The Scariest Thing About Cybersecurity Is How Unprepared We Are

Once relegated to the opaque realm of IT geeks and reclusive white-hat hackers, the idea of cybersecurity became ubiquitous in 2013, permeating the way we think about national security, foreign policy, and our own safety and privacy. In many respects, the trend was inevitable—the logical expansion of a dark cyber underworld that has thrived on hidden sites and in secret government offices since the early days of the internet.

But for most of the unassuming public, the emergence of cyber threats has been sudden and pervasive, with each wave of credit card data thefts, national security leaks, and Silk Road arrests making it clear that the full spectrum of illicit activities—from intellectual property theft to drug dealing, bank robbery, and warfare—have moved online.

And the threats will only worsen in 2014. According to a poll of military and defense industry insiders released last week, cyber warfare has now replaced terrorism as the biggest threat facing the United States. Another recent survey, from the web security firm IID, predicts that murder via the internet and hacked security system burglaries will emerge as credible cyber threats by the end of this year.

But what is most alarming about the growing cyber threat is how ill-equipped we really are to deal with it. That’s the most striking takeaway from a new book, Cybersecurity and Cyberwar: What Everyone Needs To Know, authored by Brookings Institution researchers Peter Singer and Allan Friedman. “Basic terms and essential concepts that define what is possible and proper are being missed, or even worse, distorted,” Singer and Friedman explain in their introduction. “Past myth and future hype often weave together, obscuring what actually happened and where we really are now. Some threats are overblown and overreacted to, while others are ignored.”

This knowledge gap is worrisome not only for its naivety, the authors add, but because it's beginning to have an actual impact on global incidents. “For example, a top US official involved in talks with China on cyber issues asked us what an ‘ISP’ was,” they write. “If this had been back in the Cold War, that question would be akin to not knowing what an ICBM was in the midst of negotiating with the Soviets on nuclear issues.”

It’s a sobering indictment of the current US cybersecurity policy, which has so far been characterized by a dangerous mix of ignorance and shrill hysteria over oft-warned-about but not-yet-realized “cyber Pearl Harbor” catastrophes. In the pages that follow, Singer and Friedman cut through this alarmist rhetoric, demystifying technical jargon with simple questions like “How Does The Internet Actually Work?”; “What Is Hacktivism?”; and “Do We Need A Cyberspace Treaty?” The result is an honest, well-researched appraisal of the impact of cyber threats, and the potential solutions for cybersecurity.

In an interview with Motherboard, Singer discussed some of their conclusions, and offered some insight into what we can expect from cybersecurity in 2014.

MOTHERBOARD: In the last year, we’ve seen a proliferation of threats in the cyber realm—everything from war and terrorism to burglaries and murder. To what extent are we as a society equipped to deal with that shift?

When we were kids, this realm was essentially science fiction. Since then, global communication, global commerce, social relationships have all moved into the online world—and guess what? The threats have followed, whether they are criminal threats or military threats. The bottom line is that we are getting both the good and the bad. Too often, cyber issues are treated as either completely mystifying, or people try to take advantage of our ignorance.

That’s much of what we're trying to wrestle with in this book: How do you understand that there are some emerging dangers—and they are very real, they are serious—but also, how do we not get taken advantage of? The reality is that this is an issue that is here to stay for us, and we have to deal with it calmly and figure out how to manage it.

To what extent is the knowledge gap about cyber issues driving the hype?

There definitely needs to be more awareness building at multiple levels—in the military, in business, in politics, and, I would argue, in our schools. But there are so many other things at play here, when it comes to understanding and dealing with all of the different types of threats in this realm.

Here's an example: A senior military leader argued with me that Al Qaeda was the same as Anonymous. He thought they were in effect the same thing. Seriously. That’s just false; it was based on ignorance. But it gets at the question of what is and isn't cyberterrorism and what is and isn't a threat—and the danger of bundling together all these things, particularly when we are talking about a cyberattack or a cyber war.

There is actual military use of cyber. Stuxnet revealed that there is a potential for weapons that can cause kinetic change. So cyber war is very real, but don't lump it together with credit card theft. And not just so we can understand it, but so we can figure out how to solve all this. Understanding allows us to respond better, and it also helps disentangle some of the erroneous assumptions that are out there.

So how do companies, or individuals, get in front of the threat? And what role should the government play?

One of the core lessons of the book is that it always comes back to the people, the organizations they are in, and the incentives that drive them. There is no one silver bullet here. There's no one solution. It's about everything from developing better means for information sharing, particularly across public and private sectors, to figuring out where you need to build in incentives; where you need to raise awareness of the threat.

The government can and must do a lot better in this space. But there is also a need for private industry to do much, much better. And part of the challenge is figuring out who is responsible for doing what. That's my problem with a lot of the volume-11 narrative—it makes it seem like the threat is so huge that only the government can be responsible. To give a metaphor, if you are moving a van full of cash between two banks and protesters stand in the middle of the road and block the transfer of that van, no one would ask where the US military is. But change that van and the money in it to zeros and ones, to something digital, and we're asking, "Where is the military on this?" No—there are responsibilities that are shared.

The same goes for individual responsibility. At the end of the day, there is a whole series of mechanisms that can be put in place to stop most threats. One study found that there are 20 safeguards that would stop 94 percent of cyber threats. Most people aren't being targeted by those other six percent. And for those that are, if they talked to their IT team, they would find out that the IT folks could deal with the more advanced stuff if they didn't have to deal with the low-level stuff. A lot of this is just general awareness of cyber hygiene.

Last year, nine new pieces of malware were discovered each second. Isn’t trying to prevent cyber threats just a Sisyphean task?

It comes down to understanding the difference between the rapid evolution of the threats in technology versus the continued relevance of good practices by organizations. You can't come at it in a way that tries to identify each and every threat—that will never work. The threat is evolving too rapidly and it is too diverse to come at it with some kind of wall. And by the way, if you deal with it that way, you're going to weaken all the good ways that you want to use the internet.

Rather than perimeter defense, we should be emphasizing resilience. It basically comes down to the idea that you are never going to succeed if your mentality is to avoid bad things from happening. It's all about how you deal with the bad things, how you power through, how you pick yourself back up. You have to expect that the threat is going to grow, change, morph—you can either throw your hands up in the air, or you can figure out a way to deal with it more effectively.

What is the danger of overreacting to cyber threats?

There are some very deep concerns going on right now in everything, from the growing levels of threat, whether in the space of cybercrime or in the idea cyber is a potential battlefield, or in government-linked intellectual property theft of a massive, massive scale (in fact I would argue that IP theft is far more worrisome than the cyber Pearl Harbor narrative that's out there). But it's not just those threats, but also our responses to the threats that endanger the very way that the internet works and all the incredible economic, political, and social progress that it has spurred.

I think you see that playing out here in three particular ways: One is, does the growing level of threat out there cause us to become less likely to trust and use these important tools?

The second is the mechanisms that certain government organizations have been using to disrupt the trust in the internet and the fear that the internet may be becoming more militarized. Obviously, those are the concerns at the heart of the Snowden leaks. The third is linked to that, when groups taking advantage of those kinds of narratives—the attempt by a variety of authoritarian governments to build walls and prevent people from seeking out and finding information in the way that the internet was intended to be used.

The internet that you and I grew up with may not be the one that our kids end up with if we don't watch out, and if we don't understand this.