This is part 2 of my email interview with Peter Singer, co-author of a new book called Cybersecurity and Cyberwar: What Everyone Needs to Know (link takes you to the book's official website, which includes discussion questions and even a song list). Part 1 of the interview is here.
SR: Having traveled the world researching this subject, if you could nominate the single most damaging myth about cybersecurity, what would it be and why?
PS: The White House official who described it as just a domain 'for the nerds.' If you and anything you care about are online, and you and your organisation and your family are, you better get smart on it. As long as we treat cybersecurity as only a matter for the IT Crowd, we ignore that the most basic precautions go a long way to protect both the internet's users and the network itself. Indeed, one study found that as much as 94% of attacks could be stopped with basic 'cyber-hygiene.' Perhaps the best example is that the most popular password in use today is '12345.'
SR: When we hear the word 'security' we are tempted to think about how to keep bad guys out. But is that really the best way to think about cybersecurity, or is it more a question of resilience (i.e. building the capacity to recover quickly from security breaches, rather than seeking to prevent all of them)?
PS: Cybersecurity is hugely important, which means that it is a needed field that is booming, both for business and bureaucracies looking for budget dollars. But we also need to understand that anyone saying they can solve all your cyber problems is either ignorant or up to no good. It is a management problem that will never go away. The key is to move from a mentality of seeking silver bullet solutions, false lines of perfect defence, or even the idea that we can offensively 'hackback' our way to safety and instead focus on building that most important core feature of cybersecurity: resilience. Think about how life works. You can't stop or deter all bad things; it is how you plan for and recover from them that determines success. The same holds in online life.
SR: How do you distinguish between cybersecurity and cyberwar?
PS: The same as we do between regular security and war, just now with digital means and ends. Security is a condition, while war is a conflict. Whether it's war on land, sea, in air, or now in cyberspace, war always has a political goal (which distinguishes it from crime) and an element of violence. The problem with 'cyber war,' though, is that, much like regular 'war,' we use the term to describe all sorts of other things. Think about the 'war on poverty,' 'war on drugs' and whatnot. For example, a major global magazine had a cover story on 'cyberwar,' replete with a digital mushroom cloud over a city, but the article was about things like credit card fraud.