Interviews

Bookforum talks with Peter W. Singer

Cybersecurity and Cyberwar: What Everyone Needs to Know BY P.W. Singer, Allan Friedman. Oxford University Press, USA. Paperback, 320 pages. $16.
Peter W. Singer

Peter W. Singer’s previous books introduced the public to an unfamiliar world of privatized armies, child soldiers, and frightening robotic military machines. His latest offering, Cybersecurity and Cyberwar: What Everyone Needs to Know (Oxford University Press), coauthored by cybersecurity specialist Allan Friedman, doesn’t take us to some distant, hypothetical battlefield, but rather into our own computers, to the dark—and, at times, bizarre—cyberworld that he calls “a place of risk and danger.” Singer, who is a Senior Fellow at Brookings Institution and the Director of the Center for 21st Century Security and Intelligence, points out that while most people in the government, the military, and the private sector now agree that cybersecurity is a serious issue, few do anything about it, and almost nobody actually understands what it is. The purpose of the book is to translate the impenetrable language of cyber—“asymmetric cryptography,” “distributed denial of service,” etc.—into the vernacular so that governments, companies, and citizens can develop “proper understanding and thoughtful responses.” Unlike the bellicose, power-hungry cast of characters populating his books, Singer himself has a very peaceful and disarming effect. To illustrate complex concepts, both in the book and in conversation, Singer likes to tell funny stories. (One of his favorites is about the time Pakistan cut off the world’s access to cute cat videos.) But no jokes can diminish the seriousness of Cybersecurity and Cyberwar; I found the book so frightening that after reading it I felt compelled to buy the Premium version of Norton Antivirus. Naturally, when I recently met Singer in his light-filled office at Brookings, I was eager to find out if I was now safe from cyber attacks.

BOOKFORUM: After reading the book, I went online and bought Norton Antivirus, the really expensive “Premium” one. So I don’t have to worry about my cybersecurity anymore, right?

PETER W. SINGER: I wish I could assure you that all is fine, but unfortunately that’s not the case. One of the lessons of the book is that it’s not about the technology—it’s about the people that are around it. So as great as all the bells and whistles are, it’s more about your approach, and how you want to deal with this problem. As great as it is that you have bought these new software defenses, you have other things that you have to think about. For example, what’s your password?

It’s 123456...

No, you don’t actually have to tell me! To this day, the most popular password is still “password,” followed by “123456.” That is not a good defense. And this isn’t just in cyber. As it turns out, for a long time, the U.S. nuclear codes were “00000,” which is the same as the code on my luggage lock.

In the book, you use the term “cyber hygiene.” It’s a vivid term. What exactly does it mean?

One of the challenges with cyber is the way people have framed this issue. People turn the volume up to 11, to borrow a Spinal Tap reference. There have been more than a half million references to a “cyber 911,” and there have been 31,000 articles written about the phenomena of “cyberterrorism.” Even though no one has been hurt or killed by cyberterrorism. What it does is create a sense of overwhelming doom and fear, a sense that there’s nothing that we can do about it.

Instead, the parallel that we look at is public health. In public health, there’s a role for international collaboration in identifying disease outbreaks, and an understanding that there’s national responsibility to do something about a health issue. But it also comes down to you and me and our responsibility. I teach my kids to wash their hands and to cover their mouths when they cough. That’s the same kind of ethic that we need to build when it comes to our online activity. There are very basic things that you can do to protect yourself. Those things are good for you as an individual and the organizations that you’re in. But when you practice good cyber hygiene, you’re also doing it to protect others in this broader ecosystem of cyberspace. The joke in the book is that even basic physical hygiene would have prevented some cyber breaches. The biggest outside penetration of the US military network happened when someone found a memory stick in a parking lot and thought it was a good idea to plug it into a US military laptop.

Have you ever personally been a victim of a cyber attack or cyber threat?

Yes, actually. But let’s be clear, one of the goals of the book was to disentangle what is meant by “attack.” When a Pentagon Official talks about the millions of “cyber attacks” on the U.S. military, he is including everything from teenagers playing pranks trying to deface the Pentagon website to people trying to steal top secret information. It’s a bit like bundling together everything from teenagers setting off firecrackers to terrorists trying to set a roadside bomb, to James Bond sneaking into your building with his Walther PPK pistol, trying to steal your files, just because they all involve the chemistry of gunpowder.

In Wired for War, you open with a very memorable passage about your interest in war as a child. “Other kids went to Narnia,” you write, “and I went to Normandy.” How did this interest in kinetic war transform into an interest in non-kinetic hostilities that you examine in Cybersecurity and Cyberwarfare? If you look back at your childhood self, do you think you would have been interested in cyber security issues?

In some ways, it was a bit of a jump. In this town, I’m seen as a technology guy, which my wife finds absolutely hilarious. She works at an actual technology company, and she sees me as a neo-luddite. When our wireless network goes down, she’s the one that figures out how to bring it back, not me.

My previous books were about trying to draw people’s attention to something new that wasn’t yet recognized, but that I felt was going to matter in war. This topic is different in that everybody kind of recognizes that cyber is important. We all use the Internet every day, we don’t well understand it and its security ramifications.

Cyber is shaping the world beyond the online space. One example is Stuxnet, the wonderful and scary little piece of malware that was able to sabotage Iranian nuclear research by causing a number of centrifuges to destroy themselves. On one hand, it’s like every other weapon in history. It caused physical damage. So what’s new about it? Well the new thing is that Stuxnet wasn’t a thing—it was a bunch of zeroes and ones in programming language. On the other hand, it was also a little bit like the first atomic bomb. It opened Pandora’s box. The point being that there is a line that connects what’s new to what’s old of kinetic and non-kinetic.

Your books are flush with historical tidbits—would you call yourself a history buff?

Oh, I’m definitely a history buff. I love history and I love telling stories from it. But I also believe in the Mark Twain saying—well, it’s credited to Mark Twain, but some say he didn’t actually say it—that “history doesn’t repeat itself, but it does rhyme.” While we don’t see exact replications of the past, we can certainly learn from good and bad choices made in the past.

Could you see yourself writing a purely historical inquiry?

Well, some people have said that in this book we may have just accomplished writing the first history of cyberspace and cybersecurity. We’ve got everything from the story of how the Internet actually came about to the story of the time Pakistan accidentally kidnapped all the world’s cat videos. One anecdote is an example; 500 of them may be a history.

You often draw from historical examples of kinetic wars, and yet do you think that cyberwar complicates the archetype of warrior and hero? As opposed to the Odysseus figure, we have people who are sitting in dark basements, typing away on computers.

You shouldn’t have said Odysseus. You should have said Achilles for that prototypical warrior hero.

I was thinking of Carl Jung’s Odysseus.

Ahh. Poetry versus psychology. Well, we have the term “going to war.” “Going to war” has meant roughly the same thing for the last 5,000 years, whether you’re talking about Achilles (or Odysseus) going off to fight in Troy or my grandfather going off to fight in the Pacific in WWII. Our warriors would go to a place of such danger that they might never see their family again. That’s the thread that connects all warriors. And yet that truth of the last 5000 years is being broken by the emergence of a new wave of technologies that have allowed the human to be moved geographically and chronologically from the point of danger. With robotics and drones and cyber, the human role may be um 9000 miles away from the battle. There’s the Air Force drone pilot sitting in Nevada, flying over Afghanistan, or the programmer designing a weapon that will deploy by itself, six months later. This is a sea change in the experience of war. There was a recent controversy in the US military over whether drone warriors and cyber warriors should be eligible for medals or not. On one hand they’re playing important roles, fighting for the nation. On the other hand, they’re not physically exposing themselves to danger. People say that’s not what you should get medals for. This is not just a question of honor. The structures the systems we have for deciding when and where we as a nation go to war are still based on that idea of putting people in harm’s way. But now you can carry out acts of war without sending people into harm’s way, without risking soldiers. So how should we now decide whether to go to war?

The longbow transformed war, and the steam engine transformed war, and so did the railroad and the atomic bomb, but the narrative of war never really changed. And then suddenly these remote forms of warfare come along—the drone, the cyber attack—and the narrative of war changes. Would you say that’s fair?

Some things are changing, and some are not. At the end of the day what’s not changing is that no matter the technology—whether it’s a stone or a drone—war is still a human endeavor. It’s driven by human greed, human anger and human miscalculation. That’s how wars start. The stone, the drone, these don’t start the war. The humans behind them start the war. But the technologies do change the narrative of war in terms of heroism and courage. I joke that the best way to see this illustrated is through Mel Gibson movies. At one point in time the ideal warrior was the one who was most physically courageous and fierce, who led the charge into danger. That’s Mel Gibson in Braveheart. Then, you get the musket, and courage is defined not as being the fierce guy leading the charge, but being willing to stand in a line and calmly face danger and not run away. That’s Mel Gibson in The Patriot.

You’re really going to start testing my cinematic knowledge here.

Then, the notion of standing in a line, exposing oneself to danger changes from being bravery to insanity with the rise of the machine gun. That’s Mel Gibson in Gallipoli, and/or Mel Gibson on a Malibu highway.

But cyber is not just a new kind of weapon. It introduces the fight to a new space. This is what happened with the airplane, which opened up the air. It raised new ethical questions—new questions of where the battlefront was and should be. The same thing is happening in cyber, except that it’s a man-made space. Like humans, some features of this space are always the same, and others are constantly changing and are completely unpredictable. And that’s what makes it so damn challenging.

Do you think that we will eventually see a new kind of pulpy war book about hackers, instead of commandos?

There have already been attempts at that. But most of the pulpy stuff doesn’t reflect the realization that in both good fiction and the real world, the story is about the people. The pulpy stuff also always tries to raise the stakes—to ill effect, I think. I do consulting with Hollywood and the phrase that’s constantly used there is “raise the stakes.” I was part of a movie project in which the fate of the U.S. government, and democracy itself, was at stake. The feedback from the studio executive was that we need to figure out how to raise the stakes. The survival of the United States was at stake—well, no it has to be the survival of the world!

Everyone is looking for that “cyber 9/11” or “cyber Pearl Harbor” whereas in reality the threats in the cyber world range from your credit card being stolen to the designs of a jet fighter being stolen. On one hand, those aren’t sexy. But on the other hand, the cumulative total of all these attacks may be far more consequential than the kind of outlandish scenarios that people talk about. There’s the danger of a single cut, or death by a thousand cuts.

Did you have a steep learning curve when you were writing this book?

Oh, definitely. It was a learning curve trying get a better handle on the dynamics of the technology—how things actually work—but even more so, how to explain it all in a manner that can be read by anyone from a senator to a business executive to your average New York Times reader. The challenge of the writing is not just how to understand it for yourself, but how to translate that in a manner that um will be easy to understand by readers. Oh and by the way, it still has to be interesting and accessible.

What about the mechanics of language, though? How do you simplify the complex vocabulary of this field?

What we found in cyber is that it’s not so much about trying to simplify specific words, but rather how to explain the very different meanings that people have when they use the same word. And this is not just important for the reader, but this has huge political and policy consequence. My co-author, Allan Friedman, and I open one chapter by talking about a negotiation between American and Chinese leaders. The Americans began by saying that they “very much welcome this engagement” and that there needs to be more engagement. The Chinese leaders interpreted “engagement” as either an engagement to be married or engagement in terms of an armed battle. Either way, they are very confused as to why the Americans want more of this with them.

Where do you go from here? You did drones, you did robots, and now you have done cyber. Is there a new transformative war technology that I still haven't heard about that you already know about?

I have not firmly answered that for myself in the nonfiction space, but there are two fiction projects that you’ll hopefully hear about soon.

Arthur Holland Michel is the founder and Co-Director of the Center for the Study of the Drone, an interdisciplinary research, art, and education project at Bard College.