The Double-Edged Sword of Cyber Security

J. Peter Burgess

J. Peter Burgess

J. Peter Burgess is professor of philosophy and political science, and Director of the AXA Chair in Geopolitics of Risk at École Normale Supérieure, Paris. His research concerns the meeting place between culture, politics and technology, with emphasis on questions of risk and uncertainty. He is author of the forthcoming publication “Terror and Disenchantment: Security after the Unthinkable”.

In January 1961, U.S. President Dwight D. Eisenhower addressed the American public at the end of his term and warned of what would be a central conundrum of the times: the emergence of the ‘military-industrial complex’. The simple but powerful notion stems from Eisenhower’s observation that the already mastodon armaments industry, a by-product of the privatisation and industrialisation of security, had greater financial interest in war than in peace.

While this specific challenge remains today, its more recent conceptualization is called ‘dual-use’, which is the ability of any technology to do either good or evil, depending on how it is used. For example, nuclear energy technologies can serve society’s energy needs or annihilate populations, rocket engines can launch communication satellites or carry nerve gas and GPSs can guide us to a critically needed hospital or a smart bomb to its target.

70 years after Eisenhower’s speech, the prominence of security technologies in society accentuates and intensifies this reality. Indeed, the dual-use issue is particularly salient for security technologies, which hold the potential to do both good or harm. Cyber technologies represent a particularly important example of the conundrum of security and society. The immense societal benefits of cyber technologies coupled with the considerable vulnerability of cyber systems, and the uncommonly high profitability of the cyber industry create a particularly difficult dual-use dilemma.

A good example of the dual-use dilemma in cyber security is the American Colonial Pipeline cyber-attack in May 2021 in the US. The attack was carried out by mobilising cyber technology in order to disable a regional petroleum delivery system managed by cyber technology. When the attack shut down a critical fuel network, the US federal government declared a state of emergency, triggering measures that compromised core US societal values, such as privacy, dignity, trust, care and solidarity.

Cyber security measures risk advancing societal values in one way, while threatening them in another.

The central challenge in addressing the societal impact of cyber security measures is the dual-use character of cyber technologies: they both provide benefits to society and present the greatest threats to it. The infrastructure, the expertise, the knowledge and the methods all originate in the same ecosystem. The only defences we have against cyber risks are cyber technologies themselves.

Since no security guard can fend off a lightning-fast algorithm, cyber surveillance, tracking, profiling, automated analysis and decision-making seem to be the only options. The malevolent activities in cyber space can only be reduced by flooding the entire cyber ‘body’ with cyber poison and these invasive measures can compromise the exact societal values that cyber technologies are meant to serve, such as privacy, dignity, trust, solidarity, rule of law, civil and human rights, health and safety, among others. A societal approach to cyber security design would first determine which of these societal values cyber technologies generate, and what values are threatened when these cyber technologies come under attack.

Societies in general can be distinguished from one another by the degree to which they regard security as a collective problem or as an individual problem. Whereas Scandinavian countries organize the security of their societies in terms of seeking collective good and avoiding collective bad, highly liberal and individualistic societies like the United States trust that allowing citizens the maximum of freedom to seek the good and avoid the bad will in the end be best for all. Central European countries lie somewhere in between.

The challenge lies in the reality of privatised technology development, as true today as it was for President Eisenhower in 1961. Security in general and cyber security in particular hold the greatest risk in the face of the conundrum that is created when financial values are prioritised over societal values. It is the situation where decisions about what cyber technologies to build and how to build them are based on corporate balance sheets rather than on values and public good.