Passwords stolen, email accounts hacked, customer data leaked, computer networks infected: Almost every day brings news that affects our lives in the world of cyber space. Yet, many people still don’t care about secure passwords, safe browsing or how much of their data is floating around on the web. Renowned warfare expert and author Peter W. Singer dug into the topic and wrote the book “Cybersecurity and Cyberwar. What Everyone Needs to Know”. Peter spoke with netwars / out of CTRL about what he thinks is the reason for this ignorance about cyber security, how the fear of a cyber strike feeds a whole industry and what would be a good way to deal with cyber threats.
Your previous books “Wired for War” and “Corporate Warriors” focused on automated warfare and mercenaries. How did you get into the cyber topic and what drove you into writing “Cybersecurity and Cyberwar. What Everyone Needs to Know”?
My work focuses on how war is changing. That is why I wrote the book about private militaries, then on child soldiers and warlords, and later focused on robotics and drones. Working on that last topic led me to wonder about a new question of not only what is new in where we are fighting but also ‘What happens when people get the wrong kind of access?’. This question sort of links my previous books to my recent book “Cybersecurity and Cyberwar”.
What is different, however, is that in my past books, I was trying to get people to pay attention to things they didn’t know were becoming important. Cyber is the exact opposite: We all know it is important and all of us are making decisions on cyber security. But we’re doing it without effective knowledge.
In my book I’m trying to give the reader very simple tools to understand what’s happening in the space of cybersecurity: how the Internet actually works, what cyber crime and cyber terrorism is, and what we can do about it as individuals, companies, governments and military. My sense was that there was a kind of gap: books on that topic were either highly technical only for specialists or books that mostly wanted to make people scared.
Why do you think that is?
The cyber topic needs to come out of only being seen as for the so-called “IT crowd.” For too long, cyber security was viewed as a domain “only for the nerds,” as one White House official put it. Yet, that is how the Internet itself was looked at in the 1990s. But nowadays we all use it in so many different ways: communication, commerce, and in critical infrastructure. 30 trillion emails are being sent every year. You cannot find an industry that does not use the Internet.
The threats we face range from the security of your bank account, your social network or email account, to the security of the business you work at. Not to mention that cyber has become a matter of geopolitics, of conflicts on war and terrorism. We cannot treat cyber security as if it were just something “for the nerds.” At the same time, we should not treat it like something we should get overly scared about.
Nevertheless a lot of people do get scared about it. Cyber security and cyber war seem to be on everyone’s lips right now.
There are real threats and real dangers in this space. The problem with cyber security is that a lot of people lump very different things together just because they are using the same technology: The former NSA director, General Keith Alexander, testified to Congress that America’s military faces “millions of cyber attacks every day.” He was actually talking about very different things to get that enormous claimed number, everything from automated probes and address scans to attempts to get inside the network for a variety of reasons: hacktivism, theft, economic espionage, military espionage and so on. Yet, none of these “millions of attacks” was the so-called “cyber Pearl Harbor” that people think is the risk. Talking about millions of attacks is like talking about the millions of bacteria attacking your finger right now; it’s true, but also useless as your only way of understanding a threat.
Do these threats feed a new market, a cyber security market?
When there are real threats, there is always a market where people seek to respond to it and profit from it. In 2012, the US Pentagon’s budget mentioned the word “cyber” 12 times. This year’s budget mentions it 147 times. The cyber security business will take off within the next years, not just within business, but also at every level of government: the city level, the state or province level and the national level. And it’s not just the US. Italy just launched a 30 million dollar cyber security center. It is a globally growing business.
We have seen and will continue to see cyber incidents. As much as a hacker is taking advantage of your vulnerabilities, flimflam people might be taking advantage of your ignorance and fear. Businesses claiming to offer 100 percent cyber security when you buy their products. There is no such thing as 100 percent security – if there isn’t in real life, why should it be in cyber?
How likely is it that one day we will face an attack on our financial system or power grid?
There is a real danger that someone will try and carry out a cyber attack and cause physical damage. In fact there has been and there still are attempts to attack the power grid system. Such an attack could include knocking down the system and messing with the machines’ operations, just like Stuxnet did in the Iranian uranium enrichment facility in Natanz. There is a possibility that attackers could use something similar to mess with the infrastructure.
Yet, we also have to understand such systems have long been under physical threat too, from everything from criminals to squirrels. We can either just get more scared or manage our risks and fears.
What would be a good way to take precautions?
The key is to shift from only the mentality of a catastrophic and fearful ‘cyber 9/11’ vision to a mentality of resilience. We should expect that there will be bad things that will happen. That is a reality of life, as well as cyberlife. The key is to not just try to prevent them, but also to think about how to get back up again. It’s about not just preventing it but powering through.
All the nations that have benefited a lot from the Internet in an economic, social and political way must now realize that this connectivity also creates some vulnerabilities. Yet, the dependence that nations like the U.S. and Germany and others have on the Internet should not lead us back into a Cold War mentality of thinking the only safety lies in building the offense up to scare the other guys into not attacking. It is more about being able to power through the risks and threats, how to get back on track, how to control the damage and bring the status back in case something happens. ‘Keep calm and carry on’ is the best response.
What can be done on a personal level to think and live cyber security in a new way?
There is a need for what I call “cyber hygiene.” The best thing to be safe is to think twice about what you’re actually doing there. It’s not as highly technical as too many fear. For example, it is always a good start to secure your passwords, having complex passwords and to change them frequently. And like in real life, don’t take candy from strangers – so don’t take any hardware you don’t know and don’t click on any links that you don’t know.
Even the U.S. military walked into that trap: the most successful foreign government attack on US military networks happened quite simply. A soldier picked up a shiny object in a parking lot that turned out to be a flash drive. Since he was curious what might be on it, he plugged it into a computer on the base that was linked to a classified network.
Hygiene is not just about the simple measures of protecting yourself, but also a broader ethic. We teach our kids to cover their mouths when they cough. Why do we do that? It doesn’t protect them directly, instead it protects others from getting infected. We should think the same thing in cyber space. We have a responsibility not only for our own safety but for the safety of everyone else we connect with.
About Peter W. Singer:
Peter Warren Singer is the founder of technology advisory firm NeoLuddite. Dr. Singer is considered a leading expert on changes in 21st century warfare and has authored a number of award-winning books. He has consulted for the US Military, Defence Intelligence Agency, FBI and a wide range of entertainment programs. Prior to his current position, Dr. Singer was the founding Director of the Center for 21st Century Security and Intelligence at the Brookings Institution. In September he will join the New America Foundation as strategist. Visit his website: www.pwsinger.com. To learn more about his book, visit www.cybersecurityandwar.com