Editor’s note: In an interview with Emanuel Pastreich, director of the Asia Institute, Peter Singer discusses the dynamics of cyberspace and how governments should best conceptualize cyber threats, and suggests that cybersecurity’s greatest challenges are in threat identification and attribution. Learn more about these issues by reading Cyber Security and Cyber War: What Everyone Needs to Know.
Emanuel Pastreich: “When you chose to title your new book as Cyber Security and Cyber War did you intend to make a clear distinction between two discrete issues?”
Peter W. Singer: “Cyber security and cyber war are two separate topics that are related in that within the new domain of cyberspace we see an overlap between what we traditionally refer to as the civilian sphere and the military sphere. Cyberspace is evolving as a realm that includes everything from commerce, entertainment and communications to forms of direct conflict. For example, 98% of all military communications travels through cyberspace, but, at the same time, the cyberspace they are channeling over is primarily civilian owned.
“Let us step back and take a look at this problem in proper perspective. For too long the thinking about cyber security questions have been left to what I call the “IT crowd.” That is to say we have a group of technologists pondering cyberspace and its potential. But at this point in time, whether you are a politician, a general, a business leader, a lawyer, a citizen or a parent, those security questions are clear and present for the rest of us as well. We need to understand cyberspace and commit to planning for a future with it at the center.
“The book is structured around approximately sixty central questions concerning the nature and the potential of cyberspace. ‘How it all works? For example, I use the Internet every day, how does it actually work?’ Or ‘What is cyber terrorism?’ ‘I keep hearing about it; is it as bad as some people say?’
“The book then traces the technology back to the ‘who,’ the prominent players in the field and why their dynamics matter. For example, ‘Who is this Anonymous group I keep hearing so much about in the news?’ ‘What is the strategy of the US military for cyberspace?’ ‘What is the Chinese strategy in cyberspace?’
“And then the final third of the book concerns ‘What can we do?’ Those questions range from the personal and organizational to the national, the regional, and the global level. So the book includes everything from how to prevent possible global cyber wars on a massive scale to offering advice on how to protect ourselves and maintain the Internet that we all know, love, and depend on.
“What differentiates this book from my previous books, Wired for War and Corporate Warriors: The Rise of the Privatized Military Industry, is the nature of the debate we are raising. In my previous books whether I was describing private military contractors like Blackwater or the rise of drones, I was trying above all to draw public attention to a new issue of critical importance. For example, when I started working on drones in 2005 it was a new field that called out for attention, for people to realize that drones were real and would matter very soon. In the case of this book on cyberspace, however, the issue is quite different. We all know cyberspace and security is a critical topic. The problem is rather that we simply do not understand it. Not knowing about cyberspace means that we can be taken advantage of. At the individual level we are subject to hackers and false information. And at a higher level, companies and government agencies have profited, frankly, by just making this whole process seem much scarier than it actually is. And then there are the groups that claim to have the “secret sauce,” the “secret recipe” that will solve all the problems of cyberspace. We want to explain cyberspace to people in a manner that builds substantial understanding and also makes for a great read. We include many funny anecdotes, intriguing characters, and jokes that are not found normally in a technology book.”
Pastreich: “So, in cyberspace, is there a posse comitatus?”
Singer: “Well, no, there is not. There remain a series of issues that we need to work out. When I say ‘we’ I am talking about communities at every level, from the global down to the national, regional, and individual. We need to think about how agencies and corporations can be made accountable and responsible, but also about what we can do as citizens. For example, what exactly do we mean as a community, as a nation, by ‘cyber war?’ And, in turn, who should we expect to fight it?
“One challenge that we find in this debate that we want to unpack for readers is the wide variety of dissimilar threats that we often bundle together as cyber threats simply because they all take place in cyberspace. For example, one senior Pentagon official cited an enormous number of cyber attacks on the Pentagon when he testified to Congress. The problem was that what he spoke of an “attack” the congressmen listening imagined some existential ‘cyber Pearl Harbor’ or ‘cyber 9-11.’ After all, that is what the secretary of defense had been discussing in various closed hearings. Yet, what the Pentagon official was talking about with these numbers instead was a hodgepodge ranging from attempts at address scans or ‘knocks,’ defamation (i.e., pranks such as changing external user-face websites), espionage (i.e., stealing secrets), and some more aggressive attempts to compromise security.
“That Pentagon official was bundling together everything from the equivalent of a teenage prankster with a firecracker, to a pistol-robber, a terrorist with a roadside bomb, a spy with a hidden gun, and a military armed with a cruise-missile. He was giving the impression that all these ‘attacks’ were basically similar because they all use the technology of cyberspace. But the only similarity between a firecracker and a cruise missile is the use of the technology of explosive materials. Such discussions are not a responsible way to keep the public informed about a critical issue.
“What we need to do is to disentangle our thinking about the nature of the threats and in turn that will allow us to disentangle our thinking about appropriate responses. For example, the US Military Cyber Command and its partner the National Security Agency have taken on a wide range of roles largely because of an overwhelming fear of what cyber attacks could be and also the fact that other agencies lack skill and the budget capacity. They are handling issues, as a result, that frankly are not appropriate to their mandate. ‘Appropriate’ here means in a strategic and organizational sense, and also in a legal sense.
“Think of it this way: Let’s imagine two banks were transferring money between them and one of their trucks was blocked in the street by a group of protesters. Well, no one would say, ‘call in the Army! It is the Army’s responsibility!’ And yet that is how we often react if the issue involves electronic transfers. We have to get over that kind of thinking. This is also huge to the concerns of IP theft and US-China tensions that result from it. It is critical that we disentangle certain subtle but important differences between a ‘9-11’ threat and a ‘death by a thousand cuts.’”
Pastreich: “That makes sense. I want to come back to the division of labor you hinted at. For example, with regards to the players such as the FBI, the NSA or the army, is there a field, for example, in which the FBI has exclusive dominion? The very terms domestic and international can be ambiguous when we are talking about cyberspace.”
Singer: “You have hit one of the major challenges. Trying to figure out when and where this construct — the notion of a state border — was established back in the 1700s applies, and when it does not, is a major bone of contention. Too often it seems as if cyberspace is a ‘stateless’ domain as some claim. As the adage goes, cyberspace is the ‘global commons.’ So some assume that somehow nations, states, have no role in cyberspace. But the reality is that states matter in cyberspace in two core ways.
“First, what happens in cyberspace has a direct impact on states. Simply put, since our commerce, communications, and infrastructure all depend on the safe, smooth running of that domain, states have to think about cyberspace seriously with an eye towards their own security and stability. They cannot afford not to care. Second, while cyberspace is virtual, the people who design and administer it, and the hardware that runs it, are located within national borders. There is no truly stateless aspect to cyberspace.”
“Let me be clear on this point. I am not suggesting that transnational dimensions are insignificant. They are critical and unprecedented. But the problem is far more complex than it appears at first glance. I am pushing back against the notion that cyberspace is somehow ‘stateless.’”
Pastreich: “But we have players these days around the globe who can use randomized data, so it is not so easy to figure out by the servers which particular state he, she, or they are in. So although cyberspace is not stateless, there are ghosts in the machine.”
Singer: “Yes, that is an important challenge. This problem comes up, for example, in the case of not only attribution but also of prosecution for crimes. There is a movie out about Julian Assange, ‘The Fifth Estate,’ that illustrates both sides of this problem. On the one hand, WikiLeaks, the organization, has been able to stay functional because of its transnational presence. Each time a state tries to shut it down, it simply transfers operations or picks up stakes. It also has woven a funding structure into things on which the state depends. It did so with the French banking system, for example.”
Pastreich: “The viral effect…”
Singer: “Yes, exactly. On the other hand, Julian Assange the person has been indicted in one state and is stuck in an embassy in another. While the online organization has been able to thrive, some of the individuals involved are subject to the power of the state. The power of the state still matters.
“To return to your question, one of the things that we will have to figure out is: what is the appropriate mechanism for states to cooperate in these domains? What agencies matter? Which is an appropriate response on the state level? And, finally, where is the line between the public and the private? In our book we have chapters in which, as an illustration, we ask whether we need international treaties for cyberspace. Are such treaties even possible? We also consider the dangers of certain international institutions overreaching their mandate and being used to clamp down on freedom of expression online. We see today new coalitions of democratic forces battling authoritarian states over the future of the Internet itself.
“Then at the state level we call for an end to viewing cyberspace through solely a national security or law enforcement framework. There are examples in public health, for example, in which nations are able to cooperate better but also to extend responsibility not just to the government but also to us as individuals. In the case of public health, there are national and international agencies that conduct investigations, research, and carry out the tracking of disease outbreaks. But we do not say that the entire work is up to them. For example, I teach my kids to cover their mouths when they cough, because we teach the importance to our kids of the habits of good hygiene to protect both themselves, but also others. There is an equivalent to cyber hygiene which serves not only to protect youth, but also to teach them that it is their responsibility as good citizens to protect others online. There are some parallels here in terms of protecting your computer from being taken over by a botnet. It is also about protecting the broader Internet.
“The book offers new, creative, different ways at looking at security.”
Pastreich: “One of the challenges for us today is the distinction concerning the attribution for various cyber threats. Are these problems a result of a decline of morality, bad behavior, increased corruption, or is this problem simply a product of Moore’s Law? Many crimes are simply easier and cheaper to do today. The problems cannot be stopped easily because they are driven by changes in the playing field itself.”
Singer: “You ask two very important questions. But let us first try to disentangle a bit. On one hand, we can talk about the motivations of groups like ‘Anonymous’ that have, in many ways, become the bogeymen of the cyber era. In one of the chapters in the book I ask somewhat ironically, ‘Who is Anonymous?’ The book delves into the history of the organization and describes how it operates. What is important to understand is that this organization defies our traditional notion of a top-down hierarchy. Rather, Anonymous is more of a constantly shifting collective. But also, consistently throughout its history, there has been a focus on Internet freedom, Internet good behavior. For example, the public debut of ‘Anonymous’ in the mainstream media came when the group helped to track down a child predator. Later on, the line that connected everything from the operations they carried out concerning the Church of Scientology to their role in ‘Operation Avenge Assange’ in response to the financial supporters of WikiLeaks being challenged, to the many activities being carried out today, was the emphasis on threats to Internet freedom. People can certainly go back and forth debating on whether Anonymous’ has gone too far or not. But the problem is that policy makers talking about cyber security tend to lump together ‘Anonymous’ with Al-Qaeda or Russian criminal organizations. Those are all very different organizations. We need to be clear about the variety of players.
“Regarding your second point, one striking feature of the short history of cyber security and cyber war is rate of the game change in our generation. With regards to technology, security, and war there is a far lower barrier to entry now and, in turn, the greater empowerment of smaller organizations — all the way down to individuals.
“Technological change forms a clear line that connects the past books that I have done on private military contractors, child soldiers, robotics, and now in cyberspace. Several centuries ago, whatever the weapon of war, it required a massive scale to build and operate effectively. Historian Charles Tilly said that ‘War made the state and the state made war.’ There was a centralization of power before. Instead, now, with the new technologies, cyber weapons or drones, a massive organization such as a “Manhattan Project” is no longer needed to produce a small drone or to carry out a cyber attack. While these new weapons have certainly been useful to governments, they have even been even more empowering for small groups and individuals. Some people dismissed users like ‘Anonymous’ as ‘all bark and no bite.’ But, a small group of online individuals, most of whom had never met, have found a way to mobilize and to direct the world’s attention to causes about which they care. That was not possible before.”
Pastreich: “You have perhaps a slightly more optimistic view of what is happening. It seems to me that when ‘Anonymous’ carries out their strikes for Internet freedom, there are groups in corporations or in government who go along with them, even support them in their efforts, not because they necessarily believe in the ‘Anonymous’ cause but because it aids them in their particular agenda they are pursuing. Maybe they just want to bring down the NSA so they can get a piece of that enormous budget. It is a bit more complicated than it appears.”
Singer: “Yes, absolutely. It is both a new trend but also the story of politics going back to the ancient philosophers. In discussions about technology we tend to want to focus on the technology itself. Engineers are most comfortable talking about how it works. However, why it matters, in history, always comes back as the critical issue. To understand what is happening in cyberspace and cyber security, we need to understand the people, the organizations, as well as the motivations and incentives that drive them we need a broad perspective. We must get a glimpse at the dynamics going on within a group such as ‘Anonymous’ and how governments are reacting to it. That perspective also helps us understand why certain business sectors, like the financial sector, have done a great deal in protecting themselves in cyber security, while others such as the electrical power grid have not. It all comes down to incentives.”
Pastreich: “Maybe you can say a few words about our response. There are at least two problems in terms of security. If one wants to have security in a situation in which a single individual or small group can do an enormous amount of damage, it requires by nature a repressive system. The system has to be capable of being focused and responding very effectively. So, it inherently creates problems. Any response is going to be problematic.
“The second issue concerns the rate of technological change. If technology keeps changing, evolving exponentially, you might make up some treaty on cyber security in 2014 that will be meaningless by 2020 because the nature of cyberspace would have changed so profoundly.
“What are your thoughts on these two questions? First, how do you maintain security without it becoming a repressive system? And how do you maintain standards and the rules in a constantly-changing environment?”
Singer: “The first question, in many ways, again echoes back across the ages before the Internet was ever conceived. The debate over the trade-off of rights versus security is not new. We can see that debate in the writings of ancient philosophers. The way they came down on the issue back then is the way we should come down on it today. Yes, you can live in a system that has no terrorism, where criminals are immediately caught. But, in reality we call those totalitarian regimes. However, you could also live in absolute anarchy, but that is an equally insecure world that does not allow one to exercise the most basic rights as a result. The key is finding that balance. We should not assume we can eliminate all threats. Rather we should accept the reality that threats exist and seek to manage them.
“It is all about building structures and incentives that will allow you to manage the world better. In the book we present fifteen things we can and should do to respond to cyberspace, everything from building appropriate institutions in government and global institutions to local community activities. We see the effort to establish better security as both a public and private problem. We must establish the right incentives, build better information sharing systems, and increase transparency. We need to set up clear norms for accountability and reliability. There are many cyber-people problems for which we need to train experts at all levels to respond. There is so much that we can and should do.
“But we also should not let fear steer us solely. The book opens with a description of how each of us remembers as young boys or girls the first time we saw a computer. I was seven years old when I first saw a computer. I am now thirty-eight. My dad took me to a science museum and there I took a class to learn how to program computers to do an amazing thing: print out a smiley face. That is the beginning of the book. We circle back to that same moment at the end of the book. Imagine if my dad had told me at the age of seven, ‘This thing, the computer, it is going to allow people to steal your identity. It is going to allow militaries to carry out all new kinds of war. It may even allow terrorists to turn off the power grid or steal everyone’s money.’ My little seven year-old self would have said, ‘Oh my God, Dad, we must stop this computer, do not turn it on.’
“Of course, looking back at that, we accept these risks because of all the great things that we can do with computers. I can track down the answer to almost any question on line. I am friends with people around the world I have never met. To me, what has played out over the last thirty years is exactly the same thing that we will witness in the future. We have to accept and manage the risks because of all the great things we can do with this technology.
“That is where we have to be mindful of the people who are trying to steer us in the wrong direction, whether it is the people who are trying to make cyberspace too insecure a space, or the people who are trying to make it too secure but do away with the freedom and great features in it by just militarizing this space.
“Regarding your second question concerning whether technological change could lead to outdated treaties or laws practically the very next day, you have hit it exactly right. Cyberspace is a constantly-evolving medium, and indeed the Internet that we know and love today will be quite different five years from now. Everything from the users, to the language of the Internet, to the mentality of online freedom, will change.
“Also, many parts of the Internet are going mobile. And in the future the Internet will be woven into things. Cisco estimates that over the next few decades we will go from having a couple billion devices online, essentially each person behind a device, to seventy-five billion devices online. That means that it will not be just people behind those devices carrying on conversations—it will be things talking to each other.
“One cannot legislate a too-defined law that will not remain relevant. That would not be a good strategy. It also ignores the ‘reality’ of today. You are not going to find the United States, Russia, South Korea, North Korea, China, or Brazil all agreeing on the exact language of some treaty right now. That does not mean that you do not need a building of new laws, norms, and codes for conduct and behavior. In the United States, our Congress has not passed new major cyber security legislation since 2002. What we are pushing for globally and nationally is not to rewrite all law, but, rather to graft new law to previous legal precedents. Rather than plant an entire new tree, instead we should graft new legal developments for cyberspace onto an old, healthy tree. That is, determine what works, affirm the common values that we all hold, and then build off of that. That is the pathway to success.”
Pastreich: “Yes, right. When I wrote an article some time ago entitled ‘Constitution of Information,’ the first point I stressed was one could not write such a constitution unless the writer actually had stakeholders involved in the discussion. It would just be an academic exercise to talk about an ideal world. The real process requires actually getting the people who can make decisions that represent active organizations involved.”
Singer: “Absolutely.”
Commentary
The State, the Internet and Cybersecurity
January 13, 2014