India Abroad January 10, 2014 A19 INTERVIEW
want to use the Internet, but that we can’t let our fears
overwhelm good sense.
How do you think the United States is coping with this
We are very good at cyber offence, and darn well should
be, since we spend the most on it, but are very reliant on
cyberspace for our way of life, which makes us quite vulnerable.
A major problem is attitude.
Resilience is what matters most in this realm, not trying
to prevent every danger, as you never will succeed at that,
but what matters more is how you cope with the dangers.
In that, our media and political discourse does not help.
Take the idea of a cyber attack shutting down electrical
power, a fear that is central in US discourse and last summer also played out in India (which to be clear didn’t
happen in reality in either instance).
My point is not that such a danger is fake; it is real, but
rather how we cope with it is what gives it the most weight.
The power goes out all the time. But if we put the word
‘cyber’ in front of it, should we act as if life, as we know it,
What about the Asian scenario, particularly India?
Every nation depends more and more on cyberspace, but
all have not properly invested in and organized its security. I would put India in that camp of growing capability,
indeed given its thriving IT sector, but also fragile systems.
A key concern that India and the US share is the problems of intellectual property theft from business, most
often emanating from China. This undercuts trade.
We also share concerns over ensuring that the future of
the Internet is not taken over by governments. Its multi-stakeholder model has been good for free markets and
democracies everywhere and that we risk it by turning to
a State-controlled model as authoritarian States like
China and Russia have sought.
Could you please list out the major cyber threats, both
present and future?
That is why we write books! The answer would be too
long for here.
Would the alleged snooping by the National Security
Agency be classified as a cyber threat?
They certainly used various means to snoop that would
include cyber means.
At a broader level, some of the worst NSA activities
have backfired to threaten not just US business and political standing, but the Internet freedom agenda that is the
key to the future of the Internet.
What are your thoughts about the
snooping by the NSA into both e-mail
Whistleblower Edward Snowden’s
disclosures revealed three kinds of
The sensible: The spying on enemies,
everyone does this and it makes perfect
strategic sense that the NSA would do
The questionable: Some of the mass
collection was legally and policy questionable, especially in the ways it navigated around legal barriers to collect
information en masse and on US citizens;
The stupid: Such as spying on allied
The problem is that the discussion
often fails to distinguish between the
above, so people will defend one part
by talking about another part.
What steps do we need to take to build
a safe cyber world?
There is no one single action. The last
third of the book is about the ‘What can
we do?’ type questions — from how we
can better cooperate on the international level, to the national steps or
governments, to the role of businesses,
to our individual roles and responsibilities at citizens and
The steps may be cyber-related, but often draw from
history and other realms from business to public health
But the first step to doing anything effective is to start
to understand the basics. That is what the book is about.
Which terrorist outfit according to you is the most dan-
gerous in the cyber-world?
Experts I have talked with tend to identify Iranian-linked groups (which are active in conflicts like Syria and
Lebanon), as they combine the power of the State with
the flexibility of non-State actors.
Will terrorists fight the next war on cyberspace?
All actors use cyberspace to their ends now, be they in
business, politics, entertainment, or terrorism.
A better question is how would you know when a ‘
cyberwar’ begins and ends?
Should governments do more to encourage ethical hacking?
When you say ‘ethical hacking’ we need to clarify what
For instance, does it mean ‘White Hat’ hacking, people
aiding in finding vulnerabilities in systems and letting
the makers know about it, before the bad guy, ‘Black Hat’
hackers, can take advantage of those vulnerabilities.
Or does one mean people hacking in pursuit of some
ethical or political cause, better known as ‘Hacktivisim.’
These are different and the government should have a
But the bigger point is that all ‘hackers’ are not the
same, nor are all hackers bad, as too many in government
and media assume.
Will cyberspace be militarized in the days to come?
It is certainly used more and more by the military, both
for communication and likely war fighting. But the very
value of cyberspace is lost if it becomes overly militarized.
How do you see countries cooperating with each other
to combat cyber threats?
We need to understand that it is all about incentives.
Focus on shared interests, shared threats (what in
Chinese is known as ‘double crimes’), build coalitions
where possible, accept that sometimes it won’t involve all
countries, but that doesn’t it make it not worthwhile to
build core groups, graft onto treaties and agreements
that already work (build upon success, rather than trying
to reinvent the wheel), and most of all raise the level of
understanding and shared sense of responsibility across
What should private entities like
banks do to combat this threat?
Private firms have their own responsibilities too. And again, it is about
understanding the incentives.
That is why for example, banks do a
better job of protecting themselves
than infrastructure companies.
We need to do more to encourage
this, both in industry and via public
To put it another way, 70 percent of
business executives have made a
cyber-security related decision for
their firm and yet no major business
school program teaches it.
Is the hack back theory ethical?
It is certainly appealing, but so far it
remains questionable as to whether it
is legal. Even more it is not clear
whether it is wise or effective.
To explain, handing over cyber
offence operations to private firms
may parallel some of the problems that
emerged with private military firms
like Halliburton and Blackwater
(which I wrote about in my book
Corporate Warriors), as well as risk
escalating conflicts beyond what the
States might wish.
Secondly, it is a lot like vigilantism.
It feels good to strike back and ‘teach them a lesson,’ but
doesn’t work for long if you are dealing with multiple
You may teach one guy a lesson, but as one executive
put it, ‘You’ll just get five minutes of peace before another threat pops up.’
Is being anonymous a solution to be protected online?
No, both because it is getting harder and harder to
remain anonymous, as well as so much of the positive
things we use and love about the Internet must happen
with identity known.
It is about maintaining the open system of trust that
To put it another way, I should be able both to post a
joke or comment about a political leader and not worry
it will land me in jail, as well as check my personal online
bank account, and not worry it will be stolen.
If we don’t watch out, these great things about the
Internet could be risked in the years ahead.
A Free Syrian Army fighter
works on his computer.
Experts consider Iranian-linked
groups (active in conflicts like
Syria and Lebanon), as the most
dangerous in the cyberworld as
they combine the power
of the State with the flexibility
of non-State actors.
The US and India
share concerns over
ensuring that the future
of the Internet is not
taken over by governments. Its multi-stake-holder model has been
good for free markets
everywhere and that we
risk it by turning to a
as authoritarian States
like China and Russia