'Dark Territory: The Secret History of Cyber War'
Fred Kaplan discusses 'Dark Territory,' his book on the untold story of the officers, policymakers, scientists, and spies who devised a new form of warfare – cyber war – and who have been planning (and, more often than people know, fighting) this kind of war for decades, from the 1991 Gulf War to conflicts in Haiti, Serbia, Syria, the former Soviet republics, Iraq, and Iran.
The CFR Fellows' Book Launch series highlights new books by CFR fellows. It includes a discussion with the author, cocktail reception, and book signing.
LINDSAY: Good evening, everybody. On behalf of Richard Haass, the president of the Council on Foreign Relations, I want to welcome all of you tonight. Thank you for coming, particularly leaving the absolutely gorgeous weather we have outside to come inside for this talk. I am Jim Lindsay. I am the director of studies here at the Council on Foreign Relations. I also want to thank everyone who is joining us via the Internet as we livestream tonight's event. You're in for a real treat, as we have a very timely and important discussion. Tonight's guest of honor is Pulitzer Prize-winning author, Fred Kaplan. Fred holds a Ph.D. from MIT, and he writes the War Stories column for Slate. Last year he was the Edward R. Murrow press fellow here at the Council. And we're all here tonight to celebrate what Fred was working on during his year at CFR, namely his new book, "Dark Territory: The Secret of Cyber War."
KAPLAN: Secret history.
LINDSAY: Secret history, excuse me. I've been corrected. "Secret History of Cyber War." So please join me in welcoming Fred Kaplan. (Applause.)
KAPLAN: Thank you.
LINDSAY: Because last time I threw my stuff on the floor, so. Congratulations, Fred, on writing the book and completing it.
KAPLAN: Thanks.
LINDSAY: I read it over the weekend, couldn't put it down. So let me begin with sort of the obvious question posed by the title, what is dark territory?
KAPLAN: Ah. Well, you know, this is my fifth book. And each time I write a book, I say to myself, the title will emerge in my notes, and it never does. But this time I was going through my notes of an interview with Robert Gates, and he's talking about how when he first became secretary of defense and he was getting these daily briefings about how many cyberattacks were coming into the Pentagon.
And he goes to some of his associates and colleagues and he says: Look, you know, we need to get together with the major cyber powers and figure out some rules of the road. You know, even in the worst days of the Cold War we had rules with the Soviet Union, like we didn't kill each other's spies, you know, things like that. We need to figure out what kinds of targets shouldn't be attacked with this kind of thing. And he said, and you know, because right now we are wandering in dark territory. And I said, there's the title of my book, dark territory.
But you know, I Google searched it because, you know, I didn't want to—I wanted to make sure I wasn't getting some euphemism for some obscene act or something. (Laughter.) And it turned out that dark territory is a term of art in the North American railroads to designate stretches of tracks that are not governed by signals. And I'm thinking, wow, now, that's a great metaphor for cyberspace. So I send him an email and said: Did you know this? And he said, oh, yeah, sure. My grandfather was a stationmaster on the Santa Fe Railroad in Pratt, Kansas for 50 years. We used railroad terminology all the time when I was growing up.
So that's kind of the theme of this book, that we are in dark territory. It's a subject that has been encased in extreme secrecy, because it has been enveloped in the National Security Agency which, you know, NSA used to—the joke that it stood for No Such Agency. You know, nothing goes in and nothing comes out. It's a black hole of the bureaucracy. And so nobody has been—nobody on the outside has been thinking about these issues. The Defense Science Board is just now—has a project going on to figure out what cyber deterrence means.
They're so primitive that at one point I was interviewing some guy for the third time, and he was pretty high up in intelligence, and he said: You know, what's your thoughts about cyber deterrence. I said, I don't know. I'm trying to figure out what anybody's thoughts are. And he goes, oh, that's too bad, because I'm on this DSB panel. I was hoping maybe you could join. And I'm thinking, if they're asking me—figuring on me to join this, which I wouldn't do anyway, but they must be in really sad shape.
LINDSAY: Well, let me ask you a question though before we turn to the substance, just on a matter of process. You just set out the fact that all of this is encased in a great deal of secrecy. So how does one write a book about secrets that presumably you're privy to?
KAPLAN: Yeah, well, you know, we all have our tricks. No, this was a tough one. This was a tough one, because—two things I didn't know going into this. One, is that the United States has been doing cyber offensive operations for a very long time. Number two, all of these things are, by nature, classified, because they're covert operations. I have to say, I mean, there were a few things—two things that I put together and had confirmed by ashen-faced officials that I decided not to include in the book. And one of which, I'm a little nervous that I even put it together.
But a lot of things—look, you know, you learn a little bit from this guy, and then a little bit from this guy, and then you mention to this guy and he thinks that, you know, a lot of stuff. You know, it's the usual things. But you know, this is a history.
LINDSAY: But you talked to a lot of people as well.
KAPLAN: I talked with over a hundred people, including six NSA directors, repeatedly—some of them helpfully. So, yeah, I got pretty deep. And you know, nobody's come to arrest me yet, so we'll see what happens.
LINDSAY: Well, I hope it stays that way.
KAPLAN: Yeah, me too.
LINDSAY: I was struck, one of the stories you begin with is a story I would not have expected to hear, and that involves a movie people of my generation or older may remember, called "War Games," which featured young Matthew Broderick and a computer named Jason, I believe. Can you tell me, how does that figure into your story?
KAPLAN: Well, this came as a surprise to me too. So the first weekend of June 1983, Ronald Reagan is up at Camp David. And he's watching movies. And one night, he watches "War Games." Everybody remembers "War Games"? OK. So, he gets back to Washington. There's a meeting in the White House the following Wednesday, not about this. It's about—actually, it was about the MX missile. Some of you might remember the perennial debate of the MX missile.
LINDSAY: Those were the days.
KAPLAN: Yeah, everything was so simple. At one point he puts down his index cards and says: Has anybody seen this movie "War Games"? Nobody had seen it. It had just come out. So he launches into this very lengthy plot description. And he turns to General John Vessey, the chairman of the Joint Chiefs of Staff at the time. And he says: General, could something like this really happen? Could someone just break into our most secure computer? And the general, I'll look into that, Mr. President—which is what generals say. And he comes back a week later and he says: Mr. President, the problem is much worse than you think.
And this led, a year later, to the first national security decision directive, NSDD 145, about communications security—about communications and computer security. And it said things like, you know, we face, you know, massive sabotage from foreign intelligence, from criminals, from terrorists, you know. Now, this took a little side turn, in that the NSA basically wrote this directive. And they wrote it in a way that essentially the NSA would set the standards for every computer in the United States—government, military, private. So there were some people on Capitol Hill who didn't take well to this, so they revised it so that NSA secures .mil, classified, and the Commerce Department regulates everything else.
Well, of course, you know, the Commerce Department doesn't—didn't know anything about this. They couldn't do anything. At the time, the NSA had no interest in patching up flaws or securing it. If there was a hole that they found, they would exploit it. So for the next decade, nothing basically happened. A little P.S. on the "War Games," if I can dip back into history a little bit, all of this—this goes back further than "War Games." At the dawn of the Internet, in 1967 the ARPANET was about to go up. It was about to roll out. And there was a guy named Willis Ware. He was a computer pioneer. He'd worked with Von Neumann at Princeton. He was the head of the Computer Science Department at RAND. And he was also on the Scientific Advisory Board of the NSA.
And he wrote a paper, it was secret at the time, that's been declassified since. It's a fascinating document. And he says, look, the thing about a computer network, when you have—when you have multiple access from unsecured locations, you're going to be creating inherent vulnerabilities. You're not going to be able to keep secrets anymore. And when I was doing my research, I talked with a man named Steve Lukasik, who was the deputy director of ARPA at the time. And said: So, did you read Willis Ware's paper? And he goes, oh, yeah, sure. I knew Willis.
And I go, well, what did you think? He said, well, I took it to our guys. And I said, what do you think? And they said, don't saddle us with a security requirement. I mean, look how hard it was to do this. It's like asking the Wright Brothers that their first plane has to carry 20 people 50 miles. And you know, let's do this one step at a time. And the Russians, they're not going to be able to do this for decades. Well, you know, it's true. It took them two and a half or three decades, by which time whole systems and networks had been sprung up with no provision for security whatsoever.
And so I see this as kind of the—you know, the bitten apple in the digital Garden of Eden. From the very beginning—the P.S. on "War Games" is that when the guys who were writing "War Games," who also, by the way, later wrote "Sneakers," when they were researching the script, and they heard about—they learned from some hackers about something called demon dialing or war dialing where, back in the days before the Internet, you had a computer program that would just dial every phone number in an area code, wait two rings, and if it's hooked up to a modem it would squawk and it would record what that number was. That's how he gets in.
So they're thinking but, you know, is this really plausible? I mean, certainly NORAD's computers, it's got to be a closed system. We better talk to somebody who might—so they—one of them lived in Santa Monica. And he called RAND. And he said, who can we talk to? And they hooked him up with Willis Ware. And Willis was a very nice guy. And he called them in. And he goes, yeah, you know, actually, it's funny. I designed the software for that computer. (Laughter.) And you know, you're right, it is a closed system. But, you know, there are some officers who like to work on weekends from home, and so they always leave a port open. And yeah, I guess, if somebody knew what that number was they could get it.
And then he said, you know, there's something that most people don't realize, and that is that the only computer that's completely secure is a computer that no one can use. And that was back in 1982 or '(8)3. And just a couple years ago, the Defense Science Board put out a paper on cybersecurity. And one of its lines, they talked about the inherent fragility of our architectures—inherent. In other words, you know, you could do lots of things. You know, things are much better now than they were before. You know, there are warning systems in place and so forth. But you know, every war game where they've had a red team trying to hack into the military networks, they always get in. They always get in.
LINDSAY: And your book recounts a number of occasions in which people got in.
KAPLAN: Yeah.
LINDSAY: Sometimes the good guys getting in doing red team testing, other times bad guys getting in, sometimes good guys watching bad guys so they can track the bad guys.
KAPLAN: That's right.
LINDSAY: I guess, but I want to come back to this issue of the subtitle of the book, cyberwar. Now, you've also mentioned the term cybersecurity. What do you mean by each and how do they differ, if they differ at all?
KAPLAN: Well, there is a fine line—I mean, one thing—very early on in my research I was talking to someone quite high up in intelligence circles. And I was going over some report where it lists the vulnerabilities of our systems, and different scenarios about how people can come in. And he said, listen, there's one thing that you need to realize, all of these reports, all of these scenarios, they're based on what we were actually doing to other countries. And then at some point, somebody says, oh, Jesus, somebody could do this to us at some point too. And that's where it all began. So we have not been, you know, innocent flower children in this arrangement.
Another thing about the fine line between—sometime in the '90s they came up with some terminology. There was CND, computer network defense. There was CNA, computer network attack. And then there was something called CNE, computer network exploitation. And that was where you just get inside the other guy's networks and see what's going on. And you could call this a form of active defense—in other words, we can't protect every single intersection between a network and the Internet. So the best way to do defense is to get inside the other guy's network so we can see them planning an attack, if they're doing an attack. It could be that.
Or, it's also just one step away from computer network attack. And so the difference between cybersecurity and cyberwar is largely academic, because—
LINDSAY: Well, I'm an academic, so I can ask the question.
KAPLAN: Yeah. (Laughs.) So if we're seeing the Chinese inside our critical infrastructure, or they're seeing us inside their critical infrastructure, what's going on here? Are we just poking around to see what they're up to? Or are we, from their point of view, or even from our point of view, planning an attack, and vice versa? Nobody knows. And even if they did know, it could change on a dime. So that's why this idea got held forth that it's all the same technology, it's all the same skills. There's only one agency that really knows how to do this, namely the NSA. And therefore the idea came about was to fuse—set up something called U.S. Cyber Command, have it commanded by the guy who's also the director of the NSA, have it headquartered at Fort Meade with the NSA.
And the frightening thing about this is that, you know, Cyber Command now has links with all of the combatant commands. They are recruiting thousands—tens of thousands of people to come join Cyber Command or the service affiliates. It's fast-growing money. There's money in it. You know, you go to West Point, you go to any of the academies, you know, where are you directing your elite students? Oh, cyber. Cyber, that's where it's happening. And in the meantime, you still have the Defense Science Board trying to figure out what cyber deterrence means, what this is even for, what the second day of the cyberwar looks like.
And you know, the thing about—the distinction between this and, say, nuclear weapons, is that with nuclear weapons there's a very thick bold red line between using nukes and not using nukes. And that's one reason why nobody's used nukes for a long time, because you don't know how to—de-escalation can go out of control very quickly. But there are a hundred—thousands of cyberattacks or attempted cyberattacks every day. Who knows what—one person's nuisance might be another person's grave national security threat. Even in this country, I mean, all the cyberattacks that's going on, what was the first time that a president of the United States said that he was going to retaliate against a cyberattack? It was North Korea's hack of Sony Pictures. That wouldn't have been predicted by anybody.
So, and at the same time, you know, we have also said that we reserve the right to respond to a cyberattack through non-cyber means, because a lot of these countries don't have much cyber to attack, right? They're not—
LINDSAY: We're more vulnerable than they are.
KAPLAN: Yeah. And so once you start doing this—it's like, we might have the best rocks to throw at their houses, but we have the most glassy houses that far-less capable rocks can do a lot of damage to, because everything is plugged into computers—military, society, everything. And, you know, do we really want to start something like this?
LINDSAY: But we're doing it right now, and it's being done to us, which leads to the next question.
KAPLAN: Yes.
LINDSAY: It's 49 years since Willis Ware said that any network is going to be inherently vulnerable. Last month, President Obama announced a national commission to look at cybersecurity. I take it from the book that part of the thinking is that maybe we should spend less time worrying about attacking and more time securing or defending against attack. So I'm sort of left wondering, where are we sort of 50 years into the computer age? How secure are we?
KAPLAN: Well, you know, when people—when friends of mine ask—you know, when they learned I was doing this book, they would ask, well, what do you do? What can I do? And I would say, look, you know, if what you're concerned about is a criminal, or just some punk, or just somebody trolling the net, there are things you can do to—you know, to be OK. It's like, you know, Scoop Jackson, I think, once said the Russians were like the hotel thief that goes around trying all the doorknobs. You know, you got to lock your door. You can get a good lock. You can, you know, have a burglar alarm. You know, there are things you can do.
But if somebody really wants to come after you. If there's something that you have that he wants, and he really knows what he's doing. And especially if he has the resources of a nation-state, and he has a lot of time. And he says, this is so important that I'm going to spend a lot of effort on this, there's really not a whole lot that you can do. And that's what—you know, right now the Defense Department has said in some of its recent statements, you know, the big buzzwords going around are detection and resilience. I mean, yeah, they're going to get in. So the idea is, make sure you have stuff set up so you see them getting in very quickly, and that you can do something about it. You can repel them, and that you can repair and recover from the damage very quickly.
So they've kind of—you know, there are lots of ways. You used to think, oh, all we need to do is to take this computer and disconnect it from the Internet. They called it an air gap. Then they figured out ways to get over the air gap. And so finally, you know, they just kind of—it's not like—they haven't given up to the point where they're just leaving the doors unlocked, and they're making ever-improved locks, but they assume that—you know, they start from the assumption that they're going to get in, and then what do we do? And let's focus on that. That's the big policy challenge.
LINDSAY: At this point I want to bring the audience into the conversation. So if you have a question, I would ask you first of all to please wait for the microphone. When you get the microphone, speak directly into it. Please stand, state your name and affiliation. And please keep your question concise so we can get as many questions on the table as possible. So if anyone wants to ask a question, otherwise I'll keep doing it. Sir.
Q: Hello. My name is Ben Freeman. I'm with Congressman Jerry Nadler's office.
I was wondering if you could talk a little bit more about the sort of seeming disconnect in skills and personnel. It seems that the NSA is amazing at this stuff, but then you also have hacks of the OPM office and now we're pulling the spies back from China because their identities are out there on the Internet. How is it that the—excuse me—that the NSA is so great at this, and then other agencies are falling behind? Is it training? Is it the right people claiming they have the skills, but not really having it? Cybersecurity is where the money is now, and everyone—like, after 9/11, everyone became a terrorism expert.
KAPLAN: Well, you know, the NSA—they don't have the legal authority to go protecting civil or even civilian government networks. You know, so this is very unsecured. I think in a hearing James Clapper was asked about OPM and he said, well, you know, that wasn't really a cyberattack. That was—that was an act of espionage, similar to things that we do once in a while, you know. Maybe he's right.
Now, in fairness, they've never really defined. I mean, one time Gates got so frustrated he asked his legal counsel: At what point do attacks like this become acts of war? And it took two years for an answer to come back. And it wasn't even really an answer. It was, like, yes, under certain circumstances this might constitute—but what that is, it's something that really legal counsel—it's beyond their paygrade, so to speak, to answer this question. But nobody's answered the question. Nobody knows.
But the NSA, well, an interesting thing that I found out in doing this, the NSA is flush with lawyers. And as much as the potential for abuse is staggeringly enormous, the actual abuse, it doesn't really happen that much. And part of the reason is—
Q: I was speaking more towards the technical skills involved. How is the NSA—
KAPLAN: Oh, I see. Well, because they have the money. They have the resources. They have the technology. You know, at some point the Homeland Security Department was given, OK, NSA protects military. Homeland Security is going to protect the civilian government. Well, you know, you're going to create a parallel NSA with the Department of Homeland Security. They don't have the money. They don't have the technology. They don't have the know-how. They don't have the history of doing this.
And you know, I don't mean to keep touting Robert Gates, but at one point he and Janet Napolitano, when she was director of Homeland Security, they kind of got together and they created this—they wrote a memorandum of understanding, where in the event of an attack on critical infrastructure, there would be a deputy director of the NSA that Napolitano would name. And he would be assigned to DHS. But in the event of an attack or something, he would have the legal authorities of DHS, but be able to draw on the technology of the NSA.
And there were meetings, they got together, and they were disasters because the DHS had no interest in doing this. Everybody at the deputy level of the National Security Council was kind of pissed that this arrangement was made without them. And so they—Napolitano did pick this one guy who would have been perfect for the job, but he wasn't given the authorities that he would need to do this. So it became just another layer. So you do have all these layers—these bureaucratic layers and these legal walls, some of which are there for a very good reason. And so, you know, that's why it doesn't transfer very well.
LINDSAY: Let me go over here to the other side of the room, if we may.
Q: Chris Miller from the Air Force Academy.
You just partially answered the question I was going to ask. But I'm wondering, as you talk to all of the folks you talked to as you researched this book, does anybody have a vision for how to solve that problem where NSA is taking care of the .mil and no one is essentially taking care, systematically, of the rest of the country?
KAPLAN: Well, you know, General Alexander's solution to this when he was NSA, and how it's become open-literature policy—they talk about it in very, you know, code-word terms. I mean, not classified code-words. But if you decrypt, so to speak, and you put into English what they're talking about, it's basically this idea, OK, we cannot sit on top of all the networks either legally—you know, over the years, the military has gotten pretty good at this, to the point where there are now only eight intersections between military networks and the broader Internet. And the NSA legally and technically can just sit on top of those networks.
Civilian government, they stop counting at, you know, 1,500. Broader industry, who knows how many? And you can't just sit on them. It's too expensive and it's not legal and so forth. So the idea is, what is said, it's CNE, it's computer network exploitation. Or the way it's stated in policy booklets is you detect the attack before it happens. And that means getting inside the other guy's networks. So that's what we're doing. We're doing cyber offensive operations, calling it—it's not called CNE before. They came up with some other acronym, because every new administration has to have its own acronym for the same thing that the previous administration was doing. But it's getting inside. And you know, we have to do a preemptive attack before they do.
I mean, it's a hair-trigger situation, basically. It's as if in the nuclear balance everybody had land-based ICBMs not 30 minutes but 10 minutes away from each other's territory, because this can happen instantaneously, you know. And that's—you know, that's the kind of perilous thing that, though perfectly rational analysis—I mean, what's needed and what can and can't be done—we've created a system with hair-trigger possibilities and no doctrinal—no strategic—you know, after the bomb was built, you know, there were some secrets about it, but everybody knew what it could do. Everybody kind of knew, the Smyth Report and all this, what it was made of, how much uranium different countries had, how many weapons they could build. And so people from the outside started thinking about strategy, policy, what does deterrence mean, what does a nuclear war mean?
That is not happening in this realm, because it's all been locked up with these crypto-people in the NSA who don't think about policy. You know, General Alexander was a brilliant computer geek. Had no interest in policy whatsoever. He was the first NSA director who understood this technology, really quite intimately. But his thing was faster, faster, more, and more. And this wasn't tied to—it had policy implications, but that wasn't his interest. And nobody else is able to really put the two things together.
LINDSAY: Sir, back there.
Q: Hi. I'm Liam McKenna with the Senate Homeland Security Committee, though not on their behalf.
I'm wondering if you can speak to attribution and how that might be more of a challenge in cyberwar than kinetic war, and whether that makes things more complicated.
KAPLAN: OK, attribution, figuring out who has launched this attack. Yeah, you know, with a ballistic missile, you can trace the arc of where it came from. They're getting much better at figuring out where it comes from than they used to be, because, you know, you can launch an attack, it can go through—you know, through this server, then through that network, then over to that network. And a lot of people in the old days, they used to—the original hackers, they would go through academic ports which had ties to military lines, which had ties—because the academic ports it was all about openness. Anybody could get in. MIT.edu was a favorite port of entrance of people coming in to hack military networks.
They're getting better at tracing these. And a lot of technology has developed that allows them to. But it's still not 100 percent. I will tell you a story, though, about how we know that it was North Korea that hacked Sony. And this is the kind of thing they can do now. Remember when it first happened and the FBI was saying, well, they used similar signatures to what North Korean hacks have done before, and we noticed the same kind of this and that. And there were some computer experts who, at least initially, doubted all of this, and said, oh, I don't believe North Korea did this. This looks like it was an inside job.
But what had really happened is that the NSA had so thoroughly infiltrated North Korea's networks, that—though, not in real time; nobody was looking at what North Korea was doing in real time. But they could go back through the files. And they could actually watch—the NSA people could watch on their monitors what the North Korean hackers were watching on their monitors while they were doing the hack. And it was that certain and that infiltrated. Often when China infiltrates—you know, hacks into military networks, they see what the Chinese are doing. Some military secrets that the Chinese have stolen aren't real military secrets, they're phony military secrets that have been put there, sometimes with little honeypots attached, with beacons so that we can trace as they go back, and then see what they do with it.
It's a cat and mouse game that has a lot of cats and mice running around, of all stripes, and into holes of various provenance. You know, and all of which, as I say, is incredibly secret. And it's been going for a long time. I have a chapter in the book about the first exercise that was done by the NSA, hacking into DOD networks. And they hacked into everything. But as they were roaming around inside DOD networks, this was in 1997, they found some French IPs wandering around in there, some real French hackers, which they were easily able to expel. And they kept that very secret. Even people who were briefed on this didn't know that. But this is 1997 French hacking into American computer networks. So you know, it's been going on for a long time.
LINDSAY: I'm going to go over here to the young woman.
Q: Hi. I'm Dawn Scalici with Thomson Reuters.
I was wondering if you could comment on the debate about the rights or lack thereof of the private sector to undertake offensive cyber operations in retaliation for attacks on their networks. Some have questioned whether or not this is the domain just for the federal government, or whether or not the private sector has any rights in this regard.
KAPLAN: Yeah, this is—this is an interesting issue that was hot for a while, and hasn’t—it hasn’t been talked about much lately. But yeah, let’s say you’re IBM or something, and somebody has launched a major cyberattack on your stuff. And you know where it came from. Because, you know, there are—there are really quite good information assurance departments inside these corporations now, some of which, you know, are populated by people who used to work at the NSA or the Air Force Information Warfare Center, or places like that. So they know what they’re doing.
And some of them would like to strike back. But the law prohibits them from doing so. It would be like—you know, it’s kind of the equivalent of, you know, somebody breaks into your house, you want to take a gun and go following this guy and chase him, violating speed limits, and chase down his car and blow out his tires and maybe, you know, rob his house too. You’d like to do that, but you can’t. It’s against the law. And, yeah, there is some movement afoot to get—especially within the defense industries, which have a tighter relationship with some of the more highly classified cybersecurity things. They exchange information and that sort of thing.
I don’t see it happening, I mean, for the reason that my analogy suggests, is that do you want a bunch of cyber vigilantes running around? But at the same time, you know, they say, well, then if I can’t do it, why aren’t you doing it, government? And then the government says, well, OK, do you want the NSA or the FBI, under—you know, which is really the—do you want us to be sitting on your networks all the time? And, you know, do you want that? Because that’s really—if you want us to help—you know, because right now there are lots of programs. You know, we’ll give you tools, we’ll give you techniques. Come to our top secret level briefing, we’ll tell you about best practices and that sort of thing.
But if you want us to do something, you want us to sit on your networks. And they say, well, no, I guess not. And you know, there was Richard Clarke, who is well-known to many of you, when he was in the White House he tried to do a couple of things. One, he tried to get mandatory security requirements for critical infrastructure companies. And this was resisted by lobbyists, by the companies themselves, and by people in the Commerce and Treasury Departments who thought this would be an impediment to R&D and, you know, making the companies less competitive because if you have to put security things on your servers they’re not going to be as fast, and then people will go buy other companies.
And then at one point, he wanted to create a network—a separate network for critical infrastructure industries that would be wired into a government agency so that if there were an attack the government could take action very quickly. Well, this leaked out and you had people on Capitol Hill shouting: Orwellian! You know, and things like that. And it is, sort of, but not entirely. But it got killed instantly. And even now, you know, President Obama passed an executive order a while back which had some very interesting things to it, but then there was the crucial sentence: None of this should be interpreted as a mandatory regulation. So it is a voluntary system. If you want help, we are here to provide help. But we’re not saying that you have to.
And so, you know, a question that has not been answered is, you know, what is the national—what is the government’s role in this? What is national security? If one bank gets hacked, is that something we should all be concerned about? What about—are there still a dozen banks? I don’t know. If a dozen banks get hacked, is that something we should worry about? If a movie studio gets hacked, is that what? Is it really the government’s role? And if so, what is the obligation of the company in question to submit itself to a situation where the government can do the things that we have now all, as a society, decided is the government’s role?
These kinds of things, to the extent they’ve been addressed, they’ve been quashed instantly by political bureaucratic processes. And as long as that’s the case, as long as these things are in private ownership, it’s hard to figure out how—A, what you want to do and, B, how you go about doing that.
LINDSAY: Let’s go right here.
Q: Joshua Gruenspecht, Skadden Arps.
So one of the problems with engaging in widespread attack, or even CNE, is that you’re basically widely distributing your zero days, your powerful new attacks.
KAPLAN: Wait, widely distributing what?
Q: Your zero days, your powerful new attacks, and leaving them—you know, object code on servers. We saw, you know, aspects of Stuxnet turned back on the United States later on. And so I guess the question is, you know, if we truly do live in the glassiest of houses, is there someone who’s thinking about the appropriateness of strewing stones across the world and waiting for them to get thrown back at us. You mentioned that the NSA really didn’t sort of—or, in your opinion, was not sort of engaging in a policy balancing of the value of engaging in that attack, versus, you know, sort of the other implications of that down the road. Is there anyone that you’ve encountered? Is there some sort of policy discussion that you have seen? Or is anyone thinking about this critically?
KAPLAN: Well, there is. I mean, in the White House, you know, after this commission that Obama appointed to look into possible NSA reforms, one of their suggestions was, you know, to not exploit zero days—these are vulnerabilities that are undiscovered, that are unknown until somebody discovers them, so it’s zero day. Not to exploit them unless you really, really have a good reason to do it. And the White House Cyber Office laid out some criteria for when exploiting zero days is appropriate. And they created a rule that before you do this, you have to go through these questions. And these questions have to be weighed not by the NSA director, but by the principal—by a principals meeting of the National Security Council.
Now, in fact, Jim was asking me before, how’s that going? And quite honestly, I don’t know. Maybe somebody in this room knows. I don’t know. I asked around and, you know, I didn’t get that far. This is mainly a history of to what extent they said, OK, we have a zero day for this, let’s go through the process and how does it work out. So I don’t know. I mean, one thing about President Obama, you know, the Obama view or philosophy of war is that—you know, he’s very reluctant to get involved in wars that require a lot of troops and getting people killed. But things that can accomplish certain objectives and that don’t involve a lot of risk or damage to ourselves, you know, he’s been pretty keen on that sort of thing. Drone strikes, for example, cyber operations.
I mean, one of the Snowden-leaked documents, PPD-20 Cyber Operations, that has a lot of very explicit stuff in it about cyber offensive operations. You know, planning—you know, targets that would be appropriate for using cyber weapons when you don’t want to use bigger weapons. So I suspect—and again, I say this out of—with no knowledge whatsoever—that if he came across—some zero day options were presented, and it was deemed that, you know, we could accomplish something with this, and it could be over in a matter of days, and then we could patch it up—patch the zero day vulnerability, I think under certain circumstances he would be OK with that. He would be more OK with that than some of the people on the commission, who were much—who weighed—who lean much more toward security than leaving room for offensive capability.
LINDSAY: We have time for one last question. Before we take it, I want to remind everybody that tonight’s event has been on the record.
KAPLAN: Oh, no! (Laughter.)
LINDSAY: And the gentleman in the back is going to get the final question.
Q: Hi. Thanks. Alan Kronstadt, Congressional Research Service. Glad to get the final question.
Based on your remarks tonight, I feel prepared to leave here and walk into the Tidal Basin. (Laughter.) I’m hoping you have some good news to share, and tell us that it’s not all bad. So please do share something to be optimistic of. Thank you.
KAPLAN: OK, well, I’ll go with you on that. As more and more countries—as more countries become more and more wired themselves, you know, we have these SCADA systems where, you know, where everything—transportation, electrical power, waterworks—it’s all controlled by remote sensors and computers. And you don’t have to blow up the dam, you can just hack into the controls and mess it up that way, which is what Stuxnet was, really. More countries are following our example of cyber-thoughtless efficiency, in this regard. And the more that Russia and China and places like this go the same route that we’ve gone, then a mutual assured destruction kind of situation does arise.
A kind of a default passive deterrence does spring up. They will become more cautious. They will have the same, you know, lightbulb going on that, oh, if we can do this to them, they can also do it to us thinking. At the same time, countries like, you know, North Korea, Iran, Syria, you know, which have all developed—again, they’re not like the NSA or Israel’s Unit 8200, but, you know, they can do a fair amount. You know, there’s not much there for us to strike back at in terms of cyber. They’re not so wired. They’re taking a huge risk if they do something drastic, because we’ve said that, well, we have bombs too. You know, we can attack that way.
I guess, you know, the more that this is discussed and the more that people realize what’s going and what has been going on for decades, maybe this induces a certain cautiousness in people who are thinking about doing drastic things like this. At the same time though, you know, I might be completely wrong. Maybe it induces the exact opposite. You know, the good news is that nothing terribly major has happened yet, at least not to us. I mean, you know, there was just this cyberattack on western Ukraine’s power grid.
LINDSAY: But why is that, Fred? I’m just curious. To this point there hasn’t been anything—
KAPLAN: Not on us?
LINDSAY: On us or more broadly.
KAPLAN: Well, you know, you do this thing for a reason. It’s not like, gee, I think I’ll just blow up this. I’ll just turn off the lights in Pennsylvania tomorrow. This usually comes out of a crisis where you’re trying to exert leverage or pressure. And you know, we haven’t been involved in one of these crises for a while. Ukraine is involved in a crisis like this, and Russia is turning off their lights every now and then. When the Russians invaded Georgia, not only did they come in with air and ground, but they messed with all of their networks too. They couldn’t communicate with themselves, with their army, with other units. It was a very coordinated—cyber was part of the operation.
LINDSAY: That’s one of the interesting points, you don’t have to blow something up if people no longer trust what they’re hearing on their phones or through their computers, it changes the dynamics on the battlefield.
KAPLAN: That’s right. That’s right. And that’s what—that’s what information warfare, as it was once called, is about. It was—during this war game that Jim mentioned, it was called Eligible Receiver in 1997, when this team of 25 NSA red team guys hacked into the entire Defense Department network using commercially available equipment. And people were—you know, they were sending out emails to people and they weren’t getting there, they were getting rewritten, they were getting rerouted, fax machines were breaking down. And you know, somebody was, in fact, overheard and his phone line was tapped too. And it was recorded saying: I don’t trust my command control anymore.
And that’s what the object of these kinds of operations are, is to get inside—it used to be called counter command and control warfare—is to get inside the command and control to make it harder for the other side to do certain—to go to war, to fight successfully. And so, yeah, I mean, one reason why it hasn’t happened is that we haven’t really been in a political, strategic situation where this becomes a tempting option for somebody to inflict us—to inflict it on us.
LINDSAY: Well, I don’t know if we’ve given the gentleman a reason not to walk into the Tidal Basin, however I do think that you’ve given us a lot of food for thought, Fred. And I’d like to have everyone join me in thanking Fred and congratulating him on his new book. (Applause.)
KAPLAN: And I’ll be signing books back there.
LINDSAY: There are books back there. Fred will be signing them. And there’s still more food, so please have at it. And again, thank you very much for coming out tonight.
(END)