What everyone needs to know about cyber warfare
On Research and Debate Cycle, the ICRC will host an event on cyber warfare at its headquarters in Geneva, Switzerland. During the debate, which is entitled, "Internet in Bello: IHL and Cyber Operations," experts will examine the applicability and application of the rules of war on the conduct of hostilities during cyber ops. In addition, they'll talk about some of the actual dangers posed by cyber warfare to civilians., as part of its new
Ahead of the event, Intercross' Editor, Anna Nelson, sat down with one of the foremost cyber experts in the US, Peter W. Singer, who is the director of the Center for 21st Century Security and Intelligence at the Brookings Institution and co-author of the recently published book, Cybersecurity and Cyberwar: What Everyone Needs to Know.
Dr Singer’s research focuses on three core issues: current US defense needs and future priorities, the future of war, and the future of the US defense system. He talked to Intercross about why cyber issues should be of concern to anyone working in politics, law, ethics, business, the military… and just about everyone on the planet.
Intercross: Let's start with something that a lot of people seem to confuse, which is the use of terms like cyber warfare, cyber crime, cyber terrorism, and cyber security. We hear them used interchangeably but presumably, the distinctions are important?
Peter W. Singer: When it comes to cyberwar, what concerns me is how this term is used to describe activities that do not amount to armed conflict. A major magazine recently had a cover story entitled, “Cyberwar” and the picture on the front was an ominous cloud over a city. If you read the actual article, it talked about credit card and intellectual property theft. It didn’t talk about the military or the use of cyber activities to carry out an attack on a nuclear research facility, for example. There's a big difference between massive intellectual property theft – as damaging to individuals, companies and organizations as it might be – and actual cyberterrorism. Yet the term cyberterrorism has been used in over 31,000 journal, newspaper, or magazine articles. According to the FBI, however, no one has been hurt or killed by cyberterrorism.
I joke that it’s a lot like the "Shark Week," on American television, which obsesses about a danger that is unlikely to harm most people. In fact, you're 15,000 times more likely to be injured by your toilet than by a shark. So far, our discussions of the threat of cyberterrorism don’t match the reality. I'm not saying terrorists don't use the internet, because they definitely do, but that's different from cyberterrorism. To give you an illustration, the way terrorists use the internet is a lot like how we, as individuals or organizations, use it. We use it to connect with others, meet new people, re-establish connections with old friends and colleagues, and share information. We would never describe two terrorists writing a letter to each other as "postal terrorism," but we do describe two terrorists e-mailing each other as being within the realm of cyberterrorism. And all of this is very different from cybercrime, which exists in countless forms. We need to disentangle all of these things and stop lumping everything together under the same digital umbrella. And it's not just a question of definition. There's also huge resonance for international law. For example, when does a cyberwar begin and when does it end? Can cyber weapons be ethical or not?
Intercross: How has the digital realm changed the face of espionage?
Peter W. Singer: It’s had a huge impact on it. First, because of the tremendous amount of open-source information that is available to anyone. For example, an intern and I compared Google Earth images with photos of Chinese shipbuilding facilities and we were able to identify a Chinese aircraft carrier under construction, as well as the exact size of the aircraft hanger and the type of jets it would be equipped with… before it even left the harbor! That’s the kind of thing the CIA could only dream about during the Cold War.
But it's not just that the information is available – it's how it's being communicated and collected that's really at the heart of the Edward Snowden and National Security Agency affair, and this leads to a lot of thorny questions when it comes to legal and privacy issues. Finally, it's also a question of stability. The irony right now is that in terms of US-Chinese relations, the point of tension between them is not traditional political issues. Sure, they have their disputes over trade, borders, and human rights, but when you talk with officials from both sides, there are two interesting observations. First, while they might not agree on these areas of contention, they know how to dance on them. That is, they know how to talk to each other and keep it from bubbling over. When it comes to cyber, no one is in lockstep.
Intercross: What are the challenges of getting people, especially Congress, to think seriously about cyber issues in such a muddled space? One would hope that because of the security, economic, and political interests at-stake, lawmakers would be able to find common ground on cyber issues. What's the reality?
Peter W. Singer: You know, I was chatting with a senior White House official recently, and the way they expressed it was that it is an area largely considered “just for the nerds." The official explained that in order to get people to pay attention, the nerds had to turn up the volume and run around saying the sky was falling. And that's not just the case within government. It's the same with businesses, academic circles, and other arenas. Cyber is considered a specialist area involving questions of technology. Far too often, people's reaction is, "Let the cybersecurity guys handle this." And, in turn, the "cyber guys" turn to fear mongering in order to get people to pay attention to broader threats. So that's problem number one, as just like the Internet itself was "just for the nerds" and we all now use it, so too is cybersecurity for all of us.
With regard to Congress, they're definitely interested in cybersecurity issues. They average 60 hearings per year on cyber. But doing something is a different question. They haven’t passed any major cybersecurity legislation since 2002. Think about the computer or the phone that you were using back then. Cyber is additionally vexing for Congress as it doesn't fall neatly into boxes – it's international, crosscutting, and goes far beyond legislative issues. That means the traditional coalitions have a tough time building around it. For example, there's no Democratic or Republican cybersecurity strategy because it doesn't fall neatly along partisan lines. It's the same with business. Some companies and corporations want to see standards, some want to fight standards.
This links to the third problem set. Because cyber has traditionally been treated as a technology issue, people have not frequently looked at it from an incentives perspective. Well, guess what, whether it comes to how people actually use their computers or how people actually operate in war, there’s what you’re supposed to do and what often happens, and the key to making sure that people actually act the way they’re supposed to – whether you’re talking about a technology or a practice in war – is to make sure the incentives are properly aligned. To give a basic illustration, if you want to understand why financial services companies are really good at cybersecurity and power companies are really bad at it, it’s all about the incentives and bottom line. Yet, we still try to come at it in the same way we did a decade ago.
Intercross: What are the special challenges, particularly when it comes to the private sector, linked to cybersecurity and cooperation with the government?
Peter W. Singer: One is just the core understanding amongst senior leadership. Seventy percent of business executives have made a cybersecurity decision for their organizations. Not 70 percent of CTOs or CSOs, but 70 percent of executives in general. And I bet this would carry over to most NGOs. Yet no major MBA program or public policy program teaches it. Sure, there are electives that people can take, but no courses that future decision makers have to take to help them understand the complexity of these issues.
The second is the question of whose responsibility is it in terms of the public/private relationship. People say, “If I was under attack by an airplane then it would be the responsibility of the Air Force to come protect me. Why aren’t they doing that with cyber?” But it's not the same thing. If, let’s say, a bank was transferring money to another bank with an armoured van and a group of protestors blocked that van for a couple of hours and then they dispersed, no one would say, “Gosh darn it, where was the US military?” Change the example of the van and the money in it being made of zeroes and ones, and the protestors are made of zeroes and ones, and people will ask, “Gosh darn it, where is the US military?” Indeed, that very example has been used to promote greater Pentagon cyber spending. The question of who’s responsible for protecting people is a problem.
The third is a different discussion of incentives, which is the perception of gains, costs, losses, etc. For example, information sharing is something that’s really needed within cybersecurity, but the incentives to share are looked at differently by different actors. A power company might not be willing to share information about attacks on it – not because they don't care about the cybersecurity consequences – but because their lawyers are more concerned about how the information might be used against them by environmental groups. They're more worried about the cost of a pending lawsuit from an environmental group than sharing vital information that could make the computer systems safer. To carry the illustration further, a power plant can tell you the exact cost that would hit them as a company if they took their plant offline for a couple of hours to upgrade their cyber defences. Yet, they can't come up with how much a successful cyber attack against them might cost. So what do they do? They go with the definitive costs and decide not to upgrade, which is a mistake that organizations and individuals also make.
The irony is that taking defensive steps isn't all that expensive. The real solutions are about people and processes, and many of them are just basic “cyber hygiene.” The most important incident in US military cyber history, in terms of being penetrated by an outside actor – not the Snowden example of an insider – but an attack from the outside, was when a US military serviceman picked up a memory stick that he found in the dirt in a parking lot and plugged it into his computer inside the base, thereby letting the attack in. The worst attack succeeded all because he didn’t respect the “five second rule”. The five second rule of basic hygiene, let alone cyber hygiene. So it’s not about spending your way out of it, it’s about changing your mentality and creating better awareness.
Intercross: When it comes to cyber warfare, there's a commonly held adage that "Those who have the capacity, don't have the motivation and those with the motivation, don't have the capacity." Do you agree and are you worried that in the not too distant future, those with the motivation will also have the capacity to do some real damage?
Peter W. Singer: That's a great question. Those in-the-know say, “China could, but wouldn’t. Al-Qaeda would like to, but can’t… yet.”
There are some who would like us to believe that a couple of kids in their parents' basement could pull off an attack equivalent to a weapon of mass destruction. The reality is, no they couldn't. The Stuxnet worm, which reportedly ruined one-fifth of Iran's nuclear centrifuges, is a good example of what's required to build a new cyber weapon. In order to build this exquisite new weapon, they needed some of the top cyber experts in the world, combined with intelligence gathering on the exact type and setup up of the centrifuges used in Iranian nuclear research. This wasn’t just one dude… there was a lot of great expertise on the cyber side. In turn, they were being advised by experts in everything from engineering to nuclear physics. Then, when they built this new weapon, they didn’t just toss it out there. They tested it on working centrifuges to see what it would do. Then it came time to deploy the weapon and that involved James Bond style espionage to employ it. This is not a skill set that either a group of teenagers or Al-Qaeda has.
Similarly, when you look at international capabilities at the state level, there are roughly a hundred nations that have built up some kind of cyber military capability or some kind of equivalent to a Cyber Command. But that’s a lot like saying, you know there are 100+ countries that have air forces. Let’s be honest, Burundi’s Air Force and the US Air Force are not equal. So, when it comes to the serious players that could carry out a major cyberwar campaign – which is not the same as a single attack – you're talking about less than 20 and maybe even fewer than 10.
That said, we still need to remember that this is a space where the defences are incredibly fragile and where we will see actors – just like in regular conflict – motivated to go after civilian targets, even though they shouldn’t. The reality of modern conflict is that more than 90 percent of the causalities are civilians and we're going to see the laws of war deliberately violated in the cyber realm as well.
Intercross: Looking at legitimate threats and the types of issues you’ve described, how are they best addressed? Is it through legal mechanisms? Is it technological?
Peter W. Singer: Well, it’s just like every other issue when it comes to war, and the laws of war and the respect for them. There’s no silver bullet solution, no one single thing that can be done. What we need to do is come at it from different angles, from updating the law to building norms of international cooperation. Particularly when it comes to this international side, I’m a believer in looking at what has worked historically and seeking out parallels. You’re more likely to meet with success if you graft onto something that already works than if you try to plant an entire new tree or write an entire new treaty.
Similarly, when it comes to the idea of arms control negotiations, historically their value has not been only the final treaty that everyone agrees to, but rather the process of getting to that treaty. For example, when the Soviets and the Americans met in those initial arms control talks for the first years, you could describe them as a failure because they didn’t come to an agreement. But what they did do was start to build communities of interest. Most importantly, they started to agree on common terms and understandings, and that’s when the impact happened. Similarly, as with the experience of banning anti-personnel landmines, don’t wait for every single nation to agree and then do it; rather start building groupings and coalitions. That will help create norms that others must react to, even if they disagree.
That won’t solve it all, though. You still have the organizational questions and national issues. And this is where another historic example comes in. Go back a couple hundred years, when the sea was a vital space of commerce, communication, and conflict – just like the internet today. There were actors in that space who carried out acts of violence, but there were a variety of them. There were navies and formal state militaries, but then there were other non-state actors, and even they had differences. You had pirates and individual groups going after loot, and then you had a murky group of privateers, who were non-state actors that would do a state's dirty work and carry out attacks. They were hugely important. In the War of 1812, the US had 22 Navy ships and 517 privateers. It was the privateers that did a better job… they’re the ones that actually hammered away at the British economy so that the British were forced to negotiate.
There's a parallel today in cyberspace, where you’ve got formal militaries, cyber criminals, and these fuzzy things in the middle – we call them a lot of different names, including cyber militias – but basically, they’re being used by states to enhance their power and, just like privateers, to disaggregate a little bit of deniability. So let’s look back on why the privateer trade ended, and why piracy went from being seen as an accepted practice to being something that’s internationally against the law. For all the attention that the guys off Somalia get, .001 of all international trade is threatened by piracy. So anti-piracy efforts have been successful. Look at how we built up the norms against it. It’s also an interesting example because it illustrates how states that disagree, that are preparing to fight each other, can actually still come together. So back in that time period, the US Navy and the Royal Navy trained to fight each other – and they should have, given that they just fought two wars against each other. But they also found a way to cooperate on anti-piracy and anti-slavery patrols. So, what I’m getting at is, organizationally there are lot of different ways to come at this internationally.
Finally, whether you’re talking about the international system, states, businesses, NGOs, or individuals, we have to move away from either an ignorance or deterrence mentality towards one of resilience. This is a world where the threat will never, ever go away, and you can’t deter it because there are too many actors. So it’s all about resilience – both technical and psychological. I think this is particularly important when we’re thinking about the humanitarian community and the law. You can’t go out in the world and think that no bad things will happen to you. That’s a recipe for failure. Resilience is about how do you manage the bad things? How do you get up quickly when you get knocked down? And how do you have the mentality that the bad things are not going to knock you off your intended path?
That’s what matters in your home life, your love life, your work life, and that’s what also matters in your cybersecurity life.
Editor's Note: Intercross invited Prof. Michael N. Schmitt to comment on this interview and weigh in on some of the thory legal questions surrounding cyber warfare. Read it here.
What limits does the law of war impose on cyber attacks?
ICRC report on IHL and the challenges of contemporary armed conflicts
The Tallinn Manual on the International Law Applicable to Cyber Warfare
Previous Intercross articles on cyber issues:
IHL & New Technologies: Part V - Pushing back the gray
IHL & New Technologies, Part IV: Cordula Droege on the consequences of cyber ops
IHL & New Technologies, Part III: Michael Schmitt on the relevance of the rules of war
IHL & New Technologies, Part II - Eric Jensen responds