Getty Images

Multiple justices of the U.S. Supreme Court—the people who will ultimately decide where the law stands on cyber-military issues—do not even use computers. P.W. Singer, director of the Center for 21st Century Security and Intelligence and senior fellow at the Brookings Institution, finds this fact absurd. His book, Cybersecurity and Cyberwar: What Everyone Needs to Know, tackles the perplexing, entertaining, and downright scary sides of cyberwar.



What is it that people don't understand about cybersecurity?

It's almost a question of what do they understand. One senior Pentagon leader described it as "all this cyber stuff." When people in serious positions are calling a serious problem "stuff," we know we have an issue. But it's not just an important issue for senior leaders on the military side. It matters in business, politics, law, media, and of course for all of us as citizens, netizens, and individuals looking to protect ourselves and our kids online.

What threats do individuals face on the Internet?

One of the challenges when talking about threats, whether it's to the individual or to the nation, is that too often we bundle together lots of unlike things simply because they're all happening in cyberspace. I recently had a meeting with a senior defense official who bundled together everything from someone carrying out an online protest to the Chinese's grand, strategic-level theft of intellectual property from American tech and defense companies. He considered it all the same thing, but of course they are very different.

As an individual, you're a player in this world too. The kind of threats that are out there range from the quite simplethe classic email seemingly from your mom, who somehow is now in Iceland and wants you to send her your bank account informationto the more complexbeing pulled into a bot net. The organization you work in, whether it's a paint company or an aerospace company, has been targeted by campaigns seeking to steal intellectual property or trade secrets. The country you live in faces threats of terrorism and even warfare.

But maybe the biggest threat you face is other people taking advantage of your ignorance. It's happening at the individual level, where the hacker tricks you into doing something [because] you didn't any know better. But it also happens at the political level, where there are organizations taking advantage of our lack of understanding and our fears, and running with them.

There are real threats out there that are growing, but there is also a lot of hyping and people trying to take advantage of youa lot of hucksterism with people trying to stoke our fears. And then they say, don't worry, I'm the one with all the answers. This could be a military organization saying, just spend more money on me and all will be solved. Or companies saying there are all of these problems, but if you just buy my secret sauce, my silver bullet solution, you'll be safe. Of course it's not a problem like that. As long as we use the Internet we will have cybersecurity and cyberwar issues. It's a world we need to manage, rather than just solve in one fell swoop.

Are the most susceptible people those who just don't understand the basic rules of cybersecurity?

I think so. You can see this, from the people who are tricked into clicking that link that they really shouldn't have to the biggest cybersecurity incident in U.S. military history, which came about because someone didn't respect the 5-second rule. They picked up a memory stick in a parking lot and plugged it into their computer. This is not cyber hygienethis is basic hygiene they weren't even following! Whether you agree or disagree with the outcomes, the [Bradley] Manning and [Edward] Snowden cases are great illustrations of organizations not following the most basic levels of internal security guidelines.

As far as the actual surveillance activities that Snowden disclosed, I personally don't think that senior political leaders would have authorized many of them if they had understood the full ramifications. The discussion would have been fundamentally different if people had been able to connect the dots.

And you can see that in a lot of the political debates going on now. You have folks making very weighty decisions who still don't understand the basics, whether it's the head of Homeland Security telling us that she doesn't use email or social media (not because she doesn't think it's secure, because she doesn't think it's useful) or the multiple Supreme Court justices who will ultimately decide where the law stands on these issues but who don't even use computers. These are concerns.

Seventy percent of business executives, whether they're in car companies or defense companies, have already made a cybersecurity decision for their firm in some way, shape, or form, despite the fact that no major MBA [Master of Business Administration] program teaches this as a regular course of business management.

The IT crowd gets the technology, but they don't understand all the ramifications, the ripple effects in other fields. In turn, the people working in politics, law, ethics and media outside of the technical field don't understand the technology. We have to figure out how to connect these, because they both matter.

What is the difference between cyberwar and cyber terrorism?

There have been more than 30,000 academic articles and reports about cyber terrorism, but no onezero peoplehas actually been hurt or killed by cyber terrorism. It's a lot like Discovery Channel's Shark Week. We obsess about our fear of sharks despite the fact that you're 15,000 times more likely to be hurt on your toilet.

According to the F.B.I., actual cyber terrorism is a politically motivated attack on digital networks to carry out violence that causes physical harm. It is a very real possibility. It's something that groups really want to do, they just haven't yet been able to pull it off.

This is different from the use of the Internet by terrorists. Terrorists have used and continue to use the Internet in all sorts of ways, just like the rest of us. They use it to communicate, meet new people, find old friends, and share information. It's been a way for terrorists, just like Christian singles looking to mingle, to connect. None of this is the same thing as cyber terrorism. By understanding what they want to do, what they can do, and what they are doing, we can better develop responses and not be taken advantage of in some of our fears.

The problem with cyberwar is this term. A major magazine had a cover that was titled "cyberwar," and yet the article was about everything from credit card fraud to intellectual property theft. But it wasn't about the actual military use of cyber, which is what's really known as computer network operations.

A great illustration of this is the story of Operation Orchard. The Israelis were able to coordinate operations against the computer networks of an air defense system in Syria, allowing them to carry out an air strike in a way that wouldn't have previously been possible.

Another is Stuxnet. Some argue that it's the equivalent of the atomic bomb, not in terms of its power but in terms of it being the first in an entirely new weapons class that will shape the future.

In one way, Stuxnet was like every weapon in history: It caused physical change in the world, physical damage. But what made it fundamentally different is that it was there and everywhere and nowhere at the same time because it was made of zeros and ones. It was a digital weapon. It was also arguably the first autonomous weapon in that it was fired, so to speak, and then went out in the world, but reacted to what it encountered. Essentially it was not only autonomous, it was also arguably ethical in that it was all over the world in tens of thousands of computers, and yet it was designed so that it could only cause damage to a particular set of centrifuges in Iran. Everywhere else it turned off.

It gave new meaning to the idea of a very, very accurate smart weapon. This was a weapon that could only cause harm to one thing in the entire world. On the other hand, just when you start to describe it as ethical, it really opened Pandora's Box, because not everyone is going be so ethical in the future.

How are countries coming to terms with the ethics of using digital weapons in a military context?

It's a new realm of international competition and conflict and it's very much on its way to becoming an arms race. I mean the worst aspect of arms races in the past, where countries spend a lot of money competing with each other but end up all less secure. We explore in the book the role of international negotiations and the potential of new laws and arms control. It's going to be really difficult, but that doesn't mean there's not value in trying.

You also have this issue to be worked out on the national level. You have more than 100 countries building cyber military command equivalents. The civilian side needs to better understand the ramifications. This is most definitely a concern in both the U.S. and China, particularly right now when there's a buildup of capabilities and military doctrines that are not well understood by the civilian leaders.

It's not just our role as citizens of these countries and netizens of the Internet itself, but it's all affecting this online world that we depend on. Cyberwar is not something that will take place in a far-off realm. It's something that will happen on the Internet that we all use. It's not just that we might be targetedit's that it will go through us.

You single out the U.S. and China in your book. Are they the main players on the cyberwarfare world stage?

Yes. You can't talk about the Internet today or its future without talking about the U.S. and China. These are the two great world powers right now and for the future, in political, economic, and military terms. Cyberspace is the fastest-growing, least understood point of friction between them. They also represent two fundamentally different visions of the Internet.

What are their two approaches to the Internet?

The Internet originated in the United States. Its design, structure, and governance reflect the values of hippie scientists of northern California. It may be incredibly important to warfare and state governments, but it's still mostly privately run. There's a notion of freedom that runs through the U.S. vision. There's a worry in the U.S. that it's becoming like the Wild West with all of these emergent cybersecurity threats.

The Chinese side is equally worried about the Wild West, but they mean something completely different. When American officials talk about the danger of information attacks, they mean attacks on things like infrastructure. When the Chinese use the term information attack, they're speaking about the idea of spreading information that's bad for their society, bad for their regime. It's the Wild West's values, and that threat to stability is the real danger there.

That doesn't mean though that all is lost and this is fated to be some kind of inevitable conflict. There are a lot of different ways that they could cooperate around "double crimes"crimes that both sides see as points of concern. And in turn, they could do a much, much better job at managing the areas that they disagree on.

Could Internet service providers (ISPs) say, "We don't want the military using our network to attack other countries"? Could they shut that down, prevent it from happening?

They could try. It might be one thing for an ISP based outside the U.S. to say, "We've discovered this thing and we're not going to cooperate with it." It's a lot different for a U.S. one. Is it their legal requirement? Is it patriotism?

The NSA (National Security Agency) was gathering all of that information in the pursuit of counterterrorism, but [the Snowden revelations] have been a hammer blow to the trust that American technology companies have in the U.S. government. Many of them now see themselves, as one exec put it, in an arms race with their own government.

Many types of computer network operations in a military context would be hard for an ISP to figure out. There are some things that are quite obvious like a massive denial-of-service attack, but many other activities that matter more in actual cyberwar would not be so evident.

Again, it's the difference between a massive denial of service and a new version of Stuxnet. Low-level attacks are like defacing a website, which is the computer equivalent of spray-painting a funny mustache on someone's picture, or a denial of service, which is the equivalent of a bunch of people standing in the lobby of a business that they don't like and blocking access. Something like Stuxnet is a weapon.

Did civilians build Stuxnet?

Yes, lots of civilians. Stuxnet wasn't just hacking. It was a Manhattan Project-like equivalent. It brought together so many different skill sets. First you had a huge amount of intelligence gathering and analysis. They knew not only that the Iranians were working on this nuclear research, but also the exact type of centrifuge made by what manufacturer and what product number. They had that level of intelligence.

Then you had some of the top technical experts in the hacking world working together to create, in computer terms, a quite beautiful, quite wonderful new weapon. Like any new weapon, they tested it out. They used a physical equivalent to the target they were going after. Then they had to get it back in the system, which involved another espionage effort of spies.

So it's basically an operation that involved everything from people who understood hacking and computer science to people who understood nuclear physics and engineering to your James Bond equivalents. It's not the kind of thing that just a couple of dudes in their basement could pull off. It's not the kind of thing, frankly, that an Al Qaeda can pull off right now. As someone joked, China could do it, but as long as we're not at war, they won't. Al Qaeda would love to do it, but they can't ... for now.

Will the next Northrop Grumman and Lockheed Martin compete for government contracts making cyber weapons rather than airplanes?

Not willthey are. This is one, if not the only, growth area within the defense industry today. Every major company has jumped into this. Fifteen percent of all the mergers and acquisitions in the defense world over the last couple years have been big companies buying small cyber companies. And those cyber companies range from ones that work on network defenses to ones that essentially develop new kinds of cyber weapons. That is a natural result of this becoming a new realm of conflict.

But we also have to watch out for the rise of a cyber-industrial complex. A few years ago there were only four companies lobbying Congress on cybersecurity issues. There are now over 1500 companies lobbying Congress on cybersecurity issues.

Today we have powers that we couldn't even have imagined when we first heard of the Internet. It's all about figuring out how to navigate it, so that we manage the inevitable bad but still get all the good.

This content is created and maintained by a third party, and imported onto this page to help users provide their email addresses. You may be able to find more information about this and similar content at piano.io