Everyone Needs a Cyber Textbook

Miller Center of Public Affairs

Brookings Institution scholar Peter W. Singer co-authored a new book that aims to get the IT Crowd and the rest of us on the same page.

Goverrnment officials are subject to a near daily barrage of information regarding cyberattacks and the specter of cyberwar. Depending on the source, that can mean anything from an employee downloading work files from home to an intruder tampering with the systems that control city water supplies. Not understanding the nuances associated with those vulnerabilities can lead to off base policy decisions. 

To get Luddite four-star generals, online shoppers and systems developers all on the same page, Brookings Institution researchers Peter W. Singer and Allan Friedman just released a new primer on the topic: "Cybersecurity and CyberWar: What Everyone Needs to Know," (Oxford University Press, 2014). 

Nextgov recently sat down with Singer, a next-gen warfare aficionado, for some plain talk about killer robots and other cyberweapons. What follows is an edited version of that conversation: 

Why do we need a textbook on cybersecurity?

Cyber issues have largely been left to what I jokingly call the “It Crowd,” the IT folks. There is no issue that has arguably grown in as much importance over the last generation, and yet is so poorly understood by the rest of us, as cyber issues.

To put it bluntly, the fact that folks are taking advantage of our ignorance is one of the reasons for this book. When I say “taking advantage,” that extends to the hacker who tricks you to get inside your systems or the private company that scares you [about your vulnerability to hackers] to tell you they have the secret sauce that will solve all your problems. Frankly there’s a cottage industry of books that, like in [the movie] "This is Spinal Tap," turn the volume up to 11.

Does rhetoric about a Cyber World War or Cyber Pearl Harbor harm efforts to respond to threats? 

There is definitely some hyping going on. More than 30,000 articles have been written on the phenomenon of cyberterrorism even though there’s not been a single person hurt or killed by cyberterrorism.

When you’ve got this hype out there, it’s hard to make good policy. It’s hard to make good decisions as an individual on how to protect yourself too.

But I want to be clear: zeroes and ones can be weapons, can cause physical change in the world. It’s not to say that there aren’t real threats along these different pathways but they get mashed together and a lot of times we spend too much energy on one -- “oh my goodness the power grid might go down” -- and not on others where there is a greater, more likely threat. And, by the way, our best response to the power-grid-might-go-down scenarios -- hyping it by turning up the scare factor -- is not the best way to deal with them.

So, how afraid of cyberterrorism should we be?

A senior Pentagon official will talk about the millions of attacks on the Pentagon but to get that number they are linking together everything from a teenager trying to deface a website to highly organized groups trying to get inside to steal information. But these events are not the Pearl Harbor-like scenario that the listeners think officials are talking about when they say the word “attack.”

The best parallel for it would be a teenager with a firecracker, a mugger with a pistol, James Bond sneaking in to steal your files, a terrorist with a roadside bomb, and a Russian cruise missile. We would never say they are all the same thing because they all involve the chemistry of gun powder. But somehow, change that chemistry to digital, and we talk about them as if they are all one and the same thing. That’s where you get some of these misinterpretations.

Which nations can match our cyber offense skills?

There’s roughly 100 nations with some kind of cyber military capability. Of that, around 20 are for-real players. But, of that, only about the number that you can count on your hand are the ones that can carry out a long-term campaign. There’s a difference between an attack and a truly effective campaign. It’s the difference between 9/11 and Pearl Harbor in the first six months of Japanese operations in the Pacific, where they take the Philippines and Wake Island, etc. It’s the difference between being able to hurt you once, versus do something significantly over a long time.

The U.S., at least by my understanding, is the number one in that space and by all rights we should be because we spend by far the most on it. 

Who can compete with our cyber surveillance capabilities?

The difference here -- the difference between the U.S. and particularly China -- becomes quality vs. quantity and the focus.

There is a huge level of sophistication on the U.S. side as we’ve seen from the [former NSA contractor Edward] Snowden disclosures. But the scale of the effort on the Chinese side, particularly when it comes to intellectual property theft, is literally breathtaking -- Operation Shady Rat got into 71 different government agencies, defense contractors, oil companies and even think tanks like Brookings. In the espionage domain, to me, that’s the differentiator.

Who is the best at cyber defense? 

Actually North Korea [because the country has almost no Internet access]. Estonia has definitely built up a really interesting level of expertise: their approach towards mobilizing; tapping the expertise outside the government. It’s great to distinguish between their cyber militia vs. our National Guard reserves. They basically went out to anyone who has a level of expertise and wants to volunteer and said, ‘we’ll vet you.’ Then they use them for anything from red-teaming an upcoming election [to find vulnerabilities] to serving as on-call support cells.

Right now the U.S. approach frankly reflects bizarre state politics, not what’s best for the nation. Your top computer security expert may not want to wear a uniform and be potentially called to service in Kuwait. So therefore we’ve excluded them from the system. If we had the Estonian model we could have a way to bring them into the system to draw on their expertise, but unfortunately we don’t.

Which nation states are outsourcing cyber operations? 

The Russian government has mobilized its cybercriminal community for use in certain operations. One of the interesting outcomes of Stuxnet [the cyberweapon that derailed Iranian nuclear centrifuges] was that it sparked Iran to invest deeply in this afterwards, including creating two major university programs. Just as it’s a good time to be in cybersecurity in the U.S., it’s a good time to be in cyber in Tehran right now.

You can buy not just weapons or vulnerabilities -- those zero days -- but also the expertise. We’ve seen some signs of that in situations like Syria, where you’ve got a mishmash of everything from Syrian government to Syrian government-linked militias, or Syrian Electronic Armies. But you’ve also seen other actors working with them, including Iranian experts as well as other transnational groups. 

The book discusses "patriotic hackers" who offer their native countries plausible deniability by claiming responsibility for cyber assaults. What's the U.S. version of a patriotic hacker?

Folks outside the United States would argue that’s probably where the cluster of companies that surround Ft. Meade might be categorized. I don’t know if that’s the correct one, but that’s how they see it.

If you’re sitting in Egypt or Syria or Uganda, sometimes they describe groups such as Anonymous that way. I’ve seen senior government leaders describe Anonymous and Al Qaeda as the same thing. It may be troubling to some folks, but everything that Anonymous has done linked back to Internet freedom in some way. If during the Arab Spring the group was acting against regimes, [those government leaders] were seeing [such intrusions as sponsored by] Westerners.

There's been criticism about the effectiveness of National Cybersecurity Awareness Month. What incentive do people have to prepare? Should everyone be required to carry cyber insurance just like car insurance?

Part of it is defeating any notion that there’s one silver bullet or one-size-fits-all approach. It’s not just about figuring out your gaps. It’s about figuring out how you will respond if things go badly so you do it in a test environment rather than wait for the bad thing to happen. That goes all the way down to the individual “gotcha programs.” Some of the more successful businesses, they deliberately try to trick their own employees into clicking a bad link. If you do it once you get sent to cyber training. If you do it twice, there’s some real consequences.

Just like we teach our kids hygiene, we need to be teaching them not just to protect themselves, but that it’s their responsibility to protect others. We need the same kind of teaching in our schools. We don’t do that from the kids-level all the way up to professional military schools. We have electives that are kind of self-selecting: the guys from Cyber Command take them, but they’re already great.

Cybersecurity Awareness Month is a good thing, just like all the other awareness months are, but the very fact that there are all these other awareness months shows you that it should be the start, not the end of what we’re doing.

We also have a gap when it comes to IT expertise, particularly in government. 

Where do robots and drones come into play? Could you see an adversary overtaking an Amazon delivery drone to conduct malicious operations?

Unmanned systems operate on software. If you are able to gain the proper access or authorization you can then persuade the weapon to do something other than what its owner intended. What is the bad thing people want to do? Make it fly somewhere else, or just tap its [surveillance] information?

Example: A casino in Vegas got hacked; [intruders] got into the video cameras. The plan -- they caught them so it didn’t happen -- was to plot a kidnapping of a “whale,” these high-end gamblers that make Vegas work. The casinos surveil them so they’ll always know where the billionaire is so that when he says, “Gosh I have a hankering for chicken fingers,” there is someone with a tray of chicken fingers right behind him. So he feels like, “I love being at the Casino X because they always are ready for me.”

The idea was that [the hackers] would use the casino’s own surveillance to find where that guy was and kidnap him. Imagine if this had worked, if a billionaire had been kidnapped? That’s huge, not just to that casino but to Vegas itself.

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.