Russian election interference changed the cyber playing field. While United States intelligence knows how it happened last time, what can it do to stop it from happening again? Cybersecurity experts Adam Segal and David Sanger join this week’s Deep Dish podcast to discuss the latest in US cyber policy.
Brian Hanson: I want to invite all our listeners to join our Facebook group, you can find us on Facebook under 'Deep Dish and Global Affairs'. This is a public group, everyone is welcome, so please join in. You can find out about upcoming episodes in advance, you can submit questions to our upcoming guests, so please go check us out under 'Deep Dish and Global Affairs'.
Adam Segal: I think with cyber we tend to always focus on the last battle, there is a new set of targets out there that we don't expect, I think. Some people are beginning to pay attention to the census.
David Sanger: When you look at malware you can't figure out its intentions, you can only figure out its capabilities. The other side, just as in a nuclear world, could miscalculate your intentions.]
Brian Hanson: This is Deep Dish and Global Affairs, going beyond the headlines on critical global issues. I'm Brian Hanson and today we're talking about cyber security, both in context of election hacking- which has been much in the news recently- as well as taking a look at the broader issues of cyber security and how we can respond to them.
Brian Hanson: We're going to do two back-to-back interviews today, you'll hear from Adam Segal at the Council on Foreign Relations and also David Sanger from the New York Times. Just a note as we get going that we caught David Sanger in the Denver Airport in-between flights so that you'll hear a little bit of background noise for that interview as well.
Brian Hanson: I'm joined by Adam Segal, a US cyber security expert who serves as the Ira A. Lipman chair in Emerging Technologies in National Security, and who's also director of the Digital and Cyber Space Policy Program at the Council on Foreign Relations. He has a book on the subject that is "The Hacked World Order : How Nations Fight, Trade, Maneuver and Manipulate in the Digital Age." Welcome Adam, it's great to have you on.
Adam Segal: It's great to be here.
Brian Hanson: So since the recent Helsinki summit between President Trump and President Putin, there's obviously been a tremendous focus in the press about what happened in the US election. And a lot of the press discussion has been whether or not President Trump accepts the consensus of US Intelligence community. I want to set that issue aside and go beyond that controversy to look more deeply into the issue of cyber security and elections and what the threats are and what can be done to address the threat.
Brian Hanson: So, I want to start, Adam, with a fundamental question of; why was the US so vulnerable to this kind of attack?
Adam Segal: Well, I think it was a kind of fundamental assumption that we had an agreement with the Russians about what type of cyber activities were legitimate. We knew that the Russian, along with the Chinese and others, were conducting widespread cyber espionage. We knew the Russians had hacked into the State Department, into the White House, they had targeted elections, but we thought it was primarily for information gathering. We didn't think they were going to move to trying to influence the elections, even though we knew they had been active with their neighbors. We just thought that they would limit their targets to their neighbors and to Europe, and would not target the United States.
Brian Hanson: When you say that they already hacked into the White House, one could imagine that would set off all kinds of red flags. Why when we saw that kind of activities did the, at the time the Obama administration, just assume that well this is intelligence gathering. Which sounds like, when you're hacking into the White House, a pretty significant problem on its own, but why didn't that trigger more of a response?
Adam Segal: Again, I think we were trying, broadly, to set what we thought were the norms of behavior in cyber space. And we were not just talking to the Russians, we were also talking to the Chinese about what legitimate hacking looks like, and the US was trying to create a distinction between good hacking and bad hacking with the Chinese. Good hacking is the type of hacking that the United States did, which is primarily political and military espionage. Bad hacking is what the Chinese were doing, which was industrial espionage. So I think one of the reasons why ... We weren't happy that the Russians were hacking into the White House, or the State Department, but we didn't do a lot about it was because the US was doing it fairly extensively to potential adversaries. We didn't want to call that kind of behavior out, because we were clearly doing it as well.
Brian Hanson: So it sounds like, in that, we didn't really even imagine that it could be ... that this kind of hacking for offensive means to influence election was really in the realm of what people thought someone might do. The kinds of norms that we're setting up didn't involve this.
Adam Segal: I think that's right. I think in the US we had a very narrow focus on what we were calling cyber security. So, how do you keep an attacker out of your devices? How do you protect the confidentiality, integrity and assurance of the data? And the Russians and Chinese primarily talk about information security, so how do you do all of those first things? How do you protect cyber security, but also how do you think about how information is used to influence political discussions inside a country's information space? Or cyber space? And so that, I think, was a different way of framing the problem.
Brian Hanson: So, if at that time, there was this assumption about hacking and its purposes, clearly after 2016 and other subsequent events and hacking and intervention in other elections, including in European countries. Our understanding of how these capabilities can be used has been enlarged. What've the responses been? Is there now a set of tools, processes, routines to counter this kind of activity?
Adam Segal: Well I think we're identifying those. I think we've broken the problem down now into a set of tools and policy responses. First of all, we think about how do we protect the actual electoral system. Voting systems, voter logs, those types of things. And then second, how do we think about influence operations and social media in particular. And within those two categories we are slowly developing a set of policy tools and responses, plus how do we message to potential adversaries that there are going to be costs for influencing, or trying to be active, in those two spaces.
Brian Hanson: So let's break those down a little bit. Focusing on protecting the election system itself, what kinds of capacities have been developed and how effectively can we- we've got an election coming up, incredibly important mid-term election in this country. What kinds of capacities exist to counter the kind of actions we saw in 2016?
Adam Segal: I think, the first thing that happened was the Obama administration designated electoral systems as critical infrastructure, which hadn't been the case before, so in some ways signal both domestically and internationally that we were going to take this seriously. The second thing that's happened is, there's been about 380-million-dollars set aside by the Federal Government to help states protect cyber security. And primarily what we want to do is get electoral systems off the internet. Have them not connected to remote systems. In particular, two things we want to happen, we want to have electoral systems that have backups- in particular, paper backups, so if they're hacked we can do an accounting. And second, we want to have random post election audits in place, so you can also check up.
Adam Segal: So, not all states have that in place and we're trying to build that out.
Brian Hanson: So, how confident can voters be going in to this election, that those kinds of capacities and preventions will be in place? Is this something that ... proceeding at a good pace, and everybody can feel totally fine that there's no possible problem? How much confidence should we have?
Adam Segal: Not a huge amount, but better than before. As I mentioned, the 380-million-dollars was set aside, there was delay. Some of the states ... So we have an incredibly decentralized voting system where each state runs it in a way that they see fit. Some have argued that the Federal government is overreaching and the DHS- the Department of Homeland Security- was overreaching. So, some were slow to accept that money. Some who have accepted that money have used it and spent it in ways that probably is not the most efficient or effective way. So I think there's a general feeling that we're not moving fast enough. There's a bipartisan bill in the Senate that would push more money out to the states, but as you ... I think kind of put your finger on the problem. The problem is going to be confidence, and that's a hard thing to build in the electorate once they think that there's problems.
Adam Segal: How do you make sure people ... That they're votes count? And so we would have to move faster, and I think more robustly.
Brian Hanson: So, that's interesting. It raises the possibility, and let's just kind of go to one of those dark scenarios that is actually suggested by one of our Facebook listeners- Jarod Fazio. He says, "If votes are hacked and found to have been changed, at what point can we declare an elected official illegitimate? What happens if we do so?" So what happens if there is? We do that post audit, we find votes have been changed and that actually affects the- what do we do at that point?
Adam Segal: It's gonna be very hard. We are already in this political environment. If you remember in the run-up to the presidential election, the president was claiming before he won that the system was rigged. And so, we have a situation of extreme political polarization where already there's going to be a default, I think, from both sides to claim that there's been a rigging or some type of interference. It's gonna be very hard to do that and have both sides, I think, accept the outcome.
Brian Hanson: So, given that partisan environment that we have right now, is that affecting the ability to even address and put in some of the protections that you talked about earlier? And creating hindrances to that?
Adam Segal: It is, I think it's playing a larger effect on the second basket, on social media and the role that that plays. But it has, I think, affected the electoral security in ways that we didn't expect. I think we had thought that this is a more bipartisan issue, and as I said there is a bipartisan bill in Senate to roll out the money, but it has certainly, I think, made implementation harder than cyber security experts had thought that ... They said, "Well here we have these kinds of standard procedures that would make elections more secure," I don't think that they expected that the political support would not be as forthcoming.
Brian Hanson: Yeah. So let's move to that second category, that second basket of things. Social media affecting debates and discussions in the country. What can be done against that kind of interference?
Adam Segal: So here, I think, primarily we've looked at two responses. One is, primarily the responsibility of the tech companies. And that is, taking down material that is disinformation or produced by Russian trolls or designed to foster social disagreement or polarization in the political environment. So there's been a lot of discussion about what the tech companies can do. And then the second is, what we as individuals, or consumers, of this information should do. How do we educate ourselves? How do we make sure that we aren't part of the problem and spread the disinformation even further?
Brian Hanson: So let's focus on tech for a moment. Mark Zuckerberg was just in the news yesterday about questioning whether or not Facebook and other media companies like his have a responsibility for screening out false news. In that case, it was Holocaust deniers. To what extent is our media companies engaging in this issue and putting in the kind of protections to help the public sort out what is believable and what isn't?
Adam Segal: That's part of the problem. It's 'cause Facebook and others have consistently said they're not media companies, they're platforms. So, as platforms, they have consistently argued that they don't have a responsibility, or shouldn't be in the job of censoring or taking things down. You can see from the reaction to Zuckerberg about his statements about Holocaust denial, it's kind of an extreme version of it, but that position is becoming increasingly untenable. I think we've increasingly said to the tech companies, you do have a responsibility to take things down and you're gonna have to play a role as censors. Which is extremely uncomfortable for the United States, both given it's First Amendment freedoms and the idea that it's private companies that are playing this role as opposed to Congress or the government.
Adam Segal: And then we have the other issue about the media's role in spreading the information and how it reports on it. In many ways they've been taken advantage of by the trolls and the Russian disinformation because they know that the most extreme positions are gonna get reported in an effort to say, we have to have balance, which is not really served us very well.
Brian Hanson: Yeah, do you see the media companies responding to that in some way? In how they cover these kinds of stories so that they don't become the conduits to spread these extremist lies?
Adam Segal: I think so. I think, one, we've seen the media companies more willing to say "This is not true," or "This is a lie," or "This is fundamentally disinformation" as opposed to, on the one hand, on the other hand reporting. I think, also, as you mention in the opening, that they are more sensitive to where the information came from. If it was produced by a hack or doxing of someone, they, at least, seem more willing to say, "Should we be reporting on it," or it should be at least placed in the context of 'this is where the information came from. It may, in fact, be produced by Russian hackers.'
Brian Hanson: Okay. Let me move, then, to that third set of responses, or the third area, the third basket of tools you mentioned. Which was, really, messaging from the US Government that you can't- to others who would be tempted to have these kinds of interventions, make these kinds of interventions- that if you do, there's a price to be paid. Have we seen that happen in the US at this point? Maybe this leads us back into that controversy about the administration and a responsibility for what happened. Has there been development of those kinds of messagers or counter measures to potential, or real, hackers?
Adam Segal: Yeah. The problem is that the signaling from the administration has been completely mixed. On one hand, the administration itself has gone a long way to calling out the Russian hackers. We had the indictment of specific hackers, we had the calling out of Russia for being behind the NotPetya attack, which was a malware that spread wildly from Ukraine and affected a number of US companies. We've had sanctions against individuals and companies. So the administration itself, through the Department of Justice and the State Department, has continued an Obama policy- administration policy- of naming and shaming and being fairly clear about we can attribute these attacks to Russia and we are going to try and raise the cost.
Adam Segal: The problem, of course, is that the messaging from the president counter-acts that. So just given the response to the press conference with President Putin and calling into question the intelligence agencies attribution in many ways diminishes what the other parts of the administration are doing.
Brian Hanson: As a result, has the US Government actually taken concrete actions that we know of, against this kind of interference?
Adam Segal: Well the indictments, there were sanctions from the Treasury last week that were directed at specific individuals and Russian companies that support the hacking infrastructure. So those are specific measures that the Treasury did take. But the larger issue, and one that you see the Congress continually calling the administration out about is, is it enough and is it possible to create a deterrent in cyberspace? A lot of people hate that term, and the attempt to try to apply the idea of deterrents in cyberspace, 'cause they think it's gonna be ineffective. We do know that cyber command and the National Security Agency are working to disrupt Russian hackers and are taking a more forward leaning position.
Adam Segal: But all of that is really, quite honestly, out of sight and we don't really know what's going on.
Brian Hanson: It strikes me that a lot of this is defensive measures. If people are gonna try to hack in, what can we do to avoid it or to prevent it from happening? That's a hard game to win every single time. It only takes once to be able to get in to a system. Are there more things that you think should be in play? More policies, more kinds of approaches that you think should be being pursued at all, or more vigorously than they are, in order to safeguard the US?
Adam Segal: Well, quite honestly, I think the biggest problem right now is just a kind of a coherent strategy. I think there are lots of small things that are happening that are in the right direction. So as I mentioned before, the increased funding for election security at the local level, the sanctions that come from the Treasury Department, but I think the larger problem is that we really don't have a consistent, coherent message about what the US wants to achieve in cyberspace. And how we're gonna respond. Part of that is a cross-messaging from the president, part of that is personnel. The office of the cyber coordinator in the State Department was eliminated under Secretary Tillerson. Secretary Pompeo has said that they're gonna re-state, but right now it's not a focus. And the National Security Council, that the cyber coordinator position has also been eliminated.
Adam Segal: I would be happy if we did a lot of the things we're doing now, but did them more consistently with better signaling and messaging.
Brian Hanson: And for listeners who are following this issue and the US response, what are the most important things they should be paying attention to? You mentioned a few positions that should be filled. Other kind of indications that we're moving in a more positive direction to defend the US. What would those be?
Adam Segal: Well I think one would be spending at the local level and, quite honestly, the most important thing is these voting machines with paper backups and audits. That would probably go the longest, go the furthest in making us more secure. I think, also, we need to begin thinking about not only the mid-terms, which is clearly gonna be a target, but other systems that are gonna be vulnerable to hacks that play on this extreme polarization that we're seeing right now.
Brian Hanson: And then, in addition, I wanna go back to something that you talked about at the very beginning, which was the creation of international norms and understanding of appropriate cyber behavior. And get a sense of, is there work being done on that level? One of the things that strikes me is that even as I ask that question is there's kind of an implicit ... In that idea of coming up with a common understanding is an idea of some sort of multi-lateral approach, some sort of international agreement, that goes beyond the United States. And in this administration with its focus on the exercise of US power, and resistance to multi-lateral approaches ... are we pursuing, is the US Government pursuing establishing norms through some sort of mechanism, to try to regulate this kind of behavior?
Adam Segal: So there was a process through the UN, it was called 'The Group of Government Experts' that had been meeting and had been making some progress in identifying some norms of behavior. In 2013 it issued a report that all of the participants- there's 15 countries including China and Russia- agreed that international law applied in cyberspace, and in particular, the UN charter. And then in 2015 it released another report that identified four norms of behavior that had to do about critical infrastructure and protecting computer emergency response teams. Unfortunately that process fell apart in 2017, in part because of the obstructionism, particularly from Cuba, but also because the United States wanted to go further in how international law applies in cyberspace, and in particular the right of self defense. And the Chinese and Russians really have argued that we need new treaties in this space.
Adam Segal: What's gonna replace that process, or should it be restarted, is now under discussion. The Trump administration has said that it doesn't oppose restarting the process, but it wants to work with like-minded countries, which means Europe and others. But the problem is, as you noted, is that the US doesn't seem particularly engaged in multi-lateral institutions right now. And after the NATO summit, alliance relations are not particularly strong. So it's unclear how the Trump administration believes it's going to start developing and implementing those norms. If it doesn't use the UN and if it doesn't use its alliances.
Brian Hanson: Yeah, and how important is that? As we think about the long term security against cyber attacks. Is the establishment of these kind of multi-lateral norms important?
Adam Segal: There certainly are a number of skeptics who would say no, that states right now are gonna do what they can get away with in cyberspace and that the norm discussion is premature. I tend to be slightly more optimistic, I do think there are some areas where there are shared interests with the great powers, at least. North Korea and Iran are probably harder cases, but I think Russia, China and the US have some shared interests in making sure that critical infrastructure does not go down and that core components of the internet don't go down because of cyber conflict.
Adam Segal: It's very hard to imagine how you move those discussions forward right now, just given the bilateral relationships with Beijing and Moscow are so difficult. I have some optimism that under different political conditions you could identify what those shared interests would be.
Brian Hanson: And certainly these problems aren't gonna go away any time soon. So there'll be repeated opportunities to address these issues, no doubt. So, as we close, I just wanna ask, what is the one thing that you would encourage our listeners to bear in mind in this issue of cyber security in the long run? What should they be paying attention to? What is the thing that's being neglected? Where should they focus their attention?
Adam Segal: Well, I think with cyber we tend to always focus on the last battle and that's part of the reason why we weren't expecting the influence operations. So there's a lot of talk on electoral systems right now, I suspect that there's a new set of targets out there that we don't expect. I think some people are beginning to pay attention to the census, so you can imagine that manipulating the census would be incredibly politically polarizing and would have effects that the electoral system has now.
Adam Segal: And I suspect that there are things out there that we just aren't even thinking about. The other thing is that I think ... We tend to think of cyber as separate from the physical world, but we're moving to a world where they're just intertwined. And that has to do about the internet of things, all the devices in our homes that we're connected to the internet, and our autos and other things.
Adam Segal: In the future, we just won't be talking about cyber as something separate, it'll just be part of our everyday lives.
Brian Hanson: I'm not sure if that's hopeful or if that should all give us huge concerns, but certainly the bigger point of the ubiquity of these issues are not gonna go away. And the need to be able to manage them effectively came through very strongly. Adam, thank you so much for taking us through these issues and really giving us far greater insight than frankly we're getting in the day-to-day media of the current controversies. It's great to have you on.
Adam Segal: It's my pleasure, thanks for having me on.
Brian Hanson: I'm joined by David Sanger, who's the National Security correspondent for the New York Times, and David has a new book called, "The Perfect Weapon : War, Sabotage and Fear in the Cyber Age." Welcome David, it's great to have you on Deep Dish.
David Sanger: Good to be with you.
Brian Hanson: So, much of the public discussion right now around cyber security issues focuses on election hacking. I'd like to go beyond those issues with you, because one of the things I really appreciated about your book is that you lay out a number of cyber security threats that we're facing now and into the future. And, in fact, one of the images that you have that, I think, really helps frame this discussion is that you liken cyber warfare to the introduction of war planes and military combat as really a game changer that we don't fully understand what the implications are right now. And we're still finding our way out.
Brian Hanson: So, to start off the conversation, let me just ask the question about elections is, people think about cyber security, certainly elections are important. Election integrity is important. Is that seen as the most important cyber issue, or are there other issues that we need to be paying attention to as well?
David Sanger: Imagine for a moment that we're having this discussion three years ago. Would we be saying that elections were the biggest issue? No. Nobody even thought about that. We would be saying that taking out the electric grid, that sort of cyber Pearl Harbor, was the big issue of the day. And, in fact, one of the arguments that I make in the book is that our focus on the cyber Pearl Harbor issues, one massive attack that would probably bring about a massive military response, blinded us in some ways to what we needed to be doing.
David Sanger: And what we need to be doing is looking at the broad array of cyber activity. And that's everything from espionage- which I don't really deal with that much in the book, it seems to be just a new way of doing an old thing- to data manipulation. Whether that's changing votes or changing [inaudible 00:29:51] in our military database, to affecting an actual, physical set of equipment machinery- what the United States and Israel give to Iran during all the big games, which was the trade name for the attacks on the Iran nuclear plant or what the US attempted to do against North Korea's missiles.
David Sanger: Or what North Korea did against Sony. So, you have to understand this is sort of a wide spectrum and that's all why this is sort of a perfect weapon. Because you can dial it up and you can dial it down, and of course it's cheap and it's deniable.
Brian Hanson: And who are the major players who are developing and actually exercising these kinds of capabilities?
David Sanger: It's vastly more complicated than in the atomic age. Even this many years after Hiroshima and Nagasaki, we have only nine nuclear powers in the world, both declared and undeclared. Whereas in cyber, of course, you've got state actors; 20, 30, 40. You've got criminal groups, you have the potential of terror groups, you have patriotic hackers; just people who are doing this because they want to stand up for their country. You have teenagers, you have vandals, you've got a huge variety.
David Sanger: And the number of targets is so much vaster than it was in the nuclear age where you were basically targeting cities, big population areas. Here, the private sector is the biggest target. So, if you wanted to disrupt life in the United States, you go after the communications systems, you go after the utilities and you might go after the voting system just to undercut competency in democratic institutions.
David Sanger: It wouldn't stop there, as well. You can go after people's autonomous cars so that they're scared to get in to their autonomous cars. The fact that we have connected so many things to the internet means that there are far more vulnerabilities we have at home than we did give or ten years ago. Five or ten years ago, you didn't have an Alexa in your house. You didn't have an internet connected TV. You did not have a internet connected refrigerator, I've still never quite figured out why my refrigerator needs to be internet connected. But I'm sure there's a reason.
David Sanger: Cars did not have anywhere near the function of the kind of electronics and the connectivity that they do today. So, these are all reasons that the attacks surface has increased even as our own cyber practices to get more secure have increased. The fact of the matter is, our vulnerabilities are out-pacing our improvements in security.
Brian Hanson: So, given that range of vulnerabilities, I think one way to help think through the consequences of those vulnerabilities is to think about a couple of different contexts. And one of those is how cyber threats and cyber attacks could be used in combination with ... In the context of a shooting war, where there are bullets flying or we're getting toward bullets flying and missiles going off. How could cyber attacks be part of a strategy for a military conflict like that?
David Sanger: Well I'd take the traditional out of the of the [inaudible 00:33:30] odd part of the strategy and then [inaudible 00:33:33] you read about a plan the United States had, a vast war plan that was called Nitro Zeus. It would basically have unplugged Iran, if we'd gotten into a conflict with them. Fortunately we didn't because the 2015 nuclear accord was struck, although I understand there's problems with that now.
David Sanger: The fact of the matter is, if all major powers are now integrating cyber into their war plans, and they start with the beginning of their war plans in the hopes that you could so cripple a country that you'd never have to fire a shot. That's what Nitro Zeus is about. That's what we fear when we hear about Russian malware in our utility grid. That's what we fear when we hear about the Chinese getting into, or the Iranians getting into the financial grid.
David Sanger: If you could see vast parts of infrastructure taken down at the opening days of conflict, it would pre-empt the conflict. And part of the difficulty here is, you could have a partial cyber attack which miscalculated about how the other side would respond. And you could go from a cyber conflict to a human war pretty quickly.
Brian Hanson: Yeah, when you say that, it reminds me of nuclear deterrents. Having grown up in the Cold War and been involved in debates over nuclear issues back in the 80's, nuclear deterrents was something that was built over time and a lot of it was being able to interpret the intentions behind the actions of other actors.
Brian Hanson: Is there any kind of an attempt to establish that common vocabulary, or that common ... A set of tools to understand what's happening when you see somebody show up inside your system, and you see them inside your utilities? How do you know what folks' intentions are? What other country's intentions might be?
David Sanger: So when you look at malware, you can't figure out it's intentions you can only figure out its capabilities. So, let's say you see malware in an electric grid that's put in there by the Russians. Are they putting it in for psychological purposes? Just to show they can get in? Are they putting it in to prepare for war and be able to shut things down? Are they putting it in to prepare for something short of war? If we got into a big diplomatic conflict and they want to show that they could turn off just a city or a region? Which is exactly what they did in Ukraine in 2014 and 2015.
David Sanger: All kinds of different options out there, and the concern you have is that the other side, just as in the nuclear world, could miscalculate your intentions. So you could see one city go out and rather than concluding, "Well that's the beginning and end of it," you could say, "That's the beginning of taking out all major American cities." And then you might speed up your military response.
David Sanger: In the nuclear age we worked out with lots of different players all these signaling issues, so that you wouldn't have unintentional escalation. But you don't know how to do that in the cyber age, because there are so many different players. In fact, when you see the malware put in your system, you probably don't know whether it's from the spade or a non-spade actor.
Brian Hanson: Yeah, and that could be, depending what it's intention is, it could be critical to be able to make that determination quickly. So, if that's the world in the context of more traditional military conflict, one of the things we've seen is even in quote "peace time" like we have right now, that cyber attacks are happening. What kinds of things are being done in this context of when there isn't a shooting war and we don't appear to be heading to a shooting war?
David Sanger: Well, one of the things you could go do is begin to think about a ... What Brad Smith at Microsoft and some other executives have called a cyber ... a Digital Geneva Convention. The real Geneva Convention, the original Geneva Conventions, were all focused on protecting civilians. And, in fact, civilians these days feel like they are the collateral damage caught in a much bigger state-on-state conflict.
David Sanger: So one of the big questions here is, would this be a better way to go than, say, signing treaties on the theory that a treaty in the cyber world would be out-dated technologically by the time you negotiated it. And probably would never even get through our Congress or those of many other countries.
Brian Hanson: So, let me ask you a question that combines traditional defense deterrents thinking with the new cyber security threats. And, specifically, with the NATO summit there's been a lot of focus on Article 5, an attack on one is attack against all. Does that kind of thinking, and those kinds of alliance relationships, do they apply when it comes to cyber? Is a cyber attack something that would trigger a broader alliance response?
David Sanger: Well, on paper yes, in reality we don't know. NATO passed a resolution two or three years ago that said that a cyber attack could result in the invocation of Article Five. Which was the article in which says, "An attack on one is an attack on all." But it never set any rules about the conditions under which we'd actually go do that, right?
David Sanger: Just as Article Five for conventional wars doesn't say what rises to that level. You'll remember Article Five has only been invoked once, it was the day after 9/11, I think [inaudible 00:39:46] come to our aid. Now, in a period of time where we've got a president of the United States who's questioning whether he would come to the aid of countries if Article Five is invoked, if they haven't paid enough into NATO. We haven't even gotten to the question of whether you would come to the aid of a country that was attacked in a cyber way.
David Sanger: And we haven't seen it tested yet. One part of the book that I think you're listeners might be interested in, is the part that discusses how NATO is so hopelessly behind on cyber, that for years their cyber defense center was open 9 to 5, Monday to Friday. It was almost an advertisement to the Russians to say, "Hey try an attack on the weekend."
David Sanger: Even today, those defenses are focused on protecting NATO's own headquarters communications systems. I asked them and I said, "Okay, I'd like to talk to you about your offensive plan. You have an offensive nuclear plan in which you would basically call on nuclear states to go use their nuclear weapons if the old Soviet Union came through the Baltic gap. What's the equivalent cyber plan?"
David Sanger: And they looked at me with this look that said, "We don't have one."
Brian Hanson: So if NATO doesn't have one, and I know you've got a plane boarding very soon and your time is limited, but what should the US policy agenda be to respond to these kinds of cyber threats? What should our priorities be and what should we, as citizens, who, as you pointed out, are often-times in the front lines of these kinds of attacks. What should we look for in terms of what the government can do to help provide protection?
David Sanger: I thought that the Trump administration was off to a good start. They had hired Tom Bossert, who was the Homeland Security Advisor who had worked in the Bush administration, knew a lot about cyber. They bought in Rob Joyce as the Cyber Security Coordinator, he had run the NSA's tailored access operations unit, that's the unit that does offensive attacks against other countries. And of course, you want to put somebody in charge of defense who's done offense for a living.
David Sanger: Same reason you hire a retired bank robber to do bank security. So, what happened? When John Bolton came in as the National Security Advisor, he ousted both of them within about a week and then he got rid of the Cyber Security Coordinator job. I think we've taken a big step backward, because that is the job where you begin to go sort out all of the different competing agendas; the Department of Homeland Security, Department of Defense, the NSA, all the other agencies who have pieces of this.
David Sanger: Now a lot of agencies that don't think about it, but needed to. Think of the Office of Personnel Management, which lost so many of its own records to the Chinese.
Brian Hanson: So as we close, David, what would you recommend our listeners pay attention to, that's maybe under covered or under appreciated, as they continue to follow the developments and responses to cyber security threats?
David Sanger: I think they have to look at whether or not the government's really got it's act together, whether you're convinced that there is a viable plan on both defense and on offense. And if you don't hear the kind of attention [inaudible 00:43:18] are other military plans, and you have to begin to wonder how vulnerable you are. There's a certain amount you can do yourself, to factor authentication; have a code sent back to your cell phone, other kinds of things to make sure your passwords are up-to-date, but that's not going to help you against the state attacker.
Brian Hanson: Terrific, well I appreciate you taking the time to talk to us in between flights and also thank you for your book. I think it does a superb job of laying out this landscape of threats and the agenda of what we need to be thinking about. Not just as a government, but also as citizens to respond to what, clearly, is going to be a growing and increasingly important foreign policy threat.
Brian Hanson: Thanks very much, David, for coming on Deep Dish.
David Sanger: Thank you, and thanks for all the work you guys do at the council.
Brian Hanson: And thank you for tuning in to this episode of Deep Dish on Global Affairs. As a reminder, the opinions you heard belong to the people express them and not the Chicago Council on Global Affairs. And if you like the show, please let us know by tapping the subscribe button on your podcast app. So that you can receive each episode as it comes out.
Brian Hanson: You can find us under 'Deep Dish on Global Affairs' wherever you listen to podcasts, and if you think you know someone who would enjoy this episode especially, please take a moment and tap the share button to send it to them as well. If you ave questions about anything you heard today or if you want to know about upcoming episodes in advance and submit questions for upcoming guests, please join our Facebook group which you can find under 'Deep Dish on Global Affairs.'
Brian Hanson: This episode of Deep Dish was produced by Evan Fazio, I'm Brian Hanson and we'll be back soon with another slice of Deep Dish.