On January 2, Dr. Emanuel Pastreich, director of the Asia Institute, sat down with Peter Singer, director of the Center for 21st Century Security and Intelligence and a senior fellow in the Foreign Policy program of the Brookings Institute. Singer’s research focuses on three core issues: current US defense needs and future priorities, the future of war and the future of the US defense system. Singer lectures frequently to US military audiences and is the author of several books and articles, including his most recent book, Cyber Security and Cyber War (www.cybersecuritybook.com). This is the second in a six-part series.
Emanuel Pastreich: “So, in cyberspace, is there a posse comitatus?”
Peter W. Singer: “Well, no, there is not. There remain a series of issues that we need to work out. When I say ‘we’ I am talking about communities at every level, from the global down to the national, regional, and individual. We need to think about how agencies and corporations can be made accountable and responsible, but also about what we can do as citizens. For example, what exactly do we mean as a community, as a nation, by ‘cyber war?’ And, in turn, who should we expect to fight it?
“One challenge that we find in this debate that we want to unpack for readers is the wide variety of dissimilar threats that we often bundle together as cyber threats simply because they all take place in cyberspace. For example, one senior Pentagon official cited an enormous number of cyber attacks on the Pentagon when he testified to Congress. The problem was that what he spoke of an “attack” the congressmen listening imagined some existential ‘cyber Pearl Harbor’ or ‘cyber 9-11.’ After all, that is what the secretary of defense had been discussing in various closed hearings. Yet, what the Pentagon official was talking about with these numbers instead was a hodgepodge ranging from attempts at address scans or ‘knocks,’ defamation (i.e., pranks such as changing external user-face websites), espionage (i.e., stealing secrets), and some more aggressive attempts to compromise security.
“That Pentagon official was bundling together everything from the equivalent of a teenage prankster with a firecracker, to a pistol-robber, a terrorist with a roadside bomb, a spy with a hidden gun, and a military armed with a cruise-missile. He was giving the impression that all these ‘attacks’ were basically similar because they all use the technology of cyberspace. But the only similarity between a firecracker and a cruise missile is the use of the technology of explosive materials. Such discussions are not a responsible way to keep the public informed about a critical issue.
“What we need to do is to disentangle our thinking about the nature of the threats and in turn that will allow us to disentangle our thinking about appropriate responses. For example, the US Military Cyber Command and its partner the National Security Agency have taken on a wide range of roles largely because of an overwhelming fear of what cyber attacks could be and also the fact that other agencies lack skill and the budget capacity. They are handling issues, as a result, that frankly are not appropriate to their mandate. ‘Appropriate’ here means in a strategic and organizational sense, and also in a legal sense.
“Think of it this way: Let’s imagine two banks were transferring money between them and one of their trucks was blocked in the street by a group of protesters. Well, no one would say, ‘call in the Army! It is the Army’s responsibility!’ And yet that is how we often react if the issue involves electronic transfers. We have to get over that kind of thinking. This is also huge to the concerns of IP theft and US-China tensions that result from it. It is critical that we disentangle certain subtle but important differences between a ‘9-11’ threat and a ‘death by a thousand cuts.’”
Pastreich: “That makes sense. I want to come back to the division of labor you hinted at. For example, with regards to the players such as the FBI, the NSA or the army, is there a field, for example, in which the FBI has exclusive dominion? The very terms domestic and international can be ambiguous when we are talking about cyberspace.”
Singer: “You have hit one of the major challenges. Trying to figure out when and where this construct — the notion of a state border — was established back in the 1700s applies, and when it does not, is a major bone of contention. Too often it seems as if cyberspace is a ‘stateless’ domain as some claim. As the adage goes, cyberspace is the ‘global commons.’ So some assume that somehow nations, states, have no role in cyberspace. But the reality is that states matter in cyberspace in two core ways.
“First, what happens in cyberspace has a direct impact on states. Simply put, since our commerce, communications, and infrastructure all depend on the safe, smooth running of that domain, states have to think about cyberspace seriously with an eye towards their own security and stability. They cannot afford not to care. Second, while cyberspace is virtual, the people who design and administer it, and the hardware that runs it, are located within national borders. There is no truly stateless aspect to cyberspace.”
“Let me be clear on this point. I am not suggesting that transnational dimensions are insignificant. They are critical and unprecedented. But the problem is far more complex than it appears at first glance. I am pushing back against the notion that cyberspace is somehow ‘stateless.’”
Pastreich: “But we have players these days around the globe who can use randomized data, so it is not so easy to figure out by the servers which particular state he, she, or they are in. So although cyberspace is not stateless, there are ghosts in the machine.”
Singer: “Yes, that is an important challenge. This problem comes up, for example, in the case of not only attribution but also of prosecution for crimes. There is a movie out about Julian Assange, ‘The Fifth Estate,’ that illustrates both sides of this problem. On the one hand, WikiLeaks, the organization, has been able to stay functional because of its transnational presence. Each time a state tries to shut it down, it simply transfers operations or picks up stakes. It also has woven a funding structure into things on which the state depends. It did so with the French banking system, for example.”
Pastreich: “The viral effect...”
Singer: “Yes, exactly. On the other hand, Julian Assange the person has been indicted in one state and is stuck in an embassy in another. While the online organization has been able to thrive, some of the individuals involved are subject to the power of the state. The power of the state still matters.
“To return to your question, one of the things that we will have to figure out is: what is the appropriate mechanism for states to cooperate in these domains? What agencies matter? Which is an appropriate response on the state level? And, finally, where is the line between the public and the private? In our book we have chapters in which, as an illustration, we ask whether we need international treaties for cyberspace. Are such treaties even possible? We also consider the dangers of certain international institutions overreaching their mandate and being used to clamp down on freedom of expression online. We see today new coalitions of democratic forces battling authoritarian states over the future of the Internet itself.
“Then at the state level we call for an end to viewing cyberspace through solely a national security or law enforcement framework. There are examples in public health, for example, in which nations are able to cooperate better but also to extend responsibility not just to the government but also to us as individuals. In the case of public health, there are national and international agencies that conduct investigations, research, and carry out the tracking of disease outbreaks. But we do not say that the entire work is up to them. For example, I teach my kids to cover their mouths when they cough, because we teach the importance to our kids of the habits of good hygiene to protect both themselves, but also others. There is an equivalent to cyber hygiene which serves not only to protect youth, but also to teach them that it is their responsibility as good citizens to protect others online. There are some parallels here in terms of protecting your computer from being taken over by a botnet. It is also about protecting the broader Internet.
“The book offers new, creative, different ways at looking at security.”