States, net states and network security
Nobody said it was easy.
No one ever said it would be this hard. (Coldplay, ‘The Scientist’)
Volume 8 number 1 of the Journal of Cyber Policy brings together a group of unsolicited manuscripts which we have arranged around the theme of states, net states and network security. Three articles discuss different aspects of cybersecurity from the perspective of states. Harriet Moynihan provides an analysis of the concept of due diligence in cyberspace. The evolution of the national cybersecurity strategies of Canada, the United Kingdom and Australia is assessed by W. Alec Cram and Jonathan Yuan. With a deep dive into US President Obama’s pivot in relation to China, Sally Burt argues that cyber strategy needs to be understood in the context of Grand Strategy.
The exercise of state-like power by non-state actors is examined by Callum Harvey and Christopher Moore, through a case study of Meta Platforms Inc.
Improving the cybersecurity of critical infrastructure is often a key focus for national cybersecurity strategies. The final two papers in this collection consider some of the challenges. Éireann Leverett and Andrew Cormack provide an interdisciplinary examination of vulnerability patching, to understand what kinds of regulation are most effective in driving the changes needed. Rather than the usual focus on hostile actors, Sarah Backman considers the impact of cyber accidents on the cybersecurity of critical infrastructure. The volume concludes with two book reviews.
One of our authors, Andrew Cormack, sadly passed away in April 2023, and didn’t live to see his paper in this volume published. Andrew was a pioneer in university networking in the United Kingdom, who generously shared his knowledge with others and championed an interdisciplinary approach on cyber policy issues. This editorial introduction concludes with a short tribute to Andrew Cormack, written by his co-author, Éireann Leverett.
Volume 8.1 contains the following articles:
Unpacking due diligence in cyberspace
Harriet Moynihan
As damaging cyberattacks proliferate, states are recognising the need to deter malicious actors from conducting these activities from their territories. The standard of conduct that is expected of states to meet this responsibility is known as ‘due diligence’. But what due diligence means and covers in practice remains unclear. It is even unclear whether due diligence is a legal requirement. In this paper, Harriet Moynihan unpacks the concept of due diligence in cyberspace, with recommendations for states and international bodies.
Out with the old, in with the new: examining national cybersecurity strategy changes over time
W. Alec Cram and Jonathan Yuan
National cybersecurity strategies are an invaluable tool for identifying the cyber challenges and priorities affecting states, a mechanism for channelling resources and for building the required capacities to cope with the challenges. The evolving nature of cyberspace necessitates a level of adaptivity that is not only difficult for states to achieve but also difficult to enact. In this article, W. Alec Cram and Jonathan Yuan consider how Canada, the United Kingdom and Australia have adapted and updated their national cybersecurity strategies to respond to new cyber landscapes, and what these examples tell us about the stability that derives from such strategies.
President Obama and China: cyber diplomacy and strategy for a new era
Sally Burt
The US approach to cyber diplomacy with China underwent a notable shift between the first and second terms of the Obama presidency. To explore Sino-US relations during Obama’s presidency, Sally Burt argues that it is necessary to integrate an analysis of US cyber strategy with that of a broader Grand Strategy. In this article, Burt makes a case against looking at cyber diplomacy issues in isolation. Using the case of Obama’s approach to dealing with China in cyberspace, she argues for a holistic analytical approach which includes developments in the domain of traditional diplomacy.
Cyber statecraft by net states: the case of Meta, 2016–2021
Callum Harvey and Christopher Moore
Social media platforms – and the companies that operate them – have achieved a level of power and influence that has traditionally been wielded exclusively by nation-states. These ‘net states’ are, of course, not traditional states, but an assessment of what the impact of their power will be on international relations and cyberspace is imperative. Using Meta Platforms as a case study, Callum Harvey and Christopher Moore explore how actor-network theory can help advance our understanding of why and how cyber statecraft is attempted by actors other than states, and the way state-like actors in cyberspace operate and evolve.
Patchy incentives: using law to encourage effective vulnerability response
Éireann Leverett and Andrew Cormack
Software vulnerabilities often have readily available patches, but managing these patches can be difficult: new software vulnerabilities are discovered daily, and the patches to these vulnerabilities need to be communicated to those at risk. There is a need for organisations to prioritise, and decide how to use their scarce patching resources. Éireann Leverett and the late Andrew Cormack consider which of the diverse approaches – data protection laws, regulations on liability, product quality and patching mandates – have been the most effective at improving the uptake of patches. They also consider how best to allocate remediation efforts to minimise risk and disruption.
This article is published posthumously for Andrew Cormack, a pioneer in the field of cybersecurity in education and research, who died in April 2023.
Normal cyber accidents
Sarah Backman
Cyberattacks on critical national infrastructure are debilitating, damaging and disruptive. Compromised critical infrastructure can have a variety of impacts, including, but not limited to, the delivery of public services and the integrity and safety of data. But not all of these incidents are deliberate: research suggests that some may be collateral damage, resulting from ‘normal accident dynamics’. Using an analytical framework based on Normal Accidents Theory, Sarah Backman unpacks the sociotechnical system vulnerabilities in critical infrastructure, focusing on what makes critical infrastructure vulnerable to accidents and how these accidents lead to serious consequences.
Book reviews
Atlas of AI: Power, Politics and the Planetary Costs of Artificial Intelligence
Sachin Tiwari
Original Sin: Power, Technology and War in Outer Space
Julia Cournoyer
In memoriam, Andrew Cormack
Over a decade, I had conversations with Andrew Cormack in which he taught me something new or nurtured an ability to look at a topic in an inter- and multi-disciplinary way. This is as evident in his writing as it was in his conversation. Throughout his career he studied Mathematics, IT, Science, Law, Security and Privacy. I found he often had a keen grasp of economic incentives and of how they sometimes get in the way of the greater good. He loved Edinburgh, Cambridge and Cardiff, and he left his mark in each of these cities. He was kind and gentle, but could be witty and firm in his beliefs or in defence of a principle. He is beloved of a whole generation of professional incident responders, many of whom he trained, and some of whom still go for long walks in nature together to remember him. We started the journey of this paper together, and while I find myself finishing it alone, I do not feel alone at all. He changed the way I think forever, and I hope his scholarship has that effect on you too. (Éireann Leverett)