Darwinian political science? No thanks.

In a graduate seminar on the scope and method of political science, political scientist Heinz Eulau would ask his students: ‘what would happen to our great commonwealth if all of political science were dumped into the ocean, never to be seen again?’ He claimed that only the brightest had an answer: ‘it probably would have to be rediscovered or reinvented.’[1]

Eulau’s question raises a further one: If the political sciences were rediscovered or reinvented today, would they be Darwinian? Some people seem to think so. This group of scholars generally refer to themselves as biopolitical scientists. But there is a central ambiguity on what exactly it means for a non-biological science to be ‘Darwinian.’ Indeed, much of the literature is mired in confusion, partially because there is little systematic attempt to conceptualize the links between the biological content, on the one hand, and the political (or otherwise social) science models they are feeding into on the other.

Usually, the insistence on the integration between the biological sciences and the political ones is an attempt to provide better foundations for the political sciences. For example, consider realism in international relations (IR).  Realism in IR stresses the importance self-interest and conflict as explanatory variables in the analysis of international politics. The underlying foundations for realism in international relations rests on claims about human nature, namely, that humans are egoistic and strive to dominate.

There has been a long-standing debate amongst IR scholars since at least after World War II regarding the intellectual foundations of realist scholarship. In a nutshell, critics of realism claim that the microfoundations of realism rest too heavily on theological or metaphysical assumptions to motivate the views regarding egoism or domination exhibited by humans that forms the core of realist theories. Critics point to these shaky foundations in classical realist thinkers, such as Reinhold Niebuhr who held that humans are inherently evil, or Hobbes and Morgenthau who claim that humans have an innate desire to dominate others and are self-interested. The latter appeals to an innate desire to dominate and self-interest are taken to be dubiously metaphysical since Hobbes and Morgenthau do not provide any scientifically respectable reasons for why we should accept their view.

Critics of realism make straightforward appeals to the foundations of realism being inherently unscientific, since religious appeals to evil or unjustified metaphysical claims are not scientifically respectable. The thought here is that if the foundations of realist theories are susceptible to such critique, then the realist theories themselves are susceptible to such critique. Indeed, criticisms of realism are framed explicitly terms used by philosophers of science to demarcate between science and pseudo-science, such as the Lakatosian ‘degenerative research programmes.’[2] As such, the charge goes, realists need to either produce a much-needed scientific foundation for their theories, or abandon them altogether.

These criticisms have been well taken. Recent responses to this challenge from critics of realism have looked toward evolutionary theory to supply the ostensibly much-needed scientific foundation for realism. Starting with Bradley Thayer,[3] a growing body of work in IR has focused on the application of evolutionary theory both to unify the intellectual core that forms realist scholarship, as well as to provide an overarching framework to phenomena of interest to IR scholars such as terrorism, war, suicide bombings, and so on. These realist responses to critics of realism again make direct appeals to scientific respectability; indeed, Thayer mentions at the outset of his seminal paper, Bringing in Darwin: Evolutionary Theory, Realism, and International Politics, that ‘[e]volutionary theory provides a stronger foundation for realism because it is based on science, not on theology or metaphysics.’[4]

It’s important to note, however, that whenever realist scholars claim that they are importing ‘evolutionary theory’ into the social sciences dealing with international politics, what they usually mean is that they are importing controversial sociobiological hypotheses. Calling this ‘evolutionary theory’ and not ‘sociobiological theory’ is itself somewhat misleading, as it gives an appearance that sociobiology enjoys universal or near-universal acceptance amongst scholars in the biological sciences. It does not.

The main problem with placing sociobiology as the intellectual foundation of realism in IR is a well-known one: sociobiology is regarded as excessively adaptationist, and is thus susceptible to the problems of overly functionalist thinking. Excessively adaptationist here means that sociobiologists tend to overemphasize the role of evolutionary adaptations in evolutionary explanations. Overly functionalist here means that sociobiologists tend to emphasize the function (typically contribution to fitness) of whatever unit is being analysed from an evolutionary perspective. Typically, sociobiologists observe a pattern of behaviour and are quick to show how that behaviour is adaptive in some evolutionarily meaningful way, and moreover, that this adaptation is an optimal solution to some evolutionary problem (i.e., that it is fitness-maximizing).

Consider two standard sociobiological examples of approaches to IR. Francis Fukuyama claims that socialism and radical feminism will fail as systems of governance since our understanding of evolutionary theory tells us that men (and masculine women, such as Thatcher) strive to be dominant. As such, power politics requires masculine policies, which rules out socialist and radically feminist policies. Thayer claims that inclusive fitness and group selection provide ‘sufficient explanations for war,’ by which he means that evolutionary theory tells us that assisting others can be thought as the broad pursuit of individual self-interest. From this he concludes that ‘evolutionary theory suggests that groups may go to war to increase inclusive fitness’ since ‘a group becomes more fit if it can successfully attack to take the resources of others’ and ‘it must be able to wage a defensive war when competitors threaten its resources.’[5]

It’s important to note that it is not adaptationist thinking or functional explanations that are per se the problem, it is sociobiology’s sometimes exclusive focus on this kind of thinking that is the real issue. This is a particularly pressing problem for IR realist scholars because of two reasons: (1) the explananda of international relations theory heightens grain-of-analysis problems that have plagued sociobiology from the outset; and (2) sociobiology’s scientific credentials are frequently questioned.

Consider the complex collective behaviour on the international stage that IR scholars take to be their phenomena of interest, that is, the explanandum. Typically, IR theorists are interested in explaining behaviour such as war, terrorism, collective xenophobia, and the like. In other words, what IR theorists are interested in is the behaviour of humans at an aggregate level: ethnic groups, international corporations, non-governmental actors, states, and so on. From an adaptationist approach, sociobiologists try to isolate particular behaviours in order to provide evolutionary explanations for the behaviour in question. Typically, these explanations are functionalist: this behaviour arises in this organism because it contributes to the organism’s fitness, and so the gene (or set of genes) that is responsible for that behaviour is favoured in natural selection. Sociobiologists use population genetics to show ‘hypothetical’ genes that could have coded for the trait in question. At the outset, however, it’s unclear that slicing up the suite of behaviours that form the complex phenomena on the international stage is possible.

What’s important here, from an evolutionary perspective, is to appreciate a distinction between mosaic and connected traits. Mosaic traits evolve more or less independently of an organism’s phenotype, whereas connected traits evolve in a way that is connected to some or rest of the organism’s phenotype. Connected traits are typically developmentally entrenched, meaning that a change in a connected trait is usually accompanied by corresponding changes in other areas of the organisms biological life. An example of a mosaic trait might be human skin colour, which can be explained evolutionarily with respect to particular aspects of the environment (e.g., sun exposure) precisely because skin colour evolves relatively independently of the organism’s phenotype. But complex human behaviour that forms the explanandum for IR theorists, such as war, terrorism, collective xenophobia, and so on, are the aggregation of individual behaviour that results from mental mechanisms that play a role in a number of behaviours. If that’s true, then the IR theorist’s explanandum does not offer itself up to an evolutionary explanans, since these kinds of behaviours are not the appropriate evolutionary unit for an independent evolutionary explanation—they are ‘unlikely to have histories to call their own, or to have independent adaptive significance.’[6]

There is a fineness-of-grain issue in another area for realist IR theorists. If the explanandum of IR theorists is complex group behaviour, then any underlying biological theory intended to provide realist intellectual foundations must provide guidance as to what unit of selection ought to be emphasized in evolutionary explanations. In many cases, however, realist IR theorists ignore debates about the unit of selection, debates that are highly controversial and continue to be waged even to this day.

As Bell and MacDonald have noted,[7] this results in contradictory or indeterminate hypotheses for realist IR scholarship. For example, Thayer (2000), in an attempt to explain the biological underpinnings of war, claims that humans are egoistic (following Hobbes and Dawkins),[8] but will sacrifice themselves for groups altruistically during war.[9] Thayer sifts seamlessly between claiming that the appropriate unit of analysis is the gene, the individual, or the group. He does so explicitly, arguing that there needs to be a ‘conceptual shift’ to explain egoism from an evolutionary perspective, given that Dawkins’s level of analysis is at the level of the gene. This raises the question: which level of analysis is the appropriate one, particularly if sociobiology is supposed to provide an intellectual foundation for IR theorists? Is it the gene, the individual, or the group? How will realist IR theorists adjudicate between these levels of analysis, especially since there is a highly controversial and long-standing debate amongst biologists themselves as to what the precise unit of analysis should be with respect to natural selection? This is particularly pressing since the standard IR analysis occurs at the group-level.

One final point to mention here is that there is something particular to the phenomena that interests IR theorists that make it especially difficult to supply realist IR theories with sociobiological foundations. IR phenomena are complex, more complex than just individual or group behaviour because of the multifaceted interactions between group behaviour, international political systems, and differing cultural circumstances. Given that sociobiology itself provides no way to delineate between evolutionary or environmental causes, it’s unclear what use sociobiology is to IR. Indeed, Thayer claims that although warfare and xenophobia may be explainable by appeal to inclusive fitness, the phenomena are also influenced by ‘environmental factors such as culture and religion.’ But what is the mechanism to parse out biological and environmental factors? Sociobiologists and sociobiologically-minded realist IR thinkers provide no response to this question, even though a lot turns on its answer.

It’s also worth noting that many biologists and philosophers of science claim that sociobiologists provide explanations do not meet the threshold criteria for scientific respectability—a threshold that realist IR theorists (such as Thayer) take to be important. Recall that debates about the scientific status of realism in international relations are framed in, and make reference to, exactly the same sorts of criteria.[10] This means even if realist IR theorists could discretely identify mosaic traits that result in behaviours that are fitness maximizing, the question of whether it is an evolutionary mechanism that brought about that behaviour still remains open. This is because functionalist thinking tends to downplay other equally or more plausible explanations for behaviour by exclusively emphasizing the contribution to fitness of whatever unit is being analysed from an evolutionary perspective.

It’s also true that, generally speaking, philosophers of science have moved far beyond verification and falsification as demarcation criteria. Whether sociobiological hypotheses can be verified or falsified might be irrelevant to judging the scientific status of such hypotheses. My point here is only that if the goal is to supply a solidly scientific foundation to realist IR scholarship, choosing such a controversial interpretation of evolutionary biology seems to be a mistake, particularly if (at least some) of the controversy focuses around sociobiology’s scientific status. 

So this is a problem for realist IR theorists by their own lights, given that they claim that one reason to adopt sociobiology is its scientific credentials. It is precisely these scientific credentials that many biologists question regularly. The thought here is that sociobiologists tend to trade in ‘just-so stories’ and commit a post hoc, ergo propter hoc fallacy in their analyses. Commentators question the scientific credentials of such analyses because they do not pass demarcation criteria that some philosophers of science have taken to be important in evaluating the scientific status of theories, such as verificationism or falsifiability. Another line of reasoning is that there is no way to adjudicate between different explanations given to us by sociobiologists, resulting in hard underdetermination problems between competing hypotheses. Sociobiologists tend to rule out competing hypotheses with a commitment to functionalist explanations, or simply by ignoring other non-adaptive or non-biological factors. In sum, it’s hard to see how realist IR theorists can contend that sociobiology is the appropriate scientific foundation for realism to the extent that sociobiologists either provide hypotheses and explanations that cannot be verified or cannot be falsified, or result in hard underdetermination problems and to the extent that IR theorists take these to be plausible demarcation criteria.

Thayer responds to the claim that sociobiology is a heavily controversial science by claiming that a controversial science is distinct from a flawed science.[11] He goes on to claim,

“The important issue is whether any controversy is anchored in scientific fact that discredits the theory or the science. Evolutionary theory is strongly supported by scientific fact, and there is consensus among evolutionary theorists that evolution through natural selection applies to humans—this was one of Darwin’s most revolutionary insights—and that natural selection operates as an ultimate cause of human behaviour” (Thayer, 2000, p. 194).

Thayer is overlooking the fact that it is precisely the scientific credentials of sociobiology that, e.g., Gould and Lewontin started criticizing in the 1970s. Specifically, they claim that sociobiological hypotheses are not scientific because they are not falsifiable. Whatever one thinks about the merits of this claim, or about whether falsifiability is a plausible demarcation criteria, it’s hard to deny that the target of Gould and Lewontin is precisely the scientific status of sociobiological hypotheses (and so is an attempt to discredit the ‘theory’ and the ‘science’ of sociobiology). In a nutshell, what fuels the controversy surrounding sociobiology is exactly that it is viewed as a flawed science by many in the biological and nearby sciences.

Finally, much of the criticism of sociobiology is undertaken from an evolutionary perspective, indeed, an evolutionary perspective motivates it. This line of critique—from people like Gould, Lewontin, and Kitcher—is quite literally motivated by the view that sociobiology departs from, or does not show fidelity to, the evolutionary theory that putatively underlies it.  So the fact that evolutionary theory—not sociobiology—is strongly supported by scientific facts, and that there is consensus among evolutionary theory that evolution through natural selection applies to humans, and that natural selection operates as an ultimate cause of human behaviour tells us exactly nothing of relevance about the status of the type of sociobiology that realist IR theories are interested in.                      

Anyone familiar with sociobiology is familiar with these criticisms in general. And there are a handful of IR and political science scholars (e.g. Duncan Bell) who have been vocal about the relationship between sociobiology and IR specifically. But the seduction persists—and has persisted over time; that is, the seduction of pulling controversial biological content into social scientific models to make them ostensibly more scientific. That's probably the phenomenon that requires explanation now. 


[1] Eulau (1997). 

[2] Vasquez (1997).

[3] Thayer (2000, 2004).

[4] Thayer (2000, 125).

[5] Thayer (2000, p. 141 - 142).

[6] Sterelny and Griffiths (2012).

[7] Bell and MacDonald (2001).

[8] Thayer (2000, p. 133)

[9] Ibid., (p. 135).

[10] Thayer (2000); Vasquez (1997).

[11] Thayer (2001).

Launch speech transcripts for Collective Action on Corruption in Nigeria in Abuja

Here's a transcript of the speech I gave at the Abuja launch for our Chatham House report, Collective Action on Corruption in Nigeria on 17/05/17. For the transcripts of other speeches given at the same event by British High Commissioner H.E. Paul Arkwright CMG and my co-author Leena Koni Hoffman, please click here

So the report is called: ‘Collective Action on Corruption in Nigeria: A Social Norms Approach to Connecting Society and Institutions.” I just want to start off by talking about what we mean by the social norms approach.

I think the key question motivating the report – and I think it’s one that policymakers, including all of you, really care about – is why do corrupt practices persist, and how do we change them? And the structure of this question is quite like other questions that face policymakers in their daily work – why do pernicious practices (like child marriage, open defecation, domestic violence, and so on) in general persist, and how do we change them?

What’s key and integral to our approach is that these two questions are intimately linked. We need to know why a particular practice persists and sustains itself in order to understand the kind of policy intervention we ought to design to induce behavioural change. And what the social norms approach emphasizes – and I’m going to lay my cards on the table here – is the set of social expectations that underlie behaviour. So we need to figure out what those are – and it’s important to remember that they might be social norms, but they might not, more on that later – before we can devise policy solutions.

Another important aspect of our approach is that the framework we use to understand corruption is as a set of interactions amongst people, amongst individuals, that is, real life flesh and blood human beings. In other words we try to understand it as a social phenomenon driven by a set of beliefs. We think corruption is stable because the beliefs that support it are self-reinforcing and resistant to change.

It’s worth mentioning at this point, I think, that we take a neutral social scientific approach to this work. We’re not interested in moralizing, or playing the blame game, or disparaging any particular sectors or institutions found in Nigerian society. We’re not interested in talking about metaphorical beasts of corruption either.

And I’ll tell you why we’re not interested in playing the blame game: It’s the fact that corruption is so frustrating – the reason it’s so frustrating is that it represents a situation where everyone (or almost everyone) realizes that it is a problem, that is, that corruption is a problem. And everyone (or almost everyone) also has a preference to live in a society that is free of corruption, or at the very least has comparatively less corrupt behaviour than the status quo. I want to suggest that even the front-line bureaucrat who is asking for a bribe in whatever context would probably prefer to live in a high honesty low corruption society than a low honesty high corruption one. And that’s what makes this whole thing so frustrating. If it’s true that everyone agrees there is a problem, and everyone has a preference to change, why hasn’t it happened yet?

Well our approach sheds some light on that problem. It’s because corruption is a stable phenomenon whereby everybody has an incentive to continue to engage in it because of a set of interdependent beliefs (even if some of those beliefs are false, which is what our evidence suggests). Social expectations of this sort are difficult to change because they’re resistant to change.

But I do want to push a kind of cautious optimism here, because I want to stress the idea that just because social expectations are resistant to change doesn’t mean they can’t change. Corruption on our view isn’t driven by evil actors or unchangeable conditions, but social expectations. And you can change social expectations. In fact we give you some tools to do just that in the policy recommendation section of our report.

So the takeaway to the social norms approach is to find out what are the types of beliefs driving a practice, and then to devise a policy response to attempt to change them. But you might ask: how exactly do you find out what types of beliefs underlie the behaviour you’re trying to change?

Well you go out into the world and try to find them, try to measure them. That’s what we did – we did a specialized social norms survey. We worked with around seven Nigerian university departments and organizations, including the National Bureau of Statistics and carried out around 4,000 surveys in six states and the FCT. We also did interviews around the country as well.

We didn’t use the word ‘corruption’ in the survey because we didn’t want to prime the respondents into giving us responses that they thought we wanted to hear. We wanted to get at their true beliefs so we tried to be as morally neutral as possible in the framing of the questions. We also asked them about their factual beliefs, moral beliefs, and legal knowledge surrounding the practice in question. Here are some pictures to partially prove to you that we really did go out there and do these surveys.

I think it’s important that we be clear about what exactly we mean by ‘social expectations.’ In the study, we use Cristina Bicchieri’s definition of social norms, which are made up of two different kinds of expectations. These are: (1) empirical expectations, which is basically an expectation about what other people do in a given situation. And (2) a normative expectation, which is basically an expectation about what other people expect you to do in a given situation. The thought is that if you hold these two expectations about a given behaviour, you will conform to that behaviour—or, in other words, you will conform to that norm. And if you don’t conform to that norm, you will be sanctioned in some way (sanctions can be innocuous like idle gossip, or they can be extreme and violent).

Consider an example that I was told about just the other day. Apparently there’s a social norm in Nigeria about handing things to people with your right hand. If you give something to someone with your left hand, then you may get sanctioned – that is, the person might say, ‘hey, don’t give that to me with your left hand. Give it to me with your right hand.’ I probably wouldn’t violate this norm because I’m right-handed, but say I did – say I gave something to someone with my left hand and they sanctioned me in some way. They told me not to do that again. That might put the thought in my head that other people expect me to give them things with my right hand and not my left hand—that would be a normative expectation in the sense described above. And if I observe other people doing that, namely, I see that other people also give things to people consistently with their right hand, then that might give me the empirical expectation. And I will probably start giving things to people with my right hand. All you left handed people probably have learnt this by now.

Another example is tipping in the United States. In the US, you’re expected to tip at least 15 – 20% after a meal to the waiter. And if you don’t, then you might get sanctioned. If I were with a close friend who did not tip after a meal, I might say something to them like ‘hey, you should really leave a tip.’ Or if I was with an acquaintance, maybe I’ll gossip about them behind their back to my other close friends like, ‘I was at dinner with this cheapskate the other day.’ Maybe I wouldn’t. But you know who definitely would? The waiter. In fact if you did that consistently, I bet the staff at that restaurant would know who the cheapskate was. They’d say, ‘here comes the cheapskate.’ Or ‘here comes the European.’ Or ‘here comes the English guy.’ Because you might be a cheapskate, or just ignorant of the norm (like Europeans, like an English person), or you might be all three.

I also want to stress one last distinction before moving onto the findings. So the kinds of behaviour I just described are driven by what we might call interdependent beliefs – that is, they are beliefs that are dependent on what other people think and do.

But it’s really important, from a policy perspective, to figure out if what’s driving a particular behaviour is independent or interdependent. So you might have beliefs that drive behaviour that aren’t dependent on what other people think or do. For example, using an umbrella when it’s raining outside is like this, as is brushing your teeth. I don’t care if you all use an umbrella or don’t when it rains outside – I will use my umbrella because I don’t want to get wet. And I don’t care if you brush your teeth or not, I value having healthy gums and a clean mouth, so I will brush my teeth. Well I might care if you don’t brush your teeth and you talk too close to me, but even so, that won’t govern my choices regarding the brushing of my own teeth!

Moral rules and moral convictions also work like this – if you have a strong moral conviction about not killing people or about not eating meat, then you shouldn’t care about whether other people kill others or eat meat. You will not kill people or eat meat because of a personal moral conviction.

Why this is important is that whether a behaviour is independent or interdependent will govern the kind of policy response required to change it.

What our findings suggest is that there are social norms governing the solicitation of bribes amongst law enforcement officers in Nigeria, but there are empirical expectations governing the giving of bribes. So law enforcement officers might ask for bribes because they have pressures from within their relevant reference networks to do so, but people generally give bribes because they see other people doing it, or they expect other people to do it, or because it’s just a way to get out of administrative hurdles.

Onto our findings. So, as I just mentioned, social norms of corruption seem to be limited to specific contexts and sectors in Nigeria, like law enforcement officers.

Second, if the environment or options are changed, behaviour will change. So people give bribes in many instances because it might just be an efficient way to circumvent inefficient rules and administrative hurdles. It’s quicker and cheaper to give a bribe than it is to go through official processes which take a while. Also, fines are usually less than bribes, making it easier to give a bribe.

We also found that collective action is impeded because in some places people have misconceptions about what other people think. That is, they systematically make mistakes about what other people think.

To return to the point about social norms amongst law enforcement officers, our research suggests that there seem to be both upward and downward pressures to engage in corruption amongst law enforcement. So senior law enforcement officers expect lower ranking officers to solicit bribes from the public and lower-ranking officers expect senior officers to do so.

What’s interesting here is that there is moralistic and value-laden language surrounding non-compliance which indicates a social norm at work – so you have this odd situation where typical moral judgments seem like they’ve been flipped upside down. Those who do the in fact morally correct thing and stand by their moral convictions and the law by not engaging in bribery are the ones who are called evil and wicked, and those who do the morally questionable thing like ask for bribes are not. Being called these things, and the loss of privilege and status that these names indicate, from people in your reference network creates strong social pressures to conform to a norm.

We also found what seems to be a case of people being systematically mistaken about other people’s beliefs, indeed, other people who are in their community. For example, in Enugu, around 9 out of 10 people said that it was wrong and illegal for a police officer to ask for a direct payment for a traffic violation instead of going through the official process, but they also thought that 5 out of 10 of their fellow citizens thought that the officer should ask for a bribe. So you have a case here, a situation where people are systematically making mistakes about the beliefs of their fellow citizens in a way that makes collective action hard. This is because it’s exactly these kinds of false beliefs that give rise to the fatalism and inevitability surrounding corruption, that make it seem like such a hard problem to overcome. Of course you would think it impossible to overcome corruption if you thought half of the people in your community think that law enforcement officers should ask for bribes and you personally think, at the same time, it is wrong and illegal for law enforcement officers to do so. These false beliefs need to be dispelled and the illusion lifted to even begin to facilitate anti-corruption collective action.  

The second behaviour we looked at was regarding a government health facility employee asking for a payment for a hospital bed – a bed that you should legally be entitled to for free.

On the diagram, you can see the shorter lighter blue bar in the middle of the other two. This bar represents responses to ‘do you think it is wrong for a health facility employee to ask for payments for a hospital bed?’ I think Adamawa came in at the highest for a yes but that’s still relatively low, with just over 20%. But then you have the other two bars – do you think a government health facility should ask for a payment, and a high percentage of respondents across the board said yes.

What’s really interesting here is that when asked about whether it was illegal for a government health facility employee to ask for a payment for a hospital bed, lots of respondents also thought it was illegal. That’s the yellowish bar. So here you have a situation where most respondents didn’t think it was wrong, in fact, they thought the nurse should ask for a payment, but nevertheless they thought or knew it was illegal.

So what’s going on here? Despite the fact that many respondents thought that asking for a payment for a bed was illegal, they found it less objectionable than bribery at the checkpoint. Presumably this is because they can see themselves as funding an underfunded service as opposed to being extorted at a traffic checkpoint. The experiences must feel different.

So people view this as making a private transfer for something that ought to be a public transfer. They’re funding a government institution and they can see where their money is going.

Even so, though, we should remember that asking for a payment for a hospital bed basically amounts to a regressive tax because it puts the burden on those who can bear it the least, that is, the poorest people. This is presumably because wealthier people can already afford to go to private hospitals where they pay for healthcare as it is.

So I want to end on that, and hand it over to my colleague Leena to go through the rest of the findings and the policy recommendations. Thank you.

Navigating the murky waters of cyberspace

A modified version of this post was published in Homeland Security Today on 01/01/15: a digital copy can be found here.

The uneasiness of cyberspace

The recent Sony hacking scandal brought one important policy question to light: To what extent should the US government be involved in the cybersecurity affairs of private citizens and business? Answering this question is difficult; the issues are highly complex, there are epistemic barriers to fully appreciate the risks that need to be managed, and it’s a platitude amongst cybersecurity professionals that cyberspace is notoriously murky. But getting the answer right is imperative because of the issues at stake – privacy, the scope of government, and even national security might hang in the balance.

The task of a good cybersecurity policy is to help us navigate through these complexities and mitigate risk. In my mind, there are at least four reasons why the government will become increasingly involved in the cybersecurity affairs of private citizens and businesses:

(1) Hackers from so-called closed-societies are sanctioned (either implicitly or explicitly) by their respective states: In closed-information societies, such as North Korea and China, hackers may operate with the blessing of the government. Implicit backing from a government ‘allows’ hacker activity to go unchecked. For example, many hackers in North Korea or China must operate at least with the tacit knowledge of the government since the Internet is so closely monitored in those countries. My suggestion here is that the ‘permission’ to allow hackers to operate in an otherwise controlled environment constitutes an implicit endorsement of hacker activity. Of course, this claim rests on the assumption that these governments have knowledge of the hacker-activity; surreptitious hacker-activity in controlled information environments does not have the implicit endorsement of those who are controlling the environment.

This implicit endorsement can be contrasted with the explicit endorsement of a government. In this case, a government maintains formal ties with hackers—for example, the People’s Liberation Army (PLA) Unit 61398 is China’s ‘cyber unit’, apparently responsible for numerous attacks on US-based public and private targets. These hackers could be part of the formal apparatus of the government (such as PLA Unit 61398) or be an independent hacking group that receives resources from a government.

That’s not to say that this kind of implicit acknowledgment but formal distance cannot characterize the relationship between the state and hackers in more open societies as well. Nevertheless, there does, prima facie, seem to be a salient distinction to be made between tacit acknowledgment in societies that straightforwardly monitor and censor the Internet, and tacit acknowledgement in societies that are comparatively ‘open’ in the relevant respect.

The upshot is this: What may look like lone hackers may not be lone hackers, particularly if they are operating in a controlled-information environment. So, for example, what may look like criminal cyber attacks for financial gain might instead be a form of sophisticated economic espionage, or worse.

(2) Information and resource asymmetries: This point is related to (1). If the pertinent cyber hacking groups are getting help from states as large as China, or states willing to spend as much money on their military as North Korea, then private cybersecurity resources will probably not be enough.

Asymmetries of information resources are particularly pronounced in cyberspace. Indeed, even small businesses are worthy targets for hackers. For example, consider the fictitious Mr. and Mrs. Kim, small business owners, who don’t know a thing about cybersecurity, but the computer at the front desk of their small independent motel holds thousands of customers’ credit card information and personally identifiable information (PII). Or say Mr. and Mrs. Kim have a franchised (but still small) hotel – a Best Western, for example. They still don’t know anything about cybersecurity, but their front desk is connected to Best Western International’s central information hub. This might give hackers access to millions of credit cards and terabytes of PII. The point is this: it’s unfair to expect Mr. and Mrs. Kim to develop cyber security practices that will keep them safe from hackers with the backing of the Chinese or North Korean governments. Similarly, it might also be unfair to expect larger businesses to develop cyber security measures that will protect against, say, PLA Unit 61398.

But we might say that it’s not unfair to expect the large multinational corporations take drastic cyber security measures, as they have resources comparable to or larger than countries like North Korea. For example, WalMart’s revenue in 2013 was almost 40 times as much as North Korea’s GDP. But asymmetry issues remain: North Korea spends a significant amount of resources on its military, and presumably quite a bit of that money goes towards gaining information superiority in cyberspace. From defector accounts, for example, North Korea has a specific program to train ‘home grown’ cyber-warriors. WalMart, however, does not have strong enough incentives to pour resources into maintaining a WalMart’s Liberation Army Unit 61398.  

It’s important to stress that the information asymmetry stems from an incentive asymmetry. North Korea, China, and indeed all states have strong incentives to put resources into gaining information superiority because relative gains far outweigh costs. An excellent military cyber unit, for example, can not only obtain sensitive and classified national security information, but it can also cause physical damage to ‘smart’ systems or systems otherwise reliant on network infrastructure (see [4] below). Hackers can also cause significant psychological and economic damage. For example, convincing New Yorkers that there is a nuclear bomb in Manhattan (say, by controlling information flows to the city) would shut the city down and in the process economically paralyze the Northeastern United States. These kinds of attacks can be executed from a computer at no threat to personnel unlike traditional warfare.

(3) Incentives for secrecy: Private actors have a strong incentive to cover up cyber attacks on their systems. This is because consumers place trust in the cybersecurity infrastructure that lies behind much of their face-to-face activity with businesses. When you deposit money into a bank, you expect that nobody can simply hack into your account and take your money – importantly, you trust the bank will insure that nobody is able to do that.

You place a similar trust that nobody can access your information when you rent a room from Mrs. Kim, or when you buy something from Target.

But what incentive would the bank, Mrs. Kim, or Target have to tell you that your credit card information was, say, a part of a large package of information taken from their systems? None (notwithstanding legal compliance). In fact, their incentives run the other way: If the bank lets it be known that someone has hacked their systems and has access to their accounts, it risks a bank run. There are similarly significant costs for Mrs. Kim and large retail stores as well – a loss of trust means a loss of business.

These incentives might run directly against national security interests. It’s important to recognize that what may look like discrete cybersecurity incidents might be part of a broad and sophisticated attack. Obtaining information about cyber attacks is not only prudent for privacy and financial reasons, then, but also for gathering intelligence and developing a robust cybersecurity posture. My view is that a mature cybersecurity posture is not only about ‘keeping out’ who we want to keep out or protecting information, but also about gathering information as well – what are the hackers looking for? Why would they possibly be looking for this or that information set? Is there a discernible pattern to their activities? 

(4) Networked infrastructure: Industrialized societies are embedded with networked infrastructure, which means that industrialized societies are embedded with cyber risk. Sometimes industry doesn’t follow best practices, as in the case of the German steel mill that didn’t keep a ‘gap’ between its networks and the public Internet. A cyber attack in 2014 caused physical damage to the steel mill, and even closed down one of its blast furnaces. Cyber attacks can wreak damage even when there’s an air gap between the public Internet and closed networks. Consider the infamous Stuxnet – a computer worm – that was introduced to the closed environment of Iran’s nuclear industrial control systems through an infected USB drive. Stuxnet shut down almost a fifth of Iran’s nuclear centrifuges before it was discovered.

These worries are only set to intensify with the growth of smart technologies and smart cities, as more critical infrastructure becomes part of the ‘Internet of Things’. Cyber risk to power grid networks, water delivery systems, and transportation increases with the increased connectivity in smart cities. Moreover, various third party contractors (with perhaps varying cybersecurity postures) are typically involved in the running of this critical public infrastructure, increasing overall vulnerability.  

These are but some of the issues we ought to keep in mind as we decide on an appropriate cybersecurity policy for a changing information environment. As cybersecurity professionals, decision-makers, and policy analysts know, cyberspace is an especially messy area when it comes to discerning the proper role of government. But even amidst all of this messiness, one thing is clear: we have a formidable task ahead of us in navigating these murky waters.