Globalisation, cybersecurity and strategy: special consideration for information strategiesJosé María Molina Mateos
Globalisation can be taken into consideration as a supra-individual force in which connections and impact expand without direction or concrete meaning and is representative of the mixture of a rapid change and a transformational paralysis.
After the events of 1989-1991, everything that happened anywhere is global everywhere in the hands of the new electronic means of communication that allowed connecting the planet at great speed.
Globalisation has been guided by two main currents, one constituted by the enormous development of communication capability and the revolution that this has led to, and the other, the financial one.
In the political sphere, the result is the critical point of equilibrium between this supra-national globalizing tendency and the reduction of the scope for the exercise of democratic political action which, to this day, is still resides in nation-states.
Starting from the development and use of communications, cyberspace has emerged, a complex reality, with multiple dimensions, that requires a deep reflection and could be defined as a set of electronic interconnections arranged in networks, which constitutes a relationship space comprising components of a material nature of technological base, of a non-material nature sustained on information and knowledge, through the language, of an anthropological nature based on the sociability of human beings, that has become in its means and procedures to provide services and has generated a new cultural space with economic, political, legal, social, and security effects; which has restrictions as regards security, development and respect for human rights and needs to establish an international strategy for its management.
Following the criterion of the Joint Cyber Defence Command, the set of activities carried out through these technological infrastructures, the services they provide and the information they manage, aimed at protecting cyberspace against its illegal use, guaranteeing freedom, rights and the well-being of the general public, their defence, the principles and values of their coexistence, as well as their contribution to international security, is what we know as cybersecurity.
The basic principles and values that affect cybersecurity are already included in the international texts on Human Rights and, at least formally, in the constitutions of all the countries of the globe.
As a lesson learned from recent cyber incidents, real and effective cybersecurity may require not only attention to each and every one of its classic phases (prevention, detection, reaction, analysis, recovery, response, research and coordination), but that needs to influence its own essential components of an organizational, training and professional nature, as well as particularly, in cyber-counter-espionage and cryptology.
A basic metric of cybersecurity could come hand-in-hand with simplified risk analysis, using the classical variables of impact and probability. In this way, the degree of risk would be expressed by an index, which will be the final result of the analysis in terms of the possibility of an event caused by a cybernetic threat or danger and of the consequences of a cybernetic incident on the normal functioning of the scope to which it refers.
CYBER RISK = CYBERPROBABILITY x CYBERIMPACT
Managers of destinations in countries and organisations have always needed to immerse themselves and interact in their national and international realities and create a point of view regarding the future, and this should not be any less regarding cybersecurity.
With the fall of the Berlin Wall in 1989 and the end of the Cold War, a new step was taken in strategic thinking and it was perceived that the reciprocal dependence of States on international life led to the need to address any national solution from a global perspective.
The concept of security far exceeds its military component to be the result of a combination of political, economic, technological, social or cultural factors. In the international global game, each nation pursues the consolidation of its security as a priority within the traditional metric of its foreign policy.
Currently, the security of each country and world peace are threatened by economic, ecological, technological, social or institutional dangers similar to military dangers. Among the technological hazards are the risks and threats in cyberspace, a field of cybersecurity that requires its own strategy.
Among other things, the importance of the strategy lies in the selection of the political and military effort in a scenario, so as to achieve a synthesis that allows solving the present issues, with a clear vision of the future scenarios resulting from them.
The strategy could be taken into consideration as the adaptation of resources, means and capacities of the nation to the changing environment in which it operates, with a direct impact on the use of opportunities and risk assessment, according to the objectives set by the Government.
This concept would correspond to the General Strategy of the Nations, or Great Strategy, which few nations have and, from a country perspective, would be what is known as a first level strategy. It will be grown in strategies corresponding to sectorial areas among which would be cybersecurity.
The hierarchy of strategies in an indicated area entails the necessary subordination of the strategies to the previous ordinals which means that they has to be configured in coherence with them. In systemic terms, this supposes that they have to act in the direction of marked action from the higher level entity.
THE STATE DOES NOT HAVE THE CAPACITY TO MANAGE SECURITY ON ITS OWN
The State no longer has the capacity to solve solving security problems alone.
There are continuous references to regional, international and even global security that has given rise to concepts such as cooperative security or common security, which involves collaboration between state and non-state agents as a way to resolve security conflicts.
This cybersecurity situation would requires the development of military and civilian capabilities for the defence and use of information systems to ensure that a country can effectively defend itself against cyberattacks and could take action against adversaries wherever they may be found. To achieve this, it has to resort to traditional methods of cooperation between States and open up to an even greater level of international collaboration, as well as deepening public-private cooperation.
At the current cybersecurity stage, it has been considered necessary to approach it from a general perspective and, in a way, to contribute to the necessary awareness of a phenomenon. This is of great interest to society, the state, corporations, companies and individuals at a global level, because cyberspace is a reality that irrevocably involves everyday life and from which enormous opportunities arise of all kinds, but also new risks that require to be neutralised.
National initiatives expressed through strategies are orientated in the right direction to provide a response from States to security issues in cyberspace from the perspective of individual countries. Spain has had the National Cybersecurity Strategy in force since 2013.
The no less significant, but insufficient regional responses, including the European Cybersecurity Strategy, reinforce the previous ones, confirm the appropriateness of the path chosen and highlight the need to take a step towards an international initiative of this kind. What is far from being the next immediate milestone, in the logical sequence scope, implies a considerable qualitative leap in the complexity of the need to respond to a multitude of interests at stake, derived from different cultures and political and legal systems, with different technological developments, whose treatment requires a minimum of harmonization to be successful.
The global character and high complexity of cyberspace requires an international strategy for its use and development that harmonizes the different components that come into play.
This need is highlighted in the US International Cyberspace Strategy of May 2011, which, even if it has been drawn up unilaterally by a single nation-state, can serve as a reference model for another, possibly multilateral, under the auspices of the United Nations.
This initiative justifies the implementation of a strategic approach based on previous successes, recognizing the challenges faced by societies and in addressing them, ensure adhering to fundamental principles.
One of the essential components of cyberspace and cybersecurity is the information itself, which has its own strategy, linked to the previous ones by a systematic type of relationships.
TO ADVANCE, WE HAVE TO BE CLEAR THAT IT IS ABOUT THE INFORMATION
An approach to an information strategy requires prior identification of the basic functions to be carried out on them and their relationships with others, establishing a strategic positioning, stimulating everything derived or related to them.
The process will be enriched by adding the components of each to a solid strategic body, refined and accepted by all.
To move forward, we need to have a clear and shared concept of what is "information", what is "strategy" and the principles that an "information policy" are to inspire.
Considering that everything related to information is impregnated with politics, before tackling an information strategy, we need to determine the principles that are an information policy are to inspire in a modern democratic society.
Accordingly, six basic functions of regular information can be identified: acquire, process, classify, protect, store and distribute.
The acquisition of information can be carried out through the most diverse procedures that go from its own production to its acquisition through purchase, through communication means, through the diplomatic channels, of the information and intelligence services, the one coming from research and science, culture in general or other sources.
A systematic acquisition strategy would be one that relates all these sources and determines which are available or not, which are the preferred, or which require an implementation, enhancement or refinement.
Among the procedures for acquiring information, the importance of the activities of intelligence and intelligence services and the positive or negative brain drain, in a strategic and organized way, are highly significant in that they stem from the power of the most capable scientists and brains.
The perception of the importance of the acquisition of information as a knowledge base, allows us to propose that in the future, it will given similar importance and value as physical acquisitions. When that moment occurs, it will be when the knowledge society will really have arrived, with all that will be involved in economically and legally, rather than merely politically, their true asset value.
INFORMATION IS OF DIVERSE NATURE AND ORIGIN
Information processing consists of acquiring it, processing it and acting in accordance with it. At present, ICTs play an significant role in these aspects.
Information is of a quite different nature and importance and any strategy requires a clear distinction through its proper classification of the essential blocks, from which different treatments are derived, among which public and private information stand out. Within them, to designate different subgroups by virtue of its specific nature, and allocate levels according to the transparency, protection or secrecy they require.
As regards classification, we need to adhere to the essential elements of an information policy, to take as a reference the derivatives of the international treaties on human rights and the constitutional texts of all the countries of the globe, at least in essence, in one way or another, the principles and exceptions summarized below and which, in the Spain's case are enshrined in Articles 18.3 and 20 of the Constitution.
Every information strategy requires inexorably to include its own protection, to which end "information security" has been developed that also covers the technology that makes its treatment and communication possible, stimulating a deep and constant research and development of products, systems and cryptographic applications that allow for effective integrity, accessibility, authentication and confidentiality of protected information. All this is leading to an approach to making encryption universal, which all that this implies for transparency, which in itself requires a discerning regulation impregnated with a high level of political sensitivity to solve the collisions that occur between different rights in conflict, and achieve a response to the question: what is the necessary security to ensure the freedom possible in the digital world?
Technologies are no longer tools to achieve a predetermined purpose, and have the sole responsibility to correctly meet the objectives for which they were created.
This is therefore the end, the goal: to be deserving of the corresponding qualifier. However, this end is usually only part of a more complex whole.
A particular technology can be good or bad at protecting information or processing it, storing it, communicating it, and so on. In the end, it can be seen that all this set of aims and objectives are different aspects related to an element of autonomous entity regarding what they act on: information.
INFORMATION STORAGE IS KEY
Within the protection of information, there are two dilemmas of high political, legal and operational significance, based on the relationship between security and freedom, which requires an individualized treatment: the cyberdilemma derived from opposing interests and rights, and cryptoconflict, derived from the use of cryptology for the protection of information.
The accumulation of information for later use constitutes what is known as storage, and implies the conservation with the possibility of recovery, which also requires order, easy access and the guarantee of lasting in time, without loss of the different elements that it comprises.
The information storage function has always been conceptually and factually essential, but it has become increasingly important due to the information explosion that occurred with the arrival of ICTs and the voracious consumption it triggered.
Although information has been acquired, processed, classified, and even protected, it is of little use if it is not available to the recipient in a timely manner. Hence the need to approach distribution as a strategic factor, which increases its complexity when it comes to devising international approaches and, more so, if it has a global character.
A distribution policy implies the indication of who has access to what type of information, as well as the means of access, which is closely related to classification, protection and storage factors.
Since ICTs are the physical element that makes cyberspace possible and that information is the objective and purpose of their actions, the information itself is a determinant element in configuring freedom and security in cyberspace. This strategy is the starting point for the construction of a balanced, free, secure and peaceful cyberspace.
We can consider that developing an information strategy is the essential premise to build the model of cyberspace and cybersecurity.
From a systemic perspective that would include both the international level represented by the United Nations, which would mark the general direction, as well as regional and state governments and, even, within these, public administrations and private business or professional entities.
WE HAVE TO MOVE TOWARDS DIGITAL PEACE
All this would configure a ubiquitous strategic information system that would be the "core" and starting point on which the bases of other strategic systems (such as technological, legal, informational, legal-informational, or legal-informational-security) that integrate cyberspace as well as the strategies that have been developed regarding it, which would constitute the great definitive step in the progression of formulating a systematic and final concept of information, from which all the others would be derived.
We could consider that this desirable legislation previously requires a political consensus on the essential critical variables related to information. This is reflected in an international strategy on cyberspace that incorporates a detailed diagnosis of cyberdilemas and cryptoconflicts, in all of its facets, and include second-level international strategies on information, technology and law, the result of which would be the basis for the development of a comprehensive cybersecurity strategy, a reference point and a source of inspiration for the legislation that is derived from it, based on the one that can move, effectively and successfully, towards digital peace.