Singer decodes cybersecurity, warns against cyber-ignorance


Kreable Young | Staff Photographer
Peter W. Singer, former director of the Center for 21st Century Security Intelligence at Brookings Institution, speaks during the morning lecture at the Amphitheater Tuesday.

The first website was established in 1991. The world has changed dramatically in just 23 years.

Today, more than 30 trillion individual websites comprise the Internet, transforming nearly every aspect of daily life, business and governance. Internet users send more than 40 trillion emails every year, political scientist Peter W. Singer told the Amphitheater audience on Tuesday.

Until recently, Singer was the director of the Center for 21st Century Security and Intelligence at the Brookings Institution. This September, he will join the New America Foundation as strategist and senior fellow on their Future of War project. He founded the technology advisory firm NeoLuddite and has authored or co-authored four books, including Cybersecurity and Cyberwar: What Everyone Needs to Know. His lecture was the second in this week’s morning lecture theme, “The Ethics of Privacy.”

Singer pointed to an increasingly vast network of devices that transmit data about their users. Over the next five years, Cisco Systems estimates that 40 billion devices will be Internet-enabled, branching beyond smartphones and tablets to include cars and home appliances in the so-called “Internet of things.” Google took a significant step toward this state of affairs in January, when the company acquired the “smart” thermostat company Nest for $3.2 billion.

This reliance on and entanglement with the Internet, Singer said, has significant implications for security, from individuals to businesses and governments. For example, 98 percent of U.S. military communications are conducted over civilian-owned and -operated Internet channels, in a world in which nine new pieces of malware are discovered every second. Ninety-seven percent of Fortune 500 companies have admitted to being hacked, and more than 100 governments worldwide, including the United States, have a military Cyber Command.

Cybersecurity is on the minds of many Americans, Singer said.

The results of a recent Pew Research Center poll showed that Americans are, on average, more afraid of cyberattacks than they are nuclear weapons or climate change. The cybersecurity industry has taken note: its budget is projected to double in size to $120 billion in the next three years. Meanwhile, city and state governments are shoring up their cybersecurity measures: Florida just spent $10 million on their program. The federal government has turned its attention to cybersecurity concerns as well, Singer said: this year’s Pentagon budget used the word “cyber” 147 times, up from 12 in 2012. And the Pentagon’s 82-page 2014 Quadrennial Defense Review used the word 46 times. For perspective, Singer added, the QDR used the word “Russia” only once.

President Barack Obama has called cyber threat “one of the most serious economic and national security challenges we face as a nation.”

And yet, former National Security Agency and Central Intelligence Agency director Michael Hayden wrote in 2011, “Rarely has something been so important and so talked about with less clarity and less apparent understanding than this phenomenon.”

The threat is serious, but not widely understood, Singer said. For this reason, cybersecurity issues are frequently lumped together in one category when the types of threats are very different.

Gen. Keith Alexander, who stepped down from his role as director of the NSA in March, testified to Congress that “every day, America’s armed forces face millions of cyber attacks.” But, Singer said, this was a misrepresentation, exploiting paranoia that the U.S. is vulnerable to a so-called “cyber Pearl Harbor” or “cyber 9/11,” fears that are compounded by the 31,300 magazine, newspaper and academic journal articles that have been written on cyber-terrorism. But no one has ever been hurt or killed by cyber-terrorism, Singer said.

These disconnects in understanding, Singer said, can make people vulnerable. In fact, he said, 70 percent of business executives have made some kind of cybersecurity decision for their company, yet no major MBA program requires such coursework.

To conclude, Singer applied Benjamin Franklin’s axiom that “an ounce of prevention is worth a pound of cure” to the issue of cybersecurity.

Ninety-four percent of all cyber-attacks can be prevented by basic cyber hygiene, he said, concluding that “if we accept and manage the risks of the world, we get all the good things that we can achieve in it.”

Q&A

Q: Can you talk a little bit about, well, specifically about Snowden’s act, but the perception of the value or the violence of that act? How do you think the arc of change of our perception of that is moving, if at all?

A: Well, the complexity of Snowden — not just as an individual, but how we’ll judge the affair moving forward — is the mass scale of what was taken. We’re talking not the comparison of the Pentagon Papers, but literally a million Pentagon Papers, so to speak, talking about files taken. In turn, it’s led to a steady drumbeat of news stories coming out from it, each focused on one particular action or incident. This story over a year in will continue to happen. Just this weekend, we had another revelation, so it’s the constant flow of it. When you’re trying to kind of wrap your arms around it, how to judge it, and how to judge him, in my mind it really falls into three buckets of activities that were being undertaken. How you judge Snowden depends on which bucket of activity you care more about. Bucket number one is activities that I would call “unsurprising and strategic,” that the NSA and allies spy on American adversaries. Some of the things that were revealed were monitoring of Chinese military networks, trying to crack into nuclear research that others were doing, etc. Bucket number two is “questionable,” the surveillance debate. However we judge it, monitoring on the scale that touched more than the intended target. We can have an argument as to whether it was right or wrong, legal or not. Basically, it falls into the category of “questionable.” Category number three is what I would call “unstrategic,” or frankly, stupid. For example, targeting individual allied political leaders — Angela Merkel and the like. Watering down the security of the Internet for us all. We judge them I think on their long-term impact. The interesting thing is that what you care about is what you judge him most by. In the U.S., most of the discourse has been back and forth between espionage, we need to do this, versus monitoring mass-scale. When President Obama spoke, he put it mostly speaking to category two — that discussion of surveillance and rights. When you go to Germany, they aren’t swayed by that discussion. Why were you going after Angela Merkel? The point is that so much as been taken, we’re having multiple discussions at once. Personally, I think he’s both a whistleblower and a traitor. He’s revealed things from all of these buckets, so why can’t he be both?

Q: The cyber attack on Iran: Was it worth it, or did it release the dogs of cyber war?

A: Stuxnet was this cyber weapon that was created to sabotage Iranian nuclear efforts. What it was doing was causing their machines to malfunction and damage what they were working on, even damage themselves, but at the same time telling the human operators that everything was OK. Those machines weren’t linked to the open Internet, so they didn’t suspect that they were under cyberattack for a long time. You can see why if you were in the White House and someone said the options were to let Iran continue with their research, or we carry out physical strikes and that may cause a war, or behind door number three, I have this magical weapon that will sabotage. Nobody will be hurt. It’ll be covert, and nobody will know what’s happening. I think we’d all choose that one. The challenge is what plays out next. Stuxnet doesn’t just exist in the Iranian centrifuges — it pops out and gets into 25,000 computers around the world. A bunch of researchers start looking at it and trying to figure out what it is, so the operation goes overt. That leads to a second risk of precedence. For a long time, the United States has advocated not doing a cyber attack that causes any physical damage, and then we kind of did. Now, we say that it was for a good reason, it was an act of espionage, not war, etc., but the point is that a new precedent has been set. We can say that others would have done the same thing, but also there’s an interesting proliferation discussion here. Cyber weapons bring their blueprints with them — when you get a copy, you can figure out how it works. If the comparison of Stuxnet is like the first atomic bomb, you’re dropping the blueprints along the way. The interesting question, though, is that we could arguably flip it and say that Stuxnet may be the first ethical weapon in all of human history, in that it’s the only weapon in the world that can only cause damage to its intended target. It could only damage the specific setup that the Iranians had; even if you had centrifuges in your basement, it still would not harm them. It also had a turn-off switch, it disappeared after a period of time. Others ask whether it creates an atmosphere where we’re more likely to use it. It was the opening shot of a new kind of war.

Q: What is the relative threat that individuals face from three groups: Hackers, market forces like Google and Facebook, and our own government?

A: First, it’s like any physical parallel. It depends on who you are and what you are doing as to how you will judge this. You will judge the risk from foreign government hackers differently if you are a bakery owner as opposed to a defense contractor. You will think about the security of your bank account if you’ve got $100 in it as opposed to $100 million. Some attackers are operating on a mass scale because the returns are so low…that’s different than a group that’s an advanced, persistent threat. Kind of the “Ocean’s 11” of cyber criminals. They have an identified target, survey it, figure out how to get the information out, and they don’t stop until they get it. There is going to be a different kind of target that warrants that kind of effort. That’s what I’m getting at as to where you sit on this. There’s another little irony in the question. It made it seem like each of these groups are to be feared, but each of these groups are whom we would depend on for answers against the others. If you are fearful of government monitoring, well one of the companies taking the lead against it is Google. In turn, if you are scared of cyber criminals, well, you depend on law enforcement from the government side. They’re actors that do both good and bad. Hackers sound negative, but they figure out the vulnerabilities before others can take advantage of them.

Q: Talking about the boundaries of trust, some boundaries have been placed on Google in Europe. Is that what you mean — the continuing creation of these trust boundaries as far as your fear of the direction of the Internet?

A: Let’s walk back, the Internet itself: why is it simultaneously seemingly so incredibly wonderful and yet so vulnerable? It comes from its origin; it was funded by the United States military initially. It’s not the story people think about creating a secret means of communication. It was actually to allow university researchers to share computer time. There weren’t enough to go around, so the Internet was created as a way to network that. The result, though, is that the Internet comes out of an ecosystem that is wonderfully strange. It’s basically computer scientists in the 1960s in Northern California mostly — hippies. They bring this open ethic to it of sharing, and that’s why it’s thrived. The problem is that it’s moved beyond this original thing that it was intended for. The actors on it have all sorts of uses they aim for. Remember there was a controversy back in the 1990s as to whether the Internet should be privatized, should be used to make money. Now that’s much of our interaction with it, with people who are trying to make money. Yes, Google helps you find things, but they’re in business. Facebook is a business. So you have that aspect to it of the identities changing. It started out mostly as American scientists, then it became mostly Americans, to the Internet being now…the best I can give you is that the identity of the Internet is another joke: When Google does tracking of the most popular videos online, cute cat videos are now losing out to cute panda bears and cute goats. The reason is that people in China and Africa have a different sense of humor when it comes to cute animals than we do. With it comes a different sense of values on the Internet as far as governments looking at it and what it means. They now look at it as a threat to stability as opposed to a way to thrive. My worry is that we might break the Internet and make it more rigid and halt its progress. That’s where things like the vulcanization of the Internet, this shift away from net neutrality where we push that you should pay different amounts for your Internet experience. The joke on that is that if you like flying coach, you’ll really love the end of net neutrality. The system is changing by people who want to lock it in time rather than let it continue to evolve.

Q: Could you name one cyber threat that has been resolved, and how was it resolved?

A: Let’s first be clear here in terms of…the quick answer is that there’s a wonderful book called Worm that is about an episode of one of the biggest threats in this space a couple years ago called Conficker. It was a cyber threat that got into the networks of literally millions of people’s computers, Southwest Airlines, military computers, etc. Worm is the story of how a collective of people came together to figure out a way to essentially defeat the spread of Conficker and steer it off to where it couldn’t harm. The group took their inspiration from superheroes — they saw themselves as the superheroes of the Internet. At one time, you had a graduate student at Georgia Tech steering this negative traffic down to a sinkhole of the Internet to keep people safe from it. You’ll never be a 100 percent secure in real-world life. I cannot think of a real-world situation where you would be completely secure. You could throw up barriers, but there will be some kind of new threat. It’s the same thing in cyberspace. This wonderful story I just gave you, they still don’t know who made Conficker. Still don’t know. The challenge here is that even clues steer you down the wrong direction. At one point, they were trying to figure out, dissect the DNA of Conficker, and they found that it had an instruction hidden inside that said “don’t activate if the user target has a keyboard with Ukrainian language in it.” They thought that meant the maker was Ukrainian, until they went “Hold it, maybe this is a misdirect.” Even though they got this clue, it left them no closer to finding anything. You’re not going to get that sense of absolute completion; the cabal felt like superheroes, they reached great success, but it’s not like in the movies where it ends and ta-da, that’s over.

—Transcribed by Will Rubin