Max Smeets is a cybersecurity fellow at Stanford University’s Center for International Security and Cooperation (CISAC), a Research Associate at the Centre for Technology & Global Affairs, University of Oxford, and a non-resident cybersecurity policy fellow at New America. In 2018, he was awarded the Journal of Strategic Studies’ prestigious Amos Perlmutter Prize for the most outstanding publication by a junior faculty member.
This interview originally appeared on Global Policy: Next Generation-- a new annual issue from the journal Global Policy.
First, can you briefly describe your work and your interest in the field of cybersecurity?
I am currently finishing up my book manuscript on the dynamics of cyber proliferation. For at least a decade, policymakers and analysts have made explicit statements about the spread of what some call ‘cyberweapons’. Some senior officials argue that well over 30 nation-states are capable of launching cyber attacks; others are less conservative in their estimates. But, like much of the early nuclear thinking, no explicit basis for these estimates and forecasts is provided. Indeed, variations of the ‘domino effect’ logic -- when one goes cyber, all go cyber -- seem to implicitly dominate thinking.
There is a lack of attentiveness to the theoretical assumptions behind why governments are setting up these military units to conduct offensive cyber operations, and there is a need for more social science scholarship on this topic. The main argument of my book is that the world is not at the brink of ‘mass cyber proliferation’.
How much do existing theories of international security contribute to understandings of the dynamics of cyber proliferation? Are other proliferation theories still useful for understanding this new space?
They contribute a lot. Scott Sagan’s classic study identifies three ‘models’ (international security, domestic politics, and identity politics/symbolism), in the informal sense of the term, to explain states’ willingness to go for the nuclear option. I also use these ‘models’ to better understand the motivations of states to go cyber. But we have to be very careful here. The fundamental dynamics of cyber proliferation are different in a number of ways. For example, non-state actors play a much bigger role in enabling states to develop these capabilities. The Russian government, perhaps most prominently, is known to rely on cyber criminals and other patriotic hackers to conduct cyber operations. For a good overview, see this piece in Meduza.
You have also published on other topics, including your prize-winning article in the Journal of Strategic Studies. The article argues that the “transitory” nature of cyberweapons is an underappreciated dimension of cybersecurity. What do you mean by this?
Formally, the transitory nature of cyberweapons (a term which I actually do not use in my forthcoming publications) refers to ‘the temporary ability to access a computer system or network to cause harm or damage to living and material entities’.
Less formally, we can draw an analogy with food and cooking. Food is perishable. And we have a pretty good sense of ‘best-before dates’ of different types of food. The perishability of food likely affects our decision-making: when you have a delicious piece of salmon in the fridge which goes off tomorrow, you’re more likely to eat it today.
For cyber, when a new ‘exploit’ is developed for a certain vulnerability, we do not have a good sense of the practices which affect the exploit’s ‘best-before date’. Equally, there is little research which explains how these time dynamics affect the decision-making of offensive actors, and so my article in JSS sought to provide some insights.
In what ways might appreciating the transitory nature of cyber capabilities change policymakers’ approach to cyber policy?
Offensive cyber programs potentially require a different approach to budgeting, at least when compared with conventional weapon programs. For conventional weapon programs, (government) institutions can come up with a relatively good cost estimate as to what is required to maintain a certain capability; a typical budget proposal would say ‘in X years’ time, the following capability needs to be replaced/upgraded. Hence, we project to spend …’. Conventional weapons’ ageing is generally modeled as a gradual (log-linear) deterioration.
This approach, however, does not hold up for cyber. Instead, governments only have the ability to use a certain ‘exploit’ or weapon for a certain period of time, and its usability rapidly declines when it is discovered. What this means is that more flexible budgets (and hiring procedures) are recommended to cope with potentially prompt fluctuations in overall capability.
Which books have proved influential for your work?
I have been impressed by Ben Buchanan’s book The Cybersecurity Dilemma published last year. As the title suggests, the book argues that the security dilemma also holds great relevance in cybersecurity. More specifically, Buchanan’s argument is that states are incentivized to launch intrusions into others’ networks to enhance their own security, but in the process risk escalating tensions.
There are not many books in the field which combine IR theory with ‘cyber’, but this book is one of them and does it well. Also, it is pretty difficult to write a book on cyber conflict which stands the test of time, as the dynamics are changing so quickly and our understanding too. But I believe that Buchanan’s book - describing a fundamental dynamic of this ‘domain’ - will still be on course syllabi 10+ years from now.
What other disciplines should people in your subfield learn more about in order to better understand cybersecurity? Or what other disciplines do you find it valuable to draw on in your research?
Some have argued that cyber studies can be split up into different wings, in which political scientists, computer scientists, legal scholars, etc. would each contribute their own share to understanding different aspects of the cyber issue. I, however, am a big believer in interdisciplinary research and think trying to split up the field would quickly lead to a similar situation as the attempt of the blind men to discover the nature of the elephant: the one who touches its leg calls it a tree, another who touches its tail calls it a rope, and so on.
I am currently reading a lot of organizational management literature. Scholars who set out to explain the conduct of cyber operations normally focus on argument related to the ‘nature’ or ‘meaning’ of cyberspace. Yet, we cannot fully understand the use of cyber capabilities without studying the organisational structure in which its use of these capabilities is embedded. For example, in previous work I have argued that organizational integration between intelligence and military activities can both enable and constrain the conduct of cyber operations.
What piece of advice have you found most helpful as an early career researcher?
There is this great twitter account called “Lego Grad Student”. One of the tweets is a picture of 'Lego Grad Student' in a bathroom, and says: “Washing up for bed after accomplishing nothing that day, the grad student instinctively refuses to look at himself in the mirror.”
What I believe should be avoided during the PhD is a perfect correlation between ‘happiness’ and ‘PhD progress’: e.g. when research goes well I’m happy; when research goes badly I’m not happy (and don’t want look at myself in the mirror). That’s dangerous - although, of course, some correlation is inevitable and cannot be avoided.
It is likely there will be (sometimes long) stretches of time that you are not happy with your research. It is hard to break the negative cycle if there is ‘perfect’ correlation. I think a key strategy to managing this issue is setting goals that have nothing to do with your research, for instance joining a sports team or becoming a Trivial Pursuit expert. The key is finding other opportunities to generate a sense of accomplishment that can tide you over during challenging periods in your research.
What advice would you give to students just beginning their doctoral research?
We all talk about finding the supervisor who is the perfect research fit. Supervisors are important. But I would say peers are more important. Who is sitting next to in your office/open desk space changes your day, week, and PhD-life completely. Having people with whom you can share your writing and your successes or failures is also critical.
Emma Lecavalier is the Deputy Editor of Global Policy: Next Generation.
Abstract: There is a growing interest in the use of offensive cyber capabilities (OCC) among states. Despite the growing interest in these capabilities, little is still known about the nature of OCC as a tool of the state. This research therefore aims to understand if (and how) offensive cyber capabilities have the potential to change the role of military power. Drawing on a wide range of cases, we argue that these capabilities can alter the manner in which states use their military power strategically in at least four ways. OCC are not particularly effective in deterring adversary military action, except when threatened to be used by states with a credible reputation. However, they do have value in compellence. Unlike conventional capabilities, the effects of offensive cyber operations do not necessarily have to be exposed publicly, which means the compelled party can back down post-action without losing face thus deescalating conflict. The potential to control the reversibility of effect of an OCC by the attacker may also encourage compliance. OCC also contribute to the use of force for defensive purposes, as it could provide both a preemptive as well as preventive strike option. Finally, its symbolic value as a ‘prestige weapon’ to enhance ‘swaggering’ remains unclear, due to its largely non-material ontology and transitory nature.
Abstract: This article examines the transitory nature of cyberweapons. Shedding light on this highly understudied facet is important both for grasping how cyberspace affects international security and policymakers’ efforts to make accurate decisions regarding the deployment of cyberweapons. First, laying out the life cycle of a cyberweapon, I argue that these offensive capabilities are both different in ‘degree’ and in ‘kind’ compared with other regarding their temporary ability to cause harm or damage. Second, I develop six propositions which indicate that not only technical features, inherent to the different types of cyber capabilities – that is, the type of exploited vulnerability, access and payload – but also offender and defender characteristics explain differences in transitoriness between cyberweapons. Finally, drawing out the implications, I reveal that the transitory nature of cyberweapons benefits great powers, changes the incentive structure for offensive cyber cooperation and induces a different funding structure for (military) cyber programs compared with conventional weapon programs. I also note that the time-dependent dynamic underlying cyberweapons potentially explains the limited deployment of cyberweapons compared to espionage capabilities.
Abstract: Could offensive cyber operations provide strategic value? If so, how and under what conditions? While a growing number of states are said to be interested in developing offensive cyber capabilities, there is a sense that state leaders and policy makers still do not have a strong conception of its strategic advantages and limitations. This article finds that offensive cyber operations could provide significant strategic value to state-actors. The availability of offensive cyber capabilities expands the options available to state leaders across a wide range of situations. Distinguishing between counterforce cyber capabilities and countervalue cyber capabilities, the article shows that offensive cyber capabilities can both be an important force-multiplier for conventional capabilities as well as an independent asset. They can be used effectively with few casualties and achieve a form of psychological ascendancy. Yet, the promise of offensive cyber capabilities’ strategic value comes with a set of conditions. These conditions are by no means always easy to fulfill—and at times lead to difficult strategic trade-offs.
Abstract: The Perfect Weapon is the startling inside story of how the rise of cyberweapons in all their forms—from attacks on electric grids to attacks on electoral systems—has transformed geopolitics like nothing since the invention of the airplane and the atomic bomb. Cheap to acquire, easy to deny, usable for everything from crippling infrastructure to sowing discord and doubt, cyber is now the weapon of choice for American presidents, North Korean dictators, Iranian mullahs, and Kremlin officials. The United States struck early with the most sophisticated cyber attack in history, Operation Olympic Games, which used malicious code to blow up Iran’s nuclear centrifuges, and it has gone on to use cyberweapons against North Korean missiles and the Islamic State. Soon, the cyber floodgates opened. But as the global cyber conflict took off, America turned out to be remarkably unprepared. Its own weapons were stolen from the American arsenal by a group called Shadow Brokers and were quickly turned against the United States and its allies. Even while the United States built up a powerful new Cyber Command, it had no doctrine for how to use it. Deterrence failed. When under attack—by Russia, China, or even Iran and North Korea —the government was often paralyzed, unable to use cyberweapons because America’s voting system, its electrical system, and even routers in citizens’ homes had been infiltrated by foreign hackers. American citizens became the collateral damage in a war they barely understood, one that was being fought in foreign computer networks and along undersea cables.
Speaker Bio: David Sanger is national security correspondent for the New York Times and bestselling author of The Inheritance and Confront and Conceal. He has been a member of three teams that won the Pulitzer Prize, including in 2017 for international reporting. A regular contributor to CNN, he also teaches national security policy at Harvard’s Kennedy School of Government.
Alex Stamos is a cybersecurity expert, business leader and entrepreneur working to improve the security and safety of the Internet. Stamos was the founding director of the Stanford Internet Observatory at the Cyber Policy Center, a part of the Freeman Spogli Institute for International Studies. He is currently a lecturer, teaching in both the Masters in International Policy Program and in Computer Science.
Prior to joining Stanford, Alex served as the Chief Security Officer of Facebook. In this role, Stamos led a team of engineers, researchers, investigators and analysts charged with understanding and mitigating information security risks to the company and safety risks to the 2.5 billion people on Facebook, Instagram and WhatsApp. During his time at Facebook, he led the company’s investigation into manipulation of the 2016 US election and helped pioneer several successful protections against these new classes of abuse. As a senior executive, Alex represented Facebook and Silicon Valley to regulators, lawmakers and civil society on six continents, and has served as a bridge between the interests of the Internet policy community and the complicated reality of platforms operating at billion-user scale. In April 2017, he co-authored “Information Operations and Facebook”, a highly cited examination of the influence campaign against the US election, which still stands as the most thorough description of the issue by a major technology company.
Before joining Facebook, Alex was the Chief Information Security Officer at Yahoo, rebuilding a storied security team while dealing with multiple assaults by nation-state actors. While at Yahoo, he led the company’s response to the Snowden disclosures by implementing massive cryptographic improvements in his first months. He also represented the company in an open hearing of the US Senate’s Permanent Subcommittee on Investigations.
In 2004, Alex co-founded iSEC Partners, an elite security consultancy known for groundbreaking work in secure software development, embedded and mobile security. As a trusted partner to world’s largest technology firms, Alex coordinated the response to the “Aurora” attacks by the People’s Liberation Army at multiple Silicon Valley firms and led groundbreaking work securing the world’s largest desktop and mobile platforms. During this time, he also served as an expert witness in several notable civil and criminal cases, such as the Google Street View incident and pro bono work for the defendants in Sony vs George Hotz and US vs Aaron Swartz. After the 2010 acquisition of iSEC Partners by NCC Group, Alex formed an experimental R&D division at the combined company, producing five patents.
A noted speaker and writer, he has appeared at the Munich Security Conference, NATO CyCon, Web Summit, DEF CON, CanSecWest and numerous other events. His 2017 keynote at Black Hat was noted for its call for a security industry more representative of the diverse people it serves and the actual risks they face. Throughout his career, Alex has worked toward making security a more representative field and has highlighted the work of diverse technologists as an organizer of the Trustworthy Technology Conference and OURSA.
Alex has been involved with securing the US election system as a contributor to Harvard’s Defending Digital Democracy Project and involved in the academic community as an advisor to Stanford’s Cybersecurity Policy Program and UC Berkeley’s Center for Long-Term Cybersecurity. He is a member of the Aspen Institute’s Cyber Security Task Force, the Bay Area CSO Council and the Council on Foreign Relations. Alex also serves on the advisory board to NATO’s Collective Cybersecurity Center of Excellence in Tallinn, Estonia.