“Cyberspace is fluid, it is pervasive, it affects anybody who wants to participate, and it is very difficult to control,” says Nazli Choucri, MIT professor of political science and a leading researcher on international conflict. “In fact, we’re not really sure who is in control.”
In the Explorations in Cyber International Relations (ECIR) program, funded by the Office of Naval Research, Choucri and colleagues across multiple disciplines at MIT and Harvard study how governments and private groups try to exploit online possibilities and minimize online risks, how international relations are evolving under cyber pressures, and how world politics are influencing the entire cyber domain.
At the international level, Choucri says, there are two major debates about governance of cyberspace. One is a major conflict over the roles that the private sector and international organizations such as the International Telecommunications Union should play in managing the Internet. The other is about cyber security and cyber espionage and different ways of controlling damages.
Talks on these two issues of governance and security are running on parallel tracks in various contexts, but given the pervasive overlap, “it’s really important that the talks converge,” she says.
The need is particularly urgent because of the astonishing pace of developments online. “Change is happening much too fast for the state to control the impact on its own population,” she says. Even in the United States, which was fairly quick to create a cyber czar and various other organizational structures, the designated authorities and their policies are not well connected to one another, she emphasizes. Any connections that do exist are loose.
Private industry has struggled to respond quickly to cyber challenges, especially cybersecurity threats. The extent of this struggle was explored in an ECIR project examining how firms respond to cybersecurity breaches, led by Michael Siegel, a principal research scientist at the MIT Sloan School of Management.
“The difficult part of the research has been to convince companies that this situation will be a generic one forevermore, so they should think more broadly about deciding how much security do they need, how much they will pay for it, and in what conditions, and develop an entire policy,” Choucri says. Companies need to share information to solve the problem, but they have balked at doing so because of concern about their liabilities, she says.
Taking a broader perspective on cybersecurity, Choucri has worked with Professor Stuart Madnick at the MIT Sloan School of Management and graduate student Jeremy Ferwerda to examine the structure of both public and private responses to online threats — with special attention to the computer emergency response teams that have been established in many countries.
“The current institutional landscape resembles a security patchwork that covers critical areas rather than an umbrella that spans the known modes and sources of cyber threat,” the three researchers summed up in a 2013 paper in Information Technology for Development. “We expect that responses will be driven more by institutional imperatives and reactions to crises than by coordinated assessment and proactive response.”
As one crucial step toward more proactive response, the researchers called for pairing statistics on cyber threats and responses collected by international and national organizations with data from the private sector.
They also highlighted three major challenges in defending against cyber crime. First, “many individuals are not accustomed to reporting cyber crime to law enforcement organizations because issues may be deemed ‘minor’ or purely technical in nature, or because events on the Internet are deemed outside the jurisdiction of a local police agency,” they wrote. “Second, even when crimes are reported, investigation and prosecution remains difficult. Evidence is often ephemeral and transitory, and the global nature of cyber crime presents serious difficulties in pinpointing the location and identity of criminals. Lastly, it often proves difficult to assess the true monetary damage of cyber crime.”
In other ECIR work, Choucri has collaborated with David Clark, Internet architect and senior research scientist at the MIT Computer Science and Artificial Intelligence Laboratory, to build a conceptual framework that aligns architectural layers of the Internet and the players that control it with the structure of international relations and the players that shape world politics. “That gives us an internally consistent way of mapping which actors and which activities and which rules operate at each Internet layer and each level of international relations,” she says.
When Clark began analyzing control points and players for given Internet activities, “all of a sudden the cyber ecology and the cyber topography surfaced,” Choucri says. “It’s far more complex than I could have imagined, and it’s at variance with what I know about politics and power, because the Internet has a lot of autonomy low down in the hierarchy.”
Another ECIR effort, led by the MIT Sloan School of Management’s Madnick, is developing a set of tools that can be deployed across scientific journals to automatically create taxonomies of structures, processes, actors, actions, and potential outcomes in cyber international relations. Applications of this work build on experience in knowledge networking drawn from the Global System for Sustainable Development, an earlier effort led by Choucri. This system is being extended to include the cyber arena in a companion initiative called the Cyber System for Strategy and Decision.
Madnick and his colleagues found that although “cyber space” and “cyberspace” were thought to be “essentially the same word with just a minor variation in punctuation,” their usage varies significantly within the taxonomies they generated. “Since the overall field of cybersecurity is so new, understanding the field and how people think about it (as evidenced by their actual usage of terminology, and how usage changes over time) is an important goal,” they pointed out in a 2012 paper.
Reassessing state roles and controls
Examining politics on a global scale, Choucri’s "Cyberpolitics in International Relations" (MIT Press, 2012) maps the interplay of cyber realities with international relations policy and practice.
“Underneath all of the issues is an emergent major contention in international politics,” she says. “Will we be able to maintain the Internet, and cyberspace as a whole, as a relatively open arena of interaction, or will they become more compartmentalized and more contained, as it is in China? And what does all of this mean for individual expression and individual freedom?”
“In the traditional world of international relations, the major players are countries and other big private or public entities, and the individual has very little leverage on anything,” Choucri says. “But cyberspace is an arena that has empowered individuals and aggregations of individuals, not only in industrial countries but everywhere, in ways that have never happened before. The population of the globe is really going to become much more assertive. That’s not exactly a message that governments everywhere enjoy.”