Goverrnment officials are subject to a near daily barrage of information regarding cyberattacks and the specter of cyberwar. Depending on the source, that can mean anything from an employee downloading work files from home to an intruder tampering with the systems that control city water supplies. Not understanding the nuances associated with those vulnerabilities can lead to off base policy decisions.
To get Luddite four-star generals, online shoppers and systems developers all on the same page, Brookings Institution researchers Peter W. Singer and Allan Friedman just released a new primer on the topic: "Cybersecurity and CyberWar: What Everyone Needs to Know," (Oxford University Press, 2014).
Nextgov recently sat down with Singer, a next-gen warfare aficionado, for some plain talk about killer robots and other cyberweapons. What follows is an edited version of that conversation:
Why do we need a textbook on cybersecurity?
Cyber issues have largely been left to what I jokingly call the “It Crowd,” the IT folks. There is no issue that has arguably grown in as much importance over the last generation, and yet is so poorly understood by the rest of us, as cyber issues.
To put it bluntly, the fact that folks are taking advantage of our ignorance is one of the reasons for this book. When I say “taking advantage,” that extends to the hacker who tricks you to get inside your systems or the private company that scares you [about your vulnerability to hackers] to tell you they have the secret sauce that will solve all your problems. Frankly there’s a cottage industry of books that, like in [the movie] "This is Spinal Tap," turn the volume up to 11.
Does rhetoric about a Cyber World War or Cyber Pearl Harbor harm efforts to respond to threats?
There is definitely some hyping going on. More than 30,000 articles have been written on the phenomenon of cyberterrorism even though there’s not been a single person hurt or killed by cyberterrorism.
When you’ve got this hype out there, it’s hard to make good policy. It’s hard to make good decisions as an individual on how to protect yourself too.
But I want to be clear: zeroes and ones can be weapons, can cause physical change in the world. It’s not to say that there aren’t real threats along these different pathways but they get mashed together and a lot of times we spend too much energy on one -- “oh my goodness the power grid might go down” -- and not on others where there is a greater, more likely threat. And, by the way, our best response to the power-grid-might-go-down scenarios -- hyping it by turning up the scare factor -- is not the best way to deal with them.
So, how afraid of cyberterrorism should we be?
A senior Pentagon official will talk about the millions of attacks on the Pentagon but to get that number they are linking together everything from a teenager trying to deface a website to highly organized groups trying to get inside to steal information. But these events are not the Pearl Harbor-like scenario that the listeners think officials are talking about when they say the word “attack.”
The best parallel for it would be a teenager with a firecracker, a mugger with a pistol, James Bond sneaking in to steal your files, a terrorist with a roadside bomb, and a Russian cruise missile. We would never say they are all the same thing because they all involve the chemistry of gun powder. But somehow, change that chemistry to digital, and we talk about them as if they are all one and the same thing. That’s where you get some of these misinterpretations.
Which nations can match our cyber offense skills?
There’s roughly 100 nations with some kind of cyber military capability. Of that, around 20 are for-real players. But, of that, only about the number that you can count on your hand are the ones that can carry out a long-term campaign. There’s a difference between an attack and a truly effective campaign. It’s the difference between 9/11 and Pearl Harbor in the first six months of Japanese operations in the Pacific, where they take the Philippines and Wake Island, etc. It’s the difference between being able to hurt you once, versus do something significantly over a long time.
The U.S., at least by my understanding, is the number one in that space and by all rights we should be because we spend by far the most on it.
Who can compete with our cyber surveillance capabilities?
The difference here -- the difference between the U.S. and particularly China -- becomes quality vs. quantity and the focus.
There is a huge level of sophistication on the U.S. side as we’ve seen from the [former NSA contractor Edward] Snowden disclosures. But the scale of the effort on the Chinese side, particularly when it comes to intellectual property theft, is literally breathtaking -- Operation Shady Rat got into 71 different government agencies, defense contractors, oil companies and even think tanks like Brookings. In the espionage domain, to me, that’s the differentiator.
Who is the best at cyber defense?
Actually North Korea [because the country has almost no Internet access]. Estonia has definitely built up a really interesting level of expertise: their approach towards mobilizing; tapping the expertise outside the government. It’s great to distinguish between their cyber militia vs. our National Guard reserves. They basically went out to anyone who has a level of expertise and wants to volunteer and said, ‘we’ll vet you.’ Then they use them for anything from red-teaming an upcoming election [to find vulnerabilities] to serving as on-call support cells.
Right now the U.S. approach frankly reflects bizarre state politics, not what’s best for the nation. Your top computer security expert may not want to wear a uniform and be potentially called to service in Kuwait. So therefore we’ve excluded them from the system. If we had the Estonian model we could have a way to bring them into the system to draw on their expertise, but unfortunately we don’t.
Which nation states are outsourcing cyber operations?
The Russian government has mobilized its cybercriminal community for use in certain operations. One of the interesting outcomes of Stuxnet [the cyberweapon that derailed Iranian nuclear centrifuges] was that it sparked Iran to invest deeply in this afterwards, including creating two major university programs. Just as it’s a good time to be in cybersecurity in the U.S., it’s a good time to be in cyber in Tehran right now.
You can buy not just weapons or vulnerabilities -- those zero days -- but also the expertise. We’ve seen some signs of that in situations like Syria, where you’ve got a mishmash of everything from Syrian government to Syrian government-linked militias, or Syrian Electronic Armies. But you’ve also seen other actors working with them, including Iranian experts as well as other transnational groups.
The book discusses "patriotic hackers" who offer their native countries plausible deniability by claiming responsibility for cyber assaults. What's the U.S. version of a patriotic hacker?
Folks outside the United States would argue that’s probably where the cluster of companies that surround Ft. Meade might be categorized. I don’t know if that’s the correct one, but that’s how they see it.
If you’re sitting in Egypt or Syria or Uganda, sometimes they describe groups such as Anonymous that way. I’ve seen senior government leaders describe Anonymous and Al Qaeda as the same thing. It may be troubling to some folks, but everything that Anonymous has done linked back to Internet freedom in some way. If during the Arab Spring the group was acting against regimes, [those government leaders] were seeing [such intrusions as sponsored by] Westerners.
There's been criticism about the effectiveness of National Cybersecurity Awareness Month. What incentive do people have to prepare? Should everyone be required to carry cyber insurance just like car insurance?
Part of it is defeating any notion that there’s one silver bullet or one-size-fits-all approach. It’s not just about figuring out your gaps. It’s about figuring out how you will respond if things go badly so you do it in a test environment rather than wait for the bad thing to happen. That goes all the way down to the individual “gotcha programs.” Some of the more successful businesses, they deliberately try to trick their own employees into clicking a bad link. If you do it once you get sent to cyber training. If you do it twice, there’s some real consequences.
Just like we teach our kids hygiene, we need to be teaching them not just to protect themselves, but that it’s their responsibility to protect others. We need the same kind of teaching in our schools. We don’t do that from the kids-level all the way up to professional military schools. We have electives that are kind of self-selecting: the guys from Cyber Command take them, but they’re already great.
Cybersecurity Awareness Month is a good thing, just like all the other awareness months are, but the very fact that there are all these other awareness months shows you that it should be the start, not the end of what we’re doing.
We also have a gap when it comes to IT expertise, particularly in government.
Where do robots and drones come into play? Could you see an adversary overtaking an Amazon delivery drone to conduct malicious operations?
Unmanned systems operate on software. If you are able to gain the proper access or authorization you can then persuade the weapon to do something other than what its owner intended. What is the bad thing people want to do? Make it fly somewhere else, or just tap its [surveillance] information?
Example: A casino in Vegas got hacked; [intruders] got into the video cameras. The plan -- they caught them so it didn’t happen -- was to plot a kidnapping of a “whale,” these high-end gamblers that make Vegas work. The casinos surveil them so they’ll always know where the billionaire is so that when he says, “Gosh I have a hankering for chicken fingers,” there is someone with a tray of chicken fingers right behind him. So he feels like, “I love being at the Casino X because they always are ready for me.”
The idea was that [the hackers] would use the casino’s own surveillance to find where that guy was and kidnap him. Imagine if this had worked, if a billionaire had been kidnapped? That’s huge, not just to that casino but to Vegas itself.