The Cybersecurity Paradox

There is a paradox in the quest for cybersecurity which lies at the heart of the polemics around whether or not Apple should help the U.S. Federal Bureau of Investigation (FBI) break the encryption on an iPhone used by the pro-Islamic State killers in San Bernardino.

The unexpected truth is that the world is made a safer place by allowing public access to full encryption technology and sharing responsibility for action. When it comes to encryption, it is wrong to give into fears of terrorism and to take refuge in misguided illusions of total top-down control.

Violent extremists have already understood more quickly than most states the implications of a networked world. They know that a terrorist attack in Paris or Istanbul immediately reverberates worldwide, and the so-called Islamic State (IS) makes astute use of gruesome videos to terrify as well as to recruit. The number of victims matters less than the number of “impressions”, as Twitter users would say.

States are relatively comfortable fighting for territory, whether it is to destroy the territory of the enemy – bombing IS in Syria and Iraq – or defending their own. But how does one win in the digital space?

As the FBI’s demands on Apple to help them investigate the San Bernardino shooters have shown, security officials are unsurprisingly trying to maximise the comparative advantages provided by state resources and authority. Many have the capacity to access countless sources of data, to process them with ever increasing computing power and eventually to find the terrorist needle in the haystack of law-abiding citizens. They are also keen to retain the capacity to access all digital communications through back doors, so that encryption does not protect criminal enterprises.

Human rights concerns have so far had limited impact on this trend. In the U.S. and Europe, infringements on rights are seen as a lesser evil than the alternative of more terrorist attacks, especially when one considers their potential political consequences: authoritarian populists who would go much further in the destruction of civil liberties.

But centralising state national security may not work. Behind closed doors, a growing number of professionals question the effectiveness of systematic reliance on data-mining, noting that too many false alerts mean that security services are spread thin. Most of the terrorists involved in the recent Paris attacks were not unknown to the police, but the thousands of people who are now listed in databanks could only be effectively monitored by tens of thousands of intelligence operatives.

Excessive reliance on signal intelligence generates too much noise. It may be more effective to focus on targeted electronic surveillance and focused human intelligence. The critical ingredient of volunteered help is also more likely if genuinely inclusive policies can win over allies among disadvantaged communities and countries.

The received wisdom that state surveillance requires back doors to encryption programs was being questioned well before Apple took its stand. If there are secret keys for the authorities to access data, it is wishful thinking to believe that criminals won’t find them too. In fact, making unbreakable encryption widely available might strengthen overall security, not weaken it. Violent extremists and criminals will have the benefit of secure communications, but so will many more millions of citizens and systems threatened by their hacking.

In cyberspace, attack is cheaper than defence: criminals engaged in fraudulent schemes are already exploiting that asymmetry. Perhaps already, and certainly tomorrow, it will be terrorist organisations – and legal states – which will exploit it with lethal effectiveness. Critical infrastructures, transport, and industry have become increasingly dependent on digital processes. Encryption, while it can have an offensive use, may become the ultimate defensive weapon that will help limit the imbalance between offence and defence in cyber-warfare.

This idea of decentralised defence allows individuals and corporations to become providers of security as they strengthen their firewalls and create a resilient society.

It points to a broader trend for nation states too. National security structures are not going to become redundant, but in a world that is both asymmetric and networked, the centralised organisation of power may not be the most effective organising principle. A nation state’s remit is not broad enough to effectively confront global threats; but at the same time, the concentration of power that it embodies provides an attractive target for weak but nimble enemies.

One way to fight asymmetric wars is to deprive the enemy of a strategic target by distributing power rather than concentrating it, copying the way terrorists make themselves elusive targets for states. Unarmed civilians will continue to provide easy soft targets for terrorists, but attacks against them will have less strategic impact, and therefore be less attractive, if power is more dispersed.

Distribution of security measures among a multiplicity of actors – neighbourhoods, cities, private stakeholders – will make society more resilient. And over time, smaller but well-connected communities may be more effective at preventing and identifying terrorist threats among their members. Decentralised, networked self-defence may well shape the future of national security.