The cyber threat

Singer draws a parallel between effective cybersecurity and good hygiene. “We teach our kids, ‘Cover your mouth when you cough,’ not just to protect yourself but because you bear a responsibility for all the people you’re going to connect with,” he said. “We need that same kind of responsibility in our online life.”

Examiner: Why should the average American care about cybersecurity?

Singer: No issue has become more important more rapidly — and is less understood — than cybersecurity. It connects everything from the security of your bank account and your personal privacy, all the way to the future of world politics, such as that first example of the [Edward] Snowden NSA disclosures, which took a national political thing and made it global.

As long as you’re on the Internet, you ought to care about it. And yet, cybersecurity has been largely treated as an issue for the IT crowd, or as a White House official put it, “A domain only for the nerds.”

Cybersecurity is caught in this mix of ignorance and fear — and that’s a really bad place for something so important to be stuck. The only way we’re ever going to get anything effective done is if we demystify it.

Examiner: There’s an intersection between the cybersecurity of personal information and national security, isn’t there?

Singer: Oh, absolutely. First, because we’re all on the same networks, we’re in the same domain. So, 98 percent of U.S. military communications move across the same civilian-owned and -operated Internet that the rest of us use. We are in a world where an email from a general moves the same way that a cool cat video does.

Examiner: Citing the recent Target hack, Adm. Mullen said cybersecurity keeps him up at night. Why would a senior defense official be so worried about something like that?

Singer: That’s a really good question because he shouldn’t be. That’s not the military’s responsibility — that’s Target’s responsibility. Similarly, the Army recently said it needed to add spending in cybersecurity because it needed to protect energy companies.

I do believe there are growing threats, and I do believe there’s a need for more military spending. But the way we often justify it — by pointing to these non-military, non-national security-related areas — is not only a distortion of threats, but also a distortion of responsibilities and responses. If this is framed as an area that requires a man on cyberforce to come save you, it makes you think that it’s not your job. That may be good for a certain agency’s budget, but it may not be good for national security in the broader term.

General [Keith] Alexander, who’s head of both the NSA and Cyber Command, testified to Congress that, “Every day, America’s armed forces face millions of cyber attacks.” That’s his quote, not mine. But to get to that number, millions, he’s combining everything from address scans and probes — some that are malicious, a lot that are just automated — attempts at pranks, attempts at political protest, and attempts at diplomatic, economic and national security espionage. Yet none of these millions of attacks are what people think he’s talking about. They are thinking of the so-called cyber Pearl Harbor, cyber 9/11, that’s been cited in the media and in government speeches a half-million times. We’ve got to get beyond that.

I’m not saying there are not threats here. I’m just saying the way we talk about them is caught between this mix of ignorance and hype and fear, or what some people call the FUD factor — fear, uncertainty and doubt. You can’t mix those together and think you can operate effectively on it.

You constantly hear people say, “This is just like the Cold War.” No, it’s not. If there’s any Cold War parallel, it’s to the early stages when we neither understood the technology nor the political dynamics driving it. I think 10 years from now, we’ll go, “Oh, my gosh, why were we even listening to that?”

Examiner: Does the perception that the military should care about hacks against banks or retailers impede the civilian, corporate and military responsibility to deal effectively with cyberattack?

Singer: Yes, on a number of levels, because it distorts the sense of responsibility. There’s roughly a 12:1 ratio of spending between military cybersecurity and cybersecurity spending by other government agencies. I’m not saying the military shouldn’t be spending—I’m just saying that’s a weird balance.

And then there’s the effect that it actually might have on the military. This is an absolutely crucial area, part and parcel — not just the future, but the present of warfare. If you distort your approach to responsibility, you may not achieve some of the doctrine or capabilities needed on a future battlefield.

It’s a mix of both recognizing the threat, seeing that threat out there, and wanting to do something about it — but also that it’s a way to get funding. You can see this in the defense budget. A couple of years ago, the word “cyber” was mentioned four times. In this year’s budget, it’s mentioned 147 times. It’s one of the few parts of the budget that’s growing, so everybody wants cyber mentioned in what they do.

Examiner: Considering this idea of millions of attacks, if we’re comparing little things with big things and treating them equally, we’re not applying the resources correctly, right?

Singer: You’re not applying them right, and it also creates this mentality that, “It’s so overwhelming, what can I do? Oh, I need the man on cyber horseback to come and save me.” No.

Whether you’re running a bakery or a defense contractor, you have responsibilities and things that you can do. Because we’ve mystified cybersecurity, we’ve ignore the fact that a series of fairly simple but very effective measures would go an incredibly long way.

One study found that the top control measures are basically common practices — things like don’t accept outside hardware into your system, and look for anomalies in traffic. These are things that anyone should be doing, whether they’re the NSA or a bakery. The study found that these steps would stop as much as 94 percent of all attacks.

Examiner: It seems that every defense contractor is jumping into cyber and offering some solution, and the military is looking at tons of these. How would you assess how the Department of Defense is working in the cyber arena right now?

Singer: The Department of Defense is the best government agency working at it right now, and that’s because of the larger budget and because it has the proper incentives to do well. The Department of Defense recognizes the threats, and these threats are meaningful to it in terms of national security consequences. Defense can affect change on its own organization because its ability to cajole people into doing what needs to be done is far more effective than, say, Health and Human Services or Commerce.

However, there are a couple of problems. One is the bringing together of NSA and Cyber Command, which I think we’ll look back on as an oddity. Second is that we have to figure out the responsibilities in this space, particularly in warfare.

The third issue is the balance between cyber offense and cyber defense. The assumption has taken hold that cyber offense is dominant over defense, and as one U.S. military report put it, “will be so forth in the foreseeable future.” So not just now, but forever and ever, cyber offense will be dominant. That’s led us to spend, depending on your measure, two-and-a-half to four times as much on cyber offense research and development than on cyber defense.

Actually, cyber offense isn’t as easy as it’s often portrayed, and cyber defense isn’t as weak as it’s often portrayed. You hear people say things like a couple of teenagers sipping Red Bull in their parents’ basement could carry out a weapons-of-mass-destruction-style attack. Stuxnet illustrates the power of cyber weapons, but it’s not something a couple of teenagers could pull together. It would’ve involved everything from intelligence analysis collection, some of the top cyber talent in the world, nuclear physicists and engineering experts. Stuxnet showed you the power, but also that it’s not so easy.

The U.S., and particularly the U.S. military, is incredibly dependent on networks, and this is not a binary situation where you just face one threat and you can create some kind of deterrence framework. Here’s the parallel: If you’re standing inside a glass house — and you’re worried about everything from militaries to terrorists to criminal gangs to teenagers roaming in your neighborhood — you don’t say, “The one thing I really need to do is buy a stone-sharpening kit.”

Examiner: Several Department of Defense officials have raised some interesting points about the difficulty of adopting technology through the normal procurement system before it becomes obsolete, including the problem of personal communications on the battlefield and getting people’s smartphones integrated into a secure military system.

Singer: If you have a government acquisition system that’s set up to buy widgets when it’s actually buying a mix of software and services, you’ve got a disconnect. Previously, with the new generation of technology, the government had been in the driver’s seat of investing in the R&D of something new and buying it. Somewhere along the line, it might spin out into the civilian sector. Instead, today it’s Silicon Valley, and your challenge is how do you spin it in?

Where’s the hub of the innovation happening? Is it the Beltway, or is it Silicon Valley? Who does government contracting better: the Beltway or Silicon Valley? You’ve got the efficiency and effectiveness versus the threat side. So on one hand, yes, you’ve got an insurgent who’s able to call in and target mortar strikes on a smartphone that he bought at a bazaar versus our folks who are using communications gear that my dad would recognize from Vietnam.

Examiner: Service members have told me that for the past 10 years on the battlefield, soldiers are bringing their personal communicators. iPhones and BlackBerrys are on the battlefield. The only problem is that the iPhone that the soldier bought at the PX before he deployed is running off the local network.

Singer: Yes, you hit it. You have frustration with the old technology that the acquisition system is giving them, and so they’re saying, “Look, I can get this myself, and it’ll work better for me” — but that comes with vulnerabilities.

Let’s use a non-U.S. example. In the recent Lebanon war with Israel, Hezbollah exploited that really well. They were able to do a lot of signals intelligence against the Israelis, and they weren’t just going after their military communications — they were going after cell phones so that they could figure things out, tap conversations, etc., in a way that caught the Israelis completely off guard. And that’s a non-state actor, a really effective non-state actor.

Examiner: How can the military protect against those kinds of attacks?

Singer: It’s actually the same as in any business organization. There are certain things you can and can’t bring into certain areas. I may be okay with you having a cell phone in this space, but not when you move to the other. So first is to catch up your own acquisition so that they’re not bringing in the outside gear. The problem is that’s a slog for people right now.

It’s getting better. For example, a couple of years ago, the idea of an app was, “Huh?” Now you’ve got the development of app marketplaces where it’s literally apps that soldiers have written that other soldiers can pull from. There are apps for everything from exercise programs to bomb-targeting programs. Each year, it gets better.

Charles Hoskinson is deputy opinion editor for the Washington Examiner.