Understanding Cyber Security (Part One)

An important part of participating in the public square is developing at least a general awareness of the questions and problems our communities are facing. Cyber Security is a relatively new topic in politics and government, and it has taken on a new importance this election cycle. We spoke with JM, a Christian who works in government cyber security, for an extended conversation about what exactly cyber security is, why we should care about it, and how to begin factoring it into the decisions we make about our vote. Part one of the interview is below.

Can you briefly explain what you do for work?

My job title is Cyber Security Subject Matter Expert, but it’s probably more helpful for me to describe myself as someone working in cyber security policy.The field of cyber security is actually pretty broad, and requires people in lots of different roles. Some of those roles are really technical–-writing code, testing the security of networks, etc.–-and some roles have much more to do with management and strategy. I focus on the management and strategy piece. I help government leaders get a handle on the security of their computer systems, since many older computer systems (both in the government and in the private sector) weren’t really designed to be especially secure.That’s the “negative” part of my work–-finding and fixing what’s broken or insecure. The more positive part of my work is helping government decision-makers understand how they can improve on the cyber systems they already have. A big focus for me right now is helping a specific government agency move away from a very old computer system, which is insecure and very expensive to operate, towards a whole new approach that is based on common, cheap web tools and that will cost a fraction of current costs to build and operate. It’s challenging to make these kinds of transitions–-particularly in the government (for good reasons, which we can talk about in a bit). But being able to make those transitions well is actually very important, and when it’s done right you get a sense of satisfaction that you helped the government run just a bit better.It may be clarifying for me to state that I’m not a federal employee. I work for a company that contracts with government clients and also does work in the private sector.This wasn’t especially brief, but hopefully it was helpful.

One question we've gotten a couple times is why private citizens who don't work in the government should care about cyber security. Is it just about governments getting spied on by other governments?

I understand why it’s easy to think that - but just look at current news stories. Literally this week, we have an alert from the FBI that foreign hackers have attempted to infiltrate online systems associated with voting systems in Arizona and Illinois. Then think back just a few months about recent stories in the news, and you see all kinds of examples: Hackers associated with crime syndicates holding hospitals hostage by shutting down their computer networks and demanding payment in order to turn them back on. The constant dripping in the background of companies being hacked and data on consumers being stolen. Then, the stories where someone hacks into a system and doesn’t take data–-instead, they try to break stuff.So no, this isn’t just the domain of governments and spies. That’s part of it, but we’re really talking about the lives of real people, and about the amount of trust that we place in our use of networked technology.Now, to step back a bit: In a narrow sense, “cyber security” is about securing networked systems against attackers. That’s a fairly specialized topic area, and it’s okay that not everyone’s an expert in it. But I think sometimes we subconsciously allow ourselves to believe that someone has to have a graduate degree in computer science in order to care about the area of cybersecurity. I don’t think that’s right. I think everyone should care, at some level, about this topic. I think this for a few reasons:First, cyber security is an issue we all need at least a cursory understanding of now and, frankly, there’s no going back to a way of life in which we don’t. So, just writing it off as an issue for experts isn’t an option anymore. People need to know the basics about cyber security to actually understand the risks and rewards of life in a world that’s perpetually connected to the internet. Think about the rise of cars: There was a time, not so long ago, when cars didn’t exist. And then they were invented, and people started using them. And then we underwent this huge societal shift, in a very short amount of time, from almost no one having a car to almost everyone having a car. Now, you don’t need to have a degree in mechanical engineering to have a car. But everybody has to learn the rules of the road, so to speak, both to function in society and to ensure that you and those around you don’t get hurt. There are some similarities here with cyber security. You don’t have to be an expert, but at some level people really should be paying attention to the basics of cyber security. I’m talking about stuff like being safe online, not putting out too much information about yourself, not making it easy for people to steal your information, things like that.Second, there are a lot of questions we still need to answer about our social use of technology and about life in the internet age. Many of these questions will work themselves out in the political and policy arenas, and we as citizens should engage on these questions just like we do in other areas. For instance, coming back to the examples above: Every once in a while you hear arguments in favor of providing online voting options during elections. Then you hear about hackers going after voter databases. It raises questions like, “Is there ever a time at which we as a society would be willing to accept the risks that come along with the benefits of online voting?” “What’s the right balance?”This is just one example. In fact, we’ve been talking about security here, but there are a huge number of other topics related to the use of technology: How much privacy should a person reasonably expect to have in society? What are reasonable limits on the use of publically available data that can be used to identify people? Again, you can get into the technical weeds on some of these topics, just like in any area of policy. But these are issues that are getting worked out right now, and these issues affect all of our lives. it’s very important for us to foster a basic working understanding of some of the main issues and how they impact our everyday lives as Americans. And it’s pretty cool to consider that, in a lot of ways, we’re still setting the rules for how people will develop and use foundational technologies for decades to come.

We've talked a bit about why people should care about cyber security in their own lives. Why should readers care about government cybersecurity? And beyond that, why should people trying to figure out how to vote care about cybersecurity policy?

Recalling the metaphor above, cybersecurity and national defense are probably not necessarily things that people need to know everything about, but we do all need to know that it’s important, and we need to be able to vote for people who we think are going to make the right kinds of choices about it. I don’t think you’ll find many candidates going around saying “actually, cybersecurity doesn’t really matter.” I would imagine that all elected officials understand that it’s a significant issue at this point, and that it’s closely related to national security.It’s not my intent to signal support for any specific candidate in my comments here–-I’ll just say that I think people are increasingly going to factor cybersecurity into their thinking about candidates, just as they do with a range of other topics for candidates right now. For instance, people currently think about presidential candidates in terms of how they think the candidate will make decisions on issues like terrorism. Most voters at least mentally ask themselves questions like, Will the candidate be more or less likely to use military force to counter terrorism? Is military force the best response to terrorism? Things like that. Cybersecurity is going to be an issue in much the same way, with the questions being a little bit different. I image some of the questions may be: Would this candidate consider military force as a response to a cyber attack? What about a cyber attack that caused some kind of physical damage? What about a cyber attack that caused loss of life? Would they use force if it were highly suspected but not provable that a specific country had initiated the attack? How forceful will the candidate be against countries that we know have either supported or have not shut down actors that steal US company trade secrets?Here’s another example: The government—specifically Congress—continues to seek to clarify some legal vagaries regarding cybersecurity issues. Some of the legislative proposals that seek to address cybersecurity concerns are very controversial, especially in the technology community. There’s always going to be a tradeoff between security and privacy, between anonymity and transparency. Where do we want to draw the line on what’s acceptable in our society in terms of gathering data about people, or establishing boundaries on what’s legal or illegal use of IT? Or another, close-to-home example: Should cyber bullying be a crime? What online activities constitute harassment?These are big questions. Now in reality, I’m not particularly looking for the candidate most well-versed in cyber incident response techniques when I go to vote for members of the city council. But in my view, this is an area where we need our elected officials to know what’s going on. They’ll rely on their staffs, of course, but the key is that our elected officials at all levels are engaged with these topics and looking for creative solutions for the issues that are hurting their constituents.

Can you talk a bit more about the relationship between cybersecurity and national security?

I know I talked earlier about how cybersecurity is about more than just governments and spies and such, but it’s also not less than that.For one thing, the cyber domain is now a new domain in which nations can go after each other strategically, or even militarily. For example, in 2008 Russia invaded the neighboring nation of Georgia (basically during the Opening Ceremonies of the Beijing Olympics). It has been reported that Russia launched what was essentially a cyber attack on Georgia right before it started moving in its forces. The idea was to disable some of the electronic systems that the Georgians were using to coordinate their defenses. That’s just one of many, many examples. There’s a very interesting book called A Fierce Domain that captures a lot of first times that governments used cyberspace to do new things, from industrial sabotage to all-out military campaigns. It’s really an interesting set of examples of governments pushing the limits of the possible in the cyber domain, and essentially discovering that cyberspace gave them the ability to do things to each other they’d never been able to do militarily or strategically before.So there’s the issue of cyberspace being used for military purposes. But the national implications of cybersecurity extend well past just questions of military conflict. One of the fascinating things about this era is that the cyber domain has opened up new ways for nations to engage with each other—and these new engagements are changing our categories of how nations are supposed to interact. A prime example of this is industrial espionage, or industrial spying. In 2013, the security company Mandiant published a report making a very pointed, very provocative claim: The report essentially accused the Chinese government of hacking into US companies to steal their information, including their trade secrets. That Mandiant report really started to change the conversation for a lot of companies. The issue is that you have some foreign governments who are willing to steal intellectual property from major companies and funnel those trade secrets, research findings and the like to companies within their own borders. Then those companies that were hacked all of a sudden find that there are these new companies located in a new part of the world that are suddenly producing the very same products, and who can sell those products for less because they didn’t spend any money on research and development.This might not sound like overt war, and it isn’t—but it is really serious. And the US has serious, ongoing diplomatic dialog happening with multiple countries across the world about this. Not surprisingly, as reported in the press, cyber theft is a big topic during bilateral meetings between the US and China these days.So these are examples of what we’re talking about with cybersecurity in the national security space. But there are other issues as well. For instance, the prospect of cyber terrorism is a big deal that has a lot of people worried. I tell people that cyber terrorism probably doesn’t equal the plot of Live Free or Die Hard, where all of society grinds to a halt after a cyber terrorist shuts down all the systems in sight. It’s not quite that easy to make all the lights go out all at once. But there are real life examples of hackers gaining access to steel mills in Germany and making them operate in strange ways, of a researcher claiming that he was able to adjust the rotation of a jet’s engine while it was in flight, and some other examples. Pretty serious stuff. You can understand why the national defense and homeland security communities are paying a lot of attention to all this.