Existing approaches to cybersecurity emphasize either international state-to-state logics (such as deterrence theory) or the integrity of individual information systems. Neither provides a good understanding of new “soft cyber” attacks that involve the manipulation of expectations and common understandings. We argue that scaling up computer security arguments to the level of the state, so that the entire polity is treated as an information system with associated attack surfaces and threat models, provides the best immediate way to understand these attacks and how to mitigate them. We demonstrate systematic differences between how autocracies and democracies work as information systems, because they rely on different mixes of common and contested political knowledge. Stable autocracies will have common knowledge over who is in charge and their associated ideological or policy goals, but will generate contested knowledge over who the various political actors in society are, and how they might form coalitions and gain public support, so as to make it more difficult for coalitions to displace the regime. Stable democracies will have contested knowledge over who is in charge, but common knowledge over who the political actors are, and how they may form coalitions and gain public support. These differences are associated with notably different attack surfaces and threat models. Specifically, democracies are vulnerable to measures that “flood” public debate and disrupt shared decentralized understandings of actors and coalitions, in ways that autocracies are not.
Download the paper from SSRN.