Dr. Peter Singer on his new book, Cybersecurity and Cyberwar
By Cynthia Iris

International Affairs Forum: You have just launched your book, Cybersecurity and Cyberwar. The subtitle of the book is, What Everyone Needs to Know. You wrote the book for a very wide audience, from government and the military, to corporations and even parents. Why not focus on a few key groups, such as the military and government contractors, and write the book for them?

Dr. Peter W. Singer: The underlying goal of the book hits the problem area. Cybersecurity issues are as important to you on an individual level and in questions of the security of your bank account, your privacy, and yet they ripple up to those very same questions matter to you as a citizen, to senators, to judges, to presidents. To the role, they also matter in issues of corporate life. At the same time, we also see they connect to questions of war and global stability. What drove us in the book is there is no issue that has become more important more rapidly in politics, business, war, law, you name it, that is less understood than cyber issues. So, that’s the goal of the book. There’s very much an emphasis on the idea of everyone needs to know.

IA-Forum: In reading your book, it was clear that you interviewed a broad range of experts and interested parties and read extensively on the subject. From that phase of the book, who were your most informed sources, and why?

Dr. Singer: They tended to be younger and more junior in the organizations that they were in. So, you look at government agencies and departments -- there are people who know the issues incredibly well. The problem is, they’re not yet in the big boy chairs. The same could describe corporate. The same could frankly describe law.
We have these wonderful anecdotes from all these different spaces there’s a huge amount of cyber security expertise within government, and yet you had the Secretary of Homeland Security, the civilian agency, ostensibly in charge of cybersecurity, who talked about, very proudly, how she doesn’t use email. In fact, hasn’t used social media for over a decade. Not because she doesn’t think it’s safe or secure, but simply because she just didn’t think it’s valuable. Same thing is replicated at the Supreme Court, which will ultimately adjudicate many of these key issues, to business. Seventy percent of business executives have made some kind of cybersecurity decision for their company. And yet, no major MBA program teaches on it. Even the field of international relations (IR). This is a crucial area for the future of war, questions of world politics, regional politics. If you work on U.S./China issues, if you want to understand the Arab Spring, cyber comes up again and again. And yet, it’s viewed as this technical area. My concern is that we stove pipe it, concept-wise, and think it’s just for the experts. The experts often tend to be a little bit wonkier, a little bit more technical, frankly a little bit more junior. And yet, we’re all the ones collectively making decisions around it. This is an issue that’s frequently stove piped, so you will see people from the IT crowd who wonderfully understand the technology, but don’t understand the ripple effects that it has in the other domains. In turn, you’ll have someone who, for example, deeply knows the law, but doesn’t know what’s technically possible or not. And so, you see these field divisions really strike hard in this realm, and of course we know that in the real world, it’s not these stove pipes, the real world doesn’t follow those stove pipes. 

IA-Forum: So, one conclusion that you draw from your research and interviews is that many public officials are naïve about cybersecurity and that this is beginning to have a dangerous impact on the global order. Can you give us a couple of good illustrations?

Dr. Singer: Let me give you two. One would be the Cold War comparison. The comparison that’s been made by everyone from international relations professors to congressmen to generals to prominent news columnists. If you know both your history and your cyber side, you quickly realize that if there is any parallel, it’s not what these people mean. It’s the cabinet official who told me how malware is “just like a WMD”, and went into the notion of the value of cyber deterrence framework that could have been written by someone in the 1950s. But rather, and this actually goes back to that date, if there is a Cold War parallel, it’s to the early days of the Cold War when both nuclear weapons and the political dynamics that they drove really weren’t well understood. The notions that we now laugh at, as Doctor Strangelove-ian, were actually taken seriously. And the same when it comes to the IR side of this – think about the early ways they approached it, versus the much richer understandings that we have today. There’s not just an academic IR question, there’s very real tensions being spurred by this. We, for example, explore the relationship that, between the United States and China, and what cyber is doing to that. I would argue there is no relationship more important in the future of global stability than these two great powers. And in the book, for example, we have, on one hand you have the quote from the U.S. Congress that describes China as “the most dangerous actor on the Internet”. On the flipside, you’ve got the Chinese Academy of Military Sciences report that describes how, “an Internet tornado has swept across the world”, and that we must engage in a “warm up for an Internet war”.
Top American and Chinese government officials talked with us about how they found cybersecurity to be far more challenging than traditional concerns between the two nations. That is, what you had is this mix of confusion and misinformation about the basics that’s helped drive the fear and instability between them. They compared it to issues like trade, human rights, regional territorial disputes, which pop up again and again in IR literature. They said, look, ‘we may not agree on these issues, but we at least understand them; we know how to do the dance’. That’s not the case for cyber. And it’s not just about understanding what the other side is doing, but also frankly what their own nations are doing, which goes back to that Doctor Strangelove comparison. And even the basics, the anecdote we give in the book is the senior American government official involved with talks with China on cyber issues, who asked us what an ISP was. Which, you know, if this had been back in the Cold War, it’d have been like not knowing what an ICBM was in the midst of negotiations with the Soviets on nuclear issues. I could go through an IR department and find a huge number of people that don’t know that. My mom doesn’t know what an ISP is. She does know what an ICBM is. She’s a retired nurse. An ISP affects her life far more than an intercontinental ballistic missile. But it’s because she grew up in an era where people may not have agreed on different nuclear issues, but they could talk about them, they understood them. We’re just not the same here.

IA-Forum: Do you think that it is really partly a generational issue? That it's a matter of the 'digital immigrants' versus the 'digital natives'?

Dr. Singer: It’s part that, but if that was the case we could wait around for it to be solved. And we can’t, because there’s too many issues that will have to be dealt with and resolved before that generation moves out of the chairs.
But more seriously, just because you’re young doesn’t mean you understand these issues inherently. And in fact, go back to what we were talking about before, the advantage of a digital immigrant versus a native is that they’ve been in both worlds. And so, they can draw lessons and understandings from both worlds. And, just because you understand the technical side doesn’t mean you understand the history, including from other fields. And so in the book, we draw lessons from everything from the age of sail and how we dealt with privateers, and the rise of global norms, to the emergence of some of the most effective government agencies in history, like the Center for Disease Control. You’re drawing from different fields, different lessons. Keep in mind new fields that treat everything as brand new and don’t draw lessons from others can end up repeating some of the same mistakes. I talked about that Doctor Strangelove parallel. Another one would be is offense/defense: in the cyber world, there is a series of assumptions that have been built around the idea that the offense will have an advantage, as in the words of one U.S. military report, “for the foreseeable future”. Not just now, but for the foreseeable future. There’s a series of issues that are wrong with that. And these comments are from people who very much understand the technical side. But, they’re ignoring three core things. The first is, when you dip into it a little bit deeper, the offense is not that easy – to pull off a sophisticated campaign, or even an effort like a Stuxnet. There’s not the inherent advantage that too many people think is out there. The second is they’re ignoring a great deal of military history. Every time someone thought the offense would be dominant forever, it turned out to be the opposite. World War I is a great illustration of that. And not understanding that drove crisis instability. 
The third is that they’re applying an assumption about what that means and not recognizing the very vast and deep literature and debate in IR over offense-defense. So, the assumption is if offense is dominant, then therefore we should spend far more on offense. In fact, depending on the study, the U.S. is spending 2.5 to 4 times as much on cyber offense research and development as we are cyber defense. But go to the IR literature in offense-defense, and people say, ‘maybe not, don’t just take this as an assumption that’s the thing you’re supposed to do’. You know, to give a different metaphor, it’s a lot like standing in a glass house with gangs of roving teens, because it’s not a dyadic relationship, and saying, ‘the best thing I ought to do is go buy a stone sharpening kit’.

IA-Forum: Should the military have its own private Internet?

Dr. Singer: The military in a certain way already does. SIPRNet, its own secure, sort of separate net from the rest of the Internet. And very well, it should; it makes sense for it to have that kind of separate communication. But no one should imagine for a second that that solves the problem. First is the supposedly separate safe Internet has been penetrated multiple, multiple times. Sometimes from the outside, and sometimes from the inside. And like every other air gap in history, it’s not worked. Second is, just because you have your separate Internet doesn’t mean that you’re still not dependent on the rest of the Internet that all the rest of us use for your direct operations. Yes, the military has SIPRNet, but 98% of all U.S. military communications still go over the civilian-owned and operated regular Internet. That’s the same for all the other actors out there. To the non-military entities that the military depends on are using it, such as the private military industry. Yes, your networks are secure, but the companies that supply and move all of your logistics aren’t on it.
So, if they get hacked, yes, your network may be secure, but they could end up delivering you toilet paper instead of bullets, just by a simple change in the shipping container barcode. To the broader realm of national security, which is the broader infrastructure. So, again, the threats in cyber space reflect the users of cyber space, which reflect the governance of cyber space. It’s multi-stakeholder. It’s everything from the more than 100 Cyber Command-like military entities that are out there, more than 100 nations have them, to corporations, large, Google-esque, down to small cupcake stores, to collectives that range from hacker collectives (the Anonymous groups of the world), to collectives of people that love IR literature and cute cat videos, to you and me and your mom and your kids, we’re all active in this space. And that means we all have responsibilities, but we all play a role in some of the various threats and responses out there.

IA-Forum: How is Estonia ahead of the U.S. in models for cyber war?

Dr. Singer: We look at Estonia as a great illustration of an alternative approach to mobilizing the skill sets of your populace in cyberwar and defense. In the United States, we have created a military command, Cyber Command, and it is far better funded than the civilian cybersecurity sides. Pentagon spending on cybersecurity is essentially around 10 times as large as Homeland Security spending (it kind of depends on how you add up the different lines). But then you get to the question of, 'how do we mobilize outside of government'? And what are we doing? We’re running it through our traditional National Guard and reserves. So, we’re seeing various guard units being created for cyber. That’s good that we’re doing more, but you’re not going to get all of the best talent involved that way. A Silicon Valley programmer may want to help his nation, but not have to be eligible for being deployed to Kuwait on a training exercise.
In Estonia, they have something called the Cyber Defense League – an organization that allows the government to tap the wider expertise but these people are not wearing a formal uniform, being called out for other activities. What’s important is it’s not just IT specialists, it’s also people who understand things like engineering and law and the like. They utilize it in lots of different ways. It’s to be on call in emergencies, it’s a pre-vetted force of experts who can come in and help out. They also use it to do things like ‘red team’ different government networks. They do online voting there, so they try and find holes in it before the bad guys do. In many ways, it’s a different approach if we’re thinking of military parallels, it’s the difference between a traditional guard force versus the kind of defense that nations like Switzerland design for themselves, and the Nordics. And so, the lesson here is that there’s no one best way. Each nation is going to have to find its own way. But, large powers like the United States should not think that their way is inherently the best and that there are no lessons to be learned from the smaller powers like an Estonia.

IA-Forum: You point out the Silicon Valley issue, where that industry feels like it’s in an arms race with its own government. Along with that, you believe intellectual property loss is a bigger issue than a cyber-terrorism attack. So, how does the government and private enterprise, just within the U.S., best work together for cyber security?

Dr. Singer: Huge issue, huge problem made all the more difficult by the Snowden revelations. As you put it, these companies now see themselves, and it’s a quote from a senior technology executive, in an arms race with their own government. Trust is crucial in areas of international cooperation studies we found. It’s also crucial in the running of the Internet itself.
And that’s been one of the biggest victims of the disclosure of these various activities that were going on there. One of the key areas is to understand that we all have responsibilities in this space, and it’s not something to be handed over to one actor or another. So, if you’re thinking about everything from the massive, massive campaign of intellectual property theft emanating from China, by one measure, the largest theft in all of human history. As opposed to the 31,000 mass media and academic journal articles that have explored cyber-terrorism, which is a fictional scenario that has not happened yet, doesn’t mean it never will, but let’s be blunt, 31,000 articles about something that has never hurt or killed anyone. Versus something very real, this massive campaign, which is having very real consequences. To disruptions, where the goal is not to steal information, but to disrupt the flow of information in some way, like a political protest. An online political protest. In all these areas, it’s not simply for the government to handle. The man on horseback to come rescue me. And yet, that’s how it’s painted. Think about two banks moving cash between them. They have a van, and a group of protestors in the street block the van for a couple of hours. No one would ever say, ‘where’s the government’? Change that van and the cash in it to the 0 and 1 of software, and we somehow think about it as a government responsibility. Or the same of someone stealing secrets from me. That doesn’t mean the government doesn’t have a role to play, particularly when it comes to activities that are linked to another government, where they’re using the tools of traditional espionage, and you’re using the tools of traditional espionage, both back at them, but also to understand what they’re doing. And a large part of what needs to happen when we think about these campaigns is the flow of information to understand the threats, to better react against them. 
And that’s why we’re seeing that in some sectors, where government and corporations work well together in sharing information back and forth, and finance would be an illustration of that. We’re not seeing it in other sectors. This comes back to understanding the incentives, understanding the laws and government powers in place and where they’re missing.

IA-Forum: You talked about hardware, software, and ‘wetware’. What is wetware and how important is it in the cybersecurity equation?

Dr. Singer: Wetware is the people. This is a story not about the software, not about the hardware, it’s not about getting the special widget or the secret sauce antiviral program. That’s the best way to be taken advantage of. If you want to understand the threats. Want to understand the best responses to them. You want to understand why the best responses aren’t being implemented. It’s about the people, or the organizations they’re in. The incentives that drive them. The costs, the disincentives, it’s all about the people. And that’s great from a writer’s standpoint, because you get cool stories, cool characters out of that, to weave into it. That’s great from a social science perspective, because it means you have a role to play, too. And the understandings of what’s playing here, drawing on everything from international relations theory to anthropology. To, when we think about our own individual efforts to take, to protect ourselves, to protect our kids, there are things that are about us that are within our power, they’re within our power to effect, that are within our power to understand.

IA-Forum: So, would you say that people are more important in the equation than the technology?

Dr. Singer: Yes.

Peter W. Singer is the director of the Center for 21st Century Security and Intelligence and a senior fellow in the Foreign Policy program. Singer’s research focuses on three core issues: current U.S. defense needs and future priorities, the future of war and the future of the U.S.
defense system. Singer lectures frequently to U.S. military audiences and is the author of several books and articles, including his new book, Cybersecurity and Cyberwar: What Everyone Needs to Know, Oxford University Press, 2014, co-authored with Allan Friedman. The book’s website, cybersecurityandwar.com, has a variety of academic and related resources. Singer received his Ph.D. in government from Harvard University and a B.A. from the Woodrow Wilson School of Public and International Affairs at Princeton University.