Research chat: Peter Singer on cybersecurity and what the media needs to know
Peter W. Singer is a senior fellow and director of the Center for 21st Century Security and Intelligence at the Brookings Institution. His work has focused on the intersection of technology and conflict. His new book, co-authored with Allan Friedman, is Cybersecurity and Cyberwar: What Everyone Needs to Know, a comprehensive primer and narrative about evolving dynamics in the digital space.
Editor John Wihbey of Journalist’s Resource recently caught up with Singer. The following is an edited transcript:
Journalist’s Resource: Why should media members learn more about cyber threats?
Peter Singer: I would argue that there is no issue that has become more important and less understood than cybersecurity. You can think about this a lot of different ways — from the importance of the field to the number of articles that have reported on it. It’s equally fascinating when you talk about the journalism side, because cybersecurity touches on so many different areas. Despite the fact that we can run down the answer to almost any question we might have, this is a space where basic terms and essential concepts that define both what’s possible and what’s proper — what’s right and wrong — are being missed, or, even worse, distorted. It’s a place where past myths and future hype weave together.
There are certain things that people believe, and have been reported, as actually having happened that have not. Then there are very real things that are ignored. We can see this in terms of how we characterize cyber threats and report on them. We see things that are overblown, where people overreact, and other very serious ones that by relative measures are not covered.
JR: For media members and their organizations, what do they need to learn more about specifically?
Peter Singer: It’s on multiple levels, and I think that’s what is not well understood. The first is: What is the training that journalists get in this area? The answer is generally “none.” And we might ask, “Why should they?” And I’m not just knocking on journalism. Seventy percent of business executives in general — not just technology executives — have made some kind of cybersecurity decision for their company, despite the fact that no major MBA program teaches it as part of your normal management responsibilities. That same gap exists for the way we train our lawyers, our diplomats and, yes, our journalists. This is a new area that journalists need to have an awareness of. There are relevant stories in almost any field, whether you are on the crime beat, the U.S.-China relations beat, the Wall Street beat. In all of these, we see cyber issues popping up, and you can’t do a good job of reporting unless you have a basic awareness.
Second, journalists are targets. Essentially every single major American media group has been hacked in some way, shape or form. In our book, we explore the New York Times being hacked by a group based in China. It wasn’t to steal the secret recipe of the ink used at the New York Times. It was going after New York Times intellectual property of a different kind: It was to see who was talking to New York Times reporters about corruption within the Chinese political system. That same kind of targeting has happened with multiple other major news outlets.
Third, the news business is like any other kind of business, and there are basic organizational responsibilities and roles. Media organizations hold all kinds of information, including the credit card information of subscribers, which are important and targets.
Whether you are the beat reporter, the editor or the chief operations officer, you have to have an understanding. It’s a three-level understanding, and yet it’s not there. And so I go back to: Should we blame journalists that this understanding is not there? No, it’s not part of the training that they have been traditionally given. But still, it’s a gap. To me, it’s not just a responsibility to the story, but to yourself and your organization.
JR: What gap does your book attempt to fill?
Peter Singer: The writing that has been in this space, when it comes to books, has been caught between two poles: One type treats this as an information-technology, IT-crowd issue, and by the very nature of how technical issues get talked about, it’s fairly exclusionary. Second, there is the histrionic — the “get scared” — category, then repeated back in the wider media, such as through the half-million references to “cyber 9/11.” Journalists need to be more discerning consumers when they hear that kind of thing. There is a joke in our field that there should be a drinking game based on any time someone references a “cyber Pearl Harbor.” More seriously, when someone says that, journalists should be prepared to follow up. Those phrases are the bumper stickers, not the end of the statement or argument. Yet they are used in business pitches, governmental speeches and Congressional hearings in that way. We’ve been caught between this state of ignorance and this fear factor. That’s not a good place for anybody, either in the public space or on the journalistic side.
What we try to do is create a resource book to fill that gap between the two poles, to explain how it all works and why it all matters, and we try to do that in a way that is both interesting and not histrionic.
JR: So what’s the proper antidote to both the ignorance and the hype?
Peter Singer: At a broader level, it’s changing our mentality; this is an issue that will be with us as long as we have the Internet, and it is ongoing.
One of the challenges for regular businesses is that you’ll hear a CEO say, “Three years ago this company came in and sold us widget X that was supposed to solve all of our cybersecurity problems. We already made the cyber investment.” There is a double flaw in that thinking. First, there is no silver-bullet solution: You bought widget X and think it’s all solved? If you think that, you’re being taken for a sucker. Second, just because you made an investment three years ago doesn’t mean it has gone away. Things change and evolve.
The parallel for journalists is that there is a base-level for understanding that we all need, and we’re all doing catch-up. But it’s also about recognizing that, just as your Internet usage has changed — maybe at an earlier point in your career you were doing dial-up and now you have an iPhone — by the same token the threat landscape has evolved. And again, this is whether you are on the politics beat, the business beat, or some other — we’re even seeing these issues pop up in the sports world.
We need to normalize this space, instead of treating it as this strange, exotic space. Or as one White House official put it to me, “It’s a domain just for the nerds.” No, just like the Internet itself, cybersecurity is for all of us, even the nerds among us.
JR: What do you make of the fact that many people regard this as an arcane set of issues not susceptible to normal human understanding? How does that hurt journalism on these topics?
Peter Singer: There is a sense that this is a highly technical topic area, and in turn there is a double fear of it: One, can I understand it? Second, will my audience understand it, or will it become so technical and dry that it is not even worth going into it? The reality is that whether you are thinking about reporting on the story or trying to protect yourself and your organization, it’s not ultimately about the hardware and software. It’s about the “wet-ware” — people. The nature of every single cyber problem and cyber solution comes down to a human decision, and one usually driven by those age-old but always fascinating human values, everything from greed and power to competition and laziness. Getting at that aspect of the story is key, I think.
JR: How might those insights inform the way we cover a corporate hacking incident?
Peter Singer: In the case of the 2014 Target hack, the story seems to be of a company operating in the way big companies typically have done in other spaces: Following certain standard operating procedures and incentive structures that led it to not take needed action; ignoring previous attacks and vulnerabilities, and then dribbling out information in a way that hurt itself. You can obviously tell the technical side of the story, but there is a human side. To me the lesson is that you should not be afraid of it because it seems technical; in the end, it is not a technical story.
JR: What about obfuscation and silence by companies and institutions that are victimized? They are frequently scared to talk.
Peter Singer: Another challenge for journalists is the following: On the one hand, the best way to defend the wider cyber ecosystem is for companies and government to share information. The problem is that they fear they’ll be blamed if the bad news gets out — both in terms of a hit to their brand, and legal culpability. We often see that companies that should be letting people know about attacks, even attempted attacks, [but] are closely holding that information. To give you a pointed example, for our book we spoke with an energy company in the Midwest that did not want to share information about cyber attacks it had suffered, not because of implications within the cyber realm, but because it feared repercussions in a field it feared more, namely environmental lawsuits.
For reporters, you can see how this all ties together. It also points again to being discerning about information and understanding the differences of these marketplaces and what’s driving them. It’s not that business, in general, is reacting the same way. Banks, for example, are doing a much better job on their own cybersecurity both individually and also in terms of sharing information. This is because they face a different kind of marketplace, different incentives, different regulatory structures, than the retail sector, the health care sector, or the power and infrastructure sector. These sectors are responding differently because of the human side; it’s not that the banks have access to X, Y, Z secret security widgets that the retail sector and, for example, Target do not have access to.
JR: How might journalists consider consumers’ and citizens’ interests in their reporting?
Peter Singer: There are things that readers can learn from these articles, such as their responsibilities. They can’t control what goes on inside Target’s networks. But they can use strong passwords and not use the same passwords for all accounts, so that when the passwords are stolen from one company and put on a black market, they’re of no utility. What now happens, because customers tend to repeat their passwords across accounts, is that criminals who get passwords can “daisy-chain” across companies. If you use different passwords, that takes the value out of them. Being able to tell that kind of story is important, too.
JR: Why do we not see more responsibility at companies that suffer cyber attacks? Shouldn’t we now expect better security, and for corporate leaders to be held accountable?
Peter Singer: When error happens, it’s most often a human error, and it’s actually most often at senior levels. To put it a different way: It’s twice as likely that the error happened because a senior person clicked on something that let the hacker in than because a junior person clicked on something. It’s twice as likely. So you ask why there is not more responsibility when senior folks are more likely to be to blame? Think on that for a minute. Second, this is a topic area where if you’re outside the “IT crowd,” it’s hard for you to understand, and so you have a tough time of figuring out when there is culpability or not.
Finally, because of the histrionics, the events are often not as great as they appear. This moves into the media and politics side of it. For example, the number of academic and media articles on cyberterrorism to date is somewhere around 31,300. But zero is the number of people who have actually been hurt or killed by an incident of cyberterrorism.
JR: Give us an example of the media aiding and abetting the hype.
Peter Singer: A little while ago, two dudes apparently shot at power transformers with rifles at one site in California. Two things happened. First, I got tons of calls from journalists about it. I said, “Why are you calling me?” And they said, “Because it’s a cyber attack.” A bullet hitting a power transformer is not “cyber.” It’s just not. But this narrative of the power grid going down has gotten so woven into our understanding of “cyber,” despite the fact that squirrels have taken down the power grid more times than the zero times that hackers have. I’m not saying hackers are not a threat. But the point is that these threads have so gotten woven together, and journalists so poorly understood this space, that they were reporting this incident as if it were cyber, when it wasn’t.
Second, there was an excitement factor. All of the major outlets covered it. On the political right, Fox News; and on the left, NPR. Let’s look at what happened. A few rifle shots were apparently fired at one site in the power grid in California, and the power never went out. Simultaneously, 600,000 people lost power in Pennsylvania and that was not really reported by the major outlets. The reason was because it was caused by a storm. We spun up the excitement of one thing versus another, all based off of confusion and hype.
JR: What are the consequences of overheated media coverage?
Peter Singer: My concern is not just the journalistic side of this. It’s also about how we prioritize very real threats that are out there. If there is anything we’ve learned from the 9/11 attacks, it’s that it is not just the initial incident that’s important; it’s the reaction to it that truly matters in longer historical terms. And there is a fundamental difference between the American approach and, say, the British approach, which is to “keep calm and carry on.” What we are doing with our overheated response is incentivizing the very attacks we fear, because we are certain to overreact to them.
We discuss in our book an incident in the context of cybercrime where the news media was reporting it as if the entire Internet was going to break because of the incident. A group had created a cyber crime ring in Estonia and was running a botnet. The headlines were things like “Hundreds of Thousands May Lose Internet.” Fox News ran with it as the “Internet Doomsday.” The actual story was that the FBI was going to shut down this botnet it had caught in operation, but many people’s computers were on it. The FBI had caught the criminals, but now it was stuck running the criminals’ network at a high cost and so wanted to stop. The media was reporting this as the looming “Internet Doomsday.” Instead, the FBI just facilitated a bunch of companies to step up and provide technical assistance in the interim to the consumers on that network. Problem solved. But that story is not as sexy as “Internet Doomsday.”
This is where I’d mention journalism’s public role. Instead of “doomsday,” how can we get “resilience”? This is not a knock just on journalism. You are incentivized to have a big scary headline, whether you are the media company trying to sell clicks and newspapers or the private company trying to sell security widgets. But that may not be good for all of us in the end.