Full Text

Introduction

Cybersecurity—the practice and the debate—is more than a quarter century old. Early on, military concepts dominated, with the US Air Force and the RAND Corporation among the earliest adopters.¹ The context for this pioneering work was command-and-control warfare. By the mid-1990s the declared goal was winning in network centric warfare, taking advantage of a new "revolution in military affairs," and achieving "information dominance." The utopian goal of turn-of-the-century military visionaries was striking: to win a war before it even started. Meanwhile, for twenty-five years, the corresponding dystopian vision of an "electronic Pearl Harbor" formed a counterpoint in the early cyberwar debate. The vision of winning swiftly by high-tech cyberattack dialectically nourished the fear of perishing in one.² Perhaps no idea was more critical at the extreme ends of the spectrum of computer network attack—and defeat—than the commonly accepted view that the internet, like airpower, affords advantage to the offense over the defense.³ Whoever acts first, wins.

Then came the year 2016. Cybersecurity turned into the central issue of the US general election, gaining further in profile during the transition period and early 2017. Information operations helped mar the presidential ambitions of the losing Democratic candidate and undermined the legitimacy of the winning Republican president. Both of these assessments are highly-charged and animate a debate that is more political than technical—this deeply politicized state of the art illustrates that cybersecurity has been elevated to a public profile and significance never seen before in its quarter-century history. Yet, despite it all, almost no serious commentators were ready to see the much-feared electronic Pearl Harbor in Russia's election interference, let alone a "cyberwar"; these military monikers were flawed. 2016 showed that the quarter-century-old debate was littered with broken ideas.

Cybersecurity was not and still is not ready for prime time. The field disappoints in practice, policy, and scholarship. Cybersecurity is under-delivering on the defense, because, even decades later, soft targets are still soft, and fruits are still hanging low aplenty. Cybersecurity is under-delivering in the public debate because facts are too often poorly shared, major incidents not revealed, with too many public commentators still struggling to distinguish firm forensics from flimsy. Finally, cybersecurity is under-delivering in theory, because 25 years after the first seminal...