30 July 2018

Cyber Conflict: The Evolution of Warfare

Reena Ninan

Panelists discuss the rise of cyberattacks over the past decade and how the development and dissemination of cyber weapons have changed the nature of modern geopolitical conflict. NINAN: Welcome everyone to “Cyber Conflict: The Evolution of Warfare.” I’m Reena Ninan, a CBS News anchor and correspondent. I’ll be moderating this panel with the illustrious Laura Galante who is a founder of Galante Strategies and a nonresident senior fellow for Cyber Statecraft Initiative, Atlantic Council, and Robert Knake who is a senior fellow here at the Council on Foreign Relations and a cybersecurity policy analyst.

Is that fair to say? Did I get that title right?


And, of course, David Sanger, who has got a new book out, author of The Perfect Weapon: War, Sabotage, and Fear in This Cyber Age and, of course, national security correspondent for The New York Times.

I want to thank you all for joining us.

And I kind of want to kick it off, David—actually, Laura, let’s start with you over here at the end here. You know, in 2007 the brief that intelligence agencies put together, the Global Threat Assessment, nothing was written about cyberthreats and concerns. Eleven years later, are we any better at being imaginative and looking at this aggressively?

GALANTE: Well, if I think back to 2007, so much of the discussion in the government, and if there was a real discussion on the outside, was about the technical implications of cybersecurity. Right? And it was seen as an IT issue, not as a boardroom or decision-maker-level sort of concern.

And this was very much relegated to kind of the nerd in the basement. How are we going to protect the global information grid? How are we going to think about this in terms of keeping our networks survivable and resilient? This wasn’t a question of, how do we use this capability as a strategic and almost asymmetric force to change geopolitics? And that, I think, is the state we’re in today: How do we think about this?

And David spoke, obviously, you know, brings us through the last ten years or so of that change in thinking. But how do we see this as a peek into the future of what conflict will look like, not just cyber conflict?

NINAN: Rob, I want to ask you, you were inside the White House, the Obama administration, helping to determine this type of policy and response. When you compare the U.S. to other countries—Russia, China, North Korea—how do we compare right now with cyber capabilities?

KNAKE: So I think it’s fair to say that we are the best in the world on the offense. The problem is we are the most vulnerable in the world on defense, and that’s from a technical standpoint, it’s also from a political standpoint.

We are going to be less reactive to incoming cyberattacks because we have more to lose and we’re in a democratic society that is going to force government to take certain responses. That’s not true of China, Russia, Iran, or North Korea.

NINAN: David, back in 2014, you spoke to then head of Cyber Command, Admiral Mike Rogers, who said my number-one priority—you write this in the book—is to “establish some cost” for cyberweapons against America. Did that happen?

SANGER: It didn’t. And before I answer, I just want to thank you for doing this and thank everybody here for having me and Richard for what he has done with the Council, the sort of bringing these kind of—ten years ago, it would have been hard imagining even having this conversation in a lot of places. We did a few times at the Council, but not as often as we do now. So it’s wonderful to be here.

When I asked that question of Mike Rogers, who he was newly appointed as the head of the National Security Agency and U.S. Cyber Command, and it was just weeks into his job, and he said, basically, that’s how you’re going to have to measure me and my success.

By the time he was leaving, he had, I think—I think even he would probably admit that we were in worse shape in that regard because we had suffered far more attacks. His own agency was in worse shape because of that because they had lost a good number of their cyberweapons to a group called Shadow Brokers. And those weapons had actually been shot back at U.S. allies during the WannaCry attacks that the North Koreans did.

And when you delve into the book, you’ll see that this got so severe that some in the Obama administration, including the secretary of defense, tried to fire Rogers for where they were on that and for their inability to strike back convincingly against ISIS. So I don’t think by that measure he was successful.

I also am not actually convinced that that’s his fault. Because while cybersecurity in general in the United States has improved—the utilities are better than they were, the financial industry is certainly better than they were, others have gotten aware of it, individuals are doing things now that they never did before to protect themselves, two-factor authentication, all those other things that we try to go do—as Rob suggested, the attack space has sort of so increased that while we’re getting better, we’re getting more vulnerable faster than we’re getting better.

So as we connect everything to the web, whether it’s our autonomous cars or whether it’s the Alexa in the living room or whether it is your refrigerator or whatever else it is you attach, you’ve created a new set of vulnerabilities. And, you know, if you look at the attacks that have happened, some of them have struck the security cameras people put outside their houses and organize those into botnets that then do an attack. So the problem has certainly gotten worse.

And I think that the thing that struck me the most out of the reporting for The Perfect Weapon was going back and trying to reconstruct with some of Rob’s former colleagues and many who were there after Rob had come onto the Council, what happened as they thought about responding to major hacks. And the most vivid example is the debate that took place inside the Obama administration, the Obama White House, in the summer of 2016, really starting about two years ago this week, about how to go respond to Vladimir Putin. The evidence that Putin had come out and done this attack was growing internally. They didn’t admit to it until October in public, but it was out there.

And there were a whole series of proposals to President Obama about how to retaliate. Disconnect the Russians from the global financial system, the SWIFT system, that will teach them a lesson. Until somebody came along and said, well, great idea, but, you know, when the Europeans get around to wanting to get their gas to keep from freezing over the winter and they can’t pay for it so the Russians don’t deliver it, this one may not be so popular, say, in Germany.

And then they said, well, let’s go reveal his connections with the oligarchs. And some people stepped in and said, well, nice idea, but, you know, can you imagine the Russians? This just in: Putin’s getting bribes from the oligarchs. Gee, wow, that’s fabulous news.

And then some people from the Fed come in and say, you know, we really don’t want to set a precedent of going in to central banks and making money disappear. It might really be something we could come to regret later on.

And so at each step along the way—and the president himself raises the ultimate one, which is, supposing we do something to the Russians and they come back on Election Day? We know they’re already trying to get into the registration systems in Illinois and Arizona, and at that point there was evidence or suggestions of others. Supposing they come back and play into the Trump narrative that the election is rigged? What do we do then?

So everybody had a meeting and they basically agreed, yeah, so Hillary’s going to win anyway, we’ll deal with this after.

NINAN: You know, David’s mentioning sort of the financial institutions.

Rob, when you were with the Obama administration, Iran did strike some of the financial institutions. So if Iran is striking U.S. financial institutions, Rob, aren’t you going to hit back?

KNAKE: So, I mean, that was obviously what the first temptation was when this was happening. And the phones were ringing at every level, my counterparts at the major banks all the way up to the White House chief of staff, saying you need to do something, you need to hit back. The decision not to do that, I think, was twofold: One, there was the dialogue that at that point was secret between the U.S. and Iran on the nuclear deal. And so the Iranian team were not going to let us do anything to jeopardize that—nuclear, cyber, nuclear wins. The other view was we didn’t want to respond in kind to this kind of activity because we didn’t want to legitimize it. And so simply saying we’re going to absorb it, we’re going to put the costs on the banks, they can afford it, and we’re going to go about our business as Americans was the answer at the time.

NINAN: When you talk about cyber capabilities, Laura, and you’re creating some sort of policy or plan into this, how does that compare to nuclear? Is it the same? Is it different? Can you make comparisons?

GALANTE: So I think it’s been the paradigm that we’ve compared cyber against because there is something of a paradigm there. Right? But where this gets really difficult is the type of weapon we’re talking about here is, at its core, code. Right? And we have this desire to think about it in terms of, when will we use this? How does this fit into an ops plan? How does this fit into something where we understand how conventional weaponry will be used? How does this fit into our doctrine?

And what’s really tough—and I’ll—and I’ll point to the Nitro Zeus example that I think David writes about well in this book—is you can—you can spend years—

NINAN: Let’s step back for a second. Explain Nitro Zeus, which is code on the shelf that they—

GALANTE: Sure. Code on the shelf to be used after—well, if the Iranian agreement had failed, right, and developed by now the head of Cyber Command in a program in the NSA to be used against the Iranian nuclear program.

NINAN: It would shut down the lights, infrastructure, everything.

SANGER: It was—it was—it was fascinating because it was the program to—if you got into a conflict with Iran, presumably one the Iranians started or Israeli-Iranian program, it would basically pull the plug on everything inside Iran you could in hopes of winning the conflict without ever firing a shot.

GALANTE: So to take a weapon like that, right, and to take a piece of code like that, it’s been developed for a very specific purpose, for a specific target, for a specific use case. This isn’t, oh, a Tomahawk that can be used in different types of conflicts. And it’s got a shelf life on it. So this is something where you can brag about Nitro Zeus if you’re the U.S. government and say look at this capability we have, but if it’s a year or if it’s six months afterwards, if the politics have changed, if the circumstances have changed, that’s not much of a deterrent.

So I think we’re dealing with something where we’re trying to find the strategic paradigms, we’re trying to find doctrine where we can think about this weapon set and we’re struggling in a lot of ways to find predictability around it.

NINAN: So, you know, David, you’re talking about Nitro Zeus. And I found it fascinating because I think this is something most people don’t know much about, the Nitro Zeus program. Obviously, like Laura explained, it’s on the shelf, never been used, it’s there. How do you create a policy when you’re not openly—and you talk about this in the book—talking about what we have? Can you create some sort of a cyber policy if you’re not discussing openly? We know Obama had a speech about drones; can Trump have a speech on cyber?

SANGER: A really interesting question. And one of the central arguments of the book is that we’ve hit the point where our own deep classification about all things cyber, an almost reflexive classification and secrecy around it, because it was a weapon largely developed by the intelligence community—and they tend to deal in secrecy, right—that that is actually now getting in the way of our own ability to both set global standards about what we’ll attack and what we won’t and to do the kind of deterrence that Rob and Laura have been discussing.

So let me give you an example or two. First of all, because we keep so much about our capabilities secret, you’re not doing the first thing you do in deterrence, which is let me tell you what could happen to you if you mess with us. Now, of course, that’s got to be a credible threat.

But in the last book I wrote six years ago, Confront and Conceal, I reveal a lot of the details about Olympic Games, which was the program against—that was executed against the Iranian centrifuges. And there was a fascinating debate I only found out about years later, inside the Obama administration when that happened, which is, do we continue to deny that Olympic Games was a U.S.-Israeli program, or do we embrace the revelation? Which, by the way, wasn’t my original revelation; the code itself got out around the world, so people knew there was code, I wrote about where it came from and the presidential debates and that. Do we embrace this and say, yeah, we wrote this and it’s only a tiny fraction of what we can do, so people should know it?

And that debate lasted very briefly. And basically, the intelligence community shut it down and said, no, we’re not going to admit to anything. And we ended up with a four-yearlong leak investigation that was really pleasant I can say. (Laughter.) So the instinct is not to go do this.

I don’t know how we end up setting standards where we wall off certain things that we’re all going to agree in the world that we’re not going to attack, unless we begin to talk about what our policy on this is or not.

So let me give you an example. We might want to set a global norm that you don’t attack election systems. Certainly after what we went through in 2016, that sounds pretty good to us. But if we did it—and I’d be interested to hear Laura and Rob on this because they’ve had much more experience with these people than I have—I bet there is an element of the U.S. intelligence community that would say wait a minute, before we step in here, there are some elections we might want to go toy with, do we really want to go set this? Certainly, historically, in a pre-cyber age, we’ve toyed with plenty—Italy, Latin America. You might want to set a standard that you will not attack civilian facilities—hospitals, communication systems, emergency services, things like that.

The people who wrote Nitro Zeus might want to step in and say, well, does that mean we have to pull all that code back? Because frankly, you unplug Iran, you’re unplugging the hospitals and the communication systems as well.

So I think we’ve hit that moment where we’re actually getting in our own way. And it’s one of the reasons that I wrote the book, which is sort of to force that out.

NINAN: Laura, you want to weigh in on this?

GALANTA: Yeah.

I think—I think what you’re pointing to, David, is sort of the central question of arms control. Right? And it’s, how much are we willing to tie our own hands on this? And with every incident, with every tool that we think through, we think we could deploy this or the U.S. government could deploy this in X circumstance, so we don’t want to have any way of constraining that power.

But when we—when we’ve talked about this, when the U.S. government has talked about this publicly, they’ve centered on this contention of sovereignty. And for years, one of the huge sticking points between Russia and the U.S. when there was a dialogue on this weapon set was around whether we will determine cyberspace to be a sovereign domain. We’ll call it a warfighting domain, but is it a sovereign domain?

And the U.S. would sort of laugh and say, no, no, this can’t be a sovereign domain, this is—this is a global playground, it’s a global commons, we can’t stifle innovation. And, of course, on the darker side, we don’t want to stifle our ability to act in it either. And, look, Russia, if you determine this is sovereign, then you can do whatever you want to your own population and in your sovereign space and we’re not willing to concede that our assets that may be in your determined sovereign space are necessarily good for you to be in charge of.

So sovereignty was the sticking point. And this has really come back to haunt us in 2016, of course, where, all right, U.S., you’re not willing to call cyberspace sovereign, how about the DNC, how about election infrastructure, how about the minds of Americans? If that’s not—if that’s not sovereign space, sovereign U.S. space, then it’s free to manipulate.

So I think we have to grapple with the question of how we define this domain, which has been the real sticking point here for 20 years, if we’re going to have any ability to set some of the norms that David’s referring to.

NINAN: So, Rob, if, you know, determining what is sovereign territory in the cyberworld is a gray area. How do you determine what constitutes an act of war?

KNAKE: Well, so I think the answer here is very, very carefully and slowly. When we have looked at trying to build norms in this space, it’s a lot like what David suggests. So the example I’d give was the norm that we’ve promoted against Chinese economic espionage where we said we don’t engage in this, you shouldn’t engage in this, states shouldn’t be kleptocracies, you shouldn’t use your intelligence capability to collect trade secrets from foreign companies and give them to your national champions—straightforward idea.

Now, it so happens that it had been U.S. internal policy since the 1950s that the intelligence community would not engage in industrial espionage for the benefit of U.S. companies. Beating that out of the IC and making that simple idea public was almost impossible. I think it probably took us two years to get to the point where we would say we don’t do this and nobody else should.

So if we’re going to take that concept and say, OK, now we want to make a withholding statement about the power grid, here’s how we will view a Chinese or Russian incursion into the power grid, how do we want our incursions into their power grids to be viewed? Because if we say it’s a hostile act and we get caught, that could be terribly ugly.

NINAN: You know, David, this—

SANGER: Can I just add on to Rob’s point for a moment?

NINAN: Yeah, please.

SANGER: So just a few weeks ago, the Department of Homeland Security circulated this warning. I think CBS, I remember, reported on this. And it basically said we have found a certain kind of malware throughout the utility industry. And the utilities had all known about this since the summer and some even before that. And it was a warning of what to look for and so forth.

And I remember in the course of the reporting on the DHS thing saying to the DHS people, well, this is fine, I can understand why we’re concerned about it. You see this Russian stuff sitting in your grid, the first thing that comes to mind is we’re going to go turn it all off. I said, of course, the U.S. has put very similar implants in Russia and elsewhere. We’ve reported more than a hundred thousand by now, probably several hundred thousand. Just from reading the Snowden documents, you’d see that.

And I said to DHS, do you want the rest of the world to interpret the intent of our implants in their systems the same way your warning interprets the Russian ones in ours? And the answer they come back is we’re DHS, we just defend our systems, we don’t answer questions like that.

And I think, you know, you may want to think about the fact that someone’s going to have to answer questions like that. Normally, that would be the kind of question we would then take to Rob’s old office at the White House, made more difficult by the fact that as soon as John Bolton came in, he eliminated the job of cybersecurity coordinator, which had been—because clearly, the U.S. government was over-coordinated in cybersecurity. (Laughter.) And so the person who was in the job, Rob Joyce, who had run the Tailored Access Operations unit of the—of the NSA, which is the group that breaks into these foreign networks and puts the implants in, not only did they send him back to the NSA, they eliminated the job. So, frankly, if I had to ask that overall policy question that we’re debating here today, I’m not sure I would know who to ask it.

NINAN: You know, the bureaucracy, navigating the bureaucracy turf war is not just in the cyber realm. We talked about this 9/11 post attacks, rethinking intelligence and analysis.

You were in that office. What do you think most Americans don’t realize about the way, just as David talks about, trying to figure out who’s on first, who’s on second here?

KNAKE: The number of different equities that come into play in any kind of cyber offense decision or any decision to use intelligence for the purpose of cyber defense. I think when—I mean, we had a—it’s fair to say, in the Obama administration we took a very kind of consensus-based approach to most decisions. That meant that the Commerce Department got to come in and say here’s our views on what impact carrying out this operation would have on the commercial prospects for U.S. companies abroad. We know the Russian market is small, but it’s not that small. The Chinese market, on the other hand, is huge. I think that was actually the right approach. When we were looking at how do we change China’s behavior, we wanted to create a subtle shift within an overall context of trying to improve relations with China.

NINAN: But, Rob, ultimately, who is it? Is it the president of the United States who says launch that cyberattack? Who calls the shots on that?

KNAKE: So if you read the declassified summary of Presidential Policy Directive 20—

NINAN: I’m sorry, I missed that. I apologize. (Laughter.)

KNAKE: —it’s very clear that at this point—and Admiral Rogers was very clear in his testimony on this point—at this point, policy is still that it’s either the president or, in extenuating circumstances, the secretary of defense. So it’s very similar at this point to nuclear launch requirements. That is something that, at least in press reporting, Bolton wants to change and devolve power down to Cyber Command.

SANGER: And that actually started before Bolton came in, that effort. And I had a story on this in Monday’s paper that was really drawn from the book. And the idea, which I think makes some sense, comes out of counterterrorism really. And Laura can tell us a little bit of this from her experiences in the government as well.

But the theory in counterterrorism was you don’t sit around and wait at the border for somebody to bring a bomb in on an airplane. You go out and find the house where the bombmaker is and you wipe it out at the source. And that’s worked, you know, fairly well. And it’s one of the reasons we haven’t had a repeat of a 9/11-like experience. The idea is, could you move that over to cyber, go watch malware being developed someplace else, and wipe it out? Yeah, you could.

The problem is that the first time that you do that without presidential authorization to do it and without the kind of big debate that Rob just described, to the country that’s receiving it, whether it’s Russia or China or Iran or North Korea, it’s going to look like they just got hit by a preemptive attack and they’re going to stand up and say these people weren’t developing malware, they were developing educational software for schoolchildren K through three, you know? And it’s going to look like we started the battle. And you’d kind of like the president to be tuned into that before we say start that conflict.

NINAN: We’ve only got a few minutes left. I do want to go around and ask you guys before—you know, part of this, we’ve heard, is the lack of imagination, of imagining these scenarios and predicting things to happen. I want to get a sense from you of, what are the lessons learned when it comes to cyber warfare?

And also, what do you believe, Laura, is maybe the next frontier?

GALANTE: So I’ve said a couple comments about how we define this domain. And I still think that’s a really relevant question because I think we have countries and adversaries who are defining cyberspace on very different planes. Russia is thinking about this in terms of information and in terms of, quote-unquote, “cyber,” so the technical aspects of it. And they’re acting in this information role. Right? North Korea, they’re thinking in terms of a very large geopolitical strategy on this and how cyber is a piece of that.

So I think what we have to continue to question is, are we thinking big enough about who the players are, how to include them?

And this is one of—one of your tenets, David, in the book, is, you know, how much secrecy around all of these different pieces of capability development, but then also defensive actions, how do you include those with the different actors, whether it’s Facebook, whether it’s banks? You know, whatever that sector might be, how do you bring them in to understand the threat and then actually do something about it? So are we thinking big enough about what the attack surface is at the national level?

And, you know, a quick anecdote. I’m in Ukraine quite a bit.

NINAN: Yeah. We didn’t even get to Ukraine, there’s so much to talk about.

GALANTE: Right. I’m in Ukraine quite a bit. And one of the kind of lasting comments from my—from my last trip that keeps me up at night is one of the deputies there said to me as I was walking out, he said remember 1917, it wasn’t just the politics, it was the bread. It was the bread riots that started everything, right? And what he meant by this—and it was part of a longer conversation—but what he meant by this was this is a fight, a low-grade conflict, a constant state of battle where figuring out how to hit people in their most vulnerable way to change how populations think is an incredibly effective tool. And if you can change how people think, you don’t have to go and shut the lights off, because you’ve already gotten them to have the democratic change, or whatever you want to think it is, you’ve already gotten them to act in a sense where they thought they were the actor.

So I kind of leave it at that. I think we haven’t yet seen how far this will go.

And I’ll turn it to Rob.

KNAKE: I’m going to pivot off of Laura’s comment and say that I think actually my biggest concern right now is that the Russians will shut the lights off. The reason I say that, if you look back to 2011, ’12, ’13, ’14 and when we were in the midst of looking at how to counter China, our counter-China plan, we got that sort of well underway and then somebody said, OK, we need to start our counter-Russia plan. And the response sort of around the table was, well, what do we want to counter that Russia is doing? I mean, the way Russia operates is kind of by the old Cold War espionage rules, they’re very stealthy, they’re very targeted, they’re hitting the State Department, the White House, the Joint Chiefs of Staff, but these are all legitimate targets for intelligence. So what do we want to do? They’re kind of the good example, we respect their tradecraft. China is sloppy, it’s getting caught all the time, it’s everywhere. You know, they’re bad tradecraft and they’re doing a bad thing with it. But, Russia, OK. Well, what were we missing?

The Russians were manipulating elections in their near abroad. That’s what they brought to us in 2016. So when I look at Ukraine, I say, well, what else have they done in their near abroad that they might bring here? They’ve now, I think, shut out the lights in Ukraine twice. In most people’s views, those weren’t really serious attempts, they were just practicing. And the question is, what are they practicing for?

NINAN: David?

SANGER: Let me just build off of Rob. So the book opens with that, one of those Ukraine shut-off-the-lights moments and the U.S. sent a team right away to go figure out what happened here. And the team came back and said, well, bad news and good news. You know, the bad news was the Russians came in, they got inside the control system for these power companies. The people who were sitting at the—at the control banks were watching the cursors move around their screen, but when they reached for the mouse on their own desk and tried to move it, it had nothing, it was completely disconnected. It was like getting into a car and turning the steering wheel and the wheel wasn’t moving. Right? But the car was still being driven.

So the good news was they think we were better protected than the Ukrainians were. The bad news was, in the end, the Ukrainians turned the power back on by actually going out and finding the old-fashioned switches, you know, out in the substations and literally throwing them by hand to get the power back on and disconnecting their computer system.

So everybody said, well, that’s great, there’s a backup system. And people would say, well, yeah, except in our modernization of our electric grid we took out all the old switches, they rust, they’re hard to maintain, so we didn’t have the manual backup.

Fast forward to the election system. How many jurisdictions do we have that didn’t have basically paper equivalent, paper ballots? That’s the manual backup for the electoral system as opposed to the one in the—in the electricity grid.

And so I worry about the big turnoff of power. But I think, in some ways, we’re better deterred there because I think a state realizes that, if you turned off all the power from Boston to Washington, you’re probably going to get some kind of a response and maybe a military response.

What’s fascinating about cyber is that, over the past five or six years, states have learned how to dial it up and dial it down to keep it a short-of-war weapon so that they don’t provoke that military response. And that’s where we are completely hopeless on the question of deterrence. I don’t think that means we can’t develop a deterrent theory. But in the ’50s, it took a long time before people came up with a theory of deterrence that worked in the nuclear world.

Henry Kissinger was in this building, I think, when he was working away on what became nuclear weapons in foreign policy, the 1957 book that sort of laid it out. And I went back and reread it before I settled down to serious writing on this book. And, you know, two things struck me: It was the first popular thing that had been written so that people began to understand that you could actually deter the Soviets, which was good; and second, he thought you could conduct a limited nuclear war along the way, which had some people a little on the upset side.

So it’s time that we began to do what we did in the ’50s and put the technologists and the strategists in one room to seriously think about how you do the deterrence work. And that’s happening some places around the world. Alex Stamos is here, who has been thinking about this a lot at Facebook. Alex is in the book as well. Harvard has got a cyber initiative now that Bob Belfer, who is here, has been financing, among others, and backing, and that’s also looking at it. And here at the Council, there’s been some really great work being done on that.

But I would have to say that, overall, the work that’s being done on the outside is more impressive to me than the work that’s being done inside the U.S. government.

NINAN: It’s also great to end on that note of hope, David, that you still see that there is a possibility of a path forward on this.

I want to invite our members, to open it up for questions. I ask that you say your name and tell us where you’re from and, also, if you can stand because, again, this on the record, it’s being recorded, and folks would like to see you as well.

Where should we begin?

Yes. Do we have—oh, we have a microphone? Yeah.

Q: Hi. My name is Gary Sick, Columbia University. Thank you all for a really very interesting presentation.

One thing that I noticed was that David mentioned what the United States had done in Iran with the centrifuges and all, which was a successful operation, technically. And then Rob mentioned the problem that they ran into when Iran attacked some of our facilities here. Nobody connected those two. On one hand, we were saying, well, gee, we did this to Iran, we’re not going to admit it publicly. But then when Iran does something to us, obviously in retaliation, we don’t draw the connection between the two. And I really wonder how you can function in a deterrent environment if you can’t link one thing to another, and I think it’s not being done. Very much like counterintelligence, by the way.

NINAN: Rob?

SANGER: Well, we certainly tried to link it in the pages of The New York Times. I mean, you know, I made it—I think I made it abundantly clear that the Iranians didn’t just sort of suddenly think that Bank of America and Chase would be good targets. They thought they would be good targets after their centrifuges started melting down, right?

But the fact that nobody in the U.S. government would acknowledge the first attack meant that they couldn’t then seriously answer the question, didn’t you make your banks vulnerable?

KNAKE: I’m going to try and talk theoretically about this, if I could. (Laughter.)

Yeah, I think it’s safe to say that the message coming from the banks, which, I mean, they’ve hired all of our ex-colleagues from the intelligence community—I mean, Goldman Sachs has more people doing cyber intelligence than the State Department; that’s not a joke, that’s true—they very quickly said we think we know why this happened, we think you did Stuxnet, and we think we’re being DDoSed for it and this is not fair to us. We didn’t have anything to do with it, this is a national security concern. I think our response was, ultimately, kind of, you know, tough, because it’s in the national interest that we not respond in kind and escalate. And, I mean, there’s a—there’s a certain view that we allowed the Iranians to have the last word in that pattern of escalation.

NINAN: Do you see that as possibly now with sanctions, pulling out of the Iran nuclear deal, do you think it’s an obvious cyberattack, that they will hit our institutions, if they feel the pressure on, in the cyberworld?

KNAKE: I’m going to look to Laura on this one. (Laughter.)

GALANTE: Thanks. I think we sent an enormous message, whether it was intended or not, in Stuxnet. And Stuxnet basically said to the world go ahead and militarize cyberspace, we’re doing it. And that kicked off so many different strategic, but also tactical initiatives in militaries to go ahead and do this.

But I think where your question—where your question is maybe harder to answer is when we think about this from the Russian side. 2016, in many ways, was a response to what Putin saw as election interference in 2011. And Hillary Clinton’s dog whistle to the NGOs and all of the other, you know, American deep state in Russia that it could be elevated to come and, you know, influence his election, which was a much closer election in 2011 than the past—than the past, most recent election.

So I think it’s when the asymmetry of response—Stuxnet to banks, fine, we can—we can see that link, we can kind of understand that that’s retaliatory. But when we don’t even consider that 2011 was a provocative moment in terms of how Russia perceived it, that’s even harder for us to consider how do we respond to this.

NINAN: Next question.

Yes, sir, right here.

Q: I’m Donald Shriver of Union Theological Seminary.

Last week’s column by David Sanger sort of ended on the down note that there doesn’t seem to be much interest in defense against a cyberattack. And I don’t know whether it’s just this administration or other administrations, but that puzzled me because I would think national defense would be a big issue in almost any administration. This one puzzles most of us on a lot of accounts. But how do you explain the possible justice in accusing a government of the United States of not being interested in national defense around this issue? Is it their political attitude toward the rest of the world? Is it that the technology of attack is so sophisticated that the technology of defense is lagging behind?

NINAN: That’s a good question.

Q: Or what?

NINAN: Thank you, sir.

That’s a really good question, David. What do you think? I mean, are we doing enough?

SANGER: Well, we’re certainly spending a lot of money. I mean, it’s hard to—so much of this is buried in black budgets, it’s hard sometimes to go figure out exactly how much we’re spending.

And in the audience, we have Alyza Sebenius who was my champion research assistant in the course of the—of the book.

And, Alyza, we spent a lot of time trying to figure out who was spending what, where.

And I think at the end of it—and correct me if I’m wrong here—we came to the sort of rough conclusion that, while the U.S. is spending a lot on cyber defense, it’s probably spending even more on cyber offense at this point, which might make sense because a lot of the defense spending has to be done in the private sector. You can’t have the U.S. government paying for Con Ed’s cyber defense here or Goldman Sachs’ cyber defense.

But there is a real debate and I would say confusion about who is even responsible for doing this defense. So the way that PPD 20, the presidential directive that Rob referred to before, is written, in the unclassified and the classified version—we’ve seen them both because Snowden leaked the classified version—is that the Department of Homeland Security gets the primary defense here in the United States and the Defense Department would only step in for the very top tier of big attacks, state attacks against the U.S.

But nobody has defined where that line is, and no one really wants to define where that line is because you want to leave your adversaries wondering a bit. The problem is, I find many people in the Defense Department wondering where that line is and what exactly they’re supposed to go do about it, and they don’t view the Department of Homeland Security always as sort of the sharpest knives about how you go about this.

Is that fair, Rob?

KNAKE: Yeah. I mean, I think the real challenge, and I think you hit on it, is, it’s not so much a question of responsibility, but practicality. Right? If Cyber Command were to defend JPMorgan defensively rather than just using their offensive capability in response, they’d need to be sitting on JPMorgan’s network. And this is proposed at least three times a year at various conferences. And I think Cyber Command has been more forceful in making this case that they need to go do that.

The response, I think, from much of the private sector is, well, why do you necessarily think that your capabilities, which are largely commercial capabilities, are any better than what you can buy from Mandiant or CrowdStrike or Cylance or you name it? So I think that’s the first step.

And then the second question is really the who-pays-for-it question. Right? If the answer is, well, this should be a government responsibility, but Cyber Command doesn’t have better capabilities or the Department of Homeland Security doesn’t have better capabilities, maybe the answer is tax credits or some other way for government to pay for the national defense of the United States in cyberspace rather than putting a government agency on the backbone of the internet.

NINAN: Another question. Yes, Robyn?

Q: I’m Robyn Meredith of JPMorgan.

NINAN: There’s a mic right there, Robyn. Yeah.

Q: Sorry. I’m just not sure which of you can answer this, but I wanted to go to North Korea for a second.

So we have the Iran attack as a precedent. Why have we—do we—is it not possible to make a similar attack on North Korea if we determined we wanted to? Or why haven’t we done so when the nuclear strikes became such a danger?

NINAN: Laura, do you want to take this one?

GALANTE: Unless David wants to describe—

NINAN: And then we’ll let David—

GALANTE: David wrote the chapter on this. (Laughter.)

SANGER: It is—it is on the back cover of the book.

GALANTE: Yeah.

SANGER: So, we did. In January of 2014, President Obama ordered an increase in cyberactivity against the North Korean missile threat. And we began to discover when the North Koreans were shooting off an intermediate-range missile called the Musudan that it had a failure rate of about 88 percent for a missile that was pretty well understood and tested and all that. And while a lot of people have—early on their missile programs, they sent a lot of missile off into the water. By the time it’s that mature, that was just too high. And Bill Broad, a science reporter I do a lot of this work with, and I looked at this and we said, yeah, maybe this is an accident, but I don’t think so.

And so we spent about eight months digging it and, sure enough, we found a U.S. program that sort of fits under the rubric of left-of-launch, which means attacks you do before a missile gets launched. And it’s everything from sending in bad parts to doing cyber and electronic activity against this.

Kim Jong-un suspended that program in October of 2016. It didn’t get a whole lot of publicity around here, there was something else going on in October of 2016. And then he moved very quickly to a new missile program that turned out to be the one that scared us to death because it involved the intercontinental missiles and a completely different technology. And there, he only had one significant failure out of probably half-a-dozen launches thereabouts, maybe more.

So either the U.S. decided it had been too obvious, or the program simply didn’t survive the change in technology. And that’s one of the things that you discover the most about doing these kind of cyberattacks. They’re fairly brief because you have this one moment where you understand how a system works and you can attack it, but the system changes. And it’s kind of like, if you went into your house with the original electrical blueprints for the house and tried to do something to the electrical system and you discovered that over the past fifty years different electricians have come in rewiring things in different ways, you’re not going to have the result you think.

Well, the North Koreans rewired. And to this day, we don’t understand how many of the failures in the North Korean system, Robyn, were the result of the U.S. government acting up. All the cyber people say, OK, that was us. Right? And a lot of other people say, well, some of it may have just been North Korean incompetence.

NINAN: So we just don’t know how—

SANGER: We don’t know how—we know the program was there; very hard to measure how effective it was.

NINAN: Question—yes, in the back.

Q: Hi. Jason Tepperman from Promontory Local Credit.

Could you speak a little bit about the dynamics of private sector firms hacking back and particularly in the context of, you know, thinking of this as counterterrorism and the desire to be able to take some proactive action? What are the kind of—what’s the status of that? And what do you see as the implications?

GALANTE: I would put this as a hot topic every-other year. Would you agree with that? It’s sort of cyclical. It comes back, should there be hack backs, should there not?

You know, I think we’re at a point where it’s not a question of whether the U.S. government will ever put their seal of approval on hacking back. I think the question is, what does response look like for a private sector company right now?

And I think where we’re facing a really tough—a really tough point in terms of the private sector being able to do something about this is the confusion in being able to figure out, who do I go to first? When we used to notify people when I was part of the private sector teams who were finding a lot of these breaches, the question was, do I go to the SEC and file an 8-K because I’ve had all of my shareholders’ data taken or all of my health care records taken? Do I need to file that first? Do I go to the FBI? When will this go public?

So the ability to mitigate the damage financially or reputationally, integrity of the network-wise, is something that these companies are increasingly dealing with. But then to take a further step and say how do I go after the attacker who found me I think is just a place where most companies don’t want to go and where the government doesn’t want companies to go either.

NINAN: Other thoughts, Rob?

KNAKE: I think it’s essential that the U.S. military maintain a monopoly on violence in cyberspace. The last thing we want are private companies starting wars that the U.S. government and the U.S. military has to finish. So I think that’s important.

The problem is, right now there is absolutely no way that if you are being targeted by the Russians or the Chinese, and even in a destructive way, that you could communicate that and coordinate response with the U.S. government and with Cyber Command. It’s simply not going to happen over systems that are already compromised, like telephone lines, email, et cetera. And so we’ve got to have a system where we’re able to have that kind of real-time coordination, at least with a hundred or so most critical companies in the United States.

NINAN: David, when you talk about—I know so much is on infrastructure and grids. Is there a point when we will be able to say in this country we’re good, we’re safe, and we’re protected on infrastructure? Will it ever come to a point like that?

SANGER: I don’t think so because infrastructure is forever changing and the infrastructure we depend on is changing. So if you—the Department of Homeland Security had a list of 16 areas that they defined as critical infrastructure in 2016. And it included the obvious, the utility grid, but it also included, like, national monuments, the Washington Monument, the Jefferson Memorial. OK, they—how this became critical infrastructure I don’t know, but they were on the list. OK. What wasn’t on the list? The election system. The fundamental underpinnings of American democracy did not make the critical infrastructure list.

So in the midst of the hack I go to see Jeh Johnson, who was the secretary of homeland security. And he had a—he was trying to get that put on the list. OK. So you’d think that would be relatively easy. So he calls up the secretaries of state of each of the states since the states run the election system in our system. And the secretary of state from Georgia said, wait a minute, you’re not going to do this, this is the beginning of a federal takeover of the election system. (Laughter.) And then a lot of other governors, largely in red states, but not exclusively in red states, had the same reaction. And he couldn’t do it until about three or four days before the end of the Obama administration where, with absolutely no notice, they just, like, put something in the Federal Register saying we have just added the election system to this. By the way, we’re out of here, right? And that’s sort of where it stands today.

NINAN: That’s fascinating.

Yes, sir, right here. Yeah.

Q: Jeff Laurenti.

Laura Galante had pointed to an analogy between cybersecurity and nuclear weapons. And it took some fifteen to twenty years after Hiroshima before the United States government began to think it couldn’t always stay two steps ahead of the Soviets and that maybe in the Kennedy and Johnson years with the Test Ban Treaty and Nonproliferation Treaty you began to create an international regime to control them. Can the U.S. stay so far ahead of others in this cyberwarfare side that we don’t have to think about kind of multilateral pathway rules of the game? Can one imagine multilaterally agreed rules of the game in times of peace for what would be off limits? And is there any circumstance in the event of an actual fighting, fight-to-the-death war that something in cybersecurity should still be off limits between the warring powers?

GALANTE: I think the only way where the U.S. will have some credibility on limiting this is if we’re willing to say what we will not do and actually stick to it. I mean, in a sense, that’s what happened in nuclear. Right? We had to agree to limits and we had to agree to different treaties where we would not further or use our military—our nuclear capability.

So I think until we’re willing to take things off the table and, as David points out, have a discussion about what is worth taking off the table and why, it will be very difficult for us to stay ahead, as you put it, or to constrain others to not use their advantage or to use anything they have against us.

And, you know, if we were talking five or six years ago, there were a handful of different states who could actually do something that was—that was a large enough effect that we would notice it, something beyond a defacement or a DDoS attack or something like that. Today, that number has multiplied significantly.

And with this capability, we always talk about how quick and kind of cheap this is to develop, which is true to some degree. But I think the other part of it, and when you’re thinking about the basic calculation for a capability, right, it’s intent—or for a threat, it’s intent plus capability equals threat. And on the intent side of this equation, the fewer—the fewer countries who are not willing to use espionage or attack us, the more this threat rises because capability is not that hard to get, unlike a nuclear where that capability was more difficult to develop.

So I think it’s a question of, what are we willing to take off the table and not develop? How public do we want to be about that? And are we willing to stick with it?

NINAN: Do you guys want to weigh in? Anything?

KNAKE: The only thing I would add—and I think, Laura, you’ve been in this experience with the Russians; I’ve had this experience with the Chinese—both of them come from the same perspective where we would start and say, OK, we believe the laws of war apply in cyberspace. Pretty simple point, right? We don’t need to reinvent international law for this new domain. And they would push back against that.

And I think—I think you guys in 2012 or so finally got them to say, OK, we agree, the laws of war apply in cyberspace. Right? So we don’t have to start anew, we can accept that you don’t target hospitals in cyberspace because you don’t drop bombs on hospitals.

NINAN: Interesting.

We have time for one more question.

SANGER: And can I throw in one very—

NINAN: Yeah, sorry.

SANGER: —very quick thought on that, not to cut off the question?

I agree with everything that Rob and Laura have said, but I also don’t think this is an area where treaties are going to work. First of all, the technology moves too quickly. Secondly, there are way too many players. When you went to go do treaties in the nuclear age, we knew we had a handful of nuclear players. And basically, if you could do this with the Soviet Union and then Russian, you were 90 percent of the way there.

Here, the weapons are, as Laura suggests, in the hands of states or in the hands of criminals, they’re in the hands of nonstate actors, they’re in the hands of terrorists, they’re in the hands of teenagers. I don’t know about in your household, but when I had teenagers in my household, they didn’t do treaties. (Laughter.)

So the result of this is that we’re going to need to have some broader norms that I think are discussed. And one of the ideas that Brad Smith at Microsoft just laid out—and I know there are a lot of people in the U.S. government who did not like this idea—is a sort of Geneva Conventions set of rules. And the interesting thing about the Geneva Conventions is they weren’t organized by any government, they were organized by the Red Cross.

NINAN: That’s a fascinating point.

One more question before we have to wrap it up from the audience. One more?

Yes, ma’am, right here.

Can we do this? Yeah? All right.

Q: Thanks. Joan Spero from Columbia University. Thank you all for a fascinating and troubling set of comments.

I’m a private sector bank, a major money-center bank. I would like to be able to turn to my government for help if I am attacked.

Now, I’m on the list, I guess, David. What kind of assistance can the U.S. government give me? Or what are they not willing to give me?

KNAKE: So, I mean, you know, the analogy that my boss always got mad at me for doing, but he’s no longer my boss, is—(laughter)—I would say basically it’s the—it’s the Home Depot model, you can do it, we can help. Right? The government isn’t going to come in and secure your network, do the incident response, or pay for anything, right? So government is going to come in and do what government alone can do: law enforcement, investigation, diplomacy, possibly sanctions, possibly offensive cyber capability.

What you’re going to get from the Department of Homeland Security is going to be technical advice assistance. But you’re going to have to call Laura’s old employer or another company to come in and help you remediate your network. That’s simply not something that the government is equipped or willing to do at this point.

So, I mean, the short answer is you’re largely on your own, but you’re supported. It’s very different than any other kind of warfare.

SANGER: And, Joan, take it outside of the thought of a bank here, because banks understand their risk level here and, by and large, they’ve got the resources to go about doing this. And there are some good models out of large banks that have invested in this.

But take more vulnerable organizations that feel like they don’t have the resources. A good example from the book, the Democratic National Committee. OK? So before the election cycle gets going, they bring in Dick Clarke, you may remember him from, you know, pre-9/11 days and post-9/11 days, he now runs a cybersecurity firm. They do a quick survey of the DNC’s computing system and they come back and they basically say you guys are hopeless. OK? Like, you’re down in kindergarten levels. Here’s a plan to go—right, and they showed them how much it was going to cost. And they said, great, this is too much money, we’ll pay for it after the election. OK?

And then the FBI calls and says, by the way, the Russians are inside your system. Well, I’m sorry. They called and they asked to be connected to somebody to who they could tell that to. And they got connected to the help desk. (Laughter.) Just like all of you. And the story is sort of unbelievable and it’s laid out in here. But basically, the people who answered the phone don’t believe it’s really FBI agents. They spend nine months going back and forth, exchanging phone calls, the FBI never actually walks the twelve blocks it would take to get them to the DNC. And in the interim, the Russians cleaned out everything that we now know the Russians cleaned out.

So the good news in your scenario is that the institution actually is aware that they’ve got a problem and wants help. The ones that worry me the most are the ones that either don’t have the resources go to go it or are clueless that they need help. And that’s probably where we need to start.

NINAN: And on that note, I want to say this is an amazing book. I realized what little I know about the cyberworld.

I want to say copies are available outside.

And, David, will you be around possibly to sign?

No comments: