The Future of Cybersecurity
Whitney Shepardson Senior Fellow, Council on Foreign Relations
Vice President, National Program & Outreach, Council on Foreign Relations
Robert K. Knake, CFR’s Whitney Shepardson senior fellow, discusses U.S. cybersecurity policy and internet governance in an increasingly interconnected world, as part of CFR's Academic Conference Call series.
Learn more about CFR's resources for the classroom at CFR Education.
FASKIANOS: Good afternoon from Washington, DC, And welcome to the CFR Academic Conference Call series. I’m Irina Faskianos, vice president for the national program and outreach here at CFR. Today’s call is on the record and the audio and transcript will be available on our website, CFR.org.
We’re delighted to have Robert Knake with us today talk to about cybersecurity. Robert Knake is CFR’s Whitney Shepardson senior fellow. His work focuses on Internet governance, public-private partnerships, and cyber conflicts. He is also an adjunct lecturer at Georgetown University’s McCourt School of Public Policy. From 2011 to 2015 he served as director for cybersecurity policy at the National Security Council. And in this role, he was responsible for the development of presidential policy on cybersecurity and built and managed federal processes for cyber incidents response and vulnerability management. He writes regularly for the CFR blog Net Politics. And you can follow him on Twitter at @RobKnake.
Rob, thank you very much for being with us. I thought you could get us started by talking about what exactly is U.S. cyber policy, how does it stand now, how has it evolved, and where is it headed?
KNAKE: Sure. Thanks very much, Irina. Let me start by making a minor confession. U.S. cyber policy is probably not something that has been clearly articulated in this administration. There is no national cybersecurity strategy. It is not something that this administration has focused on getting the message out about what policy actually is. But if you look back at what has happened and the evolution of policy over this administration and changes over this administration from the Bush administration, I think you can start to divine what that approach is, how it was arrived at, and why it is probably the best approach of the possible approaches that have been tried in the past and may be tried in the next administration. So I’m going to do a little bit here of defending what has been in this administration and painting a potential path forward for the next one.
The premise of the Obama administration on cybersecurity has been that the Internet is fundamentally a good thing, that it is something that has allowed for an unprecedented exchange of ideas globally, and it has allowed for a massive expansion in the economy, that it is in many ways something that we need to look at as wanting to preserve and extend the benefits of. We want to focus, in the words of the international cyber strategy, on an open, interoperable, secure and reliable Internet, that that’s the goal. So we have all these good things that come with the Internet. And then cybersecurity needs to deal with the bad things that also go over an open and interoperable network. And so the goal of cybersecurity in this administration has been to avoid doing anything that would fundamentally harm or fundamentally hurt the value of the Internet. Again, we want to extend that value. We don’t want to do anything that would decrease that value.
And so if you look back to the Bush administration, particularly to the last year, in 2008 there was something called the Comprehensive National Cyber Initiative. And this was an idea that fundamentally the best approach to cybersecurity was to take an intelligence-driven approach, it was to use the capabilities of the National Security Agency to create a veil of protection, not only for the federal government and DOD, but for the private sector, that essentially we would fight and win using intelligence. And I think that model turned out to be flawed, for a couple of reasons. But first and foremost, it really required a—would require a ubiquity of intelligence that has never been seen before and, post-Snowden, certainly will never be seen again. So I think that model has been quickly dispensed with.
Early in the Obama administration, there was a lot of focus on a military approach—the stand-up of Cyber Command, the creation of combatant units in cyberspace, and the idea that DOD could really make this problem go away, that we could use Cold War concepts like deterrence to address cybersecurity and vulnerabilities in the private sector. And that too, I think, has largely proven to be false. It turns out that it’s very hard to deter cyber criminals. It’s very hard to deter espionage activity. It’s not possible to create an umbrella of security for low-level threats that we see every day by threatening massive retaliation in cyberspace.
And then I think the last idea, which we come to and dismiss every time there’s a cyber crisis, is the idea that the federal government should simply be responsible for defense, that whether it’s the Department of Homeland Security or Cyber Command, that we should have government agencies sitting on the back of the Internet, looking at every packet, swatting down the ones that are bad, and allowing the private sector to go on about its business without having to invest in cybersecurity. And I think that model is flawed for a couple of reasons, and rejected for a couple reasons.
The first is technical. With the expansion of encryption, which I’m sure we’re going to talk about later, it’s really impossible to effectively use the backbone of the Internet as a choke point where you can stop bad cyberattacks. The second is that if you were to construct a system like that, it would also be about the best domestic surveillance system you can possibly imagine. The underlying technologies that are used for that kind of capability are also the kind of technologies that are used for lawful intercept, that are used for intelligence collection, and that are used for censorship by countries like China. So from that perspective, I think that seems like a bad idea.
And the final factor, I think, is just one is disruption. If you can imagine what a system like that would look like, it would be something comparable to TSA for the Internet. And that tends not to be a vision that many people who rely on the Internet to make their businesses run, to make their households run, to communicate with the friends and family like. The idea of government sitting in between, even for the benign purpose of protecting them, probably would introduce disruption and harm innovation in a way that would be bad.
And so what we’re left with is what the Obama administration has focused on, it’s the least-bad idea. And that is a private sector-centric approach. It’s the idea that private companies are going to have to protect themselves, and then government will do the things that only government can do. Government will engage in law enforcement investigations, diplomacy, the use of sanctions, intelligence collection, and information sharing of that collection—a handful of things that only government can do. And so the way I usually capture that approach is to call it the Home Depot model, right, if you’re familiar with the ad campaign from a few years ago: Home Depot, you can do it, we can help. In the case of government, what we’re talking about how is the idea that the private sector has got to be responsible for protecting themselves. And government’s role is going to be to support them and to nudge them along, to correct market failure, but not to take over security.
So let me end here, trying this back, very briefly, to Internet governance. Sometime next fall, with any luck, the Department of Commerce will end a contract for the IANA functions, the functions governing at a global level the Internet domain name system. Once that happens, and knock on wood that it will, that’ll be the end of a 30- to 40-year period in which the U.S. government has had a role in managing the Internet, in which the government has been transitioning out of that role to the private sector. So I think from that perspective, when that completes, the last thing we should want, as users of the Internet, as companies that operate on the Internet, as universities that allow on the Internet for research, is to invite government back in because of cybersecurity.
So let me wrap up there and turn it back to Irina. I’ve given some brief overall comments, but happy to take this in any direction. I’m sure somebody’s going to ask about Apple and the FBI. Happy to get into that, or whatever anybody else wants to discuss.
FASKIANOS: Right, Rob. Thanks for that overview. And let’s open it up to the students on the call.
OPERATOR: Certainly. At this time, we will open the floor for your questions.
(Gives queuing instructions.)
And we now have our first question, coming from Washington University’s School of Law.
Q: Hi, Mr. Knake. This is Ben Shantz from Wash U. Thank you so much for being on this call today.
The question we had was regarding the upcoming potential congressional decision to change the U.S. government’s role in Internet governance through changing the role of IANA. And I was wondering if you could talk a little bit more about that, and what potential changes overall that would have for the U.S. government’s Internet governance policy.
KNAKE: So this is one of the really, really fun issues, where it doesn’t actually look like the Obama administration needs Congress’s authority to transition these IANA functions. This was a contract that was established in the Clinton administration with the intent, always, that it would eventually and the functions would be taken over by the private sector. And so there’s no grounding in statutory authority for these functions. And so for Congress to somehow block this transition really would require that they pass a bill that the president signs. So they would have to attach it to as a rider to something that the president simply said I have got to sign and there’s nothing I can do about it.
And I think that’s unlikely to happen. I think this has been a bit of a political football, but it’s an issue that nobody really cares that much about. At a very surface level there’s been a reaction to it, which is, you know, we invented the Internet, we own the Internet, we should control the Internet, American supremacy, sort of rah, rah, rah is best I can describe it. And then I think when people dig into the issue and they realize that this contract is a zero-dollar contract, that the U.S. government has never paid any money for the performance of these functions, that it has simply assumed that it had this authority to carry out these functions and to contract for it, that there will be a quick move to put up some legislation, have it rejected, and move on.
The really interesting problem here that I think people in Congress are coming to understand is that there is no reason from a technical perspective why the root could not be split apart, that if we don’t go through with this transition and get it firmly in the hands of a private sector non-profit organization that’s beholden to no country, that China, the Russia, that possibly India joining with them, might say, OK. And we’re no longer going to play on your root system. We’ll establish our own root. And that’s what we call breaking the root. And that would be a very bad moment for the Internet, right? That would mean that we would fundamentally go from a single, global, interoperable Internet to at least two systems. And so I think when Congress comes to understand that this is not something that the U.S. government can necessarily hold on to, or wants to hold on to, they’re going to back away from it.
The last thing I’ll say on this is that I looked at this issue when I was in government and could not come up with a single instance in which the U.S. government had vetoed any changes to the root zone file that were proposed and accepted by ICANN, administrating the IANA function. They simply had never been that. It had simply been a checking the box exercise going back over 15 years.
FASKIANOS: Thank you. Next question.
OPERATOR: Thank you. Our next question comes from Adelphi University.
Q: Hello. This is Greta (sp) from Adelphi University in New York.
It was recently on the news that the Bangladesh government central bank accused the Federal Reserve that it is not doing a good job, that somebody hacking the Federal Reserve system because a billion dollars got stolen. And so in terms of the important role that New York plays in the world financial system, would you think, in the financial aspects, how can U.S. improve the cybersecurity? Thanks.
KNAKE: So, full disclosure, I haven’t seen this incident. It hasn’t popped up on my radar. I think what I will say on the financial sector in the United States is that we’ve been in an interesting situation in which the financial industry is the most heavily regulated industry for cybersecurity in the United States. And that focus has initially been on making sure that individual banks as enterprises are secure, and that the deposits at individual banks are secure, to protect the individual consumers and commercial clients of those banks. What we’re now seeing is a recognition that while the banks are not competing on security, they’re addressing those customer base concerns, regardless of what the regulations say. And they’re going well-beyond, in many cases, what regulations require.
What the financial regulators in the United States, including the Federal Reserve, are now concerned with are so-called systemic risks. What are the problems that could cause systemic meltdown caused by a cybersecurity attack? Where are the seams within the financial services industry that could be targeted, that no individual bank is responsible for? And so the new focus is on trying to understand those systemic risks and then trying to come up with mechanisms by which regulators can address these problems, even though those problems inherently require cooperation among the banks rather than a set of regulations for the banks. So I hope that answers your question, at least to a degree.
FASKIANOS: Thank you. Now, next question for Mr. Knake.
OPERATOR: Next question comes from Indiana University.
Q: Hi, Robert. This Dr. Matthew Bradley, IU Kokomo. Very nice overview.
A quick question, what role do you think Interpol will play in terms of policy, in governance, in the short term, long term, and so on, especially in regards to individual sovereignty, country sovereignty?
KNAKE: The role of Interpol is this long debate and question, right? Why isn’t Interpol a more effective mechanism for bringing together law enforcement internationally on cybersecurity? And I don’t know an answer to that. In principle, it should be the organization that solves a lot of the long-simmering problems on international cooperation, on law enforcement. But it hasn’t fulfilled those functions. So a brief background here is that when cybercrimes are committed, say in the United States, from somebody, say, in France, right, the process by which law enforcement cooperates on those issues are bilateral, right? They’re through mutual legal assistance treaties, two-party treaties, some that date back to the 19th century between countries.
And there really is no international system that exists, either through Interpol or through the Budapest convention, for validating and verifying these requests, for transmitting the information in a secure manner, and really, I think one of the most important functions, being the cop in the middle that monitors countries’ compliance with these requests, right? There’s nobody keeping score in the middle. And that’s something that, for a long time, people thought Interpol really should play.
So I’ve been in what we call track two diplomacy with China, where there have basically been shouting matches over facts, where the Chinese government stands up and says: We’ve made 175 requests this year to the United States for information on cybercrimes committed in China traced to IP addresses in the United States. And we haven’t heard anything back. And then the FBI attaché stands up and says: That’s not true. We received 64 requests and we responded to 40 of those, which have dual criminality, where we legally can respond. And the other 22 address issues that lack dual criminality—things like—that are protected by freedom of speech in the United States, not in China.
And there’s nobody referring that in the middle. What happened, I think, as part of the post-Snowden effort, is it really came to light that in many ways the United States was really unresponsive in this space, that when a foreign government makes a request for information stored by a U.S. cloud provider in the United States, it takes, on average, these are recent numbers, 10 months to get a response to that. And so if you’re trying to investigate a crime in Paris and you need information that’s stored in Google in the United States, that’s just an unacceptably long period of time. And so the thought is an organization like Interpol or something modeled on the Financial Action Taskforce could serve that purpose. But as yet, to date, it has not.
Q: OK, thank you.
FASKIANOS: Thank you. Next question.
OPERATOR: Thank you. Our next question comes from Robert Morris University.
Q: Hi. My name is Brendan Adams from Robert Morris University.
My question was: Due to the change that they want to—that ICANN wants to effect from IPv4 to IPv6, what with the financial costs on the private sector, would it be more beneficial for the federal government to send financial aid to these private sector companies to assist them financially to assist them financially in switching over from IPv4 to IPv6?
KNAKE: You’re raising one of the more interesting questions in public policy in terms of what the role of government is. I’ve been really, really surprised as I look at the cybersecurity statements that have come out, particularly out of Republican candidates this time around. And you see almost zero interest or zero support for the idea of using what is often a very popular public policy remedy for problems, which is tax incentives of some kind. There has been across the board no effort to say we should have any kind of tax incentives in any manner for buying cybersecurity equipment, for—and I think touching on your point—upgrading old IT systems to newer and more defensible IT systems. There’s been some talk—if you go back to the financial crisis and the stimulus, there were efforts in other areas that would mimic these kinds of transitions, the so-called Cash for Clunkers Program.
And I think what we’ve seen on the federal government right now with the IT modernization fund is a recognition that for cybersecurity to truly be effective it’s not just about buying IT products. It’s about modernizing IT so you have defensible architecture, so you have—you get rid of your legacy systems which are almost impossible to protect, or you’ve really got to find a way to awkwardly bolt on security rather than bake it in. And so from that perspective, I’ve been surprised that nobody has come out and said: We should have some kind of incentive to spur IT modernization for the purpose of cybersecurity.
One of the most interesting trends we’re seeing right now is that cybersecurity budgets are up across the board in the private sector, but IT budgets are flat or declining. So money is coming out of IT modernization and going into cybersecurity. And that’s probably the exact opposite of what we want to have happen. What we’d like to have happen is cybersecurity budgets go up at the same time as there are efforts to modernize the legacy IT systems that run everything from our financial industry to our power grid.
FASKIANOS: Thank you. Next question.
OPERATOR: Thank you. Our next question comes from St. Edwards University.
Q: I hope this is on topic, but speaking as a content creator and a fan of many content creators online, particularly those who create derivate content, I was wondering if you had any statement on the current state of Internet copyright law, and the Digital Millennium Copyright Act, and how you see that going forward.
KNAKE: That’s a little bit out of my area of expertise, I’m sorry to say. It is a very, very good question. And I think Karen Kornbluh at CFR would probably be the right person to answer your questions on that.
FASKIANOS: OK. Next question.
OPERATOR: Thank you. Our next question comes from University of Puget Sound.
Q: Hello. I was wondering if you could touch on kind of the efficacy of the United States with regards to cyber conflict, and if there’s any role for a greater use of maybe private companies in that policy.
KNAKE: This is one of my favorite topics, because I think there’s always this natural inclination to want to hit back, right? If you’ve been hit, you want to go bloody the nose of whoever hit you. And I think what we found is that from a tactical perspective, that’s not a terribly useful response. The way that modern cybercrime is carried out makes it very hard to, in a timely manner—in a timely manner, trace the attack back to its origin and be able to inflict any kind of damage in real time on those who carry it out.
That’s not to say that we have the problem many people perceive in terms of ultimately determining the attribution for a cyberattack. I think we’ve gotten very, very good at that. If you look at the evidence of the last couple years, right, we’ve gone from being able to identify a cyberattack as originating, say, in China, to being able to say it originated at this building in Shanghai, to being able to say it was these five guys, here’s what they look like, here are their hacker handles, here are their photos, and here are their names, ranks, and serial numbers. So from that perspective, we’re able to do attribution.
What we’re not able to do, say, is if you’ve got your network under attack, and somebody exfils data out of it, it’s almost impossible to able to trace that back in real time, get back to where they stole that data, and erase that data—which many people have held up as here’s what you would want to do with cyber offensive tools. And the reasons for that is the way that these groups operate, right? They hop from hot point to hot point, from compromised system to compromised system. They’re using virtual machines all along the way. They’re rolling up that infrastructure as soon as they’re done with it, and then they’re taking any information that they’ve stolen off the network. They’re putting it onto a thumb drive and then they’re walking away.
So your ability to get back to the computers that they used and destroy them to try and destroy the data is a little bit like the equivalent of firing a missile into an empty tent, right? It’s not going to be an effective tool. What it might be effective at, but I think is very dangerous to think in this way, would be to try and create some kind of strategic effect, right, that companies that are targeted by cyberattacks might hit back with the intention of causing harm or causing similar pain.
And I think the reading generally in the U.S. government, in the Department of Justice, and in the Department of Defense is that’s really not something that we want private companies to engage in. We don’t want private companies starting wars that the United States is going to have to finish. And so that activity remains, in the views of this Department of Justice, against ECPA and against treaty obligations that we have made to criminalize that kind of activity. And I don’t foresee that changing. I don’t think it’s an effective way to deal with a problem. And I think it would have very dangerous implications internationally.
FASKIANOS: Thank you. Next question.
OPERATOR: Thank you. Our next question comes from the University of Texas at Austin’s Lyndon B. Johnson School of Public Affairs.
Q: Hi. So I was wondering if you could comment on the budget for cybersecurity within the government, and how you might know if we’re spending the right amount. So the budget had been soaring incredibly fast over the past decade. Next year it’s up, you know, 35 percent over last year in the president’s proposal—up to $19 billion, plus the revolving fund that’s being established. And how would you know, other than that the idea is to send a signal that we care about this, if $19 billion was a plausibly appropriate amount to spend?
KNAKE: So I think it’s really important to break down what that—what that money is being spent on, where that proposal is. So as you mentioned, of the 19 billion (dollars), 3.1 billion (dollars) is proposed for IT modernization. That sounds like a lot. When you look at the size of the federal enterprise, it’s actually not, just in terms of the numbers of users, the numbers of systems, and the amount of data being held. If you talk to Tony Scott, the White House CIO at OMB, he’ll tell you that he thinks that the IT modernization need is more like 15 billion (dollars). So this is really just asking for a down payment on the IT modernization needs.
Much of the rest of the budget is taken up by the Department of Defense, which I think signals in many ways where a lot of the priority has been in the past few years, and in the past budget cycles. So what we’re seeing is more money being put towards defense versus offense. I think that is a good sign. I think that Cyber Commander has a very, very important mission to play on a very bad day—the kind of bad day in cyberspace we really have not seen yet. And yet, while we need to be prepared for that, there’s this everyday continuing onslaught that’s really best dealt with through investments in cybersecurity.
And so when you break down the budget, a lot of the money—the new money is to go to federal agencies to protect them, to keep the kind of data losses we’ve seen out of State, out of OPM, and out of the White House from happening. Where there really isn’t enough spending at this point, in my mind, is on the government’s role in supporting the private sector. That’s a very small percentage of what the Department of Homeland Security does. It’s a very small percentage of what the sector-specific agencies, like Energy and Transportation and Treasury, do. So I think we need to increase the spending in those areas.
The last point I would make is I think a lot of people look at these numbers and they say they’re just so huge, how can the federal government spend this amount of money and be insecure, is really to understand the scale of it. So if you look at what we know about the company that has been the most public about their cybersecurity spending, JPMorgan, right, they’re spending now, I believe, $600 million a year on cybersecurity to combat the level of threats that federal agencies have. That sounds like a lot of money, but it’s out of a total IT budget—these are publicly available numbers in their filings—of $9 billion. So you’re talking about less than 10 percent of their IT budget goes to securing that IT against the worst threats in the world.
You look at an agency like the Veterans Administration, which is about the same number of employees—250,000 employees. It holds the kind of data that is incredibly valuable to both nation-states and criminal organizations. Their IT security budget is about $100 million a year. So we can beat up on the VA all day long for failing to protect veterans’ information that is valuable to these adversaries, but we’re not resourcing anywhere near the way that private companies facing similar threats are being resourced. So I still think that there’s a big gap. But the target I would give would be to say, given all the legacy systems, we need to be looking for federal agencies on somewhere on the range of 6 to 10 percent of their IT spending needs to be going to cybersecurity. And that’s on top of what I think are some capital improvements that need to be made under this IT modernization fund, which I hope Congress will pass.
FASKIANOS: Thank you. Next question.
OPERATOR: Thank you. Our next question comes from Georgetown University.
Q: Hi. Yes, thank you so much for being on the call. My name’s Alyssa Welsh (sp). I’m a second-year Master of Science and Foreign Service candidate here at the School of Foreign Service.
My question is regarding the intersection between cybersecurity and national sovereignty. When do we draw the line? For example, I’m thinking with the case of Estonia, if Russia were to attack the Estonian government’s records online, could NATO invoke Article 5?
KNAKE: This is a really interesting topic. And it’s a bit of a fun one. If you look at statements out of this administration, there is a bit of schizophrenia on this issue, right? We don’t want to recognize an absolute right to sovereignty on the Internet. At the same time, we make pronouncements about the right to sovereignty for our own Internet space, right? So the obvious example here is China, right? China starts talking about absolute right to sovereignty, and we talk about the Internet as being open, interoperable, and global, right?
We then, when China does things like attack the Internet servers of Christian Chinese groups in the United States, or the Falun Gong, we say, hey, wait a second, this is our Internet space. We’re defining an IP address range as being in the United States, and with good reason. The servers are in the United States. At the end of the day, the Internet manifests itself in terms of physical means—either in terms of fiber optic cables or servers or radio waves, right? These are physical manifestations. And so from that perspective we’ve been a little bit schizophrenic on the issue of sovereignty.
Where I think we’re going really mirrors the shift that we saw post-9/11 on counterterrorism, where we began to asset that sovereign rights came with sovereign responsibility, that if you as a country were unable to secure your territory and keep an organization like the Taliban or al-Qaida from using your territory to launch attacks against the United States, that we, therefore, had a right to address that ourselves. And so out of that we’ve seen things like drone strikes, we’ve seen things like special operations forces, right? We’ve had these questions about what does it mean for Pakistan to be a sovereign country, if Pakistan’s incapable of keeping their tribal reasons from being used as a base for terrorism?
And so I think we’re seeing that same transition take place in cybersecurity, where we’re starting to look at the sovereign responsibility of countries, and what it means to use a foreign country’s Internet infrastructure to attack, say, a third party, and what it means in terms of being that third—that country whose infrastructure is used, and your obligations to that third party who’s under attack. So we’re starting to, I think, see a major shift in this area where we’re recognizing some responsibility to clean up your own cyberspace as a country.
And it’s an area where the rhetoric in the United States on this really hasn’t caught up with the reality, where we’ve been talking about the need for countries to be responsible actors in cyberspace, and yet we continue to host most of the botnets in the world, we’re the source of most command and control, where because we have so much computing infrastructure it is often taken over by adversaries and then used against foreign governments or foreign corporations. And so that’s an area where, I think, we’re going to see a major push in the next couple years to shift that, to make sure that U.S. cyberspace is not the source of most global attacks.
Every time we get into a discussion with the Chinese government or other governments about things like intellectual property theft, they always wheel around on us and say, well, you know, we don’t know who in our country’s responsible for this. We can’t possibly police all our cyberspace. And evidently, neither can you, given the fact that most of the DDoS traffic that hits us is coming from U.S.-based servers.
FASKIANOS: Thank you. Next question.
OPERATOR: Thank you.
(Gives queuing instructions.)
Our next question comes from Georgia State University. Please go ahead.
Q: Yeah, hello. My name is Shawn Powers. Robert, thank you for this.
I was curious, I know you were at RSA last week, where Secretary of Defense Ash Carter announced the creation of a Defense Innovation Advisory Board, which would be chaired by Eric Schmidt and work closely with the Pentagon, including new technology solutions and innovating the institution. I was curious to what you thought of the optics of this move. It seems that it could harm U.S. business interests. You know, Google in particular has lots of international business interests. And the closer they get with the Department of Defense, it seems to be problematic when they’re trying to break into markets like China and Russia. Thank you.
KNAKE: So what’s interesting about this, right, is you see—you see this schism in the federal government in terms of its relationship with Silicon Valley. And a lot of this has been reported recently in the press, right, where you have the FBI on one hand saying: We need to force Apple to help us gain information off of the San Bernardino shooter’s phone. And on the other side of it, at least according to The New York Times you had DOD saying, no, no, we can’t do that and we can’t do that for a lot of reasons.
We depend on iPhones. They’re all throughout DOD. They’re being used to contain information that if not classified is at least sensitive information in our NIPRNet. And so for that reason, no, we don’t want to do anything that might introduce a vulnerability. And we don’t want to do anything that, I think to your point, could compromise our relationship with Silicon Valley, where DOD is making a very concerted effort to make sure that the best and the brightest will play ball with DOD, will bring in technology to them, will want to take on some of the hard challenges that DOD has in the cyber space.
And so this is really a charm offensive that Secretary Carter has gone on with the private sector that, in the way it’s been couched, at least in the views of the companies that are participating, doesn’t actually threaten their market access in countries like China. It’s being perceived very, very differently than the FBI push on Apple, which is seen, if it succeeds, as something that could very much undermine Apple and other companies’ ability to sell in overseas markets. So it’s been very, very well done by the Department of Defense. I think Secretary Carter very much understands his audience in Silicon Valley, and has been able to pitch it to them in a very persuasive way.
FASKIANOS: Thank you. Next question.
OPERATOR: Thank you. Our next question comes from Syracuse University.
Q: Hi. My name’s Erica Mitchell. I’m a Ph.D. student in the I School.
And I read some of the pre-read stuff for this. And you’re asking for the private sector to do a lot of monitoring, but wouldn’t there be some constitutional concerns with them monitoring user computers for infection? I mean, what are the technical ideas behind that monitoring?
KNAKE: So I actually don’t think so. I’m not asking for it to be done on behalf of government, or to be done as an agent of the government, but that companies should take on this responsibility out of their own collective interest in improving cybersecurity. And so from that perspective, I think that the monitoring issues are dealt with a couple ways. Previously, it would simply be addressed through all those click-through agreements that we sign every single day anytime we do anything on the Internet.
Now, under CISA, the legislation just passed, it really makes it clear that companies my monitoring their own networks for a cybersecurity purpose, with or without the consent of their end users, that it no longer even requires even that their users consent to that, if it is for a cybersecurity purpose. So I don’t think that there’s a problem there from a legal perspective in moving in the direction. And there’s some very good evidence that programs like this have been very successful in stamping out botnet activity in the Scandinavian countries, Australia, and good evidence that Germany’s program is starting to turn a corner or that.
Your second question was on the technology to do that?
KNAKE: I mean, I think there’s any number of companies out there that are selling products that can detect botnet activity and help remediate it. I’d point to Damballa. I would point to CloudFlare, I would point to BitSight, which takes an interesting approach of—simply has a very large detection grid that is getting pinged constantly by botnets inside large enterprises, and consumer machines can therefore trace that back by IP address and time stamp to the individual ISP, and sometimes down to the individual company. So I think the technology is certainly there and certainly proven for a system like this.
FASKIANOS: Thank you. Next question.
OPERATOR: Thank you. Our next question comes from the Norwich University.
Q: Yes, hi. This is Eric Nakera (ph) at Norwich University.
Regarding what you said earlier about our shouting matches with China, with our current situation and competition and constant cyberwarring with China, how do you think this will affect our innovation in the next few years, and the future, which China and just overall?
KNAKE: So, I mean, it’s not—the story that’s emerging is not great news. If you look at what’s happened since the announcement and around the announcement, it looks like the main effect of the agreement last August for China to stop targeting U.S. intellectual property and sharing it with their countries (sic; companies) was to make the Chinese operatives be a little bit more stealthy, right? To say, OK, before we sort of would go with loud success. We would bang on a thousand doors, hope that we get into one. Go into one, suck everything out of it, and move on. They really didn’t care at all about getting caught. I think many times you can almost detect in the views out of the intelligence community on Chinese activity was an almost embarrassment on their part for their lack of operational sophistication. They seemed to take no pride in their tradecraft.
So I think what we’ve seen since then, at least if you look at the firms that have reported on this—CrowdStrike, FireEye—is that the activity has continued. It’s continued in a much more sophisticated, much more subtle way. And the real question is, does that mean that the scope and the scale is reduced? Are we effectively creating a situation in China—in which China has said, we really can’t be getting caught all the time, so therefore we’ve got to do fewer operations with better operational security, and make sure we don’t get caught? Or have they simply stepped up their game and the scale is as bad as ever and the intellectual property loss will be as bad as ever? And that’s, I think, something we don’t have a definitive answer on yet.
FASKIANOS: Thank you. Next question.
OPERATOR: Thank you. Our next question comes from Washington University School of Law.
Q: Hi. Thank you, again. We had a brief question going back to the likely, if your view, switch to—you know, changes to how the U.S. does its policy with IANA roots. Do you view that transition or its likely outcomes to be similar to what the current state of internet protocol administration is, where you have kind of continental, regional administrators in ARIN and RIPE NCC and some of these others? Or if not, how do you see that manifesting when the change likely occurs?
KNAKE: I think, honestly, this is going to look like—in terms of the way that the process flows now, right, if you are China, right, and you want to make a change to where a request to your top level domain point, right, to the IP address, right, you send that request into ICANN. ICANN validates that you have the right to make that request. They then push that request up to the Commerce Department to validate that at NTIA. Then they push that, if NTIA says OK, it goes back to ICANN, and then ICANN pushes it to Verisign to be updated in the root zone file.
I think the ultimate outcome when this is done is we’re just going to cut out that middle step. It will go into ICANN. ICANN will validate that the request is legitimate. And then they will push it to Verisign and it will be published. And it will not actually be any more significant change. I think when this transition happens, this will fade into the background and become the kind of thing that nobody ever thinks about, where there really are never any disputes about this. I think we’re not going to see the kind of shenanigans that many people worry about, like countries making requests for other countries’ top level domains, trying to knock them off the Internet or route their traffic through it.
I think this is going to become—this is a dangerous analogy because it lends itself to moving this to the U.N.—but it will become the same way that nobody really is in dispute over country codes for dialing internationally. It’s simply something that no matter what is going on in the world, nobody tries to knock a country off the international phone system. And so I think the way that it will work is as it does today, just without that extra, and largely useless step, of the U.S. validating those changes.
FASKIANOS: Thank you. Next question.
OPERATOR: Thank you.
(Gives queuing instructions.)
Our next question comes from Robert Morris University.
Q: Hi. My name is Jason Fusabong (sp).
And my question is, what is your opinion towards shared responsibility for private companies in the event of a breach?
KNAKE: When you say shared responsibility, you mean between government and the private sector, or between government—
KNAKE: OK. So this is a really interesting space. Suffice it to say, sometimes this spring there should be a new presidential policy directive that will outline what the government’s role is in responding to these kinds of incidents. And the sneak peek on that is I think the policy’s going to come out, and it’s going to say that private companies are responsible for the asset response. They are going to be responsible for securing their own network, for doing the forensics on their network to figure out how the intruder got it, and to figure out what they need to do to protect themselves moving forward. That’s going to be a private sector responsibility.
Whether that’s done in house, whether that’s done by managed security service providers, whether that means calling in Mandiant or CrowdStrike or Stroz Friedberg or PwC that will be up to the private companies, right? It’s not going to be a situation in which U.S. or the FBI or NSA’s blue team shows up and says, OK, we’re the government, we’re here to help. We’re going to put our fingers on your keyboard and we’re going to protect your network, right? The government’s role has really emerged to be one of threat response. OK, you do the forensics on your network. We need that data. We’ll take that data. And we’re going to figure out who is behind it.
And if it was a criminal activity, that will be pursued through law enforcement channels. And if it was a nation-state activity, that will be pursued through possibly military channels, possibly diplomatic channels, possibly law enforcement channels if the activity looks more like crime than traditional espionage or military action. And so I think the short answer is that private companies will remain responsible for their own protection and their own remediation post any event. It comes down to some really, I think, hard facts on the ground, which is that there’s simply no way for the government to judge the market size or the need for the government to actually take over that responsibility, right?
If the government was going to say, OK, we’re going to have enough teams at US-CERT that we can go in and do remediation anytime any company in the United States is hacked, that would be a massively sized organization that would have to be throughout the country. It would also be hard to know what the demand for those services would be. And so the answer has been that it’s really something that is best left to the private sector, and for market forces to determine.
The last point on that, and the reason that I think government has really resisted taking on that role, is that free services from government tend to really undermine markets, right? And if you know that the government’s going to come in and clean up your network and protect you, you’re going to not be very well-incentivized to make the investments to stop an incident from occurring in the first place.
FASKIANOS: Thank you. Next question.
OPERATOR: Thank you. Our next question comes from Norwich University.
Q: Hi. Good afternoon. My name is Michael Penn from Norwich University.
And I have a question regarding the structure—regarding the U.S. government’s intelligence information structure and its deployment strategies. I’m going to read a short excerpt from a CFR interview regarding Jeh Johnson on U.S. cybersecurity readiness, if I could do that, from one of his critics: Is one of the vulnerabilities of our reliance on contractors—he’s referring to the OPM hack last year—OPM’s reliance on contractors for security clearances.
So again, “Is one of the vulnerabilities our reliance on contractors—OPM’s reliance on contractors for security clearances?” And he says, “I would not—only in the sense that the more systems on which you have to rely to be the custodians of sensitive information, that’s a vulnerability. If you have to rely on five systems versus one to be the custodian of sensitive information, that’s always a vulnerability just by sheer virtue of the numbers. But I would not—I would not say that reliance on private contractors in and of itself creates a vulnerability. It might provide a lot of expertise, in fact.”
So he seems to outline two issues. And it seems to be a structural issue and a deployment issue on actually getting good talent for cybersecurity in government. So my question would be, with the—with the establishment of these new agencies to kind of close the gap on bloated government, like CTIIC and the NCCIC—much, much longer ago NCCIC and the US-CERT—what solutions does the U.S. government have to improve its structure and its high-talent employment strivers?
KNAKE: So the recruiting challenge has been something that I don’t think the federal government has cracked. And I think, to your point, when you look at a lot of the most capable organizations in the U.S. government, many of the people staffing those positions are coming in through contracting positions simply because they can be paid closer to market rates, though not at market rates, if they come in through contractors. And so that’s largely been the solution thus far.
The bigger problem is that even at what private companies are willing to pay for cybersecurity, there hasn’t been enough of a draw into the space. Those salaries haven’t addressed the market failure to produce enough technically minded, technically savvy and sophisticated cybersecurity operators. So this is a space where what I’ve been looking at when I was in government and since is, OK, well, paying more money isn’t simply drawing more people into the field. What’s the problem? And the trace back seems to go to—all the way back to junior high school and high school. We start off with too small a pool of people who are interested in STEM. We get to college, where we have too small a pool of people interested in computer science, and only a fraction of those are interested in cybersecurity.
So one calculation that a friend of mine did was that the open positions in the federal government for cybersecurity that require, at least on their surface requirements, a bachelor of science in computer science or similar degree, equals the total number of computer science graduates in the United States every year. And so from that perspective, we’ve got to come up with a different model of how we address this skills shortage. In other fields, we’ve been able to do that successfully. In cybersecurity we’re having a much harder time, right?
And so in the medical field, for instance, we have post-Bachelor degrees in medicine, in pre-Med, that can give you what you need to go into medical school. And it always surprises me that, god, you know, there are people who get through college, they spent four years studying English literature, and then sometime in their late 20s they decide they want to become a doctor. And they go back and they do two years post-Bach work, and then seven years of medical school, and almost when they’re 40 they come out of that process and are actually doctors.
We don’t have a process within cybersecurity that enables that. I think our best hope within government is going to look at what Cyber Command is doing, right? In other areas—nuclear power, commercial aviation—we’ve seen the military train people from the ground up and then move them into the private sector once they’ve completed their military commitments. So I think we’re likely to see that as a—as a model in cybersecurity.
What I always go-to on this, just to think about the way the training used to work in this space, is the nuclear navy, where it does not matter if you got a Ph.D. in nuclear science from MIT. That doesn’t matter if you want to join the nuclear navy. What matters as a prerequisite if you want to be an officer, is that you have two semesters of calculus. That’s the basic technical requirement. And then they teach everything else. If you’re on the enlisted side and, say, you just did very, very well on your entrance exams and you’ve shown high aptitude in the areas that are necessary in order to become a nuclear—a nuclear sailor.
And so I think that’s the model we’re likely to see in cybersecurity. I think Cyber Command is well on its way establishing the curriculum to be able to do that. What I’d like to see is the federal agencies on the civilian side start up a similar program for the large portion of potential hires in this space that aren’t going to be inclined towards military service, but might be inclined to work at somewhere like US-CERT or HHS or a federal civilian agency.
FASKIANOS: Rob, thank you very much. And thanks to all of you for your questions. We are unfortunately out of time. So we will need to end, but I think that’s a terrific way upon which to close. So thank you, Rob Knake, for doing this.
KNAKE: Thanks, Irina. My pleasure. Thank you all for the wonderful questions.
FASKIANOS: And again, you can follow Rob on Twitter at @RobKnake. It’s spelled K-N-A-K-E. And I hope you will join us for our next call on Wednesday, March 23rd, from 12:00 to 1:00 p.m. Eastern time. Michael Fenzel, this year’s U.S. Army military fellow, will talk about countering transnational threats. So please join us. You can also follow the Academic Outreach Initiative on Twitter at @CFR_Academic for information on CFR resources and upcoming events. So thank you all, again, for today’s conversation.
More from this series
Mary Elise Sarotte discusses the role of German leadership in Europe and the world.
Elizabeth N. Saunders discusses the foreign policy issues facing the Trump administration.