“Cyber” is the buzzword of the decade in the defense world, so overhyped and overused it has lost almost all meaning. Intelligent discussion of cyber threats is a rare gem indeed. But even experts who shed real light on the dark corners of cyberspace consistently miss a crucial dimension of both the threats and the opportunities it holds for the US military.
That brings us to Cybersecurity and Cyberwar, a new book out today (we got an advance copy) by Brookings scholars Peter Singer and Allan Friedman. Singer and Friedman have written a worthy and insightful book – although hardly a revolutionary one – on cybersecurity for civilian networks, including at key defense companies, and even many Defense Department systems. But, like so many other smart people, they have dropped the ball on the second part of their title: cyber war.
What people who should know better still keep forgetting is that cyberspace, however you define it, is bigger than the Internet. It’s much, much bigger than the World Wide Web, which is just the sexiest part of the Internet: Software from Microsoft Outlook email to SCADA controllers for the electric grid use the Internet but not the Web. And the most crucial networks are not connected to the Internet at all: Matthew Broderick in Wargames aside, you can’t take over a missile launcher from your home computer.
Yet most discussion about cyber threats boil down to stopping bad people from doing bad things online. That’s adequate for most private sector organizations and even government agencies – but it’s just the tip of the ship-killing iceberg for the military and intelligence world.
An iceberg is a particularly appropriate analogy because one crucial insight comes from the concept called “Air-Sea Battle,” a brainchild of the Navy and the Air Force. Militaries have been messing with each other’s radios and radars for generations, transmitting deceptive signals to spoof and jam them. But if the enemy’s radios and radars are run by computers – and most now are – you can also transmit signals to hack them. Then, if the enemy’s computers are linked together – and America’s certainly are – your virus can spread throughout their network.
You don’t need the enemy to connect his network to the Internet. You don’t even need a spy or patsy to download a virus off the Internet onto a thumb drive and then stick the thumb drive into the secure network, as almost certainly happened with the Stuxnet attack on the Iranian nuclear program. You just need the enemy’s radios and radar to receive incoming signals – which they have to do in order to function.
That’s why the US Navy is working hard to figure out exactly what every system on its ships is transmitting and receiving. That’s why the most in-the-know advocates for the contentious F-35 – the Air Force, Navy, and Marine Corps Joint Strike Fighter – talk about it launching not just missiles and bombs but viruses.
The second crucial insight comes from the Army-led “Strategic Landpower” initiative, although the idea is so nascent it hasn’t got a name. Cyberspace may seem ethereal and intangible, but every 1 and 0 comes from some physical object – a computer, a wireless transmitter, a cable – and the vast majority of those objects are on land. So do the vast majority of the users: Social media aside, you can’t literally live on the Internet, you live on the ground. So ground troops can still kill or capture you. Soldiers can take over your Internet Service Provider, not by hacking it, but by marching into its offices and pointing guns at people’s heads until they do as they’re told. Even in an age of global electronic networks, it still matters who has local, physical control.
Cybersecurity and Cyberwar touches on the edges of these ideas. The authors wisely note that (almost) every piece of Internet infrastructure physically exists on the ground in some country’s jurisdiction – the exceptions being undersea cables and communications satellites – so the nation-state and its agents still matter, very much so. They even debunk the idea enshrined in Pentagon doctrine that cyberspace is a “global commons” like the sea or air: After all, no government agency or military force can turn large sections of the ocean on or off.
Singer and Friedman also do a valuable service in beating back the hype about “Cyber Pearl Harbors” and “Cyber 9/11s” or the US suffering countless millions of “attacks.” Those alarmist statistics lump together everything from a virus easily stopped by someone’s firewall to credit card theft to the loss of secret schematics for the F-35 stealth fighter. Those “attacks” vary from trivial, to significant losses for one particular business, to actual matters of national security, but none of them does as much damage as a good old-fashioned bomb, they argue. Even if hackers shut down the national electrical grid for weeks on end, bad as that would be, it wouldn’t be as bad as a single nuclear explosion.
“It’s a lot like ‘Shark Week,'” Singer said about the overhyped dangers. “Squirrels have taken down the power grid more times than the zero times hackers have.” There’s lots of talk about how the attacker always has the advantage in cyberspace, he told an audience at Brookings this afternoon, but “a true cyber offense, an effective one, a Stuxnet style [attack] is something quite difficult.”
Brookings is a modestly left-of-center organization, so unsurprisingly Singer and Friedman propose a classically left-of-center approach to cybersecurity both at home and abroad. At home, we need to develop stricter standards, enforced by government regulation if business won’t step up. Abroad, we need to negotiate new treaties, not because they won’t be broken – of course they will be – but to build international norms that encourage responsible behavior and punish bad behavior with shame and sanctions. And both domestically and internationally, the best solutions to cybersecurity are cooperative, they argue passionately, with the Centers for Disease Control and the eradication of smallpox much better models than the Manhattan Project and the Cold War arms race.
Singer decried the US military’s focus on offensive cyberwarfare, which gets more than twice as much R&D funding as cyber defense, by some counts four times as much. (That said, you could argue the commercial world is doing plenty on defense that the Pentagon can simply buy, while any offensive weapons it has to develop itself). The US emphasis on offense, he said, is like deciding that “the best way to protect your glass house … is to buy a stone-sharpening kit.”
But Singer doesn’t think much of the standard approaches to defense, either, because they rely on keeping outsiders out. “It’s Maginot Line thinking. [It’s] the walls of Jericho. Walls never work,” he said. Even a network with no physical connection to the Internet — one with a so-called “air gap” — can be compromised, as the Iranian nuclear program’s experience with Stuxnet showed. And many threats are from insiders, users with authorized access such as Bradley Manning or Edward Snowden. Instead of imaging we can keep out every threat, Singer said, we need to build systems that are resilient when some attacker inevitably gets through. “Bad things are going to happen,” he said. “It’s how you bounce back from them.”
Singer and Friedman make good points, and Cybersecurity and Cyberwar is a good book, a useful book, one that has some right to the claim in its subtitle, What Everyone Needs to Know. The US Army even named it to the service’s official reading list, declaring “If you have a computer, smartphone, or digital account, you should read this book. [It’s] what every individual — and Soldier — should know.”
It’s just not everything you need to know. Like so many studies on cyberwarfare, it leaves out a crucial military dimension.
Updated 3:30 pm with Singer comments from this afternoon’s event.