Cyber-enabled economic warfare (CEEW) is a hostile strategy involving attack(s) against a nation using cyber technology with the intent to weaken its economy and thereby reduce its political and military power.
Under the leadership of Dr. Samantha Ravich and through rigorous interdisciplinary research, FDD launched its project on CEEW to provide an understanding of the real threat the United States and other free market democracies are facing: a bloc of hostile and increasingly aggressive authoritarian regimes who seek to turn our market openness and vitality against us.
The conference featured the formal release of four new monographs (available below) on the CEEW strategies of China, Russia, Iran, and North Korea.
Dmitri Alperovitch is the Co-Founder and CTO of CrowdStrike Inc., a leading provider of next-generation endpoint security, threat intelligence and incident response services. A renowned computer security visionary, he is a thought-leader on cybersecurity strategy and state tradecraft. In 2016, Dmitri revealed Russian intelligence agencies’ hacking of the Democratic National Committee (DNC), events which unveiled the full scope of cyber influence operations being launched against the 2016 US Election. In 2010 and 2011, he led the global team that investigated and brought to light Operation Aurora, Night Dragon and Shady RAT groundbreaking Chinese cyberespionage intrusions, and gave those incidents their names. Fortune Magazine named Dmitri as one of “40 Under 40” most influential young people in business and Politico Magazine featured him as one of “Politico 50” influential thinkers, doers and visionaries transforming American politics.
John P. Carlin, former Assistant Attorney General for the U.S. Department of Justice’s (DOJ) National Security Division (NSD), chairs Morrison & Foerster’s Global Risk + Crisis Management practice and co-chairs the National Security practice. He is the author of Dawn of the Code War: America’s Battle Against Russia, China, and the Rising Global Cyber Threat, which provides an inside look into how we combat daily attacks on United States companies, citizens, and government. Prior to serving as the DOJ’s highest-ranking national security lawyer, John served as Chief of Staff and Senior Counsel to FBI Director Robert S. Mueller, III and as National Coordinator of DOJ’s Computer Hacking and Intellectual Property (CHIP) program. Under his leadership, the NSD launched nationwide outreach across industries to raise awareness of national security, cyber and espionage threats against U.S. companies, and to encourage greater C-suite involvement in corporate cybersecurity matters.
Frank Cilluffo directs the McCrary Institute for Cyber & Critical Infrastructure Security at Auburn University. Prior to joining Auburn, he founded and directed the Center for Cyber & Homeland Security at George Washington University where he led a number of national security and cybersecurity policy and research initiatives. He serves on the Homeland Security Advisory Council as the Vice Chairman of the Future of Terrorism Task Force. Frank previously served as Special Assistant to the President for Homeland Security.
Daniel Hoffman retired in 2017 as a senior Intelligence Service Officer with the Central Intelligence Agency. During his 30 years of distinguished government service, he held several high level positions with the CIA including a Senior Executive Clandestine Service Officer. He was also a CIA station chief in South Asia and Central Eurasia, with tours of duty in the former Soviet Union, Europe, and war zones in both the Middle East and South Asia. He has substantive expertise on geopolitical and transnational issues related to the Middle East, South Asia, Russia, counterterrorism, as well as cyber and counter-intelligence. He speaks fluent Russian, Estonian, Finnish and Urdu. Now in the private sector, he is a frequent public speaker on cyber security, terrorism, Russia, and leadership. He is a recipient of CIA’s Distinguished Career Intelligence Medal.
David Maxwell is a senior fellow at FDD. He is a 30-year veteran of the United States Army, retiring in 2011 as a Special Forces Colonel. He has served in Asia for more than 20 years. He served on the United Nations Command / Combined Forces Command / United States Forces Korea CJ3 staff, where he was a planner for UNC/CFC OPLAN 5027-98 and co-author of the original ROK JCS – UNC/CFC CONPLAN 5029-99 (North Korean Instability and Collapse), and later served as the Director of Plans, Policy, and Strategy (J5) and the Chief of Staff for Special Operations Command Korea (SOCKOR). He is on the Board of Directors of the Committee for Human Rights in North Korea and the OSS Society.
Ellen Nakashima is a national security reporter for The Washington Post. She covers issues relating to cybersecurity, surveillance, counterterrorism and intelligence. In 2018, she and her colleagues were awarded a Pulitzer prize for their examination of Russian interference in the 2016 election, possible links between the Trump campaign and Kremlin agents, and the U.S. response. In 2014, she and another team of Post reporters received the Pulitzer Prize for Public Service for reporting on the hidden scope of government surveillance and its policy implications. Ellen has also served as a Southeast Asia correspondent and covered the White House and Virginia state politics. She joined The Post in 1995.
Dr. Samantha F. Ravich is the chairman of FDD’s Transformative Cyber Innovation Lab and the principal investigator on FDD’s Cyber-Enabled Economic Warfare Project. She is also a senior advisor at FDD, serving on the Board of Advisors of FDD’s Center on Sanctions and Illicit Finance (CSIF). In August 2018, Samantha was appointed to the President’s Intelligence Advisory Board (PIAB) and designated to serve as vice chair. She was also appointed in October 2018 to the congressionally-mandated Cyberspace Solarium Commission. Previously, she served as deputy national security advisor for Vice President Cheney, focusing on Asian and Middle East Affairs as well as on counter-terrorism and counter-proliferation. A defense and intelligence policy and tech entrepreneur, she is advisor on cyber and geo-political threats and trends to numerous technology, manufacturing, and services companies as well as a managing partner of A2P, a social data analytics firm.
Michelle Van Cleave served as the National Counterintelligence Executive under President George W. Bush, responsible for providing strategic direction and ensuring the integration of counterintelligence activities across the federal government. She has also held senior staff positions in Congress, at the Pentagon working on homeland defense policy in the aftermath of 9/11, and in the White House Science Office, where she served as Assistant Director and General Counsel under Presidents Ronald Reagan and George H.W. Bush. A lawyer and consultant in private life, she is also a principal with the Jack Kemp Foundation.
B. Edwin Wilson was appointed the Deputy Assistant Secretary of Defense for Cyber Policy on February 20, 2018. In this capacity, he supports the Secretary of Defense and other senior Department of Defense leaders by formulating policies and strategies to improve DoD’s ability to operate in cyberspace. He retired from the U.S. Air Force after serving on active duty for over thirty-two years. In his last duty assignment, he served as the Deputy Principal Cyber Advisor to the Secretary of Defense and Senior Military Advisor for Cyber, Office of the Under Secretary of Defense for Policy. In these capacities, he supported the Principal Cyber Advisor as the primary advisor integrating and overseeing the development of all DoD cyber capabilities, activities and policy, and provided a senior military perspective on the cyber policies, strategies and plans that guide DoD efforts in cyberspace.
Dr. Larry M. Wortzel is an eight-term commissioner of the U.S.-China Economic and Security Review Commission. He served for 32 years in the United States Armed Forces, including seven years in the infantry as well as assignments in signals intelligence collection, human source intelligence collection, counterintelligence, and as a strategist. He served two tours of duty in Beijing, China, as a military attaché and spent twelve years in the Asia-Pacific Region. He is the former Director of the Strategic Studies Institute at the U.S. Army War College and served as director of the Asian Studies Center and vice president for foreign policy and defense studies at The Heritage Foundation. He has written or edited ten books and numerous scholarly articles on China and East Asia.
Juan C. Zarate serves as chairman and senior counselor of FDD’s Center on Sanctions and Illicit Finance (CSIF), and Chairman and Co-Founder of the Financial Integrity Network. He is also Senior Adviser at the Center for Strategic and International Studies (CSIS), Senior National Security Analyst for NBC News and MSNBC, and Visiting Lecturer of Law at the Harvard Law School. Juan served as the Deputy Assistant to the President and Deputy National Security Advisor for Combating Terrorism from 2005 to 2009, and was responsible for developing and implementing all aspects of the U.S. government’s counterterrorism strategy, including countering violent extremism and weapons of mass destruction. He was the first-ever Assistant Secretary of the Treasury for Terrorist Financing and Financial Crimes.
Dr. Samantha F. Ravich, Principal Investigator, FDD’s project on Cyber-Enabled Economic Warfare; Vice Chair, President’s Intelligence Advisory Board
John P. Carlin, former Assistant Attorney General for National Security at the U.S. Department of Justice
Juan C. Zarate, Chairman and Senior Counselor, FDD’s Center on Sanctions and Illicit Finance; former Deputy National Security Advisor
RAVICH: Welcome. I think we’re all taking our seats now, except for me, I’m standing. My name is Samantha Ravich and I am the Principal Investigator on the Cyber-Enabled Economic Warfare project here at the Foundation for Defense of Democracies, a non-partisan research institute focusing on national security and foreign policy, organized in the immediate aftermath of the 9/11 attacks.
Before we begin, I’d like to take a moment to honor our veterans, members of the armed force — armed services, law enforcement and public servants. Our nation thanks you for your dedication and service to our country. You defend our nation and our ideals, and in the cyber realm you are increasingly joined on the battlefield by the private sector, as we’ll discuss today.
I would like to welcome and acknowledge our distinguished audience of foreign policy and national security professionals. We are privileged to have with us ambassadors, cyber and defense attaches and other senior diplomatic officers from more than 20 nations, as well as officials from the White House and the Departments of Defense, Energy, Commerce, Justice, Treasury and State.
We welcome members of the Intelligence community as well as congressional staff. We’d also like to acknowledge the many members of the press, both domestic and international, here with us today. Welcome, also, to the audience joining us via live stream.
We’re pleased to be joined today by members of FDD’s National Security Network. I’ve had the privilege of traveling on a few of the NSN overseas trips and speaking at events with this cohort. This next generation of National Security practitioners gives me great confidence in the country’s future. We’re also delighted to welcome several members of the Cyber-Enabled Economic Warfare Advisor Group. Your insights have helped shape our work over these past few years.
I’m pleased, also, to welcome fellow members of the Board of Advisors for FDD’s Center on Sanctions and Illicit Finance. It is a pleasure serving with you all.
After the conference we will be circulating a survey, via e-mail, to help us understand the perceptions of the threats from cyber-enabled economic warfare. We ran a similar survey a few years ago at the outset of our work, and it will be interesting to see if and how perceptions of the threat have changed. The results will be anonymous and I hope you all will be willing to participate.
So as we get started, I want you to keep three things in mind during today’s conversations. And I know it’s — it’s not an easy feat with everything that is going on in our personal lives, and our country and the world, but important enough that for today I don’t feel bad about asking you to do this.
So the first thing is the recognition of the critical role that American inventions and innovations have played in the prosperity and security of our country since the birth of our nation. George Washington so recognized the importance of encouraging the advancement and protection of inventions that he called for the passing of the Patent Act as his — in his first State of the Union Address.
And in fact, there were 150 patents issued during his presidency, and each was signed and sealed by President Washington himself. Over the next two centuries American inventors, such as Samuel Morse, developed the telegraph — patent number 1,647 for those of you who are counting, and the Wright brothers flew the first controlled flight of a power-driven airplane — patent number 821,393.
Ponder for a moment on the transistor, the key active component in practically all modern electronics, developed by William Shockley at Bell Labs. Consider the personal computer, the internet, GPS.
All right, now second, think about what would have happened if those inventions had never come to be, because the inventors themselves could not profit from their hard work and so decided not even to bother, or if those inventions had been stolen by our adversaries before they could give our country their full benefit.
World War I may have come to a different conclusion if General Pershing never had the air advantage. And if Andrew Higgins’ boat design, protecting the propeller from grounding — patent number 422,146 — had been stolen by the Axis Powers, Normandy may not have been possible and the tide of World War II may never have turned in our favor.
And now, third, think about the critical inventions and innovations today that are being killed in the cradle or stolen to be used against our prosperity and security. All right, you all may have heard about the recent Micron case and our panelists may speak about it more today, but briefly, the Boise, Idaho based Micron provides approximately 20 to 25 percent of the world’s supply of dynamic random access memory integrated circuits — alright?
The company has invested billions of dollars over the years to develop its intellectual property. And since at least the fall of 2015, a Chinese state-owned company has been stealing its trade secrets through cyber and non-cyber means, most likely looking to counterfeit the technology and flood the market with cheap substitutions, severely impacting the health and welfare of Micron going forward, and by extension, the security of our personal computers, workstations and servers.
Think about the effect on our security and prosperity, if a critical component of our wired world was powered by a Chinese state-owned entity. When the U.S. Commerce Department added Fujian Jinhua Integrated Circuit Company to the entity list at the end of last month for its theft from Micron, Commerce Secretary Wilbur Ross quite rightly stated that, “when a foreign company engages in activity contrary to our national security interest, we will take strong actions to protect our national security.”
So, the actions to protect Micron and punish Fujian Jinhua were long overdue. But in some ways, that particular horse had already left that stable carrying billions of dollars in revenue and military vulnerabilities on its back.
To protect our national security industrial base going forward, the U.S. government and our population at large need to understand that there are adversaries out there who know that our greatest strength is our ability to create and innovate, and own the fruits of our labor, because the business of America is truly business. We are the number one military in the world because we are the number one economy.
So our work here on cyber-enabled economic warfare helps in this mission by shining a light on the strategy on of our adversaries to undermine our prosperity, and thus, our security.
We have entered a frightening new world, where not only a country like China or Russia can cause massive harm to our economy, but so could Iran and North Korea. Two countries with a combined GDP of less than 1/10th per capita the GDP of North Dakota, right, but all the cyber capabilities of a super power.
So with that statistic now rattling around in your head, I want to welcome Juan Zarate and — and John Carlin to the stage.
Juan Zarate serves as Chairman and Senior Counselor of FDD’s Center on Sanctions and Illicit Finance. It is his fault that I joined CSIF’s board more than four years ago and I thank him every day for that vision and his thought leadership on future threats and opportunities facing our nation. And as many of you know, John Carlin served as assistant attorney general for national security and is an adviser to our Cyber-Enabled Economic Warfare project. John has a new book out, “Dawn of the Code War: America’s Battle Against Russia, China and the Rising Global Cyber Threat.” I cannot recommend it more highly. If you have not already picked up a copy, we have books for sale at the registration. And with that, let me thank you all for being here and hand it over to Juan. Juan, Thank you.
ZARATE: Thank you, Sam.
Good morning, everybody, I hope everyone is doing well. First of all, Sam, I want to thank you and Cliff and FDD for hosting this conference. I want to thank you for your leadership on, in essence, pioneering this space, the space of exploring what cyber economic — cyber-enabled economic warfare actually means, how it’s playing out, how it dovetails with our concerns on cybersecurity, supply chain security and all the other issues that relate to our core national security interests. And so, Sam has really been at the forefront of this, and I want to thank her and FDD for your leadership in pioneering this — this thought — thought domain.
There’s nobody better actually to kick off this conference — this inaugural conference on CEEW, as we call it, than John Carlin. As Sam mentioned, John has just come out with his book, “Dawn of the Code War: America’s Battle Against Russia, China and Rising Global Cyber Threat.” Aside from being an incredibly insightful book, very detailed — incredibly detailed, it has probably the best title I’ve heard in a while. It’s a blend of “Planet of the Apes” meets “Star Wars.” “Dawn of the Code War.” So — but I saw it at Barnes & Noble yesterday, it looked like it was selling well, John, so congratulations.
CARLIN: Thanks, Juan.
ZARATE: As you know from John’s bio, he’s had a leading role in the law enforcement and policy space, both as chief of staff at the FBI as well as assistant attorney general for the national security division, where he really did pioneer and — and focused on cybersecurity threats, in particular from a law enforcement perspective. And the book details all of the cases and investigations that John was a critical part of and the FBI has been — and the National Security Complex, has been a part of.
John is now writer and commentator, he’s also written other — other works. I use a law review article of his in my Harvard Law School course, which talks about law enforcement and deterrence in the cyber domain. He’s also now a practitioner at Morrison and Foerster. So, we’re really lucky to have John with us talk about these issues. John, welcome.
CARLIN: Thank you, Juan.
ZARATE: Let’s start first with kind of your view of the scope and evolution of the cybersecurity problem and our vulnerabilities. You have been a part of the national security — sort of community — for a long time looking at these issues, prosecuting these cases. How do you describe the evolution in terms of the actors, the vulnerabilities, the capabilities in this space?
CARLIN: Well, you really look back and there’s been a significant change both in what the threat actors are doing and our response to it. And so when I was a prosecutor prosecuting computer hacking and intellectual property cases, a so-called “CHIP”, which is one of the worst — worst ideas that Former Director Mueller had — but the name came back when he was running the prosecutor’s office in San Francisco. I worked with an FBI squad; great squad, and we worked on the criminal side of the house. There was another squad behind a locked, secure, compartmented door and they were dealing with intelligence threats.
The whole time I was working those cases, I never knew what was happening on the other side of that door. In fact, an agent would occasionally switch squads and they just disappeared never to be seen again, we didn’t know what happened. When I went over, I ended up coordinating that program criminally nationwide for the Justice Department and still it was — the focus was on criminal actors. When I went over to the FBI to be then — now director of the FBI, Bob Mueller and relatively anonymous compared to his current role, the door opened.
And for the first time I could see what was happening on the intelligence side of the house, and amazing work had been done at starting to map the threat and we could watch — there was a JumboTron screen actually, size of a movie theater — we could watch in real time as nation-state actors, particularly China, attacked places like universities, then would hop from the university into private companies and we would see billions and billions of dollars’ worth of intellectual property, trade secrets and trade negotiation strategies flow out of the United States. It’s watching that that led the former head of the National Security Agency, Keith Alexander, to call it the largest transfer of wealth in human history.
That was focused on — on transferring wealth, making money, had an economic motive. I think what we’ve seen since then, in addition to that type of dollar-focused theft, is the growth of destructive attacks and the use of cyber — the cyber domain as a tool of coercion. One of the things you track through the book is how in the beginning, there were some amazing work done at — for incidents that looked like they might be the result of a nation-state, and there was some early nation-state activity, but often they ended up being, you know, the caricature of a teenager in the basement.
You know, they weren’t the world’s most sophisticated actor once we got to the end of the line and figured out who did it. I mean, that’s similar to, I don’t know how many of you are familiar with the so-called Mirai Botnet; this was just a year and a half ago, and what happened is, the group figured out with these new Internet of Things connected devices — so devices and billions and billions of new ones are being added to the Internet each day using the same insecure protocol that we’ve been using for years with digital communications, but now it’s our baby monitors, it’s toasters, it’s refrigerators, their default being rolled out, sold and they’re not secure by design.
And so what happened is, some young Canadians, basically kids, as a prank, really had to do with gaming, decided to create what’s called a botnet. So that’s essentially a cyber weapon of mass distraction. They release code, compromise, sometimes millions of devices and what they do is they set up one command and control node so with a single command, you can direct this army of compromised computers.
And for their purposes, which had to do with some gaming dispute, they launched this cyber weapon of mass destruction and it took down part of the Internet. It took down the — that we’re relying on now, it’s not e-commerce anymore, right, it’s commerce. So when you disrupt the backbone of the Internet, you’re affecting lives, you’re affecting commerce, you’re affecting economies. So that’s what kids can do now.
And what we’re increasingly seeing is nation-states deliberately using these tools and it’s moved from the province of the kind of war games caricature of a kid fooling around in their house, to big business for organized criminal groups and as part of a tool of power for nation-states.
ZARATE: John, it’s a little frightening the way you describe the sort of divide between the criminal and intel side, because it harkens back to the counterterrorism world and the divide, the intel wall that was so much a part of the 9/11 commission report. Talk to us about, you know, walking through that door. And you’ve mentioned sort of seeing the map. Talk to us about, what you saw the nation-state actors doing and not just doing on their own, but in combination with the organized criminal groups and hackers that they were able to enlist. I think — you’ve talked about this before, you’ve written about it. The blend of actors has been really important.
And I would just commend those watching those here, if you haven’t read the FDD reports on Russian, Chinese, North Korean and Iranian cyber-enabled economic warfare you need to, because it — all those reports — detail what those campaigns, what those capabilities look like. But from your perspective, what have those asymmetric capabilities and the blend of actors looked like?
CARLIN: Yes, so two quick threads. One, so after the — when we looked at that incredible intelligence feat mapping — when I say we could watch it happening, they had a graphic user interface. The tech guys will call it GUI. So we literally were watching them steal the — steal the information on this screen. When we looked at it, although it was an intelligent success, I think you’ll agree it did not feel like strategic success to be able to watch it flow out of the country.
So what we took from that was we need to change our strategy here, we need to figure out a way to disrupt. There was a — there was a logic to why it was staying in the intelligence lane. You know, for years there was an approach when we did espionage cases, where if we identified a foreign espionage ring inside, say, the United States, often we would let the ring continue to run while monitoring it, feeding it false intelligence. And that was because if you disrupted it, it might be harder to find what they replaced it with.
It was on a relatively small scale and so it was better to figure out what the operatives were doing here rather than disrupt and encourage them to improve the way that they were collecting information. The problem with cyber, which you touch on, Juan, is that this asymmetric threat — we were seeing on scale actual — what I will call — low intensity conflict that was causing real harm to real victims now and putting companies into bankruptcy.
And we weren’t learning a whole lot. It was too — too broad, too big. The — former Director Comey called it, like, having a drunken gorilla banging around in your house as a — as a burglar. They weren’t taking steps to hide their tradecraft. And so we needed to disrupt. When I went back to the Justice Department, we created a new initiative to do just that and it’s still very new. It was only created end of 2012, 2013, and it led to the first case of its kind, the indictment of five members of the People’s Liberation Army, a specialized unit, unit 61398.
And that unit, their day job, they put on a uniform, they went to work and we put an attachment that showed it around 9:00am the activity spiked. You’d see this activity. It hit places like Westinghouse right before they were going to do a joint venture where they stole the technical design specifications for a lead pipe so the next morning they wouldn’t have to pay to lease the pipe, or hit a solar company, stole its pricing information from its e-mail, bankrupted the solar company, and then to add insult to injury, when they filed a trade action to sue for unfair trade practices, they stole the whole legal strategy.
So that’s what the second largest military in the world was doing. And that attachment showed it started at nine, it went from nine to noon, unlike today’s conference. Apparently they don’t do the working lunch because it decreased from noon to 1:00.
Increased again from 1:00 to 6:00, decreased overnight on weekends and on Chinese holidays. So the prosecutor in me would call that circumstantial evidence, but also as — as a threat, as a national security threat, that means what company can compete if that is literally the day job of the second largest military in the world and it’s causing real damage?
That is a government problem. That is a conflict where we need to engage or we will lose. So that was the — why we brought the case. And you asked about the blended threat.
I think what we’ve seen since then increasingly — there are four major actors in the space, China, Russia, North Korea, Iran. Particularly — so with China, we’re seeing the so-called blended threat where state actors on the side, to make a buck, are using state tools to commit crimes for their own purposes. One thing that’s trending not just from China but from Iran and from North Korea, are sophisticated what look like so-called advanced persistent threats.
So it has the tactics, the techniques, the procedures of a nation-state entering companies. I have clients like this all over the United States and they say oh my gosh, we’ve been hit by China or looks like North Korea, what are we going to do, they’re getting the world’s best forensic experts to help them and it turns out they’ve hacked in just to get the free bandwidth so they can mine digital currency. Mining digital currency, you get paid a small amount and the idea is it costs a lot of electricity, essentially, to maintain the bandwidth so that you ultimately — you don’t really make a lot of money from mining.
But if you hack and use somebody else’s bandwidth, you can make a buck. That is not part of China’s strategy. It may be North Korea’s because they’re trying to raise money due to sanctions, so like ransomware, it may actually be for a state aim. With China, Russia, Iran, who also are doing that same type of activity, they’re using these increasingly available tools of statecraft, these same weapons, just to make a buck. So that’s one version of the blended threat.
Another version of the blended threat, though, is — is — what’s shown in the Yahoo! case. So here’s a case where Russian — we tried to get Russian cooperation. We had a top 10 most wanted by the FBI credit card hacker. So someone that goes around, steals numbers and then uses the dark web — so that portion of the internet that is not indexed — to sell what they have stolen for a buck. And it’s a very sophisticated market.
If you go to the right place today on the dark web, it looks like Amazon. And when I say it looks like Amazon, I mean you go on and you say I want to buy stolen credit cards and there’s a bunch of vendors who sell the stolen vendor — credit cards and they have customer reviews, including a five star system.
ZARATE: It’s a Yelp for the dark web.
CARLIN: It’s a Yelp for the dark web. So they have — literally it’ll be like five stars, I’ve bought from this crook before, a large percentage of their stolen credit cards work. Great review. And then what I love are the ones that are one star, this crook is not trustworthy. Like, what did you expect?
But anyway — so they go on and sell this type of information. And so we said, OK, this isn’t statecraft, let’s get Russian cooperation the way we have with child pornography in the past and other issues that — where law enforcement can cooperate no matter how many different disputes you’re having in other areas.
In this area, though, what they did — and this is laid out in the indictment Justice Department later brought — they didn’t help. Not only did they not help, they signed him up as an intelligence asset. So then they said keep stealing but also we’re going to task you sometimes to steal things that are for the benefit of Russia. So that — that is another version of the blended threat. And the third version is, I think the increasing organized crime problem right now, is increasingly a Russia problem.
Russia is a rogue actor when it comes to cyberspace. And this is true in terms of unleashing indiscriminate tools of destruction, like NotPetya, a ransom worm — so a worm that self-propagates to lock up computers and servers inside companies in order — ostensibly that if you pay a certain amount you can free it. Although with NotPetya, it seemed like there was no way to pay to unlock your goods. This is something that hit all across the world, it caused a global shipping company to lose over $500 million, it caused FedEx to lose $300 million of damages, and that’s just two companies.
ZARATE: And the health sector in the U.K. was affected.
CARLIN: Health sector in the U.K.
CARLIN: This is similar to WannaCry, a North Korean…
ZARATE: WannaCry, yeah.
CARLIN: … version that had happened earlier, that escaped. So you have that type of activity. And then you have, if you look at some of the best cases the department has brought recently, you know, cases that you kind of can’t believe the details but it’s important to share them.
Like indicting a criminal conspiracy that stole billions of dollars of goods whose name was, In Fraud We Trust. That was the motto of the group.
And so it was like a — a kingpin of criminal group where all the best fraudsters had a place where they could share information, work together. Which is what we need to start doing with our foreign partners.
When you do those takedowns, you see great international cooperation and then you see a no-go zone with Russia. So they are just not cooperating at all.
And as long as these actors don’t hit Russian targets, cooperate with tasking, they’re providing cover for them. And that’s not going to change until we take concerted action.
ZARATE: Right. That’s fantastic, the way you described that. It’s not fantastic that it’s happening, it’s fantastic the way you’ve diagnosed it.
John, how do you — how do you think about this concept of cyber-enabled economic warfare? I mean, you’ve — you’ve described some elements of it already.
You know, there are dimensions of this that — that involve a tax on the financial system. Jamie Dimon recently talked about cyber-security being the fundamental challenge to the integrity of the financial system.
You have the types of attacks that you’ve described, which are attempts to gather information, undermine, you know, companies, takeover markets.
There is, in the maximalist version — and this is something Sam has pioneered, this idea of weakening an economy to actually undermine political and military power.
How do you see this domain of cyber-enabled economic warfare, and what are some examples of it that people can think about, get their hands and — and minds around it?
CARLIN: Yeah. One of the reasons — so we talked a little bit about how it used to be in the shadows, and we weren’t applying the core lesson of September 11th, right?
Which was, we need to share information across the law enforcement and intelligence divide, and work at — at scale and speed within and between governments so that we can disrupt attackers who want to attack the American way of life. We’ve started to apply that now in cyber.
But what makes the cyber threat different, right, is that that’s not sufficient. So that was necessary. But then the next part, which is really a new problem for government to tackle, is that the infrastructure is in private hands. You know, over 90 — well over 90 percent of the infrastructure is in private hands.
Which means if we’re going to effectively combat this threat, we need to call it for what it is – I named it dawn of the code war — that we’re in a low-intensity conflict that includes nation-states, and we need to start figuring out ways to — to share information at speed and scale across the government-private sector divide.
That means figuring out ways to incentivize private companies to share information with the right authorities in law enforcement and intelligence. And it means figuring out ways to change the way we were all trained, so that our default is to share information that — that, right now, still, I think, overwhelmingly gets marked either “sensitive” or “classified” so we don’t default-share it back to — to show what the threat is.
Now, we’ve made great progress. And one thing in the book is, just to make public and share what we have already done through great work by law enforcement agents, by FBI, by intelligence analysts, and made public.
Put it together, and you start seeing that this isn’t a science fiction or threat of the future, which I was finding when I talked to boards or CEOs. A lot of this has already happened, we just are not sharing what has already occurred.
So in terms of the — the threat of cyber-enabled warfare — economic warfare — we’ve had it. So Iran was using, as a tool of government power, they used two affiliates of the Iranian Revolutionary Guard Corps to attack our financial sector with distributed denial of service attacks.
So it’s that same concept of botnets, hundreds of thousands of compromised computers given a single command. And what they did is, they attack the weak point on the financial sector. Not where they’re spending lots of money, protecting how transfers are effectuated.
But instead, the outward-facing websites that consumers use. And they bombarded them with these requests for information. They did so at times of diplomatic churn. And while we had sanctions in effect, and before a compromise had been reached or a deal had been reached. And it affected hundreds of thousands of customers, and cost tens of millions of dollars to the financial sector.
We showed that that same group — and I believe this is also an arm of economic-enabled warfare — showed that they had been able to hack into the sluice control systems of the Bowman Dam in Rye, New York. So that meant they’d be able to lift up the sluice gates and flood the surrounding areas.
And we had talked for years, that this was a threat. But no case had been made public before, that — that someone had actually done it.
Now as it happened, the Bowman Dam wasn’t working. It was down for physical maintenance. But I think you’ll agree, like our — our principal response should not be crumbling infrastructure as a defense against cyber — cyber-attack.
ZARATE: That’s one form of cyber-defense.
CARLIN: It’s one form of cyber. You don’t see — just to segue slightly, but it is actually true, when you’re thinking through — I mean, partly what we did, is we, over a 25-, 30-year period, we moved almost everything we value, from papers and books to digital, and then we connected it through a protocol. And we go through the history of the internet, including interviewing the founders, it was never designed for security in mind. It was designed for communications.
And we did so systematically, in government and the private sector. We did that without properly calculating what the risks were.
Some of those decisions might remain the same. Many would not, if we actually thought, “Hey, what would a terrorist, what would a nation-state, what would a crook do to disrupt this activity?” And now we’re all playing catch-up.
One of the answers is… use old stuff. You know, the Russian attack on the Ukrainian power grid was not as effective as they thought it would be, and as it might be, here in the United States, because they had only recently upgraded their technology so they actually knew how to operate, still, the electric grid manually.
Now, we’re moving to places where that’s no longer the case. Maybe we shouldn’t. And the same thing happened to our electoral system, right?
What was the solution to this great sophisticated 21st century nation-state attack of potentially disrupting our elections? Paper ballots. You know.
So they may be lower-cost solutions…
ZARATE: Floppy disks for the nuclear program, yeah.
CARLIN: Only take it so far.
ZARATE: And are you — just to take the Iran example, are you worried that Iran will dust off that playbook again, given that sanctions have been ramped up? Do you think Iran is poised to attack, perhaps in more sophisticated ways?
CARLIN: Yes. I mean, I think it’s something that we need to take — there has been an increase, it looks like, in Iranian activity over the last year, year and a half.
There was a great case that laid this out, that didn’t get a lot of attention, I think, because of so many things — other things that are going on, that showed Iranian activity across this swathe of U.S. industry that the Justice Department brought, based on FBI investigation.
I don’t know why right now. And so be it, people are theorizing as to why you’ve seen the activity, what are they doing with the information that they’ve been taking.
You have this diplomatic play right now, where Iran’s working effectively with Europe to try to evade sanctions. If that fails, then I can definitely see an increase in disruptive attacks, and something we need to start preparing for now.
North Korea is already quite active. And what they’re doing is, in some cases, less to send a political message and more as a way to evade sanctions. They’re committing ransomware on a regular basis, so they’re attacking private companies and collecting ransoms just like crooks are doing. They’ve committed a nearly $100 million bank heist, that also has been laid out in a public indictment, taking advantage of the SWIFT system and would have been $1 billion but for a small actual mistake that allowed it to be uncovered. So they’re…
ZARATE: So it was the Bank of Bangladesh case…
CARLIN: … Yes.
ZARATE: … that people have heard about?
CARLIN: Yes. And then WannaCry itself looks like it — it’s unclear to me whether that could have ever raised money, or whether that was a tool that escaped from them that they were going to use to try to coerce, or whether it was a money — a money-raising tool.
And we’ve already seen them use cyber as a political tool, again, with this low-intensity conflict concept when it came to not liking the First Amendment, or the right of free speech, when North Korea attacked Sony Motion Pictures because they didn’t like a movie they were going to make. It’s the only time in my career I’ve had to brief the President of the United States in the Situation Room and start with giving a plot summary of The Interview.
ZARATE: Did you play a clip?
CARLIN: We played a little clip — I don’t know how many of you have seen it but it — it — it’s not an easy movie to summarize because it doesn’t make a whole lot of sense. And we war gamed for years, what would it look like if a rogue nuclear-armed nation attacks the United States through cyber means. We got that one wrong in terms of what the first attack would look like, but that was an attack.
I mean make no mistake — on a value, right? The same way the Russians are undermining confidence in our electoral and democratic system, and view democracy as an existential threat, which fuels their strategy in Germany, and then similar attacks in France and elsewhere.
North Korea was saying, hey, we can sit from North Korea and influence the decisions of moviemakers in the U.S. so they don’t produce content…
CARLIN: … that we don’t like. That is a form of warfare. It’s using coercion to change the way we behave.
ZARATE: Yeah. An asymmetric attack on our soft power, right?
ZARATE: That’s right. John, help us to, sort of, think about, sort of China and the threat from China. You know, China is a major economy, you know, soon to be the largest economy in the world, a major military power to — to your point earlier, major cyber capabilities. They’re doing lots of nefarious things.
They also do a lot of things under the guise of just being a part of the international community. They’re trying to grow their economy at a certain rate every year to meet the needs of their people. They are trying to make technological advances, the China 2025 plan. They’re now talking about greater self-sufficiency in the wake of the trade battles with the United States.
How should we think about Chinese behavior and especially in the cyber-enabled economic domain? How do you diagnose this, because I think it’s hard for people to kind of get their hands around understanding Chinese behavior?
CARLIN: Yes, it’s so — it’s — and I know it can sound somewhat pessimistic when you describe where we are and the current threat. And I think that’s a necessary bell to ring because we — this is the area in which we move furthest, fastest, and we are more vulnerable than other countries and it needs to be addressed.
I’m optimistic in some ways with — with China and Chinese behavior because, at the end of the day, it’s a cost-benefit strategy for them and it’s a cost-benefit strategy that can be measured in dollars and cents. And so, what it is going to require, and sooner rather than later, is a concerted effort to raise the cost, and raise the churn and raise the diplomatic tension over a targeted type of conduct, to say it is not OK to steal intellectual property or trade secrets.
Your better — your strategy is better effectuated by investing in research and development. And it seems like, you know, ultimately they don’t — unlike some regimes, North Korea or possibly Iran, Russia — they don’t want to blow up the current international world order. They wanted — they want to succeed within it, so there may be an incentive.
And we saw this a little bit because after the indictment of the People’s Liberation Army members. And then, there’s a case that I go through in the book that got less attention at the time, but I believe China was tracking carefully, and that’s the case of Su Bin. So there was a lot of discussion. Is this name and shame? You’ve indicted these officers. Unlikely China is going to extradite members of its — of an elite military unit, so why are you doing this?
And we said, you know, this is — these are real charges, if we catch people there will be criminal consequences. There was an individual named Su Bin, who had stolen economic — committed economic espionage in a conspiracy against Boeing and other companies, who was arrested pursuant to U.S. process in Canada. They knew he was under arrest, they wanted to get him out, they weren’t successful, he was brought here and he did serve — he was incarcerated.
So there was that case, and then President Obama signed a new executive order that — for the first time, thanks to the Juan Zarate approach built in terrorism, but if we applied that same approach of allowing individuals to be sanctioned, not just those who stole information through cyber-enabled means but the companies or individuals that benefited from the stolen information, and there was a lot of reporting that the Obama Administration was about to use that new sanctions authority.
So, I think it was that combination that led President Xi in a breakthrough to say we agree with the concept. You shouldn’t use the military and intelligence to target private companies for the benefit of their economic competitors. And the talking to the third-party groups, the CrowdStrikes, Mandiants — you’re going to hear from CrowdStrike later today — and along with government analysis we saw a decrease in change in the behavior. Now, it was very narrow. It — it fit exactly in that bucket and it only was companies when they were headquartered in the U.S.
We are now seeing that they are moving away, according to analysts, from that agreement during a period where there’s a lot of trade churn. I think it shows, though, if you can — you can change the behavior, but it takes continual raising of the costs. And you have to do it as part of a strategy that includes not just use of criminal indictments, but use of Treasury Department sanctions, the Commerce Department authority to designate certain entities as those with whom if you do business is contrary to the national security interests of the United States, so you — they can no longer rely on our supply chain.
Diplomacy, so that it’s top of the president’s talking — the Commander in Chief’s talking points every time they meet with their counterpart, all the way down our system and — and you need an off ramp. You need an exit strategy that says if you stop the activity and it’s measurable, then we will stop escalating the costs so there’s a — they can change the cost-benefit analysis.
And I think that is the drive behind the recent announcement by the attorney general of the United — the former attorney general of the United States — two weeks ago. But that — I just interviewed the — the lead person in charge, who is my successor. John Demers is the assistant attorney general for national security. They said, even though there’s a switch of attorney general that approach will continue, that says that the Justice Department is going to continue that all-tools approach.
ZARATE: And the Justice Department, thanks to your leadership, innovated this use of indictments to get more information out, to attribute these kinds of attacks. And so, you’ve seen indictments of Chinese officials, Russians, certainly the Mueller investigation, Iranians as well. So I want to — I want to make sure to credit you John appropriately because you — you really did innovate this idea of indictments as forms of attribution as well as a — as part of a deterrent policy.
Let me ask you two — two more questions quickly, because we’re running out of time.
You talked about the private sector, the private sector uniquely targeted and affected, especially in this domain. What more can the private sector do or demand, especially of the U.S. government?
CARLIN: So I think the private sector should demand action in this space with the concept that there was a — there was a time I think where people were hesitant on action because they saw more opportunities for business in place — places like China than they saw risk.
But as we’re seeing in sector after sector, if you allow the military and intelligence services to be directed against you, you’re not going to win that fight, and the 2025 plan does not involve U.S. business success in China.
So you need government help to change that — to change that calculus. And then we have to do a better job — you know, when I talk to private sector, understandably there’s a lot of confusion that they’re going to be regulatorily punished or civil action if they go tell people about the threats.
So the current cost-benefit analysis inside our own C-suites is often let’s not tell someone about a threat, or it’s so privacy-focused, which is important, but at the end of the day, I don’t know about you, but as a consumer, I’ve been told my information has been stolen something like 15 times.
My daughter’s first, you know, mail addressed to her by name was a notice that her identity had been stolen and she was a baby because she was in my OPM — Office of Personnel Management — forms. We can’t do a lot with that information as consumers.
We need to encourage the conversation to be with the right parts of government that could take action.
ZARATE: Yeah, and there may be a need for more collective action within the private sector within particular sectors.
ZARATE: You’ve seen this, for example, in the banking sector. Last question, I know our time’s up but I — I have to ask this question because in John’s book he talks about the failure of imagination. Part of it is just not realizing where the threats are coming from, how the vulnerabilities manifest.
What’s — what’s your concern about what we’re failing to imagine at this point?
CARLIN: Yeah, if there could be one call — call to action today, it’s read science fiction and look at the world that they depict. You look at so many of the threats that we face, they all were — from the word cyber itself, which comes from a — a William Gibson book, “Neuromancer,” to many of the threats we’re facing, they’ve been articulated in our movies and in our books.
The Internet of Things — so the — we are moving forward at rapid speed without doing that same risk calculus that we did with the books and papers to digital form. So we have already put pacemakers into people’s hearts that were not encrypted so an 11-year-old can hack and kill and then realize hey that’s a problem so they’ve rolled out a patch.
Now I don’t know how many of you have had some glitches with your Windows system — that’s one thing when it’s happening with your, you know, computer at work, it’s another thing when it’s the pacemaker in your heart or the cars on our road where we had a similar recall of 1.4 million Jeeps because we realized that you could hack from the entertainment system, hop over to the brake and steering system and take over the car, and it also happened with drones in the skies.
We’re at an inflection point, because we are moving in that direction. So we need now congressional action, we need action by companies to incentivize security by design on the front end before we move into that world where everything we have is connected and still using an insecure medium.
There is time to do that, but we need to act now.
ZARATE: Fantastic. John Carlin, author of “Dawn of the Code War,” great opening to the conference. Thank you John for your time and your work.
CARLIN: Thank you.
ZARATE: That was great.
CARLIN: Thank you.
RAVICH: Thank you John and — and Juan, that was really fascinating.
CEEW Threats from Russia and China
Dr. Samantha F. Ravich, Principal Investigator, FDD’s project on Cyber-Enabled Economic Warfare; Vice Chair, President’s Intelligence Advisory Board
Daniel Hoffman, former Chief of Station, Central Intelligence Agency
Dr. Larry M. Wortzel, Commissioner, U.S.-China Economic and Security Review Commission of the U.S. Congress
Michelle Van Cleave, former National Counterintelligence Executive
RAVICH: I — I encourage the folks that are standing in the back, you know, come up, sit — sit, have a seat. You know, I was particularly struck by how John was talking about how to map the threat and how to deduce what the adversary’s doing strategically from what we’re seeing and what they’re doing and how they’re doing it.
And it is leading to a very robust conversation that is happening I think throughout the national security ecosphere on deterrence versus things like persistence and how it will vary depending on the adversary that we’re dealing with.
And, you know, building on these themes, let me welcome our next discussion focused — focused on cyber-enabled economic warfare threats from Russia and China. Because when you look at the top — these top cyber powers, these nations, China and Russia, kind of lead the bad guy side of the ledger.
And to lead the conversation on the scope of the threat and what the U.S. needs to do about it, let me introduce Michelle Van Cleave, who will moderate our panel and introduce the other speakers. Michelle’s full bio, as well as those of the rest of the panelists is in your program booklet.
But let me just highlight Michelle’s service as National Counterintelligence Executive, which she held the position a few years back and the insight she brings about the ways that cyber technology has exponentially enhanced the espionage capability of our adversaries.
Michelle, thank you and — and over to you.
VAN CLEAVE: Thank you Samantha. So do I — can I do that from here? I don’t have to get over to the podium, do I? Excellent, thank you. So hello everyone, and I think that the first presentation this morning made a good stage — stage setter for the conversation this panel is going to have.
I have to begin by saying however that I am currently with the Jack Kemp Foundation, and Jack was my first boss in Washington, D.C., long ago in the early ’80s, and I’ve been close to him and his family over the years and I know from that experience that — if I’m not mistaken, tell me Samantha, that Jack was one of the founding forces behind the creation of the Foundation for the Defense of Democracy.
So I’m especially pleased to have the opportunity to be here to see your good work being carried forward, I know he would be so pleased. This panel is comprised of a — a number of very interesting people that bring different perspectives to the panel.
As you know, your — you can find their bios, but if I could very briefly, from the left, Dan Hoffman served for 30 years in United States government and served in several high-level positions in CIA, including Senior Executive Clandestine Service Officer and Station Chief I suppose more than once — we’ll need to talk about that.
Ed Wilson — Major General Wilson is the Deputy Assistant Secretary of Defense for Cyber Policy, where he helps formulate the policies and strategies to improve the Defense Department’s ability to operate in cyberspace, so we’re glad you’re here, Ed.
And last but not least is Dr. Larry Wortzel, who is an eight-term Commissioner of the U.S.-China Economic and Security Review Commission, so a broad reach of talent on this panel so let’s get into it.
I — I think it would be good to start by looking at a broad strategic perspective of how a cyber-enabled economic warfare plans and activities support the advance of strategic objectives, policy objectives of China, Russia, and what the U.S. strategy or policy has been needs to be in response. So if we can start as sort of that — something of a 30,000-foot level, Larry. So how do these activities fit in with China’s general strategy and policy toward the U.S.?
WORTZEL: If I could, I’d like to start with the most recent arrest and indictment of Xu Yanjun, who managed to penetrate a number of aviation companies with a whole network of people. The past panel discussed a little bit of it.
But I want to focus on turbine fan blade, and turbine jet engine technology. We lead on that. We — we lead the world on that. And I’ve been watching China for far too long, but they are terrible at it, and they always have been.
I mean, they tried to crack the technology with G.E. wind turbine engines. And I visited their factory, talked to a bunch of the engineers. And they just could not manage the metallurgy and the quality control.
So here we’re leading the world in the engines that power our bombers, our combat aircraft, our civil aviation. And the Chinese can’t make it. That leaves them with a one-time use army.
So their intent may not have been to cripple the United States, but what they did — well, with that sort of a penetration, was potentially leap themselves forward, and change their air force from an air force that could be used once, and then they had to go back to the Russians and beg for more engines. And that’s going to take some time to, potentially, being able to put out a military, and an air force, and a naval air force that can reconstitute itself in a war.
And at the same time, my — my greatest fear is that we — if they are able to navigate a network that well and in so many companies, we really don’t know what they injected into the network. So you’re really talking about cyber-enabled economic warfare.
VAN CLEAVE: So in addition to that, there’s a rather active Chinese exploitation of cyber networks for the acquisition of — of information. And I’ve got say the — the espionage piece of this obviously interests me quite a bit. I — and — and there’s something about it that, genuinely, puzzles me that I would like to get your response to.
I — I think, you know, certainly, the attack on OPM…
VAN CLEAVE: … and the — and the exfiltration of 11 million personnel files and — and records of all of the intimate details that that — and anybody — of us who’s had a security clearance are well aware of all the very private information that is — that is posted in there about your family, your health, your finances, the people you know, the places where you got all of these things.
So the — those personnel files, and the personnel files that they lifted out of contract as doing background support, those things I understand well — and Dan could tell us — I understand well the value of that kind of insight for potential recruitment, and human espionage that is — is very — very obvious, the value of that.
But I’ll tell you what I don’t understand. There are all of these attacks on — on health records, on credit card records, you know, on the — the Ashley Madison type of stuff who have nefarious people engaging in things they probably wish their family didn’t know about.
It — it kind of looks as though that they may be building files on individual Americans with — with this kind of Social Security information, and all of the things that they’re reaping, what’s the endgame here?
WORTZEL: Well, I think the endgame is being able to know who to target, know who is traveling where, identify our own clandestine service officers that may travel to meet their people. And — and a lot of these cyber penetrations initially became — began with, either, phishing attacks, or actual recruitments, or handing somebody a flash drive. So — so it allows them to do an awful lot of things.
And they — they really keep great records. I mean, the Russians do too. I — I — I was in Singapore with five GRU and KGB fellas who ended up in China with me. And they — they remembered my wife — this was 1982 — really enjoying lemon vodka.
I ran into their station chief in Japan in 2003. We had dinner. He saw me to the airport and handed me a half gallon of lemon vodka for my wife. So the records are good.
VAN CLEAVE: Nice. Well, that’s a good segue, maybe, to Russia. Could you — Dan, do you want to speak about that a little bit? I mean what is the perspective…
VAN CLEAVE: … and the differences that — that we see with the — the main avenues of approach that the Russians have, given their strategic interests and their objectives?
HOFFMAN: So just one comment on China, just what we see from Russia and China, a very symbiotic relationship between cyber and HUMINT, cyber-enabling human operations. When you — when you steal people’s health records, you know vulnerabilities. You know if people need help with one or another medical condition.
And then there’s HUMINT-enabled cyber where the Chinese and the Russians in particular but not exclusively those two nation states, might seek to recruit individuals with access to private industry or a government cyber infrastructure, and use that to their advantage.
As far as Russia is concerned, look, we’re under siege from massive Russian cyber attacks while they impose cyber sovereignty on their own people to deny them the freedom of expression which would threaten Vladimir Putin’s regime security, which is all that matters to him.
They’re seeking to penetrate our cyberspace. And — and they do it in a multitude of ways. They’ll conduct traditional espionage operations which are the ones that none of us will see because they’re run by Russia’s intelligence officers, their Foreign Intelligence Service, the SVR and the GRU. Less so, they’re the ones that kind of bungle things. If you read the Bellingcat report, their tradecraft isn’t always up to par.
And then, they’re running what I like to call discoverable influence operations. Vladimir Putin served in East Germany supporting illegals, so I like to use the Hansel and Gretel metaphor. He’s leaving a lot of bread crumbs with a Kremlin return address and what he’s doing to us by buying ads in Facebook with rubles, and a Kremlin return address back to the Internet Research Agency.
He does those things because he knows the best way to soil our democracy is to intertwine it in some conspiratorial fashion with the Kremlin. It doesn’t mean that he’s not doing things that are non-discoverable in cyberspace, for sure he is.
But he’s run a series of these operations against us with that in mind. And then, lastly, what I would say is Russians are seeking to make us pay a price just like the Chinese for doing business in Russia. So they demand that if you do business in Russia you turn over your source code.
And banks and other elements in the private sector, I think, really struggle with those requirements imposed upon them by Russia’s FSB. And that’s with only one thing in mind, which is to penetrate our — the Russians don’t draw a distinction between our private sector and the public sector. For them it’s all one big, giant target. That’s why you see them targeting energy infrastructure, our electrical grid and other things.
VAN CLEAVE: So could you elaborate on that a little bit. I mean the Dragonfly 2.0 attack on the energy infrastructure seems especially startling?
HOFFMAN: Yes, so…
VAN CLEAVE: Can you speak to what you think is going on there.
HOFFMAN: … if you look back at Russian history over the past 10 years, start with the massive DDoS attack against Estonia, and then the first ever hybrid war against Georgia, which the Russian Army Chief of Staff Valery Vasilyevich Gerasimov wrote about in a military journal, 2013. This is concurrently fighting on land, air, sea, maybe even space, and then in cyberspace concurrently. And so it’s war fighting, and that’s why the GRU were the ones responsible for hacking into our social networking and media sites. It’s also why they’re seeking to probe our infrastructure. And they’ll do it in a way often to show that — that — to show us that they’re capable of doing it, as a measure, I think of deterrence, so that if we target them, we’ve talked — this administration has indicated that they’re interested in mounting offensive cyber operations at the point of attack to damage the Russian entities that are targeting us. The Russians want to show us that they can get us as well.
We’re in a — in an arms race with Russia. It’s not just intermediate range ballistic missiles with a nuclear warhead; it’s all about cyberspace as well.
VAN CLEAVE: So I think that’s a good setup, Ed, to turn to you. I was struck with the issuance of the national cyber strategy earlier this year with this passage in which it raised a purely technocratic approach to cyberspace as insufficient to address the nature of the new problems we confront. The United States must also have policy choices to impose costs if it hopes to deter malicious cyber actors and prevent further escalation.
Can you elaborate on what that is all about?
WILSON: So, first, Michelle, thanks for hosting us and really, for the FDD organization in setting this up. A great opportunity to really have a good discussion here.
I think maybe backup just a second and look at the strategy, the national cyber strategy, and just to put it in context, and then maybe I’ll speak — what I’d like to speak to the national security implications of that.
So, when it comes to the economy, I mean, clearly this nation — and it’s articulated in our national cyber strategy — it’s the prosperity of citizens and our way of life, as well as our allies and partners. I mean, that’s one of the key components of the national cyber strategy.
And to preserve that and to secure that, we want to use all the power of the — the tools of power for the nation, along with our like-minded nations and our allies and partners.
And so, we do reserve the right when required, to step in, whether that’s cyber-effects operations, or sanctions, or all of the tools of the nation.
When you look at the Department of Defense’s perspective on this, what we’ve seen is two revisionist powers, in the form of China and Russia, really beginning to — those are our pacing threats in the way that we think about the national security landscape.
And each country uses a suite of tools with, but they’re operating, from our perspective, below the traditional thresholds that we would typically respond with traditional military power.
So what do we mean by that? That’s theft of intellectual property. That’s malign influence, potentially in elections, or just in society at large, drive divisions across different segments of society, whether that’s here in the United States, as Dan highlighted, in Georgia. We’ve seen it in Europe, Estonia, as other countries. This isn’t — we’re not the first country that’s been targeted by Russia.
When you look at China, it’s more of a manipulation in terms of economic tools of power, if you will, to seek to gain strategic advantage. And so the department has leaned forward in support of the national cyber strategy, and we’re really looking at all of the mechanisms that we can bring to bear, and the Department of Defense has some unique capabilities. We are typically externally focused, threat focused. That’s our job in the Department of Defense. And so we align ourselves to those threats and bring to bear capabilities. That may be within cyberspace, but we also operate, as Dan highlighted, in you know, land, air, sea, space and cyberspace. And so we’re beginning to normalize our operations and the actions that we would be able to take within cyberspace.
Is it the only solution, cyber-effects operation, whether defensive or offensive? By no means. We want to make sure that that’s in concert with all of the other elements of power from the nation.
VAN CLEAVE: So a part of this is a defend-forward strategy?
WILSON: Exactly. And so from a Department of Defense perspective, our uniqueness is that we understand the threat externally, and that we bring to bear a unique set of capabilities and what we describe as defend-forward. So we need to be able to see and understand the threats that are forming against the nation from a national security perspective. In doing that, we are able to identify threats, no matter what threat that is, and then to be able to work as a whole of government to counter that threat.
It may be a Department of Defense solution, but in many cases, and I would point maybe to recent efforts underway with election security, where we have unique arrangements in place now with the Department of Homeland Security, where we share information, intelligence about particular threats so that we can make their defenses more robust. Does that mean that the Department of Defense is taking any aggressive action? By no means, but we think the insights that we have gained alongside the intelligence community, the defense community, and share that with our other interagency partners, departments and agencies. And that’s been very effective, in terms of raising the bar associated with the homeland’s defense.
VAN CLEAVE: So, I — I was reading the Defense Science Board report from last year, and I’ve had the opportunity to serve with them in various capacities over the year, and this conclusion is — is troubling with implications. I wonder if you would discuss it. They say, “The unfortunate reality is that for at least the next decade, the offensive cyber capabilities of our most capable adversaries are likely to far exceed our ability to defend our key critical infrastructures.” Now looking at the infrastructure defense piece of that. How do we — how do we deal with that? What is the — what is the — what is the approach?
WILSON: Right. So we — in concert with the national cyber strategy being issued, the department issued the updated DOD cyber strategy, and we deal with that concern. It’s really deterrence in cyberspace. A lot of people use the term “cyber deterrence,” but I beg to differ. I think there’s strategic deterrence that’s underway, and we use cyber-effects operations, alongside all of the other tools of power for the nation to be able to choose some deterrent.
And so there’s really two components. Traditional deterrence at play would be, one, deny the benefits to the best of our ability, and I think that’s where the Defense Science Board had it right is, that’s a very difficult proposition in today’s society, as the threats have increased dramatically.
VAN CLEAVE: And different if you are speaking about China or Russia I assume… the deterrence approach is adversary dependent.
WILSON: Any nation-state that is wielding these types of capabilities, but clearly the most potent threats are emanating from, you know, the more mature threats, Russia, China being examples.
So we want to deny benefit, and so that’s what you see with regards to the department assisting and partnering with other departments and agencies, to information sharing, bringing to bear unique expertise that we might be able to bolster their defenses and working with industry and partners through the ISACs, et cetera, to be able to do that. And so we’re beginning to work through a series of pathfinders and pilot projects to take that — that burden on, to be able to assist in a more effective manner.
The other is, is to be able to impose or increase cost on an adversary. So the risk, the decision calculus becomes more complex.
And so increasing costs, that is standing up and being able to have — at-bear, you know, when directed by the President or the Secretary, to be able to deliver effects operations when required.
And so it’s really hand-in-glove. It’s both. And it’s not only cyber effects operations, it’s alongside the other tools of power, sanctions.
The attribution you see, very — we’ve been very — as Larry highlighted here just recently, attributing and indictments. You know, attributing actors, designating specific organizations, indictments, trade sanctions, et cetera. And then in tandem with that, if required cyber effects operations.
So it’s not only about cyber-on-cyber.
VAN CLEAVE: Did you want to jump in and…
WORTZEL: I — I really did. I mean, this is — there’s an old debate. Vice Admiral Arthur Cebrowski in 1999 raised the issue of offensive operations versus defensive operations in cyber.
We’ve been debating it. I — there’s Harvard Law School articles. But — but let’s look at some of the major exfiltrations of U.S. data that improved Chinese capabilities. Lockheed Martin, G.E., Northrop Grumman.
Now, Northrop Grumman, I don’t think the government’s the answer to this, frankly. Northrop Grumman, for our China Commission, published the first name-and-shame report on the cyber unit for the PLA in Shanghai.
And then — you know, I’m glad the government followed up. Finally, the government decided, “Well, maybe that’s a good idea. Let’s expose it.”
I’m more interested in pursuing Cebrowski’s idea of defense. I mean, think of the — the concept of a castle defense law that applies to cyber.
Lockheed Martin, G.E. and Northrop are quite capable of putting together an offensive cyber effort. They don’t need the government, and the government’s not going to be able to cover them.
These companies — I mean, there’s a lot of legal arguments against doing it — could deploy their own honey networks to figure out who’s trying to penetrate.
And could put out honey pots in those networks that are full of malicious data, as — it could ruin their — what — they think they’re getting something great, it’ll ruin their engines. They’ll blow up. They could put in malicious information that’ll put down a computer system.
It — it’s kind of a dog-eat-dog world. And I just don’t think the government’s got the assets to protect these big private actors. The government and homeland security, in my opinion, can help small businesses and people. But banks and the Northrops, that really affect the U.S. economy and warfare, are quite capable of doing it themselves.
VAN CLEAVE: So that sort of leads me to ask, is this one of the things you consider to be the — among the greatest dangers, I guess? That’s really the next question to all of you. Where — what are the areas where you think are a genuinely dangerous for the future?
HOFFMAN: I’ll just add one other point. But first, I want to — I agree with you 100 percent. It’s about — in the private sector, it’s about hardening your own — your own facilities, your own installations.
And a cyber-attack isn’t a lot different from a — a terrorist attack. There’s surveillance that’s conducted before the attack, and that’s where you need to detect who’s out there targeting you, and then seek to learn who that — who that — where that threat actually came from.
And we’ve talked a lot about state actors. What also concerns me are the cyber capabilities of non-state actors, terrorists in particular who might seek to target our critical infrastructure…
VAN CLEAVE: The only reason we haven’t gone into that, because our host asked us to just talk about China and Russia.
HOFFMAN: Got it, I’ll stay away from the terrorists, then. Even though it just occurred to me. But I’ll tell you that the challenge on Russia is that the lines are often blurred there.
The Russians use criminal hackers and — to accomplish their mission, often. And those hackers could also be doing the mission of others as well, and that, I would just — I have to say, that’s of great concern to me. It’s a little bit off the tangent of Russia, but I have to highlight that.
VAN CLEAVE: What else?
WORTZEL: Well, for China, I mean, if you — actually FDD’s own publication on China mentions Dai Qingmin, who wrote the Chinese doctrine on integrated network electronic warfare, which follows old Soviet radio-electric combat. Combination of cyber strikes, electronic warfare, penetrations and precision fires.
But other Chinese authors — military authors since then have advocated attacking through cyber, ports of embarkation in the United States. Going into our NIPRNet, our non-classified military networks that would deliver logistics.
If you did that, you could knock out the shipping of spare parts out into — well, let’s assume Asia, anywhere. You could slow down and misdirect airplanes, thinking they’re going to refuel in one place and send the refuelers someplace else. You could shut down trains, you could shut down ports.
That’s what scares me.
VAN CLEAVE: So, Ed, you have a good big portfolio, figuring out how to deal with all of these things. What is it from your perspective, that most concerns you? The hardest nut problems.
WILSON: So just to put it into context, I think when we step back and look from a historical perspective, we see a lot of the same behaviors from the key nation-state actors of Russia, China in particular. But I think the challenge that we have right now, fundamentally, is the pace, the sophistication, the proliferation of these threats.
This domain behaves differently. It’s a man-made domain. And it’s those — these — these threats accelerate. That’s one of our key challenges.
And so as large as the Department of Defense, really the nation, these threats present unique challenges. And I don’t believe we’ve seen in history to the degree we have over the last decade or so.
Does that mean that we throw in the towel and — of course not. And so clearly, I think there needs to be a public-private partnership. We’re actually — have begun to look very, very keenly at our partnership with the Defense industrial base in particular.
We’ve done that in the past. We’ve actually brought to bear, a task force to begin to address some of the key findings that we’ve been seeing, based on behavior over the last few years.
It — it’s coming to — it’s coming, really, to a culminating point. And so we’re beginning to take different types of actions, looking at contracting language, in other words, to qualify to compete, those types of activities.
Our acquisition and sustainment community’s been very vocal over the last few weeks about that. We’re looking at, how can we share information in a more agile sense. How can we then help with sensors, especially on the smaller companies. The larger corporations typically do fairly well. It’s the second- and third-tier suppliers that are the most at risk, and where we see a lot of the exfiltration occurring.
It’s because they just don’t have the means to be able to go up against, really, a nation-state. It’s not a fair fight. And so, it’s not one solution. There’s really a variety of solutions we have to bring to bear.
VAN CLEAVE: Well, there’s a variety of problems too, when you think about…
WILSON: That’s right.
VAN CLEAVE: … think about trying to prohibit exfiltration of technology we don’t want out. Then there’s also to protect the infiltration of technology we don’t want in, which brings to mind…
VAN CLEAVE: … the whole question of the supply chain manipulations, which we haven’t really talked about yet. But — but the — that frightening business with — what was it? — Supermicro was the company out in California where — can you tell us a little bit about that, where the — the motherboards that were imported — that were manufactured and — and — and promulgated by — sold by Supermicro, and it got into so many different systems across the country.
WORTZEL: Yeah — yeah, I mean it’s — it’s really an unsettled accusation. I mean it’s really…
VAN CLEAVE: Is it?
WORTZEL: Yeah, it’s — it’s debated, but — but the fact of the matter is that the Department of Defense alone and State — I’ll include State — has no idea of their supply chain. They only know their primary suppliers.
Our commission several years ago went to Army, Navy and Air Force with four ongoing weapons systems under development and said give us your supplier’s supply chain to the fourth tier. They couldn’t do it. They still can’t do it.
So they don’t know what they’re getting and what’s going into their systems.
WILSON: It’s one of the fundamental challenges that we’re — we’re facing and we’re taking — beginning to take actions to resolve that, yes.
VAN CLEAVE: Well, just so the breadth of this — of this topic — I’d like to go back to — Dan, something that you — you mentioned in your earlier comments, influence operations. I — I wonder — I mean we’ve seen the state of play with respect to influence operations directed at trying to affect elections, influence the decisions in — of voters and viewing — what about — what is the future of influence operations?
I — I — I wonder, is there a potential here? Am I making things up? And is there a potential here for influence operations directed at other things to affect public confidence in markets or in products or — or other things?
What do you — what do you see coming down the pipe there?
HOFFMAN: Yeah, I mean — I think we — we look at cyberspace, a manmade domain completely unregulated as a force multiplier for economic growth and freedom of expression, and what Russia sees is OK, that’s the critical backbone of our — of our democracy in the United States and that’s why they want to target it.
And they want to degrade our trust in cyberspace and then simultaneously use it to influence our population to the extent that it serves their interests. I’m not sure that we’ve seen any evidence of Russia seeking to influence our economics as much as we have our politics.
And again, what we’ve seen so far, these — what I like to call discoverable influence operations, but the Russians are good enough to run misattributable political influence operations if they want to support one candidate over another and not have a Kremlin return address.
This goes back to Soviet days, when they — you’d have journalists in their pay. Essentially what — what we’re seeing in cyberspace from Russia really isn’t a whole lot different from what Soviet intelligence officers were doing to us, it’s just the technology has changed.
The idea, the strategy is — is pretty well — pretty well the same as it — as it always has been for them. And it’s — it’s cheap and it’s asymmetric warfare, and I will just highlight based on the many years I served at CIA — I served five years in Russia as well as in South Asia and — and the Middle East, but — but the years I served in Russia, I can tell you the most important thing that — that our intelligence community could do is — is make human source penetration so that we understand where the Kremlin is headed strategically.
And we can use that intelligence to give us the threats, the indications and warning so that people like Ed and our other colleagues in the government can harden our defenses and then share that — that — that threat warning intelligence with the private sector to protect them, as well.
VAN CLEAVE: Well, that calls to mind a question maybe for Ed. The process by which our intelligence requirements are generated is so significant for the decision maker to be able to get their arms around difficult problems.
And — and — and I — I wonder, from your — from your perspective, and — and Larry and Dan, chime in as well, but from your — your perspective, what are the big unknowns? What are the areas where our insights are perhaps not as robust as you would like them to be?
What are the big — if you had a magic wand and you could say, all right, this is what I want to know in order to be able to plan correctly — blue sky this for me. I mean what is it you really, really want to — to know that we don’t?
WILSON: I’ll — let me address that, but I — just would — pile on with Dan, I think we’ve seen a history, especially from Russia in particular, of behavior that’s targeting institutions of trust. And so one of those that we have abiding faith in in the United States is the elections process.
It’s — it’s the core of really who we are in terms of a structure of freedoms and choice here in — in the United States. And so Russia sees that as a center of gravity, if you will, using my military speak, but to go after it — and it doesn’t necessarily have to tear down the elections process, but our faith and confidence in the elections process.
So that’s what we see, and it’s Russian, really Soviet behavior, from generations back. That’s not — nothing new, it’s just tools of the trade that are being used — really have been brought into the 21st century in scale at a — scope and magnitude that we haven’t seen before.
And the — the technique of using proxies associated with that gives them a sense of deniability. And so we see that behavior not just in the United States, but really around the free world. And so whether that’s striking at the institution of NATO, our elections process in the free countries, that’s really what you’ll see over and over again and that’s what we’re combating.
So with regard to the question of the — the priorities, we — we always have, as one of our top priorities, is to understand the thinking and the motivations, the intentions of senior leaders, and you don’t — adversary nations.
And so that will never go away, that’s always at the height of what we’re after. In terms of being able to counter that, and to be able to put in place confidence building measures, et cetera, to be able to backstop and give us some stability, especially in this space, is going to be key every step of the way.
VAN CLEAVE: Ed, from your perspective?
WILSON: Well, I — I think the Chinese are — actually, if you can read a little Chinese, pretty transparent about their broad strategic objectives. I mean the literature’s out there, the doctrine’s out there, there’s tons of meeting results.
What — what we really don’t know because of the way they’ve exfiltrated data — so you talked about all of this health and personnel and travel, is who their targets are. So — and — and — and Chinese intelligence services have really shifted targets.
They used to go and — and try and recruit the diaspora, ethnic Chinese. Today, they’re happy to get anybody and target anybody and either pay them or coerce them. So I — I — I — if I could have my way, I would want to get into their targeting.
That’s what I’d want to know, who are they targeting? What are those weaknesses? Is it — double agent operations are very difficult, but could — could some of these be turned into double agent operations, either with — with malicious cyber tools or through human agents?
VAN CLEAVE: Dan, you… your perspective?
HOFFMAN: No, I think those are all great points, and it just highlights the value of intelligence so that we know our enemy.
And then I would just highlight too if we think about what we’re going to do about it, the last thing we want to do is curtail our own free speech.
So the deal — the way we deal with Russian and other disinformation in our cyberspace is with more free speech. And the private sector has actually done well in exposing Russian disinformation efforts, including on Twitter with the Hamilton 68 site, for example.
I think that’s — it’s always important to think about the intelligence you’re collecting, and then ultimately how are you going to analyze it and then what you’re going to do with it. And in this case, I think exposing the Russian disinformation for what it is is the best way to educate our citizens, so that they can step out smartly and discern what’s real and what’s not.
VAN CLEAVE: So on — I’m wondering a little bit about something we were talking about before the panel started, Larry, which was a concern that you mentioned, with respect to the management of crises to be able in time — to be able to respond in times of crises and how some of the activities that we see now may be, if I can use the term, sort of an operational preparation of the battlespace to be able to execute certain operations to make things difficult, especially difficult for us.
So from your perspective, Ed, as the — and — and — and I hope you’ll speak to that a little bit more and elaborate on what you were talking about. But your perspective, Ed, is there a particular emphasis at looking at crisis management and the effects of — of these cyber-enabled operations in times of crisis that are of concern and — to your — your office, and the things you’re doing?
WILSON: So we’re one department across the interagency, and so we look at this quite often. And so we do tabletops, war games, et cetera. So we look at a threat and how it may manifest and then from whole-of-government perspective and we exercise that. So that’s part and parcel to how we handle any type of crisis management.
In cyber, with regards to the threats that’s put a lot of emphasis behind the types of threats that we’re talking about. And so from a department perspective, with all of our geographic combatant commanders, we include cyber threats as part of our traditional mechanisms that we at the very senior levels look at in terms of preparation and being able to counter and respond to crisis.
So absolutely, it’s just part of who — what we are and who we are as a department. That’s our job is to prepare for those moments.
What we see now is the need to be able to handle those types of threats across the interagency. It’s not just a Department of Defense job. It’s not just a national security problem. But it manifests itself in critical infrastructure segments, et cetera, and so that’s why you see a much heavier lift being paid and a much stronger dialogue between DHS and all of the other sector leads in the department. And so — which is why the secretary has moved us in the direction, Secretary Mattis, in terms of a new agreement with DHS, the Department of Homeland Security and DOD in terms of how we can support DHS in particular with the other departments and agencies in information sharing, understanding threats and the right kind of support to include if there was a crisis how would we respond and bring the weight of the DOD into a crisis response.
VAN CLEAVE: So this something that factors into Chinese planning and operations, Larry? Is there…
WORTZEL: Very much. And — and — and that’s in a way why I like the idea of cyber-enabled economic warfare. Not all Chinese penetrations are designed necessarily to attack or weaken the U.S. but there are points in crises — you know, we have steady-state penetrations that go on all the time. But there are points in crises where suddenly you know space is going to get involved. You know, you don’t do global cyber, in a lot of cases, without space.
We know that our critical infrastructure, by their own doctrine, at times as you move into crisis is going to be attacked. So you can sort of use some of this as indications and warnings that there is a crisis or that they’ve decided to have a crisis. Once the Politburo’s standing committee and central military commission make a decision to take some action, it’s very difficult — you probably won’t turn it around.
But if you had the indications and the warnings of what it looks like in the cyber domain when they are preparing for that, you — you — you have a chance to react and maybe turn that around.
VAN CLEAVE: So, Dan, in Russian planning and thinking, do you see — correct me if I’m wrong, it looks like they’ve been using Ukraine off and on as sort of a proving ground for some of the variety of things that they do and their concept of hybrid warfare. Does that fit into their thinking as well?
HOFFMAN: You know, I think absolutely it does. I think we saw Russia deploy the hybrid warfare in Georgia and we’ve seen it in Ukraine. I think it just highlights the importance of an incident response plan.
We want to deal with these threats in left of boom. And we want to — we want to detect the surveillance before the attacks take place, and maybe even consider mounting an attack or deter somehow the attack. But you’ve got to have an effective incident-response plan.
And I think Estonia, which is a place where I’ve served many years ago, has been absolutely at the forefront of — they — of course they were the victims of a massive Russian attack, but they’ve been at the forefront of helping NATO build an effective national security cyber strategy, including a really effective incident-response plan.
Everyone in Estonia votes online. And so in order to ensure the integrity of their voting, they need to have that incident-response plan worked out, and I think that’s a good lesson for us in this country as well.
VAN CLEAVE: So incident response is certainly a big part of what…
WILSON: Yes, let me just echo. I think Dan hit on a key point is, it’s not just the incident response, but it’s seeing imminent threats, understanding the threat as early as possible, being able to message if need be that we see that threat.
But how do we make ourselves in a more resilient fashion hardened systems, whether that’s critical infrastructure for the department or national security systems? And then in a worst-case scenario we need to have the mechanisms in place to be able to respond with incidents, response teams, et cetera. So the resiliency in terms of response, and then reconstitution and when required. And so that serves as a deterrent. A — when we have viable responses and a response mechanism, and so that’s what we’re working hard on across that whole full spectrum.
VAN CLEAVE: We’ve got a few minutes left. I think it would be a good time to open up to audience questions if we have anyone out there who has a question mark there — a question for us — for the panel rather. There’s a microphone coming and my request to you would be that you identify yourself and ask a question.
QUESTION: Sure. Zach Biggs with the Center for Public Integrity.
I wanted to ask broadly the idea of allowing companies to attack back or to counter attack, which was raised earlier in the panel, and in particular I’m curious what General Wilson thinks of that idea.
But I’d say across the panel, what’s the — the response to the idea that companies might need to attack back, and whether that’s a viable option to try to improve the security for the private sector, in particular defense firms?
VAN CLEAVE: Go for it.
WILSON: You lead us and I’ll pile on.
WORTZEL: I — I can only tell you that the — the law enforcement community hates the idea, and — and so does Justice, but I’m a — I’m kind of a simple person, you know?
The city in the United States that has one of the lowest home invasion rates is Kennesaw, Georgia, that requires every citizen to have a gun.
WILSON: Do you live there?
WILSON: So I think within bounds — I think industry, private citizens there should have the ability to defend themselves. I think the — there is a unique nature within cyberspace with regards to offensive activity. We — I think you want a stable environment, we want an increase, you know — the stability within this arena as much as possible.
And so abiding by and reinforcing the norms of behavior that we’ve sanctioned with the United Nations alongside a whole, you know, other nations, I think is going to be key here.
And so to have industry that is picking up in a kind of rogue environment I think is a — is a destabilizing influence.
And so I think there’s a unique aspect from a government perspective as — not just the United States but all governments, for security purposes and that’s what you see at NATO, that there’s nations that have stepped up and said in a collective defense arrangement if we have attacks on nations that we would respond in kind as appropriate alongside other like-minded nations.
And so I think to have stability, to have a — a — a variety of industry partners out there taking unique actions offensively may not be in the best interest of — of the — of the domain called cyberspace.
HOFFMAN: I’d just add one point there. I’m from Massachusetts. We don’t have guns in our houses up in the north like you all do in Georgia.
But talk — I’ll propose another idea, and I’ve been — only been out of the government for a year and a half, but — but if you want to regulate this a little bit, hypothetically you might have a set number of companies that essentially give the private sector some insurance.
And if you’ve been hacked, you could go to these companies, present the information you have, and then those companies might be authorized to hack back. It — it — this is one that’s been discussed a lot. There’s been a lot of testimony in the Congress about it. And I think the idea for me has some — some value, but at the same time, it can’t be unregulated. So maybe that’s a middle ground between the two answers you’ve got.
WORTZEL: And — and I would only add that if — if you want to back away from my first answer, the — it — there’s no reason that the Department of Defense and Justice can’t go to selected defense industries in black, secret programs and actually deploy defensive systems and malware that — which would both discourage attacks and would be a little more controlled.
VAN CLEAVE: So we have another question out here?
QUESTION: Thank you. Giovanna Cinelli with Morgan Lewis.
The panel’s insights were extraordinary. You talked a lot about external cyber intrusions, penetrations into system.
I’d like to ask you whether you’re considering what we call internal threats, which are through the foreign direct investment process moving into the second, third, fourth, even sixth and seventh tier supply chain to come in from within and basically get access that way and allow for external penetrations as well as internal.
How are you looking at that? Is that part of the overall strategic approach?
VAN CLEAVE: Ed, do you want to jump in on that?
WILSON: Yeah, I’ll — I’ll touch on it. Won’t get into too much detail because that’s being worked by the Department of Commerce and others, but the Department of Defense is clearly part of the solution. And so understanding the relationships with mergers and acquisitions, and then how suppliers are providing in the second, third, fourth — and I highlighted that earlier — we don’t have enough insight at this juncture in many cases. And so the task force that’s up and running is one of the key areas that we want to try to really focus on so that we have visibility to the behavior of those sub-tier, the lower, smaller corporations that are providing some of the bedrock in terms of capability.
Secretary Shanahan has spoken on this at length. We see that as a — an area that we need to improve. So we’re in the process of generating some fixes. Those are under deliberation within the Department, and so we’ve got some work to do.
VAN CLEAVE: Do — do you also envision a more robust role for the Committee of Foreign Investment in the United States? Might look at some of these larger acquisition issues in more detail?
WILSON: So in general, I mean I think we’re blessed with the ability — we have CFIUS in place to be able to look and be able to put in counters when required. We get approached many times by other nations that are looking to replicate that model.
I think it’s a great starting place, the CFIUS — the construct that’s in place within the United States is pretty powerful when used. And so the question is how do we carry it forward in the future?
VAN CLEAVE: Do we have time for another question now – we’ve got one up here.
VAN CLEAVE: That’s OK. You need to wait for the microphone. You’re doing it right.
QUESTION: Yeah, a cyber threat there.
Fred Roggero with Resilient Solutions.
Just a quick question on the security, or the insecurity of the cloud. If you look at around Dulles and even Manassas, the cloud lives out there evidently.
But have we just created another center of gravity for attack for cyber commerce?
WORTZEL: I mean, I have my opinion, and you know what they say about opinions, but I think the cloud — because so many of our major software companies have had to turn source code over to both China and Russia to do business there is the most insecure thing you could possibly do, unless you know where it is and you know it doesn’t leave — and the data, the new data laws in China, the new legal restrictions mean that any data stored in China is Chinese data.
VAN CLEAVE: So that does kind of raise the big question about the — which we haven’t had a chance to talk about, and now it’s too late, but the whole matter of international standards for the Internet of things, and the whole — the — the struggles that are going to go on in trying to define whose laws, who’s in control, who’s in a power position with respect to data.
Is that something that we worry about?
WILSON: Well, I was just going to add, I think clearly cloud-based technologies, machine learning, A.I. technologies offer a tremendous amount of opportunity, right, so if you’re in business, to be able to generate productivity, efficiencies, savings in an operated scale are clearly — merit the shift and we see high transition in the Department of Defense, we’re moving in that direction as well.
The — the — the challenge is — is are we creating additional threats? And so I think the way that you transition to cloud-based technologies has a lot to do with trying to minimize those — those risks, if you will.
And so looking at qualifying vendors, looking at the way we shape the ability to have insights into how those services are being provided, not leaning on our traditional CSSP structures that we would have in a network environment.
I think we need to take a hard look at that, and that’s, as you’ve heard our CIO, Mr. Deasy, has been highlighting with — with clarity here over the last few months. And we’re in the process of moving a large section of the department over the next few years, to cloud-based technologies. And so that’s — that’s why we’re very, very focused on it.
VAN CLEAVE: Do I have any more inquisitive members of the audience that have something to raise? No? We’ve got one up front.
QUESTION: Thank you. Jonathan Ward from Atlas Organization.
So I wanted to ask a — a sort of broad question about what kind of consensus we need, and what kind of, you know, interactions do we need between the national security community and the business community, and also the finance community.
Because I feel like there are still narratives on China that are being spread throughout our society by those doing business in China, that are really actually very counter to long-term U.S. security.
And at what point do we sort of get this broader picture and what kind of consensus does the United States need to address these challenges?
VAN CLEAVE: So, Larry, I think you could take the lead on that one. But…
WORTZEL: Well, I think the chambers of commerce — American Chamber of Commerce, the U.S.-China Business Council and — and most of the businesses are more aware of the threats from China.
They’ve — all their hopes that they would penetrate the Chinese market, kind of China 2025, took that apart. They’re becoming more realistic. They’re moving some of their operations into southeast Asia and other places.
I — broadly speaking, I think across the government, at least — certainly across the Congress, there’s a greater recognition of the problems that exist with China. And I think that’s a very good thing. I hope that — I hope that responds.
VAN CLEAVE: So other thoughts before we wrap this up, on what is required from our private sector?
HOFFMAN: I guess what I would just add on — on Russia is, I think we have a really effective means by which to share terrorist threat information with the private sector.
When the intelligence community detects that there’s a threat out there, overseas or domestically, we share that information so that we don’t get to the right of boom-incident response.
And I think we’re building the connectivity right now, in the area of cybersecurity. But I just don’t think we’re quite there yet. And in a sense, it’s a little bit of a clash of civilizations because our private sector is wide open.
When you look at some of the social media and networking companies that have been targeted so ruthlessly by the Russians, many of their employees come from those criteria countries like China and Russia.
And if you think that those people aren’t under a lot of pressure to share everything they know about everything to do with those companies, it just — it just creates a — a real challenge for us, and a lot of work yet to be done.
But I think the connectivity is important, and maybe you could speak to that.
WILSON: So I think fundamentally, we all realize that the homeland is no longer a sanctuary with regards to the threats that we’re seeing within cyberspace. And so that’s — that’s had — that’s created the — really, the catalyst for fundamental change that you’re seeing across the whole of government over the last several years.
For the department, we’ve revamped and — and looked at how to defend forward. It’s really — we offer some unique capabilities and assets associated with that, as well as looking to how can we defend the homeland and be more active partners alongside the Department of Homeland Security and FBI in particular, to be able to counter the types of threats we’re seeing.
And so the department is much more active, much more proactive. Though I would describe the strategy as compared to what we’ve just recently released, it’s a much more proactive strategy in terms of trying to get ahead. See the threats, mitigate the threats. And then in worst case, if we have a — an incident, a significant incident in this country, as being able to respond and mitigate that threat to the best of our abilities.
And so it is a change. We have shifted in a big way. One of the fundamental differences within the department that’s different, if you look in the rearview mirror four or five years ago, we didn’t have a Cyber Mission Force. The nation made a decision in the 2012-13 time frame, to establish that.
That force has now been built, and now we’re in the process of employing it, mostly in the defensive fashion. But when directed, we can flip in the other direction.
And so that’s a unique set of capabilities that has come on board and allowed us to be a bit more proactive in this space, alongside the other departments and agencies in the U.S. government.
VAN CLEAVE: So I think time is up.
VAN CLEAVE: Thank you all so much. I really enjoyed sharing this conversation with — with each of you.
Thank you, Samantha.
RAVICH: Thank you, Michelle.
I want to thank the — the panel. Two quick points from what they were speaking about. One, something that Dan mentioned. You know, could there be a class of companies that would have the ability in the authority to, quote, “hack back?”
I urge you all to take out what I hope is your handy-dandy pocket Constitution. And look at articles — letters of marque and reprisal which are, of course, in our Constitution, that would be able to grant private actors authority from the government to take on hostile adversaries.
The other thing is, the — Larry was great and mentioned that we do have monographs — Juan mentioned as well, on the strategies of — of China and Russia, and North Korea and Iran.
The Russia piece sometimes gets underappreciated because we focus on, of course, bad actions they’re doing in our electoral system and — and now in the grid.
But there is a significant cyber-enabled economic warfare component in the Russia calculus as well, which we explore in our monograph, “Kaspersky and Beyond,” which I — I urge you to read.
CEEW Threats from Iran and North Korea
Dr. Samantha F. Ravich, Principal Investigator, FDD’s project on Cyber-Enabled Economic Warfare; Vice Chair, President’s Intelligence Advisory Board
Dmitri Alperovitch, Co-Founder and CTO, CrowdStrike
Frank Cilluffo, Director, McCrary Institute for Cyber & Critical Infrastructure Security, Auburn University
David Maxwell, Senior Fellow, FDD; 30-year veteran of the United States Army
Ellen Nakashima, National Security Reporter, The Washington Post
RAVICH: All right. So now, let me welcome our next panel to the stage to discuss the cyber-enabled economic warfare capabilities and strategies of — of North Korea and Iran.
You know, as we know, both of these nations are subject to significant U.S. economic sanctions. Of course, to change those countries’ policies and strategies and orientations.
So you have to wonder, at what point — if you’re an adviser in — in Tehran or Pyongyang, you know, you say to your boss, “Hey, boss, you know, we — we have to be — how can we change this? You know, we’re under sanctions and they’re constraining our economic capability.”
You know, “What can we do? And now potentially in cyber, we have the capability to do it — to constrain America’s economy in order to change the decision calculus in Washington?” Right? So that’s the — that’s what we’re going to explore now.
So I’m going to turn it over to Ellen, national security reporter with The Washington Post, to draw out what cyber-capabilities and cyber-enabled economic warfare look on the Iran and North Korea front. Thank you.
NAKASHIMA: Thank you, Sam, for that introduction. And as we are the last panel before lunch, I see some — see it starting to empty. Maybe everyone should just stand up and stretch and do a couple of jumping jacks first and then we can start.
But I’d like to quickly introduce my panelists here. We have to my immediate right David Maxwell, a senior fellow at FDD who served for 30 years in the U.S. Army, including as Director of Plans, Policy and Strategy and the Chief of Staff with Special Operations Command Korea.
Frank Cilluffo directs the McCrary Institute for Cyber and Critical Infrastructure Security at Auburn University and was recently appointed to the congressionally mandated Cyberspace Solarium Commission. And to his right is Dmitri Alperovitch, co-founder and CTO of CrowdStrike and a thought leader on cyber security strategy and tradecraft.
And as Samantha mentioned, our panel will focus on the other two of major competitors or adversaries with the U.S. in cyberspace. You heard about Russia and China earlier, we’ll talk now about North Korea and Iran and the way in which they conduct their cyber operations to advance their interests, the extent to which those undermine — those activities undermine U.S. economic and national security, and then strategies to counter that maligned influence.
I thought I would start with you, David, to give us a brief overview of — of North Korea’s cyber operations, who’s conducting it, who their targets are, what their aims are and what the — from a threat perspective, the impact is on our economic and national security.
MAXWELL: Well that’s a lot to cover.
NAKASHIMA: A lot to cover in two minutes, but you can do it.
MAXWELL: OK, all right, well first let me acknowledge my co-author and colleague Mathew Ha. Only one of us could be up here, and I think we flipped a coin and I — and I won, so Mathew was really the backbone of — of our report here, so let me acknowledge — acknowledge him.
You know, the World Economic Forum yesterday published a report that said it’s like cyber attacks is the biggest concern among business leaders — some 12,000 business leaders in 140 countries, you know, in Europe, Asia, and North America.
So I think it’s pretty timely that we’re — we’re talking about this. And of course General Hayden wrote this morning in an article in The Cipher Brief that the cyber cavalry is not coming to your rescue. So I think — I think that’s very, very important.
Although North Korea’s cyber capabilities do not match Russia and China perhaps, we should expect that they are going to continue to develop and improve. Eliot Cohen and John Gooch wrote a book about military failures, or in this case, national security failures.
And all failures are a result of failure to learn, a failure to adapt and a failure to anticipate, and our report is really about anticipating what — what might occur. And of course John and Juan talked this morning about failure of imagination.
I think that’s another way to look at — at the failure to anticipate. And so the six case studies we look at, you know, are really characterized as — as cyber attacks, economic attacks, cyber terrorism. Of course we talked — we heard about Sony this morning, we can talk more about that — cyber extortion, cyber-enabled theft.
Again, we heard about the $81 million stolen from Bangladesh and — and the like. So North Korea is conducting cyber heists, and really it’s only a matter of time before they go from really trying to make money to being able to use their capabilities to support other — other operations.
And I’d — you know I’d — I would not — I’d look at this as North Korea really mapping the cyber battlespace, mapping the terrain for future exploitation. We haven’t seen significant attacks yet — I mean Sony’s significant, $81 million is significant, but really not significant direct attacks against the U.S., U.S. government, and the great majority of attacks are of course against our ally, South Korea.
And so I think it’s really important that we look at — at North Korea’s use of cyber through its strategy.
MAXWELL: And you know despite — you know the – maybe peace is breaking out, although after reports of the 13 missile sites this week and the criticism of — of our — our talks with North Korea, you know we still need to consider its strategy.
And its strategy has really long been based on, you know — for seven decades on achieving dominance of the Peninsula. You know, ultimately unification under northern control through the use of subversion, coercion, extortion and use of force to unify the peninsula to ensure the regime’s survival.
And so, subversion, coercion and extortion are all elements of its strategy, and of course cyber can contribute to — to each of those. And I think those case studies that — that we’ve outlined in our report do illustrate various forms of that.
So I’ll — I’ll stop there …
NAKASHIMA: Great, so from a cyber perspective, their primary target at this point is — is their neighbors to the south, South Korea, and what — what they’re doing right now is primarily income — revenue — revenue generation throughout — throughout the world through the cyber heists and Bitcoin.
But they could possibly elevate — move on from there to more destructive attacks.
MAXWELL: You know, I think you — you see really from — as they’ve evolved, they keep getting better and better.
MAXWELL: And I think that — you know again, it’s only a matter of time before they expand and of course if there’s conflict or anything like that, we should really expect that they’re going to exploit their capabilities.
NAKASHIMA: Thank you. Frank?
CILLUFFO: Thank you Ellen, and — and like David, I’d want to be sure to underscore and — and — and thank my co-author for this, Annie Fixler. She clearly was the backbone for — for our paper, as well. A pleasure to be here.
A couple of points I want to pick up, sort of maybe do a little compare and contrast…
CILLUFFO: … with North Korea and then go into Iranian intentions and capabilities. I think first and foremost anyone analyzing, assessing and evaluating the intentions, capabilities of our cyber adversaries, it cannot be divorced from understanding the geopolitical objectives and aims any of these adversaries have.
So cyber’s a tactic, a cheap one relatively speaking and a technique and a procedure that allows them to achieve whatever military, political, or economic objectives they may have. So I think that often gets lost, and — and that’s one of the really challenging issues when the government tries to get the — the right people around the room to tackle these issues.
You need to have a — a — regional expertise and you need to have cyber expertise, and — and I think one of the things that FDD did really well was bring people with all those backgrounds together. So I think a hat off to them — there are a lot that have geopolitical, there are a lot that have cyber, but rarely do the two come together.
CILLUFFO: Secondly, I think that when you think cyber, technology changes, will continue to change. There are going to be those that are first adopters, whether it’s in a — in an economic sense or an adversarial sense, but human nature remains pretty consistent.
So when thinking about — about the Iranian challenge, they have long turned to asymmetric means to achieve their objectives. They’ve long turned to proxies to achieve their objectives. Just think of Hezbollah, to a lesser extent Hamas.
Cyber is a new way for them to be able to achieve some of the objectives they perhaps can’t militarily, economically or diplomatically. So a long-winded way of saying history may not repeat itself, but it tends to rhyme, to steal a phrase from Mark Twain, and when you look at Iran’s intentions, there are — they’re escalating pretty quickly.
So they’re by no means on par with Russia and China.
But they don’t have to be. To have a drive-by shooting capability, you don’t need to integrate it as fully as maybe Iran or China are, into their military strategies, doctrine and war-fighting capabilities.
So I think we need to appreciate that the old way of thinking about how you rack and stack adversaries doesn’t fully add up in cyber. Because you need that one-time drive-by shooting capability.
The truth is, is Iran is spending a lot of money on cyber. They’ve spent a lot of time, and they are starting to integrate electronic warfare and cyber means in their — in their military strategy.
So — and — and I think we tend to dismiss the threat when, in reality, I think we need to think about it a little differently. So cyber-enabled economic warfare in particular.
I — I mean, if you think about their big — their first series of — of major attacks, it was on the U.S. banks. No surprise there. Ostensibly, in response to what was allegedly a U.S. operation with Stuxnet, they immediately went to hit the U.S. banks.
They followed that up also in 2012, with cyber-enabled attacks on, what, Saudi Aramco. Again, banks, energy. Both economic targets. Both had significant economic effect. And it fulfilled their broader objectives beyond just the — the — the cyber-enabled means.
And then they also went after one that also had a dual effect in terms of Sands Casino, because they were upset with Adelson, and — and they also had the effect of turning computers into bricks.
And the Saudi Aramco case, by the way, that was over 30,000 computers that were turned to brick. So relatively significant at that time.
Let’s fast-forward to this past year. So the Saudi Aramco attacks were Shamoon. Shamoon 2, more recently — not necessarily a much more sophisticated attack. But what they’ve been able to do is cobble together tactics, techniques and procedures that others have engaged in, and put that into one place.
So they’ll take other people’s techniques, tactics. And in this case, that is relatively unique. Because normally, you can — it’s pretty easy to identify who the perpetrator is, based on modalities and tactics they’ve used.
This was a cobbling together of different techniques. And — and quite honestly, I believe it was actually intended to be a dry run. I didn’t think it would have as much effect as it actually had initially.
And this is David’s point. And, Ellen, you put a — a fine point on this. All of these countries — Russia initially looked to Estonia, now they’re looking to Ukraine as their practice field.
The North Koreans look to South Korea and Japan as their practice fields. Iran has looked extensively to Saudi Arabia, UAE, increasingly other North African and Middle Eastern countries as — as their practice field. China’s looked to everyone as their practice field.
But the bottom line is — is, these are all movies that are coming to a theater near you. They’re using it to refine their tactics. They’re using it to refine their techniques. And I think Shamoon 2 did show an escalation in terms of capability, that we shouldn’t dismiss.
NAKASHIMA: Who — where — where was Shamoon 2 targeted, at who?
CILLUFFO: Saudi Arabia. Sorry…
NAKASHIMA: Saudi? OK.
CILLUFFO: … so this was phase two. And — and it was a combination of different TTPs they’ve used, and other…
CILLUFFO: … tactics, techniques and procedures in other environments.
NAKASHIMA: Thank you.
CILLUFFO: I’ve gone on way too long.
NAKASHIMA: No, no, no. It was great.
So — So, Dmitri, you get the hard part. Integrating the two very excellent overviews, can you compare and contrast these two near-peer adversaries in cyber, in terms of their — their tactics, their capabilities, their aims and their impact on…
NAKASHIMA: … our national and economic security?
ALPEROVITCH: Thank you for having me. I would say — I would not necessarily call them near peers. The North Koreans have actually been interested in cyber for almost 30 years.
So it goes all the way back to 1990 when Kim Jong Nam, the now-deceased half-brother of Kim Jong Un, who was assassinated in the airport in Malaysia, started the Korean Computer Center in Pyongyang and started to gather elites to study computer science.
And later on, many of those people went on into various institutions within the Korean government, and were forming their initial cyber forces. So they’ve been interested in this for a very long time.
And I would actually call — despite the fact that they may not have the technical sophistication of Russia, China or, certainly, the U.S., I would call the North Koreans the most innovative threat actors in cyberspace.
If you look at what they’ve been able to do over the last two decades, they’ve really, in many ways, pioneered the tradecraft that others have adopted since then. They were one of the first ones to use destructive cyber-attacks, going all the way back to the mid-2000s, against South Koreans. They’ve targeted — government networks have, targeted critical infrastructure networks — media, banking and energy. They’ve leveraged botnets — excuse me — they’ve leveraged botnets very extensively for their attacks. Yeah.
And of course, with WannaCry, they were one of the first nation-states that were (ph) to actually use a global worm capability as a disruptive attack. And they’re using cyber-crime as a way to actually fill in the coffers of many of these agencies.
Just as an aside, it’s really interesting to know why exactly they’re — they’re executing these financially motivated attacks. Of course, it is to — to support the regime. But more specifically, it’s actually to fill in the gaps in budgets at these agencies.
They’re executing these attacks, because in North Korea, unlike in other countries, if you’re in a military intelligence agency or civilian intelligence agency, you’re given certain missions and priorities, but you’re not necessarily given the full money to support those missions. But yet you’re still expected to execute on them. So you have to fill in the gap somehow.
And as a result, we’ve seen over the course of many decades, the North Koreans use counterfeiting and drug trafficking, weapons trafficking, and now cyber as a way to compensate for those gaps and — and make up for the — for those shortfalls.
In terms of the primary threat actors, there are actually a number of them in North Korea; one of the main ones is RGB, their military intelligence agency. So roughly equivalent to the GRU in Russia.
You also have MSS, Ministry of State Security, the largest SIGINT, signals intelligence agency. And then you have the general staff department that is part of their military leadership, that would really focus on cyber in times of war.
Most of the attacks that we have seen on Sony and the like are believed to have come from RGB and — and units — Bureau 121, famously — within — within RGB.
But this innovation that we’ve seen from the North Koreans has really been adapted by many other nation-states. So when you look at — as Frank mentioned — Shamoon, it came a number of years after the North Koreans first tried destructive attacks.
And in some ways, borrowed some of the trade craft, whether there was overt communication or not. They certainly paid attention and — and adopted some of those techniques.
So in many ways, North Korea is a trailblazer in cyberspace, for other nation-states including those, frankly, with — with more sophisticated capabilities.
So for now, of course, they’re in a charm offensive this year. I — I expect that it’ll come to an end, probably next year, as they have shown zero interest in dismantling their nuclear program, and I expect that — that to come to a head with — with the — with the United States sometime next year, and we’ll start to see a resumption of offensive attacks from the North Koreans.
They’ve never really stopped the financial theft they’ve been engaged in, but the more overt destructive attacks…
NAKASHIMA: Has — has that financial theft really affected the U.S.?
ALPEROVITCH: You know, for the most part they targeted sort of easy pickings. So they’ve targeted large financial institutions in other parts of the world — Bangladesh, Chile just got — recently in June was a — an attack where they infiltrated the banking system Bank of Chile, stole $10 million, and then destroyed the network of the bank to make forensics really, really difficult.
NAKASHIMA: So why haven’t they targeted or been able to get to U.S. financial institutions? Because our banks have good defenses or …
ALPEROVITCH: I — I actually think that the North Koreans — you know, we — we always talk about them as — as this reckless actor in the — in international affairs.
I actually think that they have probably the — the most brilliant foreign policy of any nation, because for the last 70 years they’ve been able to achieve literally everything they ever wanted without giving an inch by knowing how to use blackmail to maximum effect and walking right up to the line without crossing it and endangering the regime.
So when you look at what they’ve been doing with the U.S., they’ve actually been extremely cautious, right? So they — they’ve never really launched destructive attacks against the U.S., Sony aside, where you could argue that was a personal affront to the leader, and, frankly, Sony is a Japanese company after all.
But you know, in terms of even kinetic actions, we’ve seen them shell islands, we’ve seen them try and sink ships, never really the United States — against the United States. So they’ve been very, very cautious I think for many, many years in terms of provoking the U.S. before they were fully ready with their nuclear delivery capability to deter us.
So — realizing that a war with the United States is not in their best interests. So I do think that they will remain cautious for the — for the foreseeable future in terms of attacking the homeland, unless they believe war is imminent.
NAKASHIMA: So in terms of our economic security, North Korea’s not as great a threat as, say, Iran, in your view — your — either one?
CILLUFFO: No, it — absolutely, and — and one thing — cause this came up in everyone’s remarks and it came up earlier, but I think it’s worth sort of highlighting.
The truth is if you can exploit, if you’re involved in intellectual property theft, if you’re involved in economic and or military or industrial espionage, if the intent is there you can also exploit, cause what makes this a little — I mean attack — what makes this a little different is the — the exploitation medium can easily be utilized for an — an — an attack medium.
So I think again — and it’s not to overstate this point, but you can’t look at cyber as a black magic away from everything else that these countries are intending to do.
NAKASHIMA: So what Dmitri seems to be saying is the intent from — on — on the part of North Korea is not there yet — yet.
CILLUFFO: I’m not sure I fully — I — I love Dmitri and we agree on almost everything, but — but I think that — I think Sony was a pretty — and it was Sony USA that was actually hit. It was a pretty destructive and disruptive attack and I — I actually think the SWIFT hacks did affect the global market.
And the big concern I have with banks is not the attack — not the 9/11 equivalent, I’m more worried about erosion of trust and confidence in the system, and — and SWIFT really is that single point of failure that all financial institutions and central banks depend upon — are 100 percent dependent upon.
So I — I — it’s not that I disagree with Dmitri, I think that we have a little different accentuation. But the one point I do want to say is Iran has been comfortable engaging in disruptive and destructive attacks, just as they have been very comfortable in engaging in terrorism.
ALPEROVITCH: And I — and I would add that on Iran specifically, now that JCPOA has been torn apart and the sanctions are back in place, we certainly expect that the disruptive attacks and other types of destructive attacks, primarily probably against our financial sector, would resume once again as — as they had launched them back in 2012, 2013 time frame.
They stopped when we engaged in negotiations. I think now that’s a natural way for them to head back …
CILLUFFO: Stopped against the U.S., not globally.
MAXWELL: Yeah, I — I — Dmitri makes a great case, but I — I would be hesitant to accept that and you know, Sun Tzu said, you know, never assume the enemy’s not going to attack, you know, make yourself invincible.
And I think as we continue our maximum pressure — and it’s going to be maximum pressure from the United States — at some point, I think we should expect more aggressive attacks by North Korea against — against the United States.
And you know — and one of the reasons I think is that, you know, we rarely responded to North Korea with any kind — I mean the last time we responded, the last really kinetic action against the United States was 1976, and we responded with a pretty strong show of force.
And so, you know, since then — I mean now — Sony attack now, we’ve just indicted Mr. Pak there four years later, which I think illustrates — and I’d defer to you on how — how difficult it is for attribution, you know, and why it took that long to — to do that, so …
NAKASHIMA: Remind the audience who he was, this …
MAXWELL: Well he is a computer programmer from North Korea who was indicted in September by the U.S. government for the Sony hack.
NAKASHIMA: I think the first time the U.S. government has obtained such an indictment against a North Korean …
MAXWELL: Against a North Korean as — as far as — as far as I know, yeah.
(UNKNOWN): But they — they did sanction people …
(UNKNOWN): … Sony, so — cause the — cause the indictment comes much later, it does not necessarily mean that they didn’t know …
MAXWELL: Sure, sure, but I think — I think it would be — we would be remiss in — in — you know, in ruling out the possibility and I think in North Korea — and again, Dmitri has pointed out they are very adaptive and innovative.
And I think that — that we need to expect that and prepare for it.
NAKASHIMA: Is it possible their restraint is a result of these sanctions or …
ALPEROVITCH: I — I think — I think they’re concerned with one thing and one thing only, which is regime preservation and until they’re confident that they have the capability to actually land a missile in the United States with a nuclear weapon on it — which they’re not yet there, but close, I think they will continue taking a cautious approach.
Now, once they do that — and I think that the greatest problem with nuclear non-proliferation in North Korea is not that they’re going to actually launch a nuke at us, but that will give them a complete free hand at launching all types of attacks, including cyber, without fearing that we would launch a kinetic — kinetic action response.
CILLUFFO: Just to — I — I agree. So I probably know the least about North Korea, and every time I try to think about them, my head hurts.
But — but the reality is — is that is the only prevailing set of issues — its regime — is to maintain the regime and ensure its survival over the long-term. And right now, cyber crime is — I mean they’re being cut out of the global market.
So I mean what they were doing in terms of their super bills, those were the most sophisticated counterfeited bills that the U.S. had seen ever, and that’s North Korea that came up with it. They were smuggling it through diplomatic pouch, so you can’t separate the state from the criminal activity.
And they are a state sponsor of crime, so there might be a — a — a decision made where the — maybe we’re really ramping up some of our — our security efforts, where they — they could turn to destructive attacks. But — but I think by and large, they’d be biting the hand that feeds them because it’s been a very successful corporate operation.
MAXWELL: But I think it fits into a — you know, a — its other asymmetric capabilities. You mentioned counterfeiting. Counterfeiting cigarettes, counterfeiting medication.
MAXWELL: You know, the slave labor trade around — you know, that it’s conducting all of these. You know. And then you said, cyber is a tool, you know, a tactic…
MAXWELL: … and so I think that you know, going against American financial institutions, I don’t think it’s out of the question because I don’t think that they expect a decisive response from us.
I think that’s one of the things — you know, we talk about…
MAXWELL: … a decisive response, but are we really — you know, and have we demonstrated that we’re willing to do that. And so I think that without that, that will embolden them over time.
NAKASHIMA: Yeah. That’s always a big question in cyber, right, is the decisive response. But what does that look like? What — what do you all, as experts, think a decisive response would look like, that wouldn’t invite undue escalation that we cannot dominate in the U.S.?
CILLUFFO: Start with Dmitri. This is my…
ALPEROVITCH: Go ahead.
CILLUFFO: No, you start, you start. I’ll try to be quick.
ALPEROVITCH: Well, I think any time we look at cyber-attacks and we’re thinking about response, we should not be limiting ourselves with — with cyber-response. Nor should we even, perhaps, start with a cyber-response…
NAKASHIMA: Yeah. We’ve had indictments and…
ALPEROVITCH: … we should be looking at…
NAKASHIMA: … and sanctions, right.
ALPEROVITCH: … what — what objectives we want to achieve. And you know, that can include anything from military to sanctions, indictments and everything else in the toolkit.
Of course, the challenge with North Korea is that our primary problem with them is not cyber, not even close…
ALPEROVITCH: … it is the nuclear weapon program. And we have not been able to, so far, make a whole lot of progress on that front. So our levers of power against them are extremely limited, short of going to war.
The Chinese are not willing — and I would argue also not able, really, to do a whole lot to put pressure on them. And as a result, you have a regime that really can continue doing what it wants without much repercussion, knowing that only if they trigger that red line, whatever it may be — though (ph) it provoke a kinetic response, would they actually be in danger.
CILLUFFO: Yeah. I — you know, the reality is, what cyber-deterrent strategy do we have? And — and there have — and the — everyone’s been recognizing the fact that we need to ensure that there are consequences on bad behavior.
But it’s not just the perpetrator of that particular incident. Everyone else watches how you respond. So right now, whether it’s Russia, whether it’s China, whether it’s North Korea, the U.S. doesn’t have a very effective narrative. And there have to be consequences on bad behavior.
CILLUFFO: And to me, it’s a dissuade, deter, compel. Obviously, you don’t want to limit it to cyber. But cyber needs to be visible. I mean, what is the nuclear test equivalent for cyber? I don’t know. But we need to start thinking about some of these things a little differently.
And — and right now, we’re blaming the victim. I mean, the reality is, we’re blaming Sony. We’re blaming JPMC.
CILLUFFO: We’re blaming — and — and I’m not suggesting companies shouldn’t do more. They must. But the reality is, we have to start articulating or going beyond the nouns into the verbs, and ensuring that there are some consequences for bad cyber behavior.
And that’s across the board. Whether any of the countries we’re discussing here, and every other country that has a modern military, has a cyber capability.
NAKASHIMA: Yeah. I think you all may have raised a good point, here, though, which is that the main problem with North Korea is not cyber. It’s — it’s the nuclear — the regime issue.
Until that gets solved, I mean, you know, you’re always going to have a cyber problem. And you — one might argue that the cyber, the nuclear test equivalent in cyber is Stuxnet (ph).
But what — what that, you know, generated was then a — sort of a new arms race, and a lot of countries then started building up their own cyber-offensive capabilities.
But anyway, let’s move to Iran for a minute here.
The last disruptive attack against the U.S. was I think — Frank, as you mentioned, 2012, with the DDoSes against the banks, right?
CILLUFFO: It continued through 2013 and all the way …
NAKASHIMA: OK, and then there was the stands (ph), yeah. But tell me, what — what was the intent of — of that operation? It didn’t really — it didn’t — it didn’t destroy anything, it was public facing systems, it didn’t — they didn’t — well they — they lost some hundreds of millions of dollars I guess too, but what was the intent?
Was it saber rattling? Was it to say this is what we can do, beware, we have more capabilities …
ALPEROVITCH: I — I think that this was their thinking about an asymmetric — a symmetric response, a proportional response to what they felt was economic war — warfare launched against them by the United States in terms of sanctions, really choking off their economy and they’re saying well, you know what, you’re going to do that to us we’ll do — we’ll try to do something against your economy and target a financial system.
Of course it wasn’t very effective, the DDoS attacks were mitigated very well by most of the banking institutions. I think that the Iranians probably thought that — that the attacks were a lot more effective than they — they were in — in response.
And you know how it is in — in big bureaucracies, you may have people that are launching those attacks that are reporting up and telling the leadership how great this is, but not necessarily that being the reality of the situation.
But Iran — Iran is quite different from other countries in the sense that a lot of their activity is being launched by contractors. So not necessarily military and intelligence officials like you would have mostly in Russia, China and North Korea, but companies that are working on behalf of the two primary actors in Iran, IRGC — Iran Revolutionary Guard and MOIS — Ministry of — of Intelligence.
And those people have some level of concern because they tend to travel, they — they tend to get educations in lesser (inaudible) countries, as well as UAE and other places. You regularly find them in Dubai attending conferences, and then they go back and start companies.
And they do a variety of things, some — some of — some of their efforts are focused on cybersecurity efforts, and they’re also moonlighting for the government in offensive tradecraft, as well.
And as a result, you have a little bit of a separation between sort of the orders going out from the regime saying go do this and what actually happens with these contractors and — and the level of control probably is not as tight as — as it would be in other countries.
CILLUFFO: You know — now I wouldn’t dismiss the impact those DDoS — they were the most sophisticated at that time, Distributed Denial of Service attacks, and — and when people thought cyber disruptive weapons, that’s what they were thinking at that time.
There’s also some indication that maybe that was even a diversion, that there were other activities going on at that time as other actors have done when they have engaged in DDoS sorts of attacks. But it was — the — the thing is, I wouldn’t compare-contrast Stuxnet to — Stuxnet was — if the U.S. had any involvement, I — I don’t know, but if — it was very discriminate.
It was going after a nuclear set of capabilities. Iran’s response was quite indiscriminate, it’s going after our economy. So when we start thinking of proportionality, there are certain things that don’t add up and aren’t equal, and I think we just need to think about it.
I don’t think actors like Iran would have any concern about targeting some of the more socially unacceptable targets.
NAKASHIMA: In terms of the response though to those DDoSes, I know the banks were divided. Some of them felt that the U.S. Government should have done more, taken a harder stand and others felt that …
CILLUFFO: If it happened today we would. So, in a weird way, that was, at that time, it was an effective attack from Tehran’s perspective. Did it have long term implications? No. It actually — but it still signaled what they wanted to signal and that was that, hey, we’re here, we’ve got a capability and everyone’s potentially a target.
The other thing that I would say, and Dmitri’s very right in that, so the IRGC does over — have a — play a major role in Iran’s offensive cyber capabilities and we lay out some of the actors and who they are in our paper, but there was a big — so they initially focused all their efforts on their own population.
So, think back to the Green Revolution, how aggressive Iran was going after their own — trying to disconnect the people of Iran from the rest of the world and the activities that were occurring at that time.
So, at that time Iran — the IRGC had a hard time pulling in all of these hacking communities that existed for many years. Ashiana network, there were many that were — that exist, and they were quite good, but then they’ve recently started focusing their efforts a little more externally as well and IRGC, in essence, took control of all these, what were at one time, autonomous and independent hacking communities. There was a question whether or not they’d be able to pull that off, and sadly, I think it’s fair to say they pulled it off.
So, moonlighting maybe, but when they need them they’re there.
NAKASHIMA: Yes, and so does the fact that these hackers who moonlight, like to travel? Does that suggest another way to get at the deterrents or response in punishment by say, sanctioning or indicting these people who may, in fact, want to travel out of Iran? So, give us a bit of leverage.
ALPEROVITCH: Well, we were at an event last week with John Demers, who is the Assistant Attorney General for National Security.
He was talking about this very issue, that indictments probably would have a very hard time deterring people that are actually working for Foreign Intelligence Services and militaries, just like if our intelligence professionals were indicted in China, that would not stop their work and would not have any impact on their ability to execute the mission.
But contractors probably would think twice because they’re not in uniform, they’re not getting the orders, they do have a right to not take contracts and for them it’s much more of a financial gain, cost reward analysis, and that might deter some of those players from participating in the secret (ph) system.
CILLUFFO: Absolutely. It’s been very — I, so — I think it does have a significant effect on those that may engage in such activity, because we have become quite creative in terms of finding countries where we have extradition treaties and being able to get people over there, about three cases ongoing right now.
Russia got so concerned that they put out a travel warning to their hacker community, an official travel warning, saying don’t go to country — don’t visit countries that have extradition treaties with the United States. So, it does have some effect, but not only in Iran, but in North Korea.
So, most of their operations are being driven not out of Pyongyang alone, but China, Southeast Asia, so there are opportunities to pluck these individuals and use law enforcement as an instrument.
MAXWELL: And I think another way to respond to that is, those countries that host networks, we really need to pressure them to dismantle those networks, not familiar with Iran as much, but certainly North Korea operating outside in China and in Southeast Asia, really need to pressure those countries to dismantle those networks.
NAKASHIMA: Have we begun to do so with China, with respect to North Korea …
MAXWELL: I am not aware of — of any — any attempt to — at that.
ALPEROVITCH: I — I don’t think China has a lot of incentives to help us right now.
NAKASHIMA: OK. What — what kind of leverage the — does the U.S. have against Iran right now, do you think, to prevent destructive cyber attacks, now that the most crippling sanctions have been re-imposed?
ALPEROVITCH: Well, ironically, I think the threat of sanctions probably had a deterrent effect that is now gone now that they’re back in place. You know, what else can we do to them?
Perhaps escalation of sanctions, although they’re — they’re already pretty tough and the administration is talking about making them even tougher. And at that point, once you reach the limit on that, your only option is war. And I don’t think a lot of people have an appetite for that.
NAKASHIMA: Do you think…
CILLUFFO: There are discriminate techniques, tactics and capabilities that can be brought to bear. And — and when you think about — just think about the sanctions discussion. It used to be you sanctioned a country, now you can continue to do that, but you can also sanction individuals …
NAKASHIMA: Right, with …
CILLUFFO: … personalize it, and there are ways where you can tighten some of those screws. I know that Mark at FDD has been doing some very good work on some of the SWIFT activity in terms of way you can be discriminate and calibrate some of your responses there.
So I wouldn’t say that we’re out of options, I — and — and short of actual military conflict, but we do have to be creative ourselves in terms of how we make an impact.
NAKASHIMA: Can we really — can anyone think of anything creative that would work with Iran, or even in the cyber realm, that — something that would be discriminate, proportionate and not be unduly escalatory?
CILLUFFO: Well the — we do it all the time with …
NAKASHIMA: With demarches …
CILLUFFO: … different sorts of activities. So part of it is — and …
NAKASHIMA: But that would be effective, I mean …
CILLUFFO: Yeah, that’s — that’s — that’s a longer conversation.
ALPEROVITCH: Well look, I mean we — we have a bigger problem with Iran being a sponsor of terrorism and we haven’t been able to do a whole lot in deterring that activity in — in certain areas like activities in Syria and Yemen and other places. So …
ALPEROVITCH: … those would be much higher on the priority list than — than probably most things that would be in cyber.
CILLUFFO: I actually agree.
NAKASHIMA: With — I wanted to get in a quick question here about influence operations. We know Facebook recently took down a number of Iranian-linked or Iran-linked accounts before the midterms.
How concerned are you about Iran beginning to move into this world of cyber-enabled influence operations and what would they be taking a page from Russia — what do you think?
CILLUFFO: I think every country’s thinking about this right now, and — and — and Iran’s been doing it in one form or another for a number of years, long before Facebook. So the reality is — is I don’t think — just like you can’t separate cyber from overall geopolitical …
CILLUFFO: I don’t think you can separate the perception management, psychological operations and information operations element from the cyber equation. We play by queen’s rules, but no one else really does.
And if you actually look at what Russia — I think cyber is a piece of their broader information warfare campaign rather than the other way around. So should we be concerned? Absolutely. Is it only Iran? Heck no.
MAXWELL: And I think we don’t see North Korea conducting influence operations so much against us — social media, but certainly against South Korea. We don’t see that in the Korean language (ph) since we — and so that’s ongoing.
Now, I — I would say that North Korea is becoming more sophisticated. I know at the Committee for Human Rights in North Korea, a subject of — of a lot of phishing attacks — suspected North Korea and North Korea is suspected of defacing the — the — the website, but the staff notices their improved English and improved sophistication and it may be only a matter of time before we see North Korea trying to conduct influence operations beyond South Korea and so I think we have to be — to be on the lookout for that as well.
NAKASHIMA: Dmitri, any thoughts on that?
ALPEROVITCH: No, I would agree with that. By the way, one interesting point about the North Koreans is that they’ve been having a dedicated effort of actually attracting foreigners to come into Pyongyang and teach courses at universities. I actually know some Americans who have gone over there to teach computer science of all things.
In fact, training perhaps the future generation of cyber warriors that will be used in action against us.
NAKASHIMA: OK, so I think we may have a few minutes now to get into questions from the audience and we have I think microphones coming around and if you could first introduce yourself and then ask a question. OK great.
QUESTION: Is this on?
QUESTION: OK. From the Wilson Center.
What — question was also relevant for the last — the previous panel, what does this panel in Iran or North Korea sound like when it considers the American threat — the American cyber threat and how should that influence our policy? This is not a one-sided game. I mean more than one.
MAXWELL: Well certainly North Korea would view this as part of our hostile policy. You know that we recognized their cyber capabilities and the fact that we might consider offensive cyber operations against the North. You know they would view this as very hostile.
I think it’s interesting to look at the Panmunjom Declaration (ph) in April and the North and South agreed to cease hostile activities in all domains and then it said including air, land and sea. It did not include cyber and you know whether that was an omission, deliberate or you know just based on an oversight error or — I think that the North looks at cyber operations that we’ve conducted in Iran and you know and any capability that we have would be part of our hostile policy against North Korea. So they would view this I think very negatively.
NAKASHIMA: Anyone else?
CILLUFFO: I’m not in the business of advising Tehran or Pyongyang or Moscow or Beijing, so — and never will be but, you know, we obviously have a ton of capability in the cyber domain but I would argue we have actually been quite restrained in terms of how we utilize it.
ALPEROVITCH: Perhaps overly restrained.
CILLUFFO: What’s that?
ALPEROVITCH: Perhaps overly restrained.
CILLUFFO: And I would say clearly overly restrained. So where you will see cyber come into play in a U.S. context is more in combination with other means, so cyber as a component of other sorts of operations. I actually think we need to be comfortable discussing our offensive capabilities, acknowledge that we’re never going to firewall our way out of this problem alone. We’re never going to defend our way out of this problem alone. Use restraint but when you use it you fight and you fight to win.
And I actually want them worried about U.S. cyber capability. I just wouldn’t be all that worried based on the track record so far so I feel like now is the time where we can. So your question I actually think that when they do start really worrying about that I’m feeling pretty good.
NAKASHIMA: Well in fact the Department of Defense just issued a new cyber strategy that talks about persistent engagement with adversaries, defending forward and preempting attacks at their source, including protecting critical infrastructure — U.S. critical infrastructure in that way. I think that might be signaling to our adversaries that we’re willing to be a little more aggressive. I don’t know whether we’re starting to see the results of that change in strategy yet but you know, time will tell. Yes, in the front row.
QUESTION: Zack Biggs with the Center for Public Integrity.
So I wanted to ask, obviously the parallel between these two countries is their nuclear programs. When you look at Stuxnet which was used against Iran’s nuclear program, that occurred in a very different time period. Setting aside the technical constraints that might impact the ability to use cyber weapons against the North Korean nuclear program, from a policy perspective, are we in a different environment now? Would something like Stuxnet be a viable technique or tactic now against a nuclear program or has the world changed sufficiently in terms of the view of cyber that that’s no longer a viable option?
NAKASHIMA: That’s a great question.
CILLUFFO: Really good question.
ALPEROVITCH: Yes, the important thing about Stuxnet, it was never designed nor could it ever have been a way to stop the program. It was a delaying tactic; you know at best the estimates are that it may have delayed them by about eight to nine months. So it’s a way to give you space to hopefully solve the issue through other means but it is not a solution in and of itself so that’s the best way to think about a lot of cyber capabilities actually.
CILLUFFO: You know I’m going to disagree with a point I brought up earlier, so with myself.
But not in the way that I really mean. But the reality is I do feel we need to be more forward leaning but we also have to be willing to inoculate others that are not part of the govern — because the private sector pays for the real or perceived sins of government in any of these cases. So we’ve got to get to the point where we — if we launch we better be ready and prepared and do the due diligence and have the responsibility to enhance the security of the front lines in the cyber domain and that’s the energy companies, the lifeline sectors in particular — the most critical of our critical infrastructures.
So I think that the — your question is a really good one. I don’t know whether the U.S. was thinking about some of this activity in Pyongyang of late and either it didn’t work or decided it wouldn’t work or didn’t even think about it but the reality is, I think all conflicts going forward of any kind are going to have a cyber element or dimension to it. I just don’t think we should think of it as a silver bullet.
I don’t think of cyber as a weapon. I think of cyber as an enabler to do everything we do, to do it better, more efficiently, sometimes anonymously, and we want to play to where we’re strong not necessarily where others are.
NAKASHIMA: Yes, I mean the thing about Stuxnet was it wasn’t intended to become public — it kind of broke out and broke loose and then cyber security researchers around the world noticed it and tracked it back to Natanz and figured out it was very likely Israel and the U.S. But you know, I think the main purpose there was to sow confusion and doubt in the minds of the engineers.
ALPEROVITCH: It was an information operation.
NAKASHIMA: It was an information operation — a cyber-enabled information operation, which was working beautifully at least initially, right? And then…
ALPEROVITCH: But there’s a limit to that, right? So you know, the goal of Stuxnet clearly, based on technical analysis, was to convince the Iranians that their centrifuges were effective and the Iranians actually destroyed more of those centrifuges than the worm ever did, because it actually wasn’t designed to cause destruction. But at some point you learn — right — so there’s a natural limit to how long you get out of operations like this.
So it’s not a permanent solution by any means.
CILLUFFO: And by the way, there are World War II analogies where people would jam radar to the point that you think it’s just not working. So — so there is — whether it was meant to be an information operation or not, it seems to have had that effect.
NAKASHIMA: Maybe that’s another tool in the toolkit we need to start discussing more publicly in terms of response options.
CILLUFFO: I do think — I think transparency’s a good thing in this case. And don’t be afraid to discuss our offensive capabilities. But that’s me.
MAXWELL: I think from a North Korean perspective, we think it’s too insular, it’s hard to penetrate. But I have to believe that we — you know, there are people that are working on the capabilities to do that. And from a policy perspective, if we have the capability, we need to be ready to use it, whether to employ it directly to achieve an effect or from an information influence perspective as well. We really need to keep all our options open from influence to actual conduct of attacks if it’s in our interest.
NAKASHIMA: OK. Any other questions from the audience? There’s one right there on this — that.
QUESTION: Thank you. Abe Shulsky from Hudson Institute.
I was wondering in terms of the deterrence aspect of this question whether we have a deterrent, especially with respect to Iran, of actual information operations — cyber-enabled information operations that would address the public itself. I mean Iran is I think considered one of the most wired — connected nations in the world in terms of its citizenry. Obviously different from North Korea in that regard. But at least with respect to Iran, would there be possible cyber ways of conducting, you know, old-fashioned sort of information operations, propaganda that the regime might see as sufficiently threatening to it that they would be willing to pull back on other stuff in order to get us to stop?
ALPEROVITCH: Maybe or it may lead to escalation, right? So you never know. I mean, the final problem (ph) with deterrence, it is a game of chicken, right? You’re trying to convince the other party not to do something because of repercussions. And really the only way you can do that is by making very clear to them that this is a serious priority for you, perhaps your top priority. And the problem with most cyber actions is they’ll — they never get to that level, right? You know, our main problem with Iran and North Korea are nuclear programs, it’s not cyber. It won’t be cyber for any foreseeable future, if ever.
So unless you make it your top priority, you really have little chance of deterrence and, you know, probably one of the few, if not the only, examples where we’ve actually had, at least for a time, successful deterrence was against China in 2015 when we got them for a period of time to back off and not to conduct economic espionage. The only way we got there is the president of the United States came out and said, this is my number one issue with China. I’m not sure I even agreed with him that that’s the number one issue with China when we had South China Sea…
CILLUFFO: As a cyber guy, I did, but…
ALPEROVITCH: … and North Korea and everything else that was involved, but he said at the time, this is my number one issue and he made it very clear to the Chinese. And they started to realize that there would be serious repercussions. Until you make that your number one problem, you’re not going to get any deterrence out of it.
CILLUFFO: You know, I — I — I agree with — with Dmitri 100 percent. But, Abe, you’ve done some really good work on deterrence theory historically and — and — and information operations over the years. And I think we sometimes get caught up in the technology when it’s really what are the intentions and capabilities and how do we figure out the best way to get the outcome we want.
And there’s mixed spotty record in terms of where perception management fits into all of this. But here’s my one issue, whether it’s perception management or whether it’s computer network attack or whether — we’ve got to get to the point where we don’t allow our adversaries and episodes that define strategy.
We’re letting the Russians define our strategy. We’re letting the Chinese define our strategy. We’ve got to be proactive and by that I mean it doesn’t necessarily mean we’re going to find the dupe that does something stupid and we come with the hammer — cyber hammer immediately.
But we are so — we’re letting episodes define rather than what are our strategic outcomes, objectives and goals. So I feel like we’re constantly whipsawing every time there’s a cyber incident.
Very thoughtful reporters will call me and it feels like we’re having that same conversation over and over. We should be defining that.
ALPEROVITCH: I said this a long time ago…
CILLUFFO: We should be defining…
ALPEROVITCH: We do not have a cyber problem. We have a China, Russia, Iran and North Korea problem, but we (inaudible).
CILLUFFO: Cyber flavor (ph).
NAKASHIMA: So in other words, we don’t need a global cyber strategy, we need a China strategy, a North Korea strategy, Iran strategy of which cyber is…
CILLUFFO: Well cyber deterrence. You need — you need separate deterring mechanisms around all that and — and you need a deterrent strategy that cyber factors in and you need a cyber specific…
NAKASHIMA: (Inaudible) cyber is fundamentally a tactic and not a strategy, then…
ALPEROVITCH: We don’t have a strategy to deter tank warfare, right, we — or enable warfare. We think about it as deterring warfare, and cyber is just a tool in a toolbox.
NAKASHIMA: We have time for maybe one more question, if there’s anyone out there. Don’t be shy. No? Yes.
QUESTION: Michael Martel (ph) from the National Security Archive.
I was wondering if we saw or if you had seen any instances where cyber capabilities were exported out to proxy forces or proxy partners, either by Iran or North Korea?
And in what way you see that potential — potential shaping power balances in the regions?
CILLUFFO: That’s a great question. I don’t…
MAXWELL: I — I have not seen any North Korean use of proxy. I don’t know…
ALPEROVITCH: There is a lot less sharing of capabilities in cyber space than you might think amongst nation states. Most hold it closely to their chest. Just like, you know, in other parts of the intelligence apparatus, you don’t share your best tradecraft even with your best of friends, right.
For the longest time the British would not tell the Americans all the details about the Enigma project that they had in World War II. It took a lot of effort to convince them to actually open that up, so this is something that you hold very close to your chest.
Because frankly the more you share it, the more likely it’s going to leak and compromise your abilities to execute operations in the future.
CILLUFFO: You know, and I agree with everything that was said by both my colleagues here on that question. But I’m not sure you always know, because I mean countries are utilizing proxies themselves.
And the reality is — is when you think of the deep web, dark net, obviously they’re not going to be selling the most sophisticated TTPs or zero days (ph).
But it’s sort of like that Star Wars bar scene, the old Star Wars bar scene. I mean you’ve got Han Solo, you’ve got Chewbacca and you’ve got someone with 11 eyes and you’ve got someone with 13 feet. And the reality is they are sharing and they don’t necessarily know who those cutouts are.
And it was sort of even in the espionage world, there were days where you had fellow travelers who were dupes. I’m sure you have the cyber equivalent. That’s not to suggest that for direct operations I — I don’t know but I’m not sure we would know necessarily if that’s existing.
NAKASHIMA: How active is Hezbollah in cyber?
CILLUFFO: So there is a cyber Hezbollah and then there’s Hezbollah, the Lebanese Hezbollah organization that is engaging in cyber so they’ve used it largely for perception management issues right now. Lebanese Hezbollah. Cyber Hezbollah…
ALPEROVITCH: And espionage.
CILLUFFO: And for espionage. They do — and very targeted discriminate espionage. So but the cyber Hezbollah which is a little more amorphous is quite active, so.
NAKASHIMA: All right, well I wanted to thank the panel for a wonderful, great discussion and the audience for some really wonderful questions. Thanks, everyone.
MAY: Thank you very much to the panel. I’m going to take just a couple more seconds of your time before you go out to refresh yourself and converse. By the way, I’m Cliff May, and for those who don’t know me, I’m the founder and president of FDD. You heard about various reports and we have hard copies of those; we can guarantee the cyber security of all the hard copies so feel free to take some and just to sum up a little bit, you know after World War II American power, American leadership and rapidly advancing technology brought us really an extraordinary period of peace and prosperity.
Now, however, our adversaries are attempting to turn our political and economic openness and our high technology against us. In particular they’re using cyber means to undercut American industry and innovation as well as to increase their military capabilities and to degrade our military capabilities. So the challenge is as great as we have heard today, but so is, or can be, our response, our creativity, our ingenuity.
As just one small example let me highlight a new FDD project, the Transformative Cyber Innovation Lab, where we are identifying the technologies and policies that can begin to solve the hardest cyber problems. We partnered with industry and government to shorten the lag between idea and piloting and between piloting and widespread adoption of solutions to defend our national and economic security.
The task before us, here at FDD and here in America is enormous and daunting. But each problem we solve is one less avenue for the bad guys to use against us. Before we conclude I want to take a moment to thank the entire FDD staff. Every member of this absolutely extraordinary team, they make this look so effortless but we know how much hard work goes into making events like this a success, so thank you.
And to FDD’s investors in the room and who may be watching on our streaming, a reminder that this conference, like all our work is possible thanks to you, only thanks to you. Thanks to your generous and enlightened support and we thank you for that. Let me also take a moment to recognize again Samantha Ravich (ph) and her clear-eyed thought leadership.
She has zeroed in on how America’s authoritarian and undemocratic and un-free adversaries are using cyber-enabled economic warfare, and she thought of this long before many others in the policy community understood the scale of the threats that we face. We should all be pleased that she’s been recruited to the President’s Intelligence Advisory Board and the newly-created Cyberspace Solarium Commission. These tasks will be synergistic with her work here at FDD.
And finally to those joining us here today via our live stream, thank you for coming and for tuning in. All of us at FDD look forward to continuing to work with you on these important issues.
Again, thank you all for your patience and for your attention today. Glad to see you. Thanks.