An All-Star Panel on Cybersecurity
The former Chairman of the Joint Chiefs of Staff, Admiral Mike Mullen, characterized “cyber” as an “existential threat to the United States of America” in a recent issue of Fortune Magazine:
The challenge for me and many other leaders is to really understand it….We are vulnerable in the military and in our governments, but I think we’re most vulnerable to cyberattacks commercially. This challenge is going to significantly increase….The potential is to shut down our transportation system, shut down our banking system, shut down other infrastructure in our country, and essentially bring us to parade rest.
Shortly after he made that statement, we learned about Flame: a 20-megabyte computer virus that contains 20 times more code than the much-discussed Stuxnet virus, it evaded detection for five years and, according to researchers at the Kaspersky Lab, could have infected over a thousand computers across the Middle East. Flame has fanned the flames (I couldn’t resist) of the debate over cybersecurity: while the Washington Post just ran a special report, “Zero Day: The Threat in Cyberspace,” ABC News investigative producer Lee Ferran argues that “human carelessness” is more responsible for cyberthreats than technical advances: “no matter how sophisticated the attack or how capable the defenses, the weakest link in cybersecurity is often the human at the keyboard.”
So how worried should we be? To analyze Admiral Mullen’s argument—and consider issues of cybersecurity more broadly—I spoke to several leading figures:
- Herbert Lin, chief scientist with the National Academies’s Computer Science and Telecommunications Board
- Chris Roosenraad, co-chairman of the Messaging, Malware, and Mobile Anti-Abuse Working Group
Here are my takeaways:
- It’s important to deconstruct cyberthreats into a spectrum of threats, rigorously analyzing each on the basis of its likelihood and impact.
- How one assesses the risks of those threats depends in part on one’s willingness to extrapolate: that is, to infer from that which we can observe and verify that there’s much more occurring that we can neither observe nor verify. Recall former Secretary of Defense Donald Rumsfeld’s distinction between “known knowns,” “known unknowns,” and “unknown unknowns.”
POWER GAMES: How would you respond to Admiral Mullen’s statement?
ARQUILLA: Cyberattack, at its worst, poses the threat of “mass disruption.” This could prove costly, in economic terms, and could lead to battlefield losses if the information systems upon which our troops rely are disrupted in the middle of a fight. But all this pales in comparison to the threat posed by weapons of mass destruction—nukes, bugs, and poisons. Cyber is bad, but does not pose an “existential threat.”
CARR: I partially agree…No one has produced an accurate threat assessment on this topic, so Admiral Mullen isn’t really speaking from a base set of verifiable facts. What he describes is more of a potential threat on a broad scale. If, on the other hand, he focused solely on the threats to specific industries like defense contracting, energy, artificial intelligence, research and development, and other specific high-value sectors, I’d agree with him 100%.
LIN: It depends on what you mean by “existential.” An existential threat is one that, if not countered, could threaten the existence of the United States as we know it today…In the short term, is there a cyberthreat that could threaten the existence of the United States as we know it today? Sure. Imagine a powerful nuclear electromagnetic pulse weapon detonated above the horizon of much of the United States. Such a weapon could totally fry most of the existing electronic infrastructure (that is, all computer and communications technology, both standalone and embedded in devices) on which we rely today. Such a weapon might shut down the nation’s power grid and damage much of our ability to recover.
In the long term, is there a threat that could threaten the existence of the United States as we know it today? Sure, and it does not even have to be a cyberthreat. The United States has the world’s dominant economy today, and exerts enormous economic power and influence around the world….such leadership cannot be taken for granted, and we do have economic competitors today….A threat to U.S. economic dominance could be regarded as existential, and there I would say that the United States does face an existential threat in the long run [from China].
Cyber, of course, plays into this threat: economic espionage against the United States gives other nations advantages over us in any economic competition, and we know that much of the economic espionage against us is committed using cyber means. The notion that cyber plays into an economic threat against the United States is consistent with Admiral Mullen’s statement…that “we’re most vulnerable to cyberattacks commercially.” On the other hand…the United States does not conduct espionage against other nations for the benefit of private U.S. companies. So to some extent, we have chosen to tie one hand behind our backs. There are other scenarios that are sometimes offered, such as a cyberattack that shuts down the U.S. electric power grid for months at a time. That would be a very bad outcome, and is also arguably [an] existential [threat]. But…there are two relevant points. First, this would be very hard to do….Second, there are other, non-cyber ways to achieve the same effect, and the key point here is that we don’t do very much to protect against those other non-cyber ways either.
RID: Unless he comes forward with more detail, which I frankly doubt he can—either because he doesn’t have it or, far less likely, because it’s classified—I would dismiss this statement.
ROOSENRAAD: My main response…is to nod and wonder what took the U.S. military this long to acknowledge the importance of the Internet. The Internet has become a critical part of the world economy, and that obviously means the U.S. economy as well. The purpose of the U.S. military is to protect the country’s interests around the world, so it’s inevitable that they’ll look to do so on the Internet….From a state-versus-state point of view, I agree [that “[t]his challenge is going to significantly increase”].
Over the last few years, we’ve seen a rather radical change in the world of online malware, bots, and other threats that has grown from individuals into gangs and now into…a whole shadow economy, with criminals and criminal gangs that specialize in specific areas. One expects that state-backed activities will similarly evolve from individual actions into large-scale programs, with strategic goals, centralized programs, large budgets, and other conventions….Admiral Mullen is right that commercial entities are being attacked, but I’d contest the statement that industry as a whole is more vulnerable than the military or the government. While industry approaches to cyberprotection vary from company to company, I think you’ll find that many large corporations are quite far along with their defenses against attacks, since they are aware that companies are being attacked every day.
WOODCOCK: There are two factors that make the United States particularly vulnerable to cyberattacks. First is the degree to which we, as a country, are willing to make enemies of arbitrary people in random parts of the world, for no reason or gain….Second, for us, cyber is an asymmetric risk. That is, we have far more to lose in a cyberconflict than most countries do, because so much of our economy is dependent upon the Internet…By militarizing cyberspace, we place at risk something that we hold dearer than do our adversaries. I remember thinking this when we used the BLU-114 graphite fiber bombs [according to GlobalSecurity.org, “special-purpose munition[s] for attacking electrical power infrastructure”] in Bosnia: it might have been painful for them, but it would have been utterly crippling if it had been used in the U.S., and it was an idea that we really shouldn’t have put out in the world. And, of course, all of this affects us commercially. The Internet is private-sector.
ZUCKERMAN: Many of the doomsday scenarios that are cited fail to distinguish between Internet-based systems and non-Internet-based control systems. The Stuxnet worm was the first clear piece of evidence that attacks could cross that barrier. It was a “proof of concept,” but not the norm. In fact, it was a pretty clever, even miraculous, attack….I’m scared of DDoS [distributed denial-of-service attacks] and malware, and a little less scared of the possibility that people will break the barrier that I mentioned earlier. We should spend more time being scared of that which we know is happening than that which could theoretically be happening.
When computer-security folks say that they see little justification for the doomsday scenarios, military officials often respond: “You don’t know what’s out there.” I call that response “security through obscurity.” How are we supposed to respond if we can’t see the evidence—if there even is evidence—for the dire threat assessments? The reality is that the Internet has more or less worked even though it has enormous insecurities. As recently as a decade ago, some people seriously thought that it would collapse under the weight of spam. Then it was phishing [attempts to steal sensitive information over e-mail by pretending to be a trustworthy source] that would be an apocalypse. The truth is that there are gangs of geeks out there working very hard to fix the Internet’s security gaps. They get very little press, partly because they don’t seek it, and partly because it’s sexier to say that the sky is falling than to say that we’re chipping away at those gaps.
PG: Why do assessments of cyberthreats vary so significantly among analysts? While some argue that those threats are serious and poised to increase, others contend that they’re exaggerated and well within our ability to manage.
ARQUILLA: Those who see less of a threat tend to view the absence of a “Digital Pearl Harbor” as a sign that it is unlikely that there will ever be one. Others of us (I am one of them) look at actual vulnerabilities—as demonstrated in real-world events and rigorous exercises—and worry that thinking enemies will soon make the virtual domain a theater of war and target for terror.
CARR: Because most of them occur below the radar. Most companies have no idea that they’re losing data or have unauthorized users crawling their networks. So we extrapolate…from what we do discover to cover those [threats] that we presume must also be happening which haven’t been discovered. That’s fine if the person making the estimate sticks to high-value industries, but often that’s not the case. Instead, people see something in the news about China, and all of a sudden EVERYTHING is about China. Or they read about a high-profile cyberattack and extrapolate from that that ALL companies have been breached. That’s a completely inane point of view, but the media eats it up because it makes for an exciting headline and expanded readership.
LIN: I’d argue that both kinds of analysts are right. That is, cyberthreats are serious and poised to increase, but…they are (sometimes) exaggerated and well within our ability to manage. Whether they are within our WILL to manage is a different point. For all of the expressed concern about cybersecurity, few people seem to be willing to pay very much (in dollars or effort or convenience) to fix those problems. If we as a nation would actually implement what we have the knowledge and the technology to do, our cybersecurity posture would be much stronger than it is now.
WOODCOCK: The future is unknowable, and people are very bad at quantifying risk. Some people consider what’s possible, while others consider what’s likely. Some people think that what’s possible will happen eventually, while the temporally egocentric assume that anything that’s possible will occur while they’re alive. Personally, I’m an optimist, and believe that people are, by and large, good, and it doesn’t occur to them to actually do the terrible things that other people know are possible. Perfect security is impossible, yet planes and buildings are not blowing up, because most people are rational and well-intentioned most of the time, and it’s neither nice nor useful to blow up planes. I think there are many more inventive, pessimistic, paranoid people than there are inventive, sociopathic, motivated people. Thus, people invent and worry about scenarios that are far worse than any that will actually be carried out in our lifetimes.
PG: When individuals discuss cyberthreats, to what are they generally referring? Cybercrime? Cyberattacks? Cyberterrorism? Cyberwar? How important are the distinctions between those categories?
ARQUILLA: Cyberwar has many faces. “Cybotage” can be used to gum up the works—think Stuxnet. Cybersnooping is a key aspect of modern intelligence, as is industrial espionage, the latter being a cause of the hemorrhaging of American intellectual property today. Cyberwar has made an appearance on the battlefield—think the Russian use of cyberattacks on Georgia’s information systems during the 2008 war, which contributed to the quick overrun of the latter’s forces in the field. Terrorists haven’t yet gotten up to speed in the cyber realm, probably because it takes time to develop top-flight hackers, and terrorists are reluctant to recruit cyber mercenaries (they might be working for us, like the double agent who infiltrated the Al Qaeda cell in Yemen).
CARR: There are two big categories of cyberthreats: cybercrime against banks and cyberespionage against high-value industries. Much rarer are acts of cyberwarfare, which we saw during the Russia-Georgia war in 2008 and the Israel-Hamas conflict (Operation Cast Lead) in January 2009. There has never been a single act of cyberterrorism, although I expect to see that start to happen in another three to five years as radical groups become confident about the havoc that they could potentially create via cyberattacks.
HYPPONEN: One of the key problems we have in understanding this issue is the lack of understanding of the differences between different threats. Some of these attacks (and attackers) have nothing to do with each other, yet we seem to refer to them as one and the same. A criminal who wants to steal your credit card information has nothing to do with an activist who wants to DDoS a corporate website as a protest. And neither of them has anything to do with a government employee launching cyberespionage attacks to steal classified information of foreign nations. All of these happen all the time. They have nothing to do with each other and cannot be solved with a single solution.
LIN: Everything in the media is [treated as] a cyberattack, and it masks important distinctions. Stealing information is a different kind of threat than destroying computers, and the public debate would be much saner if we distinguished between them.
ROOSENRAAD: One of the larger issues we have in the cybersecurity/Internet security/anti-spam/anti-bot/etc. industry…is the lack of a good common vocabulary. While this can sometimes just be annoying…the different terminology can actually hold back the fight against the Internet “bad guys.” There are very few organizations that can fight online threats on their own, and this means we need to share data and collaborate….But in order to work together, you need to be able to communicate. You need…a common lexicon.
WOODCOCK: These distinctions are very meaningful, and…[these categories are] far too often lumped together, in the way that people who don’t actually understand something will abstract it and refer to it as a cloud or a black box. Cybercrime is crime, some or all of which is executed online, but what’s interesting about it is that it’s crime, and that it’s the responsibility of law enforcement to investigate and prosecute it, to deter future crime. Cyberattack is a generalization of no great utility. Cyberterrorism is a boogeyman that’s possible, but doesn’t actually exist, and may not come to pass in our lifetimes. Cyberwarfare encompasses both cyberdefense, which is just good sense, and cyberoffense, which is cybercrime committed by governments. So each is a different thing with different actors: some individuals, some corporations, some governments, and others that are mythical or hypothetical….Abstractions and understanding by analogy…aren’t sufficient to guide action in this space.
ZUCKERMAN: DDoS has escalated to a serious problem for small web players and could possibly be very worrisome for mid-level government agencies. We’ve seen a high, growing level of attacks—particularly originating from the Chinese activist community—that systematically target the communication channels of human-rights NGOs. Do these attacks constitute cyberharrassment? Yes. Cyberespionage? Maybe. But cyberwar? No. War kills people.
Photo Credit: Palto/Shutterstock.com
Malcolm Gladwell teaches "Get over yourself and get to work" for Big Think Edge.
- Learn to recognize failure and know the big difference between panicking and choking.
- At Big Think Edge, Malcolm Gladwell teaches how to check your inner critic and get clear on what failure is.
- Subscribe to Big Think Edge before we launch on March 30 to get 20% off monthly and annual memberships.
Both panoramic and detailed, this infographic manages to show both the size and distribution of world religions
- At a glance, this map shows both the size and distribution of world religions
- See how religions mix at both national and regional level
- There's one country in the Americas without a Christian majority – which?
China and India are huge religious outliers
A picture says more than a thousand words, and that goes for this world map as well. This map conveys not just the size but also the distribution of world religions – at both a global and national level.
Strictly speaking it's an infographic rather than a map, but you get the idea: the circles represent countries, their varying sizes reflect population sizes, and the slices in each circle indicate religious affiliation.
The result is both panoramic and detailed. In other words, this is the best, simplest map of world religions ever. Some quick takeaways:
- Christianity (blue) dominates in the Americas, Europe and the southern half of Africa.
- Islam (green) is the top religion in a string of countries from northern Africa through the Middle East to Indonesia.
- India stands out as a huge Hindu bloc (dark orange).
- Buddhism (light orange) is the majority religion in South East Asia and Japan
- China is the country with the world's largest 'atheist/agnostic' population (grey) as well as worshippers of 'other' religions (yellow).
The Americas are (mostly) solidly Christian
Which is the least Christian country in the Americas? The answer may surprise you.But the map – based on figures from the World Religion Database (behind a paywall) – also allows for some more detailed observations.
- Yes, the United States is majority Christian; but the atheist/agnostic share of its population alone is bigger than the total population of most other countries, in the Americas and elsewhere. Uruguay has the highest share of atheists/agnostics in the Americas. Other countries with a lot of 'grey' in their pies include Canada, Cuba, Argentina and Chile.
- All belief systems represented on the scale below are present in the US and Canada. Most other countries in the Americas are more mono-religiously Christian, with 'other' (often syncretic folk religions such as Candomblé in Brazil or Santería in Cuba) the only main alternative.
- Guyana, Suriname and Trinidad & Tobago are the only American nations with significant shares of Hindus, as well as the largest share of Muslim populations – and consequently have the lowest share of Christians in the Americas (just under half in the case of Suriname).
Lots of grey area in Europe
The second-biggest religious affiliation in Europe isn't Islam, but 'none'.
- Christianity is still the biggest belief system in most European countries, but the atheist/agnostic share is strong in many places: mainly in Western Europe, but especially in the Czech Republic, where it is close to half the total.
- Islam represents a significant slice (and a large absolute number) in France, Germany and the UK, and is stronger in the Balkans: the majority in Albania, almost half in Bosnia and around a quarter in Serbia (although that probably indicates the de facto independent province of Kosovo).
Islam in the north, Christianity in the south
The map of Africa and is dominated by the world's two largest religions
- Israel is the world's only majority-Jewish state (75%, with 18% Muslim). The West Bank, shown separate, also has a significant Jewish presence (20%, with 80% Muslim). Counted as one country, the Jewish majority would drop to around 55%.
- Strictly Islamic Saudi Arabia but also some of its neighbours in the Gulf have significant non-Muslim populations: virtually all guest workers and ex-pats.
- Nigeria, due to its large population and even split between Islam and Christianity, has more Muslims and more Christians than most other African nations.
Different majorities across Asia
Close neighbours India, Bangladesh and Myanmar each have a different majority religion.
- Because countries are sized for population rather than area, some are much bigger or smaller than you'd expect – with some interesting results: there are more Christians in Muslim-majority Indonesia than there are in mainly Christian Australia, for example.
- Hindus are a minority everywhere outside India, except in Nepal.
- North Korea is shown as three-quarters atheist/agnostic, but this is debatable, on two counts. In what is often referred to as the last Stalinist state on earth, religious adherence is probably underreported. And the state-sponsored ideology of 'Juche', although in essence based on materialism, makes some supernatural claims. For instance: despite having died in 1994, Kim Il-sung was declared 'president for eternity' in 1998.
And then there's the whole minefield of nuance between those who practice a religion (but may do so out of social coercion rather than personally held belief), and those who believe in something (but don't participate in the rituals of any particular faith). To be fair, that requires more nuance than even a great map like this can probably provide.
Hungarian cartographer travels the world while mapping its treasures.
- Simple idea, stunning result: the world's watersheds in glorious colors.
- The maps are the work of Hungarian cartographer Robert Szucs.
- His job: to travel and map the world, one good cause at a time.
You can say 'no' to things, and you should. Do it like this.
- Give yourself permission to say "no" to things. Saying yes to everything is a fast way to burn out.
- Learn to say no in a way that keeps the door of opportunity open: No should never be a one-word answer. Say "No, but I could do this instead," or, "No, but let me connect you to someone who can help."
- If you really want to say yes but can't manage another commitment, try qualifiers like "yes, if," or "yes, after."
SMARTER FASTER trademarks owned by The Big Think, Inc. All rights reserved.