CYBERSECURITY AND CYBERWAR WHAT EVERYONE NEEDS TO KNOW ® oxfordhb-9780199918096.indd i 21-10-2013 22:38:12 “In our digital age, the issues of cybersecurity are no longer just for the technology crowd; they matter to us all. Whether you work in business or politics, the military or the media—or are simply an ordinary citizen—this is an essential read.” —Eric Schmidt, Executive Chairman, Google “This is the most approachable and readable book ever written on the cyber world. The authors have distilled the key facts and policy, provided sensible recommendations, and opened the debate generally to any informed citizen: a singular achievement. A must read for practitioners and scholars alike.” —Admiral James Stavridis, US Navy (Ret), former NATO Supreme Allied Commander “In confronting the cybersecurity problem, it’s important for all of us to become knowledgeable and involved. This book makes that possible—and also fascinating. It’s everything you need to know about cybersecurity, wonderfully presented in a clear and smart way.” —Walter Isaacson, author of Steve Jobs “If you read only one book about ‘all this cyberstuff,’ make it this one. Singer and Friedman know how to make even the most complicated material accessible and even entertaining, while at the same time making a powerful case for why all of us need to know more and think harder about the (cyber)world we know live in.“ —Anne-Marie Slaughter, President, the New America Foundation “Singer and Friedman blend a wonderfully easy to follow FAQ format with engaging prose, weaving explanations of the elements of cybersecurity with revealing anecdotes. From the fundamentals of Internet architecture to the topical intrigue of recent security leaks, this book provides an accessible and enjoyable analysis of the current cybersecurity landscape and what it could look like in the future.” —Jonathan Zittrain, Professor of Law and Professor of Computer Science at Harvard University, and author of The Future of the Internet—And How to Stop It “Singer and Friedman do a highly credible job of documenting the present and likely future risky state of cyber-affairs. This is a clarion call.” —Vint Cerf, “Father of the Internet,” Presidential Medal of Freedom winner “I loved this book. Wow. Until I read this astonishing and important book, I didn’t know how much I didn’t know about the hidden world of cybersecurity and cyberwar. Singer and Friedman make comprehensible an impossibly complex subject, and expose the frightening truth of just how vulnerable we are. Understanding these often-invisible threats to our personal and national security is a necessary first step toward defending ourselves against them. This is an essential read.” —Howard Gordon, Executive Producer of 24 and co-creator of Homeland oxfordhb-9780199918096.indd ii 21-10-2013 22:38:13 CYBERSECURITY AND CYBERWAR WHAT EVERYONE NEEDS TO KNOW ® P. W. SINGER AND ALLAN FRIEDMAN 1 oxfordhb-9780199918096.indd iii 21-10-2013 22:38:13 3 Oxford University Press is a department of the University of Oxford. It furthers the University’s objective of excellence in research, scholarship, and education by publishing worldwide. Oxford New York Auckland Cape Town Dar es Salaam Hong Kong Karachi Kuala Lumpur Madrid Melbourne Mexico City Nairobi New Delhi Shanghai Taipei Toronto With offices in Argentina Austria Brazil Chile Czech Republic France Greece Guatemala Hungary Italy Japan Poland Portugal Singapore South Korea Switzerland Thailand Turkey Ukraine Vietnam Oxford is a registered trademark of Oxford University Press in the UK and certain other countries. “What Everyone Needs to Know” is a registered trademark of Oxford University Press. Published in the United States of America by Oxford University Press 198 Madison Avenue, New York, NY 10016 © P. W. Singer and Allan Friedman 2014 All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, without the prior permission in writing of Oxford University Press, or as expressly permitted by law, by license, or under terms agreed with the appropriate reproduction rights organization. Inquiries concerning reproduction outside the scope of the above should be sent to the Rights Department, Oxford University Press, at the address above. You must not circulate this work in any other form and you must impose this same condition on any acquirer. Library of Congress Cataloging-in-Publication Data Singer, P. W. (Peter Warren) Cybersecurity and cyberwar : what everyone needs to know / Peter W. Singer, Allan Friedman. ISBN 978–0–19–991809–6 (hardback)—ISBN 978–0–19–991811–9 (paperback) 1. Computer security—United States 2. Computer networks—Security measures—United States. 3. Cyberspace—Security measures—United States. 4. Cyberterrorism—United States—Prevention. 5. Information warfare—United States—Prevention. I. Title. QA76.9.A25S562 2014 005.8—dc23 2013028127 1 3 5 7 9 8 6 4 2 Printed in the United States of America on acid-free paper oxfordhb-9780199918096.indd iv 21-10-2013 22:38:13 CONTENTS INTRODUCTION 1 Why Write a Book about Cybersecurity and Cyberwar? 1 Why Is There a Cybersecurity Knowledge Gap, and Why Does It Matter? 4 How Did You Write the Book and What Do You Hope to Accomplish? 8 PART I HOW IT ALL WORKS 12 The World Wide What? Deﬁning Cyberspace 12 Where Did This “Cyber Stuff” Come from Anyway? A Short History of the Internet 16 How Does the Internet Actually Work? 21 Who Runs It? Understanding Internet Governance 26 On the Internet, How Do They Know Whether You Are a Dog? Identity and Authentication 31 What Do We Mean by “Security” Anyway? 34 What Are the Threats? 36 One Phish, Two Phish, Red Phish, Cyber Phish: What Are Vulnerabilities? 39 How Do We Trust in Cyberspace? 45 Focus: What Happened in WikiLeaks? 51 oxfordhb-9780199918096.indd v 21-10-2013 22:38:13 vi Contents What Is an Advanced Persistent Threat (APT)? 55 How Do We Keep the Bad Guys Out? The Basics of Computer Defense 60 Who Is the Weakest Link? Human Factors 64 PART II WHY IT MATTERS 67 What Is the Meaning of Cyberattack? The Importance of Terms and Frameworks 67 Whodunit? The Problem of Attribution 72 What Is Hactivism? 77 Focus: Who Is Anonymous? 80 The Crimes of Tomorrow, Today: What Is Cybercrime? 85 Shady RATs and Cyberspies: What Is Cyber Espionage? 91 How Afraid Should We Be of Cyberterrorism? 96 So How Do Terrorists Actually Use the Web? 99 What about Cyber Counterterrorism? 103 Security Risk or Human Right? Foreign Policy and the Internet 106 Focus: What Is Tor and Why Does Peeling Back the Onion Matter? 108 Who Are Patriotic Hackers? 110 Focus: What Was Stuxnet? 114 What Is the Hidden Lesson of Stuxnet? The Ethics of Cyberweapons 118 “Cyberwar, Ugh, What Are Zeros and Ones Good For?”: Deﬁning Cyberwar 120 A War by Any Other Name? The Legal Side of Cyber Conﬂict 122 What Might a “Cyberwar” Actually Look Like? Computer Network Operations 126 Focus: What Is the US Military Approach to Cyberwar? 133 Focus: What Is the Chinese Approach to Cyberwar? 138 What about Deterrence in an Era of Cyberwar? 144 Why Is Threat Assessment So Hard in Cyberspace? 148 Does the Cybersecurity World Favor the Weak or the Strong? 150 Who Has the Advantage, the Offense or the Defense? 153 oxfordhb-9780199918096.indd vi 21-10-2013 22:38:13 Contents A New Kind of Arms Race: What Are the Dangers of Cyber Proliferation? 156 Are There Lessons from Past Arms Races? 160 Behind the Scenes: Is There a Cyber-Industrial Complex? 162 PART III WHAT CAN WE DO? 166 Don’t Get Fooled: Why Can’t We Just Build a New, More Secure Internet? 166 Rethink Security: What Is Resilience, and Why Is It Important? 169 Reframe the Problem (and the Solution): What Can We Learn from Public Health? 173 Learn from History: What Can (Real) Pirates Teach Us about Cybersecurity? 177 Protect World Wide Governance for the World Wide Web: What Is the Role of International Institutions? 180 “Graft” the Rule of Law: Do We Need a Cyberspace Treaty? 185 Understand the Limits of the State in Cyberspace: Why Can’t the Government Handle It? 193 Rethink Government’s Role: How Can We Better Organize for Cybersecurity? 197 Approach It as a Public-Private Problem: How Do We Better Coordinate Defense? 205 Exercise Is Good for You: How Can We Better Prepare for Cyber Incidents? 211 Build Cybersecurity Incentives: Why Should I Do What You Want? 216 Learn to Share: How Can We Better Collaborate on Information? 222 Demand Disclosure: What Is the Role of Transparency? 228 Get “Vigorous” about Responsibility: How Can We Create Accountability for Security? 231 Find the IT Crowd: How Do We Solve the Cyber People Problem? 235 Do Your Part: How Can I Protect Myself (and the Internet)? 241 oxfordhb-9780199918096.indd vii vii 21-10-2013 22:38:13 viii Contents CONCLUSIONS 247 Where Is Cybersecurity Headed Next? 247 What Do I Really Need to Know in the End? 255 ACKNOWLEDGMENTS NOTES GLOSSARY INDEX oxfordhb-9780199918096.indd viii 257 259 293 301 21-10-2013 22:38:13 INTRODUCTION Why Write a Book about Cybersecurity and Cyberwar? “All this cyber stuff.” The setting was a Washington, DC, conference room. The speaker was a senior leader of the US Department of Defense. The topic was why he thought cybersecurity and cyberwar was so important. And yet, when he could only describe the problem as “all this cyber stuff,” he unintentionally convinced us to write this book. Both of us are in our thirties and yet still remember the first computers we used. For a five-year-old Allan, it was an early Apple Macintosh in his home in Pittsburgh. Its disk space was so limited that it could not even fit this book into its memory. For a seven-year-old Peter, it was a Commodore on display at a science museum in North Carolina. He took a class on how to “program,” learning an entire new language for the sole purpose of making one of the most important inventions in the history of mankind print out a smiley face. It spun out of a spool printer, replete with the perforated paper strips on the side. Three decades later, the centrality of computers to our lives is almost impossible to comprehend. Indeed, we are so surrounded by computers that we don’t even think of them as “computers” anymore. We are woken by computerized clocks, take showers in water heated by a computer, drink coffee brewed in a computer, eat oatmeal heated up in a computer, then drive to work in a car controlled by hundreds of computers, while sneaking peeks at the last night’s sport scores on a computer. And then at work, we spend most of our day pushing buttons on a computer, an experience so futuristic in oxfordhb-9780199918096.indd 1 21-10-2013 22:38:13 2 INTRODUCTION our parents’ day that it was the stuff of The Jetsons (George Jetson’s job was a “digital index operator”). Yet perhaps the best way to gain even a hint of computers’ modern ubiquity is at the end of the day. Lie in bed, turn off the lights, and count the number of little red lights staring back at you. These machines are not just omnipresent, they are connected. The computers we used as little kids stood alone, linked to nothing more than the wall electricity socket and maybe that spool printer. Just a generation ago, the Internet was little more than a link between a few university researchers. The first “electronic mail” was sent in 1971. The children of those scientists now live in a world where almost 40 trillion e-mails are sent a year. The first “website” was made in 1991. By 2013, there were over 30 trillion individual web pages. Moreover, the Internet is no longer just about sending mail or compiling information: it now also handles everything from linking electrical plants to tracking purchases of Barbie dolls. Indeed, Cisco, a company that helps run much of the back end of the Internet, estimated that 8.7 billion devices were connected to the Internet by the end of 2012, a figure it believes will rise to 40 billion by 2020 as cars, fridges, medical devices, and gadgets not yet imagined or invented all link in. In short, domains that range from commerce to communication to the critical infrastructure that powers our modern-day civilization all operate on what has become a globalized network of networks. But with the rise of “all this cyber stuff,” this immensely important but incredibly short history of computers and the Internet has reached a defining point. Just as the upside of the cyber domain is rippling out into the physical domain, with rapid and often unexpected consequences, so too is the downside. As we will explore, the astounding numbers behind “all this cyber stuff” drive home the scale and range of the threats: 97 percent of Fortune 500 companies have been hacked (and 3 percent likely have been too and just don’t know it), and more than one hundred governments are gearing up to fight battles in the online domain. Alternatively, the problems can be conceptualized through the tough political issues that this “stuff” has already produced: scandals like WikiLeaks and NSA monitoring, new cyberweapons like Stuxnet, and the role that social networking plays in everything from the Arab Spring revolutions to your own concerns over personal privacy. Indeed, President Barack Obama declared that “cybersecurity risks pose some oxfordhb-9780199918096.indd 2 21-10-2013 22:38:13 Introduction 3 of the most serious economic and national security challenges of the 21st century,” a position that has been repeated by leaders in countries from Britain to China. For all the hope and promise of the information age, ours is also a time of “cyber anxiety.” In a survey of where the world was heading in the future, Foreign Policy magazine described the cyber area as the “single greatest emerging threat,” while the Boston Globe claimed that future is already here: a “cyber world war” in progress that will culminate in “bloody, digital trench warfare.” These fears have coalesced into the massive booming business of cybersecurity, one of the fastest growing industries in the world. It has led to the creation of various new governmental offices and bureaucracies (the US Department of Homeland Security’s National Cyber Security Division has doubled or tripled in size every year since its inception). The same is true for armed forces around the globe like the US Cyber Command and the Chinese “Information Security Base” (xinxi baozhang jidi), new military units whose very mission is to fight and win wars in cyberspace. As we later consider, these aspects of “cyber stuff” raise very real risks, but how we perceive and respond to these risks may be even more crucial to the future, and not just of the Internet. As Joe Nye, the former Dean of the Harvard Kennedy School of Government, notes, if users begin to lose confidence in the safety and security of the Internet, they will retreat from cyberspace, trading “welfare in search of security.” Fears over cybersecurity increasingly compromise our notions of privacy and have allowed surveillance and Internet filtering to become more common and accepted at work, at home, and at the governmental level. Entire nations, too, are pulling back, which will undermine the economic and human rights benefits we’ve seen from global connectivity. China is already developing its own network of companies behind a “Great Firewall” to allow it to screen incoming messages and disconnect from the worldwide Internet if needed. As a Yale Law School article put it, all of these trends are “converging into a perfect storm that threatens traditional Internet values of openness, collaboration, innovation, limited governance and free exchange of ideas.” These issues will have consequences well beyond the Internet. There is a growing sense of vulnerability in the physical world from oxfordhb-9780199918096.indd 3 21-10-2013 22:38:13 4 INTRODUCTION new vectors of cyberattack via the virtual world. As a report entitled “The New Cyber Arms Race” describes, “In the future, wars will not just be fought by soldiers with guns or with planes that drop bombs. They will also be fought with the click of a mouse a half a world away that unleashes carefully weaponized computer programs that disrupt or destroy critical industries like utilities, transportation, communications, and energy. Such attacks could also disable military networks that control the movement of troops, the path of jet fighters, the command and control of warships.” Such a vision of costless war or instant defeat either scares or comforts, wholly dependent on which side of the cyberattack you’re on. The reality, as we explore later in the book, is much more complex. Such visions don’t just stoke fears and drive budgets. They also are potentially leading to the militarization of cyberspace itself. These visions threaten a domain that has delivered massive amounts of information, innovation, and prosperity to the wider planet, fuel tensions between nations, and, as the title of the aforementioned report reveals, maybe even have set in motion a new global arms race. In short, no issue has emerged so rapidly in importance as cybersecurity. And yet there is no issue so poorly understood as this “cyber stuff.” Why Is There a Cybersecurity Knowledge Gap, and Why Does It Matter? “Rarely has something been so important and so talked about with less and less clarity and less apparent understanding. . . . I have sat in very small group meetings in Washington . . . unable (along with my colleagues) to decide on a course of action because we lacked a clear picture of the long term legal and policy implications of any decision we might make.” This is how General Michael Hayden, former Director of the CIA, described the cybersecurity knowledge gap and the dangers it presents. A major part of this disconnect is the consequence of those early experiences with computers, or rather the lack of them among too many leaders. Today’s youth are “digital natives,” having grown up in a world where computers have always existed and seem a natural feature. But the world is still mostly led by“digital immigrants,” oxfordhb-9780199918096.indd 4 21-10-2013 22:38:13 Introduction 5 older generations for whom computers and all the issues the Internet age presents remain unnatural and often confusing. To put it another way, few older than fifty will have gone through their university training even using a computer. Even the few who did likely used one that stood alone, not connected to the world. Our most senior leaders, now in their sixties and seventies, likely did not even become familiar with computers until well into their careers, and many still today have only the most limited experience with them. As late as 2001, the Director of the FBI did not have a computer in his office, while the US Secretary of Defense would have his assistant print out e-mails to him, write his response in pen, and then have the assistant type them back in. This sounds outlandish, except that a full decade later the Secretary of Homeland Security, in charge of protecting the nation from cyberthreats, told us at a 2012 conference, “Don’t laugh, but I just don’t use e-mail at all.” It wasn’t a fear of security, but that she just didn’t believe e-mail useful. And in 2013, Justice Elena Kagan revealed the same was true of eight out of nine of the United States Supreme Court justices, the very people who would ultimately decide what was legal or not in this space. It is not solely an issue of age. If it was, we could just wait until the old farts died off and all would be solved. Just because someone is young doesn’t mean the person automatically has an understanding of the key issues. Cybersecurity is one of those areas that has been left to only the most technically inclined to worry their uncombed heads over. Anything related to the digital world of zeros and ones was an issue just for computer scientists and the IT help desk. Whenever they spoke, most of us would just keep quiet, nod our heads, and put on what author Mark Bowden calls “the glaze.” This is the “unmistakable look of profound confusion and disinterest that takes hold whenever conversation turns to workings of a computer.” The glaze is the face you put on when you can only call something “stuff.” Similarly, those who are technically inclined too often roll their eyes at the foreign logic of the policy and business worlds, scoffing at the “old way” of doing business, without understanding the interactions between technology and people. The result is that cybersecurity falls into a no man’s land. The field is becoming crucial to areas as intimate as your privacy and as weighty as the future of world politics. But it is a domain only well known by “the IT Crowd.” It touches every major area of oxfordhb-9780199918096.indd 5 21-10-2013 22:38:13 6 INTRODUCTION public- and private-sector concern, but only the young and the computer savvy are well engaged with it. In turn, the technical community that understands the workings too often sees the world only through a specific lens and can fail to appreciate the broader picture or nontechnical aspects. Critical issues are thus left misunderstood and often undebated. The dangers are diverse and drove us in the writing of the book. Each of us, in whatever role we play in life, must make decisions about cybersecurity that will shape the future well beyond the world of computers. But often we do so without the proper tools. Basic terms and essential concepts that define what is possible and proper are being missed, or even worse, distorted. Past myth and future hype often weave together, obscuring what actually happened and where we really are now. Some threats are overblown and overreacted to, while others are ignored. This gap has wide implications. One US general described to us how “understanding cyber is now a command responsibility,” as it affects almost every part of modern war. And yet, as another general put it pointedly, “There is a real dearth of doctrine and policy in the world of cyberspace.” His concern, as we explore later, was not just the military side needed to do a better job at “cyber calculus,” but that the civilian side was not providing any coordination or guidance. Some liken today to the time before World War I, when the militaries of Europe planned to utilize new technologies like railroads. The problem was that they, and the civilian leaders and publics behind them didn’t understand the technologies or their implications and so made uninformed decisions that inadvertently drove their nations into war. Others draw parallels to the early years of the Cold War. Nuclear weapons and the political dynamics they drove weren’t well understood and, even worse, were largely left to specialists. The result was that notions we now laugh off as Dr. Strangelovian were actually taken seriously, nearly leaving the planet a radioactive hulk. International relations are already becoming poisoned by this disconnect between what is understood and what is known. While we are both Americans, and thus many of the examples and lessons in this book reflect that background, the “cyber stuff” problem is not just an American concern. We were told the same by officials and experts from places ranging from China and Abu Dhabi to Britain oxfordhb-9780199918096.indd 6 21-10-2013 22:38:13 Introduction 7 and France. In just one illustration of the global gap, the official assigned to be the “czar” for cybersecurity in Australia had never even heard of Tor, a critical technology to the field and its future (don’t worry, you—and hopefully she—will learn what everyone needs to know about Tor in Part II). This is worrisome not just because of the “naiveté” of such public officials, but because it is actually beginning to have a dangerous impact on global order. For instance, there is perhaps no other relationship as important to the future of global stability as that between the two great powers of the United States and China. Yet, as senior policymakers and general publics on both sides struggle to understand the cyber realm’s basic dynamics and implications, the issue of cybersecurity is looming ever larger in US-China relations. Indeed, the Chinese Academy of Military Sciences released a report whose tone effectively captured how suspicion, hype, ignorance, and tension have all begun to mix together into a dangerous brew. “Of late, an Internet tornado has swept across the world . . . massively impacting and shocking the globe. . . . Faced with this warm-up for an Internet war, every nation and military can’t be passive but is making preparations to fight the Internet war.” This kind of language—which is mirrored in the US—doesn’t illustrate the brewing global cyber anxiety. It also reveals how confusion and misinformation about the basics of the issue help drive that fear. While both sides, as we explore later on, are active in both cyber offense and defense, it is the very newness of the issue that is proving so difficult. Top American and Chinese governmental leaders talked with us about how they found cybersecurity to be far more challenging than the more traditional concerns between their nations. While they may not agree on issues like trade, human rights, and regional territorial disputes, they at least understand them. Not so for cyber, where they remain woefully ill-equipped even to talk about what their own nation is doing, let alone the other side. For example, a top US official involved in talks with China on cyber issues asked us what an “ISP” was (here again, don’t fret if you don’t yet know, we’ll cover this soon!). If this had been back in the Cold War, that question would be akin to not knowing what an ICBM was in the midst of negotiating with the Soviets on nuclear issues. oxfordhb-9780199918096.indd 7 21-10-2013 22:38:13 8 INTRODUCTION Such matters are not just issues for generals or diplomats but also for all citizens. The general lack of understanding on this topic is becoming a democracy problem as well. As we write, there are some fifty cybersecurity bills under consideration in the US Congress, yet the issue is perceived as too complex to matter in the end to voters, and as a result, the elected representatives who will decide the issues on their behalf. This is one of the reasons that despite all these bills no substantive cybersecurity legislation was passed between 2002 and the writing of this book over a decade later. Again, the technology has evolved so quickly that it is no surprise that most voters and their elected leaders are little engaged on cybersecurity concerns. But they should be. This field connects areas that range from the security of your bank accounts and online identity to broader issues of who in which governments can access your personal secrets and even when and where your nation goes to war. We are all users of this realm and are all shaped by it, yet we are not having any kind of decent public dialogue on it. “We’re not having a really good, informed debate,” as one professor at the US National Defense University put it. “Instead, we either punt the problem down the road for others to figure out, or to the small number of people who make important policy in the smoky backrooms.” And even that is insufficient, given that most people in today’s smoky backrooms have never been in an Internet chatroom. How Did You Write the Book and What Do You Hope to Accomplish? With all of these issues at play, the timing and value of a book that tried to tackle the basic issues that everyone should know about cybersecurity and cyberwar seemed ideal. And the format of this Oxford series, where all the books are in a “question and answer” style, seemed to hit that sweet spot. As we set out to research and write the book, this questionand-answer style then structured our methodology. To put it another way, if you are locked into a Q and A format, you better first decide the right set of Qs. We tried to gather all the key questions that people had about this field, not only those asked by people working in politics or technology, but also from our interactions and interviews well beyond. This set of questions was backed by what would have previously been called a “literature survey.” In the old (pre-Internet) days, this meant oxfordhb-9780199918096.indd 8 21-10-2013 22:38:13 Introduction 9 going to the library and pulling off the shelf all the books in that section of the Dewey decimal system. Today, on this topic especially, the sources range from books to online journals to microblogs. We were also greatly aided by a series of workshops and seminars at Brookings, the think tank in Washington we work at. These gathered key public- and private-sector experts to explore questions ranging from the efficacy of cyber deterrence to what can be done about botnets (all questions later dealt with in the book). We also held a series of meetings and interviews with key American officials and experts. They ranged from top folks like the Chairman of the Joint Chiefs, the highest-ranking US military officer, and the Director of the National Security Agency down to low-ranking systems administrators, from civilian governors, cabinet secretaries, and CEOs to small business owners and teenaged hackers. Our scope was global, and so the meetings also included leaders and experts from China (the foreign minister and generals from the PLA among them), as well as the UK, Canada, Germany, France, Australia, Estonia, United Arab Emirates, and Singapore. Finally, while it is a virtual world, we also visited key facilities and various cybersecurity hubs in locales that ranged from the DC Beltway and Silicon Valley to Paris and Abu Dhabi. Over the course of this journey, we noticed a pattern. The questions (and the issues that came from them) generally fell under three categories. The first were questions of the essential contours and dynamics of cyberspace and cybersecurity, the “How does it all work?” questions. Think of these as the “driver’s ed” part, which gives the basic building blocks to the online world. The second were questions on the broader implications of cybersecurity beyond cyberspace, the “Why does it matter?” questions. And then there were questions on the potential responses, the “What we can do?” questions. The following sections follow this basic structure. And with the questions laid out, then came the task of answering them. This book is the result. While the questions are diverse, you’ll notice that over the course of answering them, a few themes emerged to run through the book: • Knowledge matters: It is vital we demystify this realm if we ever want to get anything effective done in securing it. • People matter: Cybersecurity is one of those “wicked” problem areas that’s rife with complexities and trade-offs. This is in oxfordhb-9780199918096.indd 9 21-10-2013 22:38:13 10 INTRODUCTION • • • • large part not because of the technical side, but because of the people part. The people behind the machines are inherently inside any problem or needed solution. Incentives matter: If you want to understand why something is or isn’t happening in cyberspace, look to the motivations, the costs, and the tensions at play behind the issue. Indeed, anyone claiming a simple “silver bullet” solution in the cyber realm is either ignorant or up to no good. The crowd matters: This is not a realm where governments can or should have all the answers. Cybersecurity depends on all of us. States matter: That said, governments’ roles are crucial, especially the United States and China. The reason is not just that these two nations remain powerful and influential, but that the interplay of their often differing visions of cybersecurity are critical to the future of both the Internet and world politics. Cats matter: In the end, the Internet is what we make of it. And that means while serious “stuff” is at play in it, cyberspace is also a fun, often whimsical realm, with memes like dancing babies and keyboard-playing cats. So any treatment of it should be sure to capture that whimsy. To put it another way, our goal was to wrestle directly with the “cyber stuff” problem that set us on the journey. This is a book written by two researchers, following rigorous academic guidelines, and published by an esteemed university press. But our intent was not a book only for academics. The best research in the world is worthless if it does not find its way into the hands of those who need it. Indeed, the number of academic papers related to cybersecurity has increased at a compound annual growth rate of 20 percent for well over a decade. Yet no one would say that the broader world is all the more informed. Instead, we embraced this series’ core idea of “what everyone needs to know.” Everyone does not need to know the software programming secrets of Stuxnet or the legal dynamics of ISP insurance schemes. But as we all become more engaged in and dependent on cybersecurity, there are certain building blocks of understanding that we all need to have. Ignorance is not bliss when it comes to cybersecurity. Cyber issues affect literally everyone: politicians wrestling oxfordhb-9780199918096.indd 10 21-10-2013 22:38:13 Introduction 11 with everything from cybercrime to online freedom; generals protecting the nation from new forms of attack, while planning new cyberwars; business executives defending firms from once unimaginable threats, and looking to make money off of them; lawyers and ethicists building new frameworks for right and wrong. Most of all, cybersecurity issues affect us as individuals. We face new questions in everything from our rights and responsibilities as citizens of both the online and real world to how to protect ourselves and our families from a new type of danger. So this is not a book only for experts, but rather a book intended to unlock the field, to raise the general level of expertise, and then push the discussion forward. We hope that you find the journey useful, and ideally even enjoyable, just like the world of “cyber stuff” itself. Peter Warren Singer and Allan A. Friedman, August 2013, Washington, DC oxfordhb-9780199918096.indd 11 21-10-2013 22:38:13 Part I HOW IT ALL WORKS The World Wide What? Deﬁning Cyberspace “It’s not a truck. It’s a series of tubes.” This is how the late Alaska senator Ted Stevens famously explained cyberspace during a congressional hearing in 2006. As late-night humorist Jon Stewart noted, that someone who doesn’t “seem to know jack BLEEP about computers or the Internet . . . is just the guy in charge of regulating it” is a near-perfect illustration of how disconnected Washington policymakers can be from technological realty. While it’s easy to mock the elderly senator’s notion of electronic letters shooting through tubes, the reality is that defining ideas and terms in cyber issues can be difficult. Stevens’s “tubes” is actually a mangling of the idea of “pipes,” an analogy that is used by experts in the field to describe data connections. If he wanted to be perfectly accurate, Stevens could have used science-fiction writer William Gibson’s original conception of cyberspace. Gibson first used the word, an amalgam of “cybernetics” and “space,” in a 1982 short story. He defined it two years later in his genre-revolutionizing novel Neuromancer as “A consensual hallucination experienced daily by billions of legitimate operators, in every nation. . . . A graphic representation of data abstracted from the banks of every computer in the human system. Unthinkable complexity. Lines of light ranged in the nonspace of the mind, clusters and constellations of data.” Of course, if the senator had described cyberspace that way, most people would have thought him stoned rather than simply disconnected. oxfordhb-9780199918096.indd 12 21-10-2013 22:38:13 How It All Works 13 Part of why cyberspace is so difficult to define lies not only in its expansive, global nature, but also in the fact that the cyberspace of today is almost unrecognizable compared to its humble beginnings. The US Department of Defense can be considered the godfather of cyberspace, dating back to its funding of early computing and original networks like ARPANET (more on this soon). Yet even the Pentagon has struggled to keep pace as its baby has grown up. Over the years, it has issued at least twelve different definitions of what it thinks of as cyberspace. These range from the “notional environment in which digitized information is communicated over computer networks,” which was rejected because it implied cyberspace was only for communication and largely imaginary, to a “domain characterized by the use of electronics and the electromagnetic spectrum,” which was also rejected as it encompassed everything from computers and missiles to the light from the sun. In its latest attempt in 2008, the Pentagon assembled a team of experts who took over a year to agree on yet another definition of cyberspace. This time they termed it “the global domain within the information environment consisting of the interdependent network of information technology infrastructures, including the internet, telecommunications networks, computer systems, and embedded processors and controllers.” It is certainly a more detailed definition but so dense that one almost wishes we could go back to just the “tubes.” For the purposes of this book, we think it’s best to keep it simple. At its essence, cyberspace is the realm of computer networks (and the users behind them) in which information is stored, shared, and communicated online. But rather than trying to find the exact perfectly worded definition of cyberspace, it is more useful to unpack what these definitions are trying to get at. What are the essential features that not only compose cyberspace, but also make it unique? Cyberspace is first and foremost an information environment. It is made up of digitized data that is created, stored, and, most importantly, shared. This means that it is not merely a physical place and thus defies measurement in any kind of physical dimension. But cyberspace isn’t purely virtual. It comprises the computers that store data plus the systems and infrastructure that allow it to flow. This includes the Internet of networked computers, closed oxfordhb-9780199918096.indd 13 21-10-2013 22:38:13 14 CYBERSECURITY AND CYBERWAR intranets, cellular technologies, fiber-optic cables, and space-based communications. While we often use “Internet” as shorthand for the digital world, cyberspace has also come to encompass the people behind those computers and how their connectivity has altered their society. One of the key features, then, of cyberspace is that its systems and technologies are man-made. As such, cyberspace is defined as much by the cognitive realm as by the physical or digital. Perceptions matter, and they inform cyberspace’s internal structures in everything from how the names within cyberspace are assigned to who owns which parts of the infrastructure that powers and uses it. This leads to an important point often misunderstood. Cyberspace may be global, but it is not “stateless” or a “global commons,” both terms frequently used in government and media. Just as we humans have artificially divided our globe into territories that we call “nations” and, in turn, our human species into various groups like “nationalities,” the same can be done with cyberspace. It relies on physical infrastructure and human users who are tied to geography, and thus is also subject to our human notions like sovereignty, nationality, and property. Or, to put it another way, cyberspace’s divisions are as real as the meaningful, but also imaginary, lines that divide the United States from Canada or North from South Carolina. But cyberspace, like life, is constantly evolving. The hybrid combination of technology and the humans that use it is always changing, inexorably altering everything from cyberspace’s size and scale to the technical and political rules that seek to guide it. As one expert put it, “The geography of cyberspace is much more mutable than other environments. Mountains and oceans are hard to move, but portions of cyberspace can be turned on and off with the click of a switch.” The essential features remain the same, but the topography is in constant flux. The cyberspace of today is both the same as but also utterly different from the cyberspace of 1982. The hardware and software that make up cyberspace, for instance, were originally designed for computers operating from fixed wires and telephone lines. Mobile devices were first the stuff of Star Trek and then only for the drug dealers on Miami Vice who could afford to have something as exotic as a “car phone.” Today, a growing percentage of computing is moving onto mobile devices, so much so oxfordhb-9780199918096.indd 14 21-10-2013 22:38:13 How It All Works 15 that we’ve seen toddlers punch the screens of desktop computers as if they were broken iPads. Along with the technology of cyberspace, our expectations of it are likewise evolving. This generates new norms of behavior, from how kids “play” to the even more powerful concept that we should all have access to cyberspace and be able to express our personal opinions within it, on everything from a Hollywood star’s new hairdo to what we think of an authoritarian leader. So what constitutes the Internet itself is evolving before us in an even more fundamental way. It is simultaneously becoming massively bigger (each day some 2,500,000,000,000,000,000 bytes are added to the global supply of digital information) and far more personalized. Rather than passively receiving this onslaught of online information, the individual users are creating and tailoring sites to their personal use, ultimately revealing more about themselves online. These sites range from social networks like Facebook in the United States and RenRen in China to microblogs like Twitter and the Chinese equivalents Tencent and Sina. Indeed, microblogs in China (called Weibo) have taken off to the extent that 550 million were registered in 2012. Thus, while cyberspace was once just a realm of communication and then e-commerce (reaching over $10 trillion a year in sales), it has expanded to include what we call “critical infrastructure.” These are the underlying sectors that run our modern-day civilization, ranging from agriculture and food distribution to banking, healthcare, transportation, water, and power. Each of these once stood apart but are now all bound together and linked into cyberspace via information technology, often through what are known as “supervisory control and data acquisition” or SCADA systems. These are the computer systems that monitor, adjust switching, and control other processes of critical infrastructure. Notably, the private sector controls roughly 90 percent of US critical infrastructure, and the firms behind it use cyberspace to, among other things, balance the levels of chlorination in your city’s water, control the flow of gas that heats your home, and execute the financial transactions that keep currency prices stable. Cyberspace is thus evolving from “the nervous system—the control system of our economy,” as President George W. Bush once said, into something more. As Wired magazine editor Ben Hammersley oxfordhb-9780199918096.indd 15 21-10-2013 22:38:13 16 CYBERSECURITY AND CYBERWAR describes, cyberspace is becoming “the dominant platform for life in the 21st century.” We can bitch about it, but Facebook, Twitter, Google and all the rest are, in many ways the very definition of modern life in the democratic west. For many, a functioning Internet with freedom of speech, and a good connection to the social networks of our choice is a sign not just of modernity, but of civilization itself. This is not because people are “addicted to the video screen,” or have some other patronizing psychological diagnosis. But because the Internet is where we live. It’s where we do business, where we meet, where we fall in love. It is the central platform for business, culture, and personal relationships. There’s not much else left. To misunderstand the centrality of these services to today’s society is to make a fundamental error. The Internet isn’t a luxury addition to life; for most people, knowingly or not, it is life. But just as in life, not everyone plays nice. The Internet that we’ve all grown to love and now need is increasingly becoming a place of risk and danger. Where Did This “Cyber Stuff” Come from Anyway? A Short History of the Internet “Lo.” This was the very first real word transmitted over the computer network that would evolve into the Internet. But rather than the beginning of some profound proclamation like “Lo and behold,” “Lo” was instead the product of a system failure. In 1969, researchers at UCLA were trying to log into a computer at the Stanford Research Institute. But before they could type the “g” in the word “log,” the computer at the Stanford end of the network crashed. However, the ARPANET project, so named as it was funded by the Advanced Research Projects Agency (ARPA), would eventually transform how computers shared data and, with that, everything else. oxfordhb-9780199918096.indd 16 21-10-2013 22:38:13 How It All Works 17 Electronic communication networks have been shaping how we share information since the invention of the telegraph, the device that some now look back on and call the “Victorian Internet.” The hype around that old technology were similarly high; contemporaries declared that, with the telegraph, “It is impossible that old prejudices and hostilities should longer exist.” What makes the Internet distinct from prior communication networks like the old telegraphs and then telephone networks, however, is that it is packet-switched instead of circuit-switched. Packets are small digital envelopes of data. At the beginning of each packet, essentially the “outside” of the envelope, is the header, which contains details about the network source, destination, and some basic information about the packet contents. By breaking up flows of data into smaller components, each can be delivered in an independent and decentralized fashion, then reassembled at the endpoint. The network routes each packet as it arrives, a dynamic architecture that creates both flexibility and resiliency. Packet-switching was not developed to allow the United States to maintain communications even in the event of a nuclear attack, a common myth. It was really just developed to better enable more reliable, more efficient connections between computers. Prior to its rise in the 1970s, communication between two computers required a dedicated circuit, or preassigned bandwidth. This direct link meant those resources could not be used by anyone else, even when no data was being transmitted. By breaking these conversations into smaller parts, packets from multiple distinct conversations could share the same network links. It also meant that if one of the network links between two machines went down mid-communication, a transmission could be automatically rerouted with no apparent loss of connection (since there was never a connection to begin with). ARPA (now DARPA, with a D for “Defense” added) was an organization developed by the Pentagon to avoid technological surprise by leaping ahead in research. Computers were proliferating in the late 1960s, but even more researchers wanted to use them than was available. To ARPA, that meant finding ways to allow people at different institutions to take advantage of unused computer time around the country. oxfordhb-9780199918096.indd 17 21-10-2013 22:38:13 18 CYBERSECURITY AND CYBERWAR Rather than have dedicated—and expensive—connections between universities, the vision was a network of shared data links, sharing computational resources. Individual machines would each be connected with an Interface Message Processor that handled the actual network connection. This network was ARPANET, home of the first “Lo” and start of the modern cyber era. That first 1969 link from UCLA to Stanford grew to link forty nodes in 1972. Soon more universities and research centers around the world joined this first network, or alternatively created their own networks. For the purposes of the modern Internet, a series of packets sent between machines on a single network does not count as an “internet.” Internet implies connecting many different networks, in this case these various other computer networks beyond ARPANET that soon emerged but remained unlinked. The challenge was that different networks used very different underlying technology. The technical problem boiled down to abstracting these differences and allowing efficient communication. In 1973, the solution was found. Vint Cerf, then a professor at Stanford, and Robert Khan of ARPA refined the idea of a common transmission protocol. This “protocol” established the expectations that each end of the communication link should make of the other. It began with the computer equivalent of a three-way handshake to establish a connection, continuing through how each party should break apart the messages to be reassembled, and how to control transmission speeds to automatically detect bandwidth availability. The brilliance of the model is how it breaks the communication into “layers” and allows each layer to function independently. These packets, in turn, can be sent over any type of network, from sound waves to radio waves to light pulses on a glass fiber. Such Transport Control Protocols, or TCPs, could be used over all sorts of packet protocols, but we now use a type called the Internet Protocol, or IP, almost exclusively in the modern Internet. This protocol enabled the creation of a network of networks. But, of course, the Internet didn’t stop there. The new links excelled at connecting machines, but humans excel at making technology conform to their whims. As people shared machines for research, they started leaving messages for each other, simple files that could be oxfordhb-9780199918096.indd 18 21-10-2013 22:38:13 How It All Works 19 edited to form a conversation. This became clunky, and in 1972 Ray Tomlinson at the technical consulting firm BBN wrote a basic program to read, compose, and send messages. This was e-mail: the first Internet “killer app.” Within a year, a majority of traffic across the network originally created for research was e-mail. Now networked communication was about people. The last step in creating the modern Internet was eliminating barriers to entry. Early use was limited to those who had access to the networked computers at research and defense institutions. These organizations communicated via dedicated data lines. As the evident value of networked communication grew and the price of computers dropped, more organizations sought to join. Modems, which convert data to sound waves and back, allowed basic phone lines to serve as links to other computers. Soon, researchers outside computer science wanted access, not just to take advantage of the shared computing resources, but also to study the new networking technology itself. The US National Science Foundation then connected the existing supercomputering centers around the country into the NSFnet, which grew so rapidly that the expansion required commercial management. Each upgrade brought greater demand, the need for more capacity, and independently organized infrastructure. The architecture of a “backbone” that managed traffic between the different regional networks emerged as the efficient solution. This period also saw the introduction of the profit motive in Internet expansion. For instance, by this point Vint Cerf had joined the telecommunications firm MCI. In 1983, he led efforts to start MCI mail, the first commercial e-mail service on the Internet. By the late 1980s, it became obvious that managing the nascent Internet was not the business of the research community. Commercial actors could provide the necessary network services supporting the Internet and become avid consumers as well. So the White House Office of Science and Technology developed a plan to expand and commercialize the backbone services, seeing it as the only way that the new Internet could truly take off. The planners envisioned a decade-long process, though, with the final stages of commercial handover not completed until the late 1990s. Fortunately, a young senator from Tennessee became convinced it should speed up. In 1989, Al Gore authored a bill calling oxfordhb-9780199918096.indd 19 21-10-2013 22:38:13 20 CYBERSECURITY AND CYBERWAR for quicker privatization of the network. While he would later make a slight overstatement that he “took the initiative in creating the Internet,” this move by Congress to accelerate things was crucially important to the Internet’s expansion. By the time Gore was Vice President in 1994, the NSF was turning over official control of regional backbone connections to private interests. This privatization coincided with various new inventions and improvements that then democratized and popularized the Internet. In 1990, a researcher at the European research center CERN in Switzerland took a relatively obscure form of presenting information in a set of linked computer documents and built a new networking interface for it. With this HyperText Transfer Protocol (HTTP), and an accompanying system to identify the linked documents (URLs), Tim Berners-Lee “invented” the World Wide Web as we now look at it. Amusingly, when Berners-Lee tried to present it at an academic conference, his breakthrough wasn’t considered worthy enough even to make a formal panel. Instead, he was relegated to showing a poster on it in a hallway. A few years later, researchers at the University of Illinois introduced the Mosaic web browser, which simplified both web design and introduced the new practice of “web surfing” for the general public. And whether we like to admit it or not, this is the period when the pornography industry proved integral to the Internet’s history. A darker domain that some estimate makes up 25 percent of all Internet searches, the smut industry drove both new online users and new online uses like instant messaging, chatrooms, online purchasing, streaming video, trading files, and webcams (and the growing demands each of these placed on bandwidth, driving more underlying business). “Of course pornography has played a key role in the Web,” says Paul Saffo, an analyst with the Institute for the Future, a Silicon Valley think tank. “Porn is to new media formats what acne is to teenagers,” he said. “It’s just part of the process of growing up.” And soon the mainstream media started to wake up to the fact that something big was happening online. As the New York Times reported in 1994 (in a printed newspaper, of course!), “Increasing commercialization of the Internet will accelerate its transformation away from an esoteric communications system for American oxfordhb-9780199918096.indd 20 21-10-2013 22:38:13 How It All Works 21 computer scientists and into an international system for the flow of data, text, graphics, sound and video among businesses, their customers and their suppliers.” Lo and behold indeed. How Does the Internet Actually Work? For a few hours in February 2008, Pakistan held hostage all the world’s cute cat videos. The situation came about when the Pakistani government, in an attempt to prevent its own citizens from accessing what it decided was offensive content, ordered Pakistan Telecom to block access to the video-sharing website YouTube. To do so, Pakistan Telecom falsely informed its customers’ computers that the most direct route to YouTube was through Pakistan Telecom and then prevented Pakistani users from reaching the genuine YouTube site. Unfortunately, the company’s network shared this false claim of identity beyond its own network, and the false news of the most direct way to YouTube spread across the Internet’s underlying mechanisms. Soon over two-thirds of all the world’s Internet users were being misdirected to the fake YouTube location, which, in turn, overwhelmed Pakistan Telecom’s own network. The effects were temporary, but the incident underscores the importance of knowing how the Internet works. The best way to gain this understanding is to walk through how information gets from one place to another in the virtual world. It’s a bit complex, but we’ll do our best to make it easy. Suppose you wanted to visit the informative and—dare we say—entertaining website of the Brookings Institution, the think tank where we work. In essence, you have asked your device to talk to a computer controlled by Brookings in Washington, DC. Your machine must learn where that computer is and establish a connection to enable communication. The first thing your computer needs to know is how to find the servers that host the Brookings web page. To do that, it will use the Internet Protocol (IP) number that serves as the address for endpoints on the Internet. Your machine was most likely automatically assigned an IP address by your Internet service provider or oxfordhb-9780199918096.indd 21 21-10-2013 22:38:13 22 CYBERSECURITY AND CYBERWAR whatever network you are using. It also knows the address of its router, or the path to the broader Internet. Finally, your computer knows the address of a Domain Name System server. The Domain Name System, or DNS, is the protocol and infrastructure through which computers connect domain names (human memorable names like Brookings.edu) to their corresponding IP addresses (machine data like 126.96.36.199). The DNS is global and decentralized. Its architecture can be thought of as a tree. The “root” of the tree serves as the orientation point for the Domain Name System. Above that are the top-level domains. These are the country codes such as .uk, as well as other domains like .com and .net. Each of these top-level domains is then subdivided. Many countries have specific second-level domains, such as co.uk and ac.uk, to denote business and academic institutions, respectively. Entry into the club of top-level domains is controlled internationally through the Internet Corporation for Assigned Names and Numbers (ICANN), a private, nonprofit organization created in 1998 to run the various Internet administration and operations tasks that had previously been performed by US government organizations. Each top-level domain is run by a registry that sets its own internal policies about domains. Organizations, such as Brookings or Apple or the US Department of State, acquire their domains through intermediaries called registrars. These registrars coordinate with each other to ensure the domain names in each top-level domain remain unique. In turn, each domain manages its own subdomains, such as mail.yahoo.com. To reach the Brookings domain, your computer will query the DNS system through a series of resolvers. The basic idea is to go up the levels of the tree. Starting with the root, it will be pointed to the record for .edu, which is managed by Educause. Educause is the organization of some 2,000 educational institutions that maintains the list of every domain registered in .edu. From this list, your computer will then learn the specific IP address of Brookings’s internal name server. This will allow it to address specific queries about content or applications from inside the Brookings domain. Then, the Brookings name server will direct your computer to the specific content it is looking for, by returning the IP address of the machine that hosts it. oxfordhb-9780199918096.indd 22 21-10-2013 22:38:13 How It All Works 23 In reality, this process is a little more complex. For example, servers often store data locally in caches for future use, so that every query does not have to go to the root, and the protocol includes specific error conditions to handle errors predictably. The rough outline above, however, gives a sense of how it all works. Now that your computer has the location of the data, how will that data get to your computer? The server at Brookings needs to know that it should send data to your machine, and the data needs to get there. Figure 1.1 illustrates how your computer requests a web page by breaking down the request into packets and sending them across the Internet. First, at the “layer” of the application, your browser interprets the click of your mouse as a command in the HyperText Transfer Protocol (HTTP), which defines how to ask for and deliver content. This command is then passed down to the transport and network layers. Transport is responsible for breaking the data down into packet-sized chunks and making sure that all of How your computer talks to a website 1. You click on a link on your web browser application, which translates the click into a request in the HTTP protocol. 2. The application’s HTTP request is chopped up by the operating system into small, individually addressed IP packets. http://www 7. The web server IP Packets IP Packets reassembles the packets, and interprets the HTTP request to send the web content. 6. Website’s ISP 3. Your computer sends packets to the local network. The Website’s ISP Your ISP 4. Each packet is routed individually to a larger network. Packets in the same message can take different paths. Backbone Networks sends the traffic to the web server. 5. Tier 1 or “back-bone” networks route traffic to other nodes that are closer to the destination IP address. Figure 1.1 oxfordhb-9780199918096.indd 23 21-10-2013 22:38:13 24 CYBERSECURITY AND CYBERWAR the chunks arrive free of error and reassembled in the correct order for the application layer above. The network layer is responsible for trying its best to navigate the packets across the Internet. If you think of the data you are trying to send and receive as a package of information, the transport layer is responsible for packing and receiving the packages, while the network is responsible for moving them from source to destination. Once at the destination, the packets are reassembled, checked, and then passed back up to the application—in this case, a web server sending you the web content you requested. But how do the packets know how to get across the Internet to their destination? Like the DNS that helped your computer find the website it was looking for, the organization of Internet networks can be thought of as a hierarchy. Each computer is part of a network, like the network connecting all the customers of an Internet service provider (ISP). ISPs are essentially the organizations that provide access to the Internet, as well as other related services like e-mail or hosting websites. Most ISPs are private, for-profit companies, including a number of the traditional telephone and cable TV firms that began offering Internet access when the field took off, while others are government or community owned. Those networks, in turn, form nodes called Autonomous Systems (AS) in the global Internet. Autonomous Systems define the architecture of Internet connections. Traffic is routed locally through the AS and controlled by the policies of that organization. Each AS has a set of contiguous blocks of IP addresses and forms the “home” for these destinations. All have at least one connection to another AS, while large ISPs might have many. So routing to a particular IP address is simply a matter of finding its AS. There’s a problem, though: The Internet is big. There are over 40,000 AS nodes on the Internet today, and their interconnections are changing and shifting over time. Given this scale, a global approach to routing everything the same way is impossible. Instead, the Internet uses a dynamic, distributed system that does not maintain a permanent vision of what the network looks like at any given time. The principle of routing is fairly simple: at each point in the network, a router looks at the address of an incoming packet. If the destination is inside the network, it keeps the packet oxfordhb-9780199918096.indd 24 21-10-2013 22:38:13 How It All Works 25 and sends it to the relevant computer. Otherwise, it consults a routing table to determine the best next step to send the packet closer to its destination. The devil is in the details of this routing table’s construction. Since there is no global address book, the nodes in the network have to share key information with other routers, like which IP addresses they are responsible for and what other networks they can talk to. This process happens separately from the Internet routing process on what is known as the “control plane.” Routers also pass along information to their neighbors, sharing up-to-date news about the state of the network and who can talk to whom. Each router then constructs its own internal, temporary model of how best to route the traffic coming through. This new model, in turn, is shared so that a router’s neighbors now know how it will pass along new traffic. If this sounds complex, it’s because it is! In just a few pages, we’ve summed up what it took decades of computer science research to create. The takeaway for cybersecurity is that the entire system is based on trust. It is a system that works efficiently, but it can be broken, either by accident or by maliciously feeding the system bad data. The Pakistan example shows what happens when that trust is abused. The government censors “broke the Internet” by falsely claiming to have direct access to the IP address that serves YouTube. This was a narrow, local, politically motivated announcement. But because of how the Internet works, soon every ISP in Asia was trying to route all their YouTube traffic to Pakistan, solely because they believed it was closer than the real intended destination. The models they were building were based on false information. As more networks did this, their neighbors also came to believe that YouTube was the Pakistani IP address. The whole mess wasn’t resolved until Google engineers advertised the correct routes aggressively across the network. In sum, understanding the Internet’s basic decentralized architecture provides two insights for cybersecurity. It offers an appreciation of how the Internet functions without top-down coordination. But it also shows the importance of the Internet’s users and gatekeepers behaving properly, and how certain built-in choke points can create great vulnerabilities if they don’t. oxfordhb-9780199918096.indd 25 21-10-2013 22:38:13 26 CYBERSECURITY AND CYBERWAR Who Runs It? Understanding Internet Governance In 1998, a computer researcher and a respected leader in the networking community named Jon Postel sent an innocuous sounding e-mail to eight people. He asked them to reconfigure their servers so that they would direct their Internet traffic using his computer at the University of Southern California rather than a computer in Herndon, Virginia. They did so without question, as Postel (who had been part of the team that set up the original ARPANET) was an icon in the field, who served as a primary administrator for the network’s naming system. With that one e-mail, Postel committed the first coup d’état of the Internet. The people he had e-mailed ran eight of the twelve organizations that controlled all the name servers—the computers ultimately responsible for translating a domain name such as “Brookings.edu” into a computer-addressable IP address. And the computer in Virginia that he had steered two-thirds of the Internet’s root servers away from was controlled by the US government. While Postel would later say he had only seized control of a majority of the Internet’s root servers as a “test,” others think that he did so in protest, showing the US government “that it couldn’t wrest control of the Internet from the widespread community of researchers who had built and maintained the network over the previous three decades.” Postel’s “coup” illustrates the crucial role of governance issues even for a technical space. As the Internet has grown from a small research network to the global underpinning of our digital society, questions of who runs it have become more and more important. Or, as Eric Schmidt (who went on to become the CEO of a little firm known as Google) told a 1997 programmers conference in San Francisco, “The Internet is the first thing that humanity has built that humanity doesn’t understand, the largest experiment in anarchy that we have ever had.” Since digital resources are not “scarce” like traditional resources, its governance questions are a bit different. That is, the main questions of Internet governance are of interoperability and communication rather than the classic issue of distribution, which has consumed political thinkers from Socrates to Marx. However, even in a digital world of seemingly endless resources, traditional issues of governance also arise in cyberspace, including representation, power, and legitimacy. oxfordhb-9780199918096.indd 26 21-10-2013 22:38:13 How It All Works 27 Key decision chokepoints revolve around the technical standards for interoperability, the distribution of IP numbers that gives computers an address allowing them to send and receive packets, and the management of the Internet’s naming system. Interestingly enough, it is this final category, the intersection of the technical and nontechnical aspect of naming, that has produced the most conflict. The operations of the Internet require independent actors to follow basic rules that guarantee interoperability, known as standards. This standards-based approach goes back to the beginning of the Internet, when the engineers building the initial systems published Requests For Comments (RFCs) to seek feedback on proposed standards. Over time, this group of network engineers and researchers grew into an international, voluntary standards organization called the Internet Engineering Task Force (IETF). The IETF develops new Internet standards and protocols and modifies existing ones for better performance. Everything developed by the IETF falls under specific working groups that concentrate on areas like routing, applications, and infrastructure. These groups are open forums that work mostly through mailing lists, and anyone is welcome to participate. Many of the individuals in them are from large technology firms, but no one actor or small party can steamroll the process, which relies on consensus. Openness, and even a sense of whimsy, is critical to the culture of the IETF. In some working group meetings, the members decide on an issue by humming for or against a proposal. The proposal with the loudest hum advantage wins. While it sounds a bit silly, it is seen as a way of maintaining the original Internet creators’ ethic of fostering consensus and reaching decisions relatively quickly. The volume of the humming also helps maintain a level of anonymity, unless you abuse the system: That is, you can hum or not without opening your mouth, but it’s hard to hum louder to dominate a vote without being too obvious about it, which would cause backlash. Despite the sense of fun that can drive working groups members, security is a principle concern in the system. In addition to working groups focused on particular security issues, every proposed standard must have an explicit “Security Considerations” section. Additionally, a security directorate reviews all proposed standards passed from the working groups to the Steering Group. oxfordhb-9780199918096.indd 27 21-10-2013 22:38:13 28 CYBERSECURITY AND CYBERWAR While the IETF has no official board or formal leadership, the Internet Engineering Steering Group (IESG) offers oversight and guidance for both the standards process and the standards themselves. In turn, the Internet Architecture Board (IAB), which evolved from the technical advisory board of the original ARPANET management in the early 1970s, offers further oversight of the IESG. Both of these organizations fall under the auspices of the Internet Society, or ISOC, an international group formed in 1992 that oversees most of the technical standards process. The ISOC came about when Internet governance moved beyond just matters of technical coordination. As the web went global and companies began to depend on Internet business, more and more participants had a financial or political stake in the system’s evolution in one direction or another. Organizations began to disagree on process, and the US government’s central involvement worried many. The ISOC was established as an independent, international organization to offer a formal, legal means to safeguard the independent and open standards processes. ISOC’s power derives from its membership; it’s open to any individual and, for a fee, any organization. These members then elect trustees who, in turn, appoint leadership to the IAB, which oversees the governance process for the IESG and the working groups’ process they guide. Imagine this alphabet soup all as a mix of informal, semiformal, and formal groups all nested together. This structure promotes a high degree of independence while still allowing for accountability to the Internet community. While there are political and financially motivated disagreements, when it comes to standards development, the process has thus far fostered globally shared interest in maintaining a functioning Internet. This ethic of shared interest, however, becomes more difficult in dealing with property rights and other scarce resources on the Internet. The Internet may be seemingly infinite in size, but it still has zero-sum games. Identifiers such as IP addresses and domains have to be unique—the Internet wouldn’t work if multiple parties attempted to use the same IP address or wanted to resolve a domain name to a competing address. One of the earliest oversight roles was apportioning these numbers and names. What emerged was the Internet Assigned Numbers Authority, a collaborative effort of the US government and the early researchers who had developed oxfordhb-9780199918096.indd 28 21-10-2013 22:38:14 How It All Works 29 the original technology. Yet as the Internet grew, control of this process grew more important. Assigning names and numbers meant control over who could access the Internet and how. Jon Postel’s “coup” illustrated the need for a more transparent and accessible governance structure. The growing pressure for a commercial Internet, and the emerging realization that Americans could not expect to control the network forever, meant that this new structure could not be run by the US government. In 1998, after a survey period that sought input from the public and key Internet leaders and organizations, responsibility shifted to an independent corporation with a governance structure that “reflects the geographical and functional diversity of the Internet.” The Internet Corporation for Assigned Names and Numbers, or ICANN, was born. While chartered in California as a nonprofit, ICANN set in motion a structured way to distribute IP addresses that more appropriately reflected the Internet’s global nature. Regional authorities in North America, Europe, and Asia, followed later by Latin America and finally Africa in 2004, took over this task and continue to perform this role today. Not everything with ICANN is easy. Domains define identity on the Internet, which brings strong commercial and political interests into conflict. Decisions about who gets what Internet identity inherently create winners and losers; adding new top-level domains such as .tech enables new business models but requires more expense for trademark protection to fend off “squatters.” Trademarks themselves can pose risks. For example, a process was needed to decide which of the many businesses with “Apple” in their name would get apple.com. At the same time, that process could not be corrupted to deny free speech opportunities, such as sucks.com. This process has even touched on hot issues of national identity. When nations achieve independence or dissolve into civil war, who controls their country’s top-level domain? In Western Sahara, both sides of a forty-year-old conflict claim the rights to the top-level domain .eh. The process and governance of ICANN have drawn even more controversy. Policy scholars use the term “multi-stakeholder process” to describe its organic, open, yet non-representative approach. oxfordhb-9780199918096.indd 29 21-10-2013 22:38:14 30 CYBERSECURITY AND CYBERWAR Decisions are supposed to be made by consensus, while a host of advisory committees help represent key constituencies in the Internet’s smooth operations, such as Internet service providers and the intellectual property community. National interests from around the world are represented through a Governmental Advisory Committee. Yet this multi-stakeholder model strikes some as disposed to favor the powerful. Governments and large commercial interests can afford to pay staff to participate in these forums, while nonprofit civil society groups may lack the resources to sit at the table at all. Many argue that special interests are too heavily represented among the decision-makers. Others want it to be more like traditional international organizations, which tend to follow the United Nations model of “one state, one vote.” And despite efforts to globalize Internet governance, many still see ICANN as captive to US interests. The control of assigning names and numbers still ostensibly belongs to the US Department of Commerce, which it delegates to ICANN by renewable contract. That is, the United States retains overall control, while the management function is held by an industry-led organization. Both have a vested interest in maintaining the status quo. The challenge, of course, is that no other institution or process could easily replace ICANN. While it is easy to criticize ICANN, there is no practical model for an alternative organization that must represent and balance such a broad range of interests from around the world and across all sides of complex policy issues. The key takeaway of these governance issues for cybersecurity is not just the important role that trust and open-mindedness have played in the Internet’s growth (aspects that are challenged by growing security concerns) but that the Internet has always been recognized as a space that defies traditional governance models. In 1992, Internet pioneer David Clark of MIT set out his bold dictum for the community: We reject: kings, presidents and voting. We believe in: rough consensus and running code. This quote has been widely circulated. Less well known is what Clark wrote on his very next slide: “What are we bad at? Growing our process to match our size.” oxfordhb-9780199918096.indd 30 21-10-2013 22:38:14 How It All Works 31 On the Internet, How Do They Know Whether You Are a Dog? Identity and Authentication Carnegie Mellon University professor Alessandor Acquisti has a fun but scary party trick: show him a picture of your face that is online and he will then guess your Social Security number. Understanding how Acquisti does this is useful even for non-Americans (who lack these supposedly secret Social Security numbers) because it illustrates the story of identity and authentication and how it can go awry. Acquisti first uses image-matching technology to find your face on a social networking website. If your birthdate and birth city are listed online, as they are for most people, then he can use the patterns that link time and location to the first five of the nine numbers in your Social Security number. Then it is just a numbers guessing game for the remaining digits. If you come from a small state like Delaware, the Social Security number can be determined in less than 10 tries. In theory, no one should care, since Social Security numbers were never meant to be secret. Before 1972, Social Security cards even said “not for identification” on them. But as we began to use computers to track people, it became critical for computers to differentiate individuals. Using someone’s name alone wasn’t enough: there are too many John Smiths in the world. Across every database, each record needed to be accessed with some identifier unique to that person. And since every American had a unique Social Security number, it was convenient to use that. So far, so good. The number was just a means to look someone up in a computer. But this number also became the way for two systems to know they were talking about the same person. Soon the Social Security number began to be used to track bank accounts, tax details, and all other sorts of personal information. Along the way, organizations assumed that, since Social Security numbers weren’t published, they weren’t public, and if they weren’t public, they must be secret. Wrong. In the computer world, “identification” is the act of mapping an entity to some information about that entity. This can be as mundane as a fantasy football website accepting the association between a person and the name the person claims, or as critical as matching a medical record to an unconscious patient. It is important to separate identification from “authentication,” which is the proof of the identification. This proof has traditionally oxfordhb-9780199918096.indd 31 21-10-2013 22:38:14 32 CYBERSECURITY AND CYBERWAR been defined as “something you know, something you have, or something you are.” What you “know” is the basic password model. It is a secret that is known, presumably only by the right person. Something you “have” refers to a physical component with limited access, so that only the right person might have it. With bank ATMs, it is a card, while more recently the mobile phone has become a de facto authenticator for receiving text messages containing a one-time code. By entering this one-time code, people taking action on the Web show that they have control of the verified mobile phone that is receiving the messages. Finally, you can prove who you “are” through something recognizable. Since this often refers to one’s person, we call this a “biometric.” Biometrics can be as simple as another human recognizing your face or as sophisticated as a sensor that recognizes your eye’s retina. There are weaknesses with these proofs. Passwords can be guessed or broken and require a cognitive load (you have to memorize them). If they are reused across different contexts, then breaking one system allows an attacker into others. Things that you “have” can be stolen or forged. And even biometrics can be compromised. For instance, access readers that require supposedly unique fingerprints have been fooled by forged fingerprints pressed into Gummy Bear candy, or, much more gruesomely, pressing down an amputated finger onto the machine (Russian mobsters ironically don’t seem to like cute, bear-shaped candy). There are various mechanisms to bolster these measures. One is to contact trusted friends to confirm that individuals are who they say they are. The idea is drawn from the old line “It’s all about who you know,” since a mutually trusted friend can verify that the individual in question conforms to the claimed identity. Other systems factor in the cost of fooling the controls. Anyone can create a website claiming a specific identity, but it requires time and effort to maintain an active and lengthy presence on an associated social media platform like Twitter or Facebook. Here again, these can be hacked or faked, but at a much greater cost to the attacker to pull off. After authentication is authorization. Now that a system knows who you are, what can you do? In classic computer security, authorization was about giving access to network files, but in our increasingly connected world, gaining authorization can open the doors to practically everything. Authorization is the part that links these oxfordhb-9780199918096.indd 32 21-10-2013 22:38:14 How It All Works 33 technical issues to policy, business, political and moral questions. Is the individual authorized to buy something, like an account on an online gambling site? And even if so, is the individual old enough to participate? Or, at a slightly larger world stage, just because someone has access to a military’s classified networks, should the person be authorized to read and copy every file in them (a practice that would haunt the US military in the Bradley Manning and Edward Snowden leaks)? The entire problem was perhaps best illustrated by one of the most cited cartoons in history. In 1993, New Yorker magazine published a drawing by Peter Steiner of two dogs sitting near a computer. One dog tells the other, “On the Internet, nobody knows you’re a dog.” Yet this isn’t to say that people can’t find out private details about you if they want. Every activity on the Internet is data being routed from an Internet Protocol (IP) address. As we saw in the prior section, an IP address is a numerical label that is assigned to an addressable connection in the Internet. For most consumers, the IP address is not permanently assigned to their device. Instead, the IP address will be dynamic. The consumer’s Internet service provider will assign an IP address for a period of time, but it might be reassigned to someone else after the consumer disconnects. However, if an Internet service provider retains the relevant data, it is able to correlate the IP address at a specific date and time to a particular service subscriber. An IP address is not in and of itself information about an identifiable individual. But it can provide some information about the geographic location and the means by which that individual accesses the Internet. It is the potential for how the IP address can be combined with other information (or could be reasonably combined with other information) that has privacy advocates concerned. If you can combine enough of this online and offline information, you might have enough data to make a high-probability guess about who was doing what and where. For instance, in the 2012 scandal that enveloped CIA director General David Petraeus, the FBI was able to backtrack the anonymous sender of a series of threatening e-mails to the business center of a hotel that his mistress turned out to be staying at. The information gathered about identity is not the same as proof of identity. Relying on the IP address would be like relying on license plates to identify drivers. A sophisticated user can easily hide or disguise her IP address by routing her activities through another point oxfordhb-9780199918096.indd 33 21-10-2013 22:38:14 34 CYBERSECURITY AND CYBERWAR on the Internet, making it appear that that node was responsible for the original traffic. There are, however, many other types of data that can be collected that are harder to hide. Even the patterns of how individual users browse and click through a website can be used to identify them. This question of how can we identify and authenticate online activities is a different question from how should we. You may not have wanted your Social Security number to be revealed at a party. Or that dog might have preferred its identity remain secret, at least until the two of you had gone out on a few more online dates. For the purposes of cybersecurity, the bottom line is that digital identity is a balance between protecting and sharing information. Limiting acquired information is not only good for privacy, it can prevent others from gaining information for more sophisticated authentication fraud. At the same time, each system has incentives to maximize the amount of data it collects, as well as use that data for its own goals. What Do We Mean by “Security” Anyway? There’s an old joke in the security industry about how to secure any computer: Just unplug it. The problem is not only that the joke is becoming outdated in an era of wireless and rechargeable devices, but once a machine is plugged in, there are practically an infinite number of ways its use might deviate from its intended purpose. This deviation is a malfunction. When the difference between the expected behavior and actual behavior is caused by an adversary (as opposed to simple error or accident), then the malfunction is a “security” problem. Security isn’t just the notion of being free from danger, as it is commonly conceived, but is associated with the presence of an adversary. In that way, it’s a lot like war or sex; you need at least two sides to make it real. Things may break and mistakes may be made, but a cyber problem only becomes a cybersecurity issue if an adversary seeks to gain something from the activity, whether to obtain private information, undermine the system, or prevent its legitimate use. oxfordhb-9780199918096.indd 34 21-10-2013 22:38:14 How It All Works 35 To illustrate, in 2011 the Federal Aviation Administration ordered nearly half of US airspace shut down and more than 600 planes grounded. It seemed like a repeat of how American airspace was shut down after the 9/11 attacks. But this incident wasn’t a security issue, as there was no one behind it. The cause was a software glitch in a single computer at the Atlanta headquarters building. Take the same situation and change the glitch to a hack: that’s a security issue. The canonical goals of security in an information environment result from this notion of a threat. Traditionally, there are three goals: Confidentiality, Integrity, Availability, sometimes called the “CIA triad.” Confidentiality refers to keeping data private. Privacy is not just some social or political goal. In a digital world, information has value. Protecting that information is thus of paramount importance. Not only must internal secrets and sensitive personal data be safeguarded, but transactional data can reveal important details about the relationships of firms or individuals. Confidentiality is supported by technical tools such as encryption and access control as well as legal protections. Integrity is the most subtle but maybe the most important part of the classic information security triumvirate. Integrity means that the system and the data in it have not been improperly altered or changed without authorization. It is not just a matter of trust. There must be confidence that the system will be both available and behave as expected. Integrity’s subtlety is what makes it a frequent target for the most sophisticated attackers. They will often first subvert the mechanisms that try to detect attacks, in the same way that complex diseases like HIV-AIDS go after the human body’s natural defenses. For instance, the Stuxnet attack (which we explore later in Part II) was so jarring because the compromised computers were telling their Iranian operators that they were functioning normally, even as the Stuxnet virus was sabotaging them. How can we know whether a system is functioning normally if we depend on that system to tell us about its current function? Availability means being able to use the system as anticipated. Here again, it’s not merely the system going down that makes availability a security concern; software errors and “blue screens of oxfordhb-9780199918096.indd 35 21-10-2013 22:38:14 36 CYBERSECURITY AND CYBERWAR death” happen to our computers all the time. It becomes a security issue when and if someone tries to exploit the lack of availability in some way. An attacker could do this either by depriving users of a system that they depend on (such as how the loss of GPS would hamper military units in a conflict) or by merely threatening the loss of a system, known as a “ransomware” attack. Examples of such ransoms range from small-scale hacks on individual bank accounts all the way to global blackmail attempts against gambling websites before major sporting events like the World Cup and Super Bowl. Beyond this classic CIA triangle of security, we believe it is important to add another property: resilience. Resilience is what allows a system to endure security threats instead of critically failing. A key to resilience is accepting the inevitability of threats and even limited failures in your defenses. It is about remaining operational with the understanding that attacks and incidents happen on a continuous basis. Here again, there is a parallel to the human body. Your body still figures out a way to continue functioning even if your external layer of defense—your skin—is penetrated by a cut or even bypassed by an attack like a viral infection. Just as in the body, in the event of a cyber incident, the objective should be to prioritize resources and operations, protect key assets and systems from attacks, and ultimately restore normal operations. All of these aspects of security are not just technical issues: they are organizational, legal, economic, and social as well. But most importantly, when we think of security we need to recognize its limits. Any gain in security always involves some sort of trade-off. Security costs money, but it also costs time, convenience, capabilities, liberties, and so on. Similarly, as we explore later on, the different threats to confidentiality, availability, integrity, and resiliency each require different responses. Short of pulling the plug, there’s no such thing as absolute security. What Are the Threats? It sounds odd that reporters took a passenger jet to Idaho just to watch a cyberattack, but that’s exactly what happened in 2011. Worried that the public did not understand the magnitude of growing cyberthreats, the Department of Homeland Security oxfordhb-9780199918096.indd 36 21-10-2013 22:38:14 How It All Works 37 flew journalists from around the country to the Idaho National Laboratory. Only four years earlier, the INL, an incredibly secure and secretive facility that houses a Department of Energy’s nuclear research facility, had conducted a top-secret test to destroy a large generator via cyberattack. In 2011, in an effort to raise awareness about cyberthreats, government experts not only declassified a video of the 2007 test, but held a public exercise for journalists to “watch” a faked cyberattack on a mock chemical plant. The government wanted to show that even their own experts couldn’t prevent a team of hired hackers (known as a “red team”) from overwhelming the defenses of a critical facility. This episode is a good illustration of how those who professionally think and talk about cybersecurity worry that their discussions of threats are ignored or downplayed. Frustrated, the result is that they resort to turning the volume up to the proverbial 11 à la Spinal Tap, conducting outlandish exercises and only talking about the matter in the most extreme ways that then echo out into the media and public. Indeed, following a series of warnings by US government officials, by 2013 there were over half a million online references in the media to “cyber Pearl Harbor” and another quarter million to a feared “cyber 9/11.” The complacency these experts worry about stems in part from our political system’s reluctance to address difficult, complex problems in general, and cybersecurity in particular. But this kind of tenor also feeds into a misunderstanding of the threats. For example, three US senators sponsored a large cybersecurity bill in the summer of 2011, and so wrote an op-ed in the Washington Post urging support for their legislation. They cited a series of recent, high-profile attacks, including those against the Citigroup and RSA companies and the Stuxnet worm’s attack on Iranian nuclear research. The problem is that these three cases reflected wildly different threats. The Citigroup attack was about financial fraud. The RSA attack was industrial theft, and Stuxnet was a new form of warfare. They had little in common other than they involved computers. When discussing cyber incidents or fears of potential incidents, it is important to separate the idea of vulnerability from threat. An unlocked door is a vulnerability but not a threat if no one wants to enter. Conversely, one vulnerability can lead to many threats: that unlocked door could lead to terrorists sneaking in a bomb, oxfordhb-9780199918096.indd 37 21-10-2013 22:38:14 38 CYBERSECURITY AND CYBERWAR competitors walking out with trade secrets, thieves purloining valuable goods, local hooligans vandalizing property, or even cats wandering in and distracting your staff by playing on the keyboards. The defining aspects of threats are the actor and the consequence. The acknowledgment of an actor forces us to think strategically about threats. The adversary can pick and choose which vulnerability to exploit for any given goal. This implies that we must not only address a range of vulnerabilities with respect to any given threat, but also understand that the threat may evolve in response to our defensive actions. There are many kinds of bad actors, but it is too easy to get lulled into using media clichés like “hackers” to lump them all together. An actor’s objective is a good place to start when parceling them out. In the variety of attacks cited by the senators above, the Citigroup attackers wanted account details about bank customers with an ultimate goal of financial theft. In the attack on RSA, the attackers wanted key business secrets in order to spy on other companies. For Stuxnet (a case we’ll explore further in Part II), the attackers wanted to disrupt industrial control processes involved in uranium enrichment, so as to sabotage the Iranian nuclear program. Finally, it is useful to acknowledge when the danger comes from one of your own. As cases like Bradley Manning and WikiLeaks or Edward Snowden and the NSA scandal illustrate, the “insider threat” is particularly tough because the actor can search for vulnerabilities from within systems designed only to be used by trusted actors. Insiders can have much better perspectives on what is valuable and how best to leverage that value, whether they are trying to steal secrets or sabotage an operation. It is also important to consider whether the threat actor wants to attack you, or just wants to attack. Some attacks target specific actors for particular reasons, while other adversaries go after a certain objective regardless of who may control it. Untargeted malicious code could, for example, infect a machine via e-mail, search for stored credit card details o…
QUALITY: 100% ORIGINAL – NO PLAGIARISM
(USA, AUS, UK & CA PhD. Writers)
CLICK HERE TO GET A PROFESSIONAL WRITER TO WORK ON THIS PAPER AND OTHER SIMILAR PAPERS
About Our Service
We are an online academic writing company that connects talented freelance writers with students in need of their services. Unlike other writing companies, our team is made up of native English speakers from countries such as the USA, UK, Canada, Australia, Ireland, and New Zealand.
- At ClassicWritersBay.com, most of our writers are degree-holding native speakers of English who are familiar with various writing styles. Our writers are proficient in many fields, including Economics, Business, Accounting, Finance, Medicine, Chemistry, Literature, Mathematics, Statistics, and many others.
- Making our customers happy is an important part of our service. So do not be surprised if you get your paper well before the deadline!
- We pay a lot of attention to ensuring that you get excellent customer service. You can contact our Customer Support Representatives 24/7. When you order from us, you can even track the progress of your paper as it is being written!
- We are attentive to the needs of our customers. Therefore, we follow all your instructions carefully so that you can get the best paper possible.
- It matters to us who writes for you, and we are serious about selecting the best candidates.
- Our writers are always learning something new, so they are familiar with the latest developments in the scientific world and can write papers with updated information and the latest findings.
- Quality original papers that follow your instructions carefully.
- On time delivery – you get the paper before the specified deadline.
- Attentive Customer Support Representatives available 24/7.
- Complete confidentiality – we do not share you details or papers with anybody else.