CyberWire Daily - Establishing international norms in cyberspace. [Research Saturday]
Episode Date: November 10, 2018
Joseph Nye is former dean of the Harvard Kennedy School of Government. He served as Chair of the National Intelligence Council, and as Assistant Secretary of Defense for International Security Affairs under President Clinton. He serves as a Commissioner for the Global Commission on Internet Governance, and is the author of over a dozen books, including “Soft Power: The Means to Success in World Politics” and “The Future of Power.”
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities and solving some of the hard problems of
protecting ourselves in a rapidly evolving cyberspace.
Thanks for joining us.
Well, we have a long way to go, but the glass is not empty.
That's Joseph Nye. He's the former dean of the Harvard Kennedy School of Government.
He served as chair of the National Intelligence Council and as assistant secretary of defense
for international security affairs under President Clinton. He currently serves as a commissioner
for the Global Commission on Internet Governance and is the author of over a dozen books,
including Soft Power, The Means to Success in World Politics, and The Future of Power.
In general, it takes about 20 years if we look back to the nuclear example for states
to adjust to a new disruptive technology.
And we're about 20 years into the cyber era in the sense of the internet becoming the substrate for economics,
politics, and social interactions. Obviously, the computer age goes back much earlier and the
internet goes back to the early 70s, but it's only really in the last 20 years that you've seen all of our social and economic systems become dependent upon cyber connections.
And that creates interdependence; interdependence creates vulnerability, and vulnerability creates insecurity.
And so in that sense, the modern age of cybersecurity really is about 20 years.
And it's interesting, again, to compare this to
the nuclear era. It was about 20 years after nuclear weapons were first burst on the scene,
so to speak, that you had an agreement between states, which was the Limited Test Ban Treaty in 1962 and the Nonproliferation Treaty in 1968. So in that
sense, even though the technology is totally different, in terms of reacting to a disruptive
new technology, we're about where we were in the nuclear era.
Now, in terms of that comparison, it strikes me that one of the differences might be that there's no barrier to entry the way there is, for example, in the nuclear club, if you will.
Oh, that's right.
And the technologies are totally different.
But the interesting question, sort of the meta question, is how long does it take states and societies to begin to cope with the meaning of a new
and disruptive technology? So cyber is totally different in terms of barriers to entry.
Also, cyber has many more benign effects.
Nuclear was supposed to produce electricity too cheap to meter.
Of course, that didn't turn out that way.
Cyber has obviously become a major factor
in economic growth and in widespread social benefits.
So while it's created new insecurity, it also has created great benefits. And the ratios or proportions are very different from the nuclear technology,
and the participants are very different. But nonetheless, it takes time for societies to adjust to new technologies.
And so when you look along that timeline and you note where we are, what do you think we have ahead of us?
Well, I think the immediate point is to begin to consolidate some of the gains that have been made.
There is a norm of prudence of not disrupting the basic structure of the
internet. In other words, if you interfere with domain name systems, you're not going to be able
to have communications. And in that sense, we don't have disruption at that level. And I think
you could say there's sort of a norm of coordination there. In addition,
if you look at the report of the United Nations group of government experts in 2015,
they laid out some broad norms about not attacking civilian targets, which are a start. And you have some areas,
for example, the Budapest Convention on Cybercrime, where a set of states have agreed on
procedures they'll take to deal with crime. So there are areas where there are norms against,
and there are obviously large areas where we haven't solved the normative problem.
Now, what about efforts, I'm thinking of, like, the Tallinn Manual, where folks are trying to describe the rules governing the interaction between cyber conflict and kinetic conflict.
Is that a good step along the way?
Absolutely.
I'm a great admirer of the work Mike Schmitt and others have done on the Tallinn Manual,
but it touches an area, which is how does cyber relate to the law of armed conflict?
And that's very important. And having states agree that international law,
including not only the law of the UN Charter,
but the laws of armed conflict, applies in cyberspace
is a very important step.
But there are lots of issues
that it doesn't take care of, obviously.
So, yeah, big plus, but fills out a little bit more of that glass partly full.
Now, what about the asymmetry when it comes to cyber conflict?
You know, it doesn't take a lot of money for a nation state to spin up powerful cyber capabilities.
How is that going to play out on the global stage?
Well, the asymmetry is important. I mean, we tend to think that cyber is a leveler or equalizer and anybody can do the same thing. It depends what you're talking about.
If you want a denial of service attack or an ability to launch a ransomware attack,
lots of actors can get into that.
You can buy kits on the dark web for some of this.
On the other hand, if you're trying to produce something which is an elaborate attack, like
the Stuxnet attack on centrifuges in Iran, that takes a major investment, not only technical,
but also human resources.
The world isn't level for that type of sophisticated attack. So people, I think,
would still say that countries like the U.S. and Russia, China, France, so forth, have capabilities
which are much greater than other states' capabilities. But it is interesting to see Iran and North Korea and others begin playing the game.
Now, we see stories of nation-states reaching out and exploring each other's critical infrastructure, the power systems, and I think there's a lot of
concern about that. What is your take on that in terms of where that,
is there a point where there starts to be serious pushback
against those sorts of explorations?
How do we handle that from a diplomatic point of view?
Well, there are press reports that the Russians and the Chinese
have entered the American electrical grid.
I wouldn't be surprised if that's reciprocal.
There is the question of what's called general intelligence,
so preparing for potential escalatory situations. There are also situations where this type of exploration has become an
attack, which is what the Russians did with the grid in Ukraine in 2015 and 16. You get situations
where, for example, Russian hacking into Ukrainian banking or tax revenue system, I guess, as
part of their hybrid warfare in eastern Ukraine led to this vast collateral damage that characterized
the NotPetya attack last year. So those are examples where things have advanced far beyond the general
reconnaissance type of intelligence. And I think that's the area that's particularly
worrisome. On the question of what's called computer network exploitation or general intelligence gathering,
you shouldn't be too surprised by that. But the kinds of attacks that you've seen
in Ukraine, and particularly ones like NotPetya with its enormous collateral damage,
some people have estimated it may have cost the world $10 billion. That's something different.
What is an appropriate response to something like that? Even if the damage is unintentional, which it seems as though in that case it may have been, what's the proper way for the global community to respond?
Well, I think you need to have deterrence, and that means the capacity to both deter by denial and by retaliation.
Denial means the hardening of your system so that the benefits of attack are less easily obtained.
And retaliation means that there's punishment for it.
Whether the Ukrainians are able to handle that kind of retaliation, I'm not sure.
I think the United States could.
And one of the problems I think we saw after the Russian interference in the 2016 American presidential elections was that the Americans did not take
strong enough retaliatory action to effectively create deterrence for the future. And only now
are we beginning to realize that.
And of course, I suppose the attitude of the current administration doesn't help that effort.
Well, the problem in terms of retaliation for the 2016 attack is that it got wrapped up in domestic politics. The president's concern that the charges of Russian collusion or interference in the election undermined the legitimacy of his election victory, which, of course, was an electoral college victory, not a popular vote victory, has made him very sensitive and unwilling to take strong actions.
I mean, it's interesting that last month the president did sign an executive order authorizing sanctions, including economic, travel, and other types of sanctions, against actors who interfere with elections. We'll have to see how well that's applied.
Now, what about this tendency for some of these nations, I'm thinking of China certainly and to a certain degree Russia,
a sort of splintering off their Internet access, limiting what citizens can see and do, what they can search for.
How does that all play into this?
The old view of the 90s, the sort of libertarian view of the internet as above states and transnational, which led to the so-called internet freedom agenda, I think that's been proven to be mistaken. The internet is a hybrid affair. The servers, the physical apparatus, relies upon physical presence within sovereign boundaries. by confiscating assets from a company or internet service provider or by locking up a particular individual because software and control was there.
Now the interesting thing is that China and Russia and other authoritarian states have tried to fence off the political and social aspects of the internet,
but maintain its economic benefits.
In other words, the benefits that come from communication.
And they've been much more successful at this than people expected.
Now, of course, you are very well known for pioneering the theory of soft power.
I was wondering, could you explain that to us, first of all, and then sort of extend it to
how you think soft power and also the notion of smart power applies to the cyber domain?
Well, soft power is the ability to get what you want through attraction rather than coercion or payment.
It does affect states' reputations.
For example, if a state wants to preserve its reputation to make itself more attractive
to others, then it may decide to refrain from certain actions which violate taboos. For example, a state which held biological weapons would be basically undercutting its own soft power.
The Biological Weapons Convention has very little in the way of verification or enforcement, just states reporting violations to the UN Security Council.
On the other hand, the calumny, or the cost to a state's soft power, is why states will sometimes refrain from actions where the cost would be out of proportion to the benefits.
What is the role of the United States in this in terms of leadership, of helping to establish what will be the norms going forward for cybersecurity?
Well, the U.S. has had a strong position for quite some time that it's in our interest to try to
develop norms in this area. As some people say, you know, we live in the biggest, glassiest of glass houses.
So if all we do is rely upon the threat of throwing stones, it's a part of a defense, but it's not sold. decide that they will not risk their soft power or reputation, the better it will be
for us, this asymmetrical interdependence that different states have on cyber.
And so if you look at it, the Russians proposed a treaty, a UN treaty, on cyber or information technology, as they put it, all the way back in 1998.
The US said this is unverifiable and a bad idea.
But in 2004-5, the UN group of government experts on information technology was created.
And over the next decade, they managed to produce some interesting principles to limit cyber conflict.
And the U.S. took a leading role there. Some of the steps that were implemented can be traced back to statements in a speech that Secretary of State Kerry gave in Seoul, Korea some years ago.
And the work of American diplomats at working level like Chris Painter and Michelle Markoff and others
really were important steps in this larger strategy of saying that it's in
American interest to see the development of norms. It's not going to solve all
these problems. We do need deterrence as well, but it may make some of it easier for us to manage.
Our thanks to Joseph Nye from the Harvard Kennedy School of Government for joining us.
The Cyber Wire Research Saturday is proudly produced in Maryland
out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe,
and I'm Dave Bittner. Thanks for listening.