CyberWire Daily - Cyberspace in Peace and War author Martin C. Libicki
Episode Date: November 21, 2017
Today's show features an extended interview with Martin C. Libicki. He holds the Maryellen and Richard Keyser chair of cybersecurity studies at the U.S. Naval Academy. His most recent book is Cyberspace in Peace and War. Topics include the differences between cyber war and cyber espionage, the possibilities of a cyber Pearl Harbor or Cyber 9/11, and the risk of nations overreacting to cyber attacks.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Our podcast team is taking a break this week for the upcoming Thanksgiving holiday.
But don't fret, we've got a brand new extended interview for you today.
And you can still get your daily dose of cybersecurity news on our website, thecyberwire.com. My guest today is Martin C. Libicki. He holds the Maryellen and Richard Keyser Chair of Cybersecurity Studies at the U.S. Naval Academy.
His most recent book is Cyberspace in Peace and War.
Cyber war is something that I define as the systemic use of cyberspace operations, notably cyber attack, for political advantage, in much the same way that war can be described as a systematic use of tools of force, of the armed force for political advantage.
It seems to me like particularly our leaders have been hesitant to draw lines in the sand
when it comes to cyber war. They don't want to define exactly what it is.
I can understand that, because if you start defining what it is, at least in our political
tradition, you have an obligation to actually carry it out. I think there's some levels of
confusion. We tend to, and by we, I mean pretty much everybody, tend to confuse cyber espionage,
which is a legitimate state activity, subject to a few
caveats, and cyber attack, which is not a legitimate state activity. In cyber espionage, I'm reaching
into your system and I'm grabbing information, maybe once, maybe on a continuous basis. In cyber
attack, I've affected your ability to use your systems. I can do so by making it difficult for your systems to connect to the
internet, by making it difficult for your systems to operate at full capacity or operate at all,
by changing the instructions or the data that your system holds. In other words, it's sort of like
the difference between espionage and attack. Espionage, I'm just learning something about you.
Attack, I'm making it difficult for you to do certain things.
I am destroying or at least delaying your use of things that you own.
And I think cyber attack is best defined as something very similar.
One of the chapters of your book is called What the Government Can and Cannot Do.
And it begins by talking about should the government do anything.
Can you take us through that argument?
I was educated as an economist,
and one of the tenets of economics basically says
that if the private market can do something well,
the government shouldn't step in
because it's not likely to improve matters.
If you talk about protection,
there are all sorts of risks that organizations have.
And by and large, organizations tend to be competent to assess their risks and then decide what kind of mitigations to employ in order to make themselves better off.
For instance, if one of the risks is weather, we have roofs, we have wind guards, we have all those sorts of things to protect us from weather.
We have many devices such as locks and fences to protect us from crime. So the question is, to what respect is cyber
protection going to be any different from all the other protections against risks,
which we rely on other folks to employ? And part of the answer is that if you're an organization and the consequences of having insufficient cybersecurity
are consequences to you, for instance, I can't do things or I can't do things reliably or I can't
keep secrets, then I would argue it's pretty much up to you in order to protect yourself,
just as it would be up to you to protect yourself in most of the other realms that we talk about.
Now, that being so, there are a number of useful things that the government can do.
It can sponsor research and development.
It can collect intelligence and provide it in terms of threat assessment to organizations.
It can and should prosecute cybercrimes.
If the cybercrimes are actions of states, there are certain state activities that can be carried on, such as sanctions, and the list can go on and on.
But essentially, all these are adjuncts.
All these are aids to an organization or an individual's responsibility to protect their own system.
Let me just add one other thing. One of the reasons that I think it makes sense to focus the responsibility on the organization or the individual is that the organization, the individual are the ones that have the best understanding of their own system and their own approach to cyberspace.
think of so many of the cyber adversaries as coming from overseas. And so I could understand some people thinking that the federal government had a responsibility to, for lack of a better
description, you know, protect our virtual borders. Yes, I'm aware of that. I mean, if you try to take
that in the most literal way possible, you start thinking of a gigantic federal firewall. And then
you start thinking about all the problems with firewalls that they have in the first place.
They can't catch things they haven't seen before.
They're not very good at protecting against zero days.
They're not very good at defending against attacks that come in through hardware.
They're not very good against protecting attacks that are already in your system before the firewall goes up.
They're not good against insider threat.
They're not good against a class of attacks in which the inputs are legitimate but the behaviors aren't expected, such as structured query language injection or SQL injection.
And it turns out to be a large panacea.
The U.S. government is spending well more than half a billion dollars a year
with a huge firewall just around the .gov domain,
bad folks still get through. And it's costing us an arm and a leg. And if you extract it to
the entire country, we're talking tens of billions of dollars, which is something which is, frankly,
unaffordable. Who do you maintain it should be the responsibility for fighting these cyber wars?
Is it the traditional militaries or other
parts of government? It's got to be both public and private. In other words, the private enterprise
buys the cybersecurity products and services, attends to its own architecture, attends to its
own authentication mechanisms, carefully segregates the things that are high risk and are more
protected from the things that are low risk and are less protected.
And the government basically uses tools of statecraft to discourage other countries.
It uses the tools of criminality in order to target individuals who might be part of the cyber war effort.
And I mentioned this because a lot of actions that take place by nation states are actually actions that take place by criminals who are working with the nation states. And I'm
thinking in particular of Russia. The federal government, as I mentioned, can use intelligence
that it gathers to inform. The federal government can improve the basic cybersecurity through indirect
methods such as research and development and standards.
The federal government can encourage the growth of a talented cybersecurity labor pool.
There are a lot of tools that the federal government can employ.
But to actually go out and defend the electric power grid is something that the federal government does not really have the capabilities or the information to do.
You know, one of the tools of statecraft is if there's no other way to bring the problem down to manageable level,
to do unto others or to threaten to do unto others as they are doing unto us.
And sometimes that works well and sometimes it doesn't work well.
Depends who those others are. I used to joke about this almost 20 years ago, right?
If the North Koreans decided
to take down the New York Stock Exchange, there would be no point in us threatening to take down
the Pyongyang Stock Exchange because the North Koreans have forgotten to establish a stock
exchange. Similarly, if your threat is from cyberterrorism, the threat to carry out hacking
attacks on terrorists is probably going to be less than fully persuasive.
You know, you have a chapter on attribution, and one of the things that caught my eye was you touch on the subject of
when can countries be blamed for what started within their borders?
And, of course, we know attribution is difficult, and, you know, this notion that perhaps a lone person
could, for example, cause damage to our power grid, and the sort of asymmetrical nature of that
strikes me. There is a great deal of asymmetry, but I think over the last 10 or 10 years it's
become relatively more difficult for lone individuals to do serious damage.
That most of what we're seeing that is of serious concern is either carried out by countries or nation states as sometimes we call them or well-organized criminal organizations.
Now, let us say that we found a cyber attack coming from Peru, right? I always like to use Peru as an example, because it never seems to bother anybody. And I have very few Peruvians in my audience when I say
this. Okay. Okay. So we can't say to Peru, okay, you did it. Just as we can't necessarily say to
Mexico, okay, you did it because our drug economy is affected by the Mexican cartels.
What we can ask Peru to do, however, is join us in targeting those folks who carried out the attack,
which is a combination of asking Peru to use its investigative methods to figure out what's going on
and to cooperate with the United States as the United States uses the investigative methods that it owns itself. Finally, as we continue going through this process and continue getting more information
and we continue getting necessary cooperation from the Peruvian government, at some point we
may say, well, Joe did it, and we'd like to bring Joe up for trial. Or we'd like to have Joe brought up for trial in Peru,
depending on their laws and customs.
At that point, I think it would be a good idea
to expect cooperation from the Peruvians.
Now, countries vary in how much cooperation they give
to the United States in this issue.
For instance, we have a great deal of cooperation
with the European countries,
particularly those in NATO and the neutrals as well.
We don't get any cooperation from Russia.
We sort of get some cooperation from China because we put them on notice that their state
is responsible if they don't.
We get zero cooperation from North Korea and zero cooperation from Iran.
In which case, you've taken the cyber crime issue and you have to ask yourself, does this
rise to the level of something that we can call a national security issue, or at least something
that who's concerned that we can elevate? And that is an intensely political question.
What about things like the Tallinn Manual?
The Tallinn Manual, I think, is a very good rundown of the applicability of existing laws of armed conflicts into cyberspace.
The people who put it together are competent.
I think they know what they're doing.
But the problem is that when you go through the Tallinn Manual, you find out that a lot of the key questions about cyberspace aren't covered by the Tallinn Manual at all.
For instance, the Tallinn Manual basically says
that cyber espionage is acceptable state activity, that no country has a basis within international
law to object to cyber espionage. Why is this true? Because we have likened cyber espionage
to traditional espionage for which there are no treaties whatsoever. Actually, for which there is
no international law whatsoever. There may be bilateral treaties. But one of the things that
the United States has been insisting on since 2010 is that cyber espionage pursued for the
purpose of economic advantage is not considered legitimate state activity. And we pursued this
with the Chinese. And in 2015, we got an agreement with the Chinese in which they promised to cut it out. And in fact, we took the agreement into
the group of 20 nations and they all said, yes, this is a very good idea. So here we have our
first exception. And our first exception is that cyber espionage is OK unless you're using it for
commercial advantage. Now, I would maintain that the United States, or at least would have under the Obama administration, have come close to a second norm, which is to say cyber
espionage is okay unless you use it to help criminal activity. After the OPM hack, there were
a lot of concerns in the United States that the information would be sold in the black markets.
And if you recall, OPM's palliative after they were hacked
was to offer everybody credit monitoring. As it turns out, in all likelihood, the information
was stolen for espionage and counter espionage purposes. And there's no evidence that whoever
took it, which is to say the Chinese actually used it for criminal enterprises.
If they had, in an alternative world in which the Chinese had sold the information in the criminal markets,
I think we would have objected very strongly to the Chinese.
But there are other countries for which their association with criminality is very troubling.
One of them is Russia. If you recall about a year or so ago, we indicted four Russians for complicity in the Yahoo hacks. Two of them were private citizens. Two of them,
however, employees of the FSB, part of the Russian intelligence community. And with North Korea,
it's probably not even embarrassing that their country goes along and steals information from
people.
So that's sort of a norm number two. You can't use cyber espionage for criminal purposes.
Now, norm number three, which we're sort of feeling our way towards, has to do with the relationship between cyber espionage and political activity. This is the basis under which we
retaliated against the Russians for their role in the DNC hack. Because
if you remember, the basis of that was they carried out cyber espionage on the Democratic National
Committee and then published the material. If they had simply carried out cyber espionage on
the Democratic National Committee, I don't think we would have had any cause to raise the issue
with Russians, because the Russians probably would have said correctly that you do similar things, right? Countries examine what other countries have in their secret spaces.
But when they put it out on WikiLeaks and DCLeaks, they were turning the information into
unwanted political influence. The Tallinn Manual says that cyber espionage is fair game. But you
can see the United States moving towards norms
in which we say, no, there are a lot of exceptions here. It is not always fair game. You have to play
under certain rules. But these rules are in no way codified under international law, because what
happens when you move from regular espionage to cyber espionage is in many ways several orders
of magnitude difference in the effects you can produce.
We'll have more of my conversation with Martin C. Libicki after a short break.
In the foreword of your book, you talk about how back in the 90s, I believe, you didn't really anticipate that industrial control systems would be hooked up to the Internet.
As you look towards the horizon now, what do you suppose we're going to be seeing in the next 20 years?
Well, what do people talk about?
People talk about the Internet of about? People talk about the Internet
of Things. People talk about the rise of artificial intelligence. Both of them create more scope for
cyber mischief. The Internet of Things creates scope for cyber mischief because a hacker can
make things go haywire. More everyday notions is that if you haven't guarded your Internet of Things and you
connect them to the Internet, it can be an access point to your entire network. I think there was a
story several months ago about a corporation that got hacked by people who accessed its fish tank.
The rise of artificial intelligence, I think, has an unanticipated and underappreciated effect on
cybersecurity. Because what it does is it creates new forms of
vulnerability. If you think about artificial intelligence as taking, and one element of
artificial intelligence is taking inputs from the outside world and turning it into decisions.
As a programmer, you would hope that your artificial intelligence, in fact, does this
correctly. But inevitably, there are going to be inputs that cause unexpected outputs. Whereas the odds that these inputs come up accidentally
or randomly may be very small, if I'm an adversary and I want to mess with your system and you're
using artificial intelligence, I'm going to look for inputs into that system that make
your own system behave in ways you didn't expect and in ways that are
harmful that you didn't expect. So what artificial intelligence does is that it creates a new set of
vulnerabilities, not necessarily that allow what's called remote code exploitation, but ways to make
a system go haywire, ways of making a system misbehave in serious ways. The other element of artificial
intelligence is that if machine learning becomes important, the
tried and true method of taking a badly infected system
and restoring it to factory conditions isn't going to be a costless one
anymore. Because if you return it all the way to factory conditions, you
lose all the learning that you've got in the meantime. So I think artificial intelligence is going to have a very
serious effect on cybersecurity. Now, that's the bad news. The good news is I hope that people are
getting conscious enough of cybersecurity to be able to make intelligent decisions about what to
connect to what and who to connect to what kind of process. Furthermore, I'm very encouraged by the iOS model of cybersecurity.
iOS, as a platform, is one or at least an order of magnitude harder to get into than Android,
and probably two orders of magnitude harder to get into than a personal computer,
because it's got an architecture which does not absorb third-party code very easily, except down some narrow paths.
When I take a look at iOS, I'm not suggesting that we all do everything on iPhone.
But I am suggesting that there are techniques that we could use, which at a small or modest discomfort, can actually make us considerably more secure.
You know, from time to time you hear people bring up the notion that perhaps we'll have some sort of cyber Pearl Harbor or a cyber 9-11. Do you have any thoughts on that?
Okay, I would make a differentiation between a cyber Pearl Harbor and a cyber 9-11.
Pearl Harbor was an event that took place in the military. And Japan's motive in trying to
disable the Pacific fleet
was to allow them to be able to conquer the countries of Southeast Asia
without U.S. interference.
And it by and large worked.
We were unable to get engaged in much battle until basically Coral Sea,
which was well after Japan had conquered most of the countries
that they were interested in in Southeast Asia.
I think something like that is quite possible, but it's going to be a function of the geostrategic decision at the time.
So I think a cyber Pearl Harbor is one of those threats that the Department of Defense should take seriously.
But a cyber 9-11 is a different animal.
A cyber 9-11 would be something like taking down the entire grid at once.
Cyber 9-11 is implausible for two reasons.
One, particularly when you deal with the United States, you're dealing with a very heterogeneous infrastructure in which a lot of things have to go wrong at once in order to have a geostrategic effect.
And the other is you don't have an encore, right?
Okay, I took down the U.S. power grid.
Now what?
What good did that do me?
What did it allow me to do that I couldn't do before?
With a cyber Pearl Harbor, you can answer that question.
With a cyber 9-11, there is no good answer to that question.
Now, what do I see as two possible futures for the country,
or basically if the cyber world gets dark? One of them is what I would
call a cyber Three Mile Island. In other words, there's a cyber event that convinces people
that the way they've been going down the road in cyber security isn't going to work very well
anymore. Okay, in other words, as with nuclear power, we took a look at Three Mile Island, we stepped
back and we didn't install a new power plant for well over three decades. I could imagine a cyber Three Mile Island in which we say the architectures that
we've been using for designing systems and building systems and relying on systems has a serious flaw
and we've got to step back and consider how we're going to become dependent on computers and on what
terms. The other possibility comes from the NotPetya incident, which was
enormously expensive. And because the hackers were fairly clever, didn't get nearly as much
notice as WannaCry, because it came right after WannaCry and it looked like it was another
ransomware attack. But in fact, it wasn't a ransomware attack at all. It was a very disruptive and destructive attack on particular industries
almost randomly chosen. It cost several billion dollars, and that's just to a handful of companies
we know about, not the ones that we don't know about. In other words, if you think of a cyber
9-11, you think about people going after the hard targets of society, the critical infrastructure.
But if you think of a NotPetya, you think of people going after the office automation
and data processing parts of society, which are nearly as hardened as our infrastructure is,
and is therefore subject to a lot more damage.
Our editor here at the Cyber Wire, John Petrik, likes to make the point that
perhaps rather than a Cyber 9-11, we could have something like a cyber Tonkin Gulf incident, which was a naval skirmish that led to the United States being more
directly involved in the Vietnam War. What are your thoughts on that?
If you recall the Tonkin Gulf, particularly if you're a little cynical about that,
we took a small incident and made it the justification for something we wanted to do
anyhow. Okay. So the potential that people will use a cyber attack against them, one whose attribution, by the way, is anything but clear cut, and sort of wave the flag can't be dismissed.
I'm more, and I hope this doesn't sound like a distinction without a difference,
I'm more worried about a cyber Sarajevo. In other words, something takes place in cyberspace, maybe accidental, maybe inadvertent, maybe deliberate, in which the other side overreacts.
For instance, they get into their head that somebody might want to start a war, particularly
somebody might want to start a nuclear war, when it turns out that the only thing that happened
was an accident. You know, if you have complex systems running, your sensors are running in your intelligence community, they're going to fail from time to
time. And if your first suspicion is, you know, my enemy did that to you, you can imagine that
your reaction is going to go out of control. I don't know how likely that is, but I think it's
something that we have to worry about. And in many ways, it's the opposite of worrying about cyber,
because the way we worry about cyber is, oh, my God, I can't let somebody do cyber badness to me. But the way we get into a cyber Sarajevo
is to say, oh my god, somebody did cyber badness to me. And if I don't respond,
it's only going to get worse. So I've got to do something.
That's author Martin C. Libicki. The book is Cyberspace in Peace and War.
And that's The Cyber Wire.
We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening.