8 January 2014

Just the Right Amount of Cyber Fear

A new book provides a sensible, engaging rundown of the threats we face
PATRICK LIN JAN 6 2014,
An analyst looks at code in the malware lab of a cyber security defense lab at the Idaho National Laboratory in Idaho Falls, Idaho September 29, 2011. (Reuters)

If our leaders don’t even use email, can we trust them to make decisions about our brave new e-world? In a book released a few days ago—Cybersecurity and Cyberwarfare: What Everyone Needs to Know—we are immediately struck by how unprepared we really are as a society:

As late as 2001, the Director of the FBI did not have a computer in his office, while the U.S. Secretary of Defense would have his assistant print out e-mails to him, write his response in pen, and then have the assistant type them back in. This sounds outlandish, except that a full decade later the Secretary of Homeland Security, in charge of protecting the nation from cyber threats, told us at a 2012 conference, “Don’t laugh, but I just don’t use e-mail at all” … And in 2013, Justice Elena Kagan revealed the same was true of eight out of nine of the United States Supreme Court justices, the very people who would ultimately decide what was legal or not in this space.

Scary. Or is this a strategic choice to opt out of technology, given online threats every day in the news?

As breathless headlines on cyber dangers reach a fever pitch, the new book by Peter Singer and Allan Friedman comes right on time to help cut through the hysteria and wake up the oblivious. It’s an impressive tour de force, as was Singer’s 2009 bestseller Wired for War on military robots. But the subject of this new book is technically more complex, and it demands a different, more approachable treatment. To that end, Singer and Friedman have written a book that is as accessible as it is complete: the discussion follows a question-and-answer format—digestible bites to choose from, as you like—and the prose is as entertaining as nonfiction can be, with pop-culture references and current events sprinkled throughout.

In this review, I will walk through the main parts of the book, pointing out areas of interest. As an overview, the book is sensibly organized in three parts: the first part “How It All Works” explains in simple language the technology behind cybersecurity and cyberwar; the second part “Why It Matters” draws out the legal, policy, and social implications; and the third part “What Can We Do?” examines possible solutions to this complex puzzle. So there’s something for everybody, and only a relative few people in the world today have a holistic grasp of all these moving parts.

As with Wired for War, readers will appreciate the storytelling around what could have been a dry subject. This is in part due to the many interviews the authors conducted with key players in cybersecurity and cyberwarfare—weaving in human stories, firsthand reports, and important history lessons into their narrative. Offhand remarks also make for a fun read, like references to Shark Week, Members Only jackets, Gangnam Style, RickRolling, and cat videos. But the book also has serious academic chops: Written by two PhDs from the famedBrookings Institution, it engages the latest news related to cyber and is meticulously researched, as seen from the sheer number of sources in nearly 600 endnotes.
Part 1: How It All Works

Cybersecurity and Cyberwarfare is careful to ground the discussion in real computer science and engineering, not in popular misconceptions. To know how cyber threats work and defend against them, we first need to know how computer networks operate, and this means starting with ARPANet, precursor of the modern Internet.

So in this section of the book, we’re introduced to packet-switching, DNS, ICAAN, firewalls, advanced persistent threats, SQL injections, DDoD attacks, certificate authorities, cryptography, and other basic concepts. A lot of this alphabet soup can be intimidating to the layperson; however, the discussion proceeds in plain, relatable language:

The last line of defense is akin to the strategy that nuns use to police Catholic school dances. The nuns often stuffed balloons between teenagers dancing too closely, creating an “air gap” to ensure nothing sneaky happens. In cybersecurity terms, an air gap is a physical separation between the network and critical systems … The problem with air gaps, much like the abstinence the nuns try to enforce, is that it often doesn’t work in practice … maintaining an air gap is often unrealistic, as the Iranians discovered when their supposedly air-gapped systems still got infected by the Stuxnet virus.

Not just the technical details, but the book also offers obscure trivia to make history come to life. For instance, the first word ever transmitted across a computer network (ARPANet) was “Lo” in 1969…as a mistake; the network crashed on UCLA researchers before they could finish typing “Log” to log into a computer at Stanford Research Institute (now SRI). More recent trivia: just a few months after computer-security experts cleaned the network of a major U.S. trade association, a thermostat and printer in its building were caught sending messages to a computer in China—betrayed by its own appliances.The human, apparently, is one of the weakest links in cybersecurity.

These stories and technical concepts are framed by the primary goals of information security: confidentiality, integrity, and availability (also known as the “CIA triad”). Confidentiality is about keeping data private; integrity is about ensuring that the system and data weren’t tampered with; and availability is about the ability to use a computer system as anticipated.

The biggest virtue of this section, however, isn’t in its obvious technical expertise. What separates it from other soulless primers is its masterful use of stories—real events—to help readers “get it”, such as: when Pakistan accidentally “broke the Internet” by redirecting YouTube traffic through its servers in an effort to censor content; how a Carnegie Mellon professor could guess the social security number of a face online, with uncanny accuracy; and how game-changers, such as WikiLeaks, Bradley Manning, and Edward Snowden, were able to do what they did.

Again, in plain, engaging language:

In 2008, a U.S. soldier was walking through a parking lot outside of a U.S. military base in the Middle East when he spotted an unwrapped candy bar lying on the ground. Without knowing who had left it or how long the candy had been on the ground, he decided to take the bar inside the base and eat it for lunch. Sounds absurd and even a bit disgusting, right? Well, substitute a USB flash drive for that candy bar, and you have the story of what started Buckshot Yankee, one of the largest cyber breaches in U.S. military history.

The human, apparently, is one of the weakest links in cybersecurity. Other anecdotes support this claim, such as this one, inside the minds of cyberattackers:

The reconnaissance and preparations can take months. The teams are not just trying to understand the organization of the target but also its key concerns and even tendencies. One [advanced persistent threat], for example, was casing a major technology firm headquartered in Minnesota. Team members eventually figured out that the best way to crack the system was to wait until a major blizzard. Then they sent a fake e-mail about the firm changing its snow day policy; in Minnesota, this was something that everyone from the CEO on down cared about. Another effort, which American national security officials have blamed on Chinese intelligence and military units, gathered details not only on targets’ key friends and associates but even what farewell they typically used to sign off their e-mails (e.g., “All the best” vs. “Best regards” vs. “Keep on Trucking”) to mimic it for a spear phishing attack vector.

The sections here have helpful, self-explanatory titles, offering the reader a menu from which to pick and choose; the book doesn’t need to be read from start to finish or in order. The framing questions include: How does the Internet actually work? Who runs it? What are the threats? How do we trust in cyberspace? How do we keep the bad guys out? And more.
Part 2: Why It Matters

This next part is the largest of the book’s three parts—so I’ll give it a longer look here—and it makes a convincing case for why we need to pay attention to cyber. Many of us have been on the receiving end of a cyber threat, whether a victim of malware, email scams, or hackers intent on stealing our personal information and credit card numbers from stores. More than nuisances, there’s a real cost attached to cleaning our infected computers as well as identity theft, such as a damaged credit report that prevents you from getting a loan or mortgage. On cybercrime, the book cover a full range of misdeeds, including Nigerian scams, the Stranded Traveler con, fake charities, typosquatting, and more.

Businesses certainly know the effects of cybercrime, such as ransomware and intellectual property (IP) theft. As notable cybersecurity expert Dmitri Alperovitch is quoted in the book, “I divide the entire set of Fortune Global 2000 firms into two categories: those that know they’ve been compromised and those that don’t yet know.” He also calls the massive theft of corporate IP a “historically unprecedented transfer of wealth.”

Why would someone want to steal IP? Just look at Apple’s iPhone: the Chinese factory that made the early models earned $15 for manufacturing a $630 product. As Jim Lewis, expert at the Center for Strategic and International Studies, puts it, “The easiest way to innovate is to plagiarize.” Some experts put the cost of IP losses, for U.S. companies alone, at $250 billion per year. Given that, in 2013, the average company of 1,000 employees was spending about $9 million per year for cybersecurity, these costs are not trivial and are ultimately passed down to consumers and taxpayers.

When the state becomes the target rather than industry, fears about cyberwar are at their peak. That’s when we hear alarms about a “digital Pearl Harbor” or “cyber 9/11.” Besides WikiLeaks, Stuxnet, and daily cyber break-in attempts on the U.S. Department of Defense and other government agencies, the book points to lesser-known, but equally if not more terrifying, threats such as Shady RAT, GhostNet, and others, going as far back as 1982 when the CIA’s logic bomb allegedly blew up a Soviet gas pipeline.

When cyber threats come from abroad, there’s special panic and pressure on the state to respond. But what kind of response is needed? Are any of these threats to national security, as many believe, that warrant a military response? As explained in this book, it matters whether a cyber incident is truly an attack, as opposed to a criminal intrusion, vandalism, or espionage. Defining “cyberattack” is tricky, though, especially since all these things can look to be the same thing. Even if we were truly attacked, does the cyber event represent a “use of force,” the necessary condition for a state to respond militarily? Our current rules of war had physical attacks—e.g., bullets and bombs—in mind in laying down the “use of force” requirement, so it’s not clear if or how they can account for cyberattacks (at least those that don’t cause physical damage).

Even if we determine an event to be a true cyberattack, there’s another big problem: attribution, or identifying the malicious actor. It’s not as simple as figuring out the IP address or national origin of the attack, since attacks could be routed through servers in innocent countries; and it’d be wrong to retaliate against innocent parties. Even if we’re certain that an attack has come from a particular country, it’s difficult to pin down whether the state was actually behind it, or if it were patriotic hackers, hacktivists (a term first coined by the Cult of the Dead Cow: more weird trivia), or mere criminals. If we can’t accurately attribute an attack, then how can we deter attackers?

China, of course, is the main suspect in many foreign cyber operations against state and industry systems in the US. But Singer and Friedman are careful to present a more balanced look at the political conflict:

But before we point too many fingers at China for operating in this realm, remember that the United States is just as active; indeed, large parts of its intelligence apparatus, like the aforementioned CIA and NSA, are dedicated to this same mission; the 2013 Snowden leaks showed 213 of these operations in 2011 alone.

Further, China is a major victim of cyber threats, home to as many as 70 percent of the world’s infected computers; and America is a major source of cybercrime, host to 20 of the world’s top 50 “crime-spewing” Internet addresses. Yet numbers alone don’t tell the whole story, which involves karma:


The reason for China’s heavy malware infection rate is that as much as 95 percent of the software that Chinese computers use is pirated, meaning that it doesn’t get the same security upgrades and patches that legal license holders do, leaving them vulnerable to basic threats. As computer security expert James Mulvenon explains, “Therefore, China is right when it says that it is a victim of hacking, but the main culprit is its own disregard for intellectual property, not state-sponsored espionage.”

Nonetheless, the political tension on cyber between China and the U.S. is real, and the authors offer a fair, non-argumentative analysis of the competing values in this conflict. The U.S. and much of the Western world see the cyber policy debate as one about protecting human rights, including free expression and information access, and less-democratic nations are naturally cast as villains. But there’s also something to be said for social stability, and this is critical to understanding what nations such as China and Russia might want from a cyber treaty. (More than 550 million microblogs have been censored in China.) Domestically, we also see the cyber debate framed in competing ways, as about national security versus privacy and free speech; and it is again important to be aware of these underlying conflicts if we are to make any progress.

The cyber domain upends many concepts that we used to know. Besides confusion now around what counts as an “attack”, it’s not clear what “cyberwar” means: “We in the U.S. tend to think of war and peace as an on-off toggle switch—either at full-scale war or enjoying peace,” said Joel Brenner, the former U.S. National Counterintelligence Executive. But in the cyber domain, it is possible to have ongoing, low-intensity incidents, none of which individually rises to the level of “use of force” yet can cause crippling aggregate effects; this is the concept of “death by a thousand cuts.”

Likewise, “cyberterrorism” is a much-ballyhooed but vague fear: a “term like cyberterrorism has as much clarity as cybersecurity, that is none at all.” The fear also doesn’t seem to match the hype:

... the “Izz ad-Din al-Qassam Cyber Fighters” claimed responsibility for a series of denial-of-service attacks on five U.S. banking firms. While many believe they stole credit for cybercriminals’ work, the effects of the attacks were negligible, shutting down customer access to the sites for a few hours. Most customers didn’t even know there had been an attack. Take out the word “cyber” and we wouldn’t even call such a nuisance “terrorism” … As one cyber expert put it to us, “There are threats out there, but there are no threats that threaten our fundamental way of life.”

Perhaps to Iran, the Stuxnet worm is a clear example of a cyberterrorist attack, if not an outright act of cyberwar. The malware blew up Iran’s nuclear centrifuges and their replacement for over a year—key equipment in their alleged illegal development of nuclear weapons. Singer and Friedman not only walk us through this dramatic operation—a real-life Mission: Impossible plot—but they also use Stuxnet as a case study in ethical cyberweapons. In contrast to indiscriminate malware, such as an email virus, Stuxnet was designed to activate under highly specific conditions that narrowed its target to one, e.g., only if exactly 984 centrifuges were linked together and controlled by a certain operating system. This specificity and requisite inside knowledge reveals how hard it is to hit a weapons lab or any other sensitive facility, and therefore how unlikely cyberterrorism might be:

To cause true damage entails an understanding of the devices themselves: how they run, their engineering, and their underlying physics. Stuxnet, for example, involved cyber experts as well as experts in nuclear physics and engineers familiar with a specific kind of Siemens-brand industrial equipment. On top of the required expertise, expensive software tests had to be conducted on working versions of the target hardware. As a professor at the U.S. Naval Academy [George Lucas] explains, “the threat of cyber terrorism, in particular, has been vastly overblown,” because conducting a truly mass-scale act of terrorism using cyber means “simply outstrips the intellectual, organizational, and personnel capacities of even the most well-funded and well-organized terrorist organization, as well as those of even the most sophisticated international criminal enterprises. To be blunt: neither the 14-year old hacker in your next-door neighbor’s upstairs bedroom, nor the two or three person al Qaeda cell holed up in some apartment in Hamburg are going to bring down the Glen Canyon and Hoover Dams.” By comparison, the entire 9/11 plot cost less than $250,000 in travel and organizational costs and used simple box-cutters.

Even if not directly used to inflict harm, digital technologies have been used in the service of terrorism, such as: Hotmail accounts and a website’s comment section to coordinate the 9/11 attack; Google Earth in the 2008 Mumbai bombings; and hidden “geotags” in photos uploaded by U.S. soldiers that gave away their position and resulted in devastating mortar attacks by Iraqi insurgents in 2007. Social networking opens unique vulnerabilities. After the top-secret Osama bin Laden raid in 2011, a U.S. cybersecurity analyst demonstrated how easy it was to use social-networking tricks to find 12 members of the Navy SEAL team that killed bin Laden, including their names, their families’ name, and home addresses.

Patriotic hackers also get special attention in this book, especially since they make attribution of a cyberattack difficult, blurring the lines between state and nonstate actors. Who the actor is can mean the difference between an act of cyberwar and mere cybercrime. Noting the cozy relationship between patriotic hackers and their host state:

Criminal groups are given some freedom to operate in exchange for demonstrating their patriotism when governments ask for aid. Think of it as the cyber equivalent of the deal struck between the FBI and Mafia during World War II, when the Feds agreed to lay off their investigations in exchange for the mobsters watching the docks for Nazi spies and aiding military intelligence operations in Italy. Similarly, Russia was fairly active in cracking down on cybercrime rings before the cyberattacks of the late 2000s, but it has been far more lax in its law enforcement since [the 2008 Georgia attack that had the hallmarks of a Russian hacker group].

But states should be careful that the monsters they feed don’t run out of control:

Once set loose in cyberspace, hackers can go off message or engage in unwanted activities. In an embarrassing episode, the winner of China’s 2005 regional competition was later arrested for attacking rival hacker groups’ websites. And when the Chinese government only wanted positive news to surround the 2008 Beijing Olympics, Chinese patriotic hacker forums made negative news by providing tutorials on how to launch a DDoS attack against the CNN website (they were upset by its reporting on riots in Tibet). Things proved especially escalatory in 2010 when patriotic hackers from Iran and China, two ostensible allies in the real world, got into an escalating series of retaliatory attacks after baidu.com (the Chinese version of Google) was hit by the “Iranian Cyber Army.” Thus, governments are sometimes forced to crack down on the very patriotic hackers they once relied on. For instance, in 2010, the Chinese government ordered the Black Hawk Safety Net site shut. Previously, the site had been a hub for patriotic hacker tools and lessons, with some 170,000 members.

The section headings here are again useful to readers who want to quickly find specific discussions, such as: Who is Anonymous? What is cybercrime? What is cyberespionage? So how do terrorists actually use the web? What about cyber counterterrorism? What is Tor and why does peeling back the onion matter? What might a “cyberwar” actually look like? Why is threat assessment so hard in cyberspace? Who has the advantage, the offense or the defense? And so on.
Part 3: What Can We Do?

Now with an understanding of the underlying technologies and situational awareness of the cyber problem we face, this last part of the book examines possible measures we can take to better secure the cyber domain and our increasingly online life. As such, it is particularly useful for policymakers, but also information technology professionals and the broader public who is ultimately affected by national cyber policy.

Starting with the popular complaint that technology is more trouble than it’s worth, and the call to “repeal the Internet,” the authors don’t mince words:


To put it bluntly, such an idea is a nonstarter. Setting aside that a technology is not a law—it can’t be “repealed” or uninvented—the notion of going back to the world right before the Internet makes as much sense as rebootingBeverly Hills 90210. The world has changed.

We are now dependent on the Internet in everything from commerce to communications to, yes, even conflicts, while the modes and expectations of cyberspace have become woven into an entire generation’s very worldview.

Reengineering the Internet to be more secure, though, is an idea taken more seriously but also faces key challenges. “Resilience” is word bandied around in cybersecurity, but this is a more nuanced discussion than we usually let on: “There is no single definition, path, or strategy for resilience. We need to avoid treating it like a magical buzzword that has no real meaning.”

It’s certainly natural to think about cybersecurity in adversarial terms, given malicious actors. But this isn’t the only way to frame the problem, and the frame matters as it can suggest different solutions. For instance, if we draw an analogy between cyber threats and the Cold War, we might gravitate toward political and military options. But if we use other frames, such as cyber threats as a disease, then we can benefit from lessons in managing public health, such as creating a cyber equivalent of the Centers for Disease Control (CDC):


For instance, the CDC has led efforts to bolster the average American citizen’s awareness and education on basic steps to take to keep themselves safe, as well as prevent dangerous diseases from spreading. The underlying concept to emerge from the CDC’s research is that Ben Franklin’s saying, “An ounce of prevention is worth a pound of cure,” really is true. In studies of everything from malaria to HIV, the CDC found that disease prevention was the best pathway to control and, in turn, that effective prevention required building an ethic of individual responsibility. We see the fruits of this work woven into our daily lives, from workplace reminders on how washing your hands can prevent the spread of the seasonal flu to TV and web advertisements on how abstinence and the use of condoms can prevent the spread of sexually communicable diseases. The same kind of “cyber hygiene” and “cyber safe” ethics might be bolstered through similar efforts to convince users of cyberspace of their own responsibilities to help prevent the spread of threats and malware.

As another analogy, if we think of hackers and other malicious actors as pirates, then we can learn from past lessons in combating actual piracy on the open seas, including the wisdom of empowering industry to defend itself—that is,counterattack, also known as “hacking back” or euphemistically as “active cyber defense.” A path to international cooperation, for example, is now plausible in this frame:

After the War of 1812, for example, the British Royal Navy and nascent U.S. Navy constantly prepared for hostilities against each other, which made sense since they had just fought two outright wars. But as the network of norms began to spread, they also began to cooperate in antipiracy and antislavery campaigns. That cooperation did more than underscore global norms: it built familiarity and trust between the two forces and helped mitigate the danger of military conflict during several crises. Similarly, today the United States and China are and will certainly continue to bolster their own cyber military capabilities. But like the Royal Navy and new American Navy back in the 1800s, this should not be a barrier to building cooperation. Both countries, for instance, could go after what the Chinese call “double crimes,” those actions in cyberspace that both nations recognize as illegal.

Since cyber threats like malware don’t usually care about national borders, cybersecurity is a global problem with much at stake. International institutions are positioned well to drive governance efforts, such as the International Telecommunications Union (ITU). But recent challenges for the ITU, and any such global collaboration, are traced back to the root conflict between competing visions and values, i.e., liberty versus security, as well as human rights versus social stability.

Similarly, governments haven’t made much progress on a cyberspace treaty, especially if that’s perceived as a handicap for advanced cyber powers such as the U.S. Looking at the Outer Space Treaty, Antarctica Treaty, and other precedents as imperfect guides for cyber, Singer and Friedman outline a strategy to “graft” desired provisions into existing international law and agreements, evolving a broader framework rather than starting from scratch: “Rather than starting anew, adapt the horticulture technique of adding a new plant to the roots of an older plant [i.e., grafting]. Build off of established frameworks and interests to increase your chances of success.”

But the solution won’t be as simple as an expanded treaty. A sustainable and effective plan will likely require a rethink of the role and responsibilities at every level of the cyber ecosystem, from government to industry to the individual. This means greater public-private cooperation, education priorities, creative recruitment of talent, and much better cyber hygiene by computer users. And this means policymakers, industry, and the public need a better view of the big picture in cybersecurity, including its technical foundations and its implications.

The section headings here include: Why can’t we just build a new, more secure Internet? What is resilience, and why is it important? What can (real) pirates teach us about cybersecurity? Do we need a cyberspace treaty? How can we better collaborate on information? What is the role of transparency? How can we create accountability for security? How can I protect myself (and the Internet)? And more.

* * *

The panic over cybersecurity is understandable. In the last decade, we’ve seen an uptick in terrorism, frightening new ways to wage war, information security breaches at (and by) the highest levels of government, and unreasonable dependency on information technologies. No one is safe. Your home computer has likely been infected with malware before, if not now. Stock markets andpower grids have failed from software glitches and Twitter hoaxes. Defense agencies worldwide are ramping up for cyberwar.

But how much of this is hyperbole? What should we really be worried about, and why? And what can we do about it? Cybersecurity and Cyberwarfare gives us actual case studies, insider interviews, bizarre trivia, and a lot of dramatic statistics to help demystify the danger, and there is real danger. The timely book brings thoughtful, witty, and balanced analysis to this very important emerging discussion.

I imagine that this book would be useful in a range of settings, from the classroom to coffee shops to boardrooms to the War Room. Not just technology and history, the discussion is a smooth blend of philosophy, ethics, law, policy, psychology, and other disciplines that illuminate the complexity of human society. While much work still needs to be done to secure the cyber domain, it’s a very readable and expertly researched introduction to the subject, straightforward and compelling. In short, it’s a book I wish I had written.

No comments: