Over the past 20 years, the internet has transformed how governments, militaries, companies and individuals work and relate to each other. With recent revelations about the American government’s extensive spying and collection of metadata from email users worldwide, questions about online security have gained new prominence. P.W. Singer and Allan Friedman attempt to list and address these questions in their new book, Cybersecurity and Cyberwar: What Everyone Needs to Know.
The book, part of an Oxford series that covers a variety of topics in a Q&A format, is designed as an entry point to the subject. According to the authors, even senior policymakers and military leaders have a poor understanding of “all this cyber stuff” (pg. 1) (as one leader put it), making this book as useful for decision-makers as for the interested layperson.
Not only is cybersecurity poorly understood, but the term captures a broad range of challenges: everything from cybercrime to cyberwar and even cyberterrorism, a threat which has not yet borne fruit. Obviously, a grandmother receiving a scam email from a “Nigerian prince” has different implications from a government attempting to infiltrate a rival’s systems.
The book addresses these issues in three sections. “How It All Works” serves as a primer to the history and evolution of computers, the internet, and how data is transmitted. The authors provide clear explanations of internet governance and an introduction to the range of threats that exist online.
The second section “Why It Matters” expands on various types of cyberattacks and cybersecurity vulnerabilities. It also features case studies on some prominent players and incidents, including the hacker group Anonymous and Stuxnet, an American-Israeli attack on an Iranian nuclear facility. The final section of the book “What Can We Do?” lays out proposals to address cybersecurity and what the limits of any action can be.
Drawing from a traditional international security framework, the authors grapple to apply existing concepts to cyberwar. Basic principles like state sovereignty pose new challenges as online activities can easily be routed around the world with no clear agreement on where or when an individual could be held accountable. The Just War principle of discrimination is similarly difficult to enforce as civilian, political, and military activities all rely on the same data infrastructure.
Another challenge is determining attribution, as it is extremely difficult to trace the origins of a malware developer or a direct cyberattack. These attacks can go undetected for a long period of time, making it difficult to tell when (or even if) a computer or database has been compromised.
Through its use of anecdotes and case studies, the book outlines how criminals, hackers, and governments make use of both human and technical vulnerabilities to gain access to other computers. Human error is a key part of breaking through cybersecurity systems. It can be as simple as opening an email, having a weak password, visiting a website, using an infected USB key, or not installing updates to operating systems. Individual error can be sufficient to grant access to entire networks, including government, industrial, or military institutions.
The authors highlight one cyberattack that dramatically changed the game: Stuxnet. Most known cyberattacks on government or military institutions have been focused on obtaining classified information or shutting down access to a government website. In this case, however, U.S. and Israeli intelligence agencies designed a cyber “worm” to infiltrate and disrupt an Iranian nuclear facility. The attack was precise, down to specifying the number of centrifuges the computer must be running in order to activate the attack. Once infiltrated, the cyberattack disguised its presence and subtly disrupted the refining process: changing the pressure inside the centrifuges, and varying the speed of the centrifuges’ rotors to make them break down. The attack was successful, making it the first example of intentional physical damage successfully inflicted by cyber means. This has opened the door to much speculation that such sophisticated weapons could become commonplace in the future.
Because of the challenges in understanding the nature of cyberwarfare, the authors draw imperfect yet helpful comparisons to existing models. They compare the U.S.–China cyber relationship to the Cold War, and explore whether we are entering a new arms race that could eventually lead to a point of “mutually assured destruction.” In this case, there is also an ideological divide between the West and China, particularly on the issue of whether access to information is a right. The Chinese government believes it has the right to control its citizens’ access to the internet, and views Western efforts to allow Chinese citizens to circumvent these controls as a violation of its national cybersecurity.
Singer and Friedman also look to the frameworks of public health policy and anti-maritime piracy efforts to see what lessons can be learned. They identify similarities in how biological and electronic viruses spread, and the need for education and participation of both government and entire populations. They suggest that a governance model based on the U.S. Centres for Disease Control could serve to encourage cooperation, disseminate information and recommendations, and mobilize rapid responses as needed.
From the world of piracy, privateers are analogous to today’s “patriotic hackers”, groups of individuals that can serve national interests without being under the direct control of the state. For example, in 2007 patriotic hackers from Russia disrupted internet services in Estonia for several days. The authors suggest that a “drain the swamp” strategy could be helpful, where known “safe harbours” for malware and infected computers could be targeted and shut down.
These imperfect comparisons highlight the authors’ challenge in tackling such an amorphous topic—akin to trying to predict the development of nuclear weapons and warfare in 1945. Singer and Friedman do a strong job of identifying the many open questions and challenges and where they intersect, without pretending to have the right answers to address them.
A key takeaway from the book focuses on how difficult yet necessary cooperation is for addressing cybersecurity issues. A collective action problem exists for corporations who would benefit from broader action, but see no incentive beyond protecting their own private interests. Governments are also distrustful of each other, limiting on what and with whom they are willing to cooperate.
Much like the technology it discusses, the book’s picture of cybersecurity is already appearing dated. This is evident in the conclusion when the authors discuss “emerging trends” such as “Big Data”, cloud computing, and the “mobile revolution” that are already impacting cybersecurity. This does not negate the information and recommendations outlined in the book, but does serve to highlight the challenges of responding in an environment that is constantly evolving.
