Category Archives: History

When does Cyber Attack become War?

Major David Willson is an attorney in the US Army. He has spent more than a decade providing legal advice to the DoD and NSA on information security. Yesterday at the BSides Denver conference Willson presented a paper titled “When does electronic espionage or a cyber Attack become an ‘Act of War’”. The BSides are an informal gathering of information security professionals from the local area.

His paper provides analysis and context to help with the definition of war, but he also offered concrete suggestions in his presentation for how nations can be better prepared to respond in the event of a cyber attack or cyber war. He calls for an international approach.

The audience response was interesting, to say the least. Most of the opposition came from a small vocal group that raised the following issues:

  • Can an International group be trusted?
  • Can an International group be trusted?
  • And last, but not least, can an international group…be trusted?

I say this in all seriousness. Although I would like to think security professionals are familiar with trust as it relates to controls (how to detect, prevent and verify) the mention of an international approach seemed to send certain people into a spell. A centralized authority model, especially one of international membership, clearly upset the audience; eyes rolled back, arms folded, heads shook.

One person in the audience asked several times “Who will be King?! Who will be the King of the group?!”

King?

It quickly appeared that political science concepts (study of human behavior) could have helped this group see past whatever hurdles they were stuck upon. They struggled to transition from the technical material to more organizational security. While (expectedly) comfortable discussing locksport (picking locks), the mention of human behavior and power relationships resulted in comments that went awry. Here are a few suggestions for what Willson’s presentation might have started with to better prepare this particular audience.

  1. Forms and types of governance (or how to distinguish monarchy from democracy)
  2. Allocation and transfer of power in decisions
  3. Disciplines (or how to distinguish realism from instrumental rationality, positivism and behavioralism)

This might have done the job, explaining why a centralized group with international authority would not easily be compromised by a “bad apple” (pun not intended).

One person shouted:

International authority? Someone could compromise it! Isn’t this a case where the cure is worse than the disease?!

Another person asked:

So the US could just turn off the network in another country?

First, this response suggested to me that a group that works with information security can nonetheless be missing key concepts of how to apply security in the real world. Security professionals know that controls can be used to detect and prevent unauthorized access. These concepts can be adapted and applied to the model(s) put forward by Willson. His point is that there is a legal framework for technical controls to be introduced. That makes sense and so we could have discussed how those controls might work to achieve the purpose of the model. Instead the audience heckled the speaker about unfamiliar topics they feared: politics, law and trust.

Second, it reminded me of non-interventionist and isolationist movements in America. After the First World War, for example, instead of ratifying Versailles the US essentially walked away and refused to be involved with international security frameworks such as the League of Nations and International Court of Justice. The 1920s also saw tough tariffs raised on imports and immigration severely restricted.

Another example could be the American Revolutionary War. The alliance with France was essential to victory in the war, yet many in the US strongly distrusted and advocated against ties to foreign states. President Washington spoke out against intervention. Thomas Paine published a book on the subject titled provocatively Common Sense.

With all this in mind President Roosevelt presented the state of international affairs as a cause for intervention in 1940:

Some indeed still hold to the now somewhat obvious delusion that we of the United States can safely permit the United States to become a lone island, a lone island in a world dominated by the philosophy of force. Such an island may be the dream of those who still talk and vote as isolationists. […] On this tenth day of June, 1940, the hand that held the dagger has struck it into the back of its neighbor.

The US President said intervention was justified to fight a power when the goal of that power is to destroy American ideologies. This led to legal arguments like the Fourth Neutrality Act that enabled international support (US aid to France and Britain) for defense against German aggression.

It makes perfect sense to me why a military legal expert like Willson would make a case for a platform of cooperation to fight international cyber attacks and cyber war. It makes sense in non-commercial as well as commercial spheres. Companies that compete can still work together when it comes to fighting fraud and crime. It does not, on the other hand, make sense to me why this particular audience of security professionals was so delusional as to ask “who will be king” or shout “cure is worse than the disease”, unless they represent the philosophical equivalent of misguided American isolationists.

Although there is a colorful past of non-interventionist movements in America, no argument of logic or historic reference was raised by the hecklers. They simply, and ironically, expressed that they have a fear of authority and of foreigners. I suspect if they were prepared better, or approached in a different way such as how to build a secure lock for a door of their car, they would be full of ideas on how we might build authentication and authorization. Instead they sat and spun in fear.

UK WWII Decryption Docs to Go Online

The BBC reports that the British archive of secret codes is soon to be made public:

More than a million documents from Bletchley Park, Britain’s wartime code decryption hub, are to be digitised and put online. The project will take several years. What follows are some examples of the documents in the archive.

Work in progress. This shows an analyst’s workings as they decipher an intercepted encoded message. The next stage was to enter these codes into the mechanical devices developed at Bletchley Park to produce the final decoded message.

More information can be found here:

…the archive is so big nobody knows exactly what each individual document stored there contains.

However, the information they expect to dig out will definitely include communication transcripts, communiques, memoranda, photographs, maps and other material relating to key events that took place during the war.

The BBC says HP is subsidizing the conversion to digital and started the project when they heard Bletchley Park was in financial trouble.

History at LSE ranked #1

I was just informed that my Alma Mater, the International History department at LSE, has been ranked #1 in the 2011 Complete University Guide.

It was given an overall score of 100 out of 100 possible points. Congrats LSE. Go Beavers!

Oxford was second with a score of 99.8. Hard to understand how Durham ended in third with higher graduate prospects and student satisfaction compared to Oxford, but perhaps research assessment and entry standards have more weight?

LSE was an excellent experience for me, as I studied international security during the Cold War in Asia, Africa and Europe. My thesis was on defense ethics strategy, (dis)information warfare, and long-term global security impact from military occupation of the Horn of Africa:

Anglo-Ethiopian Relations 1940-1943: British military intervention and the return to power of Emperor Haile Selassie

When asked about my transition from a history background to information security, I highlight two key points:

  1. Taxonomy of Authority: At its core, security is about tracking and analyzing events – who did what, where, and when. This mirrors the historical method of studying and interpreting past events. As a historian, I analyzed written accounts to construct coherent narratives. In security, I apply the same analytical skills to computer logs and digital data. Both fields require critical thinking to assess risks based on past vulnerabilities and threats. It’s no coincidence that many security professionals, especially in the military, have a keen interest in history.
  2. Case Study: The 1940 British invasion/occupation of Ethiopia offers valuable lessons for modern complex security challenges. This mission aimed to establish stability while respecting Ethiopia’s sovereignty — a delicate balance given Britain’s imperial past and substantially weakened future. The outcomes of this intervention provide insights relevant to recent Western operations in countries like Afghanistan and Iraq. The post-WWII Western policy in the Horn of Africa ultimately failed to ensure regional security. Instead, it precipitated revolution, invited territorial war (with Somalia) and fueled the rise to power of an anti-American military party (the Derg). The resulting instability and reduced Western influence continue to create security challenges today, such as piracy and terrorist safe havens. This historical case study demonstrates how understanding past events can inform current security strategies and risk assessments. It illustrates the transferable skills between historical analysis and information security: the ability to analyze complex situations, identify patterns, and draw actionable insights from past events.

In essence, my background in international history at LSE honed my skills in event analysis and reporting — capabilities fundamental to information security and risk management, which form the bedrock of computer security.