KQV Interview: Will the Next World War Start in Cyber Space?

PittsburghGlobalConference_125Pittsburgh Global Press Conference — 30 minutes of conversation designed to make you better aware of the world around you. Pittsburgh Global Press Conference is brought you by KQV in cooperation with the World Affairs Council of Pittsburgh, a non-profit, non-partisan organization and now Pittsburgh Press Conference.

 

Listen to the audio version now, or view the transcription by fall 2015 intern Hannah Purkey.

George Savarese: Hello again everyone, welcome to the Pittsburgh Global Press Conference, I’m your host, George Savarese. It’s a pleasure to be back with all of you. Thisweek, our program is very special. It’s brought to you by the World Affairs Council of Pittsburgh as part of a series they are doing on cyber security, a three-part series, and the first part, our guest is P.W. Singer, one of the world’s leading authorities on cyber security, the co-author of the book Cyber Security and Cyber War and his new book Ghost Fleet. P.W. Singer, thank you so much for joining us.

P.W. Singer Cybersecurity and 21st Century Warfare Expert Strategist and Senior Fellow, New America Foundation

Peter W. Singer: Appreciate it. Thanks for having me on.

Savarese: And I have to say, Mr. Singer, that you were doing a fine job of scaring us with your last book on cyber security and cyber war. Now you’ve written Ghost Fleet, which is a quasi-fictional book on cyber world war. You had us with Cyber Security and Cyber War, what was the motivation for–?

Singer: Well, there is a bit of a difference between the two, Cyber Security and Cyber War is a non-fiction book. It’s a primer; it’s essentially trying to take this topic of cyber security that’s been locked between two spaces. It’s either been something that people consider highly technical and only for, I jokingly call it the It crowd, only for the IT folks to understand, and at the other end of the spectrum, it’s been the get-scared and give-me-your-money in terms of “I’ll have this widget to solve the cyber security problems for you.” And so that book is basically an explainer– how does this all work, why does it matter, most importantly, what can we do? And the we being everything from cyber security effects government, it effects business, it effects you as an individual, you as a parent, you as a citizen. So that’s the cyber security book.

Savarese: Really lessons for the average American, and how to navigate through all of the confusion.

Singer: Exactly, and along the way, tell some interesting stories about the people behind the different technologies. And that, again, connects to one of the key lessons here, is that, while cyber security is about computer security, at the end of the day, if you want to understand it — the target approach of the attacker and how you ought to be defending — it always comes back to the people, how our attitudes, our programs, our organizations. So, that’s the cyber security story. Ghost Fleet’s a little bit different, different in a number of ways. It’s a new book that came out a couple of weeks ago. It is a smash-up of two genres, it’s a techno-thriller in the style of early Tom Clancy…so people made the comparison…

Savarese: I was gonna say, you’re like the new Tom Clancy here, with cyber security and cyber war and I mean that in the best possible light because Tom Clancy was brilliant.

Singer: Oh, and in particular if you remember early Clancy– there’s a book called Red Storm Rising, he wrote, that was a look back in the mid-1980s of a what-if back then. What if the two great powers went to war? Back then, it was the U.S. and the Soviet Union. And it’s a great read and I remember actually, reading it in the back of my mom’s station wagon on the way to the beach. It was that kind of reading experience and yet, it was also something that got a lot of attention within the Pentagon, within the White House. So it was both a great book, but also an influential book. And there’s a number of other books I loved reading, the Michael Crichton’s and the like, so Ghost Fleet tries to recreate that experience, the techno-thriller, about a what-if. What if there was a war between the U.S. and China? But what makes it different from the Clancy or Michael Crichton’s or whatever books, is that while it’s fiction, obviously we haven’t yet gone to war with China. It’s based off of real-world trends and technologies. So it’s a novel that comes with 400 end-notes so whenever you come across something that seems interesting or sounds crazy science-fiction, you can go to the endnotes and say ah-ha! That’s real. So, that’s been fun about the project.

Savarese: I think that’s what’s terrifying about this book, is that there is so much reality in here. If this was Friday the 13th, I’d say, “Ah, that’s just very, kind of cartoonish.” This is steeped in real-world reality and I have to tip my hat to you because you’ve been writing about this for some time now and I think anyone who picks this up, including people at the Pentagon, I would hope, would say, “Oh my God!”

Singer: Yeah, we’ve had, actually on that last point, what’s been a crazy experience of it. We joke we must have the strangest cross of endorsers and blurbers so the book’s gotten – it’s built up a fan base. But the fan base crosses everything. We’ve been invited in to meet with the Secretary of the Navy, the Chairman of the Joint Chiefs, senators, people in the White House, about the real-world lessons of a novel. And yet at the same point, we’ve gotten some really kind words about it from everything from the writer of Game of Thrones or the writer of World War Z, the creator of Hunger Games, the movie. And these are things that you don’t normally see that cross between a four-star admiral saying, “Well, I like it!” and someone from Game of Thrones saying, “Well, I like the same thing!” and I think part of that again goes to our approach. You said the realism is what makes it scary, but that also is how we built it, so we went about meeting with…I’m saying we, it’s not the royal we, I should add, my co-author on it is a guy named August Cole who was the defense beat reporter for the Wall Street Journal, so again we both come out of this space of the real world but we grew up both with a love of these kind of books.

So, he was from Washington State; and we didn’t know each other back then; but he read Red Storm Rising and early Tom Clancy at his parent’s cabin on the Puget Sound. For me, it was Myrtle Beach, South Carolina. The point is when we were building the book, we tried to meet with real-world people behind the characters. And, so, who are the people who might fight in a future war, fighter pilots, special operations forces, Chinese admirals. But then, what was fun, I think, going back to the real-world point of the book is that there’s also a cast of characters who likely would play a role that we don’t pay enough attention to. They range from a venture capitalist from Silicon Valley, a prominent billionaire who’s interested in space, a teenager hacker who’s a Chinese university student. So, these are the real-world people that inspired us for the book, but they also are the ones that populate the story and you can have a lot of fun with that.

Savarese: You’re listening to the Pittsburgh Global Press Conference, brought to you by KQV, brought to you by the World Affairs Council of Pittsburgh, a stellar organization that has been bringing educational programs to Pittsburgh for over 60 years. This week on the Global Press Conference, our topic is cyber security and the reality of cyber war. And our guest is P.W. Singer, one of the world’s leading authorities on cyber security. He is the co-author of his new book, Ghost Fleet, a novel of the next world war. Now Mr. Singer, you have been writing extensively this summer, I saw a piece in The Atlantic that you wrote with August Cole, how to write about World War III, the Wall Street Journal had a piece, June 28th, “Author Warns U.S. Military to Focus on China, “So I have to ask, are we currently in a cyber-arms race with China?

Singer: Short answer, yes. Longer answer is, it’s not just a cyber-arms-race; it’s an overall arms-race. You can think about it in this way. China has built more warships, more war planes than any other nation in 2012, 2013, 2014. It will do so in 2015, planning to do so 2016, 2017. You get the picture. In turn, the U.S. military has announced a new strategy to, in their words, offset China with a new generation of high technology. So it’s not just cyber weapons that both sides are working on, in terms of both the actual digital weaponry, but also the organizations that they’re building. So the U.S. for example, we’ve created a cyber-command, a new military organization designed to fight and win wars in cyber space. It’s co-located in Fort Meade with the National Security Agency, the NSA, which of course has gotten a number of big amount of attention in recent years. China has a parallel to that, a parallel architecture, for example, their third department is…and again, don’t just think of the players here as the official government and military units; there’s also a range of non-state actors and so they range from cyber security companies to university-affiliated cyber militia. So both sides are in this, and again, it’s not that a war between the U.S. and China is inevitable; I certainly do not think that. But we are, we have to admit, we are in this arms-race, we are in a geo-political competition and there are risks of war. The way to think about this, kind of pull-back, big international affairs, the kind of things the Council here wrestles with. The 20th century was shaped by great power conflict, we had two world wars that happened and killed tens of millions of people, we had one world war that fortunately never happened, but the fear of it, a third world war, it shaped everything from geo-politics — we had a Cold War — to how we thought about international sports.

You know, think about how you and I looked at the Olympics. I still check to see how we do, better against, you know, — to me they’re the Soviets, but now they’re the Russians. Well OK, we thought we put that history to bed in the 21st century and yet, it feels like it’s coming back. We can see it in Russian land grabs in the Ukraine. Visits by bombers with red stars on their wings have become regulars on NATO’s borders. We’re at our highest level of alert in NATO and Europe since the mid-1990s, the last time we had a heightened Cold War. And, as I mentioned, the same thing in the Pacific, it’s not just an arms-build up, it’s things like tensions between artificial islands built on disputed territories, rites of passage. So, this is the undertone to this geo-political competition, and again, wars can start in any numbers of ways. We had one World War that started — it was basically a very deliberate set of decisions. We had another World War that was a crisis, but out of control. Same thing could loom for us in the future. A war can start by accident, a war can start by a deliberate set of choices. So, we have to come at this with our blinders open; we need to understand this is the new geo-politics, and that’s the point of Ghost Fleet, is to use the mechanism of fiction to 1) tell a fun, interesting, exciting story and 2) describing it as “useful fiction,” allowing people to learn things, to better understand the world today and tomorrow, not just the overall geo-politics, but also down to things like certain technologies, like, “what the heck is next with Google Glass?” We play that out in the book.

Savarese: I think it’s fascinating that the book comes out just a few weeks before Chinese President Xi, visits the White House. Xi Jinping is in Washington meeting with President Obama right now and the President said that cyber-attacks is going to be one of the main topics of discussion. And one of the goals of their summit will be some type of early accord against cyber warfare. Do you think this is window-dressing, Mr. Singer or something more substantive?

Singer: It’s useful, but it’s not going to solve these problems; we shouldn’t expect it to; I don’t think either party does. And again, part of the issue here is that we need to disentangle what it is that is playing out and what most worries us. So, when you’re thinking about the cyber security problem, there’s levels to it, particularly the U.S. and China. The first level is classic espionage. You stealing secrets from my government agencies, something’s that’s happened for millennia. And the latest illustration of this would be the Chinese breach of the Office of Personal Management, where personal files of at least 21 million Americans, including 5.5 million people’s fingerprints — and not just general people — people who have security clearances. That was breached, allegedly, by China, but guess what? We engage in espionage too, as Mr. Snowden revealed. So first is the level, this game of espionage. The second is something that has touched, I think of particular interest in Pittsburgh, is intellectual property theft. So it’s not going after government agencies for classic government secrets, it’s going after private businesses for their business secrets; and what’s driving this is, you know, we like to think of China as communist, but it’s really mercantilist.

Savarese: Even after ALCOA, U.S. Steel, PPG, these Pittsburgh companies, and with the help of people at Carnegie Mellon University and the FBI office, and their computer response team, five Chinese were indicted or at least named as being the hackers. That’s kind of remarkable that they were at least able to identify it.

Singer: Yes, and so what we’re seeing here is they may be private victims of the hack, and the goal of it is to steal some kind of business information. You mentioned the ones in Pittsburgh, but on an overall national level, it’s ranged from soft drink companies to energy drink companies to furniture makers, and typically they’re ones that either have a product, some kind of innovation that someone is looking to recreate, or they’re engaged in a business negotiation, someone wants to know their secrets. So the point is, we may describe it as private business but they’re competing against some official or quasi-official Chinese entity and they’re being breached by again, usually it’s been tracked back to something that’s government related. So that’s the second level of concern. The third level of concern is what we could describe as preparing the battlefield. It’s where we’ve seen probes and entrances into things like critical infrastructure, gas lines and the like. The goal is not to steal secrets, the goal is preparing the battlefield for a what-if, to break things if we ever went to war, so it’s not to be activated now, but it’s to set up situations.

So, these are the three levels of concern. You can already see a challenge here, we’ve got one where, you know, we don’t like it happening to us, but we do it too, so neither side is really going to ban it. We have another one where we’d like them to stop, but it’s integral to their economy, so it’s unlikely that they’re going to stop. And then we have the third level, which is the one they’ve come to kind of a lose—we can put it as agreement in quotation marks–but it’s really not, where the two sides have essentially said, “We’re not going to actually attack and take down each other’s critical infrastructure in peacetime.” Notice the caveat to this, so it’s good that we’re engaging in these discussions, certainly better than not engaging in these discussions. It’s good that we’re trying to set up certain norms, but it’s not going to end all the different levels of concern. And so really, the next stage for the U.S. is to figure out what is the mechanisms to change the incentive structures here, to essentially shift the cost-benefit balance. And that’s where you’ve seen example like, “Well, is it indicting individual hackers? Will that serve as a warning?” Some people would say, “Yes,” others would say, “The likelihood of five Chinese hackers ever setting foot in Pittsburgh is quite low, so they are unlikely to see the inside of a courtroom. So, did it accomplish its goals?” Other people will say like, “Maybe we should do things like sanctions, sanction Chinese companies, people push back…”

Savarese: Limit visas of Chinese students, things like that.

Singer: There’s all these different mechanisms that people say and then other people push back and against them so the example with company sanctions is the people who typically propose these are often not in American businesses, because American businesses are worried about the push back against. You could use an example of 20% of Apple’s revenue last quarter came from sales in China. So, they don’t want to see something happen that cuts them off — again, there’s no one simple, ready answer. To me, there’s certainly things we can do to change the cost-benefit in terms of pushing back, but so much of this is really about looking inward. In technical terms, you describe it as “deterrence by denial.” In real terms, it’s basically, “make it harder for the other side to hack you, make it harder for them to pull benefit from it, better protect yourself and that’s of benefit, whatever the attacker intends.” We could do a heck of a lot better at cyber security in the U.S. and the we here is again, every level, from individuals to businesses to government. As these example of the OPM breach or as episodes like Sony all illustrate.

Savarese: Well, that’s interesting that you mention that because we had as a guest a few weeks ago, the former director of the CIA, Michael Hayden, who is a Pittsburgher. And he was incensed, not so much that China was trying to hack into government files and the breach by the Chinese hackers into OPM, he was incensed by the fact that they were able to it. That our security was so lax — that our cyber security was so lax, computer systems. We have government people saying they’re antiquated, they need patches, emergency patches needed to be put on there and I guess his point was, “How did we get to the point where we are so lax and so vulnerable that something like that could happen?”

Singer: It’s simply not been made a priority, and not been made a priority at the proper levels. It’s a topic that hasn’t at least been up to this point been paid enough attention to, and then typically mishandled or misinterpreted. OPM is a great example of it…but what’s even more interesting is that many of the flaws that they had as a government agency were replicated across all the various businesses and corporations that have been in the news for the breaches that have happened to them. The point here is the entry is not typically some kind of super-sophisticated new digital weapon a la the story of something like a Stuxnet, which was this new, amazing new digital weapon created by the NSA to sabotage Iranian nuclear research, something no one had even seen before. Instead, what we’re more typically seeing is tools and techniques that have been out there for years and that very basic measures should have stopped. So the OPM example that you hit is everything from, “Oh, they weren’t investing enough in their cyber security; the leadership wasn’t making it a priority; oh by the way, they were outsourcing their IT to a Chinese subcontractor, the very nation who…”

Savarese: If you wrote that in one of your books, people would say, “Oh that’s just ridiculous.”

Singer: But again, a lesson for private companies. They had not looked at themselves and said, “Which of the information that we had are our jewels of the crown, so to speak, and how are we protecting ourselves in general, but how are we better protecting this particular kind of information?” They weren’t doing that, and that’s something that private businesses should have. So then when someone is on the inside, they don’t have free reign…oh by way, what happened to companies like Sony, guess what? Happened to the NSA. Certain guy was already on the inside, named Mr. Snowden. And it shouldn’t have been, “Oh, I’m able to pull 1.3 million files.” There should be layers to this, internal monitoring mechanisms, so that when there is a breach, when people start touching these different files, you have warning, so to speak, go off on it. The breach at the OPM, and again, all the various corporate episodes, they aren’t often happening in a nanosecond; they are playing out over days, weeks, sometimes months. On average, it takes a private business 250 days to realize that it’s been cyber attacked.

Savarese: 250 days?!

Singer: Yeah, yeah. Crazy when you think about this because we talk about this all goes at digital speed, well actually, no, a lot of it moves at the speed of molasses. So that internal monitoring, different measures in terms of access, so after the fact, after this OPM breach, the federal government said, “we’re going to have this — they called it a “cyber-security sprint.” All the other different agencies, let’s finally get around to implementing what we should have put in place.

Savarese: A 30 day sprint…

Singer: Well, we can mock it, but at least they were doing something. And one of the things they put into place, which should have been there before, was to factor authorization. That sounds really complex, to factor. The easier way to explain it, it works like your ATM. Something that you know, a password, something that you have. In that case, an ATM card. The point is, think about the password that you have on your ATM — it’s not a super long, complex password. Cards can be counterfeited. But it’s the combination of the two that makes it more difficult for the attacker, and this two-factor is the kind of thing that any business should have to protect their, again to go back to their crown jewels, to you or I should have it on our email. And if you don’t, go change it right now.

Savarese: But you were telling us this years ago. Two and three years ago, you were warning about stuff like this. I remember hearing you on Fresh Air with Terry Gross a year and half ago, where you were basically warning against finding basic lessons from previous hacks. It seems almost kind of mind-numbing that they were able to breach OPM and a host, a myriad of all these different holes that needed to be patched were exposed.

Singer: Yeah, part of it is people not paying attention to it. But part of it is, we exist, we work in these human organizations that are bureaucracies. And then when we start talking about something like the OPM, it’s in the federal government and guided by Congress and if you want to identify a cross between bureaucracy and dysfunction, that’s what happens when you combine government agencies and Congress. So, we can knock on OPM and say things like, “Gosh, they weren’t paying enough attention to it; they had antiquated computer systems,” and then in these hearings afterwards, Congress was like, “how did you have all this old equipment? Why weren’t you spending more?” And you could see like, “Oh, who funds us?” So I think the challenge with cyber security is to understand it as an issue that is not going to go away. It will be with us, essentially, for as long as we use computers and the internet. And it’s not something to be- there are bad things playing out- oh, by the way, it’s not something that you’d be utterly petrified by and there’s measures we can take to manage it. And I think one of the challenges moving forward, both within companies’ organizations but also within politics is to try and identify how do we create the incentives to get this better? How do we motivate people, businesses, and government, to get better at this?

And so, as an example, we’re starting to see certain changes on this, some of the changes is we’ve gone from corporate boards and executives and not facing any market punishment, for these breaches to…we’re starting to see people and executives lose their jobs over it, we’re starting to see lawsuits. Another example of an incentive is the development of a cyber-security insurance market. You and I have insurance for our house, our cars. It’s both for our protection, but then we create these incentives, where we say, “I want to behave better…” incentivizing everything from air bags to, “I’m not going to give the keys to my 16 year old at 2:00am because I’m worried about what they’re going to do to my rates.” So if you can start to create these incentives, and then of course, that moves up to the level of government. We’ve seen a process to create certain standards for cyber security, kind of aspirational goals that say businesses or agencies should meet these standards. Right now, they’re aspirational. The next stage on this is, “What will be required or not?” So, it moves it from saying, “ought to” to “has to.” And so, I think we’re getting better at it, but it’s like any other area that’s with you there forever. You’re going to have to be mindful of it, not consider it like, “Oh cyber security, I took care of that two years ago.” No way, that’s just setting yourself up for a fall.

Savarese: I wish we had another hour to talk about these issues. P.W. Singer, the half hour went by extremely fast, thank you very much and thank you for joining us and sharing these insights.

Singer: Oh, I appreciate it. Thanks for having me on.

Savarese: Our guest has been P.W. Singer, he is the author of the new book, Ghost Fleet, and he is one of the world’s leading authorities on cyber security. He is also the co-author of the book Cyber Security and Cyber War. The book Ghost Fleet just came out a few weeks ago; it is exceptional reading. I urge people to go out and pick it up. Ghost Fleet by P.W. Singer. You’ve been listening to the Global Press Conference on all news 1410 KQV. I’m your host George Savarese. The program is brought to you by the World Affairs Council of Pittsburgh, an extraordinary organization that has been bringing World Affairs to Pittsburgh for over 60 years. Thanks to my friends at the World Affair’s Council–Emily Markham, Julie Maloney, Annie Prucey, and Jerry Voros, the heart and soul of the Council, the lion in winter. And special thanks to Amy Looney, our producer here at KQV, remember you can go back to listen to this program and all of our interviews at the website, worldpittsburgh.org. Thanks for listening everyone and join us again next Sunday at 10:30AM for the Pittsburgh Global Press Conference.