From hacked credit card data to compromised state secrets to cyber terrorism, Internet security has moved to the forefront of public consciousness. In their new book Cybersecurity and Cyberwar (an entry in a “what everyone needs to know” series published by Oxford University Press), P. W. Singer and Allan Friedman address realities and prevalent fears surrounding use of the Internet. Singer is a Brookings Institution scholar, and Friedman is a visiting scholar at George Washington University. We asked them to pose six pertinent questions about the future of cyber threats to the public.
1. With all the cyber risks out there, the temptation is to build higher and higher walls to keep the bad guys out. This approach works about as well as the Maginot Line worked for France during World War II. Our systems are too complex, with too many different components that may contain exploitable vulnerabilities. As we get better at protecting one level, attackers simply shift their focus. The solution has to be a model of resilience. Unfortunately, like art or obscenity, resilience is notoriously hard to define. The word connotes being able to bend but not break, to accept that bad things might happen but recover quickly. The damage from an attack should be localized, without causing catastrophic damage. This goes beyond engineering to apply to our organizations as well. How can firms and governments move to a more resilient posture, particularly when politics rewards notions of 100 percent security or deterrence?
2. From the stirrup to the airplane, the advance of technology has been inextricably linked to warfare, and the history of the 20th century teaches us that that story seldom ends happily. Modern society has grown dependent on information systems, and the insecurity of these systems will enable adversaries to cripple essential infrastructures. Unlike the massive investments necessary to build, say, an ICBM, a cyber attack is notionally much cheaper to develop. Some say this will radically change the balance of political and military power. However, recent news about the Stuxnet attack against Iran and penetrations into American corporate networks suggests that sophisticated attacks require substantial knowledge and resources. How will the ability to engage in cyber operations transform the future of international conflict?
3. Information technologies have empowered individuals and historically marginalized groups in unprecedented fashion. Protesters in Cairo can be heard in Washington in real time on Twitter. Entrepreneurs can sell whatever they want over the Internet—legally or not—and take their payment in the cryptographic currency Bitcoin. Owners of particularly cute cats can share videos with procrastinators everywhere. Yet the state is far from obsolete. The recently leaked documents from the National Security Agency demonstrated the vast reach of the surveillance state. Governments can still confiscate property and throw us in jail. How much has the power of the state really changed in a digital world?
4. Cyberspace may be a public commons that touches on many aspects of our lives, but much of it exists largely in the private domain. Most of the networks through which our bits flow are owned and operated by private companies. We’re dependent on commercial innovators to build our computers and the software that runs on them. Corporations fear that overregulation of this dynamic domain will kill the goose that laid the digital golden egg. At the same time, the laissez-faire model clearly isn’t working: our increasing dependence on this digital domain has introduced new risks to everything from the electricity grid to the financial sector to our ability to have private conversations online. How can the government encourage a wildly diverse set of private institutions to secure themselves?
5. The most popular password on the Internet today is 12345, followed by password. For many reasons, it’s impossible to build a purely secure network or computer, but the most glaring weakness in most security systems is the people who use them. We shouldn’t be surprised—most of us use computer systems for nonsecurity reasons, and security thus is hard to keep in mind the entire time. Still, there are some obvious lessons we could learn. A noteworthy breach of the Department of Defense’s secure computer system happened when an employee picked up a memory stick he found on the ground and put it in a secure computer. That’s not advanced “cyber hygiene”; that’s the five-second rule! How can we teach people to take information security practices more seriously?
6. Cyberspace is rapidly evolving past a simple network of computers and spilling over into the physical world. Our cars depend on computers to start and stop; modern houses are sold with Internet-controlled thermostats; pacemakers and implantable insulin pumps can be updated and controlled by a wireless network. We have begun to reap the benefits of what is called “ubiquitous computing.” Yet despite the growing attention paid to cyber security, this new “Internet of Things” appears to be every bit as insecure as its predecessor, and in many cases even more so. Smaller devices have less ability to run protective services, just as smaller interfaces are more helpless in getting users to appreciate the risk. Who will be responsible for protecting the next generation of Internet-enabled gadgets? If we all buy them, and they all break under attack, whom will we blame?