Cyber Operations and National Security: A Panel Discussion

Uploaded by Dartmouth on 24.10.2011

>> I have to say it's actually a long time since I've been
to any talk at Dartmouth
that has had people spilling out into the aisles.
Part of it is it's in a smaller room than we often have,
but nevertheless, the attention and the interest
in this topic is evident in its efficacy.
I'm Daryl Press.
I am a professor in the Government Department here
at Dartmouth and I'm also the coordinator of the War
and Peace Studies Program at the Dickey Center.
Welcome to our panel discussion on Cyber Operations
and National Security.
This is a topic which has already attracted great
and also growing attention, not only within government circles
and analyst circles but also in the public media.
For the last week, almost every single day there's been a page 1
or page 2 article about cyber threats or cyber conflicts
in one of the major newspapers in the United States
and it looks like it's a trend that will continue.
Why is that?
I think there are two basic reasons.
Number one, as we all know,
our societies depend upon information technology
functioning, you know.
Our society is deeply dependent upon it.
For the power grids that allow meetings like this to happen,
as support for water distribution
and food distribution networks, as the critical infrastructure
in the financial services industry, in hospitals,
societies depend-- modern societies--
on functioning IT infrastructure.
Number two, modern military forces depend
on functioning IT infrastructure.
Obviously, for communications but also for the kind
of broad set of command functions,
for the intelligence function, for surveillance,
for reconnaissance, and even independent of the ability
or the need of military units to integrate together.
Most weapon systems now depend upon chips working effectively,
probably basically everything but the knife.
And so the question that this raises for us is,
I guess a series of questions.
Number one, does the cyber domain create opportunities for,
let's say, adversaries of the United States
to substantially degrade US military operations
without building up expensive capable conventional forces
of their own.
Number two, does the cyber domain create capabilities
or opportunities for adversaries of the United States
to create substantial harm or substantial disruption
to civilian infrastructure in a very nontraditional way.
Who, what kind of groups
out there are developing sufficient capabilities
to be able to do real harm with various cyber weapons?
Is this the kind of thing
which it will take very sophisticated state actors
with flush coffers and hundreds and hundreds of programmers?
Or might poorer countries
and weaker countries also be able to carry this out?
Or might non-state actors, groups of guys,
two unemployed guys
in Kazakhstan pull off meaningful attacks
against various cyber targets.
What opportunities does it provide
for the United States either in the espionage realm
or in the military realm to do significant harm
to the militaries or government functioning
of adversaries of the United States?
Or possibly, is this much ado about nothing?
Is this a domain in which there's been a tremendous amount
of exaggeration about vulnerability, tremendous amount
of exaggeration about threats and really, it's military forces
and intelligence organizations
and contractors looking for missions.
Where does it lie within kind of the worst case scenarios
and the possibility this is all a big one--
one big exaggeration.
Let me say that six months ago, Denise Anthony,
Professor Anthony from Sociology Department and Tom Candon,
both of whom are at ISTS, dreamed about this panel.
And they basically said that we have a ton of expertise,
very diffused expertise here at Dartmouth
in areas covering infrastructure security, cybersecurity,
a lot of it though was on the commercial side.
A lot of it was people who were not necessarily focusing day
and night on national security policy.
And then there is also a broader group of people, some of them
in the social sciences, students across the college
who have interest in national security policy
and their insight was let's try to marry these things up
and have a panel to try to raise these issues and see
where we go from there.
And so, they get an awful lot of credit for starting this
and then they connected with me as the representative of the War
and Peace Program for the Dickey Center.
So, this is a program here today that's sponsored by ISTS
and the Dickey Center.
I should also say that it's really the first of a series
that we're gonna be running throughout the year.
So, the panel today is terrific.
We intend to have three more public events through the course
of the year, in the winter and the spring term,
dates and specific topics are TBA and will be announced very,
very soon so stay tuned for that.
Alright, enough of this.
Let me just turn to the panel really quickly.
We have three terrific panelists today.
Let me introduce them each very, very quickly right now
and then I'm just gonna sit down
and let them each give a presentation.
The format for today is they're gonna give brief presentations,
probably about 10 minutes each, and then I'm gonna try
to help facilitate a conversation among them
for probably about 20 minutes and then we're gonna turn it
over to you guys for Q&A.
So there'll be plenty of time for that.
Panelist number one is Dr. Herb Lin.
Dr. Lin is chief scientist
at the Computer Science Telecommunications Board,
National Research Council at the National Academies.
He is a director of major projects on public policy
and information technology and has written some
of the real seminal texts to date about topics of cyber security,
offensive information warfare and cyber deterrence.
So, it's a great honor to have him here.
The second person to speak, I believe, Martin,
are you gonna go second?
>> I guess I am now.
>> There you are.
Second person to speak now is Martin Libicki
who is a senior scientist at RAND and he has been focusing
on the impact of information technology on national
and domestic security for many years
and he recently authored a manuscript called
Cyberdeterrence and Cyberwar and is just one
of the leading experts on this topic.
Lastly but not least, we have John Lindsay.
John is a postdoc at UC San Diego.
He just received his PhD at MIT.
He has a Master's in Computer Science from Stanford
and has research in this domain, although he has a wide area
of research, is on strategic use of cyber space
and the conduct of irregular warfare.
John Lindsay served as a US Naval Intelligence Officer
with Air Targeting and Special Operations Units in Europe,
Latin America, and Iraq.
Yesterday or a few days ago,
Tom pointed out that I can tell you purely by coincidence,
all three of our panelists are graduates of MIT
and actually I am too.
And so he suggested that I begin the whole event
by leading you guys in the MIT fight song but I won't.
So, with that, let me turn it over to Herb Lin.
[ Applause ]
>> Did I screw up?
I did screw up.
Okay, there we go.
Okay. So thanks.
Great to be here.
For those of you who were at the--
at lunch today, my apologies, it's the same view graphs,
different stories but have the same view graphs.
So, my job here is to talk a little
about the fundamental underlying technology here
to give you some idea of the basics the real--
the nuts and bolts of what's going on in it.
It's not a very technical thing but it's--
the technical dimension of this is different in many ways
than one might be used to if you're thinking
about more traditional kinetic operations.
This is the one slide version of cyber policy.
Everything you needed to know on one slide.
We depend on, as Daryl pointed out,
we depend on information technology for both military
and civilian purposes therefore we have to defend it.
Cyber security is what you do to defend it, to protect it.
Okay, there's a defensive aspect to it
and an offensive aspect to it.
The defensive aspect is something that lots
of people talk about but it's inadequate.
The offensive side of it is very hush-hush,
not talked about at all.
On the defensive side, there are basically two things you can do.
You can find better antivirus programs.
All of you should be running antivirus programs
on your computers or you should have firewalls,
all that kind of thing.
Put passwords, all that stuff.
Those are what we call passive defenses.
And if you get into trouble you can call the cops, okay,
and then they tell you get in line because they've got a lot
of other people to worry about too.
So, all that's inadequate and so it's natural to start thinking
about the offensive dimension of it.
How much do you strike back?
Make somebody who is hacking pay a penalty of some sort.
But it's not discussed at all publicly
for a variety of reasons.
For example, the Defense Department strategy
on cyber space doesn't at all acknowledge the role
of offensive operations.
Once you have offensive operational capability,
you can use them for non-defensive purposes.
You can use them to further your own national interests.
So, if you've heard of Stuxnet, anybody,
how many people heard of Stuxnet?
Okay, so Stuxnet is a computer worm
that has attacked Iranian centrifuges that are used
to produce enriched uranium for nuclear weapons
and there are some reports that says that set it back
by you know three years, you hear varied assessments of it.
Nobody knows who did it.
Nobody knows who is responsible for it.
There are a lot of theories.
Nobody knows for certain who is responsible for it
but it was clearly a cyber attack against Iran.
These are the fundamentals of offensive operations.
By the way, these slides, I'm gonna send them along to Daryl
if you give me your email address
and he will distribute them to anybody who wants them.
There are three elements to an offensive operation.
There's access, vulnerability and a payload.
Most probably, let me give you an example of it.
You have a-- let's say you have a file cabinet, okay,
and there's information that there are papers in it.
What are you gonna do?
You wanna get at it, you're the enemy,
you wanna get inside that file cabinet.
Access is where is the file cabinet,
it's one thing if it's in my office.
It's another thing if it's in a bank.
It's another thing if it's in a police station.
It's a different thing if it's in the--
it is on the space station, okay.
Vulnerability is how strong that lock is on the file cabinet.
Is it-- does it have three pins, four pins, six pins.
Does it have two locks, one lock?
Is it made of thin sheet metal or is it very--
or the wall is very thick?
There are vulnerabilities there to be taken advantage of, okay.
And the payload is what you wanna do, that is,
once you get inside the file cabinet, you have these papers?
What do you wanna do?
You wanna shred them.
You can destroy the data.
You wanna just photocopy them or put them back?
That's stealing information, that's espionage.
Do you want to alter the data on it, so you erase something
and then you write some--
a new number on certain pages and so on?
That's compromising the integrity of the data.
Do you want to pour ink all over the paper
so that the other guy can't read the paper?
That's denial of service.
And so there are various things that you can do.
You can use, you can accomplish these methods,
these ends by using both technical and social means
that is, it's not just hacking, computer hacking.
It is bribing a secretary.
So that's another aspect of offensive,
taking offensive operation.
So, when you talk about access, let me talk a little bit
about all three of those.
Access, there is remote which is doing it at a distance.
Sort of roughly over the internet, right,
or maybe you have a WiFi connection on an internet
on a local area network that doesn't talk to the internet
but there's a WiFi connection on that you can get access to that.
And there are various things
that you can do once you have this kind of remote access.
But there is also close access which is you get
up close to the computer.
So, probably some of you bought your computers mail order.
They appear in your, you know, at home, right.
How do you know that somebody didn't open
up the box while it was on a loading dock
and swapped in, put in some software?
Okay, I bought my computer that way.
Maybe somebody did it to me.
How do I know that somebody didn't open it up and put
in a new chip somewhere?
Or, while I was talking over here, somebody put
in a USB drive that I don't know about
and loaded some software onto this.
Well, actually I was watching my computer but you know the--
not everybody would do that
and also that's another way of getting it.
An infected USB drive is the way--
it is one way that the Stuxnet virus could have gotten
in to the Iranian networks
which were not connected to the internet.
And so there are various ways of getting access
that require you to get a close up.
There are vulnerabilities to war.
There is cranny software.
There's a hardware that can be tampered with.
There are communications channels
that you broadcast and if you use Wi-Fi.
Sometimes, you connect to an unencrypted link
and your computer, at least mine, tells you:
you are about to communicate over an unencrypted link.
Other people could see your information.
Are you sure you wanna do this?
There's the system configuration,
sometimes the system comes with default passwords.
You can look up default passwords on the internet
from most routers, for example.
I have done it, you can do it too.
You can probably crack 30 percent of the routers you come
across just by knowing those default passwords.
And people don't change them.
Why, because they're lazy, okay.
There are many ways of getting access.
You can compromise the users, okay.
You can blackmail them.
You can bribe them.
You can get it at the manufacturer
that you can persuade the CEO.
You can persuade the CEO to do something, especially if you're
about to get your-- if you are a government
and you wanna give this guy a contract.
you say well, you-- we're gonna give you lots of business
in the future if you cooperate with us and the cooperation is,
well, you make antivirus programs and well,
maybe you wanna ignore the following virus
if it ever-- if you ever see it.
That's a possibility.
I don't know that this has ever been done but certainly,
within the realm of possibility.
You can get a communication channels.
You can monitor a WiFi signal.
You can-- sometimes, there is a modem that's attached
to a computer, telephone connection to a computer
that shouldn't be there but it's there anyway.
Sometimes, somebody goes into a closet that's outside and hooks
up a WiFi router that nobody knows is there
and they broadcast it.
In fact, at home, I have a-- I used to carry it around,
I don't do it anymore.
I have a little device about this big that turns any computer
into a WiFi broadcast station.
So, if I slip it on to the computer in your office
and put it in box so that you'll never see it,
it just becomes a WiFi link and now I can listen in
on your conversations just by walking down the hall.
There are all kinds of interesting ways of doing these.
You can go after service providers.
Service providers who would do virus checking, for example.
You can plant them all inside a manufacturer,
all sorts of things you can do.
What can you do once you're inside?
So, I talked about you can steal information
or you can compromise, even alter it,
you can make it unavailable to other people.
You can pretend that it comes from someone else.
Okay, all of those are-- those three things,
compromises of integrity and authenticity and availability,
those are usually called attacks.
They degrade, disrupt, destroy information
on a computer system.
Exploitation is when you steal information.
It's not stealing in the usual sense.
If I steal your wallet, you don't have it anymore, right.
I have your money, you don't.
But if I steal your Social Security number, I have it
and you have it too, that's why you don't know
that you've lost your Social Security number
because you haven't actually lost it,
you still know what it is, right.
That part is what makes the whole business so interesting.
Excuse me.
Both attacks and exploitation use the same technical means.
If there is something that happens to your computer,
you don't know whether it's an exploit or an attack, right.
What happened?
I don't know and it's very hard to know.
By the way, the press also can't distinguish them.
To them everything is a cyber attack but if you look
up cyber attack, well, it's almost always
an exploitation.
That is somebody has lost information,
has compromised information.
Key characteristics of these things, okay.
What can you do?
Well, sometimes you're not interested in the computer.
You're interested in the generator that's connected
to the computer so you try to kill the computer
so you kill the generator.
The generator is the thing you wanted, okay.
And so what that means is that since you can connect
to any field of the computer,
the indirect effects really matter a lot.
And, indirect doesn't mean not primary.
This friend of mine says electrons don't wear uniforms
in cyber space.
That means that's his fancy way of saying
that it's anonymous in cyber space.
An operation is anonymous.
You don't know who attacked you.
You could-- you may have some clues but it's very hard to know
with high degree of confidence who attacked you just
on the basis of technical signatures.
Sometimes, the bad guy makes a mistake
that you can exploit.
You can figure out who attacked you but it's hard.
The technology is here, right.
You can buy-- get it at Best Buy.
You can get it mail ordered.
You can download hacking tips on the internet.
So, what this means is that since the technology,
offensive technology is available to everyone,
it means that even non-state actors,
small players can create some of the effects
that previously took big players to accomplish, to do.
And they can be companies, they can be individuals.
They could be criminals, they can be terrorists,
they can be some organized crime.
They can all get this stuff too.
If you're poor, you can steal money on the internet.
Lots of people are stealing money on the internet
and what do you do with that money?
You can buy more resources.
You can pay programmers to do things for you and so on.
And so you can also steal computing resources
so I can steal your computer or the use of your computer
for a little while and make it do what I want
and you'll never know that you've done it.
You can do cyber attacks on a broad scale or a narrow scale.
That is they can be narrowly targeted.
Stuxnet was something that was aimed only
at centrifuges operated by Siemens control systems, okay.
Nothing else.
This only attack and it went--
it touched a lot of other computers
but it didn't do anything bad to them.
It was targeted only at that system that had centrifuges,
certain centrifuges run by Siemens control systems.
Or you could have a very broad attack
that just targets everybody indiscriminately.
Here, the lesson is the more precise you wanna be,
the harder it is.
The more expensive it is the more intelligence you need
and so on, longer lead times.
Cyber operations are really hard to plan, very, very complex,
more so than traditional military operations.
Many more options.
You can-- sometimes your attack can be only used once
so you attack and the other guy fixes it, fixes the problem,
fixes the vulnerability that you took advantage of.
And now you can't use that anymore so it means you have
to use a different method of attacking
if you wanna attack them again and you may run out of that.
You may run out of different ways of going after him.
Maybe temporarily limited in effect by design.
There's a new variant of Stuxnet that's going around now
that disappears after 36 days,
it turns itself off and deletes itself.
It can be limited in scope.
It can be hard to execute on the fly if there's a target
that pops up and you don't know anything about it
and you haven't done any preparations
to gather intelligence.
You're gonna be hard pressed to conduct the cyber attack on it.
And these guys are fast.
They can-- people often talk about them
as them being very fast and impressive that goes
at the speed of light.
You know that's true but there are a lot
of other considerations.
There's the planning.
There's the policy issues.
There's the legal issues.
In practice, over time and historically over the last 10
or 15 years or so, the speed of a cyber attack has been governed
by law not by the speed of transmissions.
It operates at the speed of law not at the speed of light.
How do you use offensive operations to defend yourself?
Well, you could do it before the attacks.
You can get early warning.
You can know that he's about to--
that he's about to attack you.
How do you do that?
You have to be in his computer system watching him generate
the attack.
That means you have to be-- you have to penetrate his system.
Maybe you can preempt him.
Maybe you can destroy his computer systems before he is
able to destroy yours and to attack yours, you could do that.
During an attack, by the way we've announced
that we're willing to do this.
We can attack the computers that are attacking us
so that we can disrupt the attack in progress.
And afterwards, we may have to conduct forensic operations
to go after the guys that are attacking us just
to see who they were.
So, what happens is that there's a computer,
you go back one computer and you look at that computer and finds
out that that was compromised by another guy who was compromised
by another guy who was compromised by another guy.
You got to go through all of those guys
to go all the way back to find out who was the ultimate--
who was ultimately responsible.
I know that takes offensive capability
and maybe you wanna conduct retaliation
to discourage further attacks.
How might you use these offensive capabilities
to do non-defensive operations, okay.
So these are illustrative.
I'm not advocating any of them
but for example you could use them
to fill an adversary's air defense
so that your bombers can go through without being shot down.
You could destroy their electric grid because--
you might want to do
that because their electric grid supplies the Ministry
of Defense.
You might want to disrupt their elections.
So, you can see why I'm not advocating this, right.
I'm not saying this is a good thing to do but it's a matter
of record that the United States has wanted to influence public--
influence elections in other countries before.
One way to do that would be to go
after an electronic voting system, to hack that.
You could disrupt the adversary research and development
or productions of weapons of mass destruction.
Or you could steal information from them.
You could get their negotiating positions
for treaty negotiations,
you can get their political plans,
you can get valuable commercial information, okay,
what they're company-- what are these companies doing
and what are certain companies doing
to get their trade secrets and the like.
As a matter of policy,
the United States does not do this to other nations.
We do not collect intelligence to gather information,
economic information for the purpose
of gaining economic advantage, okay.
That's a massive modern policy.
Every other nation in the world does this.
We don't. A couple of observations and then--
a few observations then I'll turn it over to Martin.
First is that we haven't seen anything yet, that is,
this is all still very new and many forms
of offensive operations just haven't appeared yet.
So, what we see in conflict
with cyber space is gonna be very different in the future
than what we see in the past.
Stuxnet, a lot of people talked about it.
It was a wake up call to the policy community.
The approach is generally applicable,
the specific code is not, at least not the payload side
of it, but it was not a wake up call
for the technical community.
Everyone in the technical community knew that something
like Stuxnet was possible.
There's a paradox in this--
paradox in the cyber space which is that it's very hard
to do good defense so people say then we have to think
about deterrence, preventing the-- to making the other guy,
dissuading the other guy from attacking.
But then when you look or think about cyber deterrence,
you come back and say, that's really hard so we need
to do better defense, right.
So, we have to do good-- we can't do good defense,
we have to do deterrence and we can't do deterrence
because we don't know how to do
that so we have to do good defense.
And if you think that's unsatisfactory, you're right.
Nobody knows how to square-- you know to get around that.
The argument that there are many forces driving us towards
offensive operation for non-defensive purposes,
that's the only thing left to do because the offensive operations
that you conduct can't really protect your own technology
despite what the claims are by various people
within the defensive establishment.
And cyber is not separate from other conflict domains
that you can-- you have a wide range of tools
at your disposal to respond.
You can respond at kinetics base.
You can respond diplomatically, through law enforcement,
economically, variety of things you could do.
And the last thing I wanna point out in all these is
that there's a lot of secrecy about this
which clouds the discussion and that's really,
really, really problematic.
That's a part of why we did these two reports.
These reports are available for free on the internet.
Do a search on those terms and you'll get free--
you'll be taken to free PDFs of them.
And, I'm happy to answer any questions later on,
contact information there blah, blah, blah.
[ Applause ]
>> Alright, thank you for your applause.
You don't even know what I'm about to say.
Once, I had the opportunity to talk
to a retired Israeli general.
We were talking about Stuxnet.
Now, Stuxnet is a bit of a paradox if you ask the question,
how much did it set back to the Iranian nuclear program.
Because when IISS took a look at the number
of centrifuges destroyed, it was about 10 percent.
The Iranians managed to recover that in
about a six-month time period.
And yet, you had all these estimates that said
that Iran was set back three years.
So, I talked to the guy.
I said look, you have this wonderful Stuxnet.
It didn't seem to have done you a whole lot of good, now did it?
And he said maybe yes and maybe no.
He says it might have done more good than it looks.
I said, what do you mean?
He said, and obviously I'm not quoting him exactly
since it was a long time ago and it was too far, far away.
But, he said look at it this way.
Right now, Iranians are producing 3 percent uranium.
If they're gonna get to a bomb, they're gonna have
to produce 90 percent uranium.
Once we get past the 13th threshold, everybody in the rest
of the world gets excited 'cause they have to kick out the IAEA,
International Atomic Energy Agency, inspectors.
At that point, Iran has to start running a gauntlet, right?
They've got to get to where they have a bomb before the rest
of the world's community comes
down on them like a ton of bricks.
Now, if you run and made the calculations,
it's only gonna take me about say three to four months to go
from 3 percent to a bomb.
That may be a gauntlet they can run.
But what if Iran is not entirely certain they can do it?
What if they're not entirely certain because they don't know
that they have cleaned Stuxnet out of their system, right?
It's very easy to tell that you're infected.
It's very, very difficult to tell that you're not infected.
So, what if you had this aura of
and I'm gonna use the term magic here, right.
Remember Arthur C. Clarke's dictum
that any sufficiently advanced technology is indistinguishable
from magic.
Well I'd like to offer the proposition
that cyber war is probably as close we're gonna come to magic
and conflict as we have in a long time.
It's mysterious not because it is ultimately
at the point mathematics and of course mathematics
by definition is completely transparent.
But it's mysterious because its mystery lies in the complexity
of the systems that we attack.
For any halfway defended system, and I'm being very liberal
on the use of the word halfway.
A system can only be attacked if there are flaws in the system,
if there are vulnerabilities in the system.
Now, if your system was simple, you could pretty much guarantee
with reasonable-- there's even some mathematical proofs
that in fact the system is flawless
but as we know now today computer systems are
increasingly complex.
And every year they become more and more complex,
not only the software more complex but the aggregation
of things that we put together
in networks also becomes complex, right.
Now, what happens is the only reason I can attack you is
because I know that you have a flaw in your system.
I believe you have a flaw in your system
that you yourself are unaware of.
Then notice by the way, that's a very high bar in knowledge.
I've gotta know more at least something about your system
that you don't know about.
Oh, why don't you know about it?
Again, it's because of that complexity, right?
If I knew my systems were not infected,
I would also know enough about my systems
that my systems couldn't be infected.
But in fact, we don't have that level of knowledge precisely
because of that notion.
Now, so what we have is a world
in which people have a certain level of concern and fear.
But fear is the wrong word as I will demonstrate in a moment,
okay, about whether how penetrable their systems are.
And why do I say fear is the wrong word.
You're maybe all familiar with the acronym fear, uncertainty
and doubt which is usually said in one breath as one word
as if it were the same thing.
But in fact, it's not because if you take a look
at nuclear weapons, you're talking about a world of fear.
You're talking about a world of almost somatic response
to the fear of nuclear weapons.
But if you talk about cyber weapons, you're really
in the realm of doubt.
You're really in the realm of lack
of content of knowledge, right.
If I had a nuclear bomb and I was threatening you,
you would have no doubt about the efficacy of that device,
particularly if I demonstrated it before.
But if I had a cyber weapon and I was threatening you,
you might have a great deal of doubt about the integrity
of your own systems or you might have no doubt at all,
which gets into somewhat a paradox.
And the world of cyber war is nothing
if not replete with paradoxes, okay.
If I demonstrate a capability, I may be adding to my ability
to deter all sorts of actions on your part but at the same time,
I might be reducing it.
If you think I'm 10 feet tall and I go to a large amount
of trouble to demonstrate I'm 8 feet tall, what have I really done
in the world of deterrence?
And the answer is well, maybe I haven't done myself any
favors yet.
Maybe I've sort of gotten rid of the magic
and what you actually want is to maintain the notion of magic
in the other side's mind, okay.
Now, that's offensive.
Let me talk a little bit about defensive
and turn the problem back on itself.
I've been in this business more or less kind
of 15-20 years there about.
When I was at the National Defense University,
I had a good colleague of mine Colonel Allard [phonetic]
who said the first rule
of information warfare is do not do it to yourself.
I know it was pretty wise on our parts, right,
so let's think about deterrence.
Magic is what the United States does to other countries, right?
Or is it what we do to ourselves?
For instance, if you were the secretary
of defense you wouldn't dare deter yourself by worrying
about a cyber Pearl Harbor.
You wouldn't dare deter yourself and demonstrate
that the United States can make that and be dissuaded
by saying how easy it is, how probable it is for some of you
to take down the national infrastructure and
yet we do it all the time.
Yet we do it all the time
because we ourselves are a little uncertain
about cyber war.
It's almost axiomatic to say that whatever cyber war happens,
it will be something we didn't predict.
I'll give you an example from the news
of about a week or so ago.
There was an article in the New York Times saying
that US military planners had thought
that it might be a good idea to carry out cyber war
against Libya's air defense systems only to realize
that you can't exactly flip that button, right.
If I've got a nuclear bomb and I built it for Germany,
and Germany just happened to have quit the war,
I can always use it for Japan, right?
Nice target set.
You can't do that for cyber because the vulnerabilities
in the systems you're going after have to be discovered
as it turns out, unless the other guy is really stupid
at his infrastructure and you never count
on other people's stupidity.
It may always give you an opportunity.
Generally speaking as Herb suggested it's gonna take a
while to find that vulnerability.
So it's like okay, give me six months and I'll get
into Libyan's air defenses and you're the kinetic guy
and you're saying, excuse me,
but in a week I'll probably have all that stuff, you know,
down to the ground anyhow.
Who are you guys trying to impress?
Which by the way is not a bad question for cyber war, okay.
Now, this business of magic, I could go on and on
but in deference to the length of the conference
and in deference to my general lack of sleep I just want to end
on the following note.
About 30 years ago, I got into this war business.
I started working for the Department of Navy
and I quickly learned that if you wanna be serious in talking
about war, you had to sprinkle in some German words.
Blitzkrieg was good.
There are others like you know fingertip control.
There's a German equivalent for that, right.
That showed you were really a serious student of war.
One of the problems in cyber war, however,
is we haven't had a whole lot of German.
A part of the problem is that the word cyber
in German translates into, ready, cyber.
'Cause actually it's a Greek word and I really miss this.
So I'm going to coin now a German word for cyber war.
First thing I would do is I wanna capture the notion
that a lot of what concerns us is really not war, right.
We're concerned about countries e.g. China overtaking us
in an economic race because they're stealing all
of our intellectual property.
They're concerned about us destabilizing the Chinese state
because we will not shut off dissident groups broadcasting
the United States into China.
By the way, these are serious concerns in both of our stock--
our countries and if you try to negotiate about cyber war,
you realize pretty quickly you're talking
about two different things
which kinda makes negotiations a little more difficult
than you might have hoped.
At any rate, so I've decided the word struggle was a much better
idea and it translates into some German words der Kampf.
If you speak German, you know my pronunciation is not good
but I'll do what I can.
But what do we do for the first word?
And it turns out there's a very nice word called zauber.
How many of you are familiar with Zauberflote?
Mozart's Magic Flute, right?
And it sounds similar to cyber but it really means magic.
So there you have it.
I'm gonna put a trademark on the term zauber kampf and for
that I will turn in to you.
[ Laughter ]
[ Applause ]
>> Well, thanks very much.
Martin, you couldn't have set me up better because I wanted
to say something quickly about the word cyber
and it is a very strange word.
It's only recently in the past couple of years that we started
to use it as a standalone word.
It's always been a bound prefix in words like cyberspace,
cyberwar, cyberattack or the older idea of cybernetics.
And really the best translation is control.
It comes to us from the Greek word "kybernan" which means
to steer or to pilot a boat, it's the same root
as government, and once you start thinking about it
in that term I think that it will help us to get a little ways.
Cyber as an independent word has only really emerged
in the last couple of years as the Department
of Defense has started talking about it as another domain,
independent domain for conflict which is separate
from the natural domains of sea, space, land, and the air.
And this may make some sense when you have
to run a bureaucracy and you need separate budgets
to make sure people are trained
but it's a little strange actually to think about it
in this way because computers
and communications control systems are the things
that allow military forces to do anything at all in any
of these other actual domains.
So you can't operate in the sea or the land
or in the air unless you can actually connect planes
with their headquarters and one another and if they're able
to see their adversaries, so on and so forth.
So this is fundamentally an integrated control technology
which makes it possible to do all other sorts
of military operations.
But now, we started talking
about the idea of operating cyber.
We have US Cyber Command that is going to you know command
and control cyber offense and defense in this area.
So how can we think about this?
Prior to the stand up of US Cyber Command,
probably the biggest advocate in the US Government for thinking
about it this way was the US Air Force.
You might remember they have a slogan,
"air space and cyber space."
They're running commercials and whatnot.
The Navy has also been a big proponent
and it should be telling that it's the Navy and the Air Force,
the two most technologically sophisticated services
that have really started to bang the drum about cyber
when it's been the Army and the Marine Corps
that have actually been engaged in two hot wars
in Iraq and Afghanistan.
So, here we are talking a lot about cyber at a point
that we're drawing down, defense budgets are shrinking
and whatnot.
So what is the prognosis for cyber as an independent weapon?
Well, I think it's instructive actually to think
about the Air Force and thinking about technology
as an independent weapon because this was a service
that was actually built around an innovation.
The aircraft and the argument
that this could be an independent weapon to fight,
at least fight wars differently and perhaps even win them
without the help of the other services.
But when this theory was put into practice,
it ran into a couple of challenges.
So the original ambitions kind of came in two flavors
and one was an idea that if you attack,
if you flew over the battlefield,
didn't engage forces at all, went all the way home
and started bombing civilian targets, you would cause
such panic and dispiriting situation
that the populace would beg their leaders to stop the war
which will be so bad that there would be complete loss
of morale.
The other theory was, well this is a way
to break the economic infrastructure
and break the war-making potential
of the adversaries' countries so they wouldn't actually be able
to wage war in the battlefield.
Fair enough, let's go ahead and try this
in the Second World War.
The British discovered quite quickly
that it was actually difficult to operationalize.
They have pretty good intelligence
on what the German economy looked like.
They had target-- folders on lots of juicy economic targets
but they found it was actually quite difficult to get bombers
into location and deliver their weapons.
They were so inaccurate that the British decided
to start bombing-- excuse me--
they were so unprotected they were getting shot down.
They started bombing at night therefore they were just aiming
for cities hoping that they would hit factories within them.
When the Americans showed up,
they were a little more accurate, they were only missing
by a couple of miles rather than entire cities.
But still that was a long learning process before
Americans realized that bombers could not escort themselves.
They were getting just mobbed and shot down with great loss
of life by German air defenses.
So not until escort fighters were starting to--
the long-range jet fighters were produced
in enough quantities were American bombers able
to deliver the punch.
But even then they found that was very difficult,
found that when you bomb an adversary's population,
they don't give up, they actually get angry.
And this is an experiment that's been run over and over again
against the United States with Pearl Harbor and 9/11.
The United States against Serbia,
we found people don't like getting bombed.
It tends to redouble their resolve to resist.
Furthermore, economies actually tend to be fairly resilient.
The British economy took a pounding and get--
ended up producing more war material at the height
of the Allied bombing than before us.
They found all kinds of synthetics to use
when oil stocks were depleted, different ways
to produce ball bearings and whatnot.
So, the original theory didn't work out too well,
but that doesn't mean that,
I mean this was a very costly campaign
but it doesn't mean that it was useless.
It did a couple of very good things.
Probably the best thing that this did
for the allied war effort was
that it sucked off the German Air Force
so that Allied ground forces really didn't have to deal
with the German air threat that they might have otherwise.
And it undeniably created a great deal of friction
in the German war machine both in the war economy
and the command and control.
So the idea of winning independently turned out not
to work so well but there was this support
of friction injection role that strategic bombing could play.
Fast forward to today, I think that actually some
of those considerations are fairly independent
of the technology involved.
We're talking about, you know, using a technology
to bypass fighting all together
to attack critical infrastructure
and to make war cheaper and easier somehow
than it otherwise would be.
I would argue for much the same reason
that the previous speakers talked about because this is
such a complex technology.
There's a great deal of ambiguity.
It is both harder.
We're not sure how our adversary is going to react.
But there are these interesting supporting rules
that cyber operations can play.
I mean we've talked a lot about several of these,
but just to run over them real quickly.
The use of cyber for intelligence is a huge boon.
It's possible now to exfiltrate you know, gigabytes of data
that would have been very, very risky and caused lots
of planning and you know, putting lots of agent risk
at life-- agent lives at risk during the cold war.
So that's a lot easier.
That can help to improve one's relations
against adversary in the long run.
The wholesale theft of intellectual property
and other information resources whether it be wealth itself,
whether it be negotiating positions and other sorts
of informational resources can perhaps
over the long term alter the balance
of power between countries.
I think there is a whole host of very interesting operations
that more resemble covert special operations than actual,
you know, big war fighting.
And Stuxnet is-- might be a good example.
Things that take a lot of planning
that are very target specific and you know, are really sort
of an in and out thing but might not have, you know,
large scale strategic effects but, you know,
are part of the ongoing game that, you know,
great powers tend to play.
Great powers are, you know, just constantly involved
in finding ways to make things they see inflictive
for one another without crossing those red lines that cause wars
that would be too costly for either to fight anyway.
And lastly again, also, the covert action category but,
you know, there's also an overt side.
I think this whole notion of influencing populations
and affecting stability from the inside is something that we see
in a number of different states interested
in very different flavors.
So, I'll end it here so we can open up for discussion
but you know, bottom line, you know, there are precedents
for thinking about the most frightening
and most dangerous scenarios
that get the most press in the news.
But there are good reasons to be very suspicious
if that would actually be useful in any kind
of a strategic operation and
yet at the same time I think the play book
for intelligence regular warfare covert operations is very
interestingly expanded by this technology.
[ Applause ]
[ Inaudible Remark ]
>> So I have to say that was absolutely terrific.
The 3 panelists did a great job kicking off this discussion.
I wanna get, you know, questions
from the audience pretty quickly.
But let me try to get kind of the discussion
on maybe arguments between you guys going
by raising a couple questions.
I'll do them one at a time.
But only do a couple questions and see if I get reactions
and then after that I'll take questions from the audience.
So question number 1 is this,
which is I'm having a hard time figuring
out myself whether fundamentally when we think
about the weapons side of cyber things
as opposed to the espionage.
When we think about the weapons side of cyber things,
are these fundamentally weapons of the strong
or weapons of the weak?
Now with a first cut through,
we all could know all the arguments why these might
fundamentally be weapons of the weak,
very low barriers to entry, right?
And then our kind of Jack Bauer kind of fantasies, you know,
two disgruntled guys in their underwear in Kazakhstan,
you know, doing untold amounts of damage
across the eastern seaboard, something like that.
'Cause again low barriers to entry, you know, couple people
with some good technical skills and an internet connection can
as Herb said, steal resources, get controls
in more computing power, do a lot of damage.
Okay, I understand that story.
On the other hand, what we also learned from the three
of you guys and from other discussions that we've had,
is that a really serious cyber attack against a series,
the kind of infrastructure,
a target that's been defended is gonna require a lot of planning,
a big intelligence network to figure
out the specific vulnerabilities, social as well
as technical vulnerabilities in that network.
It's gonna require a big coding effort.
It's gonna require maybe a whole range of these cyber weapons
to be used in sequence 'cause each weapon would only work
maybe against a single target.
And then once you've used it once they're gonna fix
those holes.
And so I think about that and I think maybe this really is,
you know, a weapon of the strong and when John was just talking
about sea, space, air and ground as kind of domains of warfare,
I think well, United States dominates the sea, the air
and the space not so much, not as much the ground.
Those are the areas where technology rules like this one.
And then lastly, it occurred to me
that if I was an Iranian, I'd be offended.
I mean like there's all this talk about the danger
of cyber warfare and the threat to the United States, I'd say,
for God's sake the only ones
who we think did this ever was either you
or one of your friends.
So maybe this isn't this weapon of the weak,
maybe this is the weapon of the strong
and what's the big concern here?
Any or all of you.
>> Why does it have to be either-or?
>> Who's it principally?
>> Why does it have to be principally?
I mean, the argument that I would make here is
that cyber attack is a methodology.
>> Sorry.
>> And it's like having a chemical explosive.
You have chemical explosives in a gun, you know in a pistol,
and chemical explosives in blockbuster bombs that weigh,
you know 10,000, you know that are 10,000 pounds heavy.
And that's a lot.
And but they're completely different
in different scenarios.
So I don't know that it has to be principally one
or principally the other.
That's a way of achieving something.
>> I have a colleague of mine who has a 3-stage plan
for carrying out cyber war against the Taliban.
Step 1, teach them to read.
[ Laughter ]
Step 2, sell them computers.
Step 3, you can probably guess.
[ Laughter ]
>> Cyber weapons are unique.
And let me give you a contrast.
If I have a gun and you don't have a gun,
I'm in better position.
If I have a ship and you don't have a ship,
I'm in a better position.
If I have a plane and you don't have a plane,
I'm in a better position.
It's also true for space craft.
But if I've got a computer and a hacker
and you don't have a computer,
I'm not in a better position 'cause you have to get
at some level of development before you're even vulnerable
for that.
But-- so I would say it's not a matter of the strong
versus the weak or the weak versus the strong.
It's a matter of the elite versus the naive.
Let me give you another example here, okay.
There are a lot of countries that use weapons
that they don't have the capability of manufacturing
because they don't have the sophisticated infrastructure.
They buy a lot of weapons from folks.
Now, if I take an F-16 and it happens to be in the hands
of an underdeveloped country, chances are they won't use it
in sophisticated ways the US Air Forces would.
Chances are they won't maintain it as well
as the US Air Force would.
Okay, they won't integrate as well.
But it's still a fearsome war weapon.
But if I-- you have a network and I have hackers,
I can turn that network into a negative weapon.
I can make you worse off for having gone to the trouble
of having that network because you haven't matched the
sophistication of your network management, the sophistication
of the technology that you're using for it.
Now, you could have joined networks altogether
in which case you're vulnerable for certain attacks, okay.
Or you could buy networks and have the sophistication
to protect them and the wisdom to figure out what you put
on the network and what you don't.
But where you don't wanna be is having enough money
to buy the networks and not enough sophistication
to know how to protect them.
And that's when you're vulnerable.
>> I'm gonna come down and say that this is a weapon
of the strong against the weak.
And I think that you know, the use of IT in all sectors
of society has been to enhance control precision
and the ability to manage uncertainty and ambiguity.
But there's a great book called The Control Revolution
by James Beniger.
He wrote it back in '86 before the internet kicked off.
But his argument was that the information society is not a new
thing that you know Apple invented.
This is something that has been part and parcel
of the industrial revolution in increasing abilities
to control things,
that challenges controlling the controls and the growth
of bureaucracy communications, computers.
All of these things have gone together
and then greatly advantaged large corporations
and large states which incidentally are, you know,
the prime drivers in innovation of kinda lot
of the core infrastructures in these things.
So I think that in order for it to be a weapon of the weak,
the strong really has to pull its punches and agree
to do something, you know, like we do in Iraq or you say well,
we're very interested in building this--
a new state that looks something like a democracy
but at least you know, is somewhat functioning,
it's gonna have these various liberal institutions.
In order to do that we're going to have to abide by a lot
of laws, you're going to abide by some of those laws
so we're gonna facilitate the insurgents' ability to hide
within the population.
And exploit some of those rules
that we have voluntarily agreed to follow.
So you've already kind of raised the bar into a higher level
of control than all out, you know, [inaudible] territory
and trying to figure out, you know,
just kind of what is the rough state
of ownership of what's going on.
>> Maybe throw one kind of question--
one last question on the table
and then I will open it up for people here.
So again, so the kinda root cause I think of the concerns
at the not and among cyber experts who think about it
because that's what they do for a living.
But for folks who are focused on US national security,
why shouldn't they of austerity and scarce defense dollars.
Why should they be funded?
So, one is this notion that it might give asymmetric advantages
to the weak and hence to really require a lot of efforts.
The other one though has to do with something
that you guys touched on quickly
about the problems of attribution.
And the problem of attribution meaning that it's difficult
to determine after an act who was the source unwinds many
of our-- the ways that we like to deter nasty events
and respond to them afterwards.
And again, the initial first cut kind of logic that makes a lot
of sense which is for means
that require many more IQ points than I have.
People could take over servers around the world far away
from where they're located and run the attacks from them,
et cetera, so I understand that.
The question is this, if somebody does enough damage
with the cyber attack and I don't know what enough is.
A substantial amount of damage against the powerful country,
United States, Great Britain or Russia or whatever
and that country were motivated to devote the serious resources
of a powerful state to figure out who did this.
Do you think and by who, I mean where it came from.
Do you think that's just--
there's just technical reasons why they're never gonna
get there?
Or do you think that using the various tools
that you guys understand better than I as well
as the general intelligence [inaudible] that again,
the reason attribution is hard is the attacks are pinpricks.
And if the attacks were pinpricks attribution start
getting involved.
>> So what's the question?
>> So the question is,
is the attribution problem really a fundamental difficult
problem in this.
Or does it only appear
to be 'cause the acts have been pinpricks
and annoyances and espionage.
Because an attribution is not a huge problem,
then all the normal tools of US national security policy
and statecraft seem to apply.
>> We go to war even when there is zero attribution.
So okay.
[ Laughter ]
>> We did that in Iraq.
>> That's right.
>> There was no evidence at all
that they were responsible for the 9/11 attacks.
And we went after them for that anyway and so on.
So the level-- so it's not clear that the level
of attribution actually is significant in, you know,
in any decision to attack somebody.
But I mean, you raised an interesting point.
I think you're saying is if it were a very serious attack,
wouldn't we develop more resources
to finding out who it was.
Who is responsible and then hold them accountable.
I think that's basically the question, right?
>> And if you can do that, then use the normal tools
of statecraft to deter and to punish and the--
>> So-- well, so for example, if you were the victim
of a very serious cyber attack
and let's say was launched by a state.
It would be an interesting question as to whether or not
that state could keep it secret, okay.
So you have your spies and you have your communications
intercepts and all those other sort of tools that you can't--
that you can't figure out who it was
from the technical signature.
Examining the hard disk but they--
you know, that [inaudible].
But maybe you have other intelligence,
maybe you have a spy that's well placed,
maybe you overhear a couple of conversations
between the senior general staffs or something like that.
And we get a lot like that.
And we get a lot of information
through those kinds of channels.
So I think it's a red herring to say
that really attribution is impossible.
It's just that it's very uncertain,
what uncertain means is, maybe,
you know maybe you have it and maybe you don't.
And it depends all on the circumstances.
>> Another complicated question.
First of all, it's not a question whether you know
or not.
It's a question of with what confidence do you know
and with what confidence are you willing to act?
And by the way that was not the first time we went
through war based on attribution.
There was the--
[ Inaudible Remark ]
>> No-- then I argue with you, sir.
There was the Spanish-American War.
Classic example of going to war against the guys
who didn't do it in the end.
Okay. You bring up an interesting question.
When it comes to cyber espionage from China
and I do use the word China here.
We know it's China, we have a lot of evidence it's China and
yet they seem to do it anyhow.
Why? Because it's considered cyber espionage
and that's below the threshold and the second reason is
that there's no harm to the actual computer.
In other words, I could spy--
I could take information from your computer for years
and you'll never know the difference.
A cyber attack is gonna be a lot more instant.
Okay. Now having said as much, there are 2 issues
and I'm gonna address the easier one.
The first issue is does the attacker think
that he can get away with it?
And the second question is, can he in fact get away with it?
Right. For deterrence policy you need the attacker to believe
that the chance he can get away with it are preparedly good.
And there are other things you throw
into the equation but that's key.
Now let's turn, the other side is do we think how confident can
we in fact be?
I would argue that the attribution is hard in a world
in which we have no consequences.
In a world in which we did have consequences
and other people would know it, they would take a lot more time.
And one of the things they would do is make sure
that we were looking at somebody else.
Right. There was a war game that RAND ran
about 15 years ago and had a scenario.
And they divided the-- they had 7 groups of people looking
at the same scenario in the war game.
Four of them thought China did it,
three of them thought Taiwan did it as a rep--
as a sort of false flag operation.
That's the real world you're gonna get into in
such circumstances where you wanna carry out an attack
and not have anybody know it.
Now the political scientist, Richard Kugler comes to mind
in this particular case, would say, well, you wouldn't carry
out a cyber attack without identifying yourself otherwise
what's the point?
It turns out that what's the point is a real question
and we can go on and on about things that are the point
and things that are not the point.
For instance, I'll give you an example, if you are an advocate
of a group that it is in fact in many countries, say a religion.
And you want to dissuade the United States
from doing something against the religion, okay.
You don't have to announce yourself
because it could be one of several suspects.
If on the other hand, you have 2 countries that are contesting
over a piece of territory, and you carry out an attack,
it's gonna be kinda hard to hide yourself just based on context.
Now, there is a long discussion of technical community
as to whether we can trace an attack to a particular box.
And the technical community goes nod, nod, wink, wink,
we're better than you think they are-- we are.
I don't know.
Maybe they're right, maybe they're wrong.
Now, here's a couple ways that-- don't try this at home guys,
to carry out an attack from somebody else's box.
One, free WiFi, available at every [inaudible]
in most public libraries.
Two, infect somebody else's machine
and have them carry out the attack.
Three, your friendly cyber cafe.
By the way, all of these attacks are much harder to do from China
because China has much better surveillance than we do.
And number four, and this has never been done
but there's no reason why you couldn't do it.
Get a phone, pay cash, get the SIM card, pay cash,
don't leave an ID behind, don't call your friends,
that's very important, never call your friends
on a phone you're gonna attack with, right?
Carry out the attack.
Dust off your fingerprints.
Throw in the garbage can in somebody--
in a different cell tower.
And you're practically scot-free unless you have a reputation
or unless you've been blabbing to your friends.
If you've got good trade craft your chance
of getting caught are fairly low.
Now, so you're back to all this other ancillary stuff
and it essentially comes down to the question of which follows.
I really hate to speak algebra
so I'll try to do the best I can.
Are you more afraid of being wrong than you're afraid
of not going ahead when you're right,
multiplied by the probabilities of both of them?
And if the answer is yes it becomes a strategic decision
it's not a legal decision.
>> I largely agree with both of these, with Herb and Martin.
I'll just say that, you know, it's much more risky to stick
up a 7-Eleven than it is to, you know, remove 40 million dollars
from a bank if you can, you know, do that
and that's definitely been done.
However, you know, I think a larger implication
of the question you're asking is how valid are analogies drawn
from the domain that we have lots of experience with
and that we can draw 99 percent of the cyber security examples
from which are crime, fraud, espionage, other you know,
hijinks, you know, hackers showing
that they've done things just because they can.
How valid are those intuitions about attribution,
about offense dominance, about the difficulty of detection
when applied to the strategic level.
>> Okay, let me turn this open to you guys
and just take any questions you guys have.
Typically on these things we try to take questions first
from students so if there are any people
who are clearly self identifying as students
if you have a question raise your hand.
>> No identity theft allowed.
>> What was this?
>> No identity theft allowed.
>> Exactly right just stand up and say your name
and your social security number.
[ Laughter ]
>> And your mother's mother maiden name.
>> So why don't we start right here with a person
who had their hand up a second ago and then go down--
>> I'm not a student.
>> No I understand completely and by the way, yes.
>> Oh okay, I had a comment for Mr. or Dr. Libicki
about the saying that if you know that you're--
you know your vulnerabilities than your--
you can defend so then you are invulnerable.
I-- just as a sort of a middle manager IT type person
for years I have to disagree with that
because I think there is a lot of knowledge
of what you're vulnerable about and getting people
to do something about is a sort of a major part of the problem
which I think Mr. Lin said which also--
and then I just wondered about a comment
if you gentlemen could comment on [noise] recently
in the SANS NewsBites which is sort of aggregation
of security little things
about U.S. drones had they been getting the virus
in the last couple of weeks.
And U.S. Defense Department are putting both people and saying,
"Oh it was nothing don't worry about it.
He just stole the passwords."
And I think, oh I wonder what that means
without having U.S. drones having their passwords stolen
and having a virus and end up from what mister--
the kind of denial of--
the secrecy that Dr. Lin was talking about.
>> Let me respond to your comment.
First of all, I'd like to say you're correct.
Practically, this isn't something I tell people.
If I have something on my machine, on my network, that's
of interest to a state intelligence agency
and my network is connected
to the internet, color it gone, 'cause there are so many ways
to get into garden variety internet systems
and so many unknown flaws, okay, that they'll eventually find it.
Now the problem is that in many systems, not all systems
but in many systems, the greatest flaw is the user.
The bad password, the poor habits, the difficulty
in keeping patches, et cetera, et cetera, et cetera, and that leads
to a different formulation, and the formulation is as follows.
This world has [inaudible] and this world has castles.
There are certain things that are like castles, like the Nuclear Command
and Control System of the United States, and there are others
like [inaudible] such as Facebook.
When we open ourselves up to the internet we trade the virtues
of openness for the pain of insecurity,
and the question then becomes, do we understand the tradeoff
and are we making the tradeoff correctly?
If you're gonna take a university, which is based
on the open exchange of ideas, and wall it off from the rest
of the world, you're not doing yourself any favors, okay?
The tradeoffs just aren't in the right place.
A nuclear power plant, you flip it around, okay?
So it ends up that the most important piece
of information you have
when you're running a system is not the technical information.
It's the self-understanding you have
of what information is important to keep privileged
and what information is not important to keep privileged,
and you would be surprised how many people--
in fact it's pretty universal-- skip step one
and go to step two.
You go to the technical means, okay,
without considering the nontechnical issues first.
You know, Sun Tzu is right, self-knowledge is the beginning
of all knowledge-- or was it Plato?
I think it was Plato talking Sun Tzu.
[ Laughter ]
>> In response to your question about the virus
on the Predator terminals, I agree, you know,
the Air Force Public Affairs handled that really poorly
and, you know, they'll be working with that.
But there's so much bad stuff sloshing around, even
on military classified networks.
It would just blow your mind, and I think if you kind
of just think about the experience that you have,
you know, in your organization working with IT,
having random blue screens of death, just having your PC freeze
and not knowing why, misfiling things,
all of these normal things that, you know, are really funny
to laugh about and go on in the office go
on in the military in spades, and yet the organization continues
to go on, so if you're going
to attack this organization you better do more
than just do a lot of noise and friction, because it's very good
at inflicting friction upon itself.
So you gotta be really, really targeted
if you wanna have something that's gonna come
out of the noise.
So, yeah, that's alarming, it's disturbing,
yet at the same time there are a lot of just normal glitches that go
on in the flying of these vehicles. That's why there's a
man in the loop to kind of, like, deal with, you know,
manage these things when they happen.
>> Actually, let me make another statement
about the keystroke logger in general.
I don't know enough of the details of the actual incident
at this point to say anything authoritative
about what the Air Force did or did not do.
But not every vulnerability
and not every attack is necessarily worthwhile, okay?
Let us say I could collect the keystrokes,
and that's all I could do is collect the keystrokes,
as opposed to command and control of UAVs, right?
If I'm going through an air gapped system it's not gonna
be instantaneous.
I got to get somebody to walk the USB drive in.
I got to get somebody later on to walk the keystrokes out.
So you have to count on a certain lag,
which means I can't control the system; all I can do is learn
about this system, right?
And so in the end I get this information back
and now I have two months' worth of keystrokes and UAV operations
that have come and gone a long time ago.
And the next question is, was
that worthwhile for the attacker?
The intelligence guys will always say yes.
I don't necessarily trust them. And is that really
such a problem for the Air Force?
And the answer to that one may be-- maybe no, maybe yes.
You have to be able to translate one into the other.
One of the things that made Stuxnet work is the attackers--
I was about to say who they were, right?
The attackers didn't care when the centrifuges crashed.
They just wanted them to crash.
A month later, two months later, four months later,
eight months later, it was pretty much all the same.
They were just there to break things,
so Stuxnet was a one-way system.
All they had to do was to get the worm from the open world
to the closed world for the worm to do its work.
Now let's say you want to take down their defense system.
I need a certain precision here, right?
If I take it down a month before the war starts, it will be
patched up and running and harder.
If I take it down a month after the war starts-- my entire air defense
system, you know, the war may be over anyhow.
You've got to get the timing right,
and not every vector that's used
for a cyber attack can get the timing right, particularly
when you're going through an air gap, which is probably more
than you want to know, but there it is.
[ Laughter ]
>> Thank you.
>> Yes sir?
>> So you talked a lot about theoretical stuff, which is great
and it's really, really impressive stuff, but if I have
to play policy maker and ask my question, it would be,
so what does this mean for the U.S.,
for the U.S. national security policies,
where do we go from here?
Do we have to devote more to cyber research
and development or cyber defenses?
What are your suggestions moving forward?
>> More for research and development.
[ Laughter ]
>> More for FFRDCs.
>> Budget isn't the only issue.
But there are certainly interesting problems
in this space, so just to give one--
let me give you just two examples of interesting problems
that nobody really has any idea how to deal with.
This is what you'd spend some of your R&D money on.
How do you tell the adversary that what you're doing is benign
exploitation rather than hostile,
overtly hostile attack?
When you launch an operation, how do you deal with it?
How do you let the-- because you--
you don't want the other guy overreacting.
How do you inform him?
You don't call up on the hotline and tell him, you know,
the worm that you're seeing now is a friendly worm
and is just gonna steal information.
You're not gonna do that, right?
>> But how will he know?
Okay? And that's-- there's another question. Let's say
you're in a shooting war in cyberspace
and you're trading viruses or whatever.
How do you know-- and then you say, no more, peace, stop.
How do you know that the other guy has stopped shooting at you?
How do you know that you've stopped shooting--
how does he know that you stopped shooting at him, okay?
So let me give you an example
of something that's just completely nuts, okay?
Because-- why?
Because you have to--
you're still under cyber attack from everybody else.
So does that mean that when I start the cyber attack I have
to identify my malware, where inside there's a string
that says this is-- this code comes from the U.S. government
and is part of a real attack, so that when they no longer--
>> Wait a minute.
>> So that when we stop, so that
when we stop we no longer send those packets.
This gets into the surreal, okay?
This is complete-- what I'm proposing here,
I'm not seriously proposing, for the tape,
it's completely ridiculous, okay?
But how would you do it?
How would you know that the other guy is complying
with the cease-- with a "cyber ceasefire"
and what would that mean?
Nobody has any idea how to deal with these issues, and it's not--
it's partly a question of money, but it's really--
nobody has good ideas about this stuff.
>> Paul you wanna go next?
>> Yeah, you know, my biggest recommendation
in this case is to, you know, relax, not go too fast.
The military's gonna do what the military is gonna do.
But because so much of this problem is based
on the relationship between the private sector
and the public sector, there is a tendency to reach
for regulatory tools to perhaps, you know,
enforce design requirements or various requirements
on the architecture of the internet,
which could have fairly adverse consequences
for the innovativeness, the economic productivity,
the information economy, civil liberties,
and privacy concerns are really big when you start thinking
about security and automatically thinking that surveillance
and security are the same, and they're not.
So in that case I would say, you know, be very wary
of precautionary reasoning that says computers are everywhere,
threats are everywhere, and normally adopt a commitment
to trying to make sure that you have proof and evidence
and good reasoning before you have a regulatory intervention
into, you know, the market in order to manage.
And I might not have made this clear.
I mean, the private sector is essential because, you know,
they invent, own and operate most
of the infrastructure of cyberspace.
They create the vulnerability and therefore could reduce it
if their incentives were different.
So, you know, that's really kind of a long term management issue,
which is a different one than kind of the traditional, you know,
self-enclosed military space of developing capabilities
to affect the balance of power.
>> Three things. First of all, I think the military has
to understand what its performance would be like--
what its performance would be like under conditions
of a first-rate cyber attack.
My hunch is that we do not understand it nearly as well
as we need to from the military's perspective.
Number two, I would make sure that the electric grid is air gapped.
It used to be air gapped, by the way,
and then we started getting lazy. I think we have
to return to air gapping.
Not because the likelihood of a wholesale attack
on the electric grid is particularly high
but because the consequences are sufficiently serious.
And the number of people you would sort
of-- to discuss the whole notion of castles,
I think the electric power grid is a castle. I think the number
of people you will inconvenience is relatively small;
it sounds like a good tradeoff to me.
The third thing I would do is, modulo number one and number two,
to stop going around telling everybody how vulnerable we are.
>> Okay, I just wanna ask a question
about something Herb had said, but before that I also kind
of wanna say something there.
When the National Security Agency was here last week-- I
don't know how many of you went to some of those--
some of the issues they're recommending is
at least workforce, right?
All the smart students in here need to be trained in, or we need
to be training more people in, the technical skills in order
to at least understand what are the things they're
talking about.
So just my plug for engineering and computer science,
not in sociology, so do that too. But my question is for Herb,
which is, you just said we announced
that this isn't a serious attack.
This is just-- we're just looking around the network.
Is that what China's doing? Because as you--
all three almost acknowledged, right?
There's lots of evidence of, you know, China,
with a persistent threat that we know from China,
and I'm sure we're doing it the other way too.
So why is that sort of known and yet assumed
to be not problematic?
Not problematic, but it's not-- it's not--
it's not seen as an attack.
It's just seen, we know state actors like China
are in our networks, that they're in a lot of, you know,
secure networks and-- but it's not really a threat.
It's not an attack, and how do we know that?
Because nothing bad is happening,
because the consequences aren't clear?
That-- and so, just your opinion on that kind of a thing.
>> It's an interesting question as to whether China is send--
are you saying that China is sending us a message?
Is China trying to persuade us that they're benign?
>> I don't know what they're doing or that--
[ Simultaneous Talking ]
>> That's right, but so there's lots of evidence
on the [inaudible] side.
I don't know on the Chinese side, that there-- there are--
those state actors who are able to penetrate lots of systems,
maybe not the-- maybe not the castles, but lots
of things leading up to the castles.
>> Right.
>> And yet this is not a provocation that would be,
if their ships were sitting off
of our borders or something else.
So, how do we know-- you said in these kinds of cyber operations,
there isn't an announcement
that this is not an attack, it's just [inaudible].
But how do we know?
How do we tell?
Why are we assuming that in, say, what China is doing
to our networks and probably what we're doing
to China's networks?
>> It's-- I don't know how to tell you
of knowing it. I answered that, and we think that the--
we think that the Chinese are only stealing information
because that's what we've discovered.
But once we have-- we know what the--
once we have the code and we're able to take the time
to do a serious analysis of it and to figure
out who it would communicate with [inaudible] and so on
and all this other stuff,
we have some idea what it-- of what it's doing.
But in the heat of a crisis, I mean, that's our equal.
You don't worry so much about this under peacetime conditions
because, I mean, there's not a war going on,
okay, and so you have the time
to actually conduct some analysis to tell you.
But if you're in the-- if tensions are rising,
it becomes a really pressing issue
to know whether something is benign or something is malicious,
and I'll just make the observation that in times
of tension, when conflict likelihood is rising, your
intelligence demands go up.
So you really want information on what their Nuclear Command
and Control System is doing, for example, or some other guy's.
You really want to be in there to understand
that when they move their mobile missiles around,
it's a routine exercise, not being provocative.
You really want to know that.
So you're gonna increase your effort.
But if they see you at that time wandering
around in their Nuclear Command and Control System,
you dare say they might get upset
and a little nervous, right?
So what-- my only point is that it's--
nobody knows how to deal
with this problem technically or procedurally.
It's just-- how do you deal with it?
No one knows.
>> Herb, on this exact point
about how the gray area [inaudible] benign espionage--
could you relay just a little bit of what you were telling me
about these hooks, about--
>> Sure, so some years ago-- two years ago now,
there were some reports that were broken
in the Wall Street Journal
that the Chinese had penetrated our electric grid.
And a big front-page story about-- about kind of tracing the--
of the electric grid, and those are really,
really serious, okay?
And that's as far as the story went.
When I've talked to people in the electrical power industry,
and I say, "What did you actually find?"
The answer that came back was,
"We never found any actual malware.
What we found was hooks, placed vulnerabilities
that were introduced so that you could download something into it,
but there wasn't actually anything bad there
that could be-- that would actually cause damage.
It was just opening up a hole
that a knowledgeable person could penetrate later on."
Now how do you interpret that?
I mean, from one end, that's actually--
actually, I'd say that's really the sensible thing
to do, okay?
You don't want to leave any smoking gun there that says
that your gun, you know, it's gonna destroy the information.
That's what you would want,
because you could always upload your information
to it later on when you want to.
>> And that's the-- that's the story.
>> Where in the networks were those hooks?
Was it on the--
>> Sorry?
>> Was it on the generation side, the control side,
the rest of the office network?
>> That-- it was on the generation, it was on--
as I understand it, it was on the generation,
on the operational side, not the business side, but the fact
that it was on the-- it could've been on the business side
that was-- you expect those to be a lot more vulnerable,
but sometimes the business side taps the operational side
directly too, so.
>> And then there's operations in those operations?
>> Right.
>> Yeah.
>> I would have to say I'm constantly struck by the--
by, again, cyber feels so different, but the analogies
to conventional warfare, where for
so many years you got stories that, oh,
U.S. aircraft near Soviet airspace were escorted out.
What were they doing?
They were establishing hooks.
But what they were basically doing is they were mapping
altitudes and locations where they would
or would not be detected by radar. Exactly the same sort
of thing, establishing opportunities
for [inaudible] later.
>> Is there a student yet-- a student--
yes, and then I'll try to--
>> And there's a student up there too.
>> Okay, yes, sir, and I'll come here.
And if we do have time, otherwise I'll just invite you--
where were-- who's the third student here?
And if we do have enough time I'll [inaudible] afterwards,
but yes, certainly.
>> I just have a quick comment on the portion just right now,
how the National Security Agency came
to try to recruit people to work for them.
Last week, I read an article in the [inaudible] Times saying if--
there was a front-page article on cyber coalition in China,
saying China's organizing people in small groups
that they'll all have daytime jobs but after
that they get together and they--
I think they were called cyber attacks and cyber defense.
And they are listed under the army in Chinese, you know,
I'm not sure what it is called, it was in the army, yeah, right,
so I'm not sure if that's any of the-- is that--
but it seems to be alarming to me
that they're doing that in a weird time.
So I'm not sure how you're going to interpret that in the sense
of attack competitiveness and defense.
>> David? I'm sorry.
Jon, actually-- we suggested,
because we have three more questions,
let me take-- pick up that question, [inaudible] in the back,
and pick up this question, and then the three
of you guys can each have one more time
to answer whichever parts of those you'd like to.
That's question number one. Gentleman in the back.
>> I've been looking at groups like Anonymous and wall site
that have been in the news a lot lately for, like, you know,
bringing down major websites
and stealing confidential information, and it seems like
these attacks are being executed at a precise time
on a precise target, and they're not too likely to coordinate.
So I was just wondering if that could ever pose
a competitive national security threat and how those kinds
of threats can be dealt with.
>> And the last question, gentleman in the back.
>> So what was-- just, how has the spread of, like,
I guess you could say commodity systems really changed the game?
Everybody's running Windows systems now
and it seems like [inaudible].
So how do you-- how do we--
well, yeah, except that you can come in for that server.
So how is that gonna change the game, sort of, to say, I mean, now,
if you see a vulnerability in a system, there's a good chance
that that same vulnerability is sitting
on somebody else's system, and does it--
does that cut down on your--
based on your data, just have you lowered the barrier to attack essentially?
>> Well, I'll just work on the-- where, Jon, you start,
and then Mark, then Herb, and then we'll close down and--
>> Okay.
>> But just whatever parts of this you like.
>> I think I can link these two together, actually.
China is always very, very murky because you have a lot
of activity, and the degree of the state is always the question.
How much is there in explicit, you know, relationship
between the PLA and the state?
How much of this is just encouraged or tolerated?
And I think there's a great deal of that, you know,
in the social patriotic movement,
and there's all sorts of interesting facts.
To me, just the fact that the Chinese government has been--
had this big push towards indigenous innovation,
to encourage companies to develop their own version
of whatever is the cutting edge thing, creates this great
underground market for, you know, private gray side hackers
to provide industrial espionage services
for those Chinese companies.
But at the same time, American companies wanna be
in China, you know?
They're trying to buy our debt,
so, like, we don't necessarily wanna poke them
in the eye that much.
You don't ask questions that you want to answer for.
So I think the link here is, you know, U.S.--
well, there's other stuff they're doing but we're not.
I think that even though the motivations are very different
and, you know, as an American I'm glad that we have groups
like this doing this in some situations in our pool.
But, you know, we have a large number of, you know,
motivated private sectors, some with help from the government,
for example using the [inaudible], which is developed
by the Office of Naval Research, is now a major tool
for groups that are trying to empower dissidents
in authoritarian societies to communicate with one another,
encouraging a democratic movement.
I mean, if you're an authoritarian company--
country, and you see, you know, tools that are developed
by the U.S. Government, funding that's coming
from the State Department to encourage, you know,
your citizens to subvert your internet, that starts
to look like patriot acting.
>> I guess I'm next.
I'm a little less-- I'm less worried
about the Chinese militias, just like I'm less worried
about going in some air force based on a bunch of part-timers.
If you're gonna be a good actor, you have to be a good actor
and it's got to be a full-time job and you've got
to be supported by intelligence.
Other than that, it gets back to the second question: you end
up painting mustaches, virtual mustaches, on websites.
And I'm sorry, I'm not particularly impressed.
And I forgot the third question.
>> Commodity systems.
>> Commodity systems make things--
make hacking a good deal easier.
Actually, let me take 30 seconds.
You're all familiar with what this is.
I'm not gonna sell you-- sell you one of these things.
But I will tell you there's no malware for it.
Now the reason there's no malware for it is not
because Apple has better security engineers
and Microsoft doesn't.
In fact, Microsoft's slightly better.
If you compare the Mac to a PC, they're about six of one,
half a dozen of the other, and I think
on technical grounds the PC has a slight edge.
The reason that this is far less subject to malware is
because it's a closed system.
And the reason it's a closed system is
because Apple makes more money that way.
The bottom line here is different architectures produce
vastly different consequences for cyber security.
I'm not saying it's probable, but I will say that it's possible
that 20 years from now we'll look back on this era,
this interlude of cyber dependence, and say,
what were we thinking?
Why did we build our systems in such a way
that anybody could do anything to all of them, okay,
when there are much better ways of designing critical systems?
>> I'll just follow up on this one primarily, and I think
that it's certainly true that monoculture has its--
has its drawbacks, but there are also many advantages to monoculture,
ease of maintenance and, you know, and so on.
And it's a tradeoff.
There are people who think--
from a technical standpoint, think
about how you generate 17 different versions of Windows
or something like that in critical places.
So there's active research on that.
I'll point out that it's not--
at this point the most malicious vector is not operating systems,
it's targeting Flash.
>> Okay.
>> Adobe Flash, and Adobe is now the most serious problem
in this.
>> So maybe they're gonna develop a theory of war based
on a middle-size Silicon Valley company's sloppiness.
[ Laughter ]
>> Yeah, as I said at the very beginning, this is the first
of what I believe will be a four part series and as I said,
I can't imagine a better way to have kicked this off
than with these three very provocative presentations.
Please join me in thanking our guests.
[ Applause ]