Bennett, Harris, Marcus & Mundie: Expanding the Boundaries of Cyberwar

1/1

  • Jody Westby, Global Cyber Risk

  • From left, Michael R. Cote, Craig Mundie, Shane Harris, and Cory Bennett

  • Craig Mundie, Mundie & Associates

  • Shane Harris, Daily Beast

  • Alan Marcus, World Economic Forum

  • Michael R. Cote, Dell SecureWorks

  • Cory Bennett, The Hill

Panelists

Michael R. Cote
Dell SecureWorks

Shane Harris
Senior Natl Security & Intel Correspondent, Daily Beast

Alan Marcus
Senior Director and Head of Technology Sector Industries, World Economic Forum

Craig Mundie
President, Mundie & Associates

Interviewer

Cory Bennett
Cybersecurity Reporter, The Hill


Session Description:
The Internet, created by the Defense Department through DARPA, has evolved into a global platform for social and economic change. Today, from Stuxnet to Sony, we’ve come full circle as cyber-threats and security concerns threaten individuals, organizations, governments and the infrastructure upon which they rely. What global policies could be agreed upon to curb this growing threat?

Bennett: We’re going to talk a bit about cyberwar and militarization of the Internet, and I thought it’d make the most sense to kick it off by just kind of going down the line: giving everyone a chance to introduce themselves, mention a bit about what they do, and then also just give us a sense of the landscape right now. Where do you see the cyberthreats, how did we get that cyberthreat today, and what are the biggest dangers you’re seeing?

Harris: I’m Shane Harris. I’m the senior correspondent for intelligence and national security at The Daily Beast and recently wrote a book called “@War: The Rise of the Military Internet Complex,” so thank you for using my terminology in the title. Makes it easy for me.

You know, sort of where I think things are right now—and it’s sort of the thesis of my book—is that we’re at a time when cybersecurity—and we sort of take that to say defense of national networks, whether they be critical infrastructure or government networks, or frankly even sensitive corporate networks—has become a top-of-mind national security policy issue for this administration. President Obama came in 2009 ready to make that commitment. It only took him four months to give the speech from the White House when he declared the Internet a “strategic national asset,” to use his words. We’re seeing,just in the last 48 hours, yet another example of what the landscape of threats looks like from the point of view of a nation-state-versus-nation-state kind of topography, with China now being accused of hacking four million employees’ personal information—but also that same group being linked to a hack against Anthem, the health insurance carrier, which doesn’t necessarily fit a state on state model of aggression or espionage.

So I look at this from the standpoint of, What is the operator in cyberspace looking at? Whether that be someone in the military or the intelligence community. Increasingly this is taking on diplomatic and foreign policy dimensions, and an extraordinary amount of activity in the private sector. So what interests me, especially right now, is how are companies and private organizations responding to the threat against them when it’s become pretty clear that the government is not going to come to everyone’s rescue. And this raises all kinds of interesting questions we can get into about hacking back and self-defense, and what companies really can do to protect themselves. So as a journalist, those are the big questions that are driving what I’m looking at now.

Mundie: I’m Craig Mundie. I have my own little consulting firm now, but I’m pretty familiar with these things, since I spent 22 years at Microsoft—and most of our work in this domain related to trustworthy computing and security and privacy were all sort of started by me and Bill Gates about 15 years ago, and I administered them until I retired last December.

When I think about this militarization question, I think of it as a natural progression of things. You know, historically there were four domains of warfare: land, sea, air, and then space. And to some extent, cyberspace is a new space. This one happened to be created by us instead of given to us collectively—but in a sense, the evolution of the military issues I think are very analogous to how it happened in all the others. The US, interestingly, was the first country as a matter of doctrine to declare, a couple of years ago, that it deemed this fifth domain of warfare as just like the other four. And just like you don’t fight a battle in any one space—you know, you don’t confine your use of the navy to the navy; you know, if you’re going to go to go to war you use whatever you have—I think the people now think that this new space is similar. In essence: if you send me a bad packet, I may send you a cruise missile back.

But the reason that the country declared that as a matter of doctrine is, in fact, to create deterrent. And a lot of the reason you have militarization of anything is to create a deterrent, and I think we’re in the very earliest stages of trying to figure out how these things relate one to the next.

I do personally think of the militarization of this particular space and the administration of that broadly, on an international basis, as probably more difficult than the other four. And the reason for that is it’s so intimately diffused into everything we do. You know, if you think about the military pre-cyberspace, it was an environment where—almost where you see statutorily—we have the Department of Homeland Security and the Defense Department, and that whole thing started years and years and years ago with the idea that if they were off our shore, that was for the military to deal with, and if they were on our shore, that was something different. And unfortunately, the Internet doesn’t conveniently stop at that boundary anymore. And coupled with the diffusion into everything that we do, it’s going to be harder to peel it apart. So as Shane said, how do you determine what’s military espionage versus an economic espionage, for example? How do you think about administering this? To show how hard it’s going to be, the sophisticated handful of countries in the world that have activities in space, as far as I can tell, never yet have come to any real agreement about the militarization of outer space. And if you think about it, that’s out there. It’s not in the middle of everything we do every day. Now we’ve got this new space that binds them all together and is integral to how we operate in all the other four, and yet we don’t have a good way to define what we will and won’t do, and I think it’s going to be quite a challenge.

Marcus: Alan Marcus. I’m at the World Economic Forum. I head up the information and communication technology practice, and I’m leading a fairly broad effort we call 
Future of the Internet, which include a number of key pillars—one of them in particular being around cybersecurity. So we’re looking at this kind of from an economic angle. When you think of militarization, and even as Craig just mentioned, you think of land, space, air, and water. One of the things that’s kind of important from the military standpoint is protecting those places for trade, and those become mediums for trade or access for trade, and cyberspace now is just another one, right? The Internet, as we know, is a fairly large trade-facilitated platform.

Mundie: Fairly.

Marcus: So what does that mean in terms of the militarization may be not quite so clear—but certainly the notion that, as you look at some of these challenges and what the role of the military will play, in some cases might in fact be the protection of trade. And as we see some of the challenges out there, some of it is coming, say, from a mercantilist type approach, which is a way a country might increase its trade capability—and some of it may be coming from the notion that they want to create protectionism and use the guise of militarization or some kind of security in that respect.

The other angle that I’ve certainly been looking at personally, and also kind of just wrote a book called “Beyond Cybersecurity,” is thinking from the standpoint of the business leader and their role in this as a protection of the assets under which they are the stewards. So we’ve heard the notion of customer data and personal data that many companies own and, you know, as a steward of that they have to protect that. What’s their role in this—particularly if those attacks or intrusions or other types of Internet penetration are coming from a military type organization? So it’s not very clear at all what the role of the business leader is, and how they work both with their own security apparatus within the IT department, and also what that looks like working with governments—particularly for multinationals that are sitting in multiple geographies.

Cote: I’m Mike Cote. I was the CEO of a company called SecureWorks that Dell acquired a little over four years, and I now run the security service business within the Dell organization. We have about 4,000 organizations around the globe in 55 countries that we partner with to keep the bad guys out of their network, basically. It’s all organizations, not on the consumer front.

I think one of the interesting parts of the conversation—from what the panelists have already said—in my opinion, is if you step back for a minute I think we have confusion, to your point, in what individuals want from a military perspective or from a protection perspective. So, for example, if I said, “Who do you expect to protect you from a war?” The answer is clearly the US government. “Who do you expect to protect you from being attacked at home?” And it would be your local police department. Well, who do you expect to protect you on the Internet? Do you expect anybody to protect you on the Internet? I think the answer to that question varies dramatically—not only within the United States, but around the world:trying to just come to an agreement on that, before you sort of get into what the role was that the government may play.

Bennett: Yeah, and I want to pick up right there on that point in terms of who is in charge of this. You know, most of you guys mentioned deterrents in some regard. We are seeing a very proactive effort by the administration: the recent White House national security strategy upgrade. The Pentagon released a new cybersecurity strategy. Each of those tried to make much more clear exactly what they saw the government’s role as—in defending networks and using defensive cyber capabilities, even potentially offensive cyber capabilities. I’d be interested in getting your take on what you think of both those documents, and how those play into deterrence. Is it an effective form of deterrence? We probably don’t know just yet, but I’m interested in your thoughts, as they’ve been out for a few months now.

Mundie: I think one of the biggest challenges in any deterrent based scheme is you have to be able to actually make good on your threat. And one of the difficult things in the cyber environment is, attribution is difficult and hard to do in real time in many cases. And while I think a lot of investment has gone into making that better, it’s not good enough. That makes it hard, because people feel, right or wrong, that they can operate with more impunity than is the case in the physical world. And as a result, whether it’s the doctrinal statements or these programs, they’re starting to at least say, look, we’re coming up with different ways that we’ll take punitive action against people who we think are misbehaving, but it’s still a little bit hard to make good on those threats. And I think until that gets better—or in fact until we actually do it—it’s going to continue to be questionable whether or not it really slows down the thing.

One counterpoint I want to make about, you know, who are you going to call: clearly the US government and local law enforcement, or even the FBI, are going to have to step up to this threat. How much they can do, hard to tell. But the idea that they would just cede this to vigilantism or say it’s got to be done on a personal or corporate basis, it just doesn’t work. In fact, today the laws actually prohibit companies in the United States from doing those things. So, you know, even if you thought you wanted to go out and do it, you’re just prohibited by ECPA [Electronic Communications Privacy Act] and other things from being able to chase guys up the wire yourself or other things. So it’s a very weird asymmetric environment right now.

The other thing that I think is going to happen is we are going to make the technology better. You know, we’re in a transitional state, in my mind, and that’s going to have some rebalancing effect over time.

Cote: So can I ask a question—because you’re closer to some of this than the rest of us are, and I’d love your thought on—there’s an allocation of resources that has to happen in this spectrum, and do you think attribution falls high on that allocation of resources?

Mundie: Well, you know, I guess I can tell you that my view is that at the federal level, in the DOD, a lot of energy is expended on attribution. Because they realize if we really are getting into war—you know, it’s sort of like saying, well, okay, somebody shot a missile at us. If we have no clue where it came from, who do you send the army to visit? And so I think—you know, I give them the best marks in terms of investment. Unfortunately, that investment doesn’t accrue to the everyday problem that businesses and individuals have. So as you come down and say well, is the same level of sophistication there at DHS or DOJ, my view is the answer is no.

Cote: So that gets into the definition of what’s the war. How do you define war in this case?

Mundie: You know, I think for the purposes of at least this panel, I think war has to be deemed to be an aggressive movement that is not espionage.

Bennett: A destructive attack?

Mundie: Well, yeah, destructive. The weird thing now is there’s different forms of destruction. I mean, so for example, this is—I’ll give you just one example of how hard this gets, but should the US think this is war—somebody basically in a concerted effort takes out the US banking system. All they did was essentially wipe out the firmware and a bunch of the servers, but the banking system essentially goes off and doesn’t come back on readily. Is that an act of war?

Bennett: Alan?

Marcus: Well that’s the right question. You know, and you think about it, something like that’s actually happened, right? Saudi Aramco was attacked, and they had actual destruction, right? Servers went down. Operations went offline.

Mundie: Nation state against corporation.

Marcus: So was that an act of war?

Harris: Well, you know, the DOD has sort of answered this question. If the banking system—and we’re just using this as a hypothetical. Maybe we should say one or two major banks.

Mundie: But that would take out the banking system.

Harris: Let’s say that it then led to a sort of collapsing of trust and confidence and there was a run on the banks. I think the Pentagon would absolutely see that as an act of war.

Mundie: Well, I agree. So I raise that one because in some classic sense of destruction, there wasn’t much.

Harris: Right. It was data, but then it erodes the economy and you have a national panic.

Mundie: All you destroyed was a bunch of bits.

Harris: Yeah, that’s all it takes.

Mundie: But that’s all it takes these days to essentially bring an economy or a country to its knees. So in my own view, I think those things have to be deemed an act of war. But many of the classical questions then—okay, do you declare war? Does it require Congress to approve it? You know, what is the retaliatory mechanism? Are you sending the carriers and the jets or the cruise missiles or are you taking and saying, no, no, how about we launch an offensive attack, or are you going to do these things in combination? This doctrinal question is still in development, in the United States and broadly around the world, and it is not a simple question.

Bennett: Well I think some of this gets back to your point about attribution where, in order to retaliate, do we have to be able to identify very specifically? And I think the challenge the US government has run into is, even if you can identify that yes, this is a Chinese hacker that is even a member of the PLA [People’s Liberation Army], is that person actually being orchestrated by Beijing officials? And that’s kind of the second level. Do you guys think that is the difficulty we will face in terms of wanting to impose these economic sanctions like the executive order that Barack Obama put in place? That’s kind of the last line that we haven’t seen how they do that.

Harris: I don’t think that is a strategic difficulty, actually. I mean, I think you mentioned the executive order that allows the administration to impose sanctions on malicious cyber actors, so you could impose sanctions against—theoretically—the Chinese government, or you could impose them actually against a corporation in China that was the recipient of—let’s say—stolen intellectual property from an American company.

I think that with the Sony hack, actually—which is where North Korea broke into the servers at Sony, stole data, destroyed data à la Saudi Aramco—it’s never been completely firmly established—at least based on my reporting of what we’ve seen—whether that was, you know, being directed by the dear leader, or whether this was outsourced to another group or what. But at some level the administration decided North Korea would bear the responsibility for this attack. And even if they didn’t precisely spell out who was doing what, publicly at least, they made the case that North Korea was responsible. Therefore North Korea can be sanctioned. And I think that’s established a precedent where you can have, perhaps, nation-state-level attribution without necessarily having to get down to the level of whether it was authorized by this particular individual or that particular department. And the administration then came out two weeks later with this sanctions regime, essentially telling the world: hey, we’re going to hold people accountable for this kind of thing. What’s going to be an interesting test though is, after the OPM hack, whether they’re actually going to do anything about that. And I would predict no. At least publicly.

Mundie: I’m actually more worried about the non-nation-state actors that are basically terrorist organizations.

Bennett: Yes, let’s talk about that.

Mundie: You know, take China. I mean we talk a lot about China, but my own view is we have very effective deterrent at the level of military action with China. The reason is our economies are so intertwined that, you know, if China decided to do something that would sort of obviously cross the threshold of “that was actually an attack and now we’re going to go to war,” you know, the world is going to be in a bad place, and China’s going to be in a bad place. And so I think that the deterrent there, it’sthe economy.

So the bigger challenge is—now that it only takes a handful of guys in a bunker with a fiber optic cable and a few computers to wreak havoc somewhere—the places where you don’t have the natural deterrent of economic interdependence, you now have a much greater threat of viable asymmetric attack. And, you know, we’ve seen this. I mean it’s pretty much common knowledge that Iran, for one, which did the Saudi Aramco thing against the Saudis, but other actors—maybe ISIL, for example. They have a big program, you know, a declared program, that they’d love to be able to go have some effect with cyber activities, as well as their classical military stuff.

So there you can’t fall back on the deterrent. That’s why the doctrine has to be: we get to pick what we retaliate with because different things will work for different actors, and you have to think about that. But when you have a small group of people, and when the retaliation has to come in the form of non-cyber, then you’re immediately back into the same issues we have of boots on the ground, cruise missiles, you know, all of the adjectives that appropriately attend decisions about deploying military assets. And we don’t have—in my view—yet, as a matter of policy, a very good scale. I mean, you know, remember the old movies, all this stuff, DEFCON 1, DEFCON 2, right? And that was real in the nuclear case. You know, ask yourself, other than—I mean, DHS has some threat levels—

Bennett: Cyber DEFCON—

Mundie: But we don’t really have a clear gauge that says, you know, well how many bits do you have to wipe out to declare a certain level a problem? And I think these are things we’re still all learning about that are going to require a lot more policy consideration.

Marcus: I would say too, just on that: it’s not always clear which agency is looking at which set of problems in this space. And so although it’s gotten much better—and to your point, they’re working better; four years ago we held a conference here in Washington with some business leaders,looking for some US policy leadership on thinking “what is the role of the business leader?” in this aspect. We had to get representatives from 18 different government agencies and organizations—18—to cover what the US government’s position was. Now, it’s probably not 18 necessarily anymore, but it’s still not one or even two. It’s still spread over quite a bit of space. And so, trying to get to some clear policy, I think, has still got some work to do just because of the siloization of how we look at the different parts of this cyberspace.

Bennett: Yes, and you’ve seen Congress start to address that. I mean, late last year in December, they passed a series of bills that essentially codified some of these responsibilities within the government. It was described to me mostly as kind of a cleaning house type of deal. But it’s very necessary. I mean, cyber investigations span across many different agencies.

Mundie: But this is an area that’s not a global policy question—it’s a US policy question that says now that you have such continuity between what was international and what’s now in the homeland, the structure in the United States that was created—the separation of powers and duties between Title 50 for military, and Title 18 or whatever it is in the Department of Homeland Security, and the law enforcement organizations—other countries don’t have that segregation of duty. As a result their effectiveness, I think, in being able to prosecute these questions, or at least being prepared to defend against them, may actually be better than the United States right now, for all the reason that Alan indicated. And so a lot of times we don’t stop and ask ourselves, “Are we handicapping the country merely by the continuation of a structure that didn’t contemplate this kind of threat?” And that will either obligate us to get a lot more coordinated or step back and say, “Wow, you know, this just doesn’t work for the new threat landscape.” And those are conversations I would love to see the country have, which I don’t think are happening sufficiently.

Bennett: How might you suggest altering the structure within government? Or is that even so far down the line that we can’t have that conversation yet, we still have others to have before we get there?

Mundie: I don’t know. I mean, just the division between the Homeland and DOD—and we know all the reasons that that was created—just puts a big operational hurdle. And when the packages goes “whoop,” you know, zips across the ocean, lands here and now, okay, when it was coming, it was DOD and NSA, and then it got here and it’s now DHS. And, you know, that’s—it’s just hard. And in a world where speed matters, you know, we’re putting a real burden of coordination on our operating entities in the government that other countries are handling in a different way.

Marcus: You know, just kind of to that question, one of the missions of a blue water navy is to protect and keep open trade routes through the seas. That is one of their missions, and certainly one of the big missions of the US Navy. And I bring that up because, you know, if you think about it, as a manufacturer and you’re shipping goods, you’re not sitting there thinking, “Is the Navy out there protecting my shipments?” But you are reasonably safe that your goods are going to transport between countries, and largely things go okay. You’re worried about pirates, certainly in certain parts of the world, and increasingly you’re worried about some countries now deciding that international waters may now become part of their sovereignty, and, again, you look to your navy just to help you deal with those situations. If cyberspace is just another trade route, is it not reasonable to expect that your military—not necessarily war—but your military is creating a level of protection on that particular trade route, especially since it is going through, in some respects kind of virtually, an international space?

Bennett: Yes, absolutely. With that, I’m going to open it up to some questions.

Apple: My name is Martin Apple. I have two questions, essentially one basic question. The basic question is, are crime syndicate non-state actors figurable in the way you’re doing your paradigm A versus B as the two options?

And second, are there any fundamental designs of the software that start from security and build on their ability to be facile, instead of the other way around which is the way we’ve been building software for a couple of dozen years? And I point out this interesting story in the newspaper yesterday or the day before about a white hat hacker group that did 100 high tech companies. They immediately found holes in all of them. They sent notices to the CEOs. One-third of the CEOs said a curt thank you and dropped it in the waste basket, didn’t follow it; one-third didn’t respond at all; and the other third ran to go fix the patch, whatever was wrong. So it essentially says that even at the top level of our corporate understandings, we’re not paying attention.

Harris: I’ll take a crack at the first question. There was an interesting “New York Times” article that came out last week that I think kind of helps to answer this, and also kind of gets at how the coordination is evolving. And this was a story that was based on some of the Snowden documents. But historically, you know, you would take crime syndicates and you would say, okay, that’s a criminal organization, not necessarily a nation state, even if there were maybe links between that and a nation state. But let’s just take, hypothetically, an organized criminal gang in Eastern Europe, you know, that’s running financial scams. I mean the FBI has the authority and the mandate to investigate crimes committed in the United States against Americans, and that could be with a foreign actor as well. But what this “Times” article kind of spelled out was how the FBI was having great success, at least from their perspective anyway, combating the cyber threat domestically. They were getting really robust on that. But they were finding, increasingly, criminal organizations and individual criminals who were not based in the United States. They were based outside the United States. So that seems to then cross into the realm of, well, an intelligence agency goes and gathers that—not that the Bureau’s not an intelligence agency. But what they did is they essentially went to the NSA, they said, “You guys have built this, you know, fantastic global apparatus for monitoring chokepoints in the Internet, where a lot of this traffic is moving across, including stuff that’s coming into the United States. Why don’t we work together? You help us find the guys who are actually overseas but who might have compromised equipment in the US to commit crimes here, send the data over to us so it can assist our investigation.” And I think that what it shows you is that we still are sort of making distinctions between criminal organization and nation-state actor, or individual actor and nation-state actor, but these large apparatuses are kind of finding ways to team up together—both on a policy level but also at this very operational level. And, you know, what was interesting in the documents—they sort of spelled out the conversations the Bureau was having with the NSA about four years ago—was that the FBI could have gone out and built its own apparatus to try and gather that information, but it would be a lot more efficient and cheaper to just use the one that the NSA had already built. And there’s nothing illegal—or there’s no violation of policy in them working together. So I mean that kind of gets at both how the definition of what’s criminal versus nation-state requires more creative thinking, I think, about this, and we’re seeing some evidence of that.

Mundie: Well, just to be clear, I’ll say in the community that deals with these things, they generally think of those as three things. The distinction wasn’t just two. There’s states in the Westphalian sense, and there’s non-states, which are essentially like terrorist organizations. So in general, when they talk about state versus non-state, they tend to be making that distinction. Separately, there’s criminal organizations and individual activity. So we generally don’t try to just bucket it into two buckets.

And then the question about the software, I’ll just give you my thoughts. We basically had built software years and years ago just without any concept that there was going to be a threat externally. And it was only when we took systems that were designed that way, and then we happily interconnected them all, that we begin to realize that there were threats that they were never really engineered to defend against. And we’ve run that model a long way. As people are building systems now—particularly these high scale web services and others—and who are very serious about it, they pay a lot more attention to the balance of the architecture as it relates to defending themselves, as opposed to just providing service capability or features.

I think the next big step is, when we start to use the computers to monitor the other computers in much more sophisticated ways, we might make some real progress here. The big problem right now is that the classical—the distinction I make is that the model we’ve developed and operated under forever on security is sort of like what I call the medieval model. I have a castle, I put a moat and drawbridge out there, put all the good stuff inside and hope that the guy can’t get through the wall. Unfortunately the cruise missile has already been invented. You know, in many cases now, the company’s already been breached, so now we have to essentially find a different way, and that is still in development. But I do think, not because people will just start with security first, but they’ll come up with a more hybridized architecture of observation and control that will work to eliminate some of the threats that we currently don’t have a way to stop.

Marcus: And I’ll just answer the CEO question, because it’s good. In January 2011 in Davos, I asked 60 tech CEOs—and Craig, I don’t remember if you were there or not—you know, is cyber security important? And it was kind of a lukewarm reception. They were like, “It’s solved, we don’t need to talk about that anymore, there are more pressing issues.” April 2011, Sony PlayStation was hacked, then the phones started ringing: “What was that again you wanted to talk about?” So that led to a whole bunch of work that we did over a few years, which then ended with this book “Beyond Cybersecurity,” which is written for the CEO to help them understand what’s at stake, right? In that first year we asked these CEOs, “Do you know who is responsible for cybersecurity within your organization?” More than 80% didn’t even know that they had such a person. Now ask a CEO, chances are not only they know they have it, they can tell you the person’s name, they can tell you how often they’ve met. So it’s come a long way. And I think there’s still a lot more to go, but it does come to some of what Craig’s also talking about. You’ve got to think about security by design. It’s not just about patches after the fact. It’s every product, the way you deal with your supply chain, your employees, you have to build security into the system. And, you know, that’s just starting to be understood, what that starts to look like.

Westby: Jody Westby from Global Cyber Risk. So the US government has engaged in cyberwarfare more than any other country. Therefore, we have refrained from pushing global leadership out to get the laws of armed conflict to accommodate cyberwarfare because we don’t like those constraints. It’s nice to just have military freewheeling in this space, which is what we’ve done. But my question to you all is, I really think that desire for military freewheeling puts us all at risk, because it’s the private sector that’s the target. This is no longer military deciding what target they’re going to attack and when, and have their military strategy. It’s very much a private sector target. And so there are aspects of the laws of armed conflict that can actually, you know, be adjusted for cyberwarfare, just as we’ve adjusted for navy and air force, and now looking at space. So what do you think the role of the business community is to go to the government and say, “We need some global leadership” and talking about cyberwarfare and actually putting some framework around this to keep all of us safe while they’re trying to achieve their military objective?

Bennett: Anyone want to take a stab at this?

Harris: There’s a lot of questions embedded in that. Look, let me take one stab at the first part, where I would come at it a little bit differently for the idea of military freewheeling. Think of it this way, in the military—you know, and when we say the military, let’s take the NSA, where the NSA director is also the head of cyber command, where it’s the same person doing two different jobs. But Admiral Rogers, who runs that organization, has said, as you’re talking about, you know, cyberwar—that is computer network operations, as the military would define it; that is, we’re going to break into a system and cause damage—they have said publicly that the law of armed conflict does govern that: that proportionality rules, that precision in targeting, minimization of collateral damage. When you cross into the realm of espionage, a lot of the same things that the military does in computer network operations look like things that we do in computer network exploitation, or spying, where I would argue that the lines are not as clear. So there, I mean I think you’re talking about, you know, not so much is the military kind of off the chain, but like what is the proper definition of a Title 10 versus a Title 50 operation in cyberspace. And there’s a lot of mutability and fungibility between those two things. That could be a place where, you know, policymakers should ask for some more clarity, I would think.

But in general, what can the business community do? There’s not a great—at least I don’t sense it—momentum from the business community rushing to the government and saying, “Yes, please help us figure out these policies.” There’s a great mistrust among the business community of the government right now that’s partly due to I think what happened with the Snowden revelations—

Bennett: You see that with the encryption debate that’s going on, yes.

Harris: Sure, the encryption debate. They’re fearful of being regulated—

Cote: The liability issue.

Harris: The liability issue.

Bennett: Yes, with the legislation in congress currently.

Cote: You’ve got 50 AGs that are all going to come flying at you.

Harris: Right, right.

Bennett: Disclosure, yeah. Anyone else want to tack onto that?

Marcus: Well, I was just going to say, with that said, although there is this skepticism, business leaders are increasingly realizing that they’re also under attack from the criminal organizations and just pure crime. But from a business standpoint, you can’t discern whether this is a criminal organization, a terrorist organization, or a military attack. And kind of to your point—I think Craig mentioned earlier when we were backstage, there’s like 30,000 companies now deemed as critical infrastructure in the United States, and then you add all the other ones that are also under attack even if they’re not critical. The business leader does have a need to come up with some kind of alignment with government, at least in terms of protection even from crime. And if I can’t discern crime as a business leader, I can’t just draw the line and say, well, we’ll work with public security departments, you know, local police agencies. We’ve got to think much, much bigger in how that operates.

Cote: So essentially when you say it though, my understanding to the first question, that there are so many companies the FBI’s knocking on the door now to say, “You’ve been hacked” that they can’t go any further than that, other than, “You’ve been hacked, you need to go find some help.” I mean literally, it’s just so much work.

Bennett: That’s how most companies find out they got hacked.

Cote: But it’s such a massive problem today. It’s different on the war, if we can define war in the true sense of war, which I think we could come close to agreeing upon, but in the theft area I just don’t think it’s—

Marcus: So it can’t be after the fact, right? It shouldn’t be the FBI knocking on their door. There should already be this sort of policy of, “How do we work together?” Information sharing is certainly one of the things that comes up all the time. Like in health, right? If you start to share a particular outbreak, you can start to tap it off. In fact, we even just saw with Ebola, one of the things that caused it to continue to spread so rapidly was the lack of information sharing because of certain policies that were in place. So if we can get information shared in a timely manner, then actually it could help quite a bit, and then organizations such as yours and others that can actually go in there with some real solutions in real time, including, you know, trapping culprits and that sort of thing.

Cote: For the record we have real solutions. For the record we have real solutions.

Marcus: But companies are not always buying these real solutions.

Cote: No, I agree. Actually, I agree with you on the information sharing. But I think, again, the issue is that the organizations are fearful of the liability issue, and the lawyers take control immediately.

Marcus: That is true. That is absolutely true.

Bennett: I mean, it seems McConnell today said he is going to attach the Senate cyber bill onto the defense budget, the NDAA [National Defense Authorization Act]. So—

Harris: Oh, that’ll be fun.

Bennett: Yes, exactly. It’s going to generate its own fight.

Tags: , , , , , ,