Read Cybersecurity and Cyberwar Online
Authors: Peter W. Singer, Allan Friedman
Just as wearing your seat belt doesn't mean you'll not be hurt when you enter a car, such steps are no guarantee to cybersecurity. They are, however, recognition that we can all contribute to the solution while better protecting ourselves and the Internet as a whole.
In 2008, the Roadrunner first ran online.
The world's first “petaflop” supercomputer, Roadrunner was able to perform one quadrillion (that's a million billion) floating point operations per second. At a cost of more than $120 million to build, it had 296 server racks that contained 122,400 processor cores. This meant it was huge in physical scale, covering over 560 square meters (6,000 square feet), or roughly the size of the Jumbotron video scoreboards at modern sports stadiums.
Built by IBM for the US Department of Energy, in 2008 Roadrunner's original purpose was to conduct incredibly complex simulations of how nuclear weapons age, in order to keep America's nuclear arsenal reliable but unused. It would go on to make calculations in many other fields, like aerospace and high finance. Notably, Roadrunner was not just the world's fastest computer but also the first hybrid designed supercomputer, using a mix of AMD Opteron dual-core processors and IBM PowerXCell 8i CPUs, essentially an enhanced version of the Sony PlayStation 3 video game processor.
But technology moves fast, even for supercomputers. As we sat down to write the conclusion to this book, news broke that Roadrunner's run was done. Once the world's fastest computer, it was no longer competitive a mere few years later. It wasn't just that research was reaching “exascale” speeds (1,000 times faster than Roadrunner's petaflop), but that the machine's once cutting-edge design was now incredibly inefficient. Roadrunner needed 2,345 kilowatts to operate, which meant it cost roughly several million dollars just to power and then cool the system. And so, just five years after it had been the world's most powerful computer, Roadrunner was dismantled. In a final indignity, the no-longer-supercomputer's parts were shredded. Because of the classified nature of the calculations that had once run on it, Roadrunner couldn't be trusted, even after death.
The sad fate of Roadrunner is something to keep in mind for weighing the broader lessons. Cyberspace, and the issues involved, will continue to evolve, including beyond the Roadrunner-like tour you have taken in this book through the world of cybersecurity and cyberwar. New technologies will emerge, and new social, business, criminal, and warfare models for using them will be developed that will create transformational change.
While none of us can know exactly what the future world is going to look like, we think it is important to pay attention to the key trends today that might shape that world. To use a metaphor, imagine a kettle filled with water on a stove. With all our science, we can put a robot rover on Mars that sends back pictures via Twitter, but even with supercomputers like Roadrunner we cannot reliably predict where any single molecule of water in that kettle will be next. We can, however, reasonably predict that more and more heat applied to that water in the kettle will ultimately cause it to turn to steam. So if there is a fire under the kettle, that's a key trend to understanding what might happen next.
Trends are guides, nothing more and nothing less. But these macro guides are important to identify. As the futurist John Naisbitt once said: “Trends, like horses, are easier to ride in the direction they are going.”
As we look forward, there appear to be at least five key trends that matter greatly to that future story of cybersecurity. None of these trends is definite, and indeed, there will be many more that will emerge. These trends are driven by a number of factors that we can begin to observe. Hardware has gotten substantially cheaper, making it both easier to concentrate in incredibly powerful data centers, as well as diffuse into our everyday lives. New uses will emerge that take advantage of this broader capacity, and new generations of users around the world will find new paradigms for understanding how cyberspace can expand into their lives.
The first among the most fascinating and important trends emerging now is the rise of “cloud computing,” where computing resources are managed outside the individual or organization's control. Essentially, the cloud moves personal computing from hardware you purchase to a service you buy online. In some ways, this new development echoes the birth of the Internet itself. Cloud empowers individuals by providing practically limitless computational resources and by sharing powerful computing resources over the network with many users. A new startup, for example, no longer needs to worry about buying and running its own web servers, HR sales records, or even data storage; it can be rented from a cloud provider, saving as much as 40 to 80 percent, depending on the situation. The militaries of the world are also greatly interested in the cloud. General Martin Dempsey, the top US military officer at the time, told us in 2013 that he wanted to move the force from running some 15,000 different computer networks to a “joint information environment” in the cloud. He saw that this would not only cut costs, but also reduce the number of human systems administrators, the potential Bradley Manning and Edward Snowden types who had been behind so many recent data breaches. The result is that the cloud field has boomed in recent years, with the global industry growing from roughly $79 billion in 2010 to an estimated $149 billion in 2014.
Beyond cost savings and size, cloud computing is deeply important to the future of the Internet, potentially altering the very architecture and power balance of cyberspace. Individual machines become less important, and instead the companies that control the data and access to it play an increasingly essential role. This can actually solve some security issues: the average individual consumer or even IT security worker is probably not as good as the security engineers at the large firms like Amazon or Google who specialize in the cloud and can bring scale to the problem. The incentives also align better. Just as banks had to grow better at differentiating between legitimate and fraudulent transactions, cloud providers will have to learn to detect illicit behavior if they hope to be a successful business.
At the same time, cloud computing introduces a host of new security policy concerns. The risk is much more concentrated, but comes with less certainty. As data flows between the cloud provider and the user, who, exactly, is responsible for different aspects of security? International boundaries become even more important, but more challenged. As a Brookings report explored, “What [one] state might see as an opportunity for law enforcement or public safety intervention could very well be viewed as a flagrant violation by the data owner, used to operating under a different set of laws.” Will every state demand its full rights into the cloud, balkanizing the Internet, or will countries follow a free-trade model that sacrifices closely held traditional values in the name of greater efficiency?
Cheaper and more accessible storage and computation will inspire new uses, particularly the collection and analysis of data. This leads to the second important trend: “Big Data.” As data sets have grown ever larger and more complex, new tools and methods have been needed to understand them. These tools, in turn, continue to support a qualitative shift in what we can learn from information collected. This has driven everything from the NSA's controversial collection of “meta-data” about the wider public's Internet contact points in the hunt for terrorist links to fundamental shifts in business models. For example, Netflix started as a company that rented movie and TV show DVDs that were shipped primarily via the postal system. With the rise of the Internet and online media, it shifted to a streaming digital model. But as Netflix sent out its online movies and TV shows, it gathered vast data on the preferences of the individual consumer and the wider collection of viewers they were part of. The collection and analysis of this new scale of data allowed Netflix to approach the market in a whole new way, even using it to produce and shape the very content and cast of its own hit series House of Cards.
The sweep of Big Data is immense. More and more decisions and analysis, even of the most human concerns, begin to be made based off of links and associations. As a result, Big Data can also lead to big problems. The revelation of NSA meta-data collection caused an immense scandal that is still shaking out, with implications for everything from the future of counterterrorism to broader public trust in government. But even the seemingly innocuous use by Netflix also demonstrates the dangers of Big Data for privacy. After releasing a de-identified list of user movie preferences to crowd-source an improvement to their recommendation algorithm, executives were shocked to learn that researchers could tie this data to real identities. In one instance, a list of what movies someone liked was enough to determine his or her closeted sexual orientation. More data, and better tools to understand it, can yield unprecedented knowledge, but they may also break down human social, legal, and ethical boundaries we aren't yet ready to cross.
Better and cheaper technology will not only concentrate computational power, it will also distribute it across the globe. This is the essence of another key trend, what has been called the “mobile revolution.” From one perspective, telecommunications going mobile is not that new a trend. The process arguably began in 1973, when Motorola engineer Martin Cooper stood on a New York City street and called his rival at Bell Labs to crow about beating him to the invention of a mobile telephone (meaning the “revolution” started with a prank call). But as phones became “smart” and added Internet functionality, the Internet itself went wireless and mobile (for instance, the percentage of visitors to websites using mobile devices jumped from 1.6 percent in 2010 to 20.2 percent in 2012).
The shift of personal computing from the desktop to mobile devices will only increase as devices get cheaper and smaller. And innovation in this space shows no sign of stopping. One 2013 study found that a full quarter of all patents were for mobile technology.
But as the digital extends further into the physical world, there are other limits. Today's mobile devices depend on radio communication, which is built on a finite spectrum, a binding constraint for the number of devices and how much data they can send. This is the battle of bandwidth. A key challenge is whether technical advances such as cognitive radio will allow more dynamic and context-sensitive use of radio frequencies, which is necessary to opening up the airwaves to more devices and applications.
As we use phones and tablets more, the security risks are also going mobile. By the start of 2013, over 350,000 unique variants of malware had been created to target mobile devices; there were none just a few years earlier. This increase is natural, but the real danger is that our understanding of the risk has not grown at the same rate. Mobile devices have smaller interfaces that offer less security information, and have fewer computational resources for defense. Unlike your desktop computer, mobile devices also usually travel between the workplace and home, making organizational security boundaries harder to define. Users currently have less control over their devices and are thus more dependent on vendors for security. Yet, as we saw earlier, that market is fragmented, with multiple makers, from the phone to the operating system to the mobile apps, each with a role in security but often lacking any sense of responsibility for it. And, finally, similar to the broader security issue, mobile platforms present governance questions: which government organizations have oversight, and which market actors are responsible for countering mobile threats? Just as with the desktop world, all these issues will have to be resolved.
Mobile technology can transform the world by putting data directly into our hands, but what makes it even more powerful is the number of hands the devices reach, especially outside the developed world. Whereas the mobile phone started as an expensive device that only those rich drug dealers on Miami Vice could afford, now it spreads computing power across the income spectrum, with immense consequences. In East Africa, mobile technology has revolutionized banking and commerce; anyone with a mobile phone can pay anyone else with a phone using M-Pesa, which doesn't require access to a bank or credit system. This growing role in the developing world economy, however, means that security becomes even more important, and unfortunately it becomes most pressing in places least able to afford high-end security solutions.
This demographic shift in the makeup of those who consider cyberspace home points to a fourth important trend when considering the future of cybersecurity. When the Internet started out, it linked together a small set of American researchers, mostly Californians (who are even more of a peculiar species). Today, an ever-shrinking percentage of cyberspace is American, and even Western in terms of its users, the content they put on it, and the use they make of it. The UN, for example, predicts that Chinese-speaking users of the Internet will outnumber English speakers by 2015, while there are more mobile smartphone users in Africa than in the United States and the EU.
This shift matters greatly in ways both big and small. For example, the dominance that cute cats have had over online videos (an Internet meme we have had so much fun with in this book) may be ending. Google researchers have noticed an explosion of cute goat and cute Panda bear videos that have risen in parallel with the greater number of users coming online in sub-Saharan Africa and China. More important than the breaking of cats' monopoly over Internet cuteness, the very language is shifting. For the first few decades of the Internet, no standards-conforming browser could access a website without using Latin characters. This has been recently broken, meaning you now find the Egyptian Ministry of Communication at http://