Susan Landau pointed last week to a disagreement between the two of us, saying that current definitions of cybersecurity (such as the HSPD-54 that Herb quoted) are outmoded and a new definition is necessary. We agree with Susan, and as we discussed the matter, we find that we are in fact much more in agreement than disagreement. At least part of Susan’s perception that we disagree is understandably rooted in the titles of our respective pieces.
Herb was trying to argue that the disruption to the election of 2016 was not primarily the result of poor cybersecurity practices or technologies—as most of the nation currently understands cybersecurity vulnerability. As a variety of hearings and investigations are starting to make clear, the disruption resulted mostly from cyber-enabled Russian information warfare practices and activities that have been entirely legal under U.S. law and that have used information technology products and services in exactly the way they were designed to be used—to spread uncensored information rapidly to selected groups of people.
Paul was trying to argue that the election infrastructure—electronic vote counting systems, voter registration systems, and so on—was vulnerable in the 2016 election (even if not much seems to have happened to it). Those vulnerabilities remain for the 2018 and future elections to such an extent that warrants serious national attention to fix them. Left unfixed, major hacking efforts may be able to take advantage of these problems and cause a kind of disruption to the 2018 election that we have not yet seen.
We agree with each others points. We also both contend that treating the information warfare dimensions of the problem, like other cybersecurity problems, will do little to remediate the vulnerabilities of U.S. society to information warfare. Last, we agree that the danger of putting them in the same box is that neither the information operation vulnerabilities nor the cybersecurity vulnerabilities will be adequately addressed.
Susan’s contention that a new and broader definition of cybersecurity should include information warfare as a threat is thus conceptually correct. Ironically enough, 30 years ago, the term “information warfare” did include, and arguably focused on, what we understand today as cybersecurity. But both of us have been around government long enough to believe that redefining a term that defines important budget categories is fraught with danger and likely to further confuse the debate.
We have different enough perspectives that they will disagree on many things (with the utmost respect, of course). But both believe that both information warfare problems and cybersecurity problems afflict U.S. elections and the infrastructure that supports it. And we look forward to working together on appropriate solutions.