Angry Planet - The Kremlin may be more involved in U.S. politics than you realize
Episode Date: July 30, 2016Hackers released a treasure trove of unpleasant internecine emails on the eve of the Democratic National Convention. The Democratic Party chairwoman was out of a job and tensions b...etween Hillary Clinton and Bernie Sanders supporters were reignited just as the Democrats were trying for a prime-time show of unity. Who were the hackers? Security experts inside and outside the government have pointed the finger at Russia. So, was this an act foreign aggression playing out on a strange new battlefield?Support this show http://supporter.acast.com/warcollege. Hosted on Acast. See acast.com/privacy for more information.
Transcript
Discussion (0)
Love this podcast?
Support this show through the ACAST supporter feature.
It's up to you how much you give, and there's no regular commitment.
Just click the link in the show description to support now.
The opinions expressed in this podcast are those of the participants, not of Reuters' News.
It's not a Democrat-Republican issue.
This is a national security.
This is a democracy with a big D-democracy issue.
We're going to start this week's episode off with a question.
How deeply has Russia penetrated the U.S. political process?
Recent stories have revealed hacks of the Democratic National Committee
and the Democratic Congressional Campaign Committee.
Russia has been fingered as the culprit,
even though the investigation is ongoing.
In this week's episode of War College,
we'll look at what Russia might hope to gain from such intrusions,
but we'll also look at what other methods you'll be able to be.
U.S. rivals may use to try to shift the balance of this November's election.
You're listening to War College, a weekly discussion of a world in conflict focusing on the
stories behind the front lines. Here's your host, Jason Fields.
Hello and welcome to War College. I'm Jason Fields with Reuters.
And I'm Matthew Galt with Wars Boring.
Today we're very, very lucky, especially considering the timing, to be talking with cybersecurity
expert Peter W. Singer. Singer is a strategist at the New America Foundation and a contributing
editor at Popular Science. He's the author of cybersecurity and cyber war. So why I say that we're
so fortunate to have you, I think it'll be obvious to people when we talk about the Democratic
National Committee. All of this dirty or semi-dirty laundry has been coming out. It's been
processed through WikiLeaks and released to the press about political machinations,
behind the scenes. And there's a lot of conjecture that maybe Russia was behind it. Do you mind just taking
us through a little bit? I mean, what you've seen, what you know? Sure. So I'd already do something
that writers hate. I'd edit you. And I'd take out the words conjecture and take out the words maybe.
Essentially, we have multiple different sources that have identified Russia as being behind it.
And when I see sources, they range from three different cybersecurity companies.
And I think that's pretty notable because they're business competitors.
So, you know, they're not incentivized when one's looking over the other's work to say,
yes, I agree with this other company that, you know, they're incentivized actually to come to
different conclusions.
And yet in this case, three different companies from FBI to the intelligence community,
I've come to this conclusion to what's been fascinating to me is actually also,
the role of media in this. So, for example, one of the sort of you might describe it as cover
stories for how this was, no, no, no, no, no, it was not Russia. It was this individual hacker
called Goosephor 2.0, because Goosephor 1.0 is actually off the table right now. Gusifer
1.0 was another hacker. So in this case, it's someone saying, no, no, no, I'm Guisifer
2.0. I'm Romanian. And there was actually some really interesting. There was an interview done
with them, if I'm remembering correctly, by Vice motherboard. And they very, they sort of pulled a
quick one on him where he's saying, no, no, no, I'm not Russian, I'm Romanian. And then the
reporter quickly switches to Romanian and says, okay, you know, let's now go in Romanian. And basically
they screw it up. They do it as if it's through an auto-translate. Similarly, when they were
communicating in English, if you're doing a linguistics look at it, it's English in the way
that someone who speaks Russian as their mother tongue would speak it.
So even the media, and then also some other people in media did looks at like the metadata
and found things where there were sort of markers on it that indicated that the individual
was located in Russia, things like that.
So there's lots of different sources.
And in cybersecurity, you're rarely going to get the situation where you get, you know,
100% proof.
But in this case, we have lots and lots of information.
information. And I think what's interesting here in sort of determining attribution in this case or
any other is what court do you care about? Do you care about a legal court, beyond reasonable doubt,
those kind of evidence standards? Do you care about the court of public opinion? You know,
court of public opinion often it's just anecdotes that persuade people. So this story of like tricking someone
up who says they're Romanian, but they can't speak Romanian right. Or a different court would be
like in the White House situation room where a president, you know, in a court of law, you need, you know,
99.99% and even that is that beyond a reasonable doubt, whereas a president may have to make the
decision on, you know, I got 60% confidence in what's going on here. But in this case, yeah,
most people think it's Russia. So they went after a political organization rather than actually,
strictly speaking, a government organization, right? I mean, the DNC is not part of
the government. Do you think this is something that's widespread? I mean, are there specific targets
that Russia would be looking for? So this feels new to us, because it's somewhat new to the U.S.
It's not new for Russia. So it's pulled back on this. We're talking about the hack, but it fits within a
broader program of what you might describe as information warfare. And information warfare is a concept that
essentially Russia comes up with. That's why they're good at it. It dates back to the Stalin era,
but it has a resurgence in the mid-2000s. And actually what's interesting is it's pushed in part
by their fear of us and our information technologies and the spread of free flowing of information
through new media and the concern that it's hard to control, that it's disruptive to society.
They blame it as being behind a number of the different, what we call the color revolution,
And so this thinking takes off, this philosophy takes off, that information, it's a weapon.
You need to control it when it's coming at you.
And in turn, you can use it as a weapon against your adversary.
So control it domestically, use it as a tool of influence abroad, a tool of disruption abroad.
And this is not just talk.
They build up essentially by over 75.
different organizations of some kind in this effort. Some of them are research organizations at university
studying information warfare and other things are the military organizations, units engaging in it
to what they call the troll factories. And basically you can break it down into three areas.
You have somewhat overt media outlets pushing into the West. These are things like Russia,
today that's you know it's Russia today but it's in English and focusing on events here and it
clearly takes a certain political bit it's fascinating I'm watching Russia today you would actually
but we don't remember it's RT you know that sounds right right right yeah right right but watching
it it does seem like a doorway into an alternate universe exactly yes but Nick News is another one of
those so you got that um it's
A second type is the social media side.
And a big part of this is what we call the troll factories where it's basically,
you know, and literally people as if they're sitting in a factory and they're pushing out on social media,
Russia's message.
And again, sometimes it's overt.
Other times it's aggressively going after trolling people that say, you know,
anti-what they perceive as anti-Russian things.
So, for example, reporters reporting on what's happening, a war crime,
Ukraine. They'll swarm around them. We've seen this in elections. Russians posing as if they're
citizens from another nation, even posing as if they're members of political voters. And so in like our
campaign, we've seen them, for example, posing as Trump supporters, other times posing as other
supporters to try and divide and conquer, cause, you know, unrest, anger.
This is one thing, you know, we've seen this kind of engagement between them and what we call the alt-right and people acting as if they're Sanders supporters, but then trying to create kind of anger between Sanders and Clinton supporters.
So that kind of messy social media stuff.
The third type is this hacking, but, you know, everybody hacks.
Everybody steals information.
The traditional way of when you're going after, you know, political, whether it's governments or even political campaigns, like what we saw against.
the Obama and McCain campaign and then in 2012 the Obama and the Romney campaign.
They were targeting to find out, you know, what's the policy of these candidates?
What are their advisors saying?
What's different about this is it's to what they call docks it.
It's to reveal it in public to try and again muddy things up, muck them up,
embarrass not just the process, but maybe to aid one side.
And clearly this has been tilted to harm the Democratic side.
you know, the timing of the release right before the Democratic National Convention,
trying to do things that, again, cause anger between the Clintons and the Sanders side,
but basically dump it in public and try and embarrass it.
Now, go back to how I said, this feels new to us, but it's happened elsewhere.
We've seen these similar kind of activities, including the hacking and dumping,
going after other people's elections.
So, for example, it allegedly happened before an election in Ukraine.
A different kind happened in Russia to Russian opposition figures.
Sex tapes were released right before the election.
Attempts to do this kind of social media push side in Hungarian election, some things in the Baltics,
even in the Brexit campaign to divide up the EU, which has been a Putin priority.
And the point in all of this is it doesn't have to sway.
you know all the voters it doesn't have to sway 50% of the voters if you just muck things up you just
cause confusion you just sway one two percent that might be enough and brexit is a great
illustration of that where you know one two percent that number is enough to sway great
Britain leaving the European Union and so if we're looking at our campaign you know again if you're
if they're able to muck up just one two percent that can that can sway an election so
So it's scary, it's dangerous. And when I say dangerous, it means it's no longer a Democrat-Republican issue.
This is a national security. This is a democracy with a big D-democracy issue.
So let me ask you, just before we get any further with this, does the United States do something similar?
In talking to people over the last couple of years, when I was the opinion editor at Reuters, we ran a lot of columns looking at Putin and,
Russia, talked with Masha Gasson, among others, who's a dissent in Russia and actually knew Putin.
And it seemed like there's a real belief that the United States was involved in doing something
similar to them. Do you think, what do you think about that? I mean, is that a possibility?
So we do some things, and then there is an interpretation of the broader role of information
that they see is a general attack on them, but it goes to our political system. So that we do some
things. We, for example, also have outlets that spread information. Voice of America would be an
example. They, though, are not as, I mean, bottom line, compare Voice of America's reporting to
RT or Sputnik. And they don't tend to take, like, this is the specific, you know, which
candidate you should vote for. A lot of the misinformation side is not within them. That's actually
weirdly enough, a complaint among people in Congress is that we don't do enough propaganda
with these outlets. But so we've got that to, as I mentioned, everybody hacks. You know,
the Snowden files is a good reveal on that we do hack others. We've not yet done the kind of,
you know, some of the other public doxing side here. Now, the perception, though,
is in Russia, but in kind of authoritarian regimes in general is they do perceive, though,
our system. They do perceive new information technologies that we developed and used,
be it Facebook, be it Twitter, et cetera, social media as attacks on them and their stability.
So a different way of putting it is when you ask Russian government officials or Chinese government
officials to define an information attack. They will define it saying something along the lines of
the spreading of false information, the spreading of rumors that threatens societal or political
stability, such as rumors spread through Facebook about what we're doing in, you know, an insert
to bed or what we're doing in Ukraine. If you ask an American government officials to define
information attack, at least before this we would have said things like, oh, hacking to try and
take down the power grid. We're talking about information technologies, but you have very different
perceptions of the threats that come from them. And that, again, you know, that goes back to,
that's across of our political system, across of our culture. So all this taken together,
Peter, looking at the last five years or so in things like the OPM hack,
and what's going on now, do you think that we're behind, that America is behind?
Are we doing enough information warfare and enough cyber?
No, I wouldn't say that in terms of behind and, you know, our investment in cyber security,
particularly on the, you know, you're asking in framing kind of like, you know, who's good at offense?
NSA has a lot of different reasons they can be mad at Edward Snowden, but he also revealed that
they're pretty darn good in terms of the incredible things that they've been able to pull off
that are now in public discussion. You know, the story of Stuxnet, the first digital weapon,
the story of other kinds of devices that leap over air gaps, which is the way we used to think
systems that could be protected, the, you know, monitoring of,
of on mass scale to the breaking in of certain key, you know, communication nodes and the like.
So we have high quality in this area when it comes to the offensive side.
Our challenge is we spend a lot on defense.
We have kind of mixed success at it.
But just in general, the fact that we're so online and all that we do, whether it's the military,
whether it's civilian world in terms of our politics to civilian world in terms of our business,
it means that we don't have something that we had back in the Cold War, which was mutuality.
So when they talked, you know, in the Cold War, we had mad, mutual assured destruction.
Both sides were equally powerful and equally vulnerable.
Well, in this case, we may be actually a little bit more powerful, but we're far more vulnerable
simply because we're so far online.
And another way of kind of describing it is, you know,
who's the best at cyber defense in the world right now?
Who do you guys think?
I have no idea, honestly.
I mean, I would have guessed Israel.
I'm going to guess China.
I'd say North Korea.
And think about it.
It's not because they're all that good.
It's because they're not that wired.
You know, they have as many sort of nodes linked to the internet
as for their entire nation.
as would be in the U.S. in a single city block.
So it's much easier to defend if it's taken down,
their economy continues to rumble on.
The difference is we wouldn't want to live in an authoritarian system,
and their economy is one that celebrates the construction of a pig farm.
So we don't have mutuality.
We're more vulnerable right now.
And so what this points to is, okay,
we need to figure out maybe it's not just how to get better at being offensive, but getting better
at the defensive in terms of building up resilience, which is the idea that people are going to
attack us of lots of different kinds. People are going to attack us for political reasons, financial
reasons. The people that are attacking might range from state entities to cybercriminals to,
you know, the gray space in between of, you know, criminal and non-state groups, but they may be
working for states, lots of these different things. So instead, what you want to build up is
the ability to power through the attack. If the attacker is successful to make sure they don't
get the fruits of what they want. If they knock you down, get back up quickly. So, you know,
you could think about this and everything from, yeah, you knocked down my power grid, but I got back
online rapidly to in this case, yeah, you got inside my network, you stole my files. They're encrypted.
Good luck with that. So, you know, resilience is the idea of accepting that bad things are going to
happen to you, but preparing for them. And to me, that's where we need to move our strategy,
whether we're talking about national strategy all the way down to just your and my cybersecurity
strategy. So does that mean building also, you know, multi-levels of security so that, yeah,
they got through the first and they got through the second, but, you know, maybe they don't even
know that there's a third? That's one of the elements of it, but not the only element of it. So
that would be an element, you know, and the idea is another way. I like to use the parallel of the
human body. So your body is under constant attack. You have a, you have a, you know, and the idea is,
an incredible external layer of defense, your skin. On your fingertip right now, you have over
10 million attackers and they can't get in. But guess what? Your body is designed around the fact that,
but a lot of the other ones are going to get in. In fact, in your body right now, the ratio of
foreign to human cells is 10 to 1. But your body has things from, like you described, you know,
extra layers of defense. So it's basically gone. I figured out certain parts of me are a lot more
important. Certain information is more valuable. So that's why you have, you know, a rib cage. That's why
you have a skull around your brain. But you also have other things like, for example, internal
monitoring systems to let you know when something's off. That's why you get a fever. Your body channels
the attackers into places where they can't do harm. So that's what, you know, you have a ton of
barn cells in your gut. So, you know, yeah, you're there, but you can't really harm me. Your body
has, you know, ways of limiting and triaging around them. So I'm just kind of, you know, I'm abusing the
metaphor a little bit, but I wouldn't want people to walk away thinking, oh, I just need a couple
more layers of defense. It's more than that. There's also a mentality side of this, which is, I think,
a problem in how we and I'm going to point fingers at you guys and the media talk about
cybersecurity in both the media but also kind of the politics around it and the mentality side
is compare how we talk about things like cybersecurity or terrorism versus how the British
talked about terrorism you know so their mentality was keep calm and carry on
Ours is freak out, you know, and everything cyber war, you know, everything cyber war, cyber
911, everything's get scared. And why that's important is not just sort of your own ability to
recover, but which one do you think incentivizes attackers to come after you? The idea that
if I just do a small little thing, you're going to freak out, or I actually do something and you know
what, you're going to shrug me off. So, well, talking about it,
freaking out.
Well, I mean, I guess, well, how to say it?
So this is me trying to say it over.
Go ahead, get ahead, Matt.
Any better way to saying it?
On a scale of one to die hard four, how plausible is Cyber 9-11?
That's right.
I love that you use die hard four as the scenario, because then we have to have a discussion
on who's the attacker, and, you know, is it a,
Die Hard 4, it's the one of us disgruntled intelligence officer, but, you know, who's wearing a nice suit and traveling in, you know, some kind of cyber command center truck around the nation, whereas, you know, the other scenario is, you know, always hacker with hoodie, you know, and usually kind of disaffected maybe goth living in a basement somewhere.
Yeah, I mean, again, you know, I love the different portrayals of it.
Let me put it this way.
Okay.
There are real serious dangers in this space.
And look, I've written, you know, both a nonfiction book and a fiction book on the things that can happen in this world and the things that have happened in this world.
but there is also a great deal of fantasy and more importantly a kind of cottage industry trying to
take advantage of those fears. There's a lot of cyber-huxterism because often the get-scared message
is usually accompanied by get scared and that's why you need to hire my company or get scared
and that's why you need to double the budget of my government agency or get scared and that's
why you need to give me the legal authorities that I didn't use to have happen. So, you know, if we're
looking at the kinds of things, the kind of capabilities, there's an interesting sort of nexus here.
There's a, if you're talking about, you know, a cyber 9-11 in terms of a large-scale event that
kills thousands, but is not, you know, is geographically limited. You know, again, it's hard
to project that happening right now because right now so far there have actually not been a successful
incident of cyberterrorism that's even physically hurt a person, let alone killed one person.
And more importantly, the kind of groups that would do that, the way I describe sort of the
capability side, states like a Russia, like a China, like a Iran, they have the capability of
both expertise. And again, you want to do, you know, pull off something in this world. You don't
just need a good hacker, a couple of kids in their basement sipping Red Bull is like the way it's
always described. Look at something like Stuxnet. Stuxnet involved expertise that ranged from, you know,
people working in information security, some of the top talent in the world at the NSA, but also
expertise in fields that range from nuclear engineering to physics to espionage, to espionage,
to get it in. So, you know, if you wanted to break the centrifuge, it isn't just how do I hack the
centrifuge. It's I got to understand how the centrifuge works. Same thing on the power grid side.
So you have to have that multifaceted expertise. So that's something that states do have,
but states fall into a deterrence framework. So, you know, the way I put it like a China, a Russia,
maybe even Iran, they could do it right now, but they don't want to right now because, you know,
we're not in a state of war with them. In turn, groups like a ISIS, an al-Qaeda, whatnot,
would love to do this right now because they're not deterrable, but they don't have the
capability to do it right now. Both of them, though, time may change that. And time may change it
in terms of the capability. So, for example, you know, the level of hacking talent that a non-state
actor has right now, you know, in the future it might be much greater to large parts of this
are going to be potentially automated. But then the other thing that's changing is the target set
is changing. And that's what they call the internet of things. So you move from having, you know,
oh, you know, so ISIS, for example, hacked CENTCOM. But what did it actually hack at CENTCOM?
It hacked CENTCOM's Twitter feed. And so all that it could do was post images of
of a goat in an office, you know, embarrassing, but not deadly. But as you move to us using
internet-enabled devices, not just to communicate, but to do things like smart cars, smart power
grid, smart refrigerators, smart airplanes, as it's things that are woven into it more and more,
then you can start to do things that actually, you know, can harm people that can cause death on scale.
So, you know, again, you can do a lot of, there's a lot of, there's a lot of,
worrisome scary scenarios that loom for us. The most worrisome, though, are the ones that fall
within the framework of what a state could pull off. The good and the bad story there is, you know,
if a state like, you know, so in Ghost Fleet, we look at, you know, the takedown of GPS,
takedowns of power grids, you know, the good thing, oh, that could only happen in war.
The bad thing is it's probably happening when a lot of other.
other really bad things are going on too. So i.e., if a state's coming at you and doing things that are
causing death and destruction through cyber means, they're probably also doing it through, you know,
good old-fashioned bombs and the like. So just a question about the Internet of Things quickly.
Is there this vulnerability? Is that causing anyone to push back and try to hold the Internet of things
back? Or are we just plunging into it? There's some people who say,
you know, gosh, look at all the things that we're weaving in online. Should we be doing this?
Or can we actually have certain things that are too important to put online or sort of, you know, let's only put the unnecessary things online and keep the necessary.
Well, the first, you know, category of people, well, let's not put anything online. You know, basically they're the modern day version of the Amish, right?
So you can be willing to stick in, you know, circa 1997 world.
you're going to be at a disadvantage. So it's to go back to the example of North Korea. You could,
you could have a North Korea and not have much linked online, but you're going to pay the price,
be it in terms of your economy to your military. You know, it is advantageous to have these things
woven it. We're not weaving them in, whether it's our smart cars to smart planes because
we think it's cool or fun. It's because they bring you some kind of advantage. And the advantage
might be anything from it saves money to it saves lives. The second thing, the second thing,
thing, though, is, okay, they go, okay, okay, well, I'm not saying don't do it at all, but let's
only put the necessary stuff. Well, the problem is people's definition of what is necessary
changes over time. It basically depends on what generation you are. So, for example, GPS. If you're
older, you know, let's use the military side, you go, you know, GPS is a luxury. We don't need GPS.
Yes. I could do this just fine when I read maps myself.
If your younger generation, you're like, I can't even imagine a world where I would have to rely on a map.
More importantly, all the technology that I want to use, be it a cruise missile, be it a drone, be it my car.
I depend. It's not just that I can't wrap my head. I don't know how to do it.
It's the system is literally designed that way.
And so what I'm just sort of getting at is these forces are just naturally pushing us more and more to bringing things online.
To me, the answer is not to fight that.
I mean, again, I do think there are certain areas where we may want to question it or create firebreaks.
I do see that mentality.
I do agree with it.
But more importantly, I think it's, again, going back to how do we build resilience?
How do we make it sure that these systems can't be taken down as easily?
So, for example, when you're looking at the Internet of Things, right now of the devices that have been sort of checked, 70% of them have known vulnerabilities.
That's a number that's too high.
Will we ever get it to zero?
No.
But gosh, I'd love to get it down, and that makes us less vulnerable.
Sometimes the only way out is through and not back.
One of the things I'm interested in is what the cyber front is going to look like.
if there's more traditional conflict.
And I was wondering, you know, you've written about this in fiction and nonfiction.
I was wondering if you could tell us what you think that would look like.
And one of the recent historical examples that I'm thinking of, and you can tell me if this is
completely off base, please, is the Russian-Georgian conflict in 2008?
Mm-hmm.
Yeah.
So I think that we can come after it and sort of what's happened and what the future is.
you know, you asked earlier about cyber 9-11.
To me, I go back to more World War II examples, and the issues are more Cyber Pearl Harbor.
And again, I'm putting these in quotation marks, but people, I'll explain them later.
And Cyber Cassareen Pass for the real World War II history buffs.
And by that, I mean, in Ghost Fleet, I'm not trying to give too much of the story away.
So the story, it looks at what a war in the 2020s might look like, particularly a war between a U.S. and China.
And it's the idea of, you know, a shot out of the blue and using cyber means to take down military command and control, to take down GPS, what we were just talking about, to get inside networks.
And sometimes it might be to block the flow of information.
other times it might be to plant false information, but basically to paralyze, so to speak,
the operation.
And this is, you know, not spinning.
This is when we look at how China, for example, is envisioned.
What they look at is information ties warfare.
The Cyber-Casarine Pass issue is sort of what happens in terms of the actual battles.
So Casserine Pass was this early battle.
for the US where we're fighting in the desert of North Africa, we've got both new and old technology
for us. So we've got infantrymen, we've got artillery, but also now we've got tanks,
we've got airplanes, but we lose this battle in part because not only are we an experience
compared to the Germans who've been fighting at it, but more importantly, we've got all the technology.
we just can't figure out how to bring it all together.
So the tanks on the ground side are not working well with the air power.
And part of it's also an unclear command and control where we've got different people in charge of different areas and they just don't work well together.
So what I'm getting at is this idea of the battles may be ones that will involve both cyber and physical means.
So a real world illustration of this would be,
Israel's Operation Orchard, where this was a couple years ago, Israel discovers through cyber espionage
means that Syria is doing some nuclear research in the desert. They don't like it. So they want to do
something about it. The old school model would be you'd launch an airstrike. You'd first take out
the Syrian air defenses. You know, you'd drop bombs and missiles on their radar, their surface-to-air
missile batteries and like, and then you'd fly in and drop bombs on the nuclear research facility.
The new model was they used a mix of electronic and cyber warfare means to, in effect,
turn off the Syrian air defenses. But they turned it off in a way that the Syrians didn't even
know they were under attack. So the Syrian radar operator is looking at his machine, and it's
telling him, tonight's like any other night, nothing happening. It's not actually, you know, jamming style
where you're like, wow, someone's jamming us.
It's literally just saying nothing going on tonight.
And yet Israel, Israeli Air Force fighter bombers fly over the border, but then they drop conventional
bombs, old school bombs that take out the nuclear research facility.
So it's that mix.
And that's a good illustration of how Israel brought them together where, you know, the cyber
and the conventional are working together to sort of make both.
more effective. That's, to me, the more likely future. Russia's done, you mentioned the Georgia case.
In Georgia, it was more the kind of attacks on Georgian government websites. Georgia had a tough time
getting out its message. It wasn't this kind of takedown of command and control. So it's a good,
you know, that's a good parallel of like if Russia had just done the cyber stuff to Georgia,
they wouldn't have been at war in that case.
It was a little bit parallel to what Russia did to Estonia a couple years earlier.
But when Russia was dropping physical bombs on Georgia, they're like, okay, we're really at war.
More recently in Ukraine, we saw a more sophisticated and more integrated example of this
where Russia is basically using cyber means to not just do things like to face websites.
sites, but they're actually, through cyber and electronic warfare means, they're knocking down the
Ukrainian government's ability to communicate, not just externally, but internally. They're throwing
up a version of almost like a digital blockade around Ukrainian military units. So the military units,
they're reaching out to their command saying, what's happening? And they can't communicate with
their headquarters. Their headquarters are ordering them to do things, and they're not
getting the message. And so that's part of the story of how Russia is able to roll up quickly on
Ukraine is because basically you could argue that Ukraine had lost the cyber side of the conflict
before the actual conflict had even begun. How do you decide in a cyber world when exactly
you really are at war? I mean, it sounds to me when you're actually cutting off military units
or redirecting military units, that's pretty close to what I imagine warfare is, right?
But that's not how countries have so far responded.
Maybe Russia is trying to manipulate the democratic process here in the United States.
But that doesn't mean that we actually consider ourselves to be at war with Russia, right?
Yeah.
So, I mean, the first thing on this, and it's what I find fascinating in this discussion of, you know,
when do we know we're at war or not? How do we determine that? I was said I did some congressional
testimony on this and you know the first is let's pull back and realize the United States is
technically legally not been at war. We have made a declaration of war. Congress at least hasn't
since June of 1942. That's when they they did the war declarations against the minor access
powers like Bulgaria that, you know, we kind of had forgotten to include in the original
declarations after Pearl Harbor. So Congress, you know, they haven't made an actual vote on
this for over 70 years. So it was interesting because they were getting kind of frustrated with
the idea. We don't know. And I'm like, well, you have an issue of determining when it war in
general you haven't weighed in on. Okay. But so if we're looking at, you know, acts of war,
whether it's decided by Congress or kind of the president deciding, essentially the means
don't matter as much as the effect and the intent. So whether you're using a software of zeros and
ones or a rifle with bullets or a match, the key is first the effect. So war,
at least how it's always been defined up to this point, is that it crosses politics and mass violence, i.e. someone's got to be hurt or killed. And then the political side of it is this is how we distinguish it from things like murder. And then some people have a debate with like on the terrorism is, you know, the question of does it link to a state or not? But the bottom line, what everybody agrees on is it's politics and mass violence.
The intent, though, matters too.
So, you know, I use this example of someone in Texas, shots cross the Mexican border and kill someone in Texas.
So we've got someone's debt.
We've got effect.
And we've got a traditional, it's a bullet.
So we don't even have to say it's a cyber means.
We would still ask questions like, for example, okay, was this the Mexican?
government, was it a Mexican army unit that was crossing the border? Or was it a border guard
that had a mistaken fire of their weapon? Or was it someone in a drug cartel inside Mexico
that the Mexican government is actually running down? So the effect, someone dead in Texas,
we would still walk through things of what was the intent here in determining whether it was a war or not
or to use that example of, you know, a match.
Like, what do you mean by that?
Well, someone, a forest fire is lit inside Mexico.
It crosses the border and kills 200 Americans.
We, if it was lit by the Mexican government with deliberate intent to kill Americans and burn us down,
we wouldn't go, gosh, it wasn't a bullet or it wasn't software.
It doesn't meet the definition.
We would go, this effect, this is what matters, this intent, versus,
someone in Mexico accidentally drops a cigarette, it catches a fire and a forest fire breaks out
and lots of people are accidentally killed. So to me, you know, we sometimes overcomplicate it
by it sounds different because it's, you know, cyber, but we'll still go back to, you know,
essentially making decisions on, you know, were people hurt or killed and then did you intend to do
this? And that's, that to me is where.
where it's age old. The new parts are things like, okay, you know, attribution.
Sometimes it's much more difficult to figure out who did it. Or it may be timeline issues.
You're doing something to me that, so cyber attacks, the challenge is that they feel like
they play out in digital speed, but they actually take a long time to prepare and, and also
sometimes to detect. So, for example, the average time between
when a cyber attack begins on a target and is discovered by the target, they realize they're under
attack, at least in the corporate world, is 205 days. On the government side, we can use the
illustration of the OPM. It was well over a year between when the OPM was attacked, and we
figure it out they were under attack. But more broadly, kind of in general, and this is what wraps
together whether it's the OPM or whether it's the DNC hack is that espionage has always played a role in
war but at least in history so far no nations have gone to war solely over you stole secrets from me
it's always how it ties into something else so you can be in conflict and you know the cold war
in quotation marks and that's a good illustration how we've kind of redefined war but the
Cold War was this realm of conflict where we're competing back and forth and we're stealing secrets.
And we're doing kind of sabotage back and forth often.
We even have proxy wars going on where people are actually dying.
But we weren't old school definition at war legally with the Soviet Union.
So if we move forward today, we can be in cyber conflict with a Russia.
And they can be stealing secrets.
They can be doxing.
We can be doing it back and forth.
But I don't think it means we are, you know, Congress is going to formally declare war because one of the key things is when you formally declare war, it means all the gloves are off.
I don't have to limit you hit me in cyber.
I can hit you back with an F-15.
We're not yet in that discourse.
Well, Peter W. Singer, thank you so much for joining us and cheering us up.
As always, I leave these discussions a little bit more enlightened and,
frightened than when I enjoy it. The title of your podcast is not the shiny happy feel better about
ourselves podcast. But again, you know, pull back on this. This is a topic that feels scary. It
feels new. But it's our reality. And the way we keep it from being too scary is to figure out,
here's how we're going to manage it. Here's how to understand it. Here's how we're going to solve it,
rather than being petrified by it because we don't feel like we can handle it. We can handle this.
There's many things out there that are scary, but we don't get paralyzed by them.
Cybersecurity needs to be put in that same space.
Thank you so much, Peter.
Thank you.
Thanks.
Thanks for listening to this week's episode.
You can subscribe to the show on iTunes or anywhere else you get your podcasts.
And if you're listening to the show for the first time, you may want to check out our archive.
We've talked about the F-35 Joint Strike Fighter, the B-52, P-T-E-P.
P.S.D. Life in the Islamic State and even had a conversation about historical arsonists with Dan Carlin of the Hardcore History Podcast.
War College was created by myself and Craig Heddock.
Matthew Galt corrals most of our guests and co-hosts the show.
And it's produced this week by Bethlehemte, who has curiously small ears for someone with such painfully acute hearing.
Next time on War College.
Are there currently any people making use of military maggots, medicinal military maggots?
I just wanted to say that.
That was all that question was about, really.