All of us have some awareness of war. We study historic battles at school, we see images of suffering beamed through our television screens, and we hear that our governments are making war against all kinds of enemies—from poverty to drugs to terrorism. Despite this, most of us will never really know what it means to live in a physical war zone. But in a world that is both physical and digital, the situation has grown more complex.
With most of the world’s population using the Internet, every physical challenge now has a digital manifestation. The Internet is the world’s largest ungoverned space, borderless and obscured by a fog of confusing technical jargon. As a result, most of us do not know how to defend ourselves against the threats we might encounter there. In order to keep our communities safe, we must establish a common understanding of digital threats, and learn to mitigate them through our personal and collective behaviors.
A defining characteristic of any war zone is civilian casualties. In physical war, bombs or mortar shells are aimed at combatants but often hit nearby targets, such as schools or hospitals. In digital war, attacks are often aimed at a small percentage of the world’s population but frequently wind up affecting many more people online. Think of some forms of malware as the improvised explosive devices of the digital world, lying in wait and targeting anyone who happens to stumble upon them by clicking a malicious link, then creating a ripple effect as victims unwittingly spread the malware to innocent bystanders. Think of some forms of phishing as the mortar rounds of the digital world, fired at a population indiscriminately in hopes of hitting something important. Just as physical armies lay siege to cities, digital fighters lay siege to critical websites, making them inaccessible to everyone through distributed denial of service (DDoS) attacks. And as in any war zone, the resulting chaos creates opportunity for criminals to join the fray, often employing the same tactics.
These might seem like strained comparisons. After all, physical war can kill, while digital warfare generally cannot (at least, not directly). Obviously physical war is profoundly more violent and threatening than anything occurring on the Internet. And that’s partly the point—we offer these analogies to put some of these digital threats into perspective and make comparisons to concepts we all understand. Digital attacks can, however, have profound physical consequences. Having our email password phished, for instance, is no longer the mere inconvenience it was fifteen years ago. Beyond casual communication, email accounts contain a vast amount of personal information, from hobbies and political leanings to utility bills and bank accounts—not to mention our travel plans, the names of our closest friends, and sometimes embarrassing photos or documents. Such attacks on our online identity can compromise our closest secrets, steal our identity, and damage our very sense of self. The impact is even greater in countries with repressive regimes, where making the one free newspaper inaccessible strips the public of access to truthful reports and leaves the stage wide open for government propaganda.
Digital war matters. Once we accept that physical war has a digital counterpart, we can begin to build defense strategies against digital threats. But first, we must make the threats themselves easier to understand.
Even children understand the vocabulary of warfare, like guns, bombs, and landmines. They have a sense of the havoc such things wreak. But how many of us know what a DDoS attack is? How many of us can explain phishing, social engineering, ransomware, malware, man-in-the-middle attacks, zero-day exploits, network obfuscation technology, or multi-factor authentication? This jargon is common in the technology and defense industries, but scarcely understood in mainstream society. This creates a barrier that prevents most people from comprehending very real threats.
For example, it is not hard to convince people of the danger that landmines pose, but it can be nearly impossible to convince someone that two-factor authentication is crucial for securing their email account against phishing. Have I already lost your attention? This illustrates the problem.
To address digital security, we must create a shared lexicon that replaces technical jargon with terms that are easy to understand. A phishing scheme, for instance, is like a fake ATM that gives you an error message when you try to use it, yet steals your credit card details and PIN in the meantime. Now whoever set up the fake ATM can get into your bank account at will. Analogies like that can and should play a larger role in explaining digital threats to the public.
Once we’ve established a common understanding of digital threats, we need to guard against them. We can’t wait for governments to solve the problem for us because the Internet is global and ever-evolving. We need to take charge of our own digital safety, individually and collectively.
Personal security measures are rarely convenient, but in the physical world, we follow reasonable precautions most of the time. We carry keys, lock our cars and houses, and spend money to install security systems or obtain insurance. We should take care of our digital identities in the same way. That means creating strong passwords and enabling two-factor authentication on our accounts. That means purchasing Security Keys as the strongest form of account security. That means avoiding outdated, pirated versions of operating systems that are not secure at all. Simple safety measures like these can hugely improve our security online.
Ask national security experts what keeps them up at night, and at least half will probably mention some sort of “digital Pearl Harbor”—a cyber attack that damages critical infrastructure, for example, or that disrupts communications at a critical time and thus paves the way for a physical attack. Part of the anxiety comes from the clear and present danger posed by cyber weapons, at a time when governments are becoming increasingly willing to use them in lieu of conventional warfare. Iran boasts of the capabilities of the Iranian Cyber Army, and the Syrian Electronic Army proudly flaunts its ability to hack prominent news organizations and target dissidents. Another part is rooted in the fact that with digital attacks, a rogue individual can achieve the same outcome as a state—meaning that the number of potential adversaries is impossible to calculate. Both of these anxieties can be mitigated by increasing our personal preparedness, which cannot be managed at a national level alone.
There is no denying that physical safety is and always will be our priority. But we ignore the safety of our digital world at our own peril, precisely because the dichotomy between the physical and digital worlds is a false one. There is no such thing as stand-alone cyberspace—it’s just another dimension of our lived existence. Part of our struggle to address these digital threats stems from the fact that we lack any visceral, physical connection to them of the kind we have with images of war and suffering. Yet it would be a mistake to minimize these types of threats simply because we can’t see them or because the attackers are often invisible. The consequences are all too real. And, with a simple shift in outlook, we can start to lock the barn door before the horse is gone.