CyberWire Daily - Best of: Tom Wingfield

Episode Date: December 28, 2016

Our podcast team is taking a break this week for the holidays. We're revisiting some of our favorite interviews from 2016. Tom Wingfield is Professor of Cyberspace Law at the National Defense University, and one of the authors of the Tallinn Manual, an academic study of how international law applies to cyber conflicts and cyber warfare. We interviewed Tom Wingfield back in October, on location at the 2016 AUSA meeting in Washington DC.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. stay home with her young son. But her maternal instincts take a wild and surreal turn as she discovers the best yet fiercest part of herself. Based on the acclaimed novel, Night Bitch is a thought-provoking and wickedly humorous film from Searchlight Pictures. Stream Night Bitch January 24 only on Disney+. Hey everybody, Dave here. Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try DeleteMe. I have to say, DeleteMe is a game changer.
Starting point is 00:00:59 Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. DeleteMe's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for DeleteMe. Now at a special discount for our listeners, today get 20% off your DeleteMe plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Starting point is 00:01:56 I'm Dave Bittner in Baltimore. Our podcast team is taking a break this week for the holidays, but don't fret, we'll be back next week with all new episodes of our show. In the meantime, this week we're revisiting some of our favorite interviews from 2016. Stay with us. Do you know the status of your compliance controls right now? Like, right now? Like, right now. We know that real-time visibility is critical for security,
Starting point is 00:02:30 but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC.
Starting point is 00:03:08 Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach
Starting point is 00:03:59 can keep your company safe and compliant. Tom Wingfield is professor of cyberspace law at the National Defense University and one of the authors of the Tallinn Manual, an academic study of how international law applies to cyber conflicts and cyber warfare. We interviewed Tom Wingfield back in October, on location at the 2016 AUSA meeting in Washington, D.C. We've encountered an increased co-mingling of kinetic and cyber warfare, and we've heard a number of times that the norms of cyber conflict remain immature.
Starting point is 00:04:38 Do you agree with that? I agree with it up to a point. The norms of cyber conflict are immature, but the norms of conflict in general are very mature. Most countries agree on most norms almost all of the time, and the trick is in applying those near universal norms to these new cyber targets and these new cyber problems. You're one of the authors of the Tallinn Manual, which has acquired the reputation of being one of the more comprehensive and influential sources of the norms in conflict in cyberspace. So how closely does the Tallinn Manual adhere to other earlier codifications of such international norms, the laws of armed conflict, the law of the sea, the just war tradition? Very closely. The whole point of the Tallinn Manual was not to write new law, but rather just take the core of existing law that almost all of the countries agreed on and apply it to a new battlefield.
Starting point is 00:05:34 Just as we had the San Remo Manual apply law of armed conflict to naval operations and the Air and Missile Warfare Manual do that for that area, it was just meant to take the part we agree on and apply that to cyber operations. Can you take me through the process, take us behind the scenes, what went into creating the Tallinn Manual? Well, absolutely. It actually had an unusual beginning. At the very beginning, right after the attacks on Estonia in 2007, I was asked to go out to the brand new CCD COE there and brainstorm some ideas. One of the ideas I had was, wouldn't it be great if we could
Starting point is 00:06:15 get the 20 smartest law of armed conflict professors in the world together for a few years and have them write the San Remo manual for cyber. And they thought it was a great idea, and they gave us the money, and I recruited 19 other professors, and we did it over three years. I want to ask you about NATO's Article 5. Some of the newer members of the Atlantic Alliance have been on the receiving end of cyber offensive operations, and like you mentioned, we're thinking of Estonia here. Would the alliance be likely to invoke Article 5 over a cyber incident?
Starting point is 00:06:52 If it were a sufficiently dangerous situation, if it caused sufficient damage, absolutely. We haven't seen anything in the purely cyber realm that would rise to what we call an armed attack. Not even a mere use of force. So we're just at the very early stages. If it ever did get to the level of an armed attack, a smoking hole in the ground, a significant loss of life, then there's not a doubt in my mind that Article 5 would be invoked. I want you to, if you would, to talk us through how you see traditional just war theory finding its application in cyberspace. Yes, we see the traditional just war theory informing
Starting point is 00:07:34 our policy and how we choose to use the instruments we have. But in reality, the jus ad bellum, the law of conflict management or the law that governs how we go to war, is actually much, much simpler than that. While we use the seven traditional Thomistic standards to inform our decision policy-wise, legally, it's only a two-part test, and it's pretty simple. The first part is, is the cyber event military in its quality? That is, not espionage, not diplomacy, not crime, not politics, not something else, not economics, but is it military in its character qualitatively? Once we've decided that, that it is a use of force and military, then we have to make a quantitative description of it to see if it's bad enough in its scale and effects, those are the two magic words, if qualitatively the scale
Starting point is 00:08:32 and effects are serious enough to merit a military response. If it's true, we call that an armed attack, and that permits a unilateral response, no Security Council permission, and no requirement to use only cyber means to respond to a cyber attack. What about jus in bello, which is, you know, talking about discrimination and proportionality? Those four basic rules, discrimination or distinction, necessity, proportionality, and chivalry. They apply in cyber the way they apply anywhere else. The standards are very straightforward, and so far, not a single country in the world has come forward to say they do not apply in cyberspace. The Russians and Chinese are uncomfortable with the way jus cogens, known law, and customary law applies to cyber.
Starting point is 00:09:27 They would prefer a treaty, but no country has come forward to say those four fundamental tenets of the jus in bello do not apply to cyber operations. U.S. policy with respect to cyber attacks has been to impose costs. That's the phrase they use whenever an actor can be identified. And those costs range from naming and shaming, to prosecution of individuals, to the imposition of sanctions. Do you have any thoughts on the efficacy of that approach? Do we need less or do we need more? Or is it about right? I think we need more. We're feeling our way because it's a new area. But using all of the instruments of national power, I think, is the solution. So at the highest levels, orchestrating what we do in diplomacy with how we use our information when necessary, the military instrument, and especially economics. I'll give you a very quick
Starting point is 00:10:16 example of that last one. The Computer Fraud and Abuse Act was designed for the government to prosecute domestic crimes against the federal government. But there's a component in it that gives a private cause of action to individuals and businesses that are victims of those seven federal cyber offenses to actually sue and get damages against the individuals, whether they're U.S. or not, and they only have to meet the lower 51% mere preponderance standard of evidence, much easier than a beyond a reasonable doubt criminal prosecution. We haven't seen much of that, so if I had to make one legal guess for the future, I would see the government using that more, informing corporations and citizens more that this is another potent weapon in our cyber arsenal. And I think that'd go a long way toward deterrence on
Starting point is 00:11:12 the front end and justice on the back end. Do you see in terms of, you know, I'm thinking of both rattling cages and also kind of, you know, testing your neighbors, that sort of thing. Where do you see things going? Where are the likely places where nations are going to be testing their neighbors, testing their adversaries, to see where this new type of conflict can go? Well, one surprising area that I see, you know, a year ago, I would have told you that serious offensive cyber capabilities were the province of a handful of cyber powers. And we all know that handful of countries. But over the last year, I've come to realize in my travels and in talking with experts that many smaller countries are looking for offensive cyber capabilities to serve as an inexpensive deterrent that offense can be
Starting point is 00:12:07 thought of as cheaper than a competent system-wide defense, and we may see many medium and even small sized countries trying to gain an offensive capability in cyberspace one way or another to threaten those by whom they feel threatened. And I'd be very surprised if we didn't see some of those countries testing some of those capabilities to calibrate their ability and see what they're able to do. What about attribution? Attribution is tricky and often tough when it comes to cyber attacks, but I could see it as being a way, because of that, nation states perhaps can feel as though they can get away with testing the waters
Starting point is 00:12:48 if it's difficult to point the finger at them directly. Yes. Joseph Stalin once said that there were two permissible answers to him. You could either say, yes, sir, or up to a point, sir. So I'd say up to a point in that area. Okay. When it comes to attribution, there are really two separate ideas that we worry about, at least that lawyers in this area worry about. One is how involved was a state in doing it? We know from international law that if a state is merely
Starting point is 00:13:20 providing some financing or some political cover, that's not enough to attribute a non-state actor, hacktivists, terrorists, criminals, to their actions to a state against whom our deterrence could work and some other things we could do would work. We also know under international law that if the state is the one picking the targets, almost all countries agree that that is enough for us to attribute the actions of non-state actors to a state. And then we have a wide range of tools we can use. There's a big gray area in between those two extremes, and different countries peg state attribution at different levels. The second thing we have to worry about is how certain are we? We can't wait for a beyond a reasonable doubt standard as we would in a courtroom. 99% certainty can't happen that fast in an area that
Starting point is 00:14:16 we don't control the crime scene, so that's unrealistic to expect that level of certainty. But with mere preponderance, 51% that we have in civil cases, that's not good enough either if we're going to be doing some serious damage overseas. So what we see from the Americans, from the British, even from NATO, are statements that now use the phrase
Starting point is 00:14:38 we have clear and compelling evidence of X, Y, and Z, and therefore we are using force, whether it's cyber or kinetic. And clear and compelling is in between those two. It's about 75% sure. So if we're about 75% sure that a state is doing more than providing mere low-end support, but enough support for attribution, then we check the two boxes and the lawyers say, you may attribute it. And then it goes over to the policy people who have to decide
Starting point is 00:15:09 what kind of tools we can use against the adversary. I think that there are two things that are very important, at least in the legal world. One is the need to have an overlap between what the lawyers understand and what operators do. That's why we're hoping the next Tallinn Manual, 3.0, is going to be an operational law handbook, we hope, that would look at these problems, not from a law professor's perspective, but rather from the questions and problems that operators have now in this immature field. And we hope to be able to build the legal advice in cyber as the US Army does a great job of doing for the operational law handbook for broad-spectrum operations. The second thing, perhaps more interesting, is the
Starting point is 00:15:56 rise of lethal artificial intelligence. We're legally responsible for what those agents do at cyber speed. And if they start causing serious damage or perhaps even loss of life in the not-too-distant future, the last human in the loop, the operator, the commander, we would be on the hook for what those things did in our name. So we would have to train them to know the cyber legal outer limits of what they could do so we wouldn't end up as war criminals for releasing them into the wild. It reminds me of, you know, Asimov's rules for robotics. Absolutely. We would start there
Starting point is 00:16:38 and then add on the rules we give to frightened 19-year-olds that we send into combat, the same rules would have to be taught and burned into our AI agents so that whatever else they did while they're fighting at cyber speed, they would not go afield of the rules that define us as us. All right. Thomas Wingfield, thanks for joining us. It's been my pleasure. Thanks for having me. And now, a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io.
Starting point is 00:18:00 And that's The Cyber Wire. We are proudly produced in Maryland by our talented team of editors and producers. I'm Dave Bittner. Thanks for listening. Your business needs AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts,
Starting point is 00:18:40 and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
