CYBERSECURITY AND CYBERWAR WHAT EVERYONE NEEDS TO KNOW ®
“In our digital age, the issues of cybersecurity are no longer just for the technology crowd; they matter to us all. Whether you work in business or politics, the military or the media—or are simply an ordinary citizen—this is an essential read.”
—Eric Schmidt, Executive Chairman, Google
“This is the most approachable and readable book ever written on the cyber world. The authors have distilled the key facts and policy, provided sensible recommendations, and opened the debate generally to any informed citizen: a singular achievement. A must read for practitioners and scholars alike.”
—Admiral James Stavridis, US Navy (Ret), former NATO Supreme Allied Commander
“In confronting the cybersecurity problem, it’s important for all of us to become knowledgeable and involved. This book makes that possible—and also fascinating. It’s everything you need to know about cybersecurity, wonderfully presented in a clear and smart way.”
—Walter Isaacson, author of Steve Jobs
“If you read only one book about ‘all this cyberstuff,’ make it this one. Singer and Friedman know how to make even the most complicated material accessible and even entertaining, while at the same time making a powerful case for why all of us need to know more and think harder about the (cyber)world we now live in.”
—Anne-Marie Slaughter, President, the New America Foundation
“Singer and Friedman blend a wonderfully easy to follow FAQ format with engaging prose, weaving explanations of the elements of cybersecurity with revealing anecdotes. From the fundamentals of Internet architecture to the topical intrigue of recent security leaks, this book provides an accessible and enjoyable analysis of the current cybersecurity landscape and what it could look like in the future.”
—Jonathan Zittrain, Professor of Law and Professor of Computer Science at Harvard University, and author of The Future of the Internet—And How to Stop It
“Singer and Friedman do a highly credible job of documenting the present and likely future risky state of cyber-affairs. This is a clarion call.”
—Vint Cerf, “Father of the Internet,” Presidential Medal of Freedom winner
“I loved this book. Wow. Until I read this astonishing and important book, I didn’t know how much I didn’t know about the hidden world of cybersecurity and cyberwar. Singer and Friedman make comprehensible an impossibly complex subject, and expose the frightening truth of just how vulnerable we are. Understanding these often-invisible threats to our personal and national security is a necessary first step toward defending ourselves against them. This is an essential read.”
—Howard Gordon, Executive Producer of 24 and co-creator of Homeland
CYBERSECURITY AND CYBERWAR
WHAT EVERYONE NEEDS TO KNOW ®
P. W. SINGER AND ALLAN FRIEDMAN
Oxford University Press is a department of the University of Oxford.
It furthers the University’s objective of excellence in research, scholarship, and education by publishing worldwide.
Oxford New York Auckland Cape Town Dar es Salaam Hong Kong Karachi Kuala Lumpur Madrid Melbourne Mexico City Nairobi
New Delhi Shanghai Taipei Toronto
With offices in Argentina Austria Brazil Chile Czech Republic France Greece
Guatemala Hungary Italy Japan Poland Portugal Singapore South Korea Switzerland Thailand Turkey Ukraine Vietnam
Oxford is a registered trademark of Oxford University Press in the UK and certain other countries.
“What Everyone Needs to Know” is a registered trademark of Oxford University Press.
Published in the United States of America by Oxford University Press 198 Madison Avenue, New York, NY 10016
© P. W. Singer and Allan Friedman 2014
All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, without the prior
permission in writing of Oxford University Press, or as expressly permitted by law, by license, or under terms agreed with the appropriate reproduction rights
organization. Inquiries concerning reproduction outside the scope of the above should be sent to the Rights Department, Oxford University Press, at the
address above.
You must not circulate this work in any other form and you must impose this same condition on any acquirer.
Library of Congress Cataloging-in-Publication Data Singer, P. W. (Peter Warren)
Cybersecurity and cyberwar : what everyone needs to know / Peter W. Singer, Allan Friedman.
ISBN 978–0–19–991809–6 (hardback)—ISBN 978–0–19–991811–9 (paperback) 1. Computer security—United States 2. Computer networks—Security
measures—United States. 3. Cyberspace—Security measures—United States. 4. Cyberterrorism—United States—Prevention. 5. Information warfare—United
States—Prevention. I. Title. QA76.9.A25S562 2014
005.8—dc23 2013028127
Printed in the United States of America on acid-free paper
CONTENTS
INTRODUCTION
Why Write a Book about Cybersecurity and Cyberwar?
Why Is There a Cybersecurity Knowledge Gap, and Why Does It Matter?
How Did You Write the Book and What Do You Hope to Accomplish?
PART I HOW IT ALL WORKS
The World Wide What? Defining Cyberspace
Where Did This “Cyber Stuff” Come from Anyway? A Short History of the Internet
How Does the Internet Actually Work?
Who Runs It? Understanding Internet Governance
On the Internet, How Do They Know Whether You Are a Dog? Identity and Authentication
What Do We Mean by “Security” Anyway?
What Are the Threats?
One Phish, Two Phish, Red Phish, Cyber Phish: What Are Vulnerabilities?
How Do We Trust in Cyberspace?
Focus: What Happened in WikiLeaks?
What Is an Advanced Persistent Threat (APT)?
How Do We Keep the Bad Guys Out? The Basics of Computer Defense
Who Is the Weakest Link? Human Factors
PART II WHY IT MATTERS
What Is the Meaning of Cyberattack? The Importance of Terms and Frameworks
Whodunit? The Problem of Attribution
What Is Hactivism?
Focus: Who Is Anonymous?
The Crimes of Tomorrow, Today: What Is Cybercrime?
Shady RATs and Cyberspies: What Is Cyber Espionage?
How Afraid Should We Be of Cyberterrorism?
So How Do Terrorists Actually Use the Web?
What about Cyber Counterterrorism?
Security Risk or Human Right? Foreign Policy and the Internet
Focus: What Is Tor and Why Does Peeling Back the Onion Matter?
Who Are Patriotic Hackers?
Focus: What Was Stuxnet?
What Is the Hidden Lesson of Stuxnet? The Ethics of Cyberweapons
“Cyberwar, Ugh, What Are Zeros and Ones Good For?”: Defining Cyberwar
A War by Any Other Name? The Legal Side of Cyber Conflict
What Might a “Cyberwar” Actually Look Like? Computer Network Operations
Focus: What Is the US Military Approach to Cyberwar?
Focus: What Is the Chinese Approach to Cyberwar?
What about Deterrence in an Era of Cyberwar?
Why Is Threat Assessment So Hard in Cyberspace?
Does the Cybersecurity World Favor the Weak or the Strong?
Who Has the Advantage, the Offense or the Defense?
A New Kind of Arms Race: What Are the Dangers of Cyber Proliferation?
Are There Lessons from Past Arms Races?
Behind the Scenes: Is There a Cyber-Industrial Complex?
PART III WHAT CAN WE DO?
Don’t Get Fooled: Why Can’t We Just Build a New, More Secure Internet?
Rethink Security: What Is Resilience, and Why Is It Important?
Reframe the Problem (and the Solution): What Can We Learn from Public Health?
Learn from History: What Can (Real) Pirates Teach Us about Cybersecurity?
Protect World Wide Governance for the World Wide Web: What Is the Role of International Institutions?
“Graft” the Rule of Law: Do We Need a Cyberspace Treaty?
Understand the Limits of the State in Cyberspace: Why Can’t the Government Handle It?
Rethink Government’s Role: How Can We Better Organize for Cybersecurity?
Approach It as a Public-Private Problem: How Do We Better Coordinate Defense?
Exercise Is Good for You: How Can We Better Prepare for Cyber Incidents?
Build Cybersecurity Incentives: Why Should I Do What You Want?
Learn to Share: How Can We Better Collaborate on Information?
Demand Disclosure: What Is the Role of Transparency?
Get “Vigorous” about Responsibility: How Can We Create Accountability for Security?
Find the IT Crowd: How Do We Solve the Cyber People Problem?
Do Your Part: How Can I Protect Myself (and the Internet)?
CONCLUSIONS
Where Is Cybersecurity Headed Next?
What Do I Really Need to Know in the End?
ACKNOWLEDGMENTS
NOTES
GLOSSARY
INDEX
INTRODUCTION
Why Write a Book about Cybersecurity and Cyberwar?
“All this cyber stuff.” The setting was a Washington, DC, conference room. The speaker was a senior leader of the US Department of Defense. The topic was why he thought cybersecurity and cyberwar were so important. And yet, when he could only describe the problem as “all this cyber stuff,” he unintentionally convinced us to write this book.
Both of us are in our thirties and yet still remember the first computers we used. For a five-year-old Allan, it was an early Apple Macintosh in his home in Pittsburgh. Its disk space was so limited that it could not even fit this book into its memory. For a seven-year-old Peter, it was a Commodore on display at a science museum in North Carolina. He took a class on how to “program,” learning an entire new language for the sole purpose of making one of the most important inventions in the history of mankind print out a smiley face. It spun out of a spool printer, replete with the perforated paper strips on the side.
Three decades later, the centrality of computers to our lives is almost impossible to comprehend. Indeed, we are so surrounded by computers that we don’t even think of them as “computers” anymore. We are woken by computerized clocks, take showers in water heated by a computer, drink coffee brewed in a computer, eat oatmeal heated up in a computer, then drive to work in a car controlled by hundreds of computers, while sneaking peeks at the last night’s sport scores on a computer. And then at work, we spend most of our day pushing buttons on a computer, an experience so futuristic in our parents’ day that it was the stuff of The Jetsons (George Jetson’s job was a “digital index operator”). Yet perhaps the best way to gain even a hint of computers’ modern ubiquity is at the end of the day. Lie in bed, turn off the lights, and count the number of little red lights staring back at you.
These machines are not just omnipresent, they are connected. The computers we used as little kids stood alone, linked to nothing more than the wall electricity socket and maybe that spool printer. Just a generation ago, the Internet was little more than a link between a few university researchers. The first “electronic mail” was sent in 1971. The children of those scientists now live in a world where almost 40 trillion e-mails are sent a year. The first “website” was made in 1991. By 2013, there were over 30 trillion individual web pages.
Moreover, the Internet is no longer just about sending mail or compiling information: it now also handles everything from linking electrical plants to tracking purchases of Barbie dolls. Indeed, Cisco, a company that helps run much of the back end of the Internet, estimated that 8.7 billion devices were connected to the Internet by the end of 2012, a figure it believes will rise to 40 billion by 2020 as cars, fridges, medical devices, and gadgets not yet imagined or invented all link in. In short, domains that range from commerce to communication to the critical infrastructure that powers our modern-day civilization all operate on what has become a globalized network of networks.
But with the rise of “all this cyber stuff,” this immensely important but incredibly short history of computers and the Internet has reached a defining point. Just as the upside of the cyber domain is rippling out into the physical domain, with rapid and often unexpected consequences, so too is the downside.
As we will explore, the astounding numbers behind “all this cyber stuff” drive home the scale and range of the threats: 97 percent of Fortune 500 companies have been hacked (and 3 percent likely have been too and just don’t know it), and more than one hundred governments are gearing up to fight battles in the online domain. Alternatively, the problems can be conceptualized through the tough political issues that this “stuff” has already produced: scandals like WikiLeaks and NSA monitoring, new cyberweapons like Stuxnet, and the role that social networking plays in everything from the Arab Spring revolutions to your own concerns over personal privacy. Indeed, President Barack Obama declared that “cybersecurity risks pose some of the most serious economic and national security challenges of the 21st century,” a position that has been repeated by leaders in countries from Britain to China.
For all the hope and promise of the information age, ours is also a time of “cyber anxiety.” In a survey of where the world was heading in the future, Foreign Policy magazine described the cyber area as the “single greatest emerging threat,” while the Boston Globe claimed that future is already here: a “cyber world war” in progress that will culminate in “bloody, digital trench warfare.”
These fears have coalesced into the massive booming business of cybersecurity, one of the fastest growing industries in the world. It has led to the creation of various new governmental offices and bureaucracies (the US Department of Homeland Security’s National Cyber Security Division has doubled or tripled in size every year since its inception). The same is true for armed forces around the globe like the US Cyber Command and the Chinese “Information Security Base” (xinxi baozhang jidi), new military units whose very mission is to fight and win wars in cyberspace.
As we later consider, these aspects of “cyber stuff” raise very real risks, but how we perceive and respond to these risks may be even more crucial to the future, and not just of the Internet. As Joe Nye, the former Dean of the Harvard Kennedy School of Government, notes, if users begin to lose confidence in the safety and security of the Internet, they will retreat from cyberspace, trading “welfare in search of security.”
Fears over cybersecurity increasingly compromise our notions of privacy and have allowed surveillance and Internet filtering to become more common and accepted at work, at home, and at the governmental level. Entire nations, too, are pulling back, which will undermine the economic and human rights benefits we’ve seen from global connectivity. China is already developing its own network of companies behind a “Great Firewall” to allow it to screen incoming messages and disconnect from the worldwide Internet if needed. As a Yale Law School article put it, all of these trends are “converging into a perfect storm that threatens traditional Internet values of openness, collaboration, innovation, limited governance and free exchange of ideas.”
These issues will have consequences well beyond the Internet. There is a growing sense of vulnerability in the physical world from new vectors of cyberattack via the virtual world. As a report entitled “The New Cyber Arms Race” describes, “In the future, wars will not just be fought by soldiers with guns or with planes that drop bombs. They will also be fought with the click of a mouse a half a world away that unleashes carefully weaponized computer programs that disrupt or destroy critical industries like utilities, transportation, communications, and energy. Such attacks could also disable military networks that control the movement of troops, the path of jet fighters, the command and control of warships.”
Such a vision of costless war or instant defeat either scares or comforts, wholly dependent on which side of the cyberattack you’re on. The reality, as we explore later in the book, is much more complex. Such visions don’t just stoke fears and drive budgets. They also are potentially leading to the militarization of cyberspace itself. These visions threaten a domain that has delivered massive amounts of information, innovation, and prosperity to the wider planet, fuel tensions between nations, and, as the title of the aforementioned report reveals, maybe even have set in motion a new global arms race.
In short, no issue has emerged so rapidly in importance as cybersecurity. And yet there is no issue so poorly understood as this “cyber stuff.”
Why Is There a Cybersecurity Knowledge Gap, and Why Does It Matter?
“Rarely has something been so important and so talked about with less and less clarity and less apparent understanding. . . . I have sat in very small group meetings in Washington . . . unable (along with my colleagues) to decide on a course of action because we lacked a clear picture of the long term legal and policy implications of any decision we might make.”
This is how General Michael Hayden, former Director of the CIA, described the cybersecurity knowledge gap and the dangers it presents. A major part of this disconnect is the consequence of those early experiences with computers, or rather the lack of them among too many leaders. Today’s youth are “digital natives,” having grown up in a world where computers have always existed and seem a natural feature. But the world is still mostly led by “digital immigrants,” older generations for whom computers and all the issues the Internet age presents remain unnatural and often confusing.
To put it another way, few older than fifty will have gone through their university training even using a computer. Even the few who did likely used one that stood alone, not connected to the world. Our most senior leaders, now in their sixties and seventies, likely did not even become familiar with computers until well into their careers, and many still today have only the most limited experience with them. As late as 2001, the Director of the FBI did not have a computer in his office, while the US Secretary of Defense would have his assistant print out e-mails to him, write his response in pen, and then have the assistant type them back in. This sounds outlandish, except that a full decade later the Secretary of Homeland Security, in charge of protecting the nation from cyberthreats, told us at a 2012 conference, “Don’t laugh, but I just don’t use e-mail at all.” It wasn’t a fear of security, but that she just didn’t believe e-mail useful. And in 2013, Justice Elena Kagan revealed the same was true of eight out of nine of the United States Supreme Court justices, the very people who would ultimately decide what was legal or not in this space.
It is not solely an issue of age. If it was, we could just wait until the old farts died off and all would be solved. Just because someone is young doesn’t mean the person automatically has an understanding of the key issues. Cybersecurity is one of those areas that has been left to only the most technically inclined to worry their uncombed heads over. Anything related to the digital world of zeros and ones was an issue just for computer scientists and the IT help desk. Whenever they spoke, most of us would just keep quiet, nod our heads, and put on what author Mark Bowden calls “the glaze.” This is the “unmistakable look of profound confusion and disinterest that takes hold whenever conversation turns to workings of a computer.” The glaze is the face you put on when you can only call something “stuff.” Similarly, those who are technically inclined too often roll their eyes at the foreign logic of the policy and business worlds, scoffing at the “old way” of doing business, without understanding the interactions between technology and people.
The result is that cybersecurity falls into a no man’s land. The field is becoming crucial to areas as intimate as your privacy and as weighty as the future of world politics. But it is a domain only well known by “the IT Crowd.” It touches every major area of public- and private-sector concern, but only the young and the computer savvy are well engaged with it. In turn, the technical community that understands the workings too often sees the world only through a specific lens and can fail to appreciate the broader picture or nontechnical aspects. Critical issues are thus left misunderstood and often undebated.
The dangers are diverse and drove us in the writing of the book. Each of us, in whatever role we play in life, must make decisions about cybersecurity that will shape the future well beyond the world of computers. But often we do so without the proper tools. Basic terms and essential concepts that define what is possible and proper are being missed, or even worse, distorted. Past myth and future hype often weave together, obscuring what actually happened and where we really are now. Some threats are overblown and overreacted to, while others are ignored.
This gap has wide implications. One US general described to us how “understanding cyber is now a command responsibility,” as it affects almost every part of modern war. And yet, as another general put it pointedly, “There is a real dearth of doctrine and policy in the world of cyberspace.” His concern, as we explore later, was not just that the military side needed to do a better job at “cyber calculus,” but that the civilian side was not providing any coordination or guidance. Some liken today to the time before World War I, when the militaries of Europe planned to utilize new technologies like railroads. The problem was that they, and the civilian leaders and publics behind them, didn’t understand the technologies or their implications and so made uninformed decisions that inadvertently drove their nations into war. Others draw parallels to the early years of the Cold War. Nuclear weapons and the political dynamics they drove weren’t well understood and, even worse, were largely left to specialists. The result was that notions we now laugh off as Dr. Strangelovian were actually taken seriously, nearly leaving the planet a radioactive hulk.
International relations are already becoming poisoned by this disconnect between what is understood and what is known. While we are both Americans, and thus many of the examples and lessons in this book reflect that background, the “cyber stuff” problem is not just an American concern. We were told the same by officials and experts from places ranging from China and Abu Dhabi to Britain and France. In just one illustration of the global gap, the official assigned to be the “czar” for cybersecurity in Australia had never even heard of Tor, a critical technology to the field and its future (don’t worry, you—and hopefully she—will learn what everyone needs to know about Tor in Part II).
This is worrisome not just because of the “naiveté” of such public officials, but because it is actually beginning to have a dangerous impact on global order. For instance, there is perhaps no other relationship as important to the future of global stability as that between the two great powers of the United States and China. Yet, as senior policymakers and general publics on both sides struggle to understand the cyber realm’s basic dynamics and implications, the issue of cybersecurity is looming ever larger in US-China relations. Indeed, the Chinese Academy of Military Sciences released a report whose tone effectively captured how suspicion, hype, ignorance, and tension have all begun to mix together into a dangerous brew. “Of late, an Internet tornado has swept across the world . . . massively impacting and shocking the globe. . . . Faced with this warm-up for an Internet war, every nation and military can’t be passive but is making preparations to fight the Internet war.”
This kind of language—which is mirrored in the US—doesn’t just illustrate the brewing global cyber anxiety. It also reveals how confusion and misinformation about the basics of the issue help drive that fear. While both sides, as we explore later on, are active in both cyber offense and defense, it is the very newness of the issue that is proving so difficult. Top American and Chinese governmental leaders talked with us about how they found cybersecurity to be far more challenging than the more traditional concerns between their nations. While they may not agree on issues like trade, human rights, and regional territorial disputes, they at least understand them. Not so for cyber, where they remain woefully ill-equipped even to talk about what their own nation is doing, let alone the other side. For example, a top US official involved in talks with China on cyber issues asked us what an “ISP” was (here again, don’t fret if you don’t yet know, we’ll cover this soon!). If this had been back in the Cold War, that question would be akin to not knowing what an ICBM was in the midst of negotiating with the Soviets on nuclear issues.