'Dark Territory: The Secret History of Cyber War'
Fred Kaplan discusses 'Dark Territory,' his book on the untold story of the officers, policymakers, scientists, and spies who devised a new form of warfare — cyber war — and who have been planning (and, more often than people know, fighting) this kind of war for decades, from the 1991 Gulf War to conflicts in Haiti, Serbia, Syria, the former Soviet republics, Iraq, and Iran.
The CFR Fellows’ Book Launch series highlights new books by CFR fellows. It includes a discussion with the author, cocktail reception, and book signing.
LINDSAY: Good evening, everybody. On behalf of Richard Haass, the president of the Council on Foreign Relations, I want to welcome all of you tonight. Thank you for coming, particularly leaving the absolutely gorgeous weather we have outside to come inside for this talk. I am Jim Lindsay. I am the director of studies here at the Council on Foreign Relations. I also want to thank everyone who is joining us via the Internet as we livestream tonight’s event. You’re in for a real treat, as we have a very timely and important discussion. Tonight’s guest of honor is Pulitzer Prize-winning author, Fred Kaplan. Fred holds a Ph.D. from MIT, and he writes the War Stories column for Slate. Last year he was the Edward R. Murrow press fellow here at the Council. And we’re all here tonight to celebrate what Fred was working on during his year at CFR, namely his new book, “Dark Territory: The Secret of Cyber War.”
KAPLAN: Secret history.
LINDSAY: Secret history, excuse me. I’ve been corrected. “Secret History of Cyber War.” So please join me in welcoming Fred Kaplan. (Applause.)
KAPLAN: Thank you.
LINDSAY: Because last time I threw my stuff on the floor, so. Congratulations, Fred, on writing the book and completing it.
LINDSAY: I read it over the weekend, couldn’t put it down. So let me begin with sort of the obvious question posed by the title, what is dark territory?
KAPLAN: Ah. Well, you know, this is my fifth book. And each time I write a book, I say to myself, the title will emerge in my notes, and it never does. But this time I was going through my notes of an interview with Robert Gates, and he’s talking about how when he first became secretary of defense and he was getting these daily briefings about how many cyberattacks were coming into the Pentagon.
And he goes to some of his associates and colleagues and he says: Look, you know, we need to get together with the major cyber powers and figure out some rules of the road. You know, even in the worst days of the Cold War we had rules with the Soviet Union, like we didn’t kill each other’s spies, you know, things like that. We need to figure out what kinds of targets shouldn’t be attacked with this kind of thing. And he said, and you know, because right now we are wandering in dark territory. And I said, there’s the title of my book, dark territory.
But you know, I Google searched it because, you know, I didn’t want to—I wanted to make sure I wasn’t getting some euphemism for some obscene act or something. (Laughter.) And it turned out that dark territory is a term of art in the North American railroads to designate stretches of tracks that are not governed by signals. And I’m thinking, wow, now, that’s a great metaphor for cyberspace. So I send him an email and said: Did you know this? And he said, oh, yeah, sure. My grandfather was a stationmaster on the Santa Fe Railroad in Pratt, Kansas for 50 years. We used railroad terminology all the time when I was growing up.
So that’s kind of the theme of this book, that we are in dark territory. It’s a subject that has been encased in extreme secrecy, because it has been enveloped in the National Security Agency which, you know, NSA used to—the joke that it stood for No Such Agency. You know, nothing goes in and nothing comes out. It’s a black hole of the bureaucracy. And so nobody has been—nobody on the outside has been thinking about these issues. The Defense Science Board is just now—has a project going on to figure out what cyber deterrence means.
They’re so primitive that at one point I was interviewing some guy for the third time, and he was pretty high up in intelligence, and he said: You know, what’s your thoughts about cyber deterrence. I said, I don’t know. I’m trying to figure out what anybody’s thoughts are. And he goes, oh, that’s too bad, because I’m on this DSB panel. I was hoping maybe you could join. And I’m thinking, if they’re asking me—figuring on me to join this, which I wouldn’t do anyway, but they must be in really sad shape.
LINDSAY: Well, let me ask you a question though before we turn to the substance, just on a matter of process. You just set out the fact that all of this is encased in a great deal of secrecy. So how does one write a book about secrets that presumably you’re privy to?
KAPLAN: Yeah, well, you know, we all have our tricks. No, this was a tough one. This was a tough one, because—two things I didn’t know going into this. One, is that the United States has been doing cyber offensive operations for a very long time. Number two, all of these things are, by nature, classified, because they’re covert operations. I have to say, I mean, there were a few things—two things that I put together and had confirmed by ashen-faced officials that I decided not to include in the book. And one of which, I’m a little nervous that I even put it together.
But a lot of things—look, you know, you learn a little bit from this guy, and then a little bit from this guy, and then you mention it to this guy and he thinks that, you know, a lot of stuff. You know, it’s the usual things. But you know, this is a history.
LINDSAY: But you talked to a lot of people as well.
KAPLAN: I talked with over a hundred people, including six NSA directors, repeatedly—some of them helpfully. So, yeah, I got pretty deep. And you know, nobody’s come to arrest me yet, so we’ll see what happens.
LINDSAY: Well, I hope it stays that way.
KAPLAN: Yeah, me too.
LINDSAY: I was struck, one of the stories you begin with is a story I would not have expected to hear, and that involves a movie people of my generation or older may remember, called “War Games,” which featured young Matthew Broderick and a computer named Jason, I believe. Can you tell me, how does that figure into your story?
KAPLAN: Well, this came as a surprise to me too. So the first weekend of June 1983, Ronald Reagan is up at Camp David. And he’s watching movies. And one night, he watches “War Games.” Everybody remembers “War Games”? OK. So, he gets back to Washington. There’s a meeting in the White House the following Wednesday, not about this. It’s about—actually, it was about the MX missile. Some of you might remember the perennial debate of the MX missile.
LINDSAY: Those were the days.
KAPLAN: Yeah, everything was so simple. At one point he puts down his index cards and says: Has anybody seen this movie “War Games”? Nobody had seen it. It had just come out. So he launches into this very lengthy plot description. And he turns to General John Vessey, the chairman of the Joint Chiefs of Staff at the time. And he says: General, could something like this really happen? Could someone just break into our most secure computer? And the general says, I’ll look into that, Mr. President—which is what generals say. And he comes back a week later and he says: Mr. President, the problem is much worse than you think.
And this led, a year later, to the first national security decision directive, NSDD 145, about communications security—about communications and computer security. And it said things like, you know, we face, you know, massive sabotage from foreign intelligence, from criminals, from terrorists, you know. Now, this took a little side turn, in that the NSA basically wrote this directive. And they wrote it in a way that essentially the NSA would set the standards for every computer in the United States—government, military, private. So there were some people on Capitol Hill who didn’t take well to this, so they revised it so that NSA secures .mil, classified, and the Commerce Department regulates everything else.
Well, of course, you know, the Commerce Department doesn’t—didn’t know anything about this. They couldn’t do anything. At the time, the NSA had no interest in patching up flaws or securing it. If there was a hole that they found, they would exploit it. So for the next decade, nothing basically happened. A little P.S. on the “War Games,” if I can dip back into history a little bit, all of this—this goes back further than “War Games.” At the dawn of the Internet, in 1967 the ARPANET was about to go up. It was about to roll out. And there was a guy named Willis Ware. He was a computer pioneer. He’d worked with Von Neumann at Princeton. He was the head of the Computer Science Department at RAND. And he was also on the Scientific Advisory Board of the NSA.
And he wrote a paper, it was secret at the time, that’s been declassified since. It’s a fascinating document. And he says, look, the thing about a computer network, when you have—when you have multiple access from unsecured locations, you’re going to be creating inherent vulnerabilities. You’re not going to be able to keep secrets anymore. And when I was doing my research, I talked with a man named Steve Lukasik, who was the deputy director of ARPA at the time. And said: So, did you read Willis Ware’s paper? And he goes, oh, yeah, sure. I knew Willis.
And I go, well, what did you think? He said, well, I took it to our guys. And I said, what do you think? And they said, don’t saddle us with a security requirement. I mean, look how hard it was to do this. It’s like asking the Wright Brothers that their first plane has to carry 20 people 50 miles. And you know, let’s do this one step at a time. And the Russians, they’re not going to be able to do this for decades. Well, you know, it’s true. It took them two and a half or three decades, by which time whole systems and networks had been sprung up with no provision for security whatsoever.
And so I see this as kind of the—you know, the bitten apple in the digital Garden of Eden. From the very beginning—the P.S. on “War Games” is that when the guys who were writing “War Games,” who also, by the way, later wrote “Sneakers,” when they were researching the script, and they heard about—they learned from some hackers about something called demon dialing or war dialing where, back in the days before the Internet, you had a computer program that would just dial every phone number in an area code, wait two rings, and if it’s hooked up to a modem it would squawk and it would record what that number was. That’s how he gets in.
So they’re thinking but, you know, is this really plausible? I mean, certainly NORAD’s computers, it’s got to be a closed system. We better talk to somebody who might—so they—one of them lived in Santa Monica. And he called RAND. And he said, who can we talk to? And they hooked him up with Willis Ware. And Willis was a very nice guy. And he called them in. And he goes, yeah, you know, actually, it’s funny. I designed the software for that computer. (Laughter.) And you know, you’re right, it is a closed system. But, you know, there are some officers who like to work on weekends from home, and so they always leave a port open. And yeah, I guess, if somebody knew what that number was they could get in.
And then he said, you know, there’s something that most people don’t realize, and that is that the only computer that’s completely secure is a computer that no one can use. And that was back in 1982 or ’83. And just a couple years ago, the Defense Science Board put out a paper on cybersecurity. And one of its lines, they talked about the inherent fragility of our architectures—inherent. In other words, you know, you could do lots of things. You know, things are much better now than they were before. You know, there are warning systems in place and so forth. But you know, every war game where they’ve had a red team trying to hack into the military networks, they always get in. They always get in.
LINDSAY: And your book recounts a number of occasions in which people got in.
LINDSAY: Sometimes the good guys getting in doing red team testing, other times bad guys getting in, sometimes good guys watching bad guys so they can track the bad guys.
KAPLAN: That’s right.
LINDSAY: I guess, but I want to come back to this issue of the subtitle of the book, cyberwar. Now, you’ve also mentioned the term cybersecurity. What do you mean by each and how do they differ, if they differ at all?
KAPLAN: Well, there is a fine line—I mean, one thing—very early on in my research I was talking to someone quite high up in intelligence circles. And I was going over some report where it lists the vulnerabilities of our systems, and different scenarios about how people can come in. And he said, listen, there’s one thing that you need to realize, all of these reports, all of these scenarios, they’re based on what we were actually doing to other countries. And then at some point, somebody says, oh, Jesus, somebody could do this to us at some point too. And that’s where it all began. So we have not been, you know, innocent flower children in this arrangement.
Another thing about the fine line between—sometime in the ‘90s they came up with some terminology. There was CND, computer network defense. There was CNA, computer network attack. And then there was something called CNE, computer network exploitation. And that was where you just get inside the other guy’s networks and see what’s going on. And you could call this a form of active defense—in other words, we can’t protect every single intersection between a network and the Internet. So the best way to do defense is to get inside the other guy’s network so we can see them planning an attack, if they’re doing an attack. It could be that.
Or, it’s also just one step away from computer network attack. And so the difference between cybersecurity and cyberwar is largely academic, because—
LINDSAY: Well, I’m an academic, so I can ask the question.
KAPLAN: Yeah. (Laughs.) So if we’re seeing the Chinese inside our critical infrastructure, or they’re seeing us inside their critical infrastructure, what’s going on here? Are we just poking around to see what they’re up to? Or are we, from their point of view, or even from our point of view, planning an attack, and vice versa? Nobody knows. And even if they did know, it could change on a dime. So that’s why this idea got held forth that it’s all the same technology, it’s all the same skills. There’s only one agency that really knows how to do this, namely the NSA. And therefore the idea came about was to fuse—set up something called U.S. Cyber Command, have it commanded by the guy who’s also the director of the NSA, have it headquartered at Fort Meade with the NSA.
And the frightening thing about this is that, you know, Cyber Command now has links with all of the combatant commands. They are recruiting thousands—tens of thousands of people to come join Cyber Command or the service affiliates. It’s fast-growing money. There’s money in it. You know, you go to West Point, you go to any of the academies, you know, where are you directing your elite students? Oh, cyber. Cyber, that’s where it’s happening. And in the meantime, you still have the Defense Science Board trying to figure out what cyber deterrence means, what this is even for, what the second day of the cyberwar looks like.
And you know, the thing about—the distinction between this and, say, nuclear weapons, is that with nuclear weapons there’s a very thick bold red line between using nukes and not using nukes. And that’s one reason why nobody’s used nukes for a long time, because you don’t know how to—de-escalation can go out of control very quickly. But there are a hundred—thousands of cyberattacks or attempted cyberattacks every day. Who knows what—one person’s nuisance might be another person’s grave national security threat. Even in this country, I mean, all the cyberattacks that’s going on, what was the first time that a president of the United States said that he was going to retaliate against a cyberattack? It was North Korea’s hack of Sony Pictures. That wouldn’t have been predicted by anybody.
So, and at the same time, you know, we have also said that we reserve the right to respond to a cyberattack through non-cyber means, because a lot of these countries don’t have much cyber to attack, right? They’re not—
LINDSAY: We’re more vulnerable than they are.
KAPLAN: Yeah. And so once you start doing this—it’s like, we might have the best rocks to throw at their houses, but we have the most glassy houses that far-less capable rocks can do a lot of damage to, because everything is plugged into computers—military, society, everything. And, you know, do we really want to start something like this?
LINDSAY: But we’re doing it right now, and it’s being done to us, which leads to the next question.
LINDSAY: It’s 49 years since Willis Ware said that any network is going to be inherently vulnerable. Last month, President Obama announced a national commission to look at cybersecurity. I take it from the book that part of the thinking is that maybe we should spend less time worrying about attacking and more time securing or defending against attack. So I’m sort of left wondering, where are we sort of 50 years into the computer age? How secure are we?
KAPLAN: Well, you know, when people—when friends of mine ask—you know, when they learned I was doing this book, they would ask, well, what do you do? What can I do? And I would say, look, you know, if what you’re concerned about is a criminal, or just some punk, or just somebody trolling the net, there are things you can do to—you know, to be OK. It’s like, you know, Scoop Jackson, I think, once said the Russians were like the hotel thief that goes around trying all the doorknobs. You know, you got to lock your door. You can get a good lock. You can, you know, have a burglar alarm. You know, there are things you can do.
But if somebody really wants to come after you, if there’s something that you have that he wants, and he really knows what he’s doing, and especially if he has the resources of a nation-state, and he has a lot of time, and he says, this is so important that I’m going to spend a lot of effort on this, there’s really not a whole lot that you can do. And that’s what—you know, right now the Defense Department has said in some of its recent statements, you know, the big buzzwords going around are detection and resilience. I mean, yeah, they’re going to get in. So the idea is, make sure you have stuff set up so you see them getting in very quickly, and that you can do something about it. You can repel them, and that you can repair and recover from the damage very quickly.
So they’ve kind of—you know, there are lots of ways. You used to think, oh, all we need to do is to take this computer and disconnect it from the Internet. They called it an air gap. Then they figured out ways to get over the air gap. And so finally, you know, they just kind of—it’s not like—they haven’t given up to the point where they’re just leaving the doors unlocked, and they’re making ever-improved locks, but they assume that—you know, they start from the assumption that they’re going to get in, and then what do we do? And let’s focus on that. That’s the big policy challenge.
LINDSAY: At this point I want to bring the audience into the conversation. So if you have a question, I would ask you first of all to please wait for the microphone. When you get the microphone, speak directly into it. Please stand, state your name and affiliation. And please keep your question concise so we can get as many questions on the table as possible. So if anyone wants to ask a question, otherwise I’ll keep doing it. Sir.
Q: Hello. My name is Ben Freeman. I’m with Congressman Jerry Nadler’s office.
I was wondering if you could talk a little bit more about the sort of seeming disconnect in skills and personnel. It seems that the NSA is amazing at this stuff, but then you also have hacks of the OPM office and now we’re pulling the spies back from China because their identities are out there on the Internet. How is it that the—excuse me—that the NSA is so great at this, and then other agencies are falling behind? Is it training? Is it the right people claiming they have the skills, but not really having it? Cybersecurity is where the money is now, and everyone—like, after 9/11, everyone became a terrorism expert.
KAPLAN: Well, you know, the NSA—they don’t have the legal authority to go protecting civil or even civilian government networks. You know, so this is very unsecured. I think in a hearing James Clapper was asked about OPM and he said, well, you know, that wasn’t really a cyberattack. That was—that was an act of espionage, similar to things that we do once in a while, you know. Maybe he’s right.
Now, in fairness, they’ve never really defined it. I mean, one time Gates got so frustrated he asked his legal counsel: At what point do attacks like this become acts of war? And it took two years for an answer to come back. And it wasn’t even really an answer. It was, like, yes, under certain circumstances this might constitute—but what that is, it’s something that really legal counsel—it’s beyond their paygrade, so to speak, to answer this question. But nobody’s answered the question. Nobody knows.
But the NSA, well, an interesting thing that I found out in doing this, the NSA is flush with lawyers. And as much as the potential for abuse is staggeringly enormous, the actual abuse, it doesn’t really happen that much. And part of the reason is—
Q: I was speaking more towards the technical skills involved. How is the NSA—
KAPLAN: Oh, I see. Well, because they have the money. They have the resources. They have the technology. You know, at some point the Homeland Security Department was given, OK, NSA protects military. Homeland Security is going to protect the civilian government. Well, you know, you’re going to create a parallel NSA with the Department of Homeland Security. They don’t have the money. They don’t have the technology. They don’t have the know-how. They don’t have the history of doing this.
And you know, I don’t mean to keep touting Robert Gates, but at one point he and Janet Napolitano, when she was director of Homeland Security, they kind of got together and they created this—they wrote a memorandum of understanding, where in the event of an attack on critical infrastructure, there would be a deputy director of the NSA that Napolitano would name. And he would be assigned to DHS. But in the event of an attack or something, he would have the legal authorities of DHS, but be able to draw on the technology of the NSA.
And there were meetings, they got together, and they were disasters because the DHS had no interest in doing this. Everybody at the deputy level of the National Security Council was kind of pissed that this arrangement was made without them. And so they—Napolitano did pick this one guy who would have been perfect for the job, but he wasn’t given the authorities that he would need to do this. So it became just another layer. So you do have all these layers—these bureaucratic layers and these legal walls, some of which are there for a very good reason. And so, you know, that’s why it doesn’t transfer very well.
LINDSAY: Let me go over here to the other side of the room, if we may.
Q: Chris Miller from the Air Force Academy.
You just partially answered the question I was going to ask. But I’m wondering, as you talk to all of the folks you talked to as you researched this book, does anybody have a vision for how to solve that problem where NSA is taking care of the .mil and no one is essentially taking care, systematically, of the rest of the country?
KAPLAN: Well, you know, General Alexander’s solution to this when he was NSA, and how it’s become open-literature policy—they talk about it in very, you know, code-word terms. I mean, not classified code-words. But if you decrypt, so to speak, and you put into English what they’re talking about, it’s basically this idea, OK, we cannot sit on top of all the networks either legally—you know, over the years, the military has gotten pretty good at this, to the point where there are now only eight intersections between military networks and the broader Internet. And the NSA legally and technically can just sit on top of those networks.
Civilian government, they stop counting at, you know, 1,500. Broader industry, who knows how many? And you can’t just sit on them. It’s too expensive and it’s not legal and so forth. So the idea is, what is said, it’s CNE, it’s computer network exploitation. Or the way it’s stated in policy booklets is you detect the attack before it happens. And that means getting inside the other guy’s networks. So that’s what we’re doing. We’re doing cyber offensive operations, calling it—it’s not called CNE anymore. They came up with some other acronym, because every new administration has to have its own acronym for the same thing that the previous administration was doing. But it’s getting inside. And you know, we have to do a preemptive attack before they do.
I mean, it’s a hair-trigger situation, basically. It’s as if in the nuclear balance everybody had land-based ICBMs not 30 minutes but 10 minutes away from each other’s territory, because this can happen instantaneously, you know. And that’s—you know, that’s the kind of perilous thing that, through perfectly rational analysis—I mean, what’s needed and what can and can’t be done—we’ve created a system with hair-trigger possibilities and no doctrinal—no strategic—you know, after the bomb was built, you know, there were some secrets about it, but everybody knew what it could do. Everybody kind of knew, the Smyth Report and all this, what it was made of, how much uranium different countries had, how many weapons they could build. And so people from the outside started thinking about strategy, policy, what does deterrence mean, what does a nuclear war mean?
That is not happening in this realm, because it’s all been locked up with these crypto-people in the NSA who don’t think about policy. You know, General Alexander was a brilliant computer geek. Had no interest in policy whatsoever. He was the first NSA director who understood this technology, really quite intimately. But his thing was faster, faster, more, and more. And this wasn’t tied to—it had policy implications, but that wasn’t his interest. And nobody else is able to really put the two things together.
LINDSAY: Sir, back there.
Q: Hi. I’m Liam McKenna with the Senate Homeland Security Committee, though not on their behalf.
I’m wondering if you can speak to attribution and how that might be more of a challenge in cyberwar than kinetic war, and whether that makes things more complicated.
KAPLAN: OK, attribution, figuring out who has launched this attack. Yeah, you know, with a ballistic missile, you can trace the arc of where it came from. They’re getting much better at figuring out where it comes from than they used to be, because, you know, you can launch an attack, it can go through—you know, through this server, then through that network, then over to that network. And a lot of people in the old days, they used to—the original hackers, they would go through academic ports which had ties to military lines, which had ties—because the academic ports it was all about openness. Anybody could get in. MIT.edu was a favorite port of entrance of people coming in to hack military networks.
They’re getting better at tracing these. And a lot of technology has developed that allows them to. But it’s still not 100 percent. I will tell you a story, though, about how we know that it was North Korea that hacked Sony. And this is the kind of thing they can do now. Remember when it first happened and the FBI was saying, well, they used similar signatures to what North Korean hacks have done before, and we noticed the same kind of this and that. And there were some computer experts who, at least initially, doubted all of this, and said, oh, I don’t believe North Korea did this. This looks like it was an inside job.
But what had really happened is that the NSA had so thoroughly infiltrated North Korea’s networks, that—though, not in real time; nobody was looking at what North Korea was doing in real time. But they could go back through the files. And they could actually watch—the NSA people could watch on their monitors what the North Korean hackers were watching on their monitors while they were doing the hack. And it was that certain and that infiltrated. Often when China infiltrates—you know, hacks into military networks, they see what the Chinese are doing. Some military secrets that the Chinese have stolen aren’t real military secrets, they’re phony military secrets that have been put there, sometimes with little honeypots attached, with beacons so that we can trace as they go back, and then see what they do with it.
It’s a cat and mouse game that has a lot of cats and mice running around, of all stripes, and into holes of various provenance. You know, and all of which, as I say, is incredibly secret. And it’s been going for a long time. I have a chapter in the book about the first exercise that was done by the NSA, hacking into DOD networks. And they hacked into everything. But as they were roaming around inside DOD networks, this was in 1997, they found some French IPs wandering around in there, some real French hackers, which they were easily able to expel. And they kept that very secret. Even people who were briefed on this didn’t know that. But this is 1997 French hacking into American computer networks. So you know, it’s been going on for a long time.
LINDSAY: I’m going to go over here to the young woman.
Q: Hi. I’m Dawn Scalici with Thomson Reuters.
I was wondering if you could comment on the debate about the rights or lack thereof of the private sector to undertake offensive cyber operations in retaliation for attacks on their networks. Some have questioned whether or not this is the domain just for the federal government, or whether or not the private sector has any rights in this regard.
KAPLAN: Yeah, this is—this is an interesting issue that was hot for a while, and hasn’t—it hasn’t been talked about much lately. But yeah, let’s say you’re IBM or something, and somebody has launched a major cyberattack on your stuff. And you know where it came from. Because, you know, there are—there are really quite good information assurance departments inside these corporations now, some of which, you know, are populated by people who used to work at the NSA or the Air Force Information Warfare Center, or places like that. So they know what they’re doing.
And some of them would like to strike back. But the law prohibits them from doing so. It would be like—you know, it’s kind of the equivalent of, you know, somebody breaks into your house, you want to take a gun and go following this guy and chase him, violating speed limits, and chase down his car and blow out his tires and maybe, you know, rob his house too. You’d like to do that, but you can’t. It’s against the law. And, yeah, there is some movement afoot to get—especially within the defense industries, which have a tighter relationship with some of the more highly classified cybersecurity things. They exchange information and that sort of thing.
I don’t see it happening, I mean, for the reason that my analogy suggests, is that do you want a bunch of cyber vigilantes running around? But at the same time, you know, they say, well, then if I can’t do it, why aren’t you doing it, government? And then the government says, well, OK, do you want the NSA or the FBI, under—you know, which is really the—do you want us to be sitting on your networks all the time? And, you know, do you want that? Because that’s really—if you want us to help—you know, because right now there are lots of programs. You know, we’ll give you tools, we’ll give you techniques. Come to our top secret level briefing, we’ll tell you about best practices and that sort of thing.
But if you want us to do something, you want us to sit on your networks. And they say, well, no, I guess not. And you know, there was Richard Clarke, who is well-known to many of you, when he was in the White House he tried to do a couple of things. One, he tried to get mandatory security requirements for critical infrastructure companies. And this was resisted by lobbyists, by the companies themselves, and by people in the Commerce and Treasury Departments who thought this would be an impediment to R&D and, you know, making the companies less competitive because if you have to put security things on your servers they’re not going to be as fast, and then people will go buy other companies.
And then at one point, he wanted to create a network—a separate network for critical infrastructure industries that would be wired into a government agency so that if there were an attack the government could take action very quickly. Well, this leaked out and you had people on Capitol Hill shouting: Orwellian! You know, and things like that. And it is, sort of, but not entirely. But it got killed instantly. And even now, you know, President Obama passed an executive order a while back which had some very interesting things to it, but then there was the crucial sentence: None of this should be interpreted as a mandatory regulation. So it is a voluntary system. If you want help, we are here to provide help. But we’re not saying that you have to.
And so, you know, a question that has not been answered is, you know, what is the national—what is the government’s role in this? What is national security? If one bank gets hacked, is that something we should all be concerned about? What about—are there still a dozen banks? I don’t know. If a dozen banks get hacked, is that something we should worry about? If a movie studio gets hacked, is that what? Is it really the government’s role? And if so, what is the obligation of the company in question to submit itself to a situation where the government can do the things that we have now all, as a society, decided is the government’s role?
These kinds of things, to the extent they’ve been addressed, they’ve been quashed instantly by political bureaucratic processes. And as long as that’s the case, as long as these things are in private ownership, it’s hard to figure out how—A, what you want to do and, B, how you go about doing that.
LINDSAY: Let’s go right here.
Q: Joshua Gruenspecht, Skadden Arps.
So one of the problems with engaging in widespread attack, or even CNE, is that you’re basically widely distributing your zero days, your powerful new attacks.
KAPLAN: Wait, widely distributing what?
Q: Your zero days, your powerful new attacks, and leaving them—you know, object code on servers. We saw, you know, aspects of Stuxnet turned back on the United States later on. And so I guess the question is, you know, if we truly do live in the glassiest of houses, is there someone who’s thinking about the appropriateness of strewing stones across the world and waiting for them to get thrown back at us. You mentioned that the NSA really didn’t sort of—or, in your opinion, was not sort of engaging in a policy balancing of the value of engaging in that attack, versus, you know, sort of the other implications of that down the road. Is there anyone that you’ve encountered? Is there some sort of policy discussion that you have seen? Or is anyone thinking about this critically?
KAPLAN: Well, there is. I mean, in the White House, you know, after this commission that Obama appointed to look into possible NSA reforms, one of their suggestions was, you know, to not exploit zero days—these are vulnerabilities that are undiscovered, that are unknown until somebody discovers them, so it’s zero day. Not to exploit them unless you really, really have a good reason to do it. And the White House Cyber Office laid out some criteria for when exploiting zero days is appropriate. And they created a rule that before you do this, you have to go through these questions. And these questions have to be weighed not by the NSA director, but by the principal—by a principals meeting of the National Security Council.
Now, in fact, Jim was asking me before, how’s that going? And quite honestly, I don’t know. Maybe somebody in this room knows. I don’t know. I asked around and, you know, I didn’t get that far. This is mainly a history of to what extent they said, OK, we have a zero day for this, let’s go through the process and how does it work out. So I don’t know. I mean, one thing about President Obama, you know, the Obama view or philosophy of war is that—you know, he’s very reluctant to get involved in wars that require a lot of troops and getting people killed. But things that can accomplish certain objectives and that don’t involve a lot of risk or damage to ourselves, you know, he’s been pretty keen on that sort of thing. Drone strikes, for example, cyber operations.
I mean, one of the Snowden-leaked documents, PPD-20 Cyber Operations, that has a lot of very explicit stuff in it about cyber offensive operations. You know, planning—you know, targets that would be appropriate for using cyber weapons when you don’t want to use bigger weapons. So I suspect—and again, I say this out of—with no knowledge whatsoever—that if he came across—some zero day options were presented, and it was deemed that, you know, we could accomplish something with this, and it could be over in a matter of days, and then we could patch it up—patch the zero day vulnerability, I think under certain circumstances he would be OK with that. He would be more OK with that than some of the people on the commission, who were much—who weighed—who lean much more toward security than leaving room for offensive capability.
LINDSAY: We have time for one last question. Before we take it, I want to remind everybody that tonight’s event has been on the record.
KAPLAN: Oh, no! (Laughter.)
LINDSAY: And the gentleman in the back is going to get the final question.
Q: Hi. Thanks. Alan Kronstadt, Congressional Research Service. Glad to get the final question.
Based on your remarks tonight, I feel prepared to leave here and walk into the Tidal Basin. (Laughter.) I’m hoping you have some good news to share, and tell us that it’s not all bad. So please do share something to be optimistic of. Thank you.
KAPLAN: OK, well, I’ll go with you on that. As more and more countries—as more countries become more and more wired themselves, you know, we have these SCADA systems where, you know, where everything—transportation, electrical power, waterworks—it’s all controlled by remote sensors and computers. And you don’t have to blow up the dam, you can just hack into the controls and mess it up that way, which is what Stuxnet was, really. More countries are following our example of cyber-thoughtless efficiency, in this regard. And the more that Russia and China and places like this go the same route that we’ve gone, then a mutual assured destruction kind of situation does arise.
A kind of a default passive deterrence does spring up. They will become more cautious. They will have the same, you know, lightbulb going on that, oh, if we can do this to them, they can also do it to us thinking. At the same time, countries like, you know, North Korea, Iran, Syria, you know, which have all developed—again, they’re not like the NSA or Israel’s Unit 8200, but, you know, they can do a fair amount. You know, there’s not much there for us to strike back at in terms of cyber. They’re not so wired. They’re taking a huge risk if they do something drastic, because we’ve said that, well, we have bombs too. You know, we can attack that way.
I guess, you know, the more that this is discussed and the more that people realize what’s going on and what has been going on for decades, maybe this induces a certain cautiousness in people who are thinking about doing drastic things like this. At the same time though, you know, I might be completely wrong. Maybe it induces the exact opposite. You know, the good news is that nothing terribly major has happened yet, at least not to us. I mean, you know, there was just this cyberattack on western Ukraine’s power grid.
LINDSAY: But why is that, Fred? I’m just curious. To this point there hasn’t been anything—
KAPLAN: Not on us?
LINDSAY: On us or more broadly.
KAPLAN: Well, you know, you do this thing for a reason. It’s not like, gee, I think I’ll just blow up this. I’ll just turn off the lights in Pennsylvania tomorrow. This usually comes out of a crisis where you’re trying to exert leverage or pressure. And you know, we haven’t been involved in one of these crises for a while. Ukraine is involved in a crisis like this, and Russia is turning off their lights every now and then. When the Russians invaded Georgia, not only did they come in with air and ground, but they messed with all of their networks too. They couldn’t communicate with themselves, with their army, with other units. It was a very coordinated—cyber was part of the operation.
LINDSAY: That’s one of the interesting points, you don’t have to blow something up if people no longer trust what they’re hearing on their phones or through their computers, it changes the dynamics on the battlefield.
KAPLAN: That’s right. That’s right. And that’s what—that’s what information warfare, as it was once called, is about. It was—during this war game that Jim mentioned, it was called Eligible Receiver in 1997, when this team of 25 NSA red team guys hacked into the entire Defense Department network using commercially available equipment. And people were—you know, they were sending out emails to people and they weren’t getting there, they were getting rewritten, they were getting rerouted, fax machines were breaking down. And you know, somebody was, in fact, overheard and his phone line was tapped too. And it was recorded saying: I don’t trust my command control anymore.
And that’s what the object of these kinds of operations are, is to get inside—it used to be called counter command and control warfare—is to get inside the command and control to make it harder for the other side to do certain—to go to war, to fight successfully. And so, yeah, I mean, one reason why it hasn’t happened is that we haven’t really been in a political, strategic situation where this becomes a tempting option for somebody to inflict us—to inflict it on us.
LINDSAY: Well, I don’t know if we’ve given the gentleman a reason not to walk into the Tidal Basin, however I do think that you’ve given us a lot of food for thought, Fred. And I’d like to have everyone join me in thanking Fred and congratulating him on his new book. (Applause.)
KAPLAN: And I’ll be signing books back there.
LINDSAY: There are books back there. Fred will be signing them. And there’s still more food, so please have at it. And again, thank you very much for coming out tonight.