CyberWire Daily - The playbook for outpacing China. [Research Saturday]
Episode Date: September 7, 2024
This week, N2K's very own Brandon Karpf sits down with Kevin Lentz, Team Leader of the Cyber Pacific Project at the Global Disinformation Lab, and they discuss the recent threatcasting report "Cyber Competition in the Indo-Pacific Gray Zone 2035." This report, developed using the Threatcasting Method, examines how the U.S. and Indo-Pacific allies can coordinate their cyber defense efforts in response to future competition with China. It presents findings, trends, and recommendations based on twenty-five scenarios simulated by a cross-functional group of experts to anticipate and address emerging threats over the next decade. The research can be found here: Cyber Competition in the Indo-Pacific Gray Zone 2035
Transcript
You're listening to the CyberWire Network, powered by N2K.
Your organization could be at risk due to common password sharing practices.
Imagine this scenario.
You're out of the office.
A colleague pings you because they need access to some system that only you have credentials for.
Now, of course, our listeners would never send a password over email or Slack. We know that.
But what about your coworkers? How many organizations out there are sending logins back and forth in plain text?
Worse yet, how many just store all of their logins
on a shared spreadsheet?
Now, we all know human errors are the biggest threat
to your organization's security,
but did you know that it accounts for over 68%
of all data breaches?
What you need is a platform that allows you
to share credentials in a secure fashion,
set access permissions or time controls, and monitor the dark web for stolen logins.
Keeper Security Government Cloud is a zero-knowledge solution that does just that.
Plus, it is FedRAMP and StateRAMP authorized.
Want to see Keeper in action?
Schedule a demo or request a trial today by visiting keeper.io
slash gov. That's keeper.io slash g-o-v. And thank you to Keeper Security for sponsoring this episode.
Welcome to Research Saturday, brought to you by N2K CyberWire.
I am Brandon Karpf, the Executive Editor and Vice President of N2K Networks,
and your host for today's episode.
A naval cryptological officer doing routine duties offshore in the South China Sea, sort of looking at Malaysia.
And there's a vulnerability that has been exploited in a Japanese-installed port crane in Malaysia.
Over the last few years, we've seen a rapid increase in tensions and competition in the Indo-Pacific region,
specifically pitting the U.S. and China against one another and each other's allies and partners in that region of the world.
We've seen increases in cyber activity launched by Volt Typhoon,
the advanced persistent threat coming from the Chinese military and government. We've seen increased tensions caused by island building campaigns in the South China Sea.
And we've seen trade relationships rise and fall throughout the entire region.
Our discussion today is with Kevin Lentz, a graduate student at UT Austin and the team leader of the Cyber Pacific Project at the Global Disinformation Lab.
the private sector, the public sector, military, government, academia, and policymakers can do to ensure that the United States and Western nation allies prevail in a world of growing
competition and tensions in this region of the world. And this episode is brought to you
exclusively by our sponsor and partner, Keeper Security. So Kevin, the reason I invited you on, we got this threat casting
report around cyber competition in the Indo-Pacific Gray Zone 2035. I thought it was particularly
important for our audience, obviously given the relevance to cyber competition and cyber security,
and then ultimately national security. So before we dive into this report though,
can you give the audience a sense of what is threat casting?
Sure. It's a great question because it's not a very well-known technique, but I'll go ahead
and outline what it is. So it is a structured analytic technique, structured analytic foresight
technique, I should say. And this is a bit of a complicated process, but it breaks down
into identifying a question, assembling a panel of subject matter experts who can answer the
question or provide perspectives on it. And Brandon, you were one of those, and it was a
great contribution. And then assembling a few dozen relevant participants at a two-day workshop
who will crank out and work on scenarios that look about 10 years in the future on the question.
And the central premise is imagining a person specifically, which is what makes threat casting unique,
is you're imagining a future person experiencing a future threat in a specific place.
So a person in a place experiencing a threat.
And then you sort of ask the participants,
you break into small groups to build these models.
So each person that they generate as a model
with as much detail as possible. And so by
putting these, um, putting the participants in the perspective of a future human, um, it kind of
personifies things and brings it to a level of detail and, um, okay, practicality that is unique.
and so then they create a bunch of models and then we gather all
those models and on the back end, a team of analysts, in this case, myself and some others
from the University of Texas and some other schools. And we go through the models and sort
of cluster significant findings, things that deviate. And when we do some further back-end
research on context, things like that.
And then a few months later, we produce a report.
Nice. So it seems like it's a way of developing strategy or insights into a future state of the world from numerous perspectives.
When it comes to this specific threat casting event that you hosted
and the report that you've recently published, what was that central question that you wanted
to answer? Right. So the central theme was, as you said, cyber competition and Indo-Pacific
gray zone 2035. And the question we were trying to answer was, what can and should the U.S. and Indo-Pacific allies and partners do to enhance
combined cyber defensive operations, sort of mitigate the threats that we're seeing in the
future and, you know, essentially prevail in the competition. Specifically in the Western Pacific
or any region of the Pacific? We took Indo-Pacific writ large. It ended up being focused around current hotspots,
East China Sea, South China Sea.
Got it.
So thinking about what you were saying,
some of the outcomes or some of the outputs
of this threat casting,
what were some of those personas or those stories
and the insights that you and the other analysts
were able to extract from this event?
Sure.
So one interesting story, and it's in the report.
So the report's not like a normal report, I should say, up front.
There is sort of an exsum at the beginning and normal stuff,
but then peppered throughout it, there are sort of these fictional narratives of these models.
So one of the models that's in there, I think is interesting,
is from a naval cryptological officer sort of doing routine duties offshore
in the South China Sea,
sort of looking at Malaysia.
And there's a vulnerability that has been exploited
in a Japanese-installed port crane in Malaysia.
So, you know, it's a complex scenario already,
but it's, you know, Asia's a complex place.
And so this vulnerability is exploited,
and there's chaos in Malaysia,
and there are simultaneous information operations
that are complementing the adversarial exploitation.
And the long and short is that it ends up costing U.S. and allies and partners politically Malaysia goodwill and cooperation.
Us today and other cyber professionals recognize the potential impacts.
We take the most recent event with CrowdStrike and Microsoft,
a very relevant analogy that had global implications.
To what extent were modern or current companies and technologies considered
when you and the other analysts and
participants were going through this exercise? Yeah. So they were, I mean, they're sort of the
bedrock, right? There's a certain amount of suspension of belief in trying to push the
boundaries. But in this case, I think what we came down on is that the parameters of cyber
are kind of set in a way. Obviously, things are going to change. LLMs are going to get better.
Fake everything will get a lot better. Yes, totally. Yeah. And that's going to hit,
you know, that'll hit a threshold where things change qualitatively, for sure.
But sort of the use that they are being used for and the companies producing them are kind of similar.
So, yeah, it was based on current companies and capabilities for the most part.
Thinking about now that the report has been published and, you know, has a series of these vignettes as well as the contributed reports from various industry experts and analysts,
how do you envision the industry, the community using this report? You know,
who is the intended audience? How should people read this and why should they read it?
Yeah, thanks. That's a great question. So, one of the benefits of the threat casting model is that the audience is sort of baked into the process because in a large part, the and invited from across the spectrum.
We had, you know, intel, military, government, public sector, academia, and then folks in the private sector as well.
And so these folks come and they bring their institutional knowledge and experience.
And then the report goes, well, the network building and the report and the ideas of the report that they sort of come up with inherently go out with them. And they're sort of the first
tranche of recipients of the final report. So they're sort of the front lines. And then beyond
that, the report is intended to influence policymakers in this area as well as practitioners. And that's broad, but it is,
I think, a pro and a con of the report is that it, we decided not to tailor it
specifically to a single institutional actor. Okay. And so we get, you know, we got
a lot of interesting results from that. But I think as well, the report is intended to hit a
broad audience. And, you know, thinking about the audience that we're speaking to right now,
you know, probably about 20 to 30% are somehow associated with government defense technology or
what have you. But that leaves another 70, 80% of this audience who are primarily private sector.
How can private sector use this type of modeling,
this type of narrative storytelling, or this exact report
in their own efforts furthering the pursuit of cybersecurity?
On the one hand, the private sector uses a, you know, threat casting model a lot more frequently than the public sector does.
As an aside, it was developed in the private sector by a guy at Intel who sort of developed it in-house and used it, and then he spun it out.
And that's sort of where that came from. So the public sector, rather private sector, this would definitely benefit them in terms of thinking about risk.
Because that's sort of the big thing nowadays is, you know, where do you make your investments when, you know, we're on this knife edge type situation and it's going to persist for a decade.
So that's on the one hand.
And then on the other hand, as you said,
is the private sector cybersecurity industry is huge
and it's only growing.
Yes.
And it's only going to grow, most likely,
if I had to guess, you know.
That's a safe bet.
And so I think there exists massive capabilities.
And this is one of the findings in the report is sort of like private sector, end up calling them king makers because they have the scale and the capability and the speed and the efficiency and everything to make or break efforts in cyber.
Right.
But maybe it would help for them to read it to sort of think about how to approach and tell the narrative of their companies and their interests and tie that into the broader
national strategic, national security picture. So that's a bit of a vague answer, but hopefully
it gets to what you're asking. Well, to all of the cybersecurity king and queen makers out there, read the report then.
It sounds like there's some valuable information in there for you and the way that you can influence.
All right, we're going to take a short break.
And when we come back, Kevin and I are going to dig into the key findings and his recommendations from the report.
We'll be right back.
The White House Office of Management and Budget deadline for federal agencies to adopt some level of zero-trust architecture is this September 30th. Federal
agencies must move away from perimeter security architectures towards never trust, always verify.
Zero trust does not grant automatic trust to any user, device, or system. Every request for access must be authenticated, authorized, and continuously
validated. Keeper Security Government Cloud is FedRAMP and StateRAMP authorized and ensures that
users have complete knowledge, management, and control over credentials and encryption keys,
all with a zero-trust security framework. Want to see how Keeper can help your organization
achieve zero-trust? Schedule a demo or request a trial today by visiting keeper.io slash gov.
That's keeper.io slash gov. And our thanks to Keeper Security for sponsoring this episode.
So, Kevin, I want to give you an opportunity to cover what were the key findings from this report.
We'd really like to understand the major takeaways.
Yeah, I'll hit the key findings and then also the recommendations, which is only three, but findings wise, we had four.
And the first one is that this idea that third party cyber, we end up calling them king makers,
queen makers, like we were just talking about. And these are folks and institutions and agencies
between the two major contestants right now,
US and China, for, you know,
unfortunately, it's the way it is.
But there's these two groups of kingmakers,
on the one hand,
that can sort of make or break these efforts
that are going to be central to working with
and organizing and balancing to make anything happen.
So on the one hand, you have technological ones, and these are the companies, the cybersecurity industries,
but also the infrastructure providers, the folks actually building the cables, the platforms,
that are de facto sovereigns in terms of making law adjacent decisions on what stands in the
information environment, for example. So you have all those in one bucket and then the other one
is the political one. So thinking here of Southeast Asia, you have this constellation of
extremely fast growing, young developing countries
with sort of a multi alignment strategy because they're reaping benefits from both sides
of this competition from our perspective here.
And they'll continue to do that and that's great.
It's a win-win situation as long as things don't spill
into conflict.
Right, yeah, of course. But that
being said, you know, a country like Indonesia, for example, Vietnam, making a strong stand, this
seriously shapes, um, the strategic environment. Um, and so that's one thing. Second finding: fragmented
regulatory authority is going to continue to compound regulatory lag.
So that's a slightly convoluted, but a simple idea is that there's a legal and political, legal and policy gray zone, right?
In terms of who's in charge in cyberspace.
So because it hits us kind of right in the intersection of all these different authorities.
It's a domestic legal problem.
It's crime in a lot of cases.
It's like crypto and ransomware and everything.
But then it's being launched
as part of an international campaign by an adversary.
So who's in charge?
We don't really know.
And so you have CISA, for example,
but that's a young organization.
They don't necessarily have all the capabilities
and authorities they need.
And so more established actors are stepping in
and the picture is just getting very complicated.
And the example we pull out here
is cybersecurity incident reporting laws
or lack thereof.
There's all these different laws.
Every state's got one.
And there are multiple federal agencies that have decided that they have the authority to make a new law about it.
And so they have.
And then courts are involved.
So it's a messy situation.
It will continue to be messy.
Third finding is that the irregular strategic competition
between the US and Chinese Communist Party
is going to set the overall parameters
for the use and development of cyber power.
And so this is basically just trying to underscore the idea
that conventional deterrence will hold for the most part.
We assess that it will.
And if it doesn't, you know, we're, you know.
We've got other problems.
Yeah, we've got a lot of other problems.
We're not going to be on a podcast talking, you know,
it'd be a different situation.
Right.
So the, you know, assuming conventional deterrence holds,
we're going to be in this situation that's a lot,
it resonates with the 50s.
And this sort of is another theme of the report.
We've kind of been here before the idea of the gray zone
actually first gets coined in the 50s.
So it's an old problem, but we're going to have
this sort of irregular warfare type situation
without the warfare.
So, you know, it's going to be dirty tricks,
sleight of hand, and subtlety, or lack thereof,
in this gray zone, and that will persist.
So that's sort of, and it's, you know,
the major two contestants are the U.S. and the Chinese Communist Party.
Sure, sure.
And then how about the, you mentioned there were the key takeaways,
and then recommendations.
So what were the key recommendations?
Yeah, recommendations.
The first one, it was unexpected but very interesting,
and that's that the U.S. should develop and operationalize
a distinct cyber economic trade and development strategy for the region.
Oh, okay.
Right.
So we have in the U.S., we say cyber is a functional thing,
and the Indo-Pacific is a regional thing.
And so we go at it from these two different perspectives.
But if you combine them, you know, cyber and cybersecurity is a development problem.
This is computers, computer networks.
These are expensive.
They require electrification.
They require all these things
that we take for granted in the U.S.,
but much of the world goes without
or is in the process of developing.
So there are efforts underway
in the Indo-Pacific economic framework
to sort of like tack on cybersecurity
as a sort of afterthought.
But they should be more centralized
because cyberspace is a unique domain
in that we're literally building it.
And so who builds it?
The rules they set when they build it,
configurations, this whole thing,
make the literal space of cyberspace.
So we can have a permanent uphill battle
or we can have like a level playing field.
Obviously, we want the latter.
Second recommendation is to rebuild and recenter political and information warfare capabilities
for the cyber competition. Cyber today we will probably talk about in five ways the same way
we used to talk about digital economy. It's, it's redundant. The whole economy has become digital.
There's not like a separate digital
economy now. So our cyber problems are just our regular political problems. And so in terms of
developing, being competitive in the space, it's going to require the government to speak with
a single voice consistently and hit on norms we want, behavior we want, this kind of thing.
And it's something that we lacked historically,
we still lack, and so we still need to develop it.
And then the final one is this idea
that we should work with allies and partners
to develop an Indo-Pacific cyber
and conventional open access intelligence clearinghouse.
In a permanent state of crisis, we're sort of tap dancing on a red line in the South China Sea all the time.
That's going to continue, that sort of cat and mouse.
But it's a situation where if country A doesn't have a clear idea of what happened in event X involving these two countries,
country B and country C or whatever,
country A and country B,
that increases the space for miscalculation,
misunderstandings.
Sure.
And the intelligence apparatus
and the way that it is organized and disseminated,
it's hard to get certain data
and certain information out there
if it's classified in the US.
You know, we have an institutional culture
of sort of going it alone,
not sharing with allies unless we absolutely have to,
but we've got to get faster at it.
And, you know, the sort of takeaway here is like,
maybe we should just circumvent this whole thing alone,
circumvent it altogether,
and build up a way to share this sort of,
you know, imagery, radio frequency, this kind of information from the ground up.
Because going through institutional reform and change, long process, difficult process.
So those are the three recommendations, Brandon.
Truly the hacker way, break down the problem into its constituent parts,
and why don't we just rebuild the whole thing?
There you go. Yeah, exactly.
Well, the report is a threat casting publication,
Cyber Competition in the Indo-Pacific Gray Zone 2035,
published by the Army Cyber Institute and the University of Texas.
We will have a link to that report in the show notes.
And Kevin, so great to have you on.
Thank you for filling us in. Brandon, really appreciate you having me on.
And that's Research Saturday, brought to you by N2K CyberWire. Our thanks to Kevin Lentz, team leader of the Cyber Pacific Project at the Global Disinformation Lab, for joining us.
The research is Cyber Competition in the Indo-Pacific Gray Zone 2035.
You can find a link and additional resources in the show notes.
We would love to know what you think of this podcast.
Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity.
If you like the show, please share a rating and review in your podcast app.
It really does help.
Please also fill out the survey in the show notes or send an email to cyberwire at n2k.com.
This episode was produced by Liz Stokes.
We're mixed by Elliott Peltzman and Trey Hester.
Our executive producer is Jennifer Eiben.
Simone Petrella is our president.
Peter Kilpe is our publisher.
And I'm Brandon Karpf.
Thanks for listening.
How are you managing your organization's passwords and secrets?
How can you enforce the security of all the passwords within your enterprise?
Earlier, we talked about Keeper
Security, but did you know that Keeper is much more than just a password manager? Keeper Security
is a FedRAMP-authorized, zero-trust cybersecurity platform that seamlessly integrates enterprise
password management, secrets management, and secure remote connections into one intuitive
platform. Trusted by federal agencies including the Departments of Justice and Energy, Keeper
is the leader in zero-trust password and passkey management, secrets management, privileged
access, secure remote access, and encrypted messaging. To schedule a demo or request a trial,
visit keeper.io slash gov. That's keeper.io slash g-o-v.
And our thanks once more to Keeper Security for making this episode possible.