Read Cybersecurity and Cyberwar Online
Authors: Peter W. Singer Allan Friedman,Allan Friedman
Three decades later, the centrality of computers to our lives is almost impossible to comprehend. Indeed, we are so surrounded by computers that we don't even think of them as “computers” anymore. We are woken by computerized clocks, take showers in water heated by a computer, drink coffee brewed in a computer, eat oatmeal heated up in a computer, then drive to work in a car controlled by hundreds of computers, while sneaking peeks at the last night's sport scores on a computer. And then at work, we spend most of our day pushing buttons on a computer, an experience so futuristic in
our parents' day that it was the stuff of
The Jetsons
(George Jetson's job was a “digital index operator”). Yet perhaps the best way to gain even a hint of computers' modern ubiquity is at the end of the day. Lie in bed, turn off the lights, and count the number of little red lights staring back at you.
These machines are not just omnipresent, they are connected. The computers we used as little kids stood alone, linked to nothing more than the wall electricity socket and maybe that spool printer. Just a generation ago, the Internet was little more than a link between a few university researchers. The first “electronic mail” was sent in 1971. The children of those scientists now live in a world where almost 40 trillion e-mails are sent a year. The first “website” was made in 1991. By 2013, there were over
30 trillion individual web pages
.
Moreover, the Internet is no longer just about sending mail or compiling information: it now also handles everything from linking electrical plants to tracking purchases of Barbie dolls. Indeed, Cisco, a company that helps run much of the back end of the Internet, estimated that 8.7 billion devices were connected to the Internet by the end of 2012, a figure it believes will rise to 40 billion by 2020 as cars, fridges, medical devices, and
gadgets not yet imagined
or invented all link in. In short, domains that range from commerce to communication to the critical infrastructure that powers our modern-day civilization all operate on what has become a globalized network of networks.
But with the rise of “all this cyber stuff,” this immensely important but incredibly short history of computers and the Internet has reached a defining point. Just as the upside of the cyber domain is rippling out into the physical domain, with rapid and often unexpected consequences, so too is the downside.
As we will explore, the astounding numbers behind “all this cyber stuff” drive home the scale and range of the threats: 97 percent of Fortune 500 companies have been hacked (and 3 percent likely have been too and just don't know it), and more than one hundred governments are
gearing up to fight battles
in the online domain. Alternatively, the problems can be conceptualized through the tough political issues that this “stuff” has already produced: scandals like WikiLeaks and NSA monitoring, new cyberweapons like Stuxnet, and the role that social networking plays in everything from the Arab Spring revolutions to your own concerns over personal privacy. Indeed, President Barack Obama declared that “cybersecurity risks pose some
of the most serious economic and
national security challenges of the 21st century
,” a position that has been repeated by
leaders in countries from Britain to China
.
For all the hope and promise of the information age, ours is also
a time of “cyber anxiety
.” In a survey of where the world was heading in the future,
Foreign Policy
magazine described the cyber area as the “
single greatest emerging threat
,” while the
Boston Globe
claimed that future is already here: a “cyber world war” in progress that will culminate in “
bloody, digital trench warfare
.”
These fears have coalesced into the massive booming business of cybersecurity, one of the fastest growing industries in the world. It has led to the creation of various new governmental offices and bureaucracies (the US Department of Homeland Security's National Cyber Security Division has doubled or tripled in size every year since its inception). The same is true for armed forces around the globe like the US Cyber Command and the Chinese “Information Security Base” (
xinxi baozhang jidi
), new military units whose very mission is to
fight and win wars in cyberspace
.
As we later consider, these aspects of “cyber stuff” raise very real risks, but how we perceive and respond to these risks may be even more crucial to the future, and not just of the Internet. As Joe Nye, the former Dean of the Harvard Kennedy School of Government, notes, if users begin to lose confidence in the safety and security of the Internet, they will retreat from cyberspace, trading “
welfare in search of security
.”
Fears over cybersecurity increasingly compromise our notions of privacy and have allowed surveillance and Internet filtering to become more common and accepted at work, at home, and at the governmental level. Entire nations, too, are pulling back, which will undermine the economic and human rights benefits we've seen from global connectivity. China is already developing its own network of companies behind a “Great Firewall” to allow it to screen incoming messages and
disconnect from the worldwide Internet
if needed. As a Yale Law School article put it, all of these trends are “converging into a
perfect storm
that threatens traditional Internet values of openness, collaboration, innovation, limited governance and
free exchange of ideas
.”
These issues will have consequences well beyond the Internet. There is a growing sense of vulnerability in the physical world from
new vectors of cyberattack via the virtual world. As a report entitled “The New Cyber Arms Race” describes, “In the future, wars will not just be fought by soldiers with guns or with planes that drop bombs. They will also be fought with the click of a mouse a half a world away that unleashes carefully weaponized computer programs that disrupt or destroy critical industries like utilities, transportation, communications, and energy. Such attacks could also disable military networks that control the movement of troops, the path of jet fighters, the
command and control of warships
.”
Such a vision of costless war or instant defeat either scares or comforts, wholly dependent on which side of the cyberattack you're on. The reality, as we explore later in the book, is much more complex. Such visions don't just stoke fears and drive budgets. They also are potentially leading to the militarization of cyberspace itself. These visions threaten a domain that has delivered massive amounts of information, innovation, and prosperity to the wider planet, fuel tensions between nations, and, as the title of the aforementioned report reveals, maybe even have set in motion a new global arms race.
In short, no issue has emerged so rapidly in importance as cybersecurity. And yet there is no issue so poorly understood as this “cyber stuff.”
“Rarely has something been so important and so talked about with less and less clarity and less apparent understanding.⦠I have sat in
very
small group meetings in Washington ⦠unable (along with my colleagues) to decide on a course of action because we lacked a clear picture of the long term legal and policy implications of
any
decision we might make
.”
This is how General Michael Hayden, former Director of the CIA, described the cybersecurity knowledge gap and the dangers it presents. A major part of this disconnect is the consequence of those early experiences with computers, or rather the lack of them among too many leaders. Today's youth are “digital natives,” having grown up in a world where computers have always existed and seem a natural feature. But the world is still mostly led by“digital immigrants,”
older generations for whom computers and all the issues the Internet age presents remain unnatural and often confusing.
To put it another way, few older than fifty will have gone through their university training even using a computer. Even the few who did likely used one that stood alone, not connected to the world. Our most senior leaders, now in their sixties and seventies, likely did not even become familiar with computers until well into their careers, and many still today have only the most limited experience with them. As late as 2001, the Director of the FBI did not have a computer in his office, while the US Secretary of Defense would have his assistant print out e-mails to him, write his response in pen, and then have the assistant type them back in. This sounds outlandish, except that a full decade later the Secretary of Homeland Security, in charge of protecting the nation from cyberthreats, told us at a 2012 conference, “Don't laugh, but
I just don't use e-mail at all
.” It wasn't a fear of security, but that she just didn't believe e-mail useful. And in 2013, Justice Elena Kagan revealed the same was true of eight out of nine of the United States Supreme Court justices, the very people who would ultimately decide what was legal or not in this space.
It is not solely an issue of age. If it was, we could just wait until the old farts died off and all would be solved. Just because someone is young doesn't mean the person automatically has an understanding of the key issues. Cybersecurity is one of those areas that has been left to only the most technically inclined to worry their uncombed heads over. Anything related to the digital world of zeros and ones was an issue just for computer scientists and the IT help desk. Whenever they spoke, most of us would just keep quiet, nod our heads, and put on what author Mark Bowden calls “the glaze.” This is the “unmistakable look of profound confusion and disinterest that takes hold whenever conversation turns to
workings of a computer
.” The glaze is the face you put on when you can only call something “stuff.” Similarly, those who are technically inclined too often roll their eyes at the foreign logic of the policy and business worlds, scoffing at the “old way” of doing business, without understanding the interactions between technology and people.
The result is that cybersecurity falls into a no man's land. The field is becoming crucial to areas as intimate as your privacy and as weighty as the future of world politics. But it is a domain only well known by “the IT Crowd.” It touches every major area of
public- and private-sector concern, but only the young and the computer savvy are well engaged with it. In turn, the technical community that understands the workings too often sees the world only through a specific lens and can fail to appreciate the broader picture or nontechnical aspects. Critical issues are thus left misunderstood and often undebated.
The dangers are diverse and drove us in the writing of the book. Each of us, in whatever role we play in life, must make decisions about cybersecurity that will shape the future well beyond the world of computers. But often we do so without the proper tools. Basic terms and essential concepts that define what is possible and proper are being missed, or even worse, distorted. Past myth and future hype often weave together, obscuring what actually happened and where we really are now. Some threats are overblown and overreacted to, while others are ignored.
This gap has wide implications. One US general described to us how “understanding cyber is now a command responsibility,” as it affects almost every part of modern war. And yet, as another general put it pointedly, “There is a real dearth of doctrine and
policy in the world of cyberspace
.” His concern, as we explore later, was not just the military side needed to do a better job at “cyber calculus,” but that the civilian side was not providing any coordination or guidance. Some liken today to the time before World War I, when the militaries of Europe planned to utilize new technologies like railroads. The problem was that they, and the civilian leaders and publics behind them didn't understand the technologies or their implications and so made uninformed decisions that inadvertently drove their nations into war. Others draw parallels to the early years of the Cold War. Nuclear weapons and the political dynamics they drove weren't well understood and, even worse, were largely left to specialists. The result was that notions we now laugh off as Dr. Strangelovian were actually taken seriously, nearly leaving the planet a radioactive hulk.
International relations are already becoming poisoned by this disconnect between what is understood and what is known. While we are both Americans, and thus many of the examples and lessons in this book reflect that background, the “cyber stuff” problem is not just an American concern. We were told the same by officials and experts from places ranging from China and Abu Dhabi to Britain
and France. In just one illustration of the global gap, the official assigned to be the “czar” for cybersecurity in Australia had
never even heard of Tor
, a critical technology to the field and its future (don't worry, youâand hopefully sheâwill learn what everyone needs to know about Tor in
Part II
).
This is worrisome not just because of the “naiveté” of such public officials, but because it is actually beginning to have a dangerous impact on global order. For instance, there is perhaps no other relationship as important to the future of global stability as that between the two great powers of the United States and China. Yet, as senior policymakers and general publics on both sides struggle to understand the cyber realm's basic dynamics and implications, the issue of cybersecurity is looming ever larger in US-China relations. Indeed, the Chinese Academy of Military Sciences released a report whose tone effectively captured how suspicion, hype, ignorance, and tension have all begun to mix together into a dangerous brew. “Of late, an Internet tornado has swept across the world ⦠massively impacting and shocking the globe.⦠Faced with this warm-up for an Internet war, every nation and military can't be passive but is making
preparations to fight the Internet war
.”