The term “cyber” with its various derivatives is gradually becoming part of political parlance. Usually it is in relation to some malicious attempt to deny or sabotage an online service, leak sensitive information from a remote database, and the like. Attackers of that sort are often referred to as “hackers”, while their acts qualify as “cyber attacks”. The discussion surrounding the topic is heavily influenced by military notions of offence and defence, and by an emphasis on the kind of issues peculiar to the maintenance of public order.
While there is truth to be had in those security-focused themes, cyber cannot be conceived as merely another domain for the conduct of what effectively amounts to war. A simple way of putting it is that cyber is the extension of collective human experience in digital space, complemented by the interaction between machines and programmed/preconfigured logical processes. Apart from security, cyber encompasses such issues as ethics, the distribution of power and control among situational agents and patients, the presence of social-economic hierarchies, and so on.
What is cyber
Cyberspace: The notional environment in which communication over computer networks occurs.
— Oxford Dictionary
These concepts are relatively novel. Their implications have not been envisaged in their fullest. Policy-makers may lack the expert advice necessary for legislating on the matter, or they still do not appreciate its significance as a core item on the agenda. The law is lagging behind technology, at least as far as the pace of change is concerned. New inventions and innovative ways of organising labour and distributing the product thereof often expose a certain disconnect between the physical and the digital realms. The former remains wedded in political custom and in traditional views about statehood, belonging, subjectivity, ownership, and the like. The latter can be found exploring the outer boundaries of such issues as individuality, property, agency, often challenging their conventional value and overall usefulness as paradigms for the new era.
We live in an age of transition. Cyber is pushing itself to the centre of human society. Technological progress is such that there is a strong sense of inevitability to it all. The Internet is ubiquitous and rapidly evolving into a domain populated not just by humans accessing it through personal computers, but by ‘connected devices’ (appliances such as the fridge and the thermostat) that are programmed to retrieve remote data in order to execute certain tasks. Many utilities and everyday activities become digitised or have a software component attached to them. The software is, generally speaking, designed to harness the potential provided by a network of communications. It accesses the network to interoperate with other pieces of software, its output becoming the input of the other, with the ultimate objective of automating repetitive activities, and of simulating human intelligence in the anticipation of likely outcomes to evolving states of affairs.
The networks that emerge from the interplay between humans, machines and their programs, form a space unlike anything we have experienced before. This is not a tract of land that we can draw lines on, some territory where we can maintain a standing army ready to fend off incursions. Cyber is, first and foremost, a system of variables, with their interactions unfolding at various levels of abstraction. It is largely notional in that regard. Though ‘notional’ should not be thought of as akin to ‘ethereal’, ‘magical’, or anything of the sort. The system is comprehensible throughout, even though it is highly complex and consists of numerous components that demand certain expertise to be properly comprehended. Yet there are those qualities of cyber that relate to social experience which require the same kind of political thinking that applies to more familiar instances of quotidian public life.
Cyber for the people
It is conceivable to think and speak about cyber without being a ‘nerd’, ‘hacker’, ‘technologist’. The lay person can perfectly understand topics pertinent to cyber such as the diffusion or concentration of economic power, the effective control of corporations—also known as “Internet giants”—over large segments of online activity, mass surveillance by the government, and things of that nature.
The first step to approaching cyber is to demystify it. Yes, technical insight into anything that has to do with computers and software requires a certain set of advanced skills that take years to acquire and master. Indeed the number of people who can provide expertise on the finer points are but a small minority. However, the same kind of argument can be forwarded for virtually every area of policy. Agriculture has its experts. Law. Economics. The military. Whatever their peculiarities, these are not excluded from the political process. Citizens and their representatives maintain their views on those issues; views that often translate into legislative action and/or policy initiatives from the government. Cyber can be no different.
The second step to approach the subject is to consider cyber’s emergence and presence in light of everyday experience, of its impact on ordinary life. For instance, every labourer knows what widespread automation can do to their work prospects. By using that which is immediate, we can fathom the ramifications of digitisation in the workplace, family life, the political process and governance, social stratification, the distribution of power within and across states. It is, in other words, to identify the social-cultural-historical change brought by cyber and to recognise—or attempt to anticipate—the structures derived therefrom.
The political talk on cyber is not about the technicalities that the developer or the engineer has to deal with. It concerns the effects of this new domain of human invention on social organisation. Cyber is, as we posited in the introduction to this chapter, the digital extension of collective human experience and, therefore, yet another dimension of the exercise of political authority. As such, it needs to be understood, regulated and managed just as every other aspect of human venture, rather than be left open to the major [corporate] interests now active in the field.
Cyber extends to physical space
To this end, we need to broaden the definition furnished above. Though technically correct, it is too narrow for our politically-focused analysis. Cyberspace is not merely notional or, rather, it is not realisable in purely notional terms. In essence, cyber and its space consists of two magnitudes: (i) hardware, (ii) software. There are data centres, power supply chains, local and remote computers, and whatever other ‘connected’ device may form part of the network (or network of networks).
Hardware-wise, cyber is a decentralised system that is ultimately present in physical space. Hardware is the platform where software can function. It also is the object on which software may iterate, potentially to affect its modality, its state of being.
To elaborate on the latter, let us consider the following example. Your computer runs an Operating System (Linux, Windows, Mac, Android, iOS, etc.). It is the software infrastructure on which applications such as your web browser, text editor, music player, etc., get to run on. Very simply put, your computer is an abstract structure consisting of three layers: the hardware, the OS at the software’s base, the apps at the top. An integral part of the OS is a program known as the “kernel”. It manages memory usage, input and output devices, and the like. Your mouse and keyboard, the monitor, the stereo speakers. These all work thanks to the kernel. And obviously because programs are programmable, the kernel can also be instructed to do certain things, such as not to allocate sufficient memory for a certain task, or not to send the necessary signal to the monitor. You get the idea. Software gets to affect the state of the hardware, while hardware defines the potential of the software, presenting us with an organic whole.
If we extend this to computer networks and software stacks (layers of abstraction each with an ever more specialised function), we get a multidimensional system whose inner workings happen in conceptual space, yet whose ultimate impact is made manifest physically.
A working definition of cyberspace can, therefore, be formulated thus: a multifaceted architecture for creating, storing, communicating, and managing data and for influencing the state of any physical entity or resource ultimately linked to it.
Here is a scenario to emphasise the physical aspect of cyber. Imagine an electricity authority that wants to optimise the way it handles power production. Its engineers have developed a program that uses several indicators to determine the scale of operations. When consumers turn on their air conditioners at peak hours the program responds by producing the additional electricity. It automatically scales back when usage falls to a lower point. There is no need to have humans manually control switches. The program does that 24/7 with no delays whatsoever. The efficiency gains for the electricity authority and ultimately the cost savings for the consumer are considerable. Now imagine some attacker wanting to disrupt the power supply. Assuming they bypass the security checks, they could write/inject the necessary code (set of formalised logical commands) that would confuse the program or make it do something that was not originally intended, such as over- or under- supply electricity, to the point of causing physical harm to the electricity network.1
Data channels are notional. Their underlying infrastructure is physical. Extend this to traffic lights, the water supply, telecommunications, whatever connected device you [will] have at home such as your thermostat, fridge, toaster, and you can fathom the extent to which software impacts ‘reality’.
Cyber solidity through the rule of law
Cyber is another domain for the exercise of supreme authority, sovereignty. Unlike the magnitudes of land, sea, and air, the space resulting from the networks of humans, machines and their programs is largely notional. Traditional concepts of drawing borders are of no use, at least not in the context of an open Internet. So how may a polity proceed to delineate its “territory”, the province of its jurisdiction, in such an environment? The answer is to be found in cyber’s ultimate connection to physical reality. Data centres are located somewhere. They are governed by a certain legal order, as do the natural/legal persons that eventually get to use them.
In a previous chapter we posited the rule of law as a factor of sovereignty. The effective exercise of control rests on the integrity of the legal order. Its universality, reasonableness, and predictability. A stable legal framework strengthens the people’s trust in their polity. It fosters a strong connection between the government and the citizens that ultimately stand to gain from an intrinsically reliable system. Citizens must trust the law in order for the public institutions to exercise effective sovereignty. By extension, they need to have confidence in the capacity of law makers to provide for a secure and impartial field when it comes to a domain such as cyber that greatly influences their livelihood.
The entire architecture that provides for the emergence of social experiences in digital space needs to be brought in line with the highest possible legal standard. Citizens and businesses alike can expect nothing less than a robust system on which to base a great[er] portion of their individual and social activity. The state regulates other key areas of daily life, such as the financial system which is central to virtually every business transaction. Telecommunications, education, social welfare also fall in that category. The authorities cannot afford to abstain from setting the criteria for the security and protection of data, data centres, networks, and so on. These are critical infrastructure.
A robust legal framework in the realm of cyber must consist of two tiers: (i) global principles, (ii) domestic legislation. As concerns the former, international agreements need to be formulated to the effect of providing guidelines for local authorities to put into law. This would be similar to the approach followed on bank supervision and prudential policy. The ambition is to lay the groundwork for the mutual enhancement of soveregnties through improvements in the overall intergrity of a truly global system. Domestic legislation will then provide for the specifics of self-determination. To ensure that the rules satisfy the needs of the polity and are aligned with its constitutional tradition.
The right legal framework can create the economic conditions/incentives that will make it profitable to consider security an integral part of everything related to cyber, from the hardware to the software. The solidity of cyber will not happen serendipitously. It requires concerted efforts. To disincentivise bad coding, manufacturing, marketing practices that render the system fragile. To set the criteria and the direction. For cyber is an extension of the polity’s province of legality. It has to exhibit predictability and reasonableness in the same way the rest of the legal order does.
FOSS can secure public authorities
It is typical for public authorities to run some old version of a commercial Operating System (OS), typically Microsoft Windows. The way software is rendered secure is through ‘patches’. New code that addresses a specific vulnerability. Support for old software is not readily available. It requires specialised teams or a bespoke setup for handling its vulnerabilities. That is inefficient, expensive, and usually implies that the authorities are dependent on an external service provider, including the creator of the OS.
Free and open source software (FOSS) can provide a secure and in many ways superior alternative. We will use Linux as a case in point.2 This is a type of OS that is developed in an open, decentralised, and peer-reviewed fashion. There are many distributions or distros of Linux. Each caters to the specific needs of its target audience. For example, Debian is the benchmark for many use cases. Arch Linux is for the super-tech-savvy. Linux Mint is the standard of stability and ease of use. Tails is for those who require the highest degree of privacy.
It may seem counter-intuitive to suggest that an open code base is more secure than a closed one. The weaknesses of the former can be seen by everyone. Those of the latter can only be known by those with access to it. Or so it is thought. In fact these can be traced just as well. What this line of reasoning misses is the following:
- Collaboration. The paradigm of FOSS is that of an altogether different way of doing business. It is based on collaboration and the dissemination of knowledge. Sharing makes everyone better off. Whereas the proprietary model is predicated on the artificial scarcity created by copyright law. It gains from secrecy, obscurity, and the obfuscation of certain truths.
- Perverse incentives. Because the proprietary model draws its competitiveness from a spirit of secrecy, a corporation might have the perverse incentive not to disclose/acknowledge any vulnerability to its product. In contradistinction, FOSS will get to be updated almost immediately. As soon as the weakness is identified.
Openness is not a security liability. It is an asset. There are more people looking at the code and auditing it. Their interests, at least for the majority of them, are those of the community. To have a stable and reliable system.
From the perspective of the polity that is a potential bonus. A public entity can be instituted to the effect that it works full time on the government’s various FOSS projects. Let us call it the ‘Digital Transition Unit’ headed by the ‘Information Ministry’. The Unit can work on existing code to optimise it for the specific needs of the state. Its efforts will be complementary to those of the open source community. It will even give back to the community whenever it adds a new feature or tackles some security vulnerability.
Public funds will thus be directed to distributed projects that (i) have no ‘backdoors’, (ii) are not controlled by a single corporation, (iii) may be audited by security researchers across the globe, (iv) come with a license that does not bind the state to the agenda of some private actor. Public money for the promotion of the public interest.
Imagine the world’s most affluent states making such a commitment. The efficiency gains for everyone involved would be tremendous. Obviously FOSS is not appropriate for everything the state does. The military and security agencies will require some bespoke system. However, many of the state’s needs are well covered by software of this sort. Anything that has a positive effect on the state’s security and on the solidity of its connection to cyberspace has to be prioritised as a matter of reinforcing a factor of effective sovereignty.
Cyber is central
The fact that an entire chapter of a series about sovereignty is dedicated to what cyber is and why it may be relevant in a political context, goes to show that the topic has still not fully entered the public mind. To the lay person all this may come across as “tech stuff for geeks”. Even so, cyber’s technical nature does not necessarily render its actual organisation morally neutral or values-free. Nor does it mean that it has no implications whatsoever on the commons.
Cyber is relevant to politics by virtue of the fact that software with the capacity to connect to a remote network has become the irreducible factor of an ever growing number of activities and social experiences. Whatever gets to somehow condition or otherwise influence relations between people must be subject to public debate and scrutiny. The general points aside, there are some more specific reasons as to why the topic is relevant:
- Economics. Depending on the licensing framework and the incentives’ structure derived therefrom, certain markets emerge (markets do not exist in an institutional vacuum or in a rules-free, decontextualised domain). The gains are distributed accordingly, which means that hierarchies and social structures may be established that provide advantages to certain groups over others. Issues such as fairness and equality of opportunity naturally arise.
- Security. This can be considered in the form of homeland security but also of the privacy of households/individuals. The integrity of cyber is of utmost importance to ensure that every activity contingent on it is carried out as intended (e.g. the power supply mentioned above, or your ‘smart’ thermostat not leaking your home’s sensitive data). Without appropriate measures such as a robust legal framework for fostering bottom-up practices for protecting the space, the damages can be far-reaching, the effects particularly deleterious.
- Governance. Given the nature of cyber as a form of shared infrastructure, it can potentially impact two types of businesses and social relations: (i) those whose starting point is cyber and (ii) the ones that have an indirect connection to the ‘tech industry’ by virtue of using some digital tool or service. As such, the specifics of cyber have to be regulated in light of the general interest, with the space as such being considered a public good.
The fact that a degree of technical knowledge is required to grasp the finer points of cyber should not be a reason to keep the discussion confined to an inner circle of specialists. Every area of expertise has aspects that are not immediately accessible to the uninitiated. That does not render them immune to criticism or conceal them from the public purview. Besides, that is where journalists, bloggers, and independent analysts/commentators come in to communicate the information demanded by the general population in a form that is accessible. The danger of considering something to be too technical and thus obscure is that the dominant forces operating within the system may find ways to exploit the public’s indifference, much to the detriment of the public interest.
A polity that seeks to exercise control over the means of governance, the factors of its effective sovereignty, must recognise in cyber a domain that needs to be aligned with its general political direction.