Peter Singer and Allan Friedman of the Brookings Institution have a new book published by Oxford University Press titled “Cybersecurity and Cyberwar: What Everyone Needs to Know.” They sent me an advance copy and I found it a great read for someone (me) who has an interest in the issue but is not all that familiar with the how and why of cybersecurity and warfare. Peter Singer kindly agreed to answer some questions I had about the book. Below is the resulting Q&A. (Check here for a podcast with Singer, Friedman, and Max Fisher).
Why did you write this book?
Our entire modern way of life, from communication to commerce to conflict, depends on the Internet, and the resultant cybersecurity issues challenge literally everyone. We face new questions in everything from our rights and responsibilities as citizens of both the virtual and real world, to how to protect our companies, our nations and our families from a new type of danger.
And yet there is perhaps no issue so important that remains so poorly understood. In “Cybersecurity and Cyberwar: What Everyone Needs to Know,” we try to provide the kind of easy-to-read yet deeply informative resource book that has been missing on this crucial issue. The book is structured around the key questions of cybersecurity: how it all works, why it all matters, and what we can do? Along the way, we take readers on a tour of the important (and entertaining) issues and characters of cybersecurity, from the “Anonymous” hacker group and the Stuxnet computer virus to the new cyberunits of the Chinese and US militaries.
You can read more about it at www.cybersecuritybook.com.
Erik Gartzke has argued that the damage from cyberattacks can be real but it is usually also temporary and does not much affect the balance of power. Cyberattacks are thus more of an irritant than a game changer. What do you make of this argument? Is cyberwar overhyped?
Yes, and no. The immensely important but incredibly short history of computers and the Internet has reached a defining point. Just as the upside of the cyber domain is rippling out, with rapid and often unexpected consequences, so too is the downside.
The astounding numbers behind “all this cyber stuff” drive home the scale and range of the threats:
- 9 new pieces of malware, malicious software designed to cause harm, are discovered each second
- 97 percent of Fortune 500 companies have been hacked (and the other 3 percent likely have been too and just don’t know it)
- and more than 100 governments have created military organizations to fight battles in the online domain.
Alternatively, the problems can be conceptualized through the tough issues that this “cyber stuff” has already produced:
- scandals like WikiLeaks and NSA monitoring
- the ramifications of new cyberweapons like Stuxnet
- or the role that social networking plays in everything from the Arab Spring revolutions to your own concerns over personal privacy
But we too often lump things together that are unlike, simply because they involve zeros and ones. Take the idea of “attacks.” The lead U.S. general for the military’s Cyber Command/NSA testified to Congress that “Every day, America’s armed forces face millions of cyberattacks.”[i] To get those numbers, though, he was combining everything from probes and address scans that never entered U.S. networks to attempts to carry out pranks, to politically motivated protests, to government-linked attempts at data theft and even espionage. But none of these attacks was what most of his listeners in Congress thought he meant by an “attack,” the feared “digital Pearl Harbor” or “cyber 9/11” that’s been cited a half-million times in the media and that his boss, the secretary of defense, had been warning them about in a simultaneous series of speeches, testimony, and interviews with the mainstream media.
Essentially, what people too often do when discussing “cyberattacks” is bundle together a variety of like and unlike activities, simply because they involve Internet-related technology. The parallel would be treating the actions of a prankster with fireworks, some street protesters with a smoke bomb, a bank robber with a shotgun, James Bond with his pistol, an insurgent with a roadside bomb and a state military with a cruise missile as if they were all the same phenomenon simply because their tools all involved the same chemistry of gunpowder.
That said, there are most definitely growing capabilities to cause real and lasting physical damage via cyber means, with Stuxnet being a great illustration. It was like every other game-changing weapon in history in that it caused some kind of kinetic harm (a stone, a drone, a bomb, etc.). But it was also something new in that it was virtual in its means; it was just 0s and 1s. Being software, it was both here, there and nowhere simultaneously, hitting its target, but also residing in thousands of computers elsewhere.
In the book, we explore how the next step in (cyber) war is integration, efforts like Israel’s “Operation Orchard,” where both computer network operations and traditional military activities are blended together. It’s the difference between having radios, tanks and airplanes in World War I versus the way they became powerful by being synergized in the blitzkrieg in World War II.
Edward Snowden has brought the issue of political oversight to the forefront. I was particularly struck by the parallels you strike in the book with civilian oversight over the nuclear program in the 1940s and 1950s. The Senate Armed Service Committee discovered aggressive military plans for preemptive nuclear attacks against the Soviets, which were luckily shut down before the 1960 Cuban missile crisis. You write: “Today’s leaders might want to ask if there are any cyber equivalents.” What kind of equivalents are you worried about? What questions should be asked of whom?
While the cyber arena poses, as President Obama said, “the most serious economic and national security challenges of the 21st century,” it is one that we have proved to be woefully ill-equipped to handle. Indeed, as former CIA director Michael Hayden put it, “Rarely has something been so important and so talked about with less and less clarity and less apparent understanding. . . .”
We can see this problem in everything from the public and mass media’s confusion on matters from the NSA to the latest credit card hacks to Congress’s inability to articulate anything worthy in this space, let alone take effective action. Indeed, 2013 marked the 12th year since Congress passed any significant cybersecurity legislation, the last time being 2002, half a decade before anyone had even heard of the iPhone, let alone today’s world of metadata and Google Glass.
That chapter you cite in the book looks at the fact that important plans and strategies for a powerful new technology are being made, but the broader civilian political system and populace has largely remained apart from the discussion. And if there is a historical parallel to the Cold War, it’s in how civilian leaders nowadays, as in the past, might be caught off guard by some of the operational plans to actually make use of these new weapons, like the LeMay plan or the goofy U.S. Air Force discussion in 1957 of nuking the moon, just to show the Soviets that we could do interesting things in space, too. This gap is not just a U.S. issue but also is notable in states like China, where civilian control of the military is shall we say … far more complex.
I think this also applies not just to the military operational side but also has played out in the surveillance side. Congress may have approved much of the actions of the NSA, but it was clear they didn’t understand them or their ramifications, and that some ran with that. Similarly, it was reported that after General Alexander briefed Obama on NSA activities in the wake of Snowden, the president supposedly got frustrated and asked for it to be repeated to him, “but this time in English.”
What do you make of the Snowden “whistleblower or traitor” debate?
The challenge of the Snowden revelations is that it involves a massive amount of data, showing activities that roughly fall into three categories:
1) Smart, strategic, useful espionage vs. American enemies,
2) Questionable activities that involved US citizens through backdoors, fudging of policy/law, foreign agency collaboration,
3) Un-strategic (stupid) actions that targeted close American allies, as well as the underlying network security and business prospects of American technology companies (who, according to Forrester Research, may lose as much as $180 billion worth of revenue from this).
So the problem in the discourse and debate on everything from how U.S. political leaders defended the programs to whether he is a traitor or a whistleblower is that people focus on one category but not the others. Government leaders talk about how such programs are critical to preventing another 9/11, but that doesn’t assuage the Germans on why we spied on Angela Merkel. Or, in turn, you see human rights activists talk about how this was huge for U.S. public debate about the new meanings of the 4th Amendment in the cyber age, which is true, but that doesn’t resonate to revelations of a program to spy on Chinese military research or Pakistani terror activities. The irony is that NSA should almost be glad that he disclosed all three categories, [since] if it was just the latter two, the present mess would be even uglier but more focused.
You take a nuanced position on the degree to which cybersecurity issues demand involvement by governments (they do) and can be controlled by governments (they cannot, at least not fully). A point you make that I had not fully appreciated before reading the book is that the distribution of labor productivity in this area is highly skewed: A few extremely skilled programmers can achieve more than many programmers with average skills. Governments have advantages in that they can employ many but they may not be able to compete for the very best. What are the consequences of this? Will governments become more dependent on the private sector for sensitive security tasks?
Yes, this is a space where quality matters. As the Silicon Valley firms can attest, the best programmers aren’t just elite but can give you gains an order of magnitude greater than the average.
But it doesn’t mean that scale doesn’t matter. The so-called 人肉搜索, which roughly translates as “Human flesh search engine” in China, has been very effective for its purpose of chilling public debate and online news that might not be regime friendly.
For states, they have to understand that they are, as Joe Nye put it, still the “top dogs on the Internet,” but that there are now many, many smaller dogs that can bite. Like the Internet itself, cybersecurity involves everything from states large and small to non-state organizations that range from Google to the Syrian Electronic Army to collectives of people who link up to share cat videos or conduct Anonymous campaigns to you and me. We all have both concerns, interests and powers.
To your question of hiring, it’s a good way of connecting to how at the end of the day both the problems and answers of cybersecurity are not about the software or hardware, but the wetware, the people behind the systems. Part of this is expanding our awareness, but it also goes to issues of workforce. For instance, we’re finding only about 10 percent of the cybersecurity specialists that we need in the U.S. right now. Of the ones they’re finding, hiring managers describe that they’re only happy with the quality of about 40 percent.
That’s not a good situation, but it goes beyond the IT department. Whether you’re working in the IT department or you’re working in operations, legal, marketing or finance, wherever, you’re increasingly going to be dealing with cybersecurity questions, whether it’s managing people who work on them to your intellectual property, to your services, to your contract negotiations.
This also means, though, that in that issue of both the human side and the government hiring the outside expertise, there are other drives we need to recognize, whether it be goals to build out your bureaucracy, your budget or your business. Again, there are real threats, but also the worry of a so-called “cyber-industrial complex.” In 2001, four companies were lobbying Congress on cybersecurity issues. Now it’s over 1,500. The Washington Post even gave an article on the phenomenon the title “Good News for Lobbyists: Cyber Dollars.”
How should universities reorganize to better meet the demand for people with cybersecurity skills?
Whether you are the president of the United States, of a large corporation, a small business, or your household (when actually your spouse and kids are the true commanders in chief), all of us make cybersecurity decisions that matter.
The problem is that we are not well trained and equipped for these new responsibilities. For instance, 70 percent of business executives have made a cybersecurity decision of some sort for their firms, despite the fact that no major MBA program teaches it as part of normal management training. This gap is mirrored at the schools we teach our diplomats, lawyers, generals, journalists and so on. Indeed, handing off a crucial matter for only the “experts” to understand and handle is the best way to be taken advantage of, whether it is by a hacker accessing your bank account or by a spy agency that uses technical and legal doublespeak to haze what they are actually doing.
In the book, we argue that it needs to stop being treated as just an area for computer science and better blended into the training for other fields. To put it another way, it is not a book just for the CompSci department, but for people in everything from international relations to law to business, much as cyberissues touch on all these fields.
What are the main obstacles for effective international cooperation on cybersecurity?
Oh goodness, that could take another thousand words!
We need to move from only looking at this through Cold War visions and understand 1) the multi-stakeholder levels of play, and 2) that it is all about incentives. While in some areas we will have to be adversarial, as this is part of the realm of war and national security, we can still focus on shared interests, shared threats (what in Chinese is known as “double crimes”), build coalitions where possible, accept that sometimes these efforts won’t involve all countries but that doesn’t make it not worthwhile to build core groups, and follow a strategy of “grafting” onto treaties and agreements that already work (i.e., build upon success, rather than trying to reinvent the wheel). Most of all, we need to raise the level of understanding and shared sense of responsibility, whether it be at the international level across national borders to how you handle cybersecurity issues at your office or your home.