Interview: P.W. Singer, Author Of 'Cybersecurity And Cyberwar' For an extra layer of online protection, author P.W. Singer advises making your security answers something counterintuitive, like pizza.

'What Everyone Needs To Know' About Today's Cyberthreats

This is FRESH AIR. I'm Terry Gross. Even if cybersecurity isn't a subject you think about a lot, the data breach of credit card information from Target and Neiman Marcus customers has probably increased your level of cyber-anxiety. My guest, P.W. Singer, is the co-author of the new book "Cybersecurity and Cyberwar: What Everyone Needs to Know."

It's about issues that face the military, government, businesses and individuals, and the decisions facing us when trying to balance security with freedom of speech and the ideals of an open Internet. Singer is the director of the 21st Century Defense Initiative at the Brookings Institution. He's the author of previous books about private military contractors, child soldiers, and how advances in robotics are changing war.

P.W. Singer, welcome to FRESH AIR. Let's start with the Target security breach, which was followed by the Neiman Marcus security breach. And at Target, I know they not only got credit card numbers, that included the code verification value, that three-number code on the back of the card that you're often asked for when you're paying for something by phone. And they got other personal data.

What do those breaches signify in the world of cybersecurity?

P.W. SINGER: There are certain things that jump out to me about these incidents. And look, there'll be more of them. The first is they're good illustrations of how cybersecurity issues affect us all. You know, even if you look at the kind of shopper who is at Target versus the kind of shopper who sends their personal buyer out to Neiman Marcus, they're both being hit here.

The second is in terms of the question for these companies, and at least in some of the information that's been following from - whether it's Target or other ones like Snapchat - is that companies may not have been taking security in the cyber realm as seriously as they should and in terms of how they communicate that when incidents happen.

There are certain industries that have done quite well because the incentives are really well-aligned, when we think about the banking industry, versus those others, whether it's consumer or the power grid, where they haven't been taking it seriously enough, again, because the incentives aren't there.

The third is the lessons for you and I, and in the book we explore at the end, there's a series of fairly simple steps we can take. We overcomplicate this. And one of them is, frankly, don't use the same password for all your different accounts because the fear in these incidents is someone can daisy chain across your accounts.

GROSS: So what I heard about Target and the Neiman Marcus breaches, it just made me wonder, like, what is the safest way to pay for something now? Obviously cash, but then you're carrying around a lot of cash with you. But if you're paying with a credit card, do you think it's any safer to pay in the store or by phone or through the Internet?

SINGER: You're never ever going to have 100 percent security, and that's true whether I'm talking about you and, you know, buying online for everything from, you know, socks to concert tickets to you name it, to the nation, when we think about our military role. You're never going to have 100 percent security in this space.

And so what you have to do is change your mentality to one of resilience, which is basically, you know, whether we're thinking about this in terms of the physical side of resilience, if your body gets cut, it just doesn't give up, it has all sorts of reaction mechanisms, to the psychological side of resilience.

If you go through life thinking that nothing bad is ever going to happen to you, well, that's a recipe for disaster. Instead it's how you're going to react to these bad things. And so it's the same - you know, if you're thinking about going into a store and you're saying, OK, but I'm using my credit card in the store, well, that credit card in the store, what is it linked to, all these other digital aspects.

What are the kind of questions that they ask you for marketing reasons, your zip code and the like? And so the point here is that you have to understand that if you're going to get the good of the cyberworld, accept that there is some bad that comes along with it.

GROSS: OK, so you and everybody is recommending that we vary our passwords and that we change them every so often, so that if somebody breaks into our information, they can't daisy chain and use one password to get into all of our accounts. I don't know anybody who is capable of remembering their passwords.


GROSS: And of course you're not supposed to store them on your computer for obvious reasons, because that can be hacked. Where do you store - I mean, what...

SINGER: Well, it's funny because we're focusing on passwords, as if they're the - you know, assumption that that's the only thing to keep you safe. No, there's a whole series of layers of things that we can do, and they range from, you know, as we were talking about, having strong passwords to often it's not the password itself, it's the secondary questions, having counterintuitive answers for them because, you know, if you're being targeted, in many ways it's - they're going after the ability to change your password, to tell the provider, OK, I lost my password, can you send me a new one.

And in that case they'll ask you some kind of, you know, question like, well, what's your mother's maiden name, which is easily lookupable online, and they get multiple chances at it. So one of the things we talk about in the book is, you know, give counterintuitive answers to those. So, you know, what's my mother's maiden name? Pizza, which is instead your favorite food. So it's something they'll never, ever be able to look up.

But again, any password...

GROSS: But then you won't be able to remember that. OK, really.


SINGER: What I'm getting at - but the bottom line here, and there are some new software products that make this easier. But the bottom line is any password is breakable, or they'll go after it through work-arounds, like in the case of some of these - whether it's department stores that have been targeted, all the way up to aerospace companies to the U.S. military itself.

There's other things, very basic things we learned in kindergarten, like don't accept candy from strangers. Well guess what? The most important penetration of secure U.S. military networks by a foreign intelligence agency happened because a soldier found a memory stick that had been - there had been a candy drop is what they call it.

It had been left outside enticingly, actually in the parking lot, and the soldier picked up that memory stick and took it into the base and plugged it into their computer, and that's when we had the biggest external penetration of classified U.S. military networks.

The main thing, Terry, is for your password, don't make the mistake that is out there. First, what is the most common password today?

GROSS: Password.

SINGER: Password. What's number two? 123456, which, you know...

GROSS: Oh, brilliant, OK, yeah.

SINGER: Which in the movie "Spaceballs" they joked about how that was what we - you know, that's what I use for my luggage. Well, guess what? That's what people are still using for valuable online identities.

GROSS: So you refer to this in the book that you should never click on a link unless you know who sent it and never click on a link if it looks suspicious. So, you know, we all know people whose email accounts have been hacked. And so we get emails that appear to be from them because it has their name and email address on it, but it's actually some hacker who hijacked their email address and is sending something else.

So I've gotten my share of I'm stranded in England and I don't have any money because somebody also robbed me. Please wire me some money. I've gotten those. And then I've also gotten just a link with no message, just a link from somebody who I know. And I once or twice, I think, actually made the mistake of opening the link because I figured, oh, this is somebody who I really know and trust. Let me see what they wanted me to read.

And it opens to some, like, really weird ad, you know, like - just like an ad that looks just like incredibly cheap and schlocky for some like product like no one's ever heard of. And I don't even know if it's a real ad. And so I ask myself, what's the point of that link? Is it to get access to my email, or is it for me to read this ad that no one would read unless there was this link?

And if they want my email, what do they want it for?

SINGER: In some situations, it may be someone who's trying to get inside your network, either for your personal finance information, or maybe it's because you're part of a large media organization that they want to cause some kind of trouble for. Or in other cases, as you noted, it may not be that kind of crime, it may just be someone trying to steer eyes to, you know, the latest advertisement for men's erectile dysfunction ads or the like, where they're being paid, the criminals in these cases, are being paid by the number of clicks that they draw in.

So what I'm getting at here is a bigger problem, and again, it's thinking about it as you as an individual, the company that you're in, to how we think about this as citizens on a national security level. The head of the NSA, who is simultaneously the general in charge of the military Cyber Command, talked about how, and this is in testimony to Congress, that there were, quote, millions of attacks on U.S. military systems every single day.

But what he was doing is bundling together the kinds of attacks that you just talked about there, you know, that are everything from, you know, a low-level attempt at fraud, to address scams, to people trying to deface the Pentagon website, to people trying to carry out some kind of political protest, to people actually trying to get inside the network to steal secrets of some sort.

Another way of putting this is that we bundle together all sorts of unlike things, unlike actions and unlike people behind those actions, simply because they all involve the zeros and ones of software. We've bundled it all together. And the point of the book is that we have to push beyond that kind of thinking because otherwise we'll be helpless. We'll be helpless in terms of our counter-responses but helpless in how we think about it.

GROSS: Your book starts with a senior leader in the Defense Department talking about why he thought cybersecurity and cyberwar were so important, but he was referring to that as all this cyberstuff. What troubled you about that?

SINGER: It's that combination of knowing something's important but only being able to call it stuff.


SINGER: And that's - that was this moment which, you know, was great from a writer's standpoint for, you know, kicking off a book that tries to explain all this stuff, but it's equally troubling when we think about the ramifications of that. And look, we can't knock him too much. You know, all of us make some kind of cybersecurity decisions that matter, whether, you know, you're at the Pentagon or a large corporation to a small cupcake store to you're a journalist to you're a parent.

And yet we're not well-trained. We're not well-equipped for this area right now. To give an illustration from business, more than 70 percent of business executives, not CTOs or CIOs or the like, but business executives in general, 70 percent have made some kind of cybersecurity decision for their company, and yet no major MBA program teaches it as a regular course of management practice.

Same thing could describe what's going on at, you know, the schools we teach our diplomats, law schools, journalism schools, you name it. And so this stuff problem is a great illustration of where we're at right now but how far we need to go.

GROSS: Yeah, and you describe leaders in government and the military who aren't especially cyber-literate and don't even know how to use their email.

SINGER: There's that, but really the anecdotes that are both funny but scare me is the attitude part, the - we call it Ludditism. It's people who are in the positions that truly matter, that can truly move the dial, whether it's in law or agencies or whatever, who unfortunately sometimes are proud of their cyber-ignorance, proud of not using the technology that literally our entire world depends on, you know, whether it's our systems of commerce or communication or conflict.

In the book, for example, we use the illustration of the former secretary of Homeland Security, you know, the civilian agency ostensibly in charge of cybersecurity in the United States, and she proudly talked about how she didn't use email and in fact had not used social media for over a decade, not because she didn't think it was secure, because she just didn't think it was useful.

Or, you know, go to the Supreme Court. The Supreme Court is going to decide all sorts of legal issues in this realm, from, you know, privacy questions to what's legal or not at the NSA, a case that's probably going to come up in - certainly within the next year. And in the words of one justice there, they, quote, haven't yet gotten around to email, haven't yet gotten around to it.

I mean, this is a bad place to be.

GROSS: If you're just joining us, my guest is P.W. Singer. He's the author of the new book "Cybersecurity and Cyberwar: What Everyone Needs to Know." And he's also the director of the 21st century security and intelligence at the Brookings Institution. Let's take a short break and then we'll talk some more. This is FRESH AIR.


GROSS: If you're just joining us, my guest is P.W. Singer. He's the author of the new book "Cybersecurity and Cyberwar: What Everyone Needs to Know." He's also the director of the 21st-century security and intelligence at the Brookings Institution.

Let's look at the - you know, WikiLeaks and at Edward Snowden. Do you think that those leaks should never have happened? And I don't mean to judge the quality of the information or whether it's good that the public knows that information or not. I just mean from the perspective of government agencies. What kind of security do you think would have prevented WikiLeaks and Edward Snowden?

SINGER: What's funny about it is they're the actual types of security that these agencies were supposed to be following but just hadn't gotten around to it yet, to go back to that Supreme Court example. So it's things like not sharing passwords across, not allowing an individual in one position to have free rein over information all across the entire organization, even if it was not in their personal responsibility areas, to trying to monitor what's happening inside your networks, not just what's happening outside your networks so you're seeing anomalies like, you know, massive amounts of information being collected or going out to, in the case of Manning, not allowing certain kinds of hardware in that shouldn't happen in.

You know, he joked that he downloaded all the classified information on all sorts of operations from Iraq to Afghanistan to the like on a CD that was labeled Lady Gaga. I mean, you know - again these are huge incidents in cybersecurity, cyberwar history with a huge amount of resonance, but they're also lessons for how very basic steps can go a long way in preventing these sort of things from happening.

GROSS: You write that China is considered the most threatening actor in cyberspace. So what exactly is China doing? It's stealing patents and designs?

SINGER: It's stealing designs for things that are of, you know, clear national security importance like the design of a jet fighter. There's an advanced jet fighter that we're - we've been researching and developing, and we're now in the midst of building, the Joint Strike Fighter. It's a trillion-dollar program. And that program has been hacked multiple times.

In fact in one situation it was actually hacked while the plane was in midair. They were downloading information off it that way. So how do you measure the loss there? Do you measure it in terms of the literally billions of dollars of research and development that we paid for that they got for free? Or do you measure it in terms of the 10 to 20 years that we were supposed to be ahead of them that we're not going to be?

We're already seeing design elements of that popping up in their new jet fighter systems. Do you think about that in terms of the national security impact on the battlefield, how you thought you would be ahead of them in having a military advantage that you're not going to have anymore? Do you think about it on the trade market? There's lots of different ways to weigh it.

But that's not the only thing that's being stolen. We've seen examples of companies that were engaged in some kind of negotiation, for example an oil company that was preparing a bid, and lo and behold their counterpart would come in with a bid just slightly above what they were going to do after they got inside their networks.

So they didn't steal a secret like a patent, but they stole a secret that, again, could be worth ultimately billions, or if you're talking about oil companies, it can be tens or hundreds of billions, to national security in terms of tapping into diplomatic messages to - look, in the book we talk about Operation Shady Rat.

It was this massive advanced persistent threat campaign, what they call an APT campaign, where it got into everything from international agencies that range from diplomatic ones to the International Olympics Committee to national government agencies all around the world, not just the United States but in Germany, France, Japan, you name it, to corporations, again, that ranged from, you know, oil companies to banks, you name it, to academic institutions, even my own institution.

And again, the information ranged from things that you can measure in monetary value to they scooped up the personal cell phones of White House staff that people had inside their messages, huge effort here.

GROSS: Are we talking about the government of China doing this or individuals in China doing this?

SINGER: Therein lies the challenge of this because you have this massive scale of operations. In some situations it's very clearly direct government linked. In the book, for example, we explore the attack that happened on the New York Times that again, you know, the information that they were going after was not, you know, what the New York Times was going to charge for its newspapers next year.

They were actually trying to find out who was speaking to New York Times reporters about corruption involving certain key Chinese government leaders and their families. That was what they were going after. But in that case it was tracked back to Chinese military agency. In other situations it's what you would describe as the patriotic hacker community, where they're not officially government, but they're government-linked in a certain way. And then you have the more distinct criminal aspect.

GROSS: Now but you also write China suffers the largest number of cyberattacks in the world. So if China is responsible for initiating a lot of cyberattack, how is it also suffering the largest number of cyberattacks?

SINGER: In many ways it's a problem of their own making. It's an issue of they're a greater market for hardware than they are of software. To put it more directly, they use a massive amount of pirated software. So they're not getting all the security updates for it.

On top of that, they're not the only ones emanating attacks. Whether you're thinking about the low-level criminal versions - for example right now Indonesia is at the top, not China, to the United States. If we look at ISPs, Internet service providers, of the top 50 cybercrime-spewing ones, the ones that have the most cybercrime coming out of them, 20 are American.

GROSS: P.W. Singer will be back in the second half of the show. He's the co-author of the new book "Cybersecurity and Cyberwar: What Everyone Needs to Know." I'm Terry Gross, and this is FRESH AIR.


GROSS: This is FRESH AIR. I'm Terry Gross back with P.W. Singer, co-author of the new book "Cybersecurity and Cyberwar: What Everyone Needs to Know." It's about cyber threats facing individuals, businesses and nations. Singer is the director of the 21st Century Defense Initiative at the Brookings Institution, and the author of previous books about private military contractors, child soldiers and how robotics is changing war.

There are laws of war which are often violated but, you know, we do have the Geneva Accords. Is there any equivalent for cyberwar? And if not, is there talk of having something?

SINGER: This is a huge area for the future of war, but also the future of international law. And there's some interesting historic parallels to this where, you know, in the past we received new technologies that had been science fiction, like the flying machine, that allowed us to fight in new places, but they also showed the inadequacy of the existing laws of war and understandings of them. You know, so if you think about the airplane, our notions of what the home front was fundamentally changed by your ability to now attack behind the battle lines.

And so some people have pushed the idea that we should create an entire new set of laws for it, new cyber Geneva conventions. It's a worthy idea, but we're also trying to come out of this in a realistic manner. And rather, what we look at is the notion of grafting. For people who study international relations, grafting, building on to something that works rather than to try and write an entire new law, has been far more successful historically. And so that's what we're looking at is the idea of can you graft onto the existing laws of war, take the values from them in terms of protecting civilians, trying to have a weapon that goes after its intended target, doesn't have collateral damage, all these sorts of things to - most importantly - the idea of accountability, that it's always traceable back, that people are taking ownership of what they send out. Those are the kind of values that we want to try and have in this space.

GROSS: Yes. Well, one of the problems right now in the cyber world is it's sometimes hard to know who originated the attack. Because you can launch the attack through bots, through other computers, it's sometimes hard for a government to say this government attacked us.

SINGER: Exactly. There's not the very clear and definable, you know, smoke plume coming out of the missile. And that's why when you hear these people using Cold War parallels of cyber deterrence, they fall by the wayside - even how we do, threat assessment. But it's not just the idea of the detection part of it, it's also how you respond - or maybe rather when you respond - is changed by this. You know, back in the Cold War, the idea was that you had to, if someone was launching a missile at you, you got to get your missiles off the ground immediately before their missile hits you. Well, that's impossible in this space when you're talking about things literally moving at, you know, the speed of light across a fiber-optic. But it also may not be good strategy. You may want to watch an attack play out inside your system, so you're understanding it, so you're able to do those kind of attributions.

You may not always want to let the other side know that you know that they're attacking you. Your response, maybe you want to hit them back immediately, or maybe you want to let it settle a while and design something to go effective after them. And this is another part of it in terms of how we talk about cyber offense. There's this notion that it's incredibly easy. But if we look at examples like Stuxnet, which was this weapon that we used to go after the Iranian nuclear research, it takes a massive amount of research and time and collective effort to build a truly impactful cyber weapon. And so, again, the timelines are different from how they're described.

GROSS: Is there any national or international body now whose job is to protect the security of cyberspace from state actors and from criminals?

SINGER: It's a huge important question because how this plays out will shape the future of the Internet itself. There's been a push for the ITU - actually, it was originally the International Telegraph Union - it was originally created for the telegraph - there's been a push for this international group now to take over the governance of the Internet because of these kinds of security concerns. That's been the narrative that's been pushed. Now notably, that's been pushed by mostly authoritarian states, like the Russias and Chinas of the world. And they're using the cyber insecurity that's out there and the narrative over these kind of attacks.

But their concern is a different kind of information attack. It's not in the West how we think about it of threats to infrastructure or the like, they're worried about a different kind of Wild West - open values, the free flow of information that might be threatening to their internal stability. And so what they're pushing for is a move away from the current Internet model of multi-stakeholder to states should be able to have this kind of control and build up walls, Balkanize the Internet, the Russian model of blacklisting over 82,000 websites.

Where I come down on this is that we're all players on the Internet. And my concern in the year ahead is - and there's some major negotiations that are going to happen over this in the year ahead. And of note, because of the NSA's disclosures, the U.S. has lost a little bit of its swagger. We've also of concern, maybe lost some of our coalition partners on this, the swing states, like the Brazils, the Indias, the Germanys. And my concern is if we don't watch out, the Internet that's been so great for you and I is not going to be the ones that we give to our kids.

GROSS: Would you elaborate on that concern?

SINGER: The Internet started by two California universities connecting to each other. And it has been run, so to speak, with this underlying ethic that, you know, frankly comes out of, you know, 1970s California hippies. It's about sharing. It's about free flow of information. It's about openness. There's a huge amount of informality that's actually been incredibly effective. So, for example, some of the key decisions about certain technical standards are made by groups of people that voluntarily come together and they vote by humming. It sounds insane and yet it works. You now have pushing against this states saying we should be in charge of this. And, of course, states bring, in particular when you're talking about authoritarian states, a very different goal. And so I'm worried - and again, you can think about this in terms of the push by authoritarian states, like your Russias and Chinas of the world, and then the flip side, some of what's come out of the NSA disclosures about monitoring of a different kind of information. And so you've seen states start to - we're not there yet, but the ripple effects have been to, you know, almost poison the well.

GROSS: You know, talking about cyber security, some of the security has been handled just by freelancers, you know, individuals on the Internet. And I want you to tell the story of Brian Krebs and what he exposed.

SINGER: It's a great illustration of the power of individuals on the Internet. And Brian Krebs is this technical expert - a blogger - who also works for The Washington Post. And he got curious about not the individual cyber criminals, but the networks that they were using, the institutions, the markets and the like, and he dug a little and found that in fact, one key hub was responsible for this massive amount of cyber crime. And he contacted the organization and those that it was linking to and said hey, did you know this? And some did and now that they were, you know, notified by someone from The Washington Post, they took action; others didn't and said, wow, that's important to us. And so that hub, its activities got stopped. And lo and behold, for a short period of time, 80 percent of all cyber crime on the Internet disappeared all because they went after this one hub. And it's a great illustration of how it's all a network. We're not just talking about a computer network, it's a network of people and relationships and that you can take real action if you mobilize them in a way that their underlying incentives are effective. And so in this situation it was the fact that he had the combination of technical expertise, but he also had this media side where the companies involved didn't want to be embarrassed and so they finally took action.

GROSS: You write about something called The Internet of Things. What is meant by that?

SINGER: The Internet of Things is one of the most important nutrients for the Internet itself, but also for you and I outside the Internet and, of course, cybersecurity and cyberwar impacts of it. So if you think about the way we use the Internet, our Internet-enabled devices, it's mainly been about communication between you and I, you know, me emailing you from my computer to your iPhone or the like. And that iPhone is a good illustration of one of the other trends that's out there, you know, becoming more and more mobile. But so basically, it's been about us having conversations of some sort, us sharing information online in some way shape or form.

Cisco estimates that over the next five years, we'll see the number of Internet-enabled, Internet-linked devices go to as much as 40 billion. And what that means, as you see everything from refrigerators to cars to gadgets that no one's even dreamed up yet, all being linked up, it's no longer about you and I having conversations, it's about the things having conversations among them. And so that's when in The Internet of Things it really truly starts to change the real world. So we're already seeing little micro-examples of it. Like, for example, if you've bought a new car recently, when it detects that the brake pads are about to wear out, it'll automatically notify the manufacturer, who will automatically make you an appointment at the car dealership. The next step on this will be to link outside those networks, so your car, as it's driving home, it will notify your smart thermostat that you're 10 minutes out. And the smart thermostat that's linked to a smart power grid, you know, it's been on an environmentally-efficient temperature in your house and now it's going to change it to the temperature that you just like for the time that you're there. All these great powerful impacts of The Internet of Things, but, of course it also comes with cyber threat consequences of a next level.

We've already as an illustration seen car hacking. You know, not just stealing information from your car - where are you, with the GPS and the like - but now taking over certain actions of your car that is causing the car to do things contrary than what the driver of the car wants. And so it's a huge change in all our online life, but also our life in the real world.

GROSS: What kind of precautions do you take in your personal life?

SINGER: I try and practice what I preach. And in the book it goes through all of these things from, you know, password protocols to I can't tell you the number of conferences that I've gone to where you get this wonderful, really cool, you know, memory stick with the logo of you - the conference. Or recently it was a foreign government and they gave the silver memory stick; oh, isn't it beautiful? Isn't it wonderful? Sorry, going to toss that in the trash, it's not going into any of my networks.

But look, there's another part of it which is understanding that everything that you do, it still is never going to give you 100 percent security. So if you can't bear to lose it, prepare to lose it. It's true whether you're talking about access for your power grid or your jet fighter designs to those pictures of your kids that you have saved online - prepare to back them up because you might lose them.

GROSS: I want to thank you so much for talking with us.

SINGER: Thank you for having me.

GROSS: P.W. Singer is the co-author of the new book "Cybersecurity and Cyberwar: What Everyone Needs to Know." You can read the introduction to the book on our website

Coming up, Maureen Corrigan reviews Chang-rae Lee's new dystopian novel. This is FRESH AIR.

Copyright © 2014 NPR. All rights reserved. Visit our website terms of use and permissions pages at for further information.

NPR transcripts are created on a rush deadline by Verb8tm, Inc., an NPR contractor, and produced using a proprietary transcription process developed with NPR. This text may not be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of NPR’s programming is the audio record.