Age of Deception
Cybersecurity as Secret Statecraft

Cyberspace raises hard questions about national security. How dangerous are cyber threats? Does cyberspace transform war? Do hackers shift the balance of power? Why are critical systems so insecure in the first place? Has commercial industry become the front line of national defense? And how should governments respond to the mounting threat? Answers to such questions vary depending on whether we interpret hacking as warfare, or something else. This book reconsiders cybersecurity through the lens of secret statecraft.

This book pushes back on the hype about cyber warfare, but I do not minimize the importance of cyberspace in global politics. Students of cybersecurity must chart a middle way between the Scylla of exaggeration and the Charybdis of complacency. I do so by viewing cybersecurity as secret statecraft by other means, to paraphrase Clausewitz. This perspective has implications for the way we think about cybersecurity, intelligence, and institutions in international relations (IR). 

The overarching theme of this book is that contingent institutional context determines the quality of secret statecraft. I develop arguments and test them across eight chapters. The first three present the conceptual framework. Chapter 1 reviews the literature on cybersecurity and political secrecy and clarifies the distinctive strategic nature of secret statecraft. Chapter 2 moves to the operational level and develops a theory of intelligence performance. Chapter 3 provides an empirical segue by describing the evolution of vulnerable institutions and clandestine organizations in cyberspace, which has ambiguous implications for secret statecraft.

I next present detailed campaign studies of espionage, sabotage, and subversion. They showcase variation in explanatory conditions. Chapter 4 uses the case of Bletchley Park to show how a common institutional environment and a disciplined intelligence agency enabled successful signals intelligence throughout the war. Chapter 5 revisits the seminal case of Stuxnet to show how mixed conditions produced mixed outcomes: a robust organization in a problematic environment was less effective in sabotage but more effective in secret diplomacy. Chapter 6 uses the Russian intervention in the 2016 election to examine the opposite configuration of mixed conditions: a compromised organization in an open but uncontrollable environment is associated with an inconclusive outcome. The fourth logical combination of conditions—degraded organization in a complicated environment—has been illustrated by the counterintelligence compromise of Philby and SolarWinds described above.

The final two chapters discuss cross-cutting themes. Chapter 7 applies the theory to understand Chinese information technology policy, digital espionage, cyber warfare, and internet control. Chapter 8 synthesizes the empirical findings of the book. It also returns to the problem of Russian cyber operations, using the ongoing war in Ukraine to further illustrate ideas in this book. I conclude by using the theory of intelligence performance to highlight value tradeoffs in cybersecurity policy.

We are living in boom times for deception, for better and worse. Intelligence threats often emerge in the seams between systems, organizations, policies, and jurisdictions. The SVR snuck into the Department of Defense through a commercial software supply chain, and Philby snuck into the SIS in its haste to expand for the war. The study of cybersecurity likewise falls astride disciplines. There is much to learn from technical reporting about threat activity, the IR subfields of security studies and political economy, and the interdisciplinary fields of intelligence studies and science and technology studies (STS). Yet none of them are sufficient alone for understanding cybersecurity in global politics. Key insights have yet to be integrated into an accessible synthesis, which is what this book provides.