Arms Control Today
The Obama administration has issued four documents dealing with issues of cybersecurity. Two are concerned with protecting the United States against the many real and imagined forms of cyberattack, one announces an effort to establish protective norms of behavior among “like-minded” countries, and one accuses China and Russia of stealing economic information by cyberintrusion, making it evident that they are not included among the like-minded countries.
The documents feature basic principles and generally worded aspirations with very little specification of plausibly effective operational policy. At the level of computer code, there is a world of intricate operational detail to which the documents refer, and that level of detail is validly considered to be too abstruse and too sensitive for public discussion. Yet, in declaring that policy actions are required to deal with significant vulnerabilities that cannot be decisively removed, the documents implicitly reveal a prevailing judgment that robust protection of the many activities that now occur in cyberspace cannot be achieved by mastery of computer code or by any other technical means. The beginning of wisdom on the subject is realization that the issues in question are essentially unprecedented and for that reason very imperfectly understood.