A couple of scholarly articles read today on cyberwarfare. The first, a long piece by James Shires in the Texas National Security Review, speaks to a long-term thread of interest for me, namely the (imperfect) mapping of real-world alliances with operations in the cyber domain: the UAE, Qatar, and Saudi Arabia, although strategic partners of the US in the Gulf region, nonetheless targeted Hack-and-leak (HLO) operations at the US.
Shires underscores the patina of authenticity that leaks hold, and does a good job of showing how HLOs connect them with Bruce Schneier’s concept of “organizational doxxing”. In describing these HLOs as “simulations of scandal “, he leverages theoretical understandings of the phenomenon such as that of Jean Baudrillard. Standards of truth emerge as a major object of manipulation, but the key stake is whether the public will focus on the hack or the leak as the essence of the story.
The second article, by Kristen Eichensehr at justsecurity.org, reflects on the technical and legal process of attribution of cyberattacks. It argues in favor of the creation of a norm of customary international law obliging States to provide evidence when they attribute acts of cyberwarfare to a State or non-State actor. How to guarantee the credibility of the evidence and of the entity providing it (whether a centralized international body, a government agency, or a think-tank, academic institution, or private company) remains somewhat vague under her proposal.