In early October, at the launch of Stanford’s Global Digital Policy Incubator, Secretary Hillary Clinton said, “We need to get serious on cybersecurity.”
It’s hard to argue with the sentiment, but what does it actually mean? Is she suggesting that companies should invest in data breach insurance? That governments should build new weapons? That police should have better decryption tools? That tech companies should write safer code, especially for critical infrastructure? That international differences in internet governance must be resolved? That individual citizens should review their online behavior? Or all of the above?
The problem is in the word cyber. At first, the word’s flexibility was a good thing—it helped raise awareness and offered an accessible gateway to discussing all kinds of security. But it has now become an obstacle to articulating credible solutions.
The term cyber has been around for decades, stretching back to MIT mathematician Norbert Wiener’s coinage of cybernetics in the 1940s. Wiener borrowed the ancient Greek adjective ‘kubernētikós’, meaning governing, piloting, or skilled in steering, to describe then futuristic idea that one day we would have a self-regulating computing system, solely running on information feedback. In the 1980s, novelist William Gibson married the prefix to space, creating the term so ubiquitous today. Since then, cyber has been used by anarchists and policymakers, scholars and laymen, artists and spies. It has been attached to concepts ranging from warfare to shopping, and it can denote opportunity as well as threat.
Yet, cyber is, in a way, empty: It acts like a sponge for meaning, soaking up whatever content is nearby. Gibson described this nicely in an interview with the Paris Review: “The first thing I did was to sit down with a yellow pad and a Sharpie and start scribbling—infospace, dataspace. I think I got cyberspace on the third try, and I thought, oh, that’s a really weird word. I liked the way it felt in the mouth—I thought it sounded like it meant something while still being essentially hollow.”
The hollow aesthetic captured by Gibson—the peculiar position of being both intuitively meaningful and a self-consciously strange word—is part of the appeal of cyber. The prefix is popular, and growing in use, not despite its hollowness, which is bemoaned by many, but because of it.
Thomas Rid, in his book Rise of the Machines, shows how various narratives have accompanied the prefix cyber since World War II, all of which cross boundaries between technology and society, between science and culture, and between the impetus created by war and security and more benign visions.
As Rid explains in the preface, the cyber idea is “self-adapting, ever expanding its scope and reach, unpredictable, yet threatening, yet seductive, full of promise and hope, and always escaping into the future.” In short, it is a sponge—but one that fails to clean up the conceptual problems of its terrain.
We can see this clearly in recent events. With new information seeping in on an almost daily basis about the Russian meddling in the 2016 elections, the cyber sponge has been absorbing everything related to disinformation campaigns, information warfare, social media bots, and election hacking.
Clinton’s talk demonstrates all of this. “In the 21st century, war will increasingly be fought in cyberspace. As Americans we need to approach this new threat with focus and resolve. Our security, physical or otherwise can’t be taken for granted,” she said. She went on to discuss the various new “weapons of choice” coming from “the highest bowels of the Kremlin”: email releases, probing voting systems, the industrialization of fake news, targeted use of Facebook ads, and more.
She isn’t wrong about these things, but speaking about them in this manner mashes them together with previous uses of the term in relation to militarized cyber operations, critical infrastructure attacks, DDoS attacks against Estonia and Georgia, and Stuxnet. In this case, the cyber label doesn’t improve our understanding of this influence. Instead, the generic term flattens the terrain by conflating the potential hacking of critical infrastructure systems and the buying of advertisements by foreign nations. This incorrectly implies similarities in response, suggesting that we can handle all of these things in a similar manner. But ensuring that the industrial control systems of a power plant will not be accessed by a malicious actor requires a very different set of actions than curbing the spread of fake news. Labeling both actions as cyber encourages the inappropriate transplant of policies and technologies across these issues.
Finally, cyber also masks significant political and organizational hurdles. Clinton speaks about “the need for public and private cooperation,” but this cooperation takes very different forms for critical infrastructure and social media, not to mention questions of state and commercial offensive actions—yet all fall ostensibly under the rubric of cybersecurity.
We’ve wrung all the utility we can out of the cybersecurity sponge. To address the “serious and urgent challenges” of our time, we need to acknowledge that they are indeed challenges plural—not one single, monolithic domain.
