Everything you know about cyberwar is wrong

Author and security expert Peter W. Singer explains what we really need to know about cyberthreats - and what we need to do about them

The SXSW conference in Austin, Texas, is normally known for super-optimistic techno razzle-dazzle intended to inspire a new generation of technologists to create the next Twitter or Foursquare. But amidst the beer-soaked cheerleading, this year the event saw fit to invite noted security author Peter W. Singer, director of the Center for 21st Century Security & Intelligence at the Brookings Institution, to warn attendees about the dangers of cyberwar in a featured session called Cyberwar: What Everyone Needs To Know. It was pretty sobering stuff even for hardcore technology professionals:

1. Things are really, really bad

An increasingly digitized world is increasingly vulnerable to the consequences of cyber attacks in terms of communication, commerce, infrastructure, and conflict. Singer pointed out that 95% of U.S. military communications travel over the civilian Internet, and nine new pieces of malware are discovered every second. "97% of the Fortune 500 have admitted they’ve been hacked," Singer said, "while the other 3% just won’t admit it yet."

2. But we're being deliberately scared

Serious as the problem is, however, the hype may be even worse. Polls show that Americans are now more afraid of cyber attacks than they are of Iranian or North Korean nuclear weapons, climate change, or authoritarian China. The Pentagon budget statement used the word "cyber" 12 times two years ago: This year? 147 mentions.

31,300 = academic journal and major media articles on cyber terrorism

0 = number of people hurt or killed by an actual cyber terrorism incident

The  fear mongering is supporting a "cyber industrial complex" poised to double to $120 billion in the next few years, Singer said, and boosted Congress’s cyber security lobbying corps from four companies in 2001 to more than 1,500 today.

3. Our leaders don't understand what's going on

According to Singer, the senior officials responsible for cyber security policy around the world have no idea about the technology involved, much less the dangers and solutions. That’s a critical problem, Singer said, because while the Internet has challenged state power, "the big dogs still bark and bite" - they still make a difference.

How bad is the ignorance? "Don’t laugh," Singer said, but a former Secretary of Homeland Security told Singer she didn’t use email, not because of security reasons, but because she didn’t believe it was useful. Some Supreme Court Justices haven’t gotten around to email either, but that won’t stop them from ruling on everything from net neutrality to NSA spying. And Singer said one U.S./Chinese negotiator had to ask him what an ISP was. But it’s not just government that’s clueless: 70% of business executives say they’ve made some sort of cyber security decisions for their company, but no major MBA program teaches the subject. Basically, the political and business elites treat security as IT outpost, too techy to trouble with.

4. Please don't let me be misunderstood

The result, Singer said, is that some threats are overblown, while other, more real threats are ignored: "It absolutely pains me when I hear that cyber weapons are just like a WMD, so we should act like this is a new Cold War." It’s really more like the early Cold War, Singer explained, "when we didn’t understand the technology and its ramifications." (Back in the day, Singer recalled, the Air Force was preparing plans to nuke the moon. Seriously.)

So while the U.S. Army Cyber Command has estimated that the country faces millions of cyber attacks, Singer said that figure combines everything from thefts and phishing attacks to pranks and protests. They all get lumped together simply because they involve the same technology. A senior Pentagon official has argued that Anonymous and Al Qaeda are the same thing, while Singer said they’re just a pair of  "non-state actors that begin with the letter A."

The result, Singer said, is not just a distortion of threats, but a misapplication of resources. The Internet of Things will be a game changer, Singer said, as cyber attacks don’t just seek to destroy things, but take physical control of everything from cars to drones to robots.

Still, the media too often portray cyber attacks as easy, that "a couple of teenagers on Red Bull in their parents’ basement could carry out a WMD-style cyber attack." It’s not going to happen, Singer said: "Al Qaeda wants to, but can’t. China could, but doesn’t want to. Yet."

5. Cyber offense vs. cyber defense

There’s an inherent idea that in the cyber world - offense is dominant over defense. That’s why the military spends four times more on offense than it does on defense, Singer said. But this is a misguided approach.

Playing cyber offense is not as easy as often portrayed. For one thing, "we’re not in a binary Cold War anymore." In today’s multi-threat environment, who do you aim your offense at?

Meanwhile, "defense isn’t like some turtle lying on its back helpless, there are things we can do." There’s a wealth of lessons to learn from history outside the internet domain, Singer says, including how nations dealt with pirates and privateers in the Age of Sail and the effectiveness of the Centers of Disease Control in controlling diffused threats.

Prevention is a better approach than a trying for a cure, Singer claimed. Basic cyber hygiene could thwart 94% of all cyber attacks, he said, noting that the worst cyber attack on the military was a simple "candy drop" - a memory stick left in the dirt outside a U.S. base where a soldier picked it up and plugged it in. "That’s not just cyber hygiene, it’s basic hygiene," SInger said. "It’s the 5-second rule."


Copyright © 2014 IDG Communications, Inc.

The 10 most powerful companies in enterprise networking 2022