John Arquilla is Distinguished Professor of Defense Analysis at the U.S. Naval Postgraduate School.  His interests extend from the history of irregular warfare to the strategic implications of the information revolution. He is the author of: The Reagan Imprint; Worst Enemy; Insurgents, Raiders, and Bandits; Afghan Endgames; and Why the Axis Lost. Some principal publications from his years with the RAND Corporation think tank range from In Athena’s Camp to Networks and Netwars and, most recently, Whose Story Wins.  The two earlier RAND books foretold problems of cyber insecurity, while the current monograph studies, among its other themes, the vulnerability of the United States to political warfare waged via social media. His commentaries have been widely published, including in The New York Times, The San Francisco Chronicle, Forbes, The Atlantic, Politico, and Foreign Policy Magazine. He has appeared on all of the major network and cable news programs.  In terms of policy work, Dr. Arquilla consulted to senior military commanders during Operation Desert Storm and the Kosovo War.  He has continued in this capacity in several post-9/11 actions.  In 2011 he served on a small team, working for President Barack Obama, who asked to be provided with some “new directions for American defense.” His latest book is Bitskrieg: The New Challenge of Cyberwarfare. 

In this exclusive Cyber Talk interview, Dr. Arquilla introduces his new book, Bitskrieg, and shares his unique perspectives concerning the current state of cyber security.

Tell us about what prompted you to write Bitskrieg:

It is clear from the hemorrhaging of intellectual property via hacks, the rise of ransomware, and the increasing dependence of our military on the information domain, that cyber security is in terrible shape and needs improvement immediately if individuals, commercial firms, civil government and the armed services are to be better protected. Bitskrieg examines all these threats and provides technological, organizational, and strategic solutions.

What is the main message that you wish to impart to readers?

“The market” has not demanded cyber secure systems, and politicians on both the Right and Left resist a government regulatory role in mandating security standards. So it is time for the market to be nudged, firmly, toward building systems that are secure from the chip-level out. And it is high time that government assume a regulatory role in cyber. We have government safety standards in many fields, across a wide range of products. Cyber should not be exempt from having security standards regulated.

How do you currently see cyber warfare affecting enterprises?

My greatest worry is that competitive edge is being lost because of the bleeding out of cutting-edge research and development (R&D). I remember being contacted by one of the hackers with whom I stay in touch, a while back, who notified me that a certain Fortune 500 company’s R&D was being systematically stolen. I brought him to a meeting with that firm’s CIO who, in disbelief, said there was no way this could be happening. The hacker then pulled out his laptop, clicked a bit, then showed the CIO that he had accessed the company’s most sensitive R&D. Changes were soon made. But this problem still persists across many enterprises.

How can organizations discern whether they’ve experienced a regular hack or an act of cyber warfare (if at all)? 

This is tough, because the very same exploits used for spying or theft are also used for acts of “cybotage” – whether immediate, or with cyber weapons that wait for a particular moment or signal.  Cyberwar can be very stealthy. Like Carl Sandburg’s fog in the poem, coming in “on little cat feet.”

Senators introduced legislation suggesting that enterprises “hack back.” Your thoughts?

I would differentiate it this way: “back hacking” (tracking so as to identify ultimate users) is good; “hacking back” (retaliatory attacks) is bad, because it will lead to cyber escalation. And American enterprises offer far richer “target sets” than any of our potential adversaries.  We (enterprises and the current administration in DC) should think less about punitive retaliation and more about improving defenses.

What should limitations on cyber warfare look like and how should they be enforced?

When President Obama discussed a form of behavior-based cyber arms control with President Xi in 2015, they talked in terms of refraining from mounting attacks on civilian companies and infrastructure. This would be a great first step. Interestingly, this idea was first discussed twenty-five years ago when I was part of the American delegation meeting with Russian cyber experts. And it was the Russians who actually introduced the idea of behavior-based arms control. My book details, to the extent allowed, what went on at that meeting, and why this process has moved at only a snail’s pace ever since.

What kinds of treaties, resolutions or disarmament agreements can nations consider?

All of IT is “dual use.” That is, it can be used for commerce, education, and all manner of other peaceful purposes. But the same tech can be used for war. So any treaty that is reached has to be behavior-based. Like the Biological and Chemical Weapons Conventions. Many, many countries can make these sorts of weapons, but most nations have willingly covenanted never to make or use them. Both Conventions have been very successful. They don’t, however, cover nonstate actors, which is a challenge when it comes to cyber, with its hacker networks and even super-empowered individuals.  But if, say, Russia signed on to a cyber arms control agreement, the various trolls who now enjoy haven in that country would lose their protection.  A Cyber Weapons Convention, widely subscribed to by nations, would put hacker networks on the run.

Would an internet 2.0 (quantum internet) potentially resolve security issues once and for all? Did we just build the internet the wrong way?

This is a theme I discuss in Bitskrieg. My assessment is that quantum computing will convey an initial edge to cyber security.  But quantum will eventually be exploited by malefactors who will harness its power for hacking purposes.  Thus my call for “data mobility” – strongly encrypting, then moving info around in the Cloud and the Fog. Not just uploading it and letting it sit in one place. Data at rest are data at risk. And always will be.

What kinds of emerging technologies should we be most concerned about from a cyber security perspective?

AI is already having a powerful impact on cyber operations. Given the speed and complexity of attacks, defenses cannot function effectively without AI. At the same time, the use of AI on the offensive is going to pose fast-moving threats everywhere, from outer space to cyber space. And even to the fiber-optic links on the ocean bottoms across which virtually all international communications move. Indeed, some nations have fully autonomous, AI-driven mini-subs (what I call “U-bots”) that are smart enough to go to great depths, locate the fiber optics, and either tap into or cut them. The economic consequences of this kind of robotic attack would be catastrophic. Similarly, emerging AI attack weapons are being designed to cripple other systems, from infrastructure to military command and control systems. G.I. Joe is going to be going up against A.I. Jane. Ultimately, it will be AI v. AI. The next “face of battle.”

Anything else that you wish to share with the Cyber Talk audience?

My thanks for this opportunity to connect with your readers.