“The State, the Internet, and Cybersecurity with Peter Singer”
Asia Institute Seminar
8 JANUARY 2014
On January 2, Dr. Emanuel Pastreich, director of the Asia Institute, sat down with Peter Singer, director of the Center for 21st Century Security and Intelligence and a senior fellow in the Foreign Policy program of the Brookings Institute. Singer’s research focuses on three core issues: current US defense needs and future priorities, the future of war and the future of the US defense system. Singer lectures frequently to US military audiences and is the author of several books and articles, including his most recent book, Cyber Security and Cyber War (www.cybersecuritybook.com).
Emanuel Pastreich: “When you chose to title your new book as Cyber Security and Cyber War did you intend to make a clear distinction between two discrete issues?”
Peter Singer: “Cyber security and cyber war are two separate topics that are related in that within the new domain of cyberspace we see an overlap between what we traditionally refer to as the civilian sphere and the military sphere. Cyberspace is evolving as a realm that includes everything from commerce, entertainment and communications to forms of direct conflict. For example, 98% of all military communications travels through cyberspace, but, at the same time, the cyberspace they are channeling over is primarily civilian owned.
“Let us step back and take a look at this problem in proper perspective. For too long the thinking about cyber security questions have been left to what I call the “IT crowd.” That is to say we have a group of technologists pondering cyberspace and its potential. But at this point in time, whether you are a politician, a general, a business leader, a lawyer, a citizen or a parent, those security questions are clear and present for the rest of us as well. We need to understand cyberspace and commit to planning for a future with it at the center.
“The book is structured around approximately sixty central questions concerning the nature and the potential of cyberspace. ‘How it all works? For example, I use the Internet every day, how does it actually work?’ Or ‘What is cyber terrorism?’ ‘I keep hearing about it; is it as bad as some people say?’
“The book then traces the technology back to the ‘who,’ the prominent players in the field and why their dynamics matter. For example, ‘Who is this Anonymous group I keep hearing so much about in the news?’ ‘What is the strategy of the US military for cyberspace?’ ‘What is the Chinese strategy in cyberspace?’
“And then the final third of the book concerns ‘What can we do?’ Those questions range from the personal and organizational to the national, the regional, and the global level. So the book includes everything from how to prevent possible global cyber wars on a massive scale to offering advice on how to protect ourselves and maintain the Internet that we all know, love, and depend on.
“What differentiates this book from my previous books, Wired for War and Corporate Warriors: The Rise of the Privatized Military Industry, is the nature of the debate we are raising. In my previous books whether I was describing private military contractors like Blackwater or the rise of drones, I was trying above all to draw public attention to a new issue of critical importance. For example, when I started working on drones in 2005 it was a new field that called out for attention, for people to realize that drones were real and would matter very soon. In the case of this book on cyberspace, however, the issue is quite different. We all know cyberspace and security is a critical topic. The problem is rather that we simply do not understand it. Not knowing about cyberspace means that we can be taken advantage of. At the individual level we are subject to hackers and false information. And at a higher level, companies and government agencies have profited, frankly, by just making this whole process seem much scarier than it actually is. And then there are the groups that claim to have the “secret sauce,” the “secret recipe” that will solve all the problems of cyberspace. We want to explain cyberspace to people in a manner that builds substantial understanding and also makes for a great read. We include many funny anecdotes, intriguing characters, and jokes that are not found normally in a technology book.”
Emanuel Pastreich: “So, in cyberspace, is there a posse comitatus?”
Peter Singer: “Well, no, there is not. There remain a series of issues that we need to work out. When I say ‘we’ I am talking about communities at every level, from the global down to the national, regional, and individual. We need to think about how agencies and corporations can be made accountable and responsible, but also about what we can do as citizens. For example, what exactly do we mean as a community, as a nation, by ‘cyber war?’ And, in turn, who should we expect to fight it?
“One challenge that we find in this debate that we want to unpack for readers is the wide variety of dissimilar threats that we often bundle together as cyber threats simply because they all take place in cyberspace. For example, one senior Pentagon official cited an enormous number of cyber attacks on the Pentagon when he testified to Congress. The problem was that what he spoke of an “attack” the congressmen listening imagined some existential ‘cyber Pearl Harbor’ or ‘cyber 9-11.’ After all, that is what the secretary of defense had been discussing in various closed hearings. Yet, what the Pentagon official was talking about with these numbers instead was a hodgepodge ranging from attempts at address scans or ‘knocks,’ defamation (i.e., pranks such as changing external user-face websites), espionage (i.e., stealing secrets), and some more aggressive attempts to compromise security.
“That Pentagon official was bundling together everything from the equivalent of a teenage prankster with a firecracker, to a pistol-robber, a terrorist with a roadside bomb, a spy with a hidden gun, and a military armed with a cruise-missile. He was giving the impression that all these ‘attacks’ were basically similar because they all use the technology of cyberspace. But the only similarity between a firecracker and a cruise missile is the use of the technology of explosive materials. Such discussions are not a responsible way to keep the public informed about a critical issue.
“What we need to do is to disentangle our thinking about the nature of the threats and in turn that will allow us to disentangle our thinking about appropriate responses. For example, the US Military Cyber Command and its partner the National Security Agency have taken on a wide range of roles largely because of an overwhelming fear of what cyber attacks could be and also the fact that other agencies lack skill and the budget capacity. They are handling issues, as a result, that frankly are not appropriate to their mandate. ‘Appropriate’ here means in a strategic and organizational sense, and also in a legal sense.
“Think of it this way: Let’s imagine two banks were transferring money between them and one of their trucks was blocked in the street by a group of protesters. Well, no one would say, ‘call in the Army! It is the Army’s responsibility!’ And yet that is how we often react if the issue involves electronic transfers. We have to get over that kind of thinking. This is also huge to the concerns of IP theft and US-China tensions that result from it. It is critical that we disentangle certain subtle but important differences between a ‘9-11’ threat and a ‘death by a thousand cuts.’”
Emanuel Pastreich: “That makes sense. I want to come back to the division of labor you hinted at. For example, with regards to the players such as the FBI, the NSA or the army, is there a field, for example, in which the FBI has exclusive dominion? The very terms domestic and international can be ambiguous when we are talking about cyberspace.”
Peter Singer: “You have hit one of the major challenges. Trying to figure out when and where this construct — the notion of a state border — was established back in the 1700s applies, and when it does not, is a major bone of contention. Too often it seems as if cyberspace is a ‘stateless’ domain as some claim. As the adage goes, cyberspace is the ‘global commons.’ So some assume that somehow nations, states, have no role in cyberspace. But the reality is that states matter in cyberspace in two core ways.
“First, what happens in cyberspace has a direct impact on states. Simply put, since our commerce, communications, and infrastructure all depend on the safe, smooth running of that domain, states have to think about cyberspace seriously with an eye towards their own security and stability. They cannot afford not to care. Second, while cyberspace is virtual, the people who design and administer it, and the hardware that runs it, are located within national borders. There is no truly stateless aspect to cyberspace.”
“Let me be clear on this point. I am not suggesting that transnational dimensions are insignificant. They are critical and unprecedented. But the problem is far more complex than it appears at first glance. I am pushing back against the notion that cyberspace is somehow ‘stateless.’”
Emanuel Pastreich: “But we have players these days around the globe who can use randomized data, so it is not so easy to figure out by the servers which particular state he, she, or they are in. So although cyberspace is not stateless, there are ghosts in the machine.”
Peter Singer: “Yes, that is an important challenge. This problem comes up, for example, in the case of not only attribution but also of prosecution for crimes. There is a movie out about Julian Assange, ‘The Fifth Estate,’ that illustrates both sides of this problem. On the one hand, WikiLeaks, the organization, has been able to stay functional because of its transnational presence. Each time a state tries to shut it down, it simply transfers operations or picks up stakes. It also has woven a funding structure into things on which the state depends. It did so with the French banking system, for example.”
Emanuel Pastreich: “The viral effect…”
Peter Singer: “Yes, exactly. On the other hand, Julian Assange the person has been indicted in one state and is stuck in an embassy in another. While the online organization has been able to thrive, some of the individuals involved are subject to the power of the state. The power of the state still matters.
“To return to your question, one of the things that we will have to figure out is: what is the appropriate mechanism for states to cooperate in these domains? What agencies matter? Which is an appropriate response on the state level? And, finally, where is the line between the public and the private? In our book we have chapters in which, as an illustration, we ask whether we need international treaties for cyberspace. Are such treaties even possible? We also consider the dangers of certain international institutions overreaching their mandate and being used to clamp down on freedom of expression online. We see today new coalitions of democratic forces battling authoritarian states over the future of the Internet itself.
“Then at the state level we call for an end to viewing cyberspace through solely a national security or law enforcement framework. There are examples in public health, for example, in which nations are able to cooperate better but also to extend responsibility not just to the government but also to us as individuals. In the case of public health, there are national and international agencies that conduct investigations, research, and carry out the tracking of disease outbreaks. But we do not say that the entire work is up to them. For example, I teach my kids to cover their mouths when they cough, because we teach the importance to our kids of the habits of good hygiene to protect both themselves, but also others. There is an equivalent to cyber hygiene which serves not only to protect youth, but also to teach them that it is their responsibility as good citizens to protect others online. There are some parallels here in terms of protecting your computer from being taken over by a botnet. It is also about protecting the broader Internet.
“The book offers new, creative, different ways at looking at security.”
Emanuel Pastreich: “One of the challenges for us today is the distinction concerning the attribution for various cyber threats. Are these problems a result of a decline of morality, bad behavior, increased corruption, or is this problem simply a product of Moore’s Law? Many crimes are simply easier and cheaper to do today. The problems cannot be stopped easily because they are driven by changes in the playing field itself.”
Peter Singer: “You ask two very important questions. But let us first try to disentangle a bit. On one hand, we can talk about the motivations of groups like ‘Anonymous’ that have, in many ways, become the bogeymen of the cyber era. In one of the chapters in the book I ask somewhat ironically, ‘Who is Anonymous?’ The book delves into the history of the organization and describes how it operates. What is important to understand is that this organization defies our traditional notion of a top-down hierarchy. Rather, Anonymous is more of a constantly shifting collective. But also, consistently throughout its history, there has been a focus on Internet freedom, Internet good behavior. For example, the public debut of ‘Anonymous’ in the mainstream media came when the group helped to track down a child predator. Later on, the line that connected everything from the operations they carried out concerning the Church of Scientology to their role in ‘Operation Avenge Assange’ in response to the financial supporters of WikiLeaks being challenged, to the many activities being carried out today, was the emphasis on threats to Internet freedom. People can certainly go back and forth debating on whether Anonymous’ has gone too far or not. But the problem is that policy makers talking about cyber security tend to lump together ‘Anonymous’ with Al-Qaeda or Russian criminal organizations. Those are all very different organizations. We need to be clear about the variety of players.
“Regarding your second point, one striking feature of the short history of cyber security and cyber war is rate of the game change in our generation. With regards to technology, security, and war there is a far lower barrier to entry now and, in turn, the greater empowerment of smaller organizations — all the way down to individuals.
“Technological change forms a clear line that connects the past books that I have done on private military contractors, child soldiers, robotics, and now in cyberspace. Several centuries ago, whatever the weapon of war, it required a massive scale to build and operate effectively. Historian Charles Tilly said that ‘War made the state and the state made war.’ There was a centralization of power before. Instead, now, with the new technologies, cyber weapons or drones, a massive organization such as a “Manhattan Project” is no longer needed to produce a small drone or to carry out a cyber attack. While these new weapons have certainly been useful to governments, they have even been even more empowering for small groups and individuals. Some people dismissed users like ‘Anonymous’ as ‘all bark and no bite.’ But, a small group of online individuals, most of whom had never met, have found a way to mobilize and to direct the world’s attention to causes about which they care. That was not possible before.”
Emanuel Pastreich: “You have perhaps a slightly more optimistic view of what is happening. It seems to me that when ‘Anonymous’ carries out their strikes for Internet freedom, there are groups in corporations or in government who go along with them, even support them in their efforts, not because they necessarily believe in the ‘Anonymous’ cause but because it aids them in their particular agenda they are pursuing. Maybe they just want to bring down the NSA so they can get a piece of that enormous budget. It is a bit more complicated than it appears.”
Peter Singer: “Yes, absolutely. It is both a new trend but also the story of politics going back to the ancient philosophers. In discussions about technology we tend to want to focus on the technology itself. Engineers are most comfortable talking about how it works. However, why it matters, in history, always comes back as the critical issue. To understand what is happening in cyberspace and cyber security, we need to understand the people, the organizations, as well as the motivations and incentives that drive them we need a broad perspective. We must get a glimpse at the dynamics going on within a group such as ‘Anonymous’ and how governments are reacting to it. That perspective also helps us understand why certain business sectors, like the financial sector, have done a great deal in protecting themselves in cyber security, while others such as the electrical power grid have not. It all comes down to incentives.”
Emanuel Pastreich: “Maybe you can say a few words about our response. There are at least two problems in terms of security. If one wants to have security in a situation in which a single individual or small group can do an enormous amount of damage, it requires by nature a repressive system. The system has to be capable of being focused and responding very effectively. So, it inherently creates problems. Any response is going to be problematic.
“The second issue concerns the rate of technological change. If technology keeps changing, evolving exponentially, you might make up some treaty on cyber security in 2014 that will be meaningless by 2020 because the nature of cyberspace would have changed so profoundly.
“What are your thoughts on these two questions? First, how do you maintain security without it becoming a repressive system? And how do you maintain standards and the rules in a constantly-changing environment?”
Peter Singer: “The first question, in many ways, again echoes back across the ages before the Internet was ever conceived. The debate over the trade-off of rights versus security is not new. We can see that debate in the writings of ancient philosophers. The way they came down on the issue back then is the way we should come down on it today. Yes, you can live in a system that has no terrorism, where criminals are immediately caught. But, in reality we call those totalitarian regimes. However, you could also live in absolute anarchy, but that is an equally insecure world that does not allow one to exercise the most basic rights as a result. The key is finding that balance. We should not assume we can eliminate all threats. Rather we should accept the reality that threats exist and seek to manage them.
“It is all about building structures and incentives that will allow you to manage the world better. In the book we present fifteen things we can and should do to respond to cyberspace, everything from building appropriate institutions in government and global institutions to local community activities. We see the effort to establish better security as both a public and private problem. We must establish the right incentives, build better information sharing systems, and increase transparency. We need to set up clear norms for accountability and reliability. There are many cyber-people problems for which we need to train experts at all levels to respond. There is so much that we can and should do.
“But we also should not let fear steer us solely. The book opens with a description of how each of us remembers as young boys or girls the first time we saw a computer. I was seven years old when I first saw a computer. I am now thirty-eight. My dad took me to a science museum and there I took a class to learn how to program computers to do an amazing thing: print out a smiley face. That is the beginning of the book. We circle back to that same moment at the end of the book. Imagine if my dad had told me at the age of seven, ‘This thing, the computer, it is going to allow people to steal your identity. It is going to allow militaries to carry out all new kinds of war. It may even allow terrorists to turn off the power grid or steal everyone’s money.’ My little seven year-old self would have said, ‘Oh my God, Dad, we must stop this computer, do not turn it on.’
“Of course, looking back at that, we accept these risks because of all the great things that we can do with computers. I can track down the answer to almost any question on line. I am friends with people around the world I have never met. To me, what has played out over the last thirty years is exactly the same thing that we will witness in the future. We have to accept and manage the risks because of all the great things we can do with this technology.
“That is where we have to be mindful of the people who are trying to steer us in the wrong direction, whether it is the people who are trying to make cyberspace too insecure a space, or the people who are trying to make it too secure but do away with the freedom and great features in it by just militarizing this space.
“Regarding your second question concerning whether technological change could lead to outdated treaties or laws practically the very next day, you have hit it exactly right. Cyberspace is a constantly-evolving medium, and indeed the Internet that we know and love today will be quite different five years from now. Everything from the users, to the language of the Internet, to the mentality of online freedom, will change.
“Also, many parts of the Internet are going mobile. And in the future the Internet will be woven into things. Cisco estimates that over the next few decades we will go from having a couple billion devices online, essentially each person behind a device, to seventy-five billion devices online. That means that it will not be just people behind those devices carrying on conversations—it will be things talking to each other.
“One cannot legislate a too-defined law that will not remain relevant. That would not be a good strategy. It also ignores the ‘reality’ of today. You are not going to find the United States, Russia, South Korea, North Korea, China, or Brazil all agreeing on the exact language of some treaty right now. That does not mean that you do not need a building of new laws, norms, and codes for conduct and behavior. In the United States, our Congress has not passed new major cyber security legislation since 2002. What we are pushing for globally and nationally is not to rewrite all law, but, rather to graft new law to previous legal precedents. Rather than plant an entire new tree, instead we should graft new legal developments for cyberspace onto an old, healthy tree. That is, determine what works, affirm the common values that we all hold, and then build off of that. That is the pathway to success.”
Emanuel Pastreich: “Yes, right. When I wrote an article some time ago entitled ‘Constitution of Information,’ the first point I stressed was one could not write such a constitution unless the writer actually had stakeholders involved in the discussion. It would just be an academic exercise to talk about an ideal world. The real process requires actually getting the people who can make decisions that represent active organizations involved.”
Peter Singer: “Absolutely.”
Emanuel Pastreich: “You mentioned the future of war at the very beginning. Of course this is a topic of great interest to me. Let us suppose that the computational power of the most recent NSA supercomputer will be available in a laptop in a few years. Let us imagine a world in which information processing power is so cheap that what we call supercomputers are no longer anything special. What will we have to do to maintain a secure world in that environment?”
Peter Singer: “We will need to determine which aspect of security comes first. There is the notion of physical security. But, there is also the notion of secure, online communications: that what I say to you is not necessarily shared with the government or other third party. That tension is at the heart of the recent NSA scandal that swept the United States and is arguably evolving into a fundamental debate globally.
“The Internet is a world in an online setting that is about sharing — the sharing of information and sharing of computing resources. As it has evolved, it has demanded that we share organizational and individual responsibilities in order to run it. There is no one thing that runs the Internet.
“This idea of sharing on the Internet is being deeply challenged. It is being challenged in terms of online expression and in terms of how and by whom it is run. We have a responsibility to be involved in that dialog, granted how much we benefit from the Internet.
Emanuel Pastreich: “I want to play devil’s advocate regarding this question. You and I might not like having some government agency, or some multinational agency, checking everything that we are writing, or saying, to each other. But, one could imagine a world in say, five years from now, a world in which other people are posing as either you or I and saying all sorts of misleading things that they attribute to us — a world in which you cannot even tell whether who you are speaking to is real.”
Peter Singer: “You do not have to imagine that world! We are already there!”
Emanuel Pastreich: “In such a world, we might think it is helpful to have, and we might eventually depend upon, some agency to actually to document and tell us that this is what we actually said to whom when. An agency to assure us that the ‘friend’ on Facebook is real.”
Peter Singer: “Absolutely. Again, the issue is frustrating in that there is no simple, easy, answer. This idea of being able to identify and track someone down makes perfect sense for the scenario that you just laid out. That makes absolute great sense. On the other hand, that very same capability may be used by some totalitarian regime against some brave dissident or human rights activist. Again, this is not speculation; it is real. An employee who votes a certain way or indicates some kind of political preference online can be punished at their job for it. This is not something twenty years out.
“In one case in the Unites States an employee wrote something on Facebook about a local election for which the boss then fired him. At the end of the day, we want absolutes, but really the issue is finding the right balance.”
Emanuel Pastreich: “In a recent article I wrote about the future of virtual reality. As it becomes less expensive, it will be possible to make up ten thousand or more virtual people and to make them mimetically convincing. That is to say, to give them all specific high schools they attended, parents, memories of childhood, etc. To create such a high level of resolution that you literally can no longer tell that they are virtual. I think that problem exists in tiny batches now. But, in five or ten years it might quite serious.”
Peter Singer: “Yes. Well, now we are jumping into things that are quite beyond the book. But, they are absolutely fascinating. This idea about — perhaps where you are headed — the Turing test, in which essentially it is a computer capable of tricking a human. We are kind of there now.”
Emanuel Pastreich: “For example, if you create virtual reality now with some of these games out there, you can imagine that we are just a few years away in which that reality is really indistinguishable and, if you start to take the people in it, and give them full background, distinct personalities, somewhat like Bladerunner, programming the robot with a history of child memories and so on, then it will literally be impossible to tell the difference.”
Peter Singer: “Welcome to the twenty-first century! This is something that we wrestle with in the robotics world, but the problem looms in cyberspace, too. There is a vast array of both capabilities but also political, military, and business, legal, moral, and ethical questions that we thought were science fiction a generation ago, but they are now with us. And yet a century ago people back then had to figure out strange things like “horseless cars” and “flying machines.” Hopefully, we will muddle our way through in this century.
“The point of the book is that you simply cannot respond appropriately if you do not understand how cyberspace works, what its implications are, and why it matters.
“I think of the parallel to the introduction of the horseless carriage. Many were astounded by this new thing and realized that they had to have something that they had never needed before when everyone rode horses, which was the strange thing called the traffic law. That change went beyond laws, extending to norms of conduct. In the United States, a man wrote a book about the proper way to drive a car; not technically but socially the proper way to drive. From that book we got the idea of two lanes, passing on a certain side, signaling before the turn. These were not just legal laws but also norms.
“Yet, if you go back and look at it, some of the early laws on the government side were insane because they did not understand the technology. One of the early laws related to horseless carriages was that someone was supposed to walk in front of the car with a flag to let people know that it was coming. And when they got into an intersection and wanted to turn, they pulled out a flare and fired it into the sky. This made great sense in a world of horses but makes no sense in a world of cars.
“There are similar proposals out there now about cyber security that one day we will look back on in the same way we do on the above example.”
Emanuel Pastreich: “I fully understand what you are saying. It is also possible that you have exponential technological change that you will start to run into gaps between what we experience and anything that we have ever encountered before. If you, for example, start to grow brain cells, in the tens of thousands or millions and sort of create a being, it is basically going to throw a monkey wrench into all of the assumptions we have.”
Peter Singer: “In my writing, what draws my attention is exactly those game-changing technologies, these disruptive technologies, ‘killer applications,’ however they are described. These are technologies that fundamentally alter the political, military, legal, business, and ethical discourse.
“We have had these game-changing technologies before in history. They range from fire, the printing press, gunpowder, steam engine, to the atomic bomb and the computer. The difference today is that with the speeding up of technological change, they are coming at us faster and simultaneously happening in multiple domains. So, we are having a tough time keeping up with Moore’s Law in IT.
“In DNA sequencing the rate of change is now many times faster than Moore’s Law. In the past, for example, the steam engine took roughly one hundred years to spread around the world to the level of global use. With the Internet, an invention spreads in nanoseconds. It is tough for us to keep pace with this. It is particularly tough for older organizations such as stake governments or militaries or businesses.
“They are having a difficult time keeping up with this level of change. To use an example in the book, the director of the FBI neither had a computer in his office nor an email account as late as 2001. As late as ‘9-11.’ Yet it is even a problem today. The secretary of Homeland Security, the agency responsible for cyber security in the United States, she told us earlier this year that she still does not use email. She did not think that it was useful. That sounds crazy, except, our newest supreme court justice revealed a few months ago that she is the only one on the Supreme Court who uses email. Eight of the other nine justices do not. The highest court in the land will ultimately resolve these core questions of security, privacy, rights, but its members have almost no working knowledge of common technologies. These show the challenges we face before us.”