On March 1, 2017, Singer testified in front of the House Armed Services Committee on what steps the country should take to prepare to take on decades of cyber mischief and worse. 

Q: In your testimony to Congress on March 1 you said that the war now involving cyber is the inverse of the Cold War. Can you talk about what this means—the inverse of the Cold War—and what its implications are?

A: The argument that I was making was that there are apt parallels with the Cold War and also fundamental differences. An apt parallel would be that, contrary to the visions of cyberwar in movies and in D.C. policy circles of power grids going down in a fiery “cyber Pearl Harbor,” what we are seeing is a competition more akin to the Cold War’s pre-digital battles, where you saw a cross between influence and subversion operations with espionage. That’s particularly true with what Russia has been up to.

This means we need to take new approaches to deterrence, reflecting the dual goal of both preventing an ongoing conflict from escalating, but also responding and better defending ourselves.

Yet, there are also fundamental differences with the Cold War, particularly in how we establish what the norms are. If you go back to the Cold War, everyone was concerned with just one kind of attack, a nuclear one. It was very clear whether it happened or not, and it was very clear who would be behind it. In contrast, now we have multiple different types of cyberattacks, with goals ranging from stealing information to blocking information to changing information. The attribution problem is fundamentally different, not just who did the attack, but even your awareness that you are under attack. There is not a clear cloud of smoke coming after the missiles launch, so we often don’t even know when a cyberattack has occurred.

But also some of the normative questions are different. In the Cold War we were weirdly okay with the Soviets targeting everything from a missile base to a city, but it was known they couldn’t actually cross the line and conduct the attack. If you hit anything, war is on.

In contrast, in cyber conflict, we’re not going to stop all types of cyberattacks, but there are some types of targets that we all have to agree to keep off the table. So stealing information from each other is something that states have always done, throughout history, and now they’re just doing it through digital means. So it’s okay if you steal information, weirdly enough, from one of our government agencies. We may not like it, but that’s within the rules of the game. So for example, the OPM (Office of Personnel Management) breach—which reportedly originated in China—is a not story of “shame on them” but “shame on us” for not securing the information better.

On the other hand, we may say stealing information from a private business violates the rules of international trade. So if you’re stealing a design from a car company and then copying and building that car, that’s a violation of the rules of that game.

Or, a new kind of norm might be that there are some types of targets that are off the table because they’re too clearly escalatory, or too prone to confusion and mistakes. So don’t go monkeying around with nuclear power plant control systems. The consequences of us finding you, or you making a mistake, are too great. That target should be off the table completely.

Q: What you’re describing is a free for all. These norms you’re talking about are counterintuitive and weird.

A: They may have once been weird, but they are now the new normal. If you go back in time to the Cold War, the very idea of Russia directly influencing the U.S. political system and that then a substantial portion of the government, including the president himself, would just shrug it off? They’d have said it sounds like the plot of that movie starring Frank Sinatra, The Manchurian Candidate. That’s absurd! But yet, that is exactly what is happening now.

Look, we’re down the rabbit hole in a lot of different ways. But again, there are fundamental lessons we should be following. As an example, if you want to establish deterrence, if you want to build norms, then clearly what threatens to undermine your position is inaction when an adversary clearly violates those norms.

Q: The timeline for reaction during the Cold War was the time the missile was in the air. Now, potentially, we don’t know when the breach happens, but we have an infinite amount of time to respond.

A: Yes, the timeline is extended out in both directions. Much of Cold War deterrent strategy was determined basically by physics, the roughly 30-minute window that it took a ballistic missile to arc across the globe and hit another continent. We had to be able to prove that we could hit that missile within that window. Proving that it could be done deterred the other side from a preemptive strike.

In contrast, in this space, in the corporate sector the average time between when a victim is attacked and when they know they’ve been attacked is between 160 to 205 days, depending on the study.

But today your ability to respond doesn’t have to happen within that window. It also doesn’t even have to be a like response. Today, if you cyberattack me, I can respond either through cyber means or I could use all of my other tools of power to find your leverage points.

As an example: Russia. I would argue that their pressure points are a rickety economy with oligarchic structures. It’s the 13th largest economy in the world and falling. So go after that.

You also have to keep in mind that you’re setting examples that everyone else is going to watch. That is again another of these downsides to us just looking the other way to arguably what is the most important cyberattack in history. And I don’t say that lightly.

By looking away, by not responding, to the Russia campaign against our election, we are telling Russia, “Hey, this works for you.” And as we can see they’ve moved on to similar tactics against our allies, with examples ranging from Great Britain to Norway to the current elections in France, Germany, and the Netherlands. But also, in addition to Russia, other actors out there are watching and learning. One of the underlying lessons of deterrence is that it’s not about punishment for punishment’s sake, it’s about influencing the other actors.

Q: Are we coming to a place where we define cyberattacks as war?

A: I’d put it this way: “cyberwar” is as abused a term as “war” is. We use war to describe everything from a state of armed conflict between nations, like World War II, to a state of strategic competition between nations that never turns to outright conflict, like the Cold War, to political campaigns against everything from poverty to sugar.

I don’t like to use the term cyberwar unless you’re talking about the classic definition of a state of armed conflict where there is actual violence, in which the internet is used not just to steal information but to conduct attacks that would have physical damage. That’s what we’re talking about in war.

But where I especially don’t like to see it is when people say, “Oh, the OPM breach, that was an act of war.” No, no it wasn’t. It was stealing information. Nations have always stolen information. No nation has ever gone to war over stealing information.

Others will say, “It’s a facility breach, North Korea conducted an act of war!” No, they attacked Sony, they outed its secrets but it’s not in the same category as when North Korean troops murdered, in plain sight, U.S. troops with axes in the 1970s and we didn’t go to war with them over that. And you’re saying that we would go to war over the fact that now we can read Angelina Jolie’s emails? We need to be precise in what we talk about, what we care about, and what we’re trying to stop.

Q: You’ve mentioned that hacking is an entry point to hearts and minds. In the past, the sphere of attack was mostly governments. But this is now something that individuals feel and that individuals have the ability to respond.

A: Yeah, I think you’re combining two different things there. The argument back in the Cold War was that the individual was not the target and had no great ability to contribute to the defense. No matter how hard you tried, you were not going to be able to dig a good enough bomb shelter in your backyard that would mean that Russia would count it as a reason not to attack.

In cybersecurity, there’s a lot going on, but individuals matter. They are often what are being attacked and, importantly, can undertake a set of cyber hygiene measures that will go an incredibly long way to preventing, deterring and discouraging those attacks.

Cyber hygiene won’t solve everything, but—whether we’re talking about political leaders, army officers or someone working at a furniture company—if we raise our game, if we don’t click that link we ought not to, we make the attacker’s job so much harder. We make it so much more difficult for them to succeed.

This is a space where you can build what’s called deterrence by denial or resilience. This is different but related to what you were asking about. During the Cold War, nations tried to subvert and undermine the politics and culture of their adversaries. We’re seeing that play out today, but through digital means. Russia is far more successful than they ever dreamed would be possible back in the Cold War. Sometimes it’s overt on social media, and other times there is a link to the cybersecurity side. So the cyberattacks and the influence operations are related but different.

To give an illustration related to campaigns: Political campaigns have long been targeted by hackers. In the 2008 and 2012 elections, the Obama, McCain, and Romney campaigns were all targeted by foreign state actors that wanted to penetrate and gain insights into what these campaigns and, more importantly, the people who were in them and were going to move into government, were thinking about policy. That’s always happened.

The difference in 2016 is that instead of merely just stealing the secrets, they were then exposed in a way that was designed to embarrass the target. The DNC breach had less in common with the OPM breach than it did with, for example, the Ashley Madison and Sony breaches. The hack was not to steal, the hack was to influence others.

So what are things we can do? They range from setting up better means to defend our elections, not just the voting machines as usually is talked about, but the political organizations that were actually the target. And learn from the past. Back in the Cold War, they created a group to respond to Soviet information warfare called the Active Measures Working Group. It was an interagency group that essentially identified Russian misinformation campaigns so that we could then respond to them. The Soviet Union, for example, was spreading false stories like we were using the 1984 Olympic Games as a way to secretly spread AIDS and stuff like that. We need a similar entity right now that can identify those misinformation campaigns online, out them, and allow us to respond to them.

Such an effort would be important not just in dealing with what Russia is doing, but it will also debunk the activity of what in Russian translates as ‘useful idiots’—aka people inside our own society, who are happy to spread lies and misinformation.

But it also involves actors outside of government, who have to take a long and hard look at themselves. That is everything from the social media companies that need to understand that their platforms are being used to take advantage of their customers. We’ve seen bot campaigns that swing from target to target, from trying to influence the Brexit Campaign to trying to influence American voters. Obviously the social media company can respond.

Also, the media needs to take a long, hard look in the mirror. I think it’s fascinating to compare how the media handled the Ashley Madison breach with how it handled the Sony and DNC breaches. Ashley Madison was about people cheating on their spouses. For the most part, the media reported the breaches but not the fruits of the crime, the individuals and what they were doing.

But when it came to Sony and the DNC the media reported the breach as well as the fruits of the crime. You could say that these two incidents involved people of public interest. Sorry! There were people like that in the Ashley Madison set, too. “But Sony involved a state actor!” Oh, because it was a foreign government influence operation, you played a role in spreading the information they got?

If the media says these things get reported case by case, then they’re being inconsistent. My point is that this isn’t only a government issue.

Q: It really does seem to me that what’s different here is the role of individuals to prevent, or foil, these attacks by exercising internet hygiene or not forwarding Facebook posts that look like trash.

A: Exactly, it also goes all the way to the individual. Am I going to play a role in poisoning the system further? And this includes learning to be more discerning. Just because it’s on Facebook doesn’t make it true.

Q: You’ve talked about punishment, having an anti-propaganda agency, but you’ve also talked about a kind of CDC that looks at breaches, reinforcing standards and metrics, offering bug bounties, and other things. Do you have a favorite in there?

A: No, because we need a wide array of activities. I think that there’s a feeling of helplessness, what can we do? Actually, there’s a set of identifiable actions we can do. And, importantly, as my testimony laid out, they’re non- or bipartisan. This doesn’t have to be a R vs. D space. To give an example, during the Obama Administration, a report identified the best practices in the private sector that could be brought into government. Now that we have a Republican president and Congress, they could adopt these suggestions. Ideas from business to aid government is a very Republican theme, so use them. Alternatively, being strong on national defense and deterrence and standing up to Moscow is in the very pedigree of the party of Reagan and Eisenhower. So, do it and be within your own party’s best traditions. The point is that there are a range of things we can and should be doing. History, however, is going to judge us on whether we act or not.

Q: Why won’t they act? Why hasn’t there been more action?

A: Good question.

The post Is the Cyber Era the New Cold War? appeared first on Zócalo Public Square.

You will not find it in the Oxford English Dictionary, but “cyberwar” made its first inauspicious appearance in 1987 when an anonymous editor from Omni—Bob Guccione’s other magazine—attached the neologism as a title for an article by Owen Davies, an Omni editor. Although he never used the word or developed the idea of cyberwar, Davies pretty much nailed the coming of robotic warfare.

But something was in the air. In 1987 and avant la lettre, cyberwar in the narrow sense of an attack by malicious code on a computer system, communications network, or critical infrastructure, had a more plausible debut as the “Jerusalem virus” aka the “PLO virus,” a logic bomb that would pop up on any given Friday the 13th. Top that, Jason.

The next recorded use of “cyberwar” was in 1991. A young academic steeped in too much William Gibson and Bruce Sterling, after watching way too much of the 24/7 coverage of the first Iraq war, delivered a paper at the Second Annual Cyberspace Conference in Santa Cruz California: “Cyberwar, Videogames and the Gulf War.” Shortly afterward he was asked by the short-lived PBS television show Late City to distill the 100-hour TV war into a two-minute video buzz clip (set to Sweet Bird of Truth by The The). He gave the concept its first definition: “a new virtual and consensual reality, the first cyberwar, in the sense of a technologically generated, televisually linked and strategically gamed form of violence.”

Both were promptly forgotten. I took some solace in Nietzsche, who said only that which has no history can be defined.

But then history responded with a vengeance: Just about every major war since Iraq had a cyber edge to it. To be sure, acts of primal if not always organized violence would continue—all too often in the name of creation myths that would not be out of place in the Stone or Bronze ages—on a daily basis by and against tribes, nations, and superpowers.

Many of these acts of organized violence continue to fit the classical definitions presented early in the 19th century by the Prussian Carl von Clausewitz, who variously defined war as a duel on a larger scale, a forceful act to compel others to do our will, and a continuation of politics by other means. The contemporary landscape of world politics is littered with casus belli that would not be unfamiliar to Clausewitz, or for that matter, to his eminent precursors like Machiavelli and Hobbes, who identified wars of gain (produced by imperial, economic, and military struggles for dominance), wars of fear (prompted by perceptions of a rising power or threatening evil), and wars of doctrine (caused by the clash of monolithic faiths and universalist ideologies).

But Al Qaeda, ISIS, and other non- and wannabe-state actors keep crashing the Westphalian system. Today’s new warriors intent on challenging the state’s monopoly on violence—like the insurgent, jihadist, or private militia—are not that far removed from their earlier counterparts, like the pirate, mercenary, and holy crusader. Even the guerre du jour of “hybrid war,” the corrosive mix of private criminality, public bellicosity, and authoritarian politics that scars the residual borders of the Cold War, has more than a hint of the medieval in the interplay of overlapping sovereignties, polymorphous combatants, and clashing cosmologies.

As long as global violence remains a viable, sometimes the only option in the face of intractable political differences, social injustices, and cultural struggles for recognition, war in one form or another will find a way. States, democratic or not, might be less inclined to initiate violence, but non-, para-, and anti-state actors have proven to be willing as well as able to use networked technology to wage asymmetric warfare—which in turn prompts over-reactions by states and furthers cycles of mimetic violence.

Classical war persists, as does the effort by new actors to offset disadvantages through new technologies. Even Clausewitz, ever the dialectician, acknowledged that “every age had its own peculiar forms of war, its own restrictive conditions, and its own prejudices.”

What is most peculiar about war in a “cyber age?” Depending on whether one goes back to the Greek (kubernētēs or “steersman”), Norbert Weiner (“cybernetics,” 1948), or William Gibson (“cyberspace,” 1984), “cyber” suggests everything from a control system with a feedback capacity, to a technologically-induced consensual hallucination, to a 400-pound hacker (pace Trump) subverting the U.S. elections.

Dating the cyber age is no easier. Someday archeologists will sift through the ruins of Bell Labs, find wire etchings in germanium and silicon and declare 1947, give or take a year, as point zero, from which microprocessors, packet switches, and fiber optics as well as digital code, information theory, and networked systems soon followed.

However, science will not capture the ghost in the machine. For that, we best go back to the originating myths. Cyber is, literally, as old as the Bible and other holy texts in which gods “steer” or “govern” the universe. In the Judeo-Christian version, those “who have no direction (kubernēsis) fall like leaves” (Proverbs 11:14); those who prosper understand that “with strategic planning (meta kubernēseōs) war is conducted” (Proverbs 24:6). Leaping a millennia or two forward, our techno-deities might not be as omniscient or omnipotent as past gods; but, weaponized and sanctioned by national security, they deter, disrupt, and if necessary destroy our enemies with relative impunity to us. Obama got religion, ordering 10 times the number of drone attacks executed by Bush; barely two months in office, President Trump increased them by another 432% over Obama.

Perhaps the most peculiar characteristic of war in a cyber age is how well it resists the traditional restrictions of warfare. As everything and everyone becomes connected, it’s very hard to confine cyberwar to a discrete place or bounded time. A few clicks, several thousand shares, and an incident escalates from a local to regional to international crisis. This is the force-multiplier effect of the cyber age, with 9/11 as the most seminal and inspirational example. Access to the internet and flight simulators made it possible for Osama bin Laden and 19 kamikaze fanatics to topple the World Trade Center, hit the Pentagon, kill nearly 3,000 people, and cause billions of dollars in damages (trillions if we include second-order effects, like the Iraq War and the rise of ISIS).

If there is a prejudice to war in the cyber age, it can be found in the conceit that virtualization makes war more virtuous. Rather than resorting to the convention of bombs, the United States and Israel inserted the Stuxnet virus to degrade the Iranian nuclear weapon program; no matter that the virus proved to be less than a precise munition and rapidly spread to non-targeted industrial platforms. Wikileaks hacked thousands of embassy cables to make U.S. diplomacy more transparent and democratic; no matter the collateral damage done to alliances and coalition efforts to restrain anti-democratic regimes. Drones pursue a cleaner kill; no matter the virtual terror induced upon whole populations.

Thirty years on, I think it is safe to say that we have not seen the worst of war in the cyber age. With so many networked actors operating simultaneously across multiple levels of power, prediction, pre-emption, or restriction of cyberwar is exceptionally difficult. Distinguishing intentional from accidental acts is hard. Knock-on effects will grow.

The cyber advantage might now go to the most technologically advanced powers, but the law of uneven development gives latecomers the edge. Which is why we should be asking now, before rather than after the Owl of Minerva takes flight at dusk, what war will look like in the quantum age.

The post The Cyber Age Demands a New Understanding of War—but We’d Better Hurry appeared first on Zócalo Public Square.