This symposium, held January 7, 2020, addressed the potential consequences of great power competition in cyberspace and examined the current state of Russian, Chinese, Iranian, and North Korean cyber operations, as well as how the United States is responding.
The keynote session was led by Angus King and Mike Gallagher of the Cyberspace Solarium Commission.
EDELMAN: While we get situated here, thank you so much. And thank you so much, Adam, for having us here.
And I want to take a moment and put in another plug for the Cyber Operations Tracker that exists online. I teach right now on issues that include cybersecurity, and there is no better tool in teaching the history of these operations and of nation-state activities in cyberspace than what Adam and his team have put together. So thank you for doing that.
Good morning. Welcome to CFR’s on-the-record symposium today entitled “Cyberspace and Great Power Competition.” I’m your moderator, David Edelman from MIT.
And we’re joined today by three distinguished panelists whose full bios are in the handouts that you all have on your chairs and running around. But just for a quick recap, we have Priscilla Moriuchi who’s here. She’s the head of nation-state research for Recorded Future. We have Jim Miller, my former colleague, undersecretary of defense for policy; now senior fellow at Johns Hopkins. And John Hultquist, who leads FireEye’s intelligence analysis team.
As mentioned, when we started thinking about this particular panel, of course we wanted to cover a whole range of topics. Some of them included Iran, but they didn’t necessarily start with Iran. But here we are in today’s news; we’re going to start with Iran because, obviously, all eyes are there this week. Iran is, of course, the rare country that has on some level been on both sides of destructive cyberattacks, and they’ve vowed revenge for this targeted killing of General Soleimani. So let’s just launch right in.
John, in the Washington Post yesterday you were quoted saying there are some serious questions about where the red lines are, and you said the Iranians may have a—may not have a problem with people getting hurt. The day before Chris Krebs, the head of the Cybersecurity Agency at DHS, told every company that it’s time to brush up on Iranian TTPs. They released another statement today giving companies sort of a one-on-one of what to think about. That was the one-on-one level. What are you thinking about? What are you telling your clients and what are you telling those around you about what to predict, what to expect, given this heightened tension state that we’re in?
HULTQUIST: Well, there’s two different—sort of two different problems that we’re concerned about. One is the espionage side and one is the cyberattack side.
So on the espionage side, we expect them to ramp up their espionage program. They’re going to be wanting to know what policymakers are thinking. The situation is incredibly dynamic right now. In June, when the situation was happening in the Straits, they were—they carried out a really large campaign probably against—that looked to be focused against people who would have that sort of information.
The other part of the espionage side that’s very disconcerting is we’ve seen them develop a surveillance capability. There have been—they’ve been compromising telecommunications providers, travel companies, and some other organizations that have a lot of personal information that you might use to identify and track people. Obviously, given the real physical threat associated with this actor and their history of terrorism, you know, we’re very concerned that people are being tracked and identified by the Iranian security services.
The other half of that—the problem, though, is the cyberattack issue. We saw a lot of it—we have seen it in the United States in the past. There was a destructive attack on U.S. business. There was a destructive attack against the U.S. financial sector. There was a tremendous probing campaign that targeted a lot of U.S. critical infrastructure. A lot of that sort of receded after the agreement, but the actors didn’t give up. They continued to improve; they just focused in the Middle East.
And we’re just—our big concern is, is this the red line where they sort of switch back to the United States or they grow—their campaigns now affect the United States again. We don’t think they’re going to bring the economy to its knees or turn out the lights, but for individual participants in the economy, companies like our clients, they could—they could cause some serious damage.
EDELMAN: So, Jim, you spent a lot of time thinking about/writing doctrine related to those red lines, a phrase that we tend to—(laughs)—not like to use nowadays. But when you think about that, right now let’s say you’re in the Pentagon and you’re advising the defense secretary on what to expect. What are you telling the defense secretary? What are you thinking about in terms of what U.S. defense readiness needs to look like? And how is DOD going to relate to the rest of the country when this is both a military and, as pointed out, a civilian threat to companies?
MILLER: David, I think first on the question of what Iran will do, break it down into three parts.
One is who they will attack through cyberspace. The answer is the United States and U.S. partners and allies in the region. The fact that this president hasn’t exactly fallen all over himself in making statements to defend our allies and partners, and the fact that we didn’t respond after a bombing on Saudi—in Saudi Arabia, means, I think, that Iran will feel a high degree of freedom with respect to what it can do to U.S. allies and partners. It’ll feel, I think, more constrained, both from a capability perspective and a threat or risk of retaliation, in going after the United States in cyberspace. But I think if you compare it to the 2012/2013 DDoS attacks that John mentioned or the other actions that APT32 has taken in the meantime, it’ll be a notch up. So we should expect pretty significant actions.
Iran is not going to try to take down the U.S. military. It’s going to try to impose costs on the United States and have something that they can claim is proportional retaliation. I think for that reason a second question is, what do they do besides cyber? And I—my view would be that they’re likely to undertake some form of physical attack as well, and my bet would be that it’s more likely to be against, again, U.S. allies and partners in the region or through proxies wherever they have the reach to do it. And so the fact that you’ve seen the military reportedly pause its counter-ISIS operations to button down is an indicator that Secretary Esper and others already got that memo.
And the third is—the third question is, do they attempt to signal that they have limited aims and that they don’t want to get into a war? I think they do that both through the places they attack, the ways in which they attack, and through—and through public statements as well.
EDELMAN: So, Priscilla, you’ve spent a lot of years looking at the APEC region, and obviously all our eyes are on Iran at this exact moment. So let’s move away from Iran. What are the Chinese, what are the North Koreans taking in terms of lessons from what they’ve seen play out just in the last few days and what—some of the scenarios that you just heard about that might play out in the future?
MORIUCHI: Sure. Do you mind if I touch on Iran real quickly?
MORIUCHI: So—(laughs)—only because I think that there are two other important elements to this whole sort of what’s the scope of cyber response.
And first is sort of what we might consider sort of attack creep, right? If a target network, for example, is located physically in region, in the Persian Gulf or the Middle East, right—computer networks, right, do not reside within geographical borders—so there’s always the potential that an attack or an intrusion, right, which is physically or strategically designed to only impact a certain geography or a certain network, creeps to other parts of the network, right, whether that’s designed by the attackers themselves, right, or the vulnerabilities they exploit. That brings up a whole other range of possibilities and intent that you don’t always know as the victim, right, when you are victimized by that intrusion.
I think the second aspect is attribution. So over the course of the past three or four months, right, we’ve seen a number of reports come out—about three, actually—that have indicated that Russian, right, FSB-associated threat actor groups, right, have hijacked Iranian infrastructure—cyber infrastructure; domains, for example, malware, right—and used them for their own purposes, right, to conduct intrusions, Russian intrusions masquerading as Iranian, right? So that creates this element of uncertainty and another level or potential for what we call sort of inadvertent escalation, right, if a country perceives that they are attacked by Iran, right, but the reality was it was an attack that was executed by Russia.
So there’s just a lot. It’s a dynamic situation, as John said. But there’s also all these other factors that are sort of native only to cyberspace, right, and computer networks.
And so just to go back to the Asia-Pacific question, I think for North Korea, like, the answer is quite clear, right? North Korea has a nuclear capability, right, that can ostensibly reach the United States’ shores, right? Iran doesn’t have that right now. And that’s one of the, I think, factors that the Kim regime perceives as a limitation, right, on the military responses that the United States can take, you know, towards North Korea, right? So that’s one.
I think, second, both countries are just watching, right? China has already expressed support for Iran, but there’s no doubt that countries like even Russia, right—China/Russia/North Korea—are watching how this situation plays, how far Iran will push the United States. What networks, right, what are the red lines, right? Do we draw anything? And if not, they will learn a lot from if we do or if we don’t.
EDELMAN: So on this discussion of red lines but also of proportionate response, it seems there is uniform consensus, at least out on the commentators and certainly on this panel, that private-sector companies may well bear some of the burden here, that they may well be targets. If an Iranian counterattack, so to speak, focuses on U.S. companies, what’s a proportionate attack against a U.S. company? And if you’re then the United States, what’s a proportionate counterattack subsequent to a U.S. company being hit? Because traditionally, as last I checked, we’re not really in the business of disabling nonstate firms. It’s not a typical series of tactics that we engage in. But of course, the Iranians have themselves been innovators—think Saudi Aramco—in cases of going after particular companies with geopolitical significance. So how are we thinking about it? What does that escalation dynamic look like?
MILLER: David, if the U.S. wants to reestablish deterrence and reinforce deterrence not just vis-à-vis Iran, but also as Priscilla suggested vis-à-vis North Korea, China, and Russia as well, it needs to—it will need to respond in significant ways. And the significant ways need to be in the mind of the adversary decision-makers. So it’s the leadership of Iran. It’s the leadership of—perceptions of Xi Jinping and Vladimir Putin and Kim Jong-un and the people who advise them. So the U.S. should be imposing costs on them and imposing costs that make it challenging for them to sustain not just a cyber campaign, but in the case of Iran make it more challenging for them to sustain their public support.
Now, the Soleimani killing has, obviously, really reinforced the regime’s position, so this is a—this is not a near-term objective. But undermine their support from their public, which economic sanctions have generally done, and undermine their support in the region and particularly among our allies and partners so that we’re not the ones who are isolated, and then impose costs on the leadership, things that they value. And that includes—and it does include their assets of the IRGC and Quds Force, and it includes their ability to control their own communications internally, and to—and to engage in propaganda externally as well.
EDELMAN: So U.S. companies are going to be up against the Iranian Quds Force, IRGC components, I mean, you name it, plus who knows who else that might be sympathetic. Most companies, at least as far as I’m seeing from the DHS, are getting warnings. Hopefully, they’re getting some sort of additional flow of TTPs that might be associated with Iranian actions. Is that enough? I mean, is that ultimately going to be adequate to bring down any level of success? Particularly, they’re advising companies all the time. Are they going to be better defended today than they were two weeks ago? And are they prepared—your average Fortune 500 company—to deal with this nation-state threat?
HULTQUIST: We were getting questions from our government and corporate customers within an hour of the operation, and the good news is a lot of those questions included the actual names of—or the names that we’ve given to a lot of the operators that we believe are Iranian. They know these operators. I’ve worked with banks who are regularly going through cycles where they are renewing their look at the tactics of those operators and their defenses against those tactics. So this process has actually been ongoing. And one of the gifts of the sort of incident that we had in June is a lot of people refreshed their look around that time.
So the other good news is these actors did not give up. After we saw or the U.S. had all these incidents domestically, they didn’t go—the actors didn’t go away; they just shifted towards the Middle East. And so we’ve spent that time while they were in the Middle East learning a lot about them. We know the ways that they like to break into companies. We know the tools that they use. We know the flaws that their methods have. And we can—and we can pass that along, and we’ve been passing that along for several years now.
EDELMAN: So you’re comfortable with where Fortune 500 companies are right now vis-à-vis the Iranian threat? That’s good news. We never get good news in cybersecurity, I want to be clear. (Laughter.) This is a breakthrough moment.
MORIUCHI: I’m going to—I’m going to rain on that parade now.
EDELMAN: OK. (Laughter.) Back to—
MORIUCHI: (Laughs.) So many, many companies are prepared, right? Many companies completely understand, like John said, the environment in which they live, the vulnerabilities inherent within the systems that they operate, right? But many, many do not, right? And I think for the—for the private sector it touches on that larger question in which companies have been victimized by nation-states for two decades now, right, which is the government response has not ever been comprehensive, right, or if you talk to companies adequate, right, in their—in their—is what they would—might say. So whether we’re talking about Iran, or if you’re Sony Pictures Entertainment when you’re talking about North Korea, right, or other nation-states—China stealing intellectual property—you know, we’ve been dealing with this question for a long time. And perhaps this is a forcing function, right, in which this is a situation that may be unique, right? But I don’t—you know, I don’t see—we didn’t—while I was in government, I don’t know what the great response from the U.S. government would be, you know, if a media company or if a(n) oil and natural gas company, right, which I think we believe are some of the more likely targets, you know, in region, you know, does suffer a destructive cyberattack, right? Where is the recourse for replacing ten thousand computers, right? Is it with their cyber insurance? That’s not clear.
EDELMAN: What happens if the next Saudi Aramco is United Airlines?
EDELMAN: Hopefully, it’s not. You know, maybe American. Depends on what you fly. (Laughter.) All right.
MILLER: David, could I—
EDELMAN: Yeah, please.
MILLER: May I just add very quickly? Thinking about how the United States responds, including by imposing costs, is important. This Iranian situation today is a big test of the defend forward approach of this administration, which I have supported, including the work it did—I’ll say reportedly—to disrupt Russian interference in the—in the 2018 elections. This is a test. Waiting until the Iranians do whatever they are capable of doing and are willing to do vis-à-vis U.S. industry and vis-à-vis U.S. allies and partners is not a good strategy, and kudos to this administration, Paul Nakasone and others, for recognizing that and acting on it. This is a test now. Will they take preventive action? Will they do it in a way that our allies and partners support, and that can be explained to the public?
EDELMAN: So let me ask you about that, because obviously the actors we’re talking about here, particularly in the context of North Korea but Iran to some extent as well, these are asymmetric actors when it comes to, you know, one-on-one against the U.S. military, and so they’re going to be looking for those sorts of advantages. And cyber, obviously, has provided versions of that. Many of you may be familiar with a 2018 GAO report that I dropped my coffee upon reading about how—and I’m quoting here—“the Department of Defense likely has an entire generation of systems that were designed and built without adequately considering cybersecurity,” and then went through a number of weapons systems that themselves could be effectively hijacked or shut down from a standpoint of readiness by what we’d consider—certainly what these two would consider—to be very simple sorts of cyber operations.
And so what keeps you up at night on that kind of asymmetry? If we’re defending forward, but obviously an adversary is going to be—and a great-power adversary—is going to be wily, is going to be thinking about where they can get that additional advantage, is that the area? Is it in limiting military readiness? Are there other areas that you think where the Iranians might be dancing around defend forward or may have ways in that otherwise might not be contemplated by the defense establishment right now that is focused on what they’ve seen?
MILLER: David, I’m very concerned about the cyber vulnerability of U.S. systems. I’m sitting here looking at former Undersecretary for Acquisition Technology and Logistics Frank Kendall, who really began a systematic effort to address this. It’s a long-term campaign to improve the—or to reduce the vulnerability and improve the resilience of our—of our military systems. It’s going to cost over time tens of billions of dollars. It’s going to take not just a year, but a decade and more. That effort is underway.
I don’t worry about that issue vis-à-vis Iran. I worry about it vis-à-vis Russia and China, and worry about the—what I call a double whammy in which Russia and/or China can hold our civilian critical infrastructure at risk and then can at least impede, if not blunt any military response we might undertake, whether through offensive cyber operations, through long-range strike. They are certain to go after our command and control if we’re ever in a dustup. They’re certain to go after weapons systems. And we need to continue to work—the department needs to continue to work to address that problem. Not a fundamental issue vis-à-vis Iran; significant longer term vis-à-vis Russia and China.
EDELMAN: So this is important because, of course, we always speak in sort of shorthand Russia, Iran, North Korea, China as some of the capable cyber actors, but they’re not all created equal. And so, Priscilla, can I ask you, what changes have there been to let’s call them the league tables of cyber operations in terms of U.S. adversaries or even allies? What do we—what do we know now about capabilities and intentions that we didn’t four or five years ago? Have there been sort of major changes in how we think about any of the key actors here?
MORIUCHI: Sure. So I think, you know, because of the sort of situation that we’re in right now with Iran, we’ve focused a lot on the destructive/disruptive, right, capabilities inherent in cyber operations. But for some of these countries, North Korea in particular—and I sort of step back—all of these countries, their operations and their goals are, in the types of tools, right, and the organizations that they use, are tailored to the longer—both the short-term and the longer-term strategic goals, right? So even though we sort of lump these sort of four together, right, all of them have different goals over the short and medium term for their operations. They have different methodologies, right, different—whether the military plays a part, how big is that role, civilian intelligence service, contractors—for example, the criminal element. And sort of—and as we were sort of going before, you know, the actual—not all of these programs are designed with cyber espionage in mind, right?
So if we look at North Korea, for example, the North Koreans since about 2013/2014 online are now spending most of their time conducting operations to generate revenue for the regime, right, to decrease their financial isolation. They’re using, you know—we sort of talk about North Korea as sort of a criminal regime, kind of a mafia state in which, sure, they certainly are using some criminal tactics, right—stealing from banks, for example, a nation stealing money from banks, right, using the internet, right? So there’s one—(laughs)—something that doesn’t happen every day.
Two, cryptocurrency, right? North Koreans were interested, were mining and using cryptocurrency as early as 2015.
EDELMAN: They’re the bitcoin people.
MORIUCHI: When most of the world didn’t—
EDELMAN: That’s who was—OK.
MORIUCHI: (Laughs.) Most people didn’t even really realize what bitcoin was, right, and the North Koreans were already mining it and using it, right? So the North Koreans especially, and I think Iranians are also learning from this, other isolated regimes, have built up this model in which they can utilize the internet not just for cyber operations or destructive capabilities or disruption, but as a tool, right, to get around these kind of traditional structures that we’ve created, right, to isolate these kind of rogue regimes.
And it kind of takes us back to these red lines and for companies who have experienced destructive or disruptive cyber operations, right? You know, we—the traditional methods that the United States has taken—sanctions, indictments, right—aren’t particularly effective against countries that are already financially isolated, right? So there’s this idea that we have to create new tools, right, to address the goals that different countries have for the way that they operate in cyberspace.
EDELMAN: So, John, we have a startup bubble at North Korean embassies—(laughter)—just like in Silicon Valley. Who’s surprising you on the league tables? Obviously, this North Korea generating revenue is, you know, one of—one of the important examples of how, as Priscilla said, these regimes, these countries are pursuing their own aims to their own aims that may not be the same as ours we often mirror image back onto other adversaries. Anyone really surprising you of late or come way up in the league tables?
HULTQUIST: Well, China has shifted significantly. When I—when we started learning in the private sector how to really finally track China, you know, we could do it—when I was in the government we could do it, but it took us a while to figure out how to do it on the other side—it was all about the intellectual—you know, the intellectual property theft, and there’s still some of that going on. But what we’re seeing is it’s mostly dual use, it’s mostly outside of the United States and the West. It’s really focused on military technology. It’s just they’ve shifted away from that. And what we’ve seen instead of that, in lieu of that, a real focus on, again, the sort of surveillance mechanism. They are essentially exporting the Great Firewall. We see them digging in in places like telecommunications firms, where they can not only identify people of interest but they’re literally trolling for terms of interest, right? So if you are—
EDELMAN: You’re talking on firms abroad or in China?
HULTQUIST: Abroad. So you could be in an Asian country sending a text message about the premier and they’re reading that text message and keeping tabs on you. And so that’s one of the more disconcerting things we’ve seen lately.
I will say also, you know, the big surprise for me has continuously—I’ve been doing Russia for, I think, twelve years now, and every red line that I ever imagined existed has been blown through again and again and again and again. And I think the other actors are learning from each other, right? They keep pushing the lines, each one after another major incident.
But I mean, we’ve—right now we’re barreling towards, for instance, the Olympics. We believe that Russia attempted to disrupt the Olympics, like bring the games to sort of a(n) IT halt, which would have pretty much hurt its—disrupted the games. And nobody’s—aside from some cyber—a few cybersecurity companies, nobody’s publicly made that clear. And so here we are about to have these games again, and there’s no reason why they wouldn’t do it all over.
EDELMAN: And if any of you have not read the Wired article that just came out on this topic of the malware that attempted to shut down the opening ceremonies, highly recommended. Incredibly interesting, and in part because of what Priscilla said and Jim mentioned as well, that countries are starting to nest their operations in the operational infrastructure and tactics of one another to create a certain kind of frustration. I think one of the great changes we’ve seen, obviously, over the last decade—you know, ten, fifteen years ago, attribution’s impossible; on the internet, no one knows you’re a dog. Well, actually, it turns out now they do. And we’ve seen states at a level of their own satisfaction, including the United States, actually do attribution, and that’s been an interesting component.
Now, let’s talk about that piece a little bit. And I want to come back to deterrence as well because this notion of whether deterrence is even meaningful in cyberspace is one we’ll get to. But this idea of attributing states is something that companies are newly empowered with and is a role that I would argue has traditionally been reserved mostly for principally governments and occasionally the press when it comes to particular foreign policy activities. And now you have a suite of companies, some represented on this stage, that are in the position of outing nation-state operations—operations that they may not have wanted to get out, operations that I can just speak from my own experience sometimes the government didn’t expect would come out or didn’t even necessarily know about in exactly those terms.
How do you as companies—and then I want to come back to Jim, how do you think about it in the government as well—but how do you as companies think about the decision to attribute a nation-state for a particular operation or activity? I mean, are you engaged in foreign policy analysis of what are the second- and third-order implications, that it would affect broader geopolitics? Or is this fundamentally we’ve got client obligations, we want to make sure people know that we are on top of these threats? Walk us through that thought process.
MORIUCHI: So we do all of the above. And attribution is one of those questions people either love it or they hate it, right? They think it’s completely useless—
EDELMAN: Who loves it and who hates it?
MORIUCHI: (Laughs.) Depends on—(laughs)—
EDELMAN: Governments all hate it? They—
MORIUCHI: Well, like, you know, a lot of we would call them SOC analysts, right, or more technical folks, don’t—you know, I get this sort of thrown back at me a lot because I do think attribution is important—that, you know, I don’t care who’s behind it, I just want to stop it, right, clean my network. But for us, attribution is a fundamental question of defense, right?
So attribution is about understanding the larger environment in which your business or your government department or whatever lives, right? It’s not just about what’s the malware coming at me today and how do I stop that and how do I clean up my network, because if you don’t know who did it you can’t be certain that you have actually addressed the root problem, right, and maybe they’ll keep coming after you, right? So there’s a—you know, there’s a span, right, between, you know, what many criminal groups are after and what the North Koreans or the Russians are after in a corporate network. So for us, attribution is critical, right, to cleaning up an intrusion; preparing yourself if you haven’t, right, been victimized; understanding where you can prioritize vulnerability management, right—which patches you need to install first, which ones maybe can wait for a few weeks from now. And we take all of that into account.
Also the geopolitical. Like, when we were talking earlier about, you know, we went through this one set of analyses where we spent months trying to make sure that what we were seeing—which was Russian hijacking of Iranian domains, operational domains—was real, right? We needed to know. We needed to have high confidence there because of the implications for that scenario, right? So we’re not just, at least from our perspective, you know, trying to make sure that our clients understand that we’re doing our jobs, right, but we’re thinking about what is the impact that this information’s going to have in the public domain for everybody, right, who owns a cellphone and a computer and a network.
EDELMAN: So, John, what’s that hard call? What’s the key example or obfuscated example of when you’re on the fence of whether you’re actually going to do this kind of attribution, whether you’re going to come out with something like this publicly that might have these geopolitical implications?
HULTQUIST: So the first question is our clients. Usually, almost every time we’ve talked about attribution in public we’ve already discussed it with our clients, and usually our—specifically our intelligence clients get to watch that process as it grows and we go from sort of low confidence further up, and they’re already receiving intelligence as that builds. But we see it as a public service because we see it as extremely important.
Right now, for instance, there are a lot of people who are going to want to know whether or not the incident they’re looking at is Iranian or not. And then on top of that they’re going to want to know what type of Iranian actor, right? So there was I think—I think it was the Atlanta ransomware incident, I believe those were Iranian actors—Iranian criminal actors. So you know, imagine a situation where, you know, Atlanta realizes suddenly that this could be Iran. They have to start considering, well, maybe we’ll never get this—get this system back. So the second question is, are these state actors? And all these other sort of sub-questions.
And these are—these are not going to—there are no perfect answers to any of these questions, but that’s what real risk management’s about. It’s about the best answer for the situation. And that’s why we do this, right? We don’t believe—we don’t believe in perfect answers. It’s very difficult to do. But we’ve found that the internet is a great—there’s a lot of information in the internet. People leave tracks. We can learn about them. We do incident response all over the world, we have devices all over the world, and we know a lot about these actors, and we can deliver that out to the world and make it—make the world safer, we think.
EDELMAN: So, Jim, how does—the fact that companies on this stage and not on this stage, in the U.S. and not in the U.S., are able to do this kind of attribution, how does that change the way we do defense and strategy?
MILLER: David, two points.
The first is that, obviously, the private sector has improved its ability to attribute. Firms like, you know—like represented on this stage have devoted resources to it and they’ve gotten better. The government has devoted more resources to the intelligence side and it’s gotten better. Those two don’t always exactly match up in their conclusions, but most often they do over time.
Point two is that my view is that the truth will out. It’s a question of how long it will be before it comes out and how many lies will precede it, or misattributions in that sense. From a policymaker’s perspective in the government, you’d like to be able to control the time that you—the time, as you know, when you release the information. When you throw that ball against the wall it’s going to bounce back, and people expect you to be prepared to take action. If you need time to prepare that response, if you need to work with allies and partners, if you—thinking of a historical case I won’t name—if you don’t have the technical capabilities to respond through cyberspace to an actor who went against one of your private-sector companies—I’ll leave it at that—and you want to build a response package, you’d rather have it come later. So that time—any confidence you had in government that there would be either later—only later attribution or attribution you controlled, or even correct attribution, that confidence is gone. So it puts an onus on moving faster, on taking more rapid action, on applying intelligence resources, and applying the senior decision-makers’ time to take action quickly.
As this happens in the coming years it will—I think it will somewhat increase the chances of errors—in other words, acting on inaccurate information—particularly given the possibility and the reality that one actor may mask its activities under another one’s tools, and another actor may use proxies and so forth, and so attribution can get a little complicated. But no doubt that the time that policymakers thought they had a few years ago to think about it, have time to contemplate when to release the information, to control that, and to have a response in place, that’s hugely compressed.
EDELMAN: So this notion of time is actually a very interesting one as it relates to anything in cyber doctrine because, you know, for—you just mentioned, obviously, it’s compressing the decision-making time, but we almost need to elongate that window to do the sort of positive attribution that we expect, particularly given the sort of challenges that we’re seeing of countries using each other, TTPs. That’s in direct conflict with what we heard for at least eight years, which was we’ve got to react in the network at network speed right now, go, go, go; if it’s not an automated response, it’s not going to be effective. What I’m hearing is maybe that might not have been totally accurate. And that was not necessarily the doctrine of the entire government, but you heard that from a lot of folks that were on the ground and felt that there was a need for that sort of automated response to habituate in adversaries that there would be immediate consequences. Am I hearing that, in fact, maybe we need to take a little bit of a step back from reaction at network speed and respond at least at fast foreign policy speed?
MILLER: (Laughs.) That does sound like an oxymoron to me.
EDELMAN: Yeah, I don’t know if that’s fast or not. You all can tell me. (Laughter.)
MILLER: For prevention, for blocking, for mitigation, you need to act quickly, right? And I think we don’t have to unpack that. People get that. And some of that needs to occur at machine speed, and increasingly I think it will occur at machine speed.
If you’re going to—now, big break—if you’re going to take an action that involves either sending electrons across to disrupt or destroy something on the other side, or if you’re going to drop a bomb, or if you’re going to take other action, taking a few minutes to think about it first makes a lot of sense.
EDELMAN: Yeah, absolutely.
MILLER: Taking some time to make—to ensure that what you do has a high probability of being supported by your allies and partners, or at least many of them, that you have your narrative together, and that you—and I don’t—I don’t buy that you have to act immediately to have a deterrent effect. I think you need to act decisively and accurately to have a deterrent effect, and it helps if you can communicate that along with the action as well.
EDELMAN: All right. So we used the D-word. No conversation about cyber and foreign policy would be complete without a discussion of cyber deterrence, sort of. But I want to take a slightly different angle on it because, obviously, we—I want to hear more about is cyber deterrence, in the view of this panel, a thing. How is it obtained? Can we rely on it? Is it even meaningful? And I think there seems to be general consensus from what I’m hearing it’s in the context of broader foreign policy, it’s in the context of national security, in the context of what threats a state has comprehensively against a potential adversary.
But I actually want to go back to a narrower piece of it, which is this idea of what we’re seeing on the networks, because deterrence operates in a number of ways. One of them, of course, is at the strategic level. But another is at the operator level, right, the individual at the keyboard that might actually have some hesitation, that might be afraid that they’re going to cross a line, that there’s going to be unintended consequences, they’re going to get fired, or worse depending on what government they’re working for. And so the question that I—that I have for everyone on the stage, but particularly Priscilla and John: Are we seeing that sort of tactical cyber deterrence operate at all? Are you seeing adversaries that might have a lot of capability, a lot of accesses to network, a lot of potential maybe even destructive capability, and then pulling back, and pulling back maybe in response to geopolitical circumstances that they’re seeing as much as orders that they might be getting? Have we seen cases like that at all?
HULTQUIST: Oh, sorry, go ahead.
MORIUCHI: No, I just—maybe you have a pullback example.
So the way that I’ve sort of looked at this is the case of China over the past seven to ten years, right? So there was a period in time that sort of John alluded to where both in the government and in the private sector there was almost a fingerprint for Chinese intrusion behavior, right? There was a set of malware, right. There were TTPs—tactics, techniques, and procedures, right—that were quite easily identifiable because they were very bespoke capabilities that were used repeatedly by Chinese units, both military and civilian cyber units. And in about 2015, right, through a confluence of events, right, changes within the People’s Liberation Army, right, the anticorruption campaign raging within the Communist Party; potentially—depends, I mean, on who you ask—the U.S.-China cybersecurity agreement in September 2015 that year, right, China has, I would say, almost completely reengineered its cyber capability, right?
They’ve created a PLA command structure, right, that has consolidated command and control, right, operationally and organizationally. Their operations on net look completely different than they did ten years ago. Gone are the use of these sort of pieces of malware that were really bespoke capabilities. There’s a lot more use of what we would call commodity malware, which is malware that’s largely open and available, that can be purchased, right, on sort of criminal underground or even downloaded, right, capabilities for network scanning and reconnaissance that are used by criminals and nation-states alike. The use of, for example, virtual private networks or virtual private servers, right, hot points, to create this distance between the actual operators themselves and their targets. And all of these techniques are used largely by both criminals and nation-states today, and create a more convoluted environment in which there’s no longer a fingerprint for Chinese behavior, right, on attribution anymore. And they’re using a lot of the same tools that in some cases commodity RATs, for example, that Iran is also using—(laughs)—that criminal groups, both sophisticated and non-sophisticated, are using.
So I don’t—I don’t know that I have a great example of sort of pulling back at the keyboard. But this idea, right, that deterrence could have an effect on operations I think is a—is a valid one. I’d be interested—
HULTQUIST: I think, yeah, with the China example, the other thing we’ve seen is that—we’ve seen a push towards contractors where we can see it. We can’t always identify who has hands on keyboard, but a lot of the PLA operators or the ones that we suspected were PLA—in some cases we got very lucky and could actually identify—they seem to have sort of pulled back, and then we see more activity from operators that have either been identified as MSS contractors or we suspect are MSS contractors. So there’s a—they’re sort of being, you know, kept at arm’s length. Some of them are running criminal activity at the same—like, simultaneously.
Another example—I think sort of the opposite example—is Russia. So when I got into doing Russia a long time ago they were very quiet, and when they got caught they disappeared, right? And occasionally they messed up and there was a very loud incident, and you could—you could probably chalk that up to just a mistake. And then they disappeared, they burned everything to the ground, and they started again fresh.
And then we started recognizing Russian operators who didn’t care so much when they got caught, right? They didn’t care if you were observing them. They rarely burned everything to the ground. And then they started doing this sort of I/O hybrid activity where they started creating these personas and doing cyber sort of disruption and targeted leaks.
So I’ve actually seen sort of the opposite with Russia. Whereas, you know, the operator that we believe is probably FSB has always sort of remained super low key, some of their other operators have just continuously pushed the line again and again more aggressively, and it’s never really gone away.
EDELMAN: So before we get to questions from members who are assembled here, Jim, the last word on cyber deterrence? You wrote one of the first words on cyber deterrence back in government doctrine. So how’s it going? (Laughter.)
MILLER: So far, so good. (Laughter.)
EDELMAN: That’s called setting expectations. (Laughter.)
MILLER: So let me—a quick comment on—if I can, David, on the last question. I think what we’re seeing is there’s not so much people or countries pulling back, but two other features, one of which John alluded to.
One is withholds. You want some capacity to escalate. You want some capacity if things get tough to be able to go up the escalation ladder, if you will, within cyberspace. And there’s also the question of context. Why would a country go hard against our U.S. military systems today if they’re not feeling threatened by them? They’d want to withhold that.
And the second, I think we are seeing from Russia, is brandishing. So public reports through DHS about BlackEnergy and Havex being in our—being in our—malware in our grid and other intrusions, that gives leverage. That gives, you know—in a sense, WASTA (ph) as well. And so I think you’re increasingly seeing those two features be a part of it. And so the complement of deterrence is coercion. Brandishing is about developing coercive capability and credibility because there’s a perception on the other side—us, in this case—that they have that capability. So I think that we’re—I think that we’re seeing that, and their hope is that we will be deterred from coming to the assistance of an ally or partner because of—in part because of the threat to our civilian infrastructure and in part because over time we’ll have less confidence that our military systems will work.
So we need to get on the other side of that. And as you suggested earlier we need to take not just a view of how do we deter cyberattacks on the United States, which is important and includes cyber responses but not only cyber responses, as we’ve seen with economic sanctions and, you know, the high-end military response, but we need to think about how do we use cyber in order to bolster deterrence of coercion of our partners and allies, of coercion of ourselves, and to bolster deterrence of armed attack as well. And so that’s a place where the department I think has made some progress, has a lot of work to do, and where we need to—we’re talked about a national capability for cyber operations. My view is that we need to not just talk about it; we need to instantiate that, whether it’s a national cybersecurity center, whether it’s a joint interagency taskforce.
I think this administration’s made good progress in bringing together disparate parts of the—of the administration, including DHS, CYBERCOM, FBI, and so on. That needs to be instantiated for us to have a better posture for deterrence and for prevention and response.
HULTQUIST: One of my concerns, though, is that as we more aggressively use our offensive cyber—so the U.S. is probably the most sophisticated technical actor on Earth. The problem is we also have the most sophisticated technical economy on Earth, right? And Cyber Command, which has been allegedly according to media reports using offensive capabilities against military targets, it has been very recently—those incidents—Iran may not respond to those incidents in kind with a—it’s unlikely, I think, to respond to those incidents in kind with some sort of cyberattack against our surface-to-air missiles or our missile—Patriot batteries or something along those lines. I think they’re going to respond with an attack on some economic actor like a private-sector target. And so, you know, the asymmetry of the situation we need to continuously keep in mind. We are—our great advantage is also our great weakness.
EDELMAN: And on that cheery note, I’d like to invite all of you to join the conversation. (Laughter.) I’m sure we have a number of questions. Just a reminder, this meeting is on the record. And of course, the internet never forgets, but please don’t let that deter you. We have roving microphones. Please raise your hand. Please remember to state your name and affiliation.
Why don’t we start right here in the middle? Please, Shaarik.
Q: Shaarik Zafar, previously in the government, now at Facebook. It’s on the internet. If you google it, you’ll find it. (Laughter.)
EDELMAN: That figures.
Q: So there’s a report on Axios this morning that in addition to worrying about hard cyber threats that we also have to be prepared for soft information operations—influence operations, misinformation—misinformation. I’d really love the panel’s thoughts on how we should be worried about this in the context of post-Soleimani and Iran, but also great-power conflict writ large.
HULTQUIST: So we’re actually tracking—we work—this is public—we work with Facebook actually specifically to help them track threat actors. And one of our—you know, one of the things that we’ve found are Iranian threat actors. They are very aggressive. They’ve been rapidly developing their program. They’ve been sort of really interesting—they’ve sort of developed a lot of interesting schemes. That’s something that they have also done in the espionage space.
I think one of their great advantages is they’ve—what they’ve lacked in technical prowess they’ve often made up with really, really impressive, creative social engineering, and a lot of it’s been through social networks. So they’re very comfortable in that space. And as this news came out we saw them ramp up their program and start—and start pushing that stuff out.
I think it’s almost like weekly we find a new—we find a new state actor that’s getting into this game, and it is—it’s moving rapidly. It’s going to be very hard to fight.
MORIUCHI: Yeah, so I’ll tackle that one as well. So we’ve spent a lot of time over the past couple years looking sort of historically at nation-states, right, and how they’re building up their what we call sort of online influence operations capabilities, right? So this is leveraging, right, social media platforms, but also messaging platforms, right, like WhatsApp for example. And you know, interestingly, so most states have that capability right now. It’s sort of—from our perspective it’s separated into sort of these two elements.
The overt element of influence, right, which tends to be state-run media, right, consulates/embassies, that presence on social media, the message that they put out there, right, which can give you a really interesting perspective and insight into the country’s goals, right? So if you look at—if you talk about overt, right, messaging from China versus Russia—for example, right, we’ve done studies profiling Chinese overt messaging on social media using a bunch of sort of tools, sentiment analysis and others, right—the message that China is putting out is overwhelmingly positive, right, and it’s driven by this idea, right, and this desire to present China’s rise as good for the world, right?
And so the messages that are put out, you know, if you look at the whole to get, like, as a dataset, right—so there’s a lot of—I think a lot of anecdotal reporting when it comes to influence operations, right? Oh, China put out this message about the Hong Kong protests. Russia did this, right? Iran says that. But when you look at the holistic message, that’s where you get the insight, right? And so from the Chinese perspective, if you look at the messaging operations that their state-run media is engaging in, it’s overwhelmingly positive: China’s beautiful, right, the economy is amazing, right, come engage with us.
If you look at Russia, RT, right, Sputnik, they tend to focus very much, you know, on specific issues, right, that will create or amplify discontent, distrust in democracy institutions. Like, there was—there was a report about RT and Russia’s state media, for example, just in a few days how much time they’ve spent and how much print space focusing on the Epstein scandal, right, the suicide, right? Why, right? Why does Russia care about the—they don’t, right? They care about it because it’s an issue in the United States, right, and it creates distrust within our own systems, right?
In all these countries. North Korea has similar. Iran, right? This is a tool that’s used by militias, right, in Syria as well.
And so what we see are not just the embrace of influence operations on the large social media platforms, but increasingly to the places where we live, right, our lives, on messaging applications, right? Some of these actors—President Maduro in Venezuela, for example, has created his own application, right, for his supporters to download with pre-formatted social media messages that they can just click and post to whatever platform they choose, right? That’s a form of influence as well.
EDELMAN: Every U.S. presidential candidate just wrote that down. (Laughter.)
MILLER: Could I just—could I just pile in? Foreign cyber-enabled malign influence operations are a real problem. They are growing. We are not well-organized to deal with them as a government or as a country.
Domestic cyber-enabled malign influence operations are an equally large problem for our country and for democracy, and the answer cannot be, like, binary. Like, Twitter’s zero, OK; Facebook is one, right? It can’t be nothing gets through that has—is about political advertising—sorry, Dorsey—and it can’t be we’re not going to deal with this problem and pretend it doesn’t exist. And I understand that you guys are beginning to modify the initial response from Zuckerberg. The private sector has to step up. The government can play a role in helping to establish guidelines.
But I just want to encourage you in what you’re—in what you are doing, which is to get both Facebook and other institutions to step up and take this on. This is one of the biggest threats to democracy. And I’m talking about the internal, which the foreigners pile onto. We’ve got to do better.
EDELMAN: All right.
MORIUCHI: I see convergence. I just want to add one thing. I think what you’re alluding to is this convergence, right, this idea that nation-states are using for the short-term gain, right, this commonality with domestic groups, right, in which the long-term goals diverge but over the short term interests are the same and the tactics, right? So the interests and the tactics of the short terms are converging, right, even though the goals over the long term are different.
EDELMAN: All right. Next question, please. Yeah, we’ll go all the way in the back. Yeah, right behind you, please.
Q: Hi. Liz Kim (sp) from Voice of America.
Recently Microsoft took legal actions against a North Korean hacker group. Does that kind of move really help contain overseas threat?
MORIUCHI: Oh. I don’t know. (Laughs.) Right, North Korea’s a difficult case, right, because of how isolated they are.
But I think you’re sort of alluding to the larger question about whether things like indictments and court cases, right, actually have an impact on nation-state actors. And kind of the one sort of example that I have—sort of spans my time in government and private sector—is that of China. So you know, after their—FireEye’s APT1 report, which sort of broke ground for the private sector in doing attribution, the following year, in 2014, the U.S. indicted five members of the PLA, right, that were associated with this group, Unit 61398 or APT1.
I know from my time in government that the Chinese were incredibly angry, right, about those indictments, right, to the point where they called off sort of bilateral cyber discussions and would bring this up at every meeting subsequent to that, right: withdraw these indictments, right? And so whether that—how they feel today, right, in 2020, right, and how they felt then is likely different, right? But this idea that we will pursue as the United States government, like, legal action within our court systems, and that, you know, as sort of FBI agents would have said, the FBI never forgets, right? People come back to the United States and there are still indictments, right, and there are sealed indictments, and they get arrested, right, for things that they’ve done in the past. So does it have a larger deterrent effect? I’m not sure. But it certainly has had an effect.
MILLER: Can I just add—just add a little bit to that good comment? Microsoft announced a few days ago that it had gotten a finding, not from the—(laughs)—intelligence community but from a court, that allowed it to go back against North Korean actors. And I don’t—the number was, you know, something like eighty-two different instances or something like that.
This is new ground for the United States. I think it’s important that folks in government today have a good—a good, hard look at this. I think it’s an interesting model that we need to explore. But one thing I want to ensure is that—is that operations to impose costs, to damage other countries’ infrastructure, offensive cyber operations should be the sole domain of the U.S. government. And there are—there is a gray zone, if you will, between blocking and hacking back and so forth. But the U.S. government needs to continue to have the only legitimate use of force by Americans, and we should not outsource that to get vigilante justice.
I don’t believe that’s the case at all with Microsoft. I think they’re acting legally. I think it sounds like a good model to follow. But we need to be careful not of where—it’s not a red line the way we’ve talked about, but we need to be careful so that the government has a monopoly on the use of force.
EDELMAN: That’s a great point, alternatives to hack back. We’ve been talking about hack back forever. What else is out there that companies can use to get relief, to find some ways of actually engaging without necessarily going down the road that’s previously been reserved, of course, for government.
Other questions? Yes, please. Right here in the middle, red tie.
Q: The question asked—Edward Luttwak is my name.
The question asked by the presider, league tables, because I’m puzzled by this conversation as a non-expert, because in every other non-electronic activity the rankings, for example, are very clumsy, ineffective, fail all the time. Why would they be so great electronically? North Koreans we know are the world champions of cost effectiveness. Their whole ballistic missile program is cheaper than the stationery budget of the Defense Department. (Laughter.) The Russians, as we saw in the Macedonian case, the Macedonian referendum, spent about $12 or $15 to depress the attendance, which was their aim—the participation, to depress it well below 40 percent in a referendum where it should have been 90 percent.
So the Russians are skillful. The Chinese are numerous. The North Koreans are cost effective; indeed, they’re profitable. I wish our DOD earned money the way theirs does. And the Iranians, how come we talk a lot about the Iranians? Are they—is this cyber world a different world where being corrupt, clumsy, ineffective doesn’t matter?
HULTQUIST: Well, one—(laughter)—I’m going to take some heat. I’m going to take some—
EDELMAN: Get ready for that, John. (Laughter.)
HULTQUIST: I’m going to take some heat for saying this, but they’re contracting a lot. (Laughter.) Yeah, they’re contracting a lot. So when they started—when they started post-Stuxnet, sort of an inflection point, they started bringing in their nationals, hackers, to carry out a lot of these actions. Some I think they’re quite—they’re pretty much paid by the government. They basically went legit. They set out a shingle and set up a website, called themselves penetration testers, and literally some of them list the government as their—as a client. Some of them got their military, their conscription, signed off on for their—for their work under that space. But they didn’t start out—(laughs)—like, they were not mature cyber actors from the—from the beginning. The good news is, is that you didn’t really have to be. There’s a lot of automated tools. There is a lot of knowledge that was out there. And they just—we’ve watched them slowly improve.
And while in the—one of the reasons I’m so concerned is that the actors that we saw during Operation Ababil, the targeting of the U.S. financial sector, during the destruction of—at a U.S. company many years ago before the nuclear agreement, have been improving in the Middle East and slowly improving their game there. And they’re just not the same actors that we’ve seen in the past. Part of that is they’re using a lot of off-the-shelf tools that are made for penetration testers that make it really easy to do the job, and they’re just scanning for things and looking for low-hanging fruit. Some of it’s they’ve developed a lot of interesting tactics.
The biggest thing—personally, the thing that consistently surprises me is how incredibly—these incredibly complex social engineering schemes they’ve developed. We’ve seen them create entire fictitious news agencies that exist across multiple social networks with thousands and thousands of sort of connections, and they’re all sort of supporting each other and building this legend of this fake organization behind it. And they’re using that to target all the way up to four-star level military officers.
And they just—they’re brash and they’re creative, and that makes a lot of difference. And there’s a lot of tools already out there.
EDELMAN: And so when John adds you on LinkedIn this afternoon be a little suspicious. It might not be him. (Laughter.)
All right. Other questions, please. We’re aiming for gender balance, but it’s not happening. So, please, everyone who has questions, please raise your hand. And we’ll go right over here next.
Q: Hi. I’m Kevin Sheehan of Multiplier Capital.
This is a question for John. John, as you know, you’re a principal in a book called Sandworm that is about the discovery of a GRU unit that’s been very active for many years, been very persistent, and in particular active in attacking civilian infrastructure in the Ukraine. And the scary conclusion is it wouldn’t be that difficult to conduct those same operations in the United States. How could—how could Sandworm be deterred, short of kinetic methods?
HULTQUIST: Well, I think the first—the first step would have to be a(n) open and fulsome conversation about Sandworm, right? There are bits and pieces, but we’re not really—the government, for instance, has not really issued some this is what this organization is, this is what they’ve done. And we’ve tracked this—for those of you who don’t know, Sandworm, we believe, is one of the GRU actors that we can connect to the Russian blackouts, the targeting of the PyeongChang Olympics, the NotPetya incidents that caused $10 billion and hundreds of millions of dollars at several U.S. companies including logistics and manufacturing companies. They were involved in some of the election shenanigans, as well, in the United States, as well as France. All connected to the same actor, and this story’s not really being told. It’s not really raised the level of consciousness. And we’re not really—the first step is we have to—we have to really talk about it.
The other thing is I wouldn’t necessarily see them turning out the lights like they did in Ukraine in the United States. Our grid’s probably more robust than that. But what they did is they started developing a more simplistic ransomware-based attack, and that’s what caused tens of billions of dollars of damage to U.S. companies. That attack, essentially, was designed to target Ukraine, it did target Ukraine, and it essentially leaked into other parts of the globe and still managed to do $10 billion of damage. So you can imagine the capability that’s really at hand, the economic damage that these guys are capable of.
But I really think the first thing is that we have to be talking about that actor. And the Olympics is a good place to start.
EDELMAN: All right. Further questions? Yes, please.
Q: Hi. Aynne Kokas, University of Virginia. Thank you very much.
So my question for you. We’ve been talking a lot about military threats and actions by state actors. But I’m interested when we’re looking at—what about legal investment in the United States? I’m thinking about companies like TikTok, which is not allowed on U.S. military phones now, but you know, on all of the kids’ phones—(laughs)—of all those same people, and the types of data-gathering activities that are actually very legal and could feed into these state activities. So particularly in countries like China, where there is—you know, where there’s civil-military fusion, how do we contend with issues like that? And how do—how do cybersecurity professionals in your fields deal with that when you’re—when you’re working with your clients?
MORIUCHI: Yeah. So you know, so you allude to a number of different sort of operations. So one—and John talked about this earlier—is what I would have called sort of SIGINT-enabling operations, right? And that’s kind of the surveillance, right, in which we see nation-states—China, Russia, Iran, others—moving into this sphere where the immediate victims of an intrusion, say a telecom for example, are not the intended final victims, right, in which the intrusion into that telecom is designed to enable intrusions into the telecom’s customers, right, or into the telecom’s services, right? So you know, that’s part of, you know, depending on your perspective, right, what you would either consider like a supply-chain threat, right, if you’re an end user—(laughs)—right, because the telecom is part of your software supply chain; you know, or you know if you’re a government, right, it’s an intelligence-collection threat, right? And so that’s sort of one, right, is like this idea that nation-states are using cyber operations to get information about us, right, that we don’t have control over, right, that exist in telecoms and other places.
Second are these—are the applications, right, and the data that’s collected on a second-by-second basis, right, about all of us, you know, using our phones and our devices. I think the—we are beyond the point where it’s a problem, right—(laughs)—and we are in—I firmly believe we’re in the space where we have to start talking about how do we define what’s legal and not legal in that space for both domestic and foreign companies. So if you take the example of TikTok, for example, or you know, sort of Chinese social media applications, right, there’s a fear—and I think that it’s founded, right—that China will be exporting some of its own values, right, in terms of openness in society and media. Whether that’s at a government directive, right, or not is a(n) important distinction, because if you look at some of the press reporting around TikTok some of the proactive censorship that has gone on in TikTok as an application was not necessarily the result of a government censorship mandate, right, but the way in which Chinese culture, right, views certain topics.
So there was a story a few months ago about—if we take TikTok for the example—about TikTok censoring certain videos that involved visibly disabled people to ten thousand views, right? And the perspective at TikTok was nobody would be viewing this video unless they were trying to make fun of the person with this disability, right? That’s not how we see it, right—(laughs)—in our country and in most of the West, right? So this was a proactive—what TikTok felt was a proactive way to address bullying online that was completely out of line, right, and not what most people are looking at.
So you know, legally, right, there’s not much that we can do around that, you know. But we’re at the point where—or beyond the point where that discussion has to happen. And we have to come together, if not as a global society, as countries with government, right, to help identify and enable the platforms to set their own boundaries as well.
MILLER: Yeah. Could I just add to that response to that great question? From a—from a Department of Defense or military perspective, hacks like the OPM hack and others that provided massive data about individuals, including in the government and in the military, are just a treasure trove for any country that has a long-term perspective in terms of gaining further intelligence, recruitment of assets, recruitment of spies, coercion of individuals whether through compromising material they find when they hack them or something else, attempts to demoralize in the context of a crisis, and to—and attempts to undermine confidence in their government. The list could go on.
If a country—and I think first and foremost of China in this regard—has a long-term perspective and is willing to play and wants to play a game of erosion and competition, this is just a treasure trove. And it’s something that we need to worry about as a country, and it’s something that the Department of Defense has taken initial steps but needs to do much more to defend against and to inoculate to the extent it can, because the penetrations have happened. The vulnerabilities exist. It needs to—it needs to work at the level of individuals and their families to deal with this.
It’s a great question.
EDELMAN: We have only five minutes left and a lot of hands, so we’re going to go to the lightning round. We’re going to take several questions and do our best to answer a few of them as best we can. Alan, and then—I’m going to rotate on sides—so Alan here, and then right here in the middle. Just ask your question. And then we’ll do one more over here, please, in the red tie. And then we will do our best to synthesize all of them. Maybe you’ll ask the same question.
Q: Alan Raul with Sidley Austin.
You’ve talked about the government’s role in attribution, deterrence, even forward defense. What about homeland defense, in particular of the private sector? Is the government doing enough to protect private companies? And is it being held accountable to do that? And whatever happened to cybersecurity information sharing? Has that been a success or failure?
EDELMAN: Great questions. OK. Great.
Q: Dennis Shea with the Navy’s FFRDC Center for Naval Analyses.
Returning to the event of last Friday that got us here, the assassination of an Iranian general, it’s been reported that POTUS was made several options to respond and that he chose the one in the upper right-hand corner, assassination. Can you speculate on what some of the offensive cyber responses that might have been offered to the president and why they would not have been an attractive option for him to choose? If you want to send a signal or change someone’s behavior, why not offensive cyber?
EDELMAN: Great question. And then last, right here.
Q: Peter Sharfman, MITRE Corporation.
This really builds on the last question. Iran, I believe, has a need, for the purposes of shoring up the long-term legitimacy of their regime, to make a response that is visible and conspicuous and preferably humiliating to the United States. Cyber warfare up to now has been conducted in the shadows. What kinds of cyberattacks provide high visibility, instant attribution, and great humiliation for the victim?
EDELMAN: All right. We’ve got defense and offense options, including Iran. Who wants to put it all together?
HULTQUIST: I’ll answer the last question—
EDELMAN: Hey, John, way to go. (Laughs.)
HULTQUIST: —because it’s all I remember at this point. (Laughter.)
I think a lot of the incidents that we’ve already seen could easily be sort of non-deniable, right? The thing that we’ve seen in a lot of the destructive and disruptive incidents is the adversary puts this sort of edifice or persona in front of it. For instance, when we had the incident at our—at our banks several years ago, they claimed it was a pan-Arab organization that was upset with the Innocence of Muslims video. They can just—really just get rid of that and let everyone kind of figure—(laughs)—things out for themselves. I don’t think that the work that they usually do on deniability is even really necessary.
EDELMAN: Jim or Priscilla, the cyber options before us or defending the homeland. Whither?
MILLER: I would prefer not to give a roadmap to the Iranians for how to—how to hit us. (Laughter.) But as I indicated before, I think they’ll use cyber because they can, and they will likely engage in some way in the use of kinetic force, if you will, because it’s visible. I think it’s more likely that they’ll do the latter against U.S. allies and partners and attempt to use it as a further wedge to reduce U.S. influence in the region, and we need to think about that.
Should I go on to a couple other points real quick?
EDELMAN: We’ve got two minutes.
MILLER: I would not attempt to—(laughs)—explain what’s going on in President Trump’s mind and why he selects an option. I hope that people took the lesson that only put options on the table that you think it would be sensible for the United States to implement. That would be a good approach in any event.
But clearly, there’s a view that—let me say Soleimani was an evil person who was directly responsible for the death of hundreds of Americans in Iraq and the hatching of nefarious plots throughout the region. It’s good that he’s dead. He will not only not be missed; it’s a positive. The way in which we did this, without consultation with allies and without support, is going to be very problematic. And so—but you know, just to—just to make that point.
Yeah, the cyber information—security information sharing continues to—I think continues to improve. I asked my colleagues on the—with respect to the U.S. government to private sector. What’s more impressive and what’s the biggest move in the last few years to me is the private-sector sharing that is going on through the Threat Alliance and through others. And I think that that game has improved, and I hope that that continues to go forward. I think both government and the private sector have another step function, at least, to catch up to today. And if we want to be ahead of the threat, not behind the threat, we got to take a couple big steps.
EDELMAN: Last word?
MORIUCHI: I guess—yeah, that was the only one that I was going to address. (Laughs.)
MILLER: I’m sorry. (Laughs.)
MORIUCHI: No, but it’s interesting that’s your perspective.
So when I was in government I felt that government was doing enough—(laughs)—and that partially a lot of this wasn’t our problem. But it is, right? And I think that there are a number of models around the world that we can use to test or to at least experiment with government involvement in protecting some private companies, right, if not all. The U.K.’s National Cybersecurity Centre, for example, is a model, right, in which the U.K. is quite explicit about which companies, what they’re protecting, you know, why, right, the services that they’re willing to provide for those companies and everybody else is kind of on their own.
In the United States, you know, we don’t have even those—the semblance, necessarily, of protection. Different agencies have different definitions, for example, even of what’s critical infrastructure, right? So we don’t have an agreement on whether one company’s industry is considered a critical industry or critical infrastructure or not.
So you know, I’d argue that I think that the government does have to step up. Whether it means doing more or doing less is not—I don’t necessarily have an opinion about. It’s about defining, right—helping private companies to understand better what they can expect from government when someone knocks at their door or when they experience an intrusion or when they’re asked to share information, right, when they have it. That’s a critical step that we’re just not at right now.
EDELMAN: So more work left to do.
Well, thank you so much for the wonderful questions. Please join me in thanking our panelists. (Applause.)
VAVRA: Welcome to today’s Council on Foreign Relations meeting, “The United States Goes on the Offense,” part of the Great Power Competition and Cyber Conflict Symposium. I’m Shannon Vavra. I’m a reporter for CyberScoop. I cover Cyber Command and the NSA, and I will be presiding over today’s discussion.
To my right we have Ben Buchanan. He’s an assistant teaching professor at Georgetown University’s School of Foreign Service, where he conducts research on the intersection of cybersecurity and statecraft. To my right also is Jackie Schneider. She’s a Hoover Fellow at the Hoover Institution. Her research focuses on the intersection of technology, national security, and political psychology, with a special interest in cybersecurity, unmanned technologies, and Northeast Asia.
So to get us started today we’re going to talk a lot about Cyber Command. And approximately a decade after Cyber Command was stood up it’s now a unified combatant command. It has 133 cyber national mission force teams. And in the last year, it got increased authorizations both from Congress and from the White House. And under those auspices, it has been defending forward, for instance, to counter Russia, to counter Iran, reportedly. And I’d like to get us started by asking Jackie and Ben both, has that been effective? And what does “defend forward” mean to you?
SCHNEIDER: Well, I think asking the question about what “defend forward” means is maybe a bit—I’ll start with that, because I think it’s really important. If you look at the unclassified summary that came out in 2018, it introduces the concept. And then I think there was a lot of question about what “defend forward” meant in practice because, to be honest, it looked a little bit like the U.S. was just going on the offensive and calling it defense. And I think there was a lot of outcry with academics and people who were looking at the cyber problem saying, I think you—you know, you’re being disingenuous about what “defend forward” means.
But we’ve seen a series of articulations of “defend forward” since then. I think maybe the most useful interpretation is the one that came out in the Joint Forces Quarterly by General Nakasone. And so what we’re seeing is that as “defend forward” gets kind of implemented in practice what it really is starting to look like is the ability to counter cyber operations. And so that is attacking—through offensive cyber operations, through defense, through intelligence, and the ability of states, Russia, Iran, China, North Korea—to conduct cyber operations. What I don’t think “defend forward” is, or should be, is the use of cyber operations to attack critical infrastructure. I think that it’s that it should be something that’s more scoped. But I believe that’s probably a debate that’s occurring right now is how—what types of targets “defend forward” really should be.
BUCHANAN: I think the piece of this that’s worth drawing out explicitly is a notion that this represents at least a conceptual shift in the Cyber Command authorities to play in adversary networks, and to play in the gray space between American networks and adversary networks. And the goal here is to increase the amount of friction adversaries have when they carry out their cyber operations.
As to your question of whether or not it’s effective, I think the jury is very much still out here. We don’t have a lot of data. There’s been a lot of handwringing, as Jackie said, about these authorities and about how cyber command may or may not be using them. But I just don’t think we’ve seen enough to judge whether or not this increased friction, A, is existing, and, B, is meaningfully changing adversary behavior. But it definitely I think is part of a broader realization on the part of the United States military and intelligence community that cyber operations is an environment in which nations are continually competing and engaging with one another. And the United States wants to make sure it has the authorities in place to participate in that engagement.
SCHNEIDER: And I think the effectiveness question is something where you see the strategy is really lacking. It puts forth these big ideas about how the United States is going to counter its adversaries in cyberspace. But there’s no clear way that we can understand in what ways the U.S. would be successful. So would it be successful if there are a number of attacks—less attacks that occur? Is it successful if there is less economic cost? Is it successful if the attacks still continue, but businesses are still profiting? So right now I think that that’s actually one of the next steps. I mean, when someone generates a strategy, the first step of strategy is to put a pen on paper. And the second step of strategy, for anybody who’s worked inside any big organization that’s implemented strategy—(laughs)—is in figuring out how you measure whether that strategy has been effective. And hopefully that’s where Cyber Command and the Department of Defense are going in the next year or two, as they implement this strategy.
VAVRA: So to ground this in some reality for the members here, we have seen Cyber Command sort of defense forward against Russia, as reported by the New York Times and the Washington Post in the last couple of years. In 2018, sending direct messages to Russian operatives, for instance, who work for the Internet Research Agency, the troll farm that was involved in interference and influence, and sowing discord in the United States in 2016 and in 2018. How should Cyber Command be measuring its effectiveness, right? Are we talking about—is it the frequency of attacks that they’re running versus then the response or the disability of an adversary to access the internet? What should we be looking at here?
BUCHANAN: I’m a little skeptical that texting Russian operatives and saying, we know who you are, is going to meaningfully change their behavior. (Laughter.)
VAVRA: And why?
BUCHANAN: My view is they’ve sort of made their life choice that they’re going to do this. (Laughter.) But maybe I’m wrong. I do think there’s the opportunity in moments of critical importance to degrade adversary capability. So I can imagine a situation, maybe this occurred in 2018 maybe it didn’t, when you have an American election and in the week before you want to understand adversary capabilities and take them offline. I don’t think you can push them offline forever, but I could imagine one place for defending forward is in this week we want to really increase the friction of adversary operations. That’s a different kind of operation. That’s what I would call a shaping operation rather than a signaling operation, to say: Hey, we know who you are. I don’t think the latter changes the game that much.
SCHNEIDER: So I think this is a problem that the United States has, in general. We are really good at measuring tactical or operational successes. We see that in campaigns like Afghanistan, where you have a series of tactical victories, and yet because of a lack of overarching political strategic objectives there’s almost no way of measuring strategic effectiveness. And so I think that this has to start at the highest level. And that’s, you know, the White House and the executive. Because the executive needs to set out clearly what are the benchmarks that they’re looking for when it comes to strategic cyber success? And I think all of the strategies fall short here.
Obviously these cyberattacks are going to continue to occur. So saying that success is attacks not occurring is a moot point, not going to happen. But trying to understand whether counter-cyber operations should decrease the overall economic costs that cyberattacks have to the U.S. government, whether there are particular infrastructures or campaigns that you can set smaller, achievable goals. I think something that Cyber Command and the U.S. government is focusing on right now is election security. And here I can imagine a series of different measures of effectiveness that are at the strategic level but include tactical successes.
So, you know, hey, we, the U.S. public, believes in the validity of the votes that they’re casting, right? They believe that the vote that they cast on that day is the vote that is tallied. So we believe in our electoral institution. That could be a strategic objective, but at the tactical level we can say: Oh, we haven’t seen any infiltration attempts. Or we know that we have backup plans for voting where our paper ballots can match up with what is being submitted electronically.
So I think that it needs to start at the highest level of setting strategic objectives. And then from there that’s kind of what war planners are really good at, is finding the tactical and the operational effectiveness measures that lead up to the strategic goal. But absent that strategic goal, we can have a series of different tactical successes at being able to disrupt or change behaviors in cyberspace without any long-term strategic effectiveness.
VAVRA: And moving into 2020, which is an election year as we all know, what should Cyber Command be thinking about when it comes to Russia and also other adversaries that may seek to interfere in whatever way in U.S. elections?
BUCHANAN: I oftentimes ask my students what their predictions are for 2020. This is a fun midterm or final exam question. And they are worryingly optimistic, which is to say I think there’s an incentive structure for other nations to throw everything they have at the United States this time. And if I were in Cyber Command’s shoes, I would much rather over-prepare for Russian or other adversary information operations and hacking operations than under-prepare. And I think there’s a very real risk that other nations will feel like there weren’t that many consequences last time. We can debate the effectiveness, but why not turn it up to eleven and really go at it this time? And I’m sure that’s something Cyber Command is tracking, but I do think this is a very real threat environment, and the election system in the United States is something that adversaries might try to test in 2020.
SCHNEIDER: I think the election question actually brings us some really interesting challenges about the delegation of authorities within the U.S. government, because the Department of Defense is the only one with authorities to conduct offensive cyber operations. So there’s a clear lane here for the Department of Defense to conduct operations against the IRA, or the Russian GRU to decrease their ability to conduct, you know, social media information campaigns, or to try and decrease their ability to access the actual kind of—the voting information.
But there is kind of a really peculiar phenomenon where, as the Department of Defense gains authorities and becomes more and more involved in election security you start getting a little bit worried about the Department of Defense doing too much domestic work. And so I think there is—we really—when we talk about election security have to talk a lot about the role of the states and who is helping the states to defend the way that their elections are conducted. We need to think about the role that the National Guard plays, whether it’s an appropriate role. Should we have uniformed service members that are participating on a day-to-day basis in election security, and what that means for civil-military relations. And then, you know, thinking a lot about DHS, FBI, and DOJ, who play a huge role in the overall election security.
VAVRA: And now something that Cyber Command specifically has been doing in the last couple of years is running what they call hunt forward missions. They’ll send cyber personnel abroad to countries, such as North Macedonia, Montenegro, and Ukraine, which they did in 2018 in preparation for the midterms. Where should they be going in 2020? And the goal of doing that is to hunt for malware that’s unfamiliar to the United States and then bring it back to the U.S. to defend against those who may seek to exact damage. Is there a particular country or region that you think Cyber Command should go to and hunt forward in 2020? Should they continue? Should they stop?
SCHNEIDER: So I think we can debate the effectiveness of these hunt forward teams. Like, they’re small groups of teams that go to—that physically travel to a location. They may or may not be more effective than somebody who could remotely do it from far away. But what they are is a signaling device. And what we found in cyberspace is that there are very few ways to signal credible defense mechanisms or to signal the U.S.’s credibility in supporting our allies.
But there’s something about the physicality of these groups, about taking a group of people and flying them on an airplane, in a uniform, and showing up in a foreign country, that signals that the United States is invested in states and invested in states in terms of their cybersecurity. So for that reason, I think it’s really important for the U.S., as it’s, you know, thinking about these hunt forward missions to think about allies that maybe there is doubt about the U.S.’s support for them, or allies that come under cyberattack quite often, and we want to signal that we are in it in the long haul to support them. And those would be the kind of states that you would want to send these hunt forward teams to.
The reality is this hunt forward mission right now cannot be done at scale. There’s just not enough trained personnel in the DOD to provide the kind of twenty-four/seven work that you would need to do to credibly keep all malware out of our allies’ networks. But what it can do is be a really effective signaling mechanism. So we just need to be very smart about where we send people.
BUCHANAN: I think this question of signaling in cyberspace is one of the least well-articulated questions, and yet most important. And Jackie covered it very well. I have a little bit of a different view. And I’ve spent the last two or three years essentially writing a book on signaling and shaping in cyberspace. And my view is, a lot of times nations signal in cyberspace, they signal with cyber operations, and no one notices. Or the message—
SCHNEIDER: Which is why they’re not good signals. (Laughs.)
BUCHANAN: Exactly. The message that’s received is not the message that’s intended. And I could imagine this is a case where there is some effectiveness because of the physicality, but I would be very surprised if these hunt forward teams are meaningfully changing adversary cyber operations. I don’t think the Russians are going to call things off because some folks came over in uniform. The tool is too effective. I’m not suggesting you said that, but—
SCHNEIDER: No, no, no. I agree with that. But I do think it signals credibility about allied relationships.
BUCHANAN: I buy that.
SCHNEIDER: So less Russia, more our allies.
BUCHANAN: Yeah. As a signal to the allies of support, I think it makes sense. But that is further afield, I think, than improving cyber defenses across alliances.
SCHNEIDER: Yeah, that’s very true.
VAVRA: So, speaking of signaling—and this is something that both Jackie and Ben have written a lot about—is this defense forward and this persistent engagement—which is another term that Cyber Command likes to use to describe its defend forward missions and operations—does Cyber Command run the risk of escalation with adversaries perhaps even if they don’t intend to escalate things with adversaries? Where do you land on that?
BUCHANAN: If you believe what I believe about the misinterpretation of signals, then you have to recognize this is a natural consequence of taking a more aggressive posture. And I do think it’s worth knowing that persistent engagement and this defense forward strategy is a Cyber Command strategy. Conceptually speaking, it’s not the first time the United States has done these things. You can—you can point to some examples of intelligence agencies carrying out similar defense forward missions in the past, less publicly and less talked about. But it seems to me that what’s changed here is the United States is much more willing to talk about these things. I wonder if that runs the risk of increasing escalation. On the other hand, it may provide more clarity. This is the motivation. Other nations shouldn’t be concerned. There’s a lot of unknowns here about how nations like Russia and China interpret American activities. And we should be cognizant of those unknowns and of our inability to see inside those states, at least in public.
SCHNEIDER: So I’ve been working on this cyber escalation problem for quite a few years now. And when I came to it, I came to it as an academic who had studied escalation, the security dilemmas, spiral instability. And I looked at all the characteristics that make—that academics believe create escalation dynamics, uncertainty, and often problems differentiating between offense and defense. And you look at cyber and you say, oh shoot, like, these were all the bad characteristics that lead to escalation. But then I started looking at the actual data. And so there’s a bunch of big data work that’s been done. Brandon Valeriano and Ben Jensen, and I’ve been working on war games that I’ve been running over the last year and a half, as well as war games that I have analyzed.
And what the startling thing is, is that we can find very, very little empirical evidence for escalation in the cyber domain. It’s kind of this counterintuitive finding. And we have games where there are what would be considered highly escalatory cyberattacks, where cyberattacks create nuclear effects inside war games. And yet, our players respond with, well, that’s just cyber. Or, they use some of the characteristics of cyber, the uncertainty, to slow down. They say, well, but we need to conduct some sort of attribution on it. I’m not sure if that really did come from the opposing state. And in some of these games we actually give them attribution, and it’s—and yet, the players still try and create mechanisms to slow themselves down.
So what’s been fascinating is that actually the cyberspace operations seem to create space for almost de-escalation. And so I’m less and less worried about the escalatory dynamics of most cyber operations. And I actually think that a more active cyber posture will not necessarily lead to escalation outside cyberspace. And so I think that’s maybe somewhere where we differ, is I think the U.S. maybe took a far too—not an active enough posture, because it was so afraid of escalation. And I believe that the U.S. can actually take more risks in cyberspace than it has been taking in the past.
VAVRA: And one question, as a follow up to that. We’ve seen in the last couple of years some cyberattacks and cyber operations that have led to some physical results. For example, Stuxnet or Shamoon, the attack that Iran allegedly took against Saudi Aramco in 2012. That led to the damage to tens of thousands of computers. As those may or may not become more common, but let’s assume they become more common, these physical results, do you think that the response, oh, it’s just cyber, might change?
SCHNEIDER: I’ve been surprised at how sticky people’s emotions about cyber are. And the emotion is anxiety. And this is, like, different than fear. Fear is a gut response—I’m going to fight or I’m going to flee. There’s a literal biological response. Our heartrates start fluttering. We have a sense we have to move and do something. What seems to be happening with cyberspace is actually anxiety. It just stops you. And so I’ve been conducting a series of experiments trying to understand how evocative a cyberattack has to be in order to create this sense of fear, and response, and gut reaction. And so far, it’s quite, quite high. So, like, I’m having to create new experimental treatments that could make cyberattacks actually more and more like a Grey’s Anatomy episode and less and less like what really happens on a day-to-day basis. Because of that, I think that that allows actually cyberspace tools to be used by states as a means of coercion inside the gray zone, and less as something that is a successful signal for deterrence in other domains.
BUCHANAN: My view is that you can look at the last ten or fifteen years of cyber operations, and there’s a very clear trendline, which is they’re increasingly getting more powerful both technically and states are getting more aggressive. When Stuxnet first came out in 2010, it was this huge news that you could have a physical, kinetic effect with a cyber operation. And it’s happened again and again since then. You mentioned Shamoon. There was the North Korean attack on Sony in 2014. There’s NotPetya, the Russian attack in 2017. Hundreds of thousands of computers around the world. And what’s remarkable about all of these attacks is there really hasn’t been a meaningful response to any of them. The Trump administration’s response to NotPetya was very, very light. Sort of a press release almost six months later saying: This was Russia and this is not acceptable. But there was no teeth to it.
And I think my concern around escalation is born of the fact that we have this environment in which there’s been check on, Jackie said the gray zone, the expansion of what the gray zone means. Whereas ten or fifteen years ago we may have said, this is all about espionage. Now we’ve seen very clear and very widespread acts of sabotage that we’re still putting in the gray zone.
VAVRA: Could you just talk about what you mean by gray zone, for our members?
BUCHANAN: It’s the word in vogue now, or the phrase in vogue now, but the area between peace and war where nations compete. I think you have gray zone operations that are physical. The little green men in Crimea often gets lumped in there. But one of the biggest ways in which nations compete on a daily basis is cyber operations, hacking each other. And my suggestion only is that that competition is increasingly aggressively, not just in the espionage sense but also in the sense of active interference.
I do think Jackie is right, though, that there is some element of cyber operations that thus far, and probably in the foreseeable future, are governed by what academics would call the stability-instability paradox. So essentially, in one area nations are comfortable with this unbounded, very rough competition, but they keep it in that area so that they could compete and go all-out in cyber operations, but it’s not going to escalate into physical conflict or something more. It’s worth saying, that works until it doesn’t, until someone takes a step that’s unanticipated and you get escalation. So that’s why I’m a little bit less optimistic about this. I’m less confident in nations’ capacity to calculate in cyberspace. But thus far, despite the increasing aggressiveness, they’ve kept the conflict mostly to that domain.
SCHNEIDER: And I do want to make it clear that while I am less concerned about escalation, that does not mean that I’m not concerned about the impact of cyber operations on long-term economic and social prosperity. I am worried sometimes that we focus so much on kind of the one-off, big destruction kind of cyber Armageddon, cyber Pearl Harbor, and focus so much of our attention there that we fail to really recognize the extraordinary cost that this takes to U.S. businesses, and the ways in which sectors like the financial system—which are completely based on people’s trust in data—can really have an existential threat if these cyberattacks become more prolific and more credible.
And so I think that while I wouldn’t spend a lot of time worrying about cyber Armageddon, I do worry on a day-to-day basis about the degradation of trust in data, and trust in governance, and trust in institutions that seems to be the long-term byproduct of continued competition in cyberspace. But I think the answer to that is actually resilience. And it’s a very expensive and difficult process of making sure that in digitally dependent societies like the United States we have resilience to operate, even when we have interruptions to our digital economy. And that allows us to kind of have a graceful degradation when we have cyberattacks, instead of “now I don’t believe in something and so it no longer exists.”
VAVRA: Speaking of economic impact, China is an interesting sort of case here. In 2015 China and President Barack Obama came to this agreement, thou shalt not hack. For some time, some of the Chinese economic cyberespionage and cyber-enabled heists dissipated, but then they started ticking back up again. And is there a role that Cyber Command should be playing here with China? And to sort of put some context to this, John Bolton, in his role as National Security Advisor last year said that Cyber Command was expanding its aperture from sort of election security focused targeting and missions to economic. Does China have a role to play there?
SCHNEIDER: So I actually think the U.S. can be more active against China. Here’s a caveat: I do believe that a lot of the actions the Obama administration took at the end of the administration, which was a concerted cross-government, you know, sanctions, warrant, you know, FBI, DOD, to crack down on China, I think that was effective. And I think part of why we’re seeing it’s not effective now is that that campaign changed under the Trump administration, and it’s also part of a larger trade war. So we have, like, a bigger China thing happening now than was happening in the Obama administration. So I think some things—a lot of what the Obama administration was doing actually probably would work in the future against China.
But I think something the Obama administration was not comfortable doing was using U.S. offensive cyber operations to degrade Chinese cyber offensive operation capabilities. And I think we should be open to doing more of this. I think that the U.S. Cyber Command, the Department of Defense should be willing to attack PLA units with cyber—cyberattacks on PLA units who are trying to infiltrate U.S. networks or trying to steal intellectual property. And I think that is the type of operations that can be very scoped, and yet decrease the overall effectiveness of China’s cyber capabilities against the U.S.
BUCHANAN: There are two things that are remarkable to me when you look at the Venn diagram of the United States, China, and cyber operations. And the first thing is how comparatively minor the cyber piece of that is, relative to the other two. Which is to say, the U.S.-China relationship, both in the Obama administration and the Trump administration, is so vast and so complex. And for as much as, you know, dorks like Jackie and I, who love cyber operations, think this should be number one in that relationship, the reality is it just hasn’t been. And early in the Obama administration, there was much more discussion around trade, and climate, and engagement with China than there was about cyber operations. And certainly in the Trump administration there’s a lot more discussion around trade, less on climate, than there is on cyber.
So it’s important for those of us who study cyber operations to recognize this is only one piece of a very complex relationship. And that with the exception of the 2015 period, that one piece really was not at the fore of that relationship. Now, when it comes to the 2015 agreement, it’s worth noting it’s—the agreement was to not hack private sector companies and use it for economic benefit. There were wide classes of hacking activity that were still permitted. And both the United States and the Chinese availed themselves of these options. And what’s striking here is that the Chinese, in this class of permitted activity, have been very aggressive and very successful.
If you look at things like the OPM hack, getting vast amounts of data that should have been much better secured, Chinese military espionage, Chinese economic espionage that might not have been for the benefit of particular corporations, China has shown a willingness to be incredibly aggressive in its espionage capabilities, and the defensive successes are pretty few and far between. And I do think it’s been an incredibly significant arrow in the Chinese quiver over the last decade or two as part of their national strategy. Which is maybe one way of saying, we should have given it more attention than we did as we evaluate this relationship. But for the U.S. side, we haven’t really seen that happen.
VAVRA: And we have about two minutes before we’re going to go to questions, but in our last sort of question on stage here I want to talk about Iran a little bit. Last Friday the U.S. killed Qassem Soleimani, the chief of the Quds Force for the IRGC. How likely is it that Iran will respond in a cyber—in the cyber realm? And to sort of couch this, we’ve seen a couple of people who are claiming to be Iranian hackers deface certain websites. For instance, today there was a defacement of a website for a Texas government website. Is that part of the equation here? Do you see more happening, if that is indeed Iranian hackers?
SCHNEIDER: The reality is the Iranians have been conducting these cyberattacks over the last year, if not longer. So I don’t—I think cyberattacks will continue to occur. And we’ll probably have more proxy small-scale defacements right now than we would see otherwise. But a lot of the doom and gloom headlines that are out there right now I think are overblowing or overhyping the immediate cyber threat coming from Iran. Iran is a capable cyber actor. Iran is a willing cyber actor. That means that Iran will conduct cyberattacks. Iran has tried to influence and affect U.S. critical infrastructure for the last, like, six years—I mean, basically since Stuxnet. So it’s not like they—you know, they have this capability and they’ve been deterred in the past, and maybe now they’re going to turn it on. I think they’ve been trying this entire time.
But I think the real danger that is occurring right now is that these types of cyber operations, which are kind of small scale, might create some sort of confusion in decision making in a way that creates the chance of inadvertent escalation. So, I mean, when you have a bunch of military forces that are in the region, that are at alert, that are thinking about conducting strikes that have to be very precise in order to limit the escalatory impact of them, then you really want to make sure that you have really good command and control of those forces.
And the reality is that what these kinds of small-scale but prolific cyberattacks bring is that they increase cyber fog inside a geographic region that is already really close to war. So to me, that is probably the biggest danger that’s in this particular crisis, is the combination of the military forces that are already on alert with the potential of cyber fog. And I’m less worried about large-scale destructive cyberattacks on the U.S. domestic population.
BUCHANAN: Iran, as Jackie said, has been quite active for the last seven years. There are three big categories of Iranian attacks we’ve seen already. In 2011-2012 Iran carried out denial of service attacks against U.S. financial institutions. In 2012 and a number of periods since then it’s carried out attacks—destructive attacks against Aramco and other Middle East entities in Saudi Arabia. And then in response to Sheldon Adelson’s comments that the United States should use a nuclear weapon against Iran, it attacked the Sands Casino that he owns. So they’ve definitely shown, maybe more so than almost any other state, a willingness to punch in cyberspace.
I think it was Keith Alexander, it may have been Mike Hayden, who said one of the things about Iran that was so striking is that they almost seemed emotional and impulsive in cyberspace. That they would use a capability once they had it to express their displeasure at something. And it wouldn’t surprise me if we see that kind of action here. Again, I don’t think it’s going to change the broader strategic relationship. I don’t think they’re powerful enough. But it wouldn’t surprise me if the Iranians developed some capability and used it in the course of 2020.
VAVRA: Thank you. And I will—to put a pin in that—last year in the summer when there was some activity, an increased spike of activity from Iran, I spoke with an NSA technical director. And he said: Right now we’re just seeing Iran look to conduct espionage to understand what policymakers are thinking in the U.S. So maybe that’s why we’re seeing sort of maybe not something so punchy right now.
But I’d love to bring it—bring our questions open to the members. And we have about thirty minutes. The woman in the glasses right here.
Q: Hi. Thank you, Mariah Bastin.
So I know Iran is obviously top of mind, but my bigger concern is on 5G, which no one has really alluded to. But 5G being as disruptive as it will, and is, and can be on emerging disruptive technologies, and the gambit of the U.S. government and alliances writ large for deterrence and defense. My question is, talking about offensive maybe not in the traditional sense, since this is around more offensive military tactics, are not necessarily in the conventional, traditional way that we’ve always discussed it in decades past, but how can the U.S. get ahead of things, which I would admit 5G was a failure on our part and there’s really no good alternative. And if it is, allies are willing to buy into it regardless of the fact that their security could be compromised, because it’s a cheaper option. So I’d like to hear the thoughts on how the U.S. can advance in that realm.
BUCHANAN: Sure. So I think there’s two pieces of the 5G puzzle that are important. The first is, there’s a very real risk of overhyping what 5G can do.
SCHNEIDER: Yes. Yes.
BUCHANAN: And I think there’s a notion a lot of times that 5G is just going to radically transform our society. And count me as a skeptic of that. I think that it’s going to be faster internet on your phones and on your other devices. And we’re—if you sort of dive into the details of the 5G specification, we’ve walked back—we here being the international telecommunications community—we’ve walked back some of the capabilities. And I don’t think it’s going to be nearly the societal force for transformation that it’s sometimes portrayed.
That said, it is the terrain on which future cyber engagements will be fought. And one of the things that we don’t do nearly enough of when we study cyber operations between nations is think about this digital terrain. No one talks about telecommunications companies in the world of cyberspace, and yet they are the world of cyberspace. So to the degree that we’re looking at which companies are making that equipment, I think there’s a very real concern there. And I think I would share your worry about Chinese equipment throughout U.S. and allied networks, or just allied networks. But I think that’s independent of the 5G discussion. And it’s independent of any discussion about 5G’s capacity to change society. That’s just an update of the terrain on which these engagements will be fought.
SCHNEIDER: I completely agree with you, Ben. There was a Wall Street Journal article a few months ago that had this huge picture of a little boy in China playing on a mobile device. And the headline was, like, China has 5G in rural communities that don’t even have plumbing. And I thought, I’d rather have plumbing. (Laughter.) Like, you know? I think sometimes we forget that, like, 5G is not the invention of, you know, sewage systems. And so I am more skeptical about the overall kind of revolutionary transformative aspect of 5G.
I am, like Ben, very concerned about the U.S. not having control of resources that are critically important to its national security. And I am concerned about our allies using resources that are basically intelligence pipelines for other countries. And this goes beyond 5G. We have a really, really, really difficult conversation that has to happen about supply chain vulnerabilities and the impact that that has on national security. And it’s a nasty, messy conversation because it has to do with regulation.
VAVRA: And I would also say, particularly with 5G, just speaking to Ben’s point about cybersecurity issues and cyberattacks, thinking about IoT has particularly come up in my coverage. Russia, for example, in August started probing in different IoT devices. And that’s definitely an attack surface that will probably expand with 5G. So that’s sort of to your point, Ben.
SCHNEIDER: Yeah. We used to have—a few years ago we would have generals come in—unnamed generals—come in and say: I want a Fitbit on every one of my soldiers. And then, like, a few years later you’re like, really, you want a Fitbit on every one of your soldiers? You know, because now you can track them. So we just have to remember that the IoT does bring with it—you know, makes you more capable and also more vulnerable.
VAVRA: The gentleman here in the blue shirt.
Q: Charlie Stevenson from SAIS.
I saw a report a couple years ago, unclassified, that said the U.S. government was spending two or three times as much on offensive cyber R&D as on defensive. I worry that our military has a 1914-like cult of the offensive and privileges the offense. What’s your sense of are we doing enough on defense and resilience?
SCHNEIDER: I would totally agree that we have a 1914 cult of the offense problem. I don’t think that’s a cyber-specific problem. I think that’s across technologies. Everything’s faster, and more likely to create first strike stability dynamics. When it comes to, like, are we spending more on offense than defense, probably—I don’t know the numbers, right? I’ve never seen them. But probably not, because just the way you calculate that is really complex. The defense is going to be rolled up into a lot of service-specific IT solutions that are not necessarily called “cyber.” Offensive cyber is actually, like, easier to categorize and code, because it’s relatively bounded. There are very few organizations that can do it, and you kind of know what it is. Defense really spans the entire IT architecture for the Department of Defense. So I haven’t seen those numbers, but I would guess we probably spend more on defense than offense.
BUCHANAN: I also don’t know the numbers. I think they’d be classified, even if we did know them. I would only suggest that a lot of—as a country, the defensive line that we need to protect is not in the U.S. government. And a lot of times the relationship between the public and the private sector is one of the most important pieces of the cyber defense puzzle, and one that doesn’t get a lot of attention. Ninety percent of critical infrastructure in the United States is privately owned. And there’s a lot of complexity around that relationship.
And when I worry about the United States and cyber defense, it oftentimes is this sort of long tail of vulnerability, oftentimes in the private sector, that I think is what I worry about. There are pieces of the U.S. government that are very vulnerable too. Again, the OPM breach and the lack of defenses there was just malpractice. So there are key parts the U.S. government needs to do better. But a lot of what we need to defend for our society is in the private sector. And right now, that relationship is, I think, weaker than many folks would like to admit.
VAVRA: Let’s get someone in the back. This gentleman with the red striped tie.
Q: My name is Alex Yergin.
I’ve really enjoyed this conversation so far. Building on your discussion about trust and about sort of the gray zone we’re in now, are we in a world where this sort of gray zone is just going to go on forever, and we’re just going to have to adjust our way that we do any internet? Or is there actually such a thing as cyber peace?
SCHNEIDER: I don’t believe in cyber peace, but—(laughs)—
BUCHANAN: So the last line of my first book was, “There’s no easy way out.” And the last line of my second book is continuing that theme. So I’m definitely in the notion that this is an area in which nations are going to compete. Again, I’m very skeptical of their capacity to signal and manage escalation. And I think this is an environment in which the competition is unbounded. What worries me, as I said before, is if you look at the last fifteen or twenty years, the competition has only gotten more aggressive. And at some point we’re going to have to put a cap to that. But I think we’re a long way from reversing that trend and getting toward cyber peace.
SCHNEIDER: I think where you might see, like, a downtick is if the cyberattacks become so prolific that you actually see people revert to nondigital means of communication, or transactions, or, you know, we see actually kind of, like, moving back towards paper and pens. Then maybe you’ll see more cyber peace.
BUCHANAN: (Laughs.) That’s an optimistic view. There’s one point on this cyber peace question I think we should draw out further, which is that it is in the perceived interest of almost every nation to proceed with this kind of engagement. If you look at the great powers—Russia, China, the United States—no one is really trying to dial this back in any kind of meaningful way. And everyone has their set of norms they’re pushing. But this is an environment in which nations are quite comfortable competing. And each nation has had very significant wins in its arsenal over the last ten or fifteen years in cyber operations. And I think each perceives an incentive structure that they don’t trust the other side, so they’re unwilling to make the first move to dial it back, and they can gain a lot from winning this competition, so why not keep going?
SCHNEIDER: But I do think there is some, like, strong things that we can learn from nuclear arms control. So there have been a lot of—absent the last few years—there’s been a lot of successful kind of arms control agreements in the nuclear realm. None of those are to completely get rid of nuclear weapons, right? So the most successful arms controls are those that are, like, very specific and that are clearly verifiable. And I actually think that there are things that we can do in cyberspace that do set some types of capabilities and some types of attacks kind of off the table. So actually one of the things I’ve been advocating and that I’m working on is the idea of a no first use on strategic cyberattacks against critical infrastructure. What that would look like, if it could be implementable, and whether the U.S., as a first mover, if it did that if that would have any sort of impact on U.S. credibility or ability to control escalation short of attacks on critical infrastructure.
VAVRA: And this has come up a little bit at the U.N. recently. There’s something called the Group of Government Experts that’s been meeting since about 2006-2005 to discuss cyber norms and what is acceptable behavior in cyberspace. In the last couple of years it’s been—it’s faltered a little bit. It’s been contested by Russia and China, for instance, in terms of what is acceptable in cyberspace and what behavior is acceptable in terms of attacking critical infrastructure in times of peace. And now there’s two different groups. There’s one that’s sort of perceived to be led by the U.S., and there’s one that’s called the open-ended working group. And it’s perceived to be sort of pushed forward by China and Russia, to sort of contest that norms-building. So this is actually being contested right now at the U.N. Just an aside there.
Wait, we can do both. You and then you. Sorry. (Laughs.)
Q: OK. My name is Ken Oye. I’m a professor of political science and data systems at MIT.
I want to ask a question on two topics that your panel has been chewing on. You’ve been focusing, first, on dogs that bark a lot. And that would be nonstate actors, and state actors, working financial fraud, information theft, and information manipulation. And we’ve talked about that both in the first panel and the second. Recently, in the last ten minutes, you focused on threats that are quasi-kinetic, cyberattacks on infrastructure. And those are dogs that don’t appear to be barking that much. They bark. We have examples. The examples that you’ve talked about are Estonia, Ukraine, certainly some of the more recent Iranian activities, and Stuxnet. But that’s not a long list.
So the question, and it’s really on state-to-state cooperation, with reference to the dogs that are barking a lot, much of which is conducted by nonstate actors, is there the potential for state-to-state cooperation in managing or limiting transnational threats, as there is in the area of biosecurity? And with a reference to the quasi-kinetic attacks on critical infrastructure, which are not taking place that much. Ben, you’re saying they’re rising, but it’s still far less than what states are capable of. Is there tacit understanding now that could be adjourned for further cooperation? Or are we just lucky? It’s certainly not because of our effective use of deterrence, because you were saying that we don’t do enough of that. So what’s the explanation, if you will, of tacit, limited cooperation on the kinetic? And is there the potential for more formal agreement, what Mr. Yergin described as cyber peace?
SCHNEIDER: So I actually—so I think Iran has not been deterred from taking those types of cyberattacks against critical infrastructure that create physical damage. I just think they haven’t been capable. But I do think Russia has been deterred. I think that they might have the capability to conduct some of those types of attacks and have, for some reason, not conducted them yet. So at some level this kind of strategic deterrence—this deterrence of strategic cyberattacks seems to be working. And that’s why I do think there actually is something there that we can—that we can kind of build off of.
And I think if we take a really small chunk of that, there is a potential for, while not kind of the type of arms control that would be, like, a verifiable—like, an IAEA count the missiles type of arms control—I think that there might be some sort of ability to graft norms when it comes to strategic attacks on critical infrastructure. And so I actually see a lot of potential—that we could do potential progress there. I see reports in the New York Times that the United States is actively putting malware in Russian electric grids as being not beneficial to that conversation. Even if the U.S. is doing it, I don’t really understand the point of publicizing and showing this as, like, some sort of signal. For me, that just seems to be counterintuitive.
BUCHANAN: I’ll take the first part of the question around the transnational threats. I don’t think Russia or China have an incentive to cooperate in mitigating these threats, which is to say there’s a very blurry line, in particular in Russia, between organized crime, criminal for-profit hackers, and the state. And you can point to some indictments of Russian hackers in which the United States will indict FSB hackers alongside criminal hackers, working together on similar or the same operations. And I think for Russia, this is a feature and not a bug.
China is a more complicated case. I think ten years ago I would have said what I said about Russia about China too. It’s probably fair to say that China has centralized a lot of its hacking apparatus. They’ve cut down, at least as far as we can tell, on some of the moonlighting their government hackers were doing for economic benefit. So there may be some room there. Again, it’s just such a tiny part of the broader U.S.-China relationship, I don’t think it’s going to get picked up. But there may be more room with China than with Russia.
On the broader point about critical infrastructure, again, I don’t think nations perceive an incentive structure that will make them willing to pursue the kind of hopeful vision that you’re talking about. If you look at what Russia has done—caused two blackouts in Ukraine. The second blackout even—
SCHNEIDER: That’s in the context of an already physical campaign that’s happening.
BUCHANAN: Yeah, but the second blackout has malicious—you know, used malicious code that—
SCHNEIDER: I mean, they’re killing people in Ukraine. So, like, that escalation line, to me, has already been overstepped in Ukraine.
BUCHANAN: All I would point to, in the 2016 cases prior to the U.S. election the U.S. is quite publicly talking about its capacity to strike at Russian critical infrastructure, potentially some kind of signal, and then you see in December 2016 a blackout in Ukraine carried out with malicious code. Unlike the 2015 blackout, far more automated, far more capable, far more capable of being used against the West. And again this is—
SCHNEIDER: I just think that things that the Russians would do against Ukraine are not indicative of the actions that they would take against the United States.
SCHNEIDER: That’s why I think that there are potentials for the U.S. and Russia to have some sort of tacit agreement at this higher level.
BUCHANAN: I don’t doubt the potential at all. I’m only suggesting that right now the relationship between the two countries is such that no one’s willing to engage that and everyone is suggesting the opposite, which is we’re in your electric grid. You should know that.
BUCHANAN: And I’m not at all optimistic that’s going to—
SCHNEIDER: It’s true. I don’t think that that’s helpful.
BUCHANAN: —that’s going to lead to any kind of walk back. Again, the incentive structure—at least, the perceived incentive structure—is often one of more aggression and more sabre rattling, even if the sabre rattling is hard to interpret.
VAVRA: A question here in the middle.
Q: Thank you. My name is David Simon. I’m with Mayer Brown.
My question is to turn back to Iran and Russia and ask: For private companies that are being attacked or anticipate being attacked, what’s the state of readiness? What has the U.S. government been doing that is helpful? Has there been joint planning, to your understanding? Beyond information sharing, what is being done? And then, what options should be put forward to the president or the commander for U.S. Cyber Command right now to make sure that companies aren’t just sitting back and waiting? If they don’t have a sophisticated hunting team, with the likes of FireEye and CrowdStrike to help them, what should the U.S. government be doing to stand in the way and take action offensively or defensively?
BUCHANAN: There’s a normative question of should here, which I’m actually not—I’ll kick that one to Jackie. I will answer—because that’s the harder one. I’ll answer the sort of factual question. And I think it was quite revealing, Eric Rosenbach, who was a senior official in the Obama administration, testified and said: The U.S. government’s really only come to help you as a company against the top 2 percent, I think he said, of threat. Which is to say, beyond some sort of baseline discussions, many companies are facing these threats on their own. Again, I’ll leave to Jackie if that’s how it should be.
But I think that’s an important thing for C-suites to realize, which is that this is an environment in which basically every major company, no matter their business, is a technology company, or has a huge technology component. And especially beyond a certain scale, they’ve got to build a cyber defense posture that’s capable of standing up to significant threats. And I don’t think, based on the current arrangement of facts, they should expect the U.S. government to do it for them. The U.S. government has not shown a willingness to do that.
SCHNEIDER: I love that David asked this question, because David played in my—the last private sector critical infrastructure war game that we conducted at the Naval War College, where these types of issues were being played out. The U.S. government actually does not have the same kind of capacity that some of the private sector firms do to conduct cybersecurity defense. So in some cases, you know, the Chases of the world, the best partnership is things like the pathfinder initiatives, where they are—they’ve built a relationship where they can share information. That way, if Chase has information that the U.S. can use to conduct counter cyber operations you have some sort of way to facilitate that. And that’s really helpful for these, like, big organizations that have a very sophisticated cybersecurity capability. In that way, they’re almost aiding the government in the government’s efforts more than the government’s aiding them.
Where I really struggle is with, like, all the, like, mom and pop or kind of average business whose cybersecurity consists of CrowdStrike and—or, no, their cybersecurity consists of a cloud provider, a cybersecurity McAfee package, and insurance. And what concerns me about that is that the U.S. government has no resources to help every single one of those people individually. But as I see that, like, most of these people are kind of giving their cybersecurity to a few organizations, we’re actually centralizing risk so that instead of being just one mom and pop company that gets attacked and is down, and if it’s a cloud provider you find that anybody that’s, you know, using that cloud provider, or anybody that’s using that particular type of cybersecurity service.
So I am actually really concerned about the centralization of those risks. And I think there is a role that the U.S. government can play, especially DHS, in aiding cloud organizations or cybersecurity organizations that are kind of centralizing most of the business practices that are happening inside the United States. So work very closely with them to try and give information and, where possible, centralize information that’s coming from businesses to go back to the DOD so that if there are opportunities for counter cyber operations, that information is passed appropriately.
VAVRA: Can we have the woman here with the dark hair.
Q: Thank you. Paula Stern.
I want to go further into this discussion about really the differences between our system in the United States, with the private sector in theory being the dominant, and, for example, China or even Russia. I’d like you to talk a little bit about the intellectual property theft issue, which you touched on briefly, and the role that is being played and/or should be played by the U.S. government whether it’s the Department of Justice, which has gotten involved increasingly and/or you mentioned just the DHS in another context. What role should we retain in our system here in the United States in this cybersecurity threatened world? What role should we be retaining to assure that our system—our economic system, free-market and private sector—will continue to be robust vis-à-vis particularly China, which is the growing economy of the world?
SCHNEIDER: Do you want to take it?
BUCHANAN: Sure. I think the only option here, if you take the view that I think you’re espousing about intellectual property being a primary tenet of our system, is to elevate the importance of intellectual property theft in the Chinese relationship. And the Obama administration, again, tried to do this at the end of its time. There was mixed success about that. It is right now just not a significant part of U.S.-China discussions, which have much bigger fish to fry. And I don’t think we should be surprised if there are few meaningful consequences for intellectual property theft, that that theft continues. And there’s a variety of incentives as to why there’s been few meaningful consequences.
One obvious incentive that challenges pushing back is an incentive to collect on Chinese hackers versus to show the information in an indictment. And there’s been tensions in the U.S. government around that. The U.S. government has pursued a strategy of indicting more Chinese hackers for their activities. Obviously not ever seeing the inside of an American courtroom, or few have seen the inside of an American courtroom. And given that incentive structure, and given the relative inattention to this issue, I don’t think we should be surprised if China continues to act in this way—which does not excuse the activity, of course.
VAVRA: Right here.
Q: Hi. Jill Dougherty from Georgetown University.
I just wanted very quickly to shift the focus from terrestrial to space. What are the vulnerabilities in space? Who are the actors who can carry out attacks? And what’s the protection or mitigation of that? Thanks.
SCHNEIDER: Yeah. Space is fraught. And from a—I mean, cyber and space are intimately connected because the reason why space is relevant is because of the digital information that flows in between the satellites. But the physical way in which that information is sent and received—uplinks and downlinks—mean that they’re just natural targets. There is cyber information there that is a really important target. There are physical limitations of attacks on space about kind of the physics of how you intercept those uplinks and downlinks, which in some ways I think may be cheaper to deal with than some of the cybersecurity options. I don’t know, they’re intimately connected. I don’t see an immediate solution. (Laughs.)
BUCHANAN: Yeah, I think this is job one for the Space Force. (Laughter.) There’s a—
SCHNEIDER: It’s going to create a lot of tension between the Space Force and the cyber people. (Laughs.)
BUCHANAN: Yeah, I’m sure. I’m sure there’ll be plenty of bureaucratic politics to play out here too. At a minimum—and it probably is more complex than this—but at a minimum, this looks back to the 5G discussion. This is an expansion of the terrain. And again, we think so much of cyber operations as somewhere else, as not physical. And there’s reasons for that intuition, but there’s a geography to cyberspace as well. And as you get to a more mature understanding of how hacking works, that geography is really important. And we’ve got a good sense of that geography sometimes on Earth. We understand how fiberoptic cables create choke points. We understand how the telecom network is an advantage for some nations and a disadvantage for others. And I think we’re just starting to work out how that geography is going to play out in space. And anyone who tells you they have it all figured out I think is probably guessing. But if nothing else, that’s the frame through which I would view it, is this is the terrain on which the battles will be fought.
VAVRA: Do we have time for one more question? I’d love to end on some cyber-focused question. Sure, the gentleman here.
Q: Sorry to ask again, but in war you fall back from convenience from—in war you fall back from convenience, to shelters, to things of the sort. Should there not be a general advisory to entities in the United States, which is more digitally dependent than any of its competitors, for organizations to have fallbacks? On ships you have highly advanced steering systems. They fail, you fall back to hydraulic. Hydraulic fails, manual. So I give the example here, this is my phone. I use this phone, right, because I’m involved in stuff. So the question is, should there not be such a national policy?
SCHNEIDER: Yes. Every single cyber strategy or policy in the U.S., since they started being written, has mentioned the word “resiliency.” Everyone thinks this is a good thing. The reality is that resiliency is expensive and often decreases effectiveness. So your example about the ship, having multiple redundant systems is expensive. It’s also difficult to train on. So when you look at the recent problems that the Navy’s been having, part of their problem is that it’s difficult for the individuals to understand their highly complex digital system, and still be able to do the pen and paper kind of work. And in the U.S. military, you see us moving towards systems that are less and less digitally resilient.
I have a piece from a few years ago at CNAS called the capability vulnerability paradox, where I tackle just this. And I argue for weapon systems that have manual backups, and weapon systems and capabilities that can be exercised in a time of digital degradation. But it is expensive, and it takes a lot of time, and in the end if you’re competing for time and resources you’re competing against being the most effective force in a digitally—a digitally capable kind of environment, being the best at first strike. Really, it’s a debate between being the best at first strike and being able to survive a second strike. And I can tell you, it’s way sexier to buy weapons and prepare for things that are first strike than surviving second strike.
BUCHANAN: That’s exactly right. (Laughter.)
VAVRA: And with ransomware—and with ransomware now, that’s particularly an issue for state, and local, and schools, and other organizations that may be really small but might be totally hampered by a ransomware attack if they don’t have a backup.
So I want to thank CFR for having us here, and then Ben, and Jackie, and the members for listening to us and talking with us today. (Applause.)
ROBINSON: Good morning. I’m Linda Robinson with RAND. It’s my privilege to moderate this session with Senator Angus King of Maine and Representative Mike Gallagher of Wisconsin.
KING: Of Green Bay, Wisconsin. Green Bay.
ROBINSON: (Laughs.) As his pin shows. They are both the co-chairs of the Cyberspace Solarium Commission. And we’re here to talk about their work, which will become public—the public report will come out in a couple of months. But we have the opportunity here to discuss the issues that they’re addressing and get some insights into where the commission is coming down. This session is on the record. And you do have their bios in your packet.
So without further ado, we’re going to turn to some opening questions here, first with Senator King. Could you describe briefly the rationale for the commission’s formation and also give a threat picture of what you consider the key threats that have increased the urgency for government to act?
KING: You just enabled me to fill the rest of the hour. (Laughter.)
ROBINSON: Just a few minutes.
KING: The background of the commission is—Mike’s on the Armed Services Committee, I’m on the Armed Services Committee and the Intelligence Committee in the Senate. And we just have been through hearing, after hearing, after hearing about the seriousness of the cyber threat, which I’ll discuss in a minute, but also about the failure of our government to be in a position to respond adequately. And on a whole bunch of levels, some structural, organizational, and some in terms of policy and doctrine. And the commission was a—the brainchild of—it came out of the armed services bill, the defense bill two years ago. And it’s a kind of unique structure. It has four members of Congress—two senators, two members of the House, four members from the executive, and then six members from the private sector. So it’s an interesting discussion.
And of course, the reason that it was set up, not only are we inadequately prepared but we’re in a very volatile threat situation where cyberattacks are not imminent, they are happening. And they are happening on a continuous basis. And we found that we just aren’t in a position to really respond adequately. And it’s an absolutely serious threat. I mean, everything from the stealing of intellectual property. I mean, Google a picture of the new Chinese strike fighter. It looks exactly like the F-35. And that’s not a coincidence. And the same goes for the threat to our election security, to our critical infrastructure. So incredibly serious threat that the Congress felt collectively was just not adequately being addressed.
GALLAGHER: Well said.
ROBINSON: Yes. So what I’d like to ask Representative Gallagher to do now is give a quick overview of the commission’s approach to developing a comprehensive strategic roadmap and some of the key priorities, so we can just get an overview of how you have tackled this really vast and complex field.
GALLAGHER: Sure. Well, first of all, I want to thank my co-chair, Senator Angus King. It’s been an absolute honor to work with him on this project. It is often not fun being in the minority in the House, but this project has made the last year incredibly, incredibly interesting, exciting. And Angus King is a great American and has had the wisdom to marry a Packers fan. (Laughter.) So by extension he is a Packers fan. And so we welcome him on the bandwagon, certainly now that the Pats have immolated. (Laughter.)
But also what a great topic for CFR. I mean, great-power competition has suddenly become all the rage in D.C., and indeed the National Security Strategy and the National Defense Strategy are positing that we’re in this era of great-power competition, which is a massive sea change given where we’ve been for the last two decades. However, in cyber dilemmas quickly emerge. I mean, I think the fundamental thing we’ve been grappling with is, you know, unlike nuclear weapons, for example, you don’t need necessarily access to nation-state resources to have access to very powerful cyber weapons. In other words, you don’t need to be a great power to have a great impact in cyber. And deterrence is hard enough when it comes to dealing with nation-state actors where the decision makers are known, and yet still unpredictable. It becomes even more difficult when you’re dealing with nonstate actors who may not be known, and whose identities are obscure, or nation-states that intentionally try to obscure their activities in cyberspace.
So in some ways, if we look back at the early ’50s as the inspiration for this, where the fundamental insight of nuclear strategists, like Bernard Brodie and others, was that deterrence could not be allowed to fail, and that the military’s primary activity would be the avoidance of war rather than the winning of it, I think our starting point is the recognition that deterrence, particularly below the threshold for military force, is constantly failing, right? And the military needs to be in the business of empowering the private sector to develop more resilience to do deterrence by denial, in other words, but also to develop a strategy that allows us to do deterrence by punishment.
And I think it’s fair to say right now, without being able to reveal to you what the text of the final report looks like, that we all agree that deterrence in cyber, while difficult, is possible and, indeed, doable by the federal government. But it’s going to require the federal government to act with much more speed and agility than it is currently acting with. And if I, and this is me personally. I don’t speak for the rest of the commissioners. If I had a theme that I think will emerge from the seventy-five recommendations we have, organized along six pillars or lines of effort, it’s this: It’s how do we get the federal government to be able to operate with speed and agility in cyberspace? How do we get an organization that is not optimized for speed and agility to be able to operate that way?
A lot of different things within that. Three, to me, stand out, where I think—I’m really excited about where we’re going. One is, rather than sort of creating a bunch of new agencies and structures, we’re trying to figure out, you know, how do you enhance and empower the agencies we have right now? We’ve made significant strides in recent years, in recent NDAAs, in giving CYBERCOM enhanced authorities to do persistent engagement. I think that’s largely been a success story. But I think there’s more we can do when it comes to enhancing the role of CISA, right? Making CISA, for lack of a better way to describe it, a sexy place to work, where the best and the brightest want to participate in this mission of defending our critical infrastructure, defending the homeland from cyberattacks.
Secondly, I would highlight the need that I think spans ideological divides to ensure the integrity of our elections. I think if we screw that up, if we don’t figure that out, we’re going to be in a world of hurt, and confusion, and online and real-world chaos. And that’s an area we’re going to have some strong recommendations. And then finally, personally, I mean, you know, I think this question of how do we incentivize the private sector to act more responsibly and to do more timely reporting and really get the federal government to recognize that it exists in support of the private sector in cyber, is an area where we’re going to see a lot of recommendations. So those are three things I would highlight. We can get into more details. But I’ll stop for now there.
KING: And one of the things that makes this particularly complicated is that 80 percent of the target surface is in the private sector. So it’s not a typical army versus army. It’s how do we defend the electric system in the Southwest, or the water system in New York? I mean, there are—the relationship—one of the things we’ve struggled with most in our work is the relationship between the federal government and the private sector, building up trust and a relationship where intrusions are reported promptly, are processed promptly, and the response is developed in a timely way that makes sense. That’s one of the real complications we’ve wrestled with.
ROBINSON: Yes, thank you. And let me start, Senator, with you in a follow up on that point, and then we’ll come back to some of the governmental organization issues that you will hope to address. What—can you say more, really? We’ve had a great deal of talk this morning about the private sector. Some sense here, I think, in the room that they’re out there alone and unafraid, having to defend their own systems, and maybe there should be more of a role for government. You’ve talked a little bit about norm-setting standards. Is there new legislation, regulations incentivizing the type of cooperation that you hope to gain, and what government can do for the private sector, which is the critical—owner of the critical infrastructure in this country?
KING: Well, like Mike, I don’t want to speak for the whole commission, and I also don’t want to get ahead of ourselves in terms of the adoption of our final—our final recommendations. But I think as a general matter, and I’ve sat through a lot of hearings with utility executives, with secretaries of state. I believe—and this isn’t insulting anybody—but I believe everybody is overconfident. I think people—you ask a CEO, how are you set for cyber? We’re all set. And his CIO says, yeah, we’re all set, boss. And you know, and I just don’t believe it. And the same thing with secretaries of state. So one of the things that we have to really work on is how do we ensure that they are at some minimum level of cybersecurity.
And I remember—Mike, you probably remember—we had a meeting several weeks ago. Something like 90 percent of the risk or 95 percent of the risk of a cyber intrusion into a commercial network can be eliminated by the simple thing of not having your people click on phishing emails. I mean, cyber—basic cyber hygiene can eliminate a lot of the—a lot of the exposure. Not all of it, but a lot of it. So we’re talking about—one interesting aspect of it is insurance. If there was a vigorous insurance market for cyber destruction, the insurance market would enforce the hygiene. Do you see what I mean? In other words, the insurance company will say to the company: If you do these things your rate will be X. And if you don’t do these things, your rate will be 2X. That’s a kind of incentive to provide a stronger cyber deterrence.
The other thing is for the federal government to be more forthcoming about what it’s seeing and hearing in terms of threat. Often the federal government falls back on everything’s classified. And we can’t tell you about this. I mean, we went through this crazy thing about when to notify a political candidate that their campaign was being hacked. And you know, it’ll take four steps, and a month, and all this kind of thing. We’ve got to get over that, I think, and be—the federal government has to be more forthcoming. If they see a threat, call up the people that are being threatened and let them react. So a whole lot of—a lot of that. And the private sector has to trust the federal government that they’re—we can protect their private data. If they are being—if their personnel system is being invaded they have to be able to trust the fact that they can let the government know that, and that it somehow isn’t going to be subject to a FOIA request or otherwise become public. So there’s a lot of that complexity about that relationship. And this is sort of uncharted territory.
GALLAGHER: I agree. I would say—well, I think one sort of obvious thing the federal government could do to sort of help the private sector would be to dramatically enhance our attribution capability and, as a follow on to that, sort of create a culture within the national security community that is willing to assume risk and share that information with the private sector, whereas those of you who have worn a uniform or worked at an agency know that that is not sort of the default mode of the national security community in general and the intelligence community in particular.
Getting to the private sector itself, I think the challenge is—and Angus alludes to this—we can’t—we don’t want to pass a law that says: Every American must have two-factor authentication. Though every American should, right? And we should enhance awareness of that. You know, it took me fifteen minutes to set up my smart TV because of two-factor authentication. The fact that I had to wait that long to watch The Mandalorian was a tragedy, but I was willing to do it so that I was more secure.
However, I think there’s some smart ways we can capitalize on some best practices that are already emerging in the private sector. So for example, the 1/10/60 reporting, that’s a best practice emerging in the private sector, whereby, you know, you’re able to detect an intrusion within one minute, you have an analyst evaluate it within ten, and then you remediate it within sixty. This is important because it usually takes less than five hours for people to achieve—for hackers to achieve breakout on a network. You know, operational control where they can achieve their goals. 1/10/60 gets at that.
You could imagine a world in which we require regulated companies or critical infrastructure to collect 1/10/60 data, or something similar. They don’t have to publish it, right, because we don’t want to hurt their stock price or create all sorts of perverse market incentives. However, in the event of a major breach, you are able to interrogate those data and determine whether companies were negligent. And thereby, the point of this would be to create an incentive for the C-suite types, a financial incentive, to invest more in cybersecurity.
And the final thing I’d say is the federal government can lead by example by having a better reporting process to Congress and a better oversight structure in Congress where we’re able, at least on a quarterly basis, to poke the relevant agencies and see how are we doing in cyber? Are we improving? Are we a learning organization? So this is a very complex topic. We’re going to have a lot of different recommendations in it. But I’m excited about kind of the direction the commission is headed.
KING: One of our most valued commissioners is a fellow named Tom Fanning, who’s the president of the Southern Company, which is I think the nation’s second-largest utility. And he’s been virtually to every meeting. And he’s been really—I realize using virtually in this audience is a different. (Laughter.) He’s been to pretty much every meeting and has been a very active participant, and is very helpful to us in this, particularly with the critical infrastructure piece.
ROBINSON: Good. Thank you. Let’s turn now to some of the organization reform issues to increase the interagency agility and some of the responses needed. And starting with Congress, the legislative branch. And I—
KING: Oh, no. It’s all good, you know. (Laughter.)
ROBINSON: Every commission—every commission has some plank in it to reform Congress, and rarely do they occur. But I think it’s very important to start with that, to just see your perspectives on the critical steps that you think are needed to overcome stovepipes that exist, whether it’s organizational or jurisdictional.
GALLAGHER: Wow, I’m kind of—I don’t know what we’re allowed to share and what we aren’t. We’re still actively debating some of this. And it’s, like—it’s asymptotic. The closer you get to the line it—you know, we’re never quite across the finish line now. But I think it’s fair to say—
KING: But I think we can talk—we have consensus that we need to reorganize and consolidate.
GALLAGHER: Yeah, yes. And I’ve already mentioned, I think, the desire to enhance the role of CISA, elevate it. You know, not create a new agency, but kind of make—get all the ingredients in the cyber community working together. I think there is near unanimity on the need to have a sort of focal point within the White House to do oversight of that cyber community, although the devil is in the details with that proposal. And then I think there is near unanimity on the desire to have a congressional—to fix the problem whereby congressional oversight of cyber is disparate and divided among a ton of different committees and subcommittees. And perhaps taking inspiration from the ways in which the select committees on intelligence were formed in the ’70s, figuring out how we can better do oversight of cyber from Congress. So those are kind of the three buckets. And I may have said too much.
KING: No. My general principle is that Napoleon said war is history. And Freud said anatomy is destiny. King says structure is policy. If you have a sloppy, confusing structure, you’re going to have sloppy, confusing, bad policy. And that’s what we have. We have—I can give it from personal experience. Jim Risch and I had a little very uncontroversial—noncontroversial bill about cyber protection for the electric grid. I think we introduced it three and a half or four years ago. It’s been through—it went through two or three different committees. It never—it just couldn’t quite get there. And finally it was passed and signed into law in this National Defense Act. But it took three or four years to do something fairly straightforward to protect the electric grid.
That’s unacceptable. And I’ve made speeches on the floor where I’ve said, look, I don’t want to go home after a catastrophic cyberattack and say, well, we knew it was coming, and we might have been able to do something about it. But I’m sorry, we had four different committees that had jurisdiction, and we just couldn’t do it. I mean, that’s not going to satisfy my constituents. So we are going to try to talk about consolidating the authorities in the Congress. It’s tricky. No committee wants to give up jurisdiction. But I think the example of the Intelligence Committee—but hopefully we don’t need a Church Committee, sort of an intelligence catastrophe, as occurred in the ’60s and ’70s, to justify it this time. We think maybe the case is ready to be made, and we’re certainly going to make it.
ROBINSON: So thank you for that. Let’s turn to the force structure issue. And I think—if we could focus, I think, on DOD, but you may have other agencies in mind as well. But I think this is a critical issue in terms of what the force structure is currently, where it needs to go. And that, I think, includes both the roles and missions issue, as well as the workforce development and retention, which is so—it’s a critical, scarce asset at this point.
GALLAGHER: Well, without getting into the exact number, I think we can say that we will be requiring DOD to do a force structure assessment of the cyber mission for CYBERCOM and all the service cyber forces in the final text of the report. And I think it’s important to note that when we took a look at these—the operational capacity of the cyber mission force, which is now at full operational capacity. I think there’s 6,200 people across 133 teams. That was prior to the emergence of defend forward as an idea, an organizing idea within the cyber community, and prior to the emergence of a variety of threats that have now shaped our understanding of the cyber landscape.
And so I think it’s fair to say that while—that the force posture today in cyber is probably not adequate, I would go further and say: You can expect the report to have a variety of recommendations concerning how we enhance our partnership with allied countries, particularly those that have expertise in cyber. You know, the obvious ones stand out: Israel, Latvia, take your pick. And then finally, as it pertains to how the military is equipped to operate in cyber. This gets to a bigger debate about the technologies that DOD needs to accomplish its mission.
And in particular the question of connectivity and 5G, and whether we’re doing enough to ensure that our supply chains are free from the threat of espionage, particularly from the Chinese Communist Party, whether we need to disaggregate or separate key parts of our economy from China’s, and correspondingly whether that’s going to require us—and this is heresy for a Republican to say this word—to have some sort of industrial policy, for lack of a better term, in order to build things domestically.
KING: That was off the record.
GALLAGHER: That was off the record. Yeah. Yeah. (Laughter.) I just raised the question. I didn’t tell you that we were going to have—(laughter)—yeah. Let’s debate it. So that’s—
KING: Well, and the adequacy of the force structure and the danger of the threat is just not proportional. The danger of the threat that we face is so serious and so imminent. In fact, I’m sure—I don’t have any inside information or intelligence—but the folks in Tehran, I’m sure one of their options that they’re looking at right now is a cyberattack, because that’s a capacity that they have and that they’ve developed over the years. And that may well be their choice for a—for a response to the events of last weekend.
The other piece that’s interesting, and I talked to some military people about this over the weekend, some graduates of the academies. Do you need a cyber warrior to be able to do a hundred pushups? In other words, we don’t want to lower the standards of the military, but we need to tailor the requirements to the—to the job. And you know, that’s a—that’s sort of—that’s something that we have to start talking about, is what do we really need and how do we recruit those people? How do we retain them? And do they have to meet all the standards that this guy met when he went to Camp Lejeune?
GALLAGHER: We do pullups in the Marine Corps, for the record, anyway. Pushups are a weak Army thing.
KING: Yeah, good. I see, all right. (Laughter.) But those are the kinds of issues that really do need to be discussed. And recruiting. We have to—we’re—the government is competing with the private sector—with the major private sector tech firms with a lot more money. And we’ve asked people about how we do that, and the answer is: This mission. It’s important to people that they’re doing something important to defend the country. And that the military is full of extraordinary people who could be probably making much more money in the private sector, but who are choosing the mission. And I think that’s the same kind of mentality that we have to have in this field.
ROBINSON: Mmm hmm. So in the interest of getting to this very full house of questions, I’m going to ask one more question and then open it up. We had a lot of discussion about the plethora of threats this morning, obviously quite a bit Russia, China, Iran, Korea, and also across the gamut—espionage, surveillance, attacks, and then the criminal activity.
KING: And disinformation.
ROBINSON: And very much the cyber-enabled influence operations and disinformation. So I want to just ask one specific question, because I think you’ll get a lot of the array of how do we solve X. We are in an election season now. Election security’s already been mentioned. What specifically needs to happen to make the infrastructure more secure? And what can you tell us about what your report will say?
KING: I don’t want to, again, predict too much about the report, except that this is a—this is a concern. Occasionally I’ve heard people say, well, the election infrastructure is really secure because it’s a hairball. In other words, it’s so diverse, and you’ve got every community, and towns, and states, and it would be very difficult. That’s not really true. You don’t want to hack all of Florida. If you hack Dade County, or there may be counties in Wisconsin that any political consultant worth their salt can tell you where those counties are, you can cause an awful lot of trouble. And as I indicated before, I think this is a really serious vulnerability.
One thing that hasn’t been mentioned thus far that I think is an important tool, I suspect it’s going to be part of our recommendations, is red teaming. And that is some systematic way of testing the system. I mentioned the CEO who says everything’s OK. When a skull and crossbones appears on that CEO’s desktop and says, gotcha, love Department of Homeland Security, that may be a way of getting their attention. And I think that’s an important tool. When I was governor of Maine I used to routinely call our 800 numbers that the state had, just to see, you know, how long it took people to answer, and what they said. And I’ll never forget calling in July and saying: Well, I’m a tourist and I want to come to Maine. Can you send me some material? And they said, well, yes, sir, that’ll be very nice. You’ll get it in six weeks. Which in Maine is the end of the tourist season. (Laughter.)
So I think red teaming has got to be part of what we—what we talk about. And I just think, you know, we’ve got to be no intruding, not having it be prescriptive. But we’ve got to advise people that they’re—they’ve got some problems.
GALLAGHER: I think that’s well put. I think you expect to see recommendations for sustained funding of the Federal Elections Commission, and to sort of better operationalize some of this, but also bottom-up funding, right? There’s some great nonprofits in this space, The Center for Internet Security is one of them, that can sort of go into that hairball and figure out that it’s not just enough to throw money at whoever the state elections commissioner is, because it takes a long time for that money to trickle down and it may be administrated incompetently depending on the personalities in the state. But how do we have a bottom-up approach where we can help individual campaigns, you know, tribes, et cetera, et cetera—help this diverse ecosystem better secure themselves in an election?
I also—I think you can expect to see a requirement for putting the same disclosure requirements on internet platforms in campaigns that we currently have for television advertising and for radio advertising. And finally, I’d say I think you’ll see a recommendation for what I call the back to the future approach to election security, paper balloting. A paper audit trail, which, you know, is probably the best—I mean, this is also, for my sci-fi nerds, the Battlestar Galactica approach. Like, the older model sometimes is the most survivable. So no one gets that reference. (Laughs.)
KING: But we want to make it clear, nobody’s in favor of federalizing the national—the elections.
GALLAGHER: Exactly, yeah.
KING: But there are ways that there can be some coordination, cooperation, that I think can substantially strengthen our resiliency in terms of elections.
ROBINSON: Thank you. Now we’ll turn to the members for questions. And the drill, as you all know, is please wait for the mic, state your name and your affiliation, and please be succinct. We have many people here today. Ask a question and make it short, please. Thank you.
We’ll start right here in front and work our way back.
Q: Josh Stiefel, House Armed Services Committee Staff. Hi, sir.
GALLAGHER: They let you out of your cage to come here? My gosh. (Laughter.)
Q: Through the course of the Solarium work did you and the commissioners—were you at all troubled by over-information sharing, particularly with regards to elections? So I was trying to do a mental count. By my count, I can count the Belfer Center, the Brennan Center for Justice, CyberDome, DHS, Multi-State ISAC, Association of State Election Supervisors all putting out comprehensive playbooks, and all saying that their resources are the be-all, end-all. But if you have discrepancies in any of these, does that create potential areas of risk?
GALLAGHER: That’s a great question. But I view it as a positive sign. I mean, and I ultimately—and maybe this is my ideology shining through—I think the more we have nonprofits and people in the private sector stepping up to see—to take ownership of this issue, and the less it is a prescriptive top-down approach from the federal government, the better chance of success you have. Now, the challenge, I’d say, as someone who’s—you know, I’ve only been in two elections. My experience pales—Angus has, like, held every—like, he’s been the lobster commissioner, the governor. (Laughter.) Which is the most important job in Maine. (Laughter.) But maybe to your point, you really don’t know who to turn to and rarely have time in the context of a congressional campaign in particular, where my staff at my most robust was five people, to think about cybersecurity. But I think the more accessible the information is out there I think the better chance we have for success.
KING: And we’ve had—we have an excellent staff on the commission. And we’ve done a massive literature search and background. And we started the commission process last spring, almost a year ago, with a series of substantive briefings from people from think tanks, people from universities, some of the centers that you mentioned on various parts of the topic. Not that we’ve all—everybody’s read 1,000 pages of one or the other of those reports. But I think the staff has done a good job of pulling them all together and then presenting them.
And we’ve had our commission meetings—we’ve met every—pretty much every week for two straight hours—every week since last March. And we have very vigorous and open debates. I commented that it was the way Congress should work but doesn’t, where people are actually sitting around the table, debating, arguing, changing each other’s minds, and learning something. So that process has been very strong, and we’ve tried to absorb all the data that we can. So I agree with Mike. I think it’s good to have all of that. And then hopefully we can winnow it out to something that’s the recommendations, that will be executable.
GALLAGHER: It has been difficult, I would say—maybe you disagree—to draw—for the final report itself. I mean, cyber quickly becomes everything, right? I mean, so we can’t comment on everything, right?
KING: Well, I think we started with 180 recommendations, or something, and we’re down to seventy-five. I mean, we’ve tried—the hard part has been boiling it down.
ROBINSON: Yes. We’ll go in the back here.
Q: Hi. I’m Soyoung Kim from Radio Free Asia.
I’d like to give you a more expansive question regarding cyberattacks by North Korea. So I could see that some U.S. government agencies took some actions against another attack. For example, last year the Treasury Department sanctioned three major hacking groups related to the North Korean regime. And I think that Cyber Command has been actively posting some alerts about malware by their hacking groups too. My question is, do you think these current actions by the U.S. government are effectively working to defend North Korea’s developing skills and technologies for hacking? And also, is there any ongoing effort to have better defense, offense, or even prevention from potential attacks by North Korean hacking groups? Thank you.
GALLAGHER: So I think they were the right thing to do, but to your question I don’t think it’s enough. And I think—you know, obviously I’m—I, like many of you, when I think about North Korea I think about Sony, I think about the—I don’t even remember the name of the movie that sparked that.
KING: The Interview.
GALLAGHER: The Interview, yes. I’m not going to comment on, you know, whether it was a good movie or not. But I think it’s had a chilling effect on Hollywood. We recently met with a group of Hollywood writers. And I found that conversation fascinating. And though we were primarily talking about China, and the threats posed by China, I do think there is an anxiety in the private sector in general, but in the entertainment industry in particular, as a result of some of these recent attacks, or the threat of future attacks, and what it could mean for their bottom line. And that’s kind of—to tie that back to what we have both said at the beginning of this, of how do you strike that right balance between encouraging the private sector to do more to invest in their own cybersecurity, but also not putting them in an untenable position, or in a position that will result in the destruction of their business.
And then just finally, I would say I think—and this is my own personal view; I’m not speaking for the commission—we’ve put a lot of—we’ve asked the financial instrument of U.S. power, specifically sanctions, to do a lot of work over the last decade, right? Sort of sanction is the default instrument of choice for legislators and members of the executive branch, because it’s tougher than saying something mean but it’s not, you know, as tough or unpredictable as shooting a missile at somebody, right? Sanctions alone are insufficient to deter adversary behavior in many cases, and I think need to be nested within a broader strategy of deterrence that involves other instruments of U.S. power, and just—and I know I’m going on. I’m sorry.
I think that—when we’re talking about deterrence in cyber, we’re talking about deterring adversaries, right, nation-states. Which means, you’re not deterring cyber itself as an instrument, or solely using cyber instruments in order to deter. Cyber is one tool in your kit, and part of a broader deterrence strategy which, to date, has not worked in North Korea. I think there’s a lot more we could be doing on the maximum pressure campaign or going back to the maximum pressure campaign in North Korea.
KING: Well, I completely agree. And we’ve had a lot of vigorous debates on this. My sort of common-sense response is that if somebody is doing something bad to you, and they never suffer any consequences, they’re going to keep doing it. Why shouldn’t they? And the other aspect of cyber that should be noted is it’s cheap. I once did a back-of-the-envelope calculation in the middle of an Armed Services Committee meeting that Putin can hire about eight thousand hackers for the price of one jet fighter. That’s a—that’s a low-cost way to mess with another country. The question of deterrence in cyber is a very complicated one.
One of the things I should mention, and this is almost parenthetical, is we’re talking about the development—we, the commission—are talking about the development of international norms and conventions similar to the laws of war and the Geneva Convention, because this is a whole new area. You know, what is—what should the rules of the road be? And those rules of the road internationally aren’t going to be—they aren’t going to stop everybody from violating it. Yes, we have chemical weapons attacks periodically, but chemical weapons have largely been unused for over a hundred years. And so we need to be talking about that.
And then to get back to the point of deterrence, it’s clear that deterrence at the level below the level of kinetic force has not worked, and I believe because we haven’t had a coherent deterrence strategy. And that our adversaries have to understand, they’re going to pay a price. It may be sanctions. It may be cyber. It may be indictment of their citizens. And again, if we had an international community that agreed, and we could indict somebody in one of these foreign countries and they couldn’t travel anywhere else in the world, that would really mean something, because other people in the world would extradite them for this offense.
So this is one of the areas that we’re working on most diligently, because I believe without deterrence it’s—we’re—you know, we’re going to be constantly in the patching business. And that’s not going to be sufficient.
ROBINSON: Yes, here, ma’am.
Q: Yeah. Alice Tepper Marlin.
ROBINSON: Wait—please wait for the mic.
Q: Thank you. I’m Alice Tepper Marlin, Social Accountability International.
I wanted to move a little bit onto issues of what municipalities and your constituents can do to build resiliency. The beauty of incentives for building resiliency is one of the key things they could do is install batteries with generators and solar energy. This serves the purpose both of building resiliency in the case of a cyberattack on our electric utilities and also contributes to slowing global warming and building resiliency to adapt to global climate change. Is something of this sort being considered? And if not, might it be?
KING: Well, we view resiliency as part of deterrence. That if you have a resilient situation, a network, that in itself is a disincentive. Why bother? I’m not convinced it’s enough, but I think that’s definitely part of the concept of building a system that will not be subject to attack. In terms of the details of what you say, well, I do a lot of work in the electric field. One of the things we could do in the electric field to be more resilient is a more decentralized electric system. What’s called distributed generation. Where instead of a gigantic plant that supplies one hundred thousand people, you have smaller facilities so that if that—you can’t take out the whole system with one hack. But that’s a—there’s a—we can go into a lot of detail on that. But I think that’s part of what we have to look at.
Q: But there’s also batteries and things like this.
KING: Oh, sure. Well, that’s a—that’s a—
Q: And incentives for people and municipalities—
KING: Yeah. All of those—if you have a decentralized electric system, and you have batteries or what other kind of storage, that—this is a whole different discussion. But batteries, to me, are one of the most important parts of our economic future. Or, I should say, storage. Storage is what—if we can master storage, then we can move very dramatically away from fossil fuels.
ROBINSON: Yes, in the back, there’s a gentleman there, I believe.
Q: Hi. Scott Maucione with Federal News Network.
So clearly there’s an issue with Iran going on. And there’s a lot of anticipatory feelings right now. What should the United States be doing in terms of force protection when it comes to cyber at this point, within DOD and within individual bases for cyber issues?
GALLAGHER: Well, I—this is less—this is more of a DHS than a DOD thing. I applaud the proactive posture of CISA and the advisories that they’ve put out.
KING: Just in the last couple of days.
GALLAGHER: In the last couple days, yeah. I think that was the right thing to do. And I know that within the Pentagon this is an issue that’s being taken very seriously. Within the White House, this is an issue that’s being taken very seriously. My own view, and this is outside the scope of the commission, obviously, is that we do need to take—you know, similar to—prior to Project Solarium by about a decade, in the same way the Harry Truman—then-Senator Harry Truman did a tour of all the bases in the United States and identified a lot of inefficiencies and weaknesses.
I think it’s long-past time for a similar tour of all of our bases around the world, particularly where we are there at the invitation—at the tenuous invitation of a host government, and where, for a very small investment in resources in asymmetric capabilities, our adversaries can inflict enormous damage on exquisite weapons systems. I mean, look at the attack on Camp Bastion. Look at the recent attack by Al-Shabaab. Look at the attack—the Iranian attack against the Saudi Abqaiq facility. I mean, we are on the wrong side of the cost curve in all of these instances. It’s why I’m an advocate for sea power over land power, but we don’t need to get into that debate today.
But so that’s obviously outside the scope of this commission, but I know, to your question, this is something that DOD is taking very seriously right now.
KING: I don’t want to sound like one note, but I get back to red teaming. I want the most bloodthirsty, vicious, brilliant hackers in the world working for us, trying to hack our own networks, so they can tell our network people—whether they’re at the Department of Defense, or the CIA, or the White House, or the Congress—where the problems are. I think that’s one of the best techniques to build resiliency into the system. You don’t really know how safe you are until somebody comes after you. And I think that’s—and it does happen. It is happening. But I think that’s a principle that I think we ought to be pushing both within the federal government and the private sector. If I was the CEO—and I suspect if Tom Fanning were sitting here, he’ll tell you that, you know, we red team ourselves. And I think that’s exactly what they need to be doing, and a very important part of this process.
ROBINSON: OK. Over here.
Q: So I’m—my name’s Suprehya (ph). I’m here with my red teaming colleagues.
I have kind of a two-part question. So the first—
ROBINSON: Hold the mic up?
KING: Hold the mic up, please.
Q: Sorry. Two-part question. The first, you said that election security wouldn’t be federalized, and you both agree. Politics aside, I’d like to know kind of why exactly that is because from, like, an industry perspective we see, like, ransomware attacks against 911 call centers, for example. And they’re kind of dealing with that on their own. I see election security kind of as the same problem, where they’re—it’s very regionalized. And possibly more could be done from a federal level, but that requires insight from you. And then secondly, the other question is red teaming is very time consuming, and fascinating, and delivers a lot of results. But it requires time to fix it, so—or, the results of the red teaming require time to fix. So is that being kind of developed right now? How do people have time to respond to the findings of a red team and then be tested again, et cetera? Thank you.
GALLAGHER: Well, just quickly, maybe I’ll reply as the Republican co-chair. Yeah, I’m not—I’m not disputing the fact—in fact, I’m conceding that the federal government has a greater role to play in election security. And indeed, hasn’t done enough. And I actually think our final report will land on a good spot. But I would think of it as a partnership, right? It’s neither entirely federal nor entirely state and local.
And then your second question was on—oh. For red teaming I sort of think about it also in the context of threat hunting, right? I mean, have—do we have—does Cyber Command have the requisite authorities to do persistent threat hunting on CENTCOM’s networks, for example, without having to get permission, right, because that will take too long and you won’t be able to identify the threat, right? Similarly, does CISA have the requisite authorities to do threat hunting on, you know, critical infrastructure and other areas where it needs it?
ROBINSON: Yes, in the middle here. Yes. Thank you.
Q: Hi. Lucas Kunce, secretary of defense research and engineering.
I have a question kind of related to the CEO complacency you both brought up. And then, Representative Gallagher, you talked about the 1/10/60 data information. So your conclusion, it sounded like, was that you would want that to be private and maybe, like, the government looks at it after the fact to kind of analyze it. Curious, though, in the context of a CEO who’s complacent, it seems like, you know, give that information to investors and consumers, that’s kind of hitting them where it’s very important. So I’d just like some insight into your analysis on how you came to that decision rather than sort of the more capitalist approach.
GALLAGHER: Well, on that—so I think it’s—well, first of all, this is just me speaking. This is not the commission and I’m not saying that this is where the final report is going to land. I think it makes sense to require the collection of that information, particularly in any SIFI, what’s the acronym we’re using today, right? If you’re part of a systemically important financial organization, if you’re part of what we define as our critical infrastructure. Anywhere where if you go down, you could dramatically affect our national security and potentially endanger the lives of thousands if not millions of Americans, I think it makes sense to require those companies to collect that information. And that is not an onerous requirement from the federal government.
So I’m actively trying to maintain what you refer to as a capitalist approach, where we’re not punishing companies, we’re not saddling particularly medium and small-sized companies with onerous regulations that they cannot deal with, while at the same time collecting information that we need at the federal government to understand whether we are safe. And, again, all of this gets towards the goal of creating an incentive for companies—big, medium, and small—to invest in cybersecurity on the front end, rather than having to deal with the catastrophic implications of a cyberattack that they were not prepared for.
And you see this happening, right? I mean, the companies that have been most successful in this place are companies where the CEO has made cybersecurity a priority and given the people within his companies the authorities they need to get stuff done, and do red teaming of their infrastructure, and ask the right questions of all their employees. And so it’s going to require some sort of balanced approach between pure private sector market forces and federal government regulations.
KING: Well, one of the—one of the thorny—this is—this is a difficult issue. And one of the things that makes it difficult is that you have, for example, mandatory reporting. Well, what does that mean. Tom tells us that at the Southern Company they’re attacked three million times a day. Do they have to report every one of those? I mean, that’s sort of—doesn’t make sense. So how do you define what’s, you know, normal noise in your system and what is a substantial attack that perhaps needs to be responded to and that if the—if the relevant government agency knew about it they could provide information and feedback? Then you get into questions of liability, and you get into questions of publicity, and public disclosure.
And, you know, we want people to report. But in order to provide the incentive for them to report, they have to understand that what they report won’t necessarily become public because of the effect that it might have on the company. So it’s a very complicated issue. And it’s one of the hardest that we’re wrestling with. And if I sound confused, it’s because we haven’t resolved it yet.
ROBINSON: Yes, sir. Up here.
Q: First, I’m an MIT professor. So if you’re looking for geeky motivated hackers who cannot do 100 pullups, I can provide a lot of them. (Laughter.)
My question is actually to exactly the point—
KING: Uncle Sam wants you! (Laughter.)
GALLAGHER: That’s right.
Q: Not me, but the students. (Laughter.)
My question is actually to the private sector-public sector discussion that you were having just now, and the incentives for the private sector to take action at the front end, as you put it. Senator, you mentioned insurance, and how insurance could have the effect of providing, if you will, private regulation, with quotes around “regulation,” through the conditions on coverage and the premiums that would be charged by cyber insurers. On that point, are you talking about something that would be voluntary or mandatory, along the lines of European insurance directives? And, two, can it work without reform in the definition of liability—product liability for defective products, or liability in terms of insufficient protections offered for customers whose credit cards are being hacked when data breaches occur?
KING: That’s a really good question. And it gets to the question of liability. If you relieve a company of liability, then that’s relieving them of a great incentive to act properly. I think insurance could be an important mechanism, but it’s got to be sort of real. And the other thing that we’ve been talking about is what is the liability for somebody that puts a product in their product which is vulnerable, and they don’t check it? A chip in a microwave? And we haven’t gotten into that discussion, but we can talk all day about supply chain vulnerability and supply chain risk. And that’s—those are the issues that we’re—that we’re debating.
And again, the whole idea is we want somebody making microwaves to be concerned about the function of the chips that they’re putting in them. Or, you know, I’m not—I spend a lot of time with microwaves myself because my wife isn’t down here and I, you know, Mrs. Stouffer is the one that feeds me, principally. So that’s why it comes to mind. But whether it’s a refrigerator, smart TV, or whatever it is. And again, it’s a combination. We’re not trying to find all private sector. There need to be some federal minimum standards, particularly for critical infrastructure. And there’s a—you know, there’s sort of a differential level of engagement on those issues.
But I think what this illustrates to some extent is this is a new world. I mean, there’s very little precedent for this. And it’s been in the last twenty years. We had a thousand years to figure out the laws of war. And now we’re in a twenty-year period of figuring out an entirely different structure. And, as Mike mentioned, what makes it even more daunting is that it’s—there’s a low cost of entry. You don’t need to be Russia or China. You can be a malicious individual or, as Tom Friedman said, a super-empowered individual. And that’s a—I think the question you answer is a—ask is a really good one. And that’s the kind of thing that we’re—that’s exactly what we’re wrestling with.
GALLAGHER: Could I temper maybe the expectations with all these questions? I—and kind of in line with the idea that defining the limits of our final report has been a real challenge. We will not answer every single question. I think we will have a very bold final product, but this is taking inspiration from the original Project Solarium. It’s not as if Project Solarium concluded in the summer of 1953, and all of a sudden everyone was struck by inspiration and the light and we had a fully formed concept of containment that was a durable rudder to guide us through the dangerous waters of the Cold War, for the better part of three decades.
No. They continued to debate endlessly, throughout the Eisenhower administration and beyond. And so we hope to put out a bold marker in this final report. But more than anything else, we want to have a national debate about all this stuff. And we want to apprise Americans as to the scope of the challenge we’re facing in cyber. And if we do nothing other than make people aware of the threat, I think we will have succeeded.
KING: I think that’s a really important point. And you asked me the first question about why are we doing this? I don’t think the general public has a full comprehension of the vulnerability that we are at, and how disruptive it would be. If the Russians had parachuted people in, and broken into the DNC, and pulled the servers out, everybody would have said: That’s an attack! The fact that they did it silently and through the cyber system, it doesn’t have the same emotional response. And yet, it’s an attack, just the same.
And one of the things Mike and I are going to be doing is trying to alert people to how—to how serious this is. I mean, the Iranians have already demonstrated a capability to mess with the financial system. And imagine what it would do to our country if there was a serious disruption in—you know, how many—how many of you get paid in cash? Nobody. How many of you even get a check every week? Probably ten percent. That means it’s all electronic. That means it’s all vulnerable. And people have to realize that.
GALLAGHER: How many in this room got a letter from OPM, right? Look at that. I have it framed on my wall back home. (Laughter.)
ROBINSON: Yes. Yes, in the back, please. The lady in the back here, yes.
Q: Hi. Chloe Demrovsky, president and CEO of Disaster Recovery Institute International. Thank you for this insightful conversation.
The relationship between the federal government and Silicon Valley is fractious. (Laughs.) So when we looked at—we saw Google employees, you know, refusing to work on defense projects, for example. So when you talk about bringing in the best and brightest to work on issues of national security, this relationship is vital. How do you improve it? How do you inspire the workforce to want to work on those jobs, to work at CISA, for example? Thank you.
GALLAGHER: So I just would say, one, I was very concerned about all the Project Maven stories, and spent the better part of 2018 talking about it, and in some cases criticizing Google for it. I will say, having just gone to the Reagan National Defense Forum last month, I was incredibly encouraged by what I saw there. Jeff Bezos was there. Am I saying that right? I never know if I say his name right. Bezos, Bezos? Bezos.
KING: Yeah. Just say very rich guy.
GALLAGHER: Sorry, keep delivering Prime products to me. (Laughter.) Brad Smith, the CEO of Microsoft, an Appleton, Wisconsin native, was there. A lot of major tech companies were there at a defense conference, all saying the same thing: That we not only want to work with the Pentagon, because it’s good for business, we feel a duty to work with the Pentagon as American citizens. And we have a ton of patriots in our companies. And we have foreign nations that are excited about this mission set, that want to work with the Pentagon. And that’s a message that I hadn’t heard in the previous two years. And so I actually think, maybe in part because of the backlash from Maven, we’re starting—the private sector’s starting to move in the right direction. And I don’t know if you felt something similar.
KING: No, I think the same thing. We had a meeting with Brad Smith just recently.
GALLAGHER: Great guy.
KING: And Eric Schmidt also, the former head of Google. And I think there’s an understanding that this is important to the security of the country, and the security of the world. And there are going to be individual incidents. It’s a free country. People can make their own decisions. But if the—if there is a thoroughgoing estrangement, we’re in real trouble, because we have to have a cross-utilization of the expertise and knowledge in both—in both sides, particularly the innovation in the tech sector.
ROBINSON: So I’m reluctant to close the meeting, but I know the senator has a hard stop, and we have to be punctual here.
KING: We’re having a vote in the Senate. We don’t have all that many. So I feel like I ought to be there. (Laughter.)
ROBINSON: I do have one last—an announcement I’ve been asked to make, which is that this evening’s D.C. Daughters and Sons event, Why History Matters—which is a great event—unfortunately has been cancelled because of the weather coming in. So could you all join me in thanking both Representative Gallagher and Senator King. (Applause.)