In writing Cybersecurity and Cyberwar: What Everyone Needs To Know, authors Peter W. Singer and Allan Friedman do what few cybersecurity and war scholars do: They tie together the history of the generative Internet, and its foundations in curiosity and experimentation, with the politico-military cyber security community housed in government. They connect the dots between technological traits and their insecurities. And they tell the stories of the people, not just the machines.
In the book, Singer and Friedman break down to building blocks what Internet and the World Wide Web are made of, then use those to build back up to sophisticated concepts and information.
“[T]oo often,” they write, “we bundle together lots of unlike things” that simply happen in or relate to cyberspace. In one illustrative point, the authors quote a “high Pentagon official” using the phrase “all this cyber stuff.” Even those responsible for enacting cybersecurity — or educating others in it — do not distinguish between different types of cyber activities when they talk about cybersecurity. But the variety of things that fall under the ‘cybersecurity’ umbrella is staggering, ranging from mundane email spam to nation-state level intellectual property theft, from dissidents in online message boards to organized larceny.
Indeed, so much has been written about and speculated on when it comes to cyberwar, but we have not agreed on what cyberwar will look like when we see it. Despite the doomsday hype we lend to cyber attacks, we haven’t seen the most potent form of cyber violence. Not a single person is dead from a cyber attack. “Cyber terrorists” are not simply terrorists who use the Internet, just as using electronic medical records does not make one a “cyber doctor.”
Singer and Friedman turn to one particular cyber attack to make this point. Stuxnet — the sophisticated cyber weapon that targeted Iranian centrifuges while also reporting back to the operator that all was functioning as usual– operated on a fair amount of “ethicality,” the authors point out.
Its worth noting, of course, that Stuxnet infected computers in more than ten countries including the United States. Some of its effects seem to have been sufficiently targeted, but we don’t know the extent of potential effects. And Singer and Friedman do point out that future cyber weapons would possibly not be so “ethical.”
At its core, Cybersecurity and Cyberwar makes the point that cybersecurity risk is human risk. Singer and Friedman show that cybersecurity is not to be compartmentalized, and vulnerabilities spring from the same characteristics that make a technology useful. It doesn’t always play out as the developer creating something, a hacker to penetrating it, and law enforcement or government shutting it down. Some security vulnerabilities were discovered by curious, well-intentioned explorers, and some patches were created by the hacker community. The Morris Worm was famously created by a Cornell grad student trying to find out how big the Internet was.
Merritt Baer is a Fellow at the EastWest Institute. She also operates a cyber strategy consulting company.