NEWPORT, R.I. — Last night, Senior Fellow and Director of the Center for 21st Century Security and Intelligence at the Brookings Institution, Peter W. Singer, discussed his latest book “Cybersecurity and Cyberwar: What Everyone Needs to Know” and took his captivated audience on a fascinating tour of the central issues and characters of cybersecurity. The event was part of the ongoing Pell Center lecture series on Cyber Leadership.
“A generation ago, ‘cyberspace’ was just a term from science fiction, used to describe the nascent network of computers linking a few university researchers in California,” Singer said. The first ‘electronic letter’—an email—was sent in 1971. There are over 40 trillion emails sent in a year now. The first ‘website’ was made in 1991. By the end of 2013, there were over 30 trillion individual web pages.
The Internet has revolutionized our world and become indispensable to the modern lifestyle. We depend on information and communications infrastructure in governing our societies, conducting business, sharing information, and managing the next generation of power grids, air traffic control, and other essential services. As more of the items we use every day go online, the ‘Internet of Things’—the concept that everything can be linked to a web-enabled device to collect or make use of data—is shaping our future. Cisco, a company that helps run much of the back end of the Internet, estimated that there will be over 40 billion devices connected to the Internet by 2020 as cars, fridges, medical devices, and gadgets not yet imagined or invented all link in.
“The risk side, however, is growing just as fast,” Singer warned. The very openness that has allowed the Internet to spread into almost every area of human activity has also spawned vulnerabilities of staggering proportions. Every second, 9 new pieces of malware—malicious software designed to cause harm—are discovered. 97% of Fortune 500 companies have been hacked, “and the other 3% likely have been too and just don’t know it or won’t admit it,” Singer continued. A recent Pew poll found that Americans are more afraid of a cyber attack than they are of Iranian nuclear weapons, the rise of China or climate change. And more than 100 countries have set up some form of cyber military command and are gearing up to fight battles in the online domain. In the 2012 Pentagon budget, the word ‘cyber’ was mentioned 12 times. This year it appears 147 times.
It is no wonder then, that President Barack Obama referred to cybersecurity risks as posing “some of the most serious economic and national security challenges of the 21st century,” a position that has been repeated by leaders in countries from Britain to China.
For all the hope and promises of the information age, “we are also entering an age of cyber insecurity and cyber anxiety,” Singer added. As serious as cybersecurity is, there is a danger of overreacting and exaggerating fears driven mostly by a high level of misinformation and plain old ignorance. “The result is that some threats are overblown, while other quite legitimate ones are ignored,” Singer said.
“Too often, we bundle together things that are unlike, simply because they involve zeros and ones,” he said. The former head of US Cyber Command/NSA, for example, testified to Congress that “Every day, America’s armed forces face millions of cyber attacks.” To get those numbers, though, he had to combine everything from probes and address scans that never entered US networks to attempts to carry out pranks, to politically motivated protests, to government-linked attempts at data theft and even espionage. But none of these attacks was what most of his listeners in Congress thought he meant by an ‘attack,’ the feared ‘digital Pearl Harbor’ or ‘cyber 9/11’ that was then repeated by the mainstream media over a half-million times.
Another example of how what’s real and what’s feared often get conflated is the “31,300 major media and academic articles that have been written focusing on the phenomenon of cyber terrorism,” Singer said, “although nobody has ever been hurt or killed by an act of cyber terrorism to date.” Indeed, squirrels have taken down power grids, but hackers never have.
“Each of us, in whatever role we play in life, has to make cybersecurity decisions that matter,” Singer emphasized. “And, yet there is perhaps no issue that has grown so important, so quickly, and that touches so many, that remains so poorly understood,” he continued. We are not well trained and equipped for these new responsibilities. For instance, 70% of executives have made some sort of decision related to cybersecurity for their firms. Yet, no MBA program in this country routinely teaches cybersecurity as part of normal management responsibility, nor do the schools that train diplomats, lawyers, generals, journalists and others who have to make important decisions in this regard every day. In his book, Singer quotes a former Secretary of Homeland Security, in charge of protecting the nation from cyber threats, saying, “Don’t laugh, but I just don’t use email at all.” It wasn’t fear of security but just that she didn’t believe email is useful. And in 2013, Justice Elena Kagan revealed the same was true of eight out of nine of the US Supreme Court justices, the very people who would ultimately decide what is legal or not in this space. Another anecdote Singer shared is a conversation with a top US official involved in talks with China on cyber issues who asked him what an ‘ISP’—Internet service provider—was. “This would have been like asking what an ICBM was right before going to negotiate nuclear issues with the Soviets,” he said.
Unfortunately, whether in the boardroom or the White House situation room, crucial matters are often handed off to so-called experts, which is a good way to be taken advantage of—and to feel more secure than you actually are. As I argue in my study “One Leader at a Time: The Failure to Educate Future Leaders for an Age of Persistent Cyber Threat,” achieving cybersecurity is more than a technical issue, it is a social, institutional, legal, and governance problem. In other words, it is an operational issue that requires managerial action and oversight throughout an entire organization, as much as rules and software solutions.
Throughout his book, Singer tries to demystify cybersecurity issues and remind us that knowledge (what’s really at stake and what we can do to protect ourselves), people (the human side behind every problem and needed solution in cyberspace), and incentives (motivations, costs, and tensions at play in this realm) are what truly matter.
“As long as your organization is online, there will always be cyber risks,” he said. The key is to move away from a mentality of seeking silver bullets and ever-higher walls and instead to focus on the most important feature of true cybersecurity: resilience. In both the real and online worlds, we can’t stop or deter all bad things, but we can plan for and deal with them.
In the end, what just two decades ago would have been unimaginable—that machines would one day be used to do everything from steal a person’s identity to literally become weapons of mass disruption—today is the reality, and we wouldn’t have it any other way!
For more of Peter Singer’s engaging stories and other important issues about cybersecurity—from the “Anonymous” hacker group and the Stuxnet computer virus to the new cyber units of the Chinese and US militaries—read Cybersecurity and Cyberwar: What Everyone Needs to Know.