“Ghost Fleet actually had greater policy impact than my nonfiction work … Ghost Fleet was the one that got me invited to the White House situation room. It was the one that the Navy literally named a $3.6 billion program after it called it Ghost Fleet. And it just had greater impact. There’s no other way to cut at it.”

That’s P.W. Singer, this week’s guest on Hack the Plant, a new cybersecurity podcast produced by the R Street Institute and ICS Village, as he talks about vulnerabilities in our critical infrastructure like our water supply.

Singer is, author, strategist, and senior fellow at New America. He is considered one of the leading experts on changes in 21st century warfare and has written extensively on the cybersecurity implications of national defense and security. His first technothriller – Ghost Fleet – blended his nonfiction research into a new novel type and is on the professional reading list of every branch of the U.S. military.

(Subscribe to Hack the Plant on Spotify or Apple, by RSS feed or search for it wherever you listen to podcasts.)

Transcript:

P.W.

Our dependence on connected technology is growing faster than our ability to secure it, especially in areas affecting public safety and human life.

Bryson Bort:

Electricity. Finance. Transportation. Our water supply. We take these critical infrastructure systems for granted but they’re all becoming increasingly dependent on the internet to function. Every day I ask and look for answers to the questions: Does our connectivity leave us more vulnerable to attacks by our enemies?

I’m a senior fellow at the R Street Institute, and a co-founder of the non-profit ICS Village, educating people on critical infrastructure security with hands-on examples, not just nerd stuff. I founded GRIMM in 2013, a consultancy that works the front lines of these problems every day for clients all over the world.

P.W.

“It’s playing out in Israel right now where hackers have been going after Israeli water systems. Again, not to steal information from them, but to change the setting on the chemicals in Israeli water.”

Bryson Bort:

Each month I’m going to walk you through my world of hackers, insiders, and government working on the front lines of cybersecurity and public safety to protect the systems you rely upon every day.

P.W.: 

If you think that the small town water authorities and the mom and pop size companies have better cybersecurity in the U.S. than the Israelis do, I’ve really, really bad news for you.

Bryson: 

An attack on our critical infrastructure, the degradation to the point that they can no longer support us, means that we go back to the stoneage literally overnight.

Joshua Corman:

If we think the government’s going to solve it for us, we’re wrong, we have to help them.

Bryson Bort:

This is not a podcast for the faint of heart. If you want to meet those protecting the world, and what problems keep them up at night, then this is the podcast for you.

Bryson Bort:

I’m Bryson Bort and this is Hack the Plan[e]t. On today’s episode, we’re talking to P.W. Singer, a top expert on national defense topics. In addition to being a strategist at New America and a Professor of Practice at Arizona State University, he also co-writes technothrillers — fiction novels that expose real world cybersecurity threats so everyone can understand them. Here’s what he had to say about his first major seller, “Ghost Fleet.”

P.W.: 

It actually had greater policy impact than my nonfiction work and my nonfiction work, I was doing Fortune 500 consulting and it was on the military reading list. But Ghost Fleet was the one that got me invited to the white house situation room. It was the one that the Navy literally named a $3.6 billion program after it called it ghost fleet. And it just had greater impact. There’s no other way to cut at it.

Bryson Bort: 

So today we’re having an in-depth conversation with PW about different versions of doomsday that we hope will never happen. By the end of the episode, I think you’ll have a better understanding about the kinds of cyber threats that keep us up at night – and what can be done to keep our critical infrastructure safe. You’ll hear from PW again about his newest project: Artificial Intelligence.

Bryson Bort:

All right, so let’s start with what are the core issues in particular relating to critical infrastructure? Are we more vulnerable now to a cyber war? Why and how big is this problem P.W?

P.W.:

So what’s playing out is that the internet itself and how we use it is changing, and we have to ensure that our security keeps up with that. And so if you think about the first generations of the internet, it’s about communication between people, initially just scientists then it’s the rest of us. And along the way, all of the cybersecurity issues surface, right?

So primarily around the theft of information, be it the theft of your credit card, be it the theft of intellectual property to build your own version of that jet fighter if you’re China. That’s what’s been playing out and it’s been challenging enough. Now we are essentially wiring up what’s called the Internet of Things.

And the Internet of Things involves everything from your smart home to smart cars, to smart cities, to all the various forms of critical infrastructure that’s out there. And one of the misnomers of this is that people just think about it as like, oh, the power grid might go down.

No, no, no, no, no. It’s much more than that. It’s everything from water treatment plants to transportation networks, you name it. And unfortunately, we’re in short repeating all of the mistakes that we made previously. We’re not baking security into the emergent Internet of Things, including critical infrastructure in the way that we need to.

And there’s a variety of reasons behind that. It’s a lack of regulation. It’s a problem of sort of the balancing between convenience and security. It’s cost savings, you name it, but that’s what’s playing out and there’s all sorts of data behind this.

Whether it’s over, one study found that over 90% of the messaging traffic going back and forth on the Internet of Things, the shorthand for it is IoT is unencrypted to over 60% of the devices are vulnerable to a medium or high level cyber attack. But the outcome of it is going to be fundamentally different than everything that we’ve been wrestling with in cybersecurity for the last generation, because now you open up the possibility of physical damage, physical effect from it.

So it’s not someone stealing your data, it’s causing a change in the world. And we explore this in a book, but it’s everything from you might be able to, for example, even murder someone in their smart home without ever leaving your home, or it might be carrying out versions of the 10 biblical plagues to hit a city. It’s the physical effect. And we’ve already started to see little tastes of this.

One, for the first part would have been the Stuxnet attack that the United States conducted allegedly against Iran and was able to physically sabotage Iranian nuclear research through digital means. It was able to cause physical damage, change physical settings on their research programs. Two, there’s been an attempted version of this.

As you and I are speaking, it’s playing out in Israel right now where hackers have been going after Israeli water systems. Again, not to steal information from them, but to change the setting on the chemicals in Israeli water. And having done research on the US side of this US water systems, I can tell you if you believe that the … I live in Washington DC area, so we particularly looked at the upper river on the Potomac River.

If you think that the small town water authorities and the mom and pop size companies have better cybersecurity in the US than the Israelis do, I’ve really, really bad news for you.

Bryson Bort:

So you particularly mentioned China. Is China the only problem? Certainly I don’t think they’re the ones that are going after the Israeli water systems.

P.W.: 

No, gosh, no. This is a, you might think of it as a battle space that involves everyone. And that’s one of the other changes is essentially you might think of as kind of lowering the barriers to entry. So Stuxnet, the first one of these types of attacks, the first real cyber weapon, if we’re talking about, a weapon like a bullet, like a blade that causes physical damage.

Just in the case of Stuxnet, it was a bunch of zeros and ones of software, but it still caused physical damage. Stuxnet involved a whole team of all sorts of different specialties, a big investment of time and money and human capital, some of the top cyber talent in the US government. And that’s what it took back then several years back.

Now, we’re seeing that capability push down to not just other large states like China, but also mid tier powers like in Iran all the way down to criminal groups and even individuals. And so that changes the, we talk about, the sort of the threat landscape. It opens up the realm of more potential attacks.

It also changes the way you have to think about how you stop them, particularly all the way up to the policy level. This is not a space. I have bad news for everyone where cold war style deterrence isn’t going to work out. Cold war solid deterrence in terms of you hit me Soviet Union, I’ll hit you back just as hard, and so that’s why you’re not going to hit me, what we call deterrence by punishment.

When you have so many different actors out there with so many different interests and some of them, frankly, might not even be terrible. They might not even care about your punishment. It means you have to shift to a different style of deterrence. It’s what’s called deterrence by denial. Easier way of thinking about it is its resilience, it’s your ability to trag off and attack or bounce back quickly.

So your deterrence is, simply put, for boxing fans, its Muhammad Ali rope-a-dope. It’s you are deterred from attacking me because you don’t think it’s going to work. Not because I’m going to hit you back because you don’t think it’s going to work, and that’s what we need to build more into our strategy. And then all the way down to our systems again.

So resilience model is something that is needed more in national government strategy, all the way down to corporate strategy. Now, the challenge of a resilience model is it’s not sexy. It’s hard to sell. If you go into a boardroom or you’re going to testify to Congress, and one person says I’m going to scare all the bad guys away, and there’s never, ever, ever going to be a bad day for you, that’s very appealing.

It’s not realistic, but it sounds really appealing versus the person that comes in and says, look, the hard reality of this is that there is going to be a bad day. At some point, the bad guy is going to get it. And so my approach is to try and make that bad day not as bad and make less of these bad days happen. That’s a harder sell, but guess what?

Hopefully it’s going to be something that we take into account because the same kind of thinking has been needed in so much else in US politics right now. So if you think about the impact of the pandemic, it was a known bad day that was coming, and yet we resisted building resilience into our systems.

And the public health system is another critical infrastructure element of it. We’re paying the price for wishing away the bad day as opposed to being realistic and building resilience in. And so hopefully we can take that to heart on the cybersecurity side and think about the critical infrastructure vulnerabilities and say, okay, what are we going to do to limit that risk, reduce the consequences, make it less likely to happen?

And that’s something we’ve been exploring sort of different ways going after that. There’s the cyberspace solarium commission, which is a bipartisan commission that brought together members of Congress from both sides as well as some of the leading experts. And they essentially issued a series of recommendations that said, here’s what we can put into place.

In many ways, you can think about it as the parallel to the reports about terrorism that came out before 9/11. Here’s the things that we know we could do to limit the risk of terrorism. Now, the worry, again, parallel to 9/11 parallel to coronavirus pandemic is that those things are not implemented.

And so, one of the activities I’ve been involved in is trying to help leaders visualize that bad day to make it more likely to act so that they can, in essence, experience the bad day in a synthetic environment, is the technical term for it. The best way to think about it is can you live that nightmare scenario without actually living it? And then can that prompt you to take actions to keep that nightmare scenario from coming true.

Bryson Bort: 

Security is a hard sell. I mean, it’s generally the challenge of we need to invest in something that isn’t necessarily directly a part of the mission to assure the mission for something that is hard to understand or to envision, particularly if you’re not the proverbial computer whiz or nerd. And that’s part of why I thought that you would be a great guest host is your ability to tell those stories that actualize that.

But there’s a challenge between telling a realistic story and telling one that just gives into the industry’s challenge of FUD fear, uncertainty, and doubt. And so you mentioned IoT, the Internet of Things, and Internet of Things actually kind of splits into two categories. We have the consumer side of it, which is your nest thermostat.

And then we have the industrial Internet of Things, which are the sensors that help tell the critical infrastructure what it needs to know, and in a real time analytics to ensure availability and delivery. But is somebody’s really going to be starting a cyber war by attacking my nest thermostat?

P.W.:

A couple of things here on the FUD side that is so crucial and it’s one of the dangers in how we talk about this, is that we either veer between being so highly technical and exclusionary, that we can’t, simply put persuade, and educate the needed policy decision maker. And that is true whether it is inside a corporation or organization.

The hard reality is that someone working in, for example, a threat fusion center or the IT department, they have to be able to, at the end of the day, persuade people working in finance all the way up to the CEO and the board to make the kind of investments that are needed. But then the flip side is that if you put it all within FUD, fear, uncertainty, doubt, the data shows that sometimes people are almost paralyzed and then also it begins to no longer link to the real world.

It’s funny, I did a series of interviews of various cybersecurity leaders. And one of the things that I would ask them is what was the most influential pop culture artifact on you understanding this space? What motivated you, right? What did you … Frame the way you look at the world and people would say things like war games or the movie Hackers, various movies like that.

It’s funny that the one that I got the most resonance that people still love today is Sneakers. It’s a great movie and hits themes of security, privacy that still hold true today, even though it came out in 1992, but what was disturbing was that you had people point to ones that were completely ungrounded. I remember a member of Congress saying you know what inspired me was Die Hard 4. And I was like, oh gosh.

And so that is a challenge, and so the way I go at that is to ground it. You’ll notice when I was speaking to you and I’m making examples, I’m referencing real world incidents that have happened already. So what’s playing out in Israel right now, or Stuxnet or things that have been demonstrated possible, be it in threat vulnerability reports or at hacker conventions, whatnot.

And so that allows you to ground it. It also allows you to say, hey, this has happened and this is what we can do about it. Now let’s get to the second part that you brought up, which is the Internet of Things and how there is a seeming division between the industrial side and the consumer side.

That’s where I probably differ with you is that while there is a division in some of the conceptualization, and even the purchasing of it, it’s not truly stove pipe, or how we would describe it, air gap in this space and they are blending together. And so there are, for example, threats and of attacks that would go after both.

So if you are a nation state level threat actor like a China, and yes, you were contemplating going to war against the United States. And one of the elements that you were to use would be cyber means, you would not say, you know what, I’m only going to go after US military, fighter jets or military networks only on the base itself.

You would use civilian means to enter them and you might go after the civilian networks. As an example, one of the crucial targets that we know from Russian and Chinese discussions of their plans is to go after transportation and logistics networks. That would make it harder for US forces to deploy out to be at a scenario in Europe or in the United States.

Sorry, in Europe or in like say the South China Sea, our civilian transportation networks are integral to that. So you would go after those. The flip side is you are a terrorist group. You’re not going to say okay, I’m only going to go after this individual. You think about scale.

What I’m getting after is that both the threat side doesn’t have that hard stove piping or air gap, but also the way the networks work themselves, point blank, there’s just not that division between the two. And so it’s one of the reasons why, how do I put this? When we think about security, you have the internals of the organization, your family’s network, your power company’s network, or your military unit, but you also have the ecosystem within which it exists.

And that’s why it’s one of the many reasons why you have to approach this with both the overall public and private operating at a much more effective level than we are right now.

Bryson Bort:

The US water systems, small town water authorities, generally very limited in what they can charge, which makes it hard for them to invest in the infrastructure against these threats. What can we do to help them? And why hasn’t our water supply been attacked like the example you gave with the Israelis?

P.W.: 

So I’ll walk through it. One of the things that we tried to surface in the recent book Burn-In was the way that we talk about critical infrastructure has ironically enough, going back to that Die Hard 4 example, focused almost exclusively on the power going down scenario.

And that’d be fine if it stayed just within the realm of fiction, but that’s where almost a vast majority of the public policy attention has been paid as well. In terms of raising standards, creating certain requirements all the way down to how many words members of Congress are spending on different cybersecurity topics.

The power grid might go down scenario is just out there all the time. And the reality though is that our world has a much wider array of critical infrastructure that we rely on, transportation networks, waters. And oh by the way, water systems, there’s different types that we’re talking about. There’s water treatment, there’s the sewage and storm water system.

And to give you the scale of the things that might play out, there is, of course, the cleanliness of your water coming out of a pipe to, if you are able, the exit of storm water from certain American cities like Miami or Washington DC is the difference of it being flooded or not.

Literally the cities themselves are built at low levels, but that’s not the only one. We have transportation networks, rail et cetera, we can go on and on. And what’s interesting is that each of these critical infrastructure areas have first, they have different industry structures in the United States. So some, it is mostly private sector run.

Other ones, it is a mostly mix of state or city level authorities, a city run agency or city authorized business, et cetera. Some of them are crossing states. So they might have corporations that are operating in lots of different states, so they are of large scale. Other ones it’s, in reference, mom and pop. It’s small business.

And so again, break it down, think about the difference between rail networks versus power networks and the companies behind them, or telecom versus water. And so that is interesting issue because I remember speaking with a cyber security company and they basically explore who should they go out to, to sell their wares to.

And he described it as power companies, they’re big enough, and they have the big enough budgets that it’s a value to us to go out and work with them and sell to them versus in some areas like water treatment, we would have to go sort of the equivalent of door to door town by town. And they each have little rinky dinky budgets, and it’s not valuable enough to do this.

Another key issue in the US is the governmental agency that has sort of rough supervisory over that industry area. And what are their priorities? So related to things like water you have agencies that their prime priority for very good reasons has been protecting the environment. In power, it’s in recent years because of congressional attention, security has been emphasized more.

So when that governmental agency is going to them and saying, this is what I’d like you to … These are my standards, these are my potential regulations. What am I checking for in inspections? There’s what they emphasize or not. So you have this kind of cacophony across the US system.

Now we get to your question of the threat actor side, and now we put ourselves into the mentality of the attacker. In some of these areas, there are clear vulnerabilities that a state actor could go after, a China, a Russia, moved down the level, not as capable, but building up capability, a Iran. And then you get into, okay, going after getting into the systems and creating beachheads, that’s all playing out right now.

And we’ve, for example had seen discussions of them into various water systems, dam controls to Russia exploration into power grid all the way into certain, and this is US, but also in Europe, nuclear power plants. But the beachhead is not about yet crossing the line of physical effect.

And that’s the, okay, if you, a state crosses into physical effect, now we’ve moved from kind of a low level cyber activities into the realm of war itself where … And there’s a lot of silly, I’m trying to come up with a very kind adjective, but basically there’s a lot of really silly, stupid discussion around the definitions of cyber war.

Put it bluntly, if a state conducts a cyber attack that leaves thousands dead, no one is going to say, wow, but it was through cyber means. I guess it’s not war, I guess we can’t bomb them back. So that is sort of what you’re getting to is that for state actors, they’ve not crossed that line because to do so would mean that we would be at all out war overall, but it doesn’t mean that if we were in a war scenario, that they would not use that.

So the entry of these beachheads is then basically saying, okay, if I’m going to war, this is what I can do to conduct against you. Now, then we go down a level and we say, well, what about non-state groups, terrorist groups, individuals? It’s harder for them to conduct these kinds of activities right now, because it’s a mix of what is their capability and we’ve not fully wired up and automated.

We’re only at the start of the Internet of Things. So what you have plain out moving forward is a combination of both lashing up more and more systems, more and more of those smart thermostats that you mentioned, more and more water treatment plants saving on labor costs by automating various systems.

More and more transportation networks that don’t have human drivers, but will have a driverless car, driverless delivery truck, whatnot, guided by these systems. So you have that moving forward, and then you have threat actors that gain more and more capability. So it’s a combination where we’re going to see more of it, but of the large scale physical stuff.

For states, they’re still in a political back and forth. So the spark for that scenario is a crisis, right? So to put it bluntly, China Russia and Iran, they’re not conducting these attacks right now because we’re not at war with them, but if we were, they would. The same thing for us in turn.

Bryson Bort:

You mentioned Die hard 4, and I have personally given a talk at an auto show where we walk through the Fate of the Furious with Vin Diesel and the scene where all of the actors-

P.W.: 

Can I pause for a second? One of the awesome things of cybersecurity related to this in the Fast and Furious franchise is the character, Taj, that Ludicrous plays, in the opening movies, he is running a chop shop, an auto repair and upgrade store in Miami.

He’s basically a guy who turns cars into better hot rods. And then several movies later, he’s literally the best hacker in the world. So I love that there’s been … And much like how Vin Diesel goes from just being a guy who can race cars, and in the first movie, the bad guy is a single truck driver with a shotgun.

And then now you’re going to get to Vin Diesel is taking on a global secret conspiracy conglomerate that is able to conduct cyber attacks that take down entire networks. So, yeah, we’ve got a challenge of linking to reality in some of these, and it’s not just about the threat vulnerabilities. It’s about what literally the characters in them can do.

Bryson Bort:

Well, my favorite scene in that is when Charlize Theron says deploy all of the old days, and you have cars leaping out into this literal tsunami of wave of cars, trying to knock them out as there’s this chase to get away. And so … Sorry, go on.

P.W.:

No, I apologize for interrupting, but I mean, so yes, we can mock it, but there are certain parts of it that we can say, hey, that’s actually not so outlandish. One is the idea of going after transportation networks and in particular their reliance on external networks for navigation.

So GPS, and we’ve seen not what happens in the movies, but for example there were merchant ships. Now we’re in real world. There were merchant ships off of, in the black sea off of Russia where the navigation just suddenly started telling the ship captain you’re parked at an airport, 20 miles inland. And the ship captain is like, I am definitely not in my ship parked at an airport.

And it was them essentially going after … It was many people think it was sort of a test of capability. We’ve seen other tests where people have been able to trick drones into thinking that they are at an altitude different than they actually are, so that you could, for example, cause them to crash. And then you have the other thing that you mentioned, which Charlize Theron and her awesome hair in that movie is that she’s deploying zero days.

And so everything that I referenced was things that have already happened. Well, now we move in the realm of zero days, which is we’re on the zero day of anyone’s awareness of them. So maybe there is something that you could pull off because we just haven’t seen it yet. But you know what? I like to try and stick within that, hey, someone has already pulled this off. Don’t be surprised if they try and pull it off against you.

Bryson Bort:

What is your background? What got you into this? What first drew you to solving and explaining these problems?

P.W.:

Oh gosh. Growing up, I was the kid that if you gave me a stick within a couple of minutes, it was either going to be a Tommy gun that I was using to defend the neighborhood against the incoming Nazi army, or it was going to be a light saber that I was going to defend the neighborhood against Darth Vader.

And from that moving forward, I was always drawn between history and security issues, but also drawn to story and science fiction and the like. So I went off to school, got a PhD, did a series of books on new security threat issues ranging from private militaries to a book looking at the initial use of robotics and warfare.

The sparky moment for me in cybersecurity though and sort of my decision to go deeper and write books on it was I was actually at a conference in Washington DC on cybersecurity, a variety of people there, including a head of a US intelligence agency. And he was trying to say, talk about this stuff mattered, but he described it, and notice the word I used. He described it as “cyber stuff”.

And I thought if he could only describe it as cyber stuff, we’re in a really bad situation and even worse, he didn’t just cyber stuff like I did. He started referencing things like electromagnetic pulse, which is as a cyber attack. And that’s just basic science. It’s a difference between software and a pulse is a wave. It’s, I mean, literally different areas of science.

So it was like, wow, if you can’t even get it in that way we are. Oh, by the way, you head an entire agency, we’re really bad. And then there was another interaction with someone who referenced … They got all of these things wrong and then they referenced it. They found this as difficult is changing the time on their VCR. That VCR was still flashing 12 at them.

And I was like, oh my God, you’re still using a VCR. And so that was kind of the spark for me, and since then I’ve done a variety of books on the topic, both a nonfiction book called Cyber Security And Cyber War, Whatever One Needs to Know. More recently a book looking at the social media weaponization side of this. It’s a part of it that we’ve seen hit of course, elections military units.

It’s part of this story, the rise of extremism and terrorism, but it’s also corporations too. And that’s one of the big misnomers when we think about election security right now, there’s such a focus on protecting the voting machine, which is important, but the hard again, reality of this is that the disinformation campaigns that have been a larger threat to our democracy.

But then I also started to dip my toe into storytelling as both a way of entertainment, but a more effective means of carrying across that real-world information. And so working with a friend who had sort of come to the similar conclusion. August Cole was a writer for the Wall Street journal.

We teamed up to do a book about the future of war, and it explores some very key cyber security issues that we’ve talked about; critical infrastructure, supply chain vulnerabilities, you name it. But we packaged it within the format of a Tom Clancy style, techno thriller. It’s a book called Ghost Feet. And what was striking about that experience was it actually sold well.

It was a summer beach read for people et cetera, et cetera. But it actually had greater policy impact than my nonfiction work and my nonfiction work, I was doing Fortune 500 consulting and it was on the military reading list. But Ghost Fleet was the one that got me invited to the White House situation room. It was the one that the Navy literally named a $3.6 billion program after it called it ghost fleet.

And it just had greater impact. There’s no other way to cut at it. And so August and I were struck by that and most recently decided to dip our toes back into that in going after, here again, some of the things that we’ve talked about. Where Ghost Fleet looked at the future of war, Burn-In looks at another complex important topic, not just to cyber security, but to all of politics and policy, but also all the way down to your personal life.

Bryson Bort:

If you liked this episode, stay tuned for the second half of my conversation with PW about Artificial Intelligence — what you need to know about it and why it’s disrupting everything from John Deere Tractor to U.S. National Defense strategy. That’ll drop in October.

Thank you for listening to Hack the Plant, a podcast of the R Street Institute and ICS Village non-profit. Subscribe to the podcast and share it with your friends, even better, rate and review us on Apple podcasts so we can reach even more listeners, tell us what you thought about it and tell us who we should interview next by finding us on Twitter @RSI or at @ICS_Village. Finally, if you want to know more about R Street or ICS Village, visit rstreet.org or icsvillage.com. I’m your host Bryson Bort, thank you to executive producer Tyler Lowe of Phaedo Creative, creative producer William Gray, and editor Dominic Sterett of Sterett Production.