What can infosec learn from strategic theory?

Antonio Roque, of MIT Lincoln Labs, has published some provocative papers to arXiv over the last year. These include one on cybersecurity meta-methodology and one on making predictions in cybersecurity. These papers ask some good questions. The one I want to focus on in this short space is what cybersecurity can learn from Carl von Clausewitz’s treatise On War.

This might seem a bit odd to modern computer scientists, but I think it’s a plausible question. Cybersecurity is about winning conflicts, at least sometimes. And as I and others have written, one of the interesting challenges about generating knowledge with a science of security is the fact we have active adversaries. As Roque tells us, generating knowledge in the face of adversaries is also one of the things On War is about.

One important question for me is whether Clausewitz interestingly presaged our current problems (and has since been overtaken), or if On War makes contributions to thinking about cybersecurity that are new and comparable to those from the fields of economics, mathematics, philosophy of science, etc. After a close reading of these papers, my stance is: I have more questions that need answers.

In general, I actively want diverse fields contributing to cybersecurity. In our paper on practicing a science of security, we endorsed the mosaic unity of disciplines, where each field contributes to the discipline in their way on their topics. But translating strategic theory, with its focus on competing sovereign nation-states, to my grandmother’s interaction with spammers, is not an easy task. If Roque were limiting his scope to what On War teaches us about cyberwar, it would be an easier sell. But he explicitly wants to translate strategic theory to all of cybersecurity.

In my reading, Roque wants to transition two main elements of On War to security folks: the three parts of critical analysis and how Clausewitz suggests doing them, and the fact that critical analysis is a performative mental exercise.

In my opinion, the first of these, the parts of critical analysis, is transparently outdated by modern science. And, insofar as philosophy of science is the meta-reflection on the practice of science, it seems to me that Clausewitz here is superseded by the work we surveyed on modern philosophy of science. This seems clear from the parts of critical analysis: “(1) Identification of facts; (2) Determination of causes of the facts; (3) Investigation of the means used and intentions behind their use” (pg. 8).

I don’t have any problem with this as a strategic outline. I agree, this is still what we want to do. This is enough to make Clausewitz perhaps brilliant for his time. But that was the 1820s. Right now, I want to know how I, as an analyst, do each of those steps. Roque does not seem to present Clausewitz’s answer here, and he does not compare it to other modern methods of how we complete these steps to demonstrate any benefit from taking Clausewitz’s viewpoint.

Philosophers of science have spent at least a century hammering out “what do you mean by ‘fact’”, for example. Scientists and statisticians have built on that. Fisher’s 1935 book The Design of Experiments, where he introduces modern frequentist statistics for experiment design, is still a useful read today for how one “identifies facts”. Why should we use Clausewitz’s epistemology instead? It seems much poorer. Sure, On War discusses identifying facts in wartime. And Clausewitz is admirably pluralist and pragmatic, something I’m sympathetic to.

What I think happened here is that Roque found Clausewitz to be usefully pragmatic in an area of science of security where there were a lot of dogmatic laws-of-physics types saying there is no general knowledge in security. Clausewitz offers a much more pragmatic approach, as military types are wont to do, which says basically (in my reinterpretation of Roque’s explanation) stay aware and use whatever works to make predictions; avoid biases because your opponent will exploit any bias you sink into. Awesome, I agree.

The thing is, I think modern philosophy of science, game theory, economics, psychology, pedagogy, and so on actually say this same thing, and better, with more detail, and with more heuristics for actually doing the job. And if Roque is going to use the philosophical terms-of-art “epistemology” and “ontology” and try to say why those Clausewitz puts forward are good, he immediately solicits the question of how this compares to other epistemology and ontology work and why strategic theory is better. And there is no answer; this most natural question is not addressed. The whole philosophical movement of logical empiricism was born and died responding to problems with these three steps just between 1920 and 1970. My complaint has been that science of security people are stuck in 1960s logical empiricism; I’m not going to easily accept a turn, however pragmatic, that’s at heart 1820s German idealism.

The second key aspect of Clausewitzian critical analysis is that it is “performative”. This is about training staff, really; about developing a “creative ability” during wartime. But I’m left with several questions here. What do we need to train? What topics or skills? If my students read Clausewitz, do they instantly win all the CTF competitions? I prefer Angela Horneman’s description of this, in her “How to think like an analyst”. It’s not clear to me what different insights strategic theory gives the analyst. I take it Roque believes there are some, but I don’t see them spelled out. I’d like to know them.

I have my personal answer to this, which is that generating and applying generalised knowledge via heuristics is how we all do this, scientists included. We connected mechanistic explanation, hypothesis generation, and incident analysis in a paper a couple years ago. Roque cites this article, but he totally glosses over how strategic theory might interact with it.

Strategic theory sounds like a great source of insight for us. But I’m left from this work not knowing how it integrates.

My best guess is that I can use it as a translating tool between academics and military types. It seems like Clausewitz recommends steps that academic science of security also recommends and can elaborate on. If I can use something the military types are comfortable with to translate academic or scientific concepts, that would be wonderful. Roque doesn’t provide any such hooks or connections for translation. But my guess is that Clausewitz would agree with historian of science Peter Dear in The Intelligibility of Nature. What we need, in adversarial combat, is to use what Dear defines as “those bodies of knowledge reckoned to be most solidly grounded in evidence, critical experimentation and observation, and rigorous reasoning” (pg. 1) — namely, science.

Thanks for reading! I’m sure I’ve got something wrong, or perhaps just overlooked. Leave comments here, or reach out over email.
