This symposium, held January 7, 2020, addressed the potential consequences of great power competition in cyberspace and examined the current state of Russian, Chinese, Iranian, and North Korean cyber operations, as well as how the United States is responding.
The keynote session was led by Angus King and Mike Gallagher of the Cyberspace Solarium Commission.
EDELMAN: While we get situated here, thank you so much. And thank you so much, Adam, for having us here.
And I want to take a moment and put in another plug for the Cyber Operations Tracker that exists online. I teach right now on issues that include cybersecurity, and there is no better tool in teaching the history of these operations and of nation-state activities in cyberspace than what Adam and his team have put together. So thank you for doing that.
Good morning. Welcome to CFR’s on-the-record symposium today entitled “Cyberspace and Great Power Competition.” I’m your moderator, David Edelman from MIT.
And we’re joined today by three distinguished panelists whose full bios are in the handouts that you all have on your chairs and running around. But just for a quick recap, we have Priscilla Moriuchi who’s here. She’s the head of nation-state research for Recorded Future. We have Jim Miller, my former colleague, undersecretary of defense for policy; now senior fellow at Johns Hopkins. And John Hultquist, who leads FireEye’s intelligence analysis team.
As mentioned, when we started thinking about this particular panel, of course we wanted to cover a whole range of topics. Some of them included Iran, but they didn’t necessarily start with Iran. But here we are in today’s news; we’re going to start with Iran because, obviously, all eyes are there this week. Iran is, of course, the rare country that has on some level been on both sides of destructive cyberattacks, and they’ve vowed revenge for this targeted killing of General Soleimani. So let’s just launch right in.
John, in the Washington Post yesterday you were quoted saying there are some serious questions about where the red lines are, and you said the Iranians may have a—may not have a problem with people getting hurt. The day before Chris Krebs, the head of the Cybersecurity Agency at DHS, told every company that it’s time to brush up on Iranian TTPs. They released another statement today giving companies sort of a one-on-one of what to think about. That was the one-on-one level. What are you thinking about? What are you telling your clients and what are you telling those around you about what to predict, what to expect, given this heightened tension state that we’re in?
HULTQUIST: Well, there’s two different—sort of two different problems that we’re concerned about. One is the espionage side and one is the cyberattack side.
So on the espionage side, we expect them to ramp up their espionage program. They’re going to be wanting to know what policymakers are thinking. The situation is incredibly dynamic right now. In June, when the situation was happening in the Straits, they were—they carried out a really large campaign probably against—that looked to be focused against people who would have that sort of information.
The other part of the espionage side that’s very disconcerting is we’ve seen them develop a surveillance capability. There have been—they’ve been compromising telecommunications providers, travel companies, and some other organizations that have a lot of personal information that you might use to identify and track people. Obviously, given the real physical threat associated with this actor and their history of terrorism, you know, we’re very concerned that people are being tracked and identified by the Iranian security services.
The other half of that—the problem, though, is the cyberattack issue. We saw a lot of it—we have seen it in the United States in the past. There was a destructive attack on U.S. business. There was a destructive attack against the U.S. financial sector. There was a tremendous probing campaign that targeted a lot of U.S. critical infrastructure. A lot of that sort of receded after the agreement, but the actors didn’t give up. They continued to improve; they just focused in the Middle East.
And we’re just—our big concern is, is this the red line where they sort of switch back to the United States or they grow—their campaigns now affect the United States again. We don’t think they’re going to bring the economy to its knees or turn out the lights, but for individual participants in the economy, companies like our clients, they could—they could cause some serious damage.
EDELMAN: So, Jim, you spent a lot of time thinking about/writing doctrine related to those red lines, a phrase that we tend to—(laughs)—not like to use nowadays. But when you think about that, right now let’s say you’re in the Pentagon and you’re advising the defense secretary on what to expect. What are you telling the defense secretary? What are you thinking about in terms of what U.S. defense readiness needs to look like? And how is DOD going to relate to the rest of the country when this is both a military and, as pointed out, a civilian threat to companies?
MILLER: David, I think first on the question of what Iran will do, break it down into three parts.
One is who they will attack through cyberspace. The answer is the United States and U.S. partners and allies in the region. The fact that this president hasn’t exactly fallen all over himself in making statements to defend our allies and partners, and the fact that we didn’t respond after a bombing on Saudi—in Saudi Arabia, means, I think, that Iran will feel a high degree of freedom with respect to what it can do to U.S. allies and partners. It’ll feel, I think, more constrained, both from a capability perspective and a threat or risk of retaliation, in going after the United States in cyberspace. But I think if you compare it to the 2012/2013 DDoS attacks that John mentioned or the other actions that APT32 has taken in the meantime, it’ll be a notch up. So we should expect pretty significant actions.
Iran is not going to try to take down the U.S. military. It’s going to try to impose costs on the United States and have something that they can claim is proportional retaliation. I think for that reason a second question is, what do they do besides cyber? And I—my view would be that they’re likely to undertake some form of physical attack as well, and my bet would be that it’s more likely to be against, again, U.S. allies and partners in the region or through proxies wherever they have the reach to do it. And so the fact that you’ve seen the military reportedly pause its counter-ISIS operations to button down is an indicator that Secretary Esper and others already got that memo.
And the third is—the third question is, do they attempt to signal that they have limited aims and that they don’t want to get into a war? I think they do that both through the places they attack, the ways in which they attack, and through—and through public statements as well.
EDELMAN: So, Priscilla, you’ve spent a lot of years looking at the APEC region, and obviously all our eyes are on Iran at this exact moment. So let’s move away from Iran. What are the Chinese, what are the North Koreans taking in terms of lessons from what they’ve seen play out just in the last few days and what—some of the scenarios that you just heard about that might play out in the future?
MORIUCHI: Sure. Do you mind if I touch on Iran real quickly?
MORIUCHI: So—(laughs)—only because I think that there are two other important elements to this whole sort of what’s the scope of cyber response.
And first is sort of what we might consider sort of attack creep, right? If a target network, for example, is located physically in region, in the Persian Gulf or the Middle East, right—computer networks, right, do not reside within geographical borders—so there’s always the potential that an attack or an intrusion, right, which is physically or strategically designed to only impact a certain geography or a certain network, creeps to other part of the network, right, whether that’s designed by the attackers themselves, right, or the vulnerabilities they exploit. That brings up a whole other range of possibilities and intent that you don’t always know as the victim, right, when you are victimized by that intrusion.
I think the second aspect is attribution. So over the course of the past three or four months, right, we’ve seen a number of reports come out—about three, actually—that have indicated that Russian, right, FSB-associated threat actor groups, right, have hijacked Iranian infrastructure—cyber infrastructure; domains, for example, malware, right—and used them for their own purposes, right, to conduct intrusions, Russian intrusions masquerading as Iranian, right? So that creates this element of uncertainty and another level or potential for what we call sort of inadvertent escalation, right, if a country perceives that they are attacked by Iran, right, but the reality was it was an attack that was executed by Russia.
So there’s just a lot. It’s a dynamic situation, as John said. But there’s also all these other factors that are sort of native only to cyberspace, right, and computer networks.
And so just to go back to the Asia-Pacific question, I think for North Korea, like, the answer is quite clear, right? North Korea has a nuclear capability, right, that can ostensibly reach the United States’ shores, right? Iran doesn’t have that right now. And that’s one of the, I think, factors that the Kim regime perceives as a limitation, right, on the military responses that the United States can take, you know, towards North Korea, right? So that’s one.
I think, second, both countries are just watching, right? China has already expressed support for Iran, but there’s no doubt that countries like even Russia, right—China/Russia/North Korea—are watching how this situation plays, how far Iran will push the United States. What networks, right, what are the red lines, right? Do we draw anything? And if not, they will learn a lot from if we do or if we don’t.
EDELMAN: So on this discussion of red lines but also of proportionate response, it seems there is uniform consensus, at least out on the commentators and certainly on this panel, that private-sector companies may well bear some of the burden here, that they may well be targets. If an Iranian counterattack, so to speak, focuses on U.S. companies, what’s a proportionate attack against a U.S. company? And if you’re then the United States, what’s a proportionate counterattack subsequent to a U.S. company being hit? Because traditionally, as last I checked, we’re not really in the business of disabling nonstate firms. It’s not a typical series of tactics that we engage in. But of course, the Iranians have themselves been innovators—think Saudi Aramco—in cases of going after particular companies with geopolitical significance. So how are we thinking about it? What does that escalation dynamic look like?
MILLER: David, if the U.S. wants to reestablish deterrence and reinforce deterrence not just vis-à-vis Iran, but also as Priscilla suggested vis-à-vis North Korea, China, and Russia as well, it needs to—it will need to respond in significant ways. And the significant ways need to be in the mind of the adversary decision-makers. So it’s the leadership of Iran. It’s the leadership of—perceptions of Xi Jinping and Vladimir Putin and Kim Jong-un and the people who advise them. So the U.S. should be imposing costs on them and imposing costs that make it challenging for them to sustain not just a cyber campaign, but in the case of Iran make it more challenging for them to sustain their public support.
Now, the Soleimani killing has, obviously, really reinforced the regime’s position, so this is a—this is not a near-term objective. But undermine their support from their public, which economic sanctions have generally done, and undermine their support in the region and particularly among our allies and partners so that we’re not the ones who are isolated, and then impose costs on the leadership, things that they value. And that includes—and it does include their assets of the IRGC and Quds Force, and it includes their ability to control their own communications internally, and to—and to engage in propaganda externally as well.
EDELMAN: So U.S. companies are going to be up against the Iranian Quds Force, IRGC components, I mean, you name it, plus who knows who else that might be sympathetic. Most companies, at least as far as I’m seeing from the DHS, are getting warnings. Hopefully, they’re getting some sort of additional flow of TTPs that might be associated with Iranian actions. Is that enough? I mean, is that ultimately going to be adequate to bring down any level of success? Particularly, they’re advising companies all the time. Are they going to be better defended today than they were two weeks ago? And are they prepared—your average Fortune 500 company—to deal with this nation-state threat?
HULTQUIST: We were getting questions from our government and corporate customers within an hour of the operation, and the good news is a lot of those questions included the actual names of—or the names that we’ve given to a lot of the operators that we believe are Iranian. They know these operators. I’ve worked with banks who are regularly going through cycles where they are renewing their look at the tactics of those operators and their defenses against those tactics. So this process has actually been ongoing. And one of the gifts of the sort of incident that we had in June is a lot of people refreshed their look around that time.
So the other good news is these actors did not give up. After we saw or the U.S. had all these incidents domestically, they didn’t go—the actors didn’t go away; they just shifted towards the Middle East. And so we’ve spent that time while they were in the Middle East learning a lot about them. We know the ways that they like to break into companies. We know the tools that they use. We know the flaws that their methods have. And we can—and we can pass that along, and we’ve been passing that along for several years now.
EDELMAN: So you’re comfortable with where Fortune 500 companies are right now vis-à-vis the Iranian threat? That’s good news. We never get good news in cybersecurity, I want to be clear. (Laughter.) This is a breakthrough moment.
MORIUCHI: I’m going to—I’m going to rain on that parade now.
EDELMAN: OK. (Laughter.) Back to—
MORIUCHI: (Laughs.) So many, many companies are prepared, right? Many companies completely understand, like John said, the environment in which they live, the vulnerabilities inherent within the systems that they operate, right? But many, many do not, right? And I think for the—for the private sector it touches on that larger question in which companies have been victimized by nation-states for two decades now, right, which is the government response has not ever been comprehensive, right, or if you talk to companies adequate, right, in their—in their—is what they would—might say. So whether we’re talking about Iran, or if you’re Sony Pictures Entertainment when you’re talking about North Korea, right, or other nation-states—China stealing intellectual property—you know, we’ve been dealing with this question for a long time. And perhaps this is a forcing function, right, in which this is a situation that may be unique, right? But I don’t—you know, I don’t see—we didn’t—while I was in government, I don’t know what the great response from the U.S. government would be, you know, if a media company or if a(n) oil and natural gas company, right, which I think we believe are some of the more likely targets, you know, in region, you know, does suffer a destructive cyberattack, right? Where is the recourse for replacing ten thousand computers, right? Is it with their cyber insurance? That’s not clear.
EDELMAN: What happens if the next Saudi Aramco is United Airlines?
EDELMAN: Hopefully, it’s not. You know, maybe American. Depends on what you fly. (Laughter.) All right.
MILLER: David, could I—
EDELMAN: Yeah, please.
MILLER: May I just add very quickly? Thinking about how the United States responds, including by imposing costs, is important. This Iranian situation today is a big test of the defend forward approach of this administration, which I have supported, including the work it did—I’ll say reportedly—to disrupt Russian interference in the—in the 2018 elections. This is a test. Waiting until the Iranians do whatever they are capable of doing and are willing to do vis-à-vis U.S. industry and vis-à-vis U.S. allies and partners is not a good strategy, and kudos to this administration, Paul Nakasone and others, for recognizing that and acting on it. This is a test now. Will they take preventive action? Will they do it in a way that our allies and partners support, and that can be explained to the public?
EDELMAN: So let me ask you about that, because obviously the actors we’re talking about here, particularly in the context of North Korea but Iran to some extent as well, these are asymmetric actors when it comes to, you know, one-on-one against the U.S. military, and so they’re going to be looking for those sorts of advantages. And cyber, obviously, has provided versions of that. Many of you may be familiar with a 2018 GAO report that I dropped my coffee upon reading about how—and I’m quoting here—“the Department of Defense likely has an entire generation of systems that were designed and built without adequately considering cybersecurity,” and then went through a number of weapons systems that themselves could be effectively hijacked or shut down from a standpoint of readiness by what we’d consider—certainly what these two would consider—to be very simple sorts of cyber operations.
And so what keeps you up at night on that kind of asymmetry? If we’re defending forward, but obviously an adversary is going to be—and a great-power adversary—is going to be wily, is going to be thinking about where they can get that additional advantage, is that the area? Is it in limiting military readiness? Are there other areas that you think where the Iranians might be dancing around defend forward or may have ways in that otherwise might not be contemplated by the defense establishment right now that is focused on what they’ve seen?
MILLER: David, I’m very concerned about the cyber vulnerability of U.S. systems. I’m sitting here looking at former Undersecretary for Acquisition Technology and Logistics Frank Kendall, who really began a systematic effort to address this. It’s a long-term campaign to improve the—or to reduce the vulnerability and improve the resilience of our—of our military systems. It’s going to cost over time tens of billions of dollars. It’s going to take not just a year, but a decade and more. That effort is underway.
I don’t worry about that issue vis-à-vis Iran. I worry about it vis-à-vis Russia and China, and worry about the—what I call a double whammy in which Russia and/or China can hold our civilian critical infrastructure at risk and then can at least impede, if not blunt any military response we might undertake, whether through offensive cyber operations, through long-range strike. They are certain to go after our command and control if we’re ever in a dustup. They’re certain to go after weapons systems. And we need to continue to work—the department needs to continue to work to address that problem. Not a fundamental issue vis-à-vis Iran; significant longer term vis-à-vis Russia and China.
EDELMAN: So this is important because, of course, we always speak in sort of shorthand Russia, Iran, North Korea, China as some of the capable cyber actors, but they’re not all created equal. And so, Priscilla, can I ask you, what changes have there been to let’s call them the league tables of cyber operations in terms of U.S. adversaries or even allies? What do we—what do we know now about capabilities and intentions that we didn’t four or five years ago? Have there been sort of major changes in how we think about any of the key actors here?
MORIUCHI: Sure. So I think, you know, because of the sort of situation that we’re in right now with Iran, we’ve focused a lot on the destructive/disruptive, right, capabilities inherent in cyber operations. But for some of these countries, North Korea in particular—and I sort of step back—all of these countries, their operations and their goals are, in the types of tools, right, and the organizations that they use, are tailored to the longer—both the short-term and the longer-term strategic goals, right? So even though we sort of lump these sort of four together, right, all of them have different goals over the short and medium term for their operations. They have different methodologies, right, different—whether the military plays a part, how big is that role, civilian intelligence service, contractors—for example, the criminal element. And sort of—and as we were sort of going before, you know, the actual—not all of these programs are designed with cyber espionage in mind, right?
So if we look at North Korea, for example, the North Koreans since about 2013/2014 online are now spending most of their time conducting operations to generate revenue for the regime, right, to decrease their financial isolation. They’re using, you know—we sort of talk about North Korea as sort of a criminal regime, kind of a mafia state in which, sure, they certainly are using some criminal tactics, right—stealing from banks, for example, a nation stealing money from banks, right, using the internet, right? So there’s one—(laughs)—something that doesn’t happen every day.
Two, cryptocurrency, right? North Koreans were interested, were mining and using cryptocurrency as early as 2015.
EDELMAN: They’re the bitcoin people.
MORIUCHI: When most of the world didn’t—
EDELMAN: That’s who was—OK.
MORIUCHI: (Laughs.) Most people didn’t even really realize what bitcoin was, right, and the North Koreans were already mining it and using it, right? So the North Koreans especially, and I think Iranians are also learning from this, other isolated regimes, have built up this model in which they can utilize the internet not just for cyber operations or destructive capabilities or disruption, but as a tool, right, to get around these kind of traditional structures that we’ve created, right, to isolate these kind of rogue regimes.
And it kind of takes us back to these red lines and for companies who have experienced destructive or disruptive cyber operations, right? You know, we—the traditional methods that the United States has taken—sanctions, indictments, right—aren’t particularly effective against countries that are already financially isolated, right? So there’s this idea that we have to create new tools, right, to address the goals that different countries have for the way that the operate in cyberspace.
EDELMAN: So, John, we have a startup bubble at North Korean embassies—(laughter)—just like in Silicon Valley. Who’s surprising you on the league tables? Obviously, this North Korea generating revenue is, you know, one of—one of the important examples of how, as Priscilla said, these regimes, these countries are pursuing their own aims to their own aims that may not be the same as ours we often mirror image back onto other adversaries. Anyone really surprising you of late or come way up in the league tables?
HULTQUIST: Well, China has shifted significantly. When I—when we started learning in the private sector how to really finally track China, you know, we could do it—when I was in the government we could do it, but it took us a while to figure out how to do it on the other side—it was all about the intellectual—you know, the intellectual property theft, and there’s still some of that going on. But what we’re seeing is it’s mostly dual use, it’s mostly outside of the United States and the West. It’s really focused on military technology. It’s just they’ve shifted away from that. And what we’ve seen instead of that, in lieu of that, a real focus on, again, the sort of surveillance mechanism. They are essentially exporting the Great Firewall. We see them digging in in places like telecommunications firms, where they can not only identify people of interest but they’re literally trolling for terms of interest, right? So if you are—
EDELMAN: You’re talking on firms abroad or in China?
HULTQUIST: Abroad. So you could be in an Asian country sending a text message about the premier and they’re reading that text message and keeping tabs on you. And so that’s one of the more disconcerting things we’ve seen lately.
I will say also, you know, the big surprise for me has continuously—I’ve been doing Russia for, I think, twelve years now, and every red line that I ever imagined existed has been blown through again and again and again and again. And I think the other actors are learning from each other, right? They keep pushing the lines, each one after another major incident.
But I mean, we’ve—right now we’re barreling towards, for instance, the Olympics. We believe that Russia attempted to disrupt the Olympics, like bring the games to sort of a(n) IT halt, which would have pretty much hurt its—disrupted the games. And nobody’s—aside from some cyber—a few cybersecurity companies, nobody’s publicly made that clear. And so here we are about to have these games again, and there’s no reason why they wouldn’t do it all over.
EDELMAN: And if any of you have not read the Wired article that just came out on this topic of the malware that attempted to shut down the opening ceremonies, highly recommended. Incredibly interesting, and in part because of what Priscilla said and Jim mentioned as well, that countries are starting to nest their operations in the operational infrastructure and tactics of one another to create a certain kind of frustration. I think one of the great changes we’ve seen, obviously, over the last decade—you know, ten, fifteen years ago, attribution’s impossible; on the internet, no one knows you’re a dog. Well, actually, it turns out now they do. And we’ve seen states at a level of their own satisfaction, including the United States, actually do attribution, and that’s been an interesting component.
Now, let’s talk about that piece a little bit. And I want to come back to deterrence as well because this notion of whether deterrence is even meaningful in cyberspace is one we’ll get to. But this idea of attributing states is something that companies are newly empowered with and is a role that I would argue has traditionally been reserved mostly for principally governments and occasionally the press when it comes to particular foreign policy activities. And now you have a suite of companies, some represented on this stage, that are in the position of outing nation-state operations—operations that they may not have wanted to get out, operations that I can just speak from my own experience sometimes the government didn’t expect would come out or didn’t even necessarily know about in exactly those terms.
How do you as companies—and then I want to come back to Jim, how do you think about it in the government as well—but how do you as companies think about the decision to attribute a nation-state for a particular operation or activity? I mean, are you engaged in foreign policy analysis of what are the second- and third-order implications, that it would affect broader geopolitics? Or is this fundamentally we’ve got client obligations, we want to make sure people know that we are on top of these threats? Walk us through that thought process.
MORIUCHI: So we do all of the above. And attribution is one of those questions people either love it or they hate it, right? They think it’s completely useless—
EDELMAN: Who loves it and who hates it?
MORIUCHI: (Laughs.) Depends on—(laughs)—
EDELMAN: Governments all hate it? They—
MORIUCHI: Well, like, you know, a lot of we would call them SOC analysts, right, or more technical folks, don’t—you know, I get this sort of thrown back at me a lot because I do think attribution is important—that, you know, I don’t care who’s behind it, I just want to stop it, right, clean my network. But for us, attribution is a fundamental question of defense, right?
So attribution is about understanding the larger environment in which your business or your government department or whatever lives, right? It’s not just about what’s the malware coming at me today and how do I stop that and how do I clean up my network, because if you don’t know who did it you can’t be certain that you have actually addressed the root problem, right, and maybe they’ll keep coming after you, right? So there’s a—you know, there’s a span, right, between, you know, what many criminal groups are after and what the North Koreans or the Russians are after in a corporate network. So for us, attribution is critical, right, to cleaning up an intrusion; preparing yourself if you haven’t, right, been victimized; understanding where you can prioritize vulnerability management, right—which patches you need to install first, which ones maybe can wait for a few weeks from now. And we take all of that into account.
Also the geopolitical. Like, when we were talking earlier about, you know, we went through this one set of analyses where we spent months trying to make sure that what we were seeing—which was Russian hijacking of Iranian domains, operational domains—was real, right? We needed to know. We needed to have high confidence there because of the implications for that scenario, right? So we’re not just, at least from our perspective, you know, trying to make sure that our clients understand that we’re doing our jobs, right, but we’re thinking about what is the impact that this information’s going to have in the public domain for everybody, right, who owns a cellphone and a computer and a network.
EDELMAN: So, John, what’s that hard call? What’s the key example or obfuscated example of when you’re on the fence of whether you’re actually going to do this kind of attribution, whether you’re going to come out with something like this publicly that might have these geopolitical implications?
HULTQUIST: So the first question is our clients. Usually, almost every time we’ve talked about attribution in public we’ve already discussed it with our clients, and usually our—specifically our intelligence clients get to watch that process as it grows and we go from sort of low confidence further up, and they’re already receiving intelligence as that builds. But we see it as a public service because we see it as extremely important.
Right now, for instance, there are a lot of people who are going to want to know whether or not the incident they’re looking at is Iranian or not. And then on top of that they’re going to want to know what type of Iranian actor, right? So there was I think—I think it was the Atlanta ransomware incident, I believe those were Iranian actors—Iranian criminal actors. So you know, imagine a situation where, you know, Atlanta realizes suddenly that this could be Iran. They have to start considering, well, maybe we’ll never get this—get this system back. So the second question is, are these state actors? And all these other sort of sub-questions.
And these are—these are not going to—there are no perfect answers to any of these questions, but that’s what real risk management’s about. It’s about the best answer for the situation. And that’s why we do this, right? We don’t believe—we don’t believe in perfect answers. It’s very difficult to do. But we’ve found that the internet is a great—there’s a lot of information in the internet. People leave tracks. We can learn about them. We do incident response all over the world, we have devices all over the world, and we know a lot about these actors, and we can deliver that out to the world and make it—make the world safer, we think.
EDELMAN: So, Jim, how does—the fact that companies on this stage and not on this stage, in the U.S. and not in the U.S., are able to do this kind of attribution, how does that change the way we do defense and strategy?
MILLER: David, two points.
The first is that, obviously, the private sector has improved its ability to attribute. Firms like, you know—like represented on this stage have devoted resources to it and they’ve gotten better. The government has devoted more resources to the intelligence side and it’s gotten better. Those two don’t always exactly match up in their conclusions, but most often they do over time.
Point two is that my view is that the truth will out. It’s a question of how long it will be before it comes out and how many lies will precede it, or misattributions in that sense. From a policymaker’s perspective in the government, you’d like to be able to control the time that you—the time, as you know, when you release the information. When you throw that ball against the wall it’s going to bounce back, and people expect you to be prepared to take action. If you need time to prepare that response, if you need to work with allies and partners, if you—thinking of a historical case I won’t name—if you don’t have the technical capabilities to respond through cyberspace to an actor who went against one of your private-sector companies—I’ll leave it at that—and you want to build a response package, you’d rather have it come later. So that time—any confidence you had in government that there would be either later—only later attribution or attribution you controlled, or even correct attribution, that confidence is gone. So it puts an onus on moving faster, on taking more rapid action, on applying intelligence resources, and applying the senior decision-makers’ time to take action quickly.
As this happens in the coming years it will—I think it will somewhat increase the chances of errors—in other words, acting on inaccurate information—particularly given the possibility and the reality that one actor may mask its activities under another one’s tools, and another actor may use proxies and so forth, and so attribution can get a little complicated. But no doubt that the time that policymakers thought they had a few years ago to think about it, have time to contemplate when to release the information, to control that, and to have a response in place, that’s hugely compressed.
EDELMAN: So this notion of time is actually a very interesting one as it relates to anything in cyber doctrine because, you know, for—you just mentioned, obviously, it’s compressing the decision-making time, but we almost need to elongate that window to do the sort of positive attribution that we expect, particularly given the sort of challenges that we’re seeing of countries using each other, TTPs. That’s in direct conflict with what we heard for at least eight years, which was we’ve got to react in the network at network speed right now, go, go, go; if it’s not an automated response, it’s not going to be effective. What I’m hearing is maybe that might not have been totally accurate. And that was not necessarily the doctrine of the entire government, but you heard that from a lot of folks that were on the ground and felt that there was a need for that sort of automated response to habituate in adversaries that there would be immediate consequences. Am I hearing that, in fact, maybe we need to take a little bit of a step back from reaction at network speed and respond at least at fast foreign policy speed?
MILLER: (Laughs.) That does sound like an oxymoron to me.
EDELMAN: Yeah, I don’t know if that’s fast or not. You all can tell me. (Laughter.)
MILLER: For prevention, for blocking, for mitigation, you need to act quickly, right? And I think we don’t have to unpack that. People get that. And some of that needs to occur at machine speed, and increasingly I think it will occur at machine speed.
If you’re going to—now, big break—if you’re going to take an action that involves either sending electrons across to disrupt or destroy something on the other side, or if you’re going to drop a bomb, or if you’re going to take other action, taking a few minutes to think about it first makes a lot of sense.
EDELMAN: Yeah, absolutely.
MILLER: Taking some time to make—to ensure that what you do has a high probability of being supported by your allies and partners, or at least many of them, that you have your narrative together, and that you—and I don’t—I don’t buy that you have to act immediately to have a deterrent effect. I think you need to act decisively and accurately to have a deterrent effect, and it helps if you can communicate that along with the action as well.
EDELMAN: All right. So we used the D-word. No conversation about cyber and foreign policy would be complete without a discussion of cyber deterrence, sort of. But I want to take a slightly different angle on it because, obviously, we—I want to hear more about is cyber deterrence, in the view of this panel, a thing. How is it obtained? Can we rely on it? Is it even meaningful? And I think there seems to be general consensus from what I’m hearing it’s in the context of broader foreign policy, it’s in the context of national security, in the context of what threats a state has comprehensively against a potential adversary.
But I actually want to go back to a narrower piece of it, which is this idea of what we’re seeing on the networks, because deterrence operates in a number of ways. One of them, of course, is at the strategic level. But another is at the operator level, right, the individual at the keyboard that might actually have some hesitation, that might be afraid that they’re going to cross a line, that there’s going to be unintended consequences, they’re going to get fired, or worse depending on what government they’re working for. And so the question that I—that I have for everyone on the stage, but particularly Priscilla and John: Are we seeing that sort of tactical cyber deterrence operate at all? Are you seeing adversaries that might have a lot of capability, a lot of accesses to network, a lot of potential maybe even destructive capability, and then pulling back, and pulling back maybe in response to geopolitical circumstances that they’re seeing as much as orders that they might be getting? Have we seen cases like that at all?
HULTQUIST: Oh, sorry, go ahead.
MORIUCHI: No, I just—maybe you have a pullback example.
So the way that I’ve sort of looked at this is the case of China over the past seven to ten years, right? So there was a period in time that sort of John alluded to where both in the government and in the private sector there was almost a fingerprint for Chinese intrusion behavior, right? There was a set of malware, right. There were TTPs—tactics, techniques, and procedures, right—that were quite easily identifiable because they were very bespoke capabilities that were used repeatedly by Chinese units, both military and civilian cyber units. And in about 2015, right, through a confluence of events, right, changes within the People’s Liberation Army, right, the anticorruption campaign raging within the Communist Party; potentially—depends, I mean, on who you ask—the U.S.-China cybersecurity agreement in September 2015 that year, right, China has, I would say, almost completely reengineered its cyber capability, right?
They’ve created a PLA command structure, right, that has consolidated command and control, right, operationally and organizationally. Their operations on net look completely different than they did ten years ago. Gone are the use of these sort of pieces of malware that were really bespoke capabilities. There’s a lot more use of what we would call commodity malware, which is malware that’s largely open and available, that can be purchased, right, on sort of criminal underground or even downloaded, right, capabilities for network scanning and reconnaissance that are used by criminals and nation-states alike. The use of, for example, virtual private networks or virtual private servers, right, hot points, to create this distance between the actual operators themselves and their targets. And all of these techniques are used largely by both criminals and nation-states today, and create a more convoluted environment in which there’s no longer a fingerprint for Chinese behavior, right, on attribution anymore. And they’re using a lot of the same tools that in some cases commodity RATs, for example, that Iran is also using—(laughs)—that criminal groups, both sophisticated and non-sophisticated, are using.
So I don’t—I don’t know that I have a great example of sort of pulling back at the keyboard. But this idea, right, that deterrence could have an effect on operations I think is a—is a valid one. I’d be interested—
HULTQUIST: I think, yeah, with the China example, the other thing we’ve seen is that—we’ve seen a push towards contractors where we can see it. We can’t always identify who has hands on keyboard, but a lot of the PLA operators or the ones that we suspected were PLA—in some cases we got very lucky and could actually identify—they seem to have sort of pulled back, and then we see more activity from operators that have either been identified as MSS contractors or we suspect are MSS contractors. So there’s a—they’re sort of being, you know, kept at arm’s length. Some of them are running criminal activity at the same—like, simultaneously.
Another example—I think sort of the opposite example—is Russia. So when I got into doing Russia a long time ago they were very quiet, and when they got caught they disappeared, right? And occasionally they messed up and there was a very loud incident, and you could—you could probably chalk that up to just a mistake. And then they disappeared, they burned everything to the ground, and they started again fresh.
And then we started recognizing Russian operators who didn’t care so much when they got caught, right? They didn’t care if you were observing them. They rarely burned everything to the ground. And then they started doing this sort of I/O hybrid activity where they started creating these personas and doing cyber sort of disruption and targeted leaks.
So I’ve actually seen sort of the opposite with Russia. Whereas, you know, the operator that we believe is probably FSB has always sort of remained super low key, some of their other operators have just continuously pushed the line again and again more aggressively, and it’s never really gone away.
EDELMAN: So before we get to questions from members who are assembled here, Jim, the last word on cyber deterrence? You wrote one of the first words on cyber deterrence back in government doctrine. So how’s it going? (Laughter.)
MILLER: So far, so good. (Laughter.)
EDELMAN: That’s called setting expectations. (Laughter.)
MILLER: So let me—a quick comment on—if I can, David, on the last question. I think what we’re seeing is there’s not so much people or countries pulling back, but two other features, one of which John alluded to.
One is withholds. You want some capacity to escalate. You want some capacity if things get tough to be able to go up the escalation ladder, if you will, within cyberspace. And there’s also the question of context. Why would a country go hard against our U.S. military systems today if they’re not feeling threatened by them? They’d want to withhold that.
And the second, I think we are seeing from Russia, is brandishing. So public reports through DHS about BlackEnergy and Havex being in our—being in our—malware in our grid and other intrusions, that gives leverage. That gives, you know—in a sense, WASTA (ph) as well. And so I think you’re increasingly seeing those two features be a part of it. And so the complement of deterrence is coercion. Brandishing is about developing coercive capability and credibility because there’s a perception on the other side—us, in this case—that they have that capability. So I think that we’re—I think that we’re seeing that, and their hope is that we will be deterred from coming to the assistance of an ally or partner because of—in part because of the threat to our civilian infrastructure and in part because over time we’ll have less confidence that our military systems will work.
So we need to get on the other side of that. And as you suggested earlier we need to take not just a view of how do we deter cyberattacks on the United States, which is important and includes cyber responses but not only cyber responses, as we’ve seen with economic sanctions and, you know, the high-end military response, but we need to think about how do we use cyber in order to bolster deterrence of coercion of our partners and allies, of coercion of ourselves, and to bolster deterrence of armed attack as well. And so that’s a place where the department I think has made some progress, has a lot of work to do, and where we need to—we’re talked about a national capability for cyber operations. My view is that we need to not just talk about it; we need to instantiate that, whether it’s a national cybersecurity center, whether it’s a joint interagency taskforce.
I think this administration’s made good progress in bringing together disparate parts of the—of the administration, including DHS, CYBERCOM, FBI, and so on. That needs to be instantiated for us to have a better posture for deterrence and for prevention and response.
HULTQUIST: One of my concerns, though, is that as we more aggressively use our offensive cyber—so the U.S. is probably the most sophisticated technical actor on Earth. The problem is we also have the most sophisticated technical economy on Earth, right? And Cyber Command, which has been allegedly according to media reports using offensive capabilities against military targets, it has been very recently—those incidents—Iran may not respond to those incidents in kind with a—it’s unlikely, I think, to respond to those incidents in kind with some sort of cyberattack against our surface-to-air missiles or our missile—Patriot batteries or something along those lines. I think they’re going to respond with an attack on some economic actor like a private-sector target. And so, you know, the asymmetry of the situation we need to continuously keep in mind. We are—our great advantage is also our great weakness.
EDELMAN: And on that cheery note, I’d like to invite all of you to join the conversation. (Laughter.) I’m sure we have a number of questions. Just a reminder, this meeting is on the record. And of course, the internet never forgets, but please don’t let that deter you. We have roving microphones. Please raise your hand. Please remember to state your name and affiliation.
Why don’t we start right here in the middle? Please, Shaarik.
Q: Shaarik Zafar, previously in the government, now at Facebook. It’s on the internet. If you google it, you’ll find it. (Laughter.)
EDELMAN: That figures.
Q: So there’s a report on Axios this morning that in addition to worrying about hard cyber threats that we also have to be prepared for soft information operations—influence operations, misinformation—misinformation. I’d really love the panel’s thoughts on how we should be worried about this in the context of post-Soleimani and Iran, but also great-power conflict writ large.
HULTQUIST: So we’re actually tracking—we work—this is public—we work with Facebook actually specifically to help them track threat actors. And one of our—you know, one of the things that we’ve found are Iranian threat actors. They are very aggressive. They’ve been rapidly developing their program. They’ve been sort of really interesting—they’ve sort of developed a lot of interesting schemes. That’s something that they have also done in the espionage space.
I think one of their great advantages is they’ve—what they’ve lacked in technical prowess they’ve often made up with really, really impressive, creative social engineering, and a lot of it’s been through social networks. So they’re very comfortable in that space. And as this news came out we saw them ramp up their program and start—and start pushing that stuff out.
I think it’s almost like weekly we find a new—we find a new state actor that’s getting into this game, and it is—it’s moving rapidly. It’s going to be very hard to fight.
MORIUCHI: Yeah, so I’ll tackle that one as well. So we’ve spent a lot of time over the past couple years looking sort of historically at nation-states, right, and how they’re building up their what we call sort of online influence operations capabilities, right? So this is leveraging, right, social media platforms, but also messaging platforms, right, like WhatsApp for example. And you know, interestingly, so most states have that capability right now. It’s sort of—from our perspective it’s separated into sort of these two elements.
The overt element of influence, right, which tends to be state-run media, right, consulates/embassies, that presence on social media, the message that they put out there, right, which can give you a really interesting perspective and insight into the country’s goals, right? So if you look at—if you talk about overt, right, messaging from China versus Russia—for example, right, we’ve done studies profiling Chinese overt messaging on social media using a bunch of sort of tools, sentiment analysis and others, right—the message that China is putting out is overwhelmingly positive, right, and it’s driven by this idea, right, and this desire to present China’s rise as good for the world, right?
And so the messages that are put out, you know, if you look at the whole to get, like, as a dataset, right—so there’s a lot of—I think a lot of anecdotal reporting when it comes to influence operations, right? Oh, China put out this message about the Hong Kong protests. Russia did this, right? Iran says that. But when you look at the holistic message, that’s where you get the insight, right? And so from the Chinese perspective, if you look at the messaging operations that their state-run media is engaging in, it’s overwhelmingly positive: China’s beautiful, right, the economy is amazing, right, come engage with us.
If you look at Russia, RT, right, Sputnik, they tend to focus very much, you know, on specific issues, right, that will create or amplify discontent, distrust in democracy institutions. Like, there was—there was a report about RT and Russia’s state media, for example, just in a few days how much time they’ve spent and how much print space focusing on the Epstein scandal, right, the suicide, right? Why, right? Why does Russia care about the—they don’t, right? They care about it because it’s an issue in the United States, right, and it creates distrust within our own systems, right?
In all these countries. North Korea have similar. Iran, right? This is a tool that’s used by militias, right, in Syria as well.
And so what we see are not just the embrace of influence operations on the large social media platforms, but increasingly to the places where we live, right, our lives, on messaging applications, right? Some of these actors—President Maduro in Venezuela, for example, has created his own application, right, for his supporters to download with pre-formatted social media messages that they can just click and post to whatever platform they choose, right? That’s a form of influence as well.
EDELMAN: Every U.S. presidential candidate just wrote that down. (Laughter.)
MILLER: Could I just—could I just pile in? Foreign cyber-enabled malign influence operations are a real problem. They are growing. We are not well-organized to deal with them as a government or as a country.
Domestic cyber-enabled malign influence operations are an equally large problem for our country and for democracy, and the answer cannot be, like, binary. Like, Twitter’s zero, OK; Facebook is one, right? It can’t be nothing gets through that has—is about political advertising—sorry, Dorsey—and it can’t be we’re not going to deal with this problem and pretend it doesn’t exist. And I understand that you guys are beginning to modify the initial response from Zuckerberg. The private sector has to step up. The government can play a role in helping to establish guidelines.
But I just want to encourage you in what you’re—in what you are doing, which is to get both Facebook and other institutions to step up and take this on. This is one of the biggest threats to democracy. And I’m talking about the internal, which the foreigners pile onto. We’ve got to do better.
EDELMAN: All right.
MORIUCHI: I see convergence. I just want to add one thing. I think what you’re alluding to is this convergence, right, this idea that nation-states are using for the short-term gain, right, this commonality with domestic groups, right, in which the long-term goals diverge but over the short term interests are the same and the tactics, right? So the interests and the tactics of the short terms are converging, right, even though the goals over the long term are different.
EDELMAN: All right. Next question, please. Yeah, we’ll go all the way in the back. Yeah, right behind you, please.
Q: Hi. Liz Kim (sp) from Voice of America.
Recently Microsoft took legal actions against a North Korean hacker group. Does that kind of move really help contain overseas threat?
MORIUCHI: Oh. I don’t know. (Laughs.) Right, North Korea’s a difficult case, right, because of how isolated they are.
But I think you’re sort of alluding to the larger question about whether things like indictments and court cases, right, actually have an impact on nation-state actors. And kind of the one sort of example that I have—sort of spans my time in government and private sector—is that of China. So you know, after their—FireEye’s APT1 report, which sort of broke ground for the private sector in doing attribution, the following year, in 2014, the U.S. indicted five members of the PLA, right, that were associated with this group, Unit 61398 or APT1.
I know from my time in government that the Chinese were incredibly angry, right, about those indictments, right, to the point where they called off sort of bilateral cyber discussions and would bring this up at every meeting subsequent to that, right: withdraw these indictments, right? And so whether that—how they feel today, right, in 2020, right, and how they felt then is likely different, right? But this idea that we will pursue as the United States government, like, legal action within our court systems, and that, you know, as sort of FBI agents would have said, the FBI never forgets, right? People come back to the United States and there are still indictments, right, and there are sealed indictments, and they get arrested, right, for things that they’ve done in the past. So does it have a larger deterrent effect? I’m not sure. But it certainly has had an effect.
MILLER: Can I just add—just add a little bit to that good comment? Microsoft announced a few days ago that it had gotten a finding, not from the—(laughs)—intelligence community but from a court, that allowed it to go back against North Korean actors. And I don’t—the number was, you know, something like eighty-two different instances or something like that.
This is new ground for the United States. I think it’s important that folks in government today have a good—a good, hard look at this. I think it’s an interesting model that we need to explore. But one thing I want to ensure is that—is that operations to impose costs, to damage other countries’ infrastructure, offensive cyber operations should be the sole domain of the U.S. government. And there are—there is a gray zone, if you will, between blocking and hacking back and so forth. But the U.S. government needs to continue to have the only legitimate use of force by Americans, and we should not outsource that to get vigilante justice.
I don’t believe that’s the case at all with Microsoft. I think they’re acting legally. I think it sounds like a good model to follow. But we need to be careful not of where—it’s not a red line the way we’ve talked about, but we need to be careful so that the government has a monopoly on the use of force.
EDELMAN: That’s a great point, alternatives to hack back. We’ve been talking about hack back forever. What else is out there that companies can use to get relief, to find some ways of actually engaging without necessarily going down the road that’s previously been reserved, of course, for government.
Other questions? Yes, please. Right here in the middle, red tie.
Q: The question asked—Edward Luttwak is my name.
The question asked by the presider, league tables, because I’m puzzled by this conversation as a non-expert, because in every other non-electronic activities the rankings, for example, are very clumsy, ineffective, fail all the time. Why would they be so great electronically? North Koreans we know are the world champions of cost effectiveness. Their whole ballistic missile program is cheaper than the stationery budget of the Defense Department. (Laughter.) The Russians, as we saw in the Macedonian case, the Macedonian referendum, spent about $12 or $15 to depress the attendance, which was their aim—the participation, to depress it well below 40 percent in a referendum where it should have been 90 percent.
So the Russians are skillful. The Chinese are numerous. The North Koreans are cost effective; indeed, they’re profitable. I wish our DOD earned money the way theirs does. And the Iranians, how come we talk a lot about the Iranians? Are they—is this cyber world a different world where being corrupt, clumsy, ineffective doesn’t matter?
HULTQUIST: Well, one—(laughter)—I’m going to take some heat. I’m going to take some—
EDELMAN: Get ready for that, John. (Laughter.)
HULTQUIST: I’m going to take some heat for saying this, but they’re contracting a lot. (Laughter.) Yeah, they’re contracting a lot. So when they started—when they started post-Stuxnet, sort of an inflection point, they started bringing in their nationals, hackers, to carry out a lot of these actions out. Some I think they’re quite—they’re pretty much paid by the government. They basically went legit. They set out a shingle and set up a website, called themselves penetration testers, and literally some of them list the government as their—as a client. Some of them got their military, their conscription, signed off on for their—for their work under that space. But they didn’t start out—(laughs)—like, they were not mature cyber actors from the—from the beginning. The good news is, is that you didn’t really have to be. There’s a lot of automated tools. There is a lot of knowledge that was out there. And they just—we’ve watched them slowly improve.
And while in the—one of the reasons I’m so concerned is that the actors that we saw during Operation Ababil, the targeting of the U.S. financial sector, during the destruction of—at a U.S. company many years ago before the nuclear agreement, have been improving in the Middle East and slowly improving their game there. And they’re just not the same actors that we’ve seen in the past. Part of that is they’re using a lot of off-the-shelf tools that are made for penetration testers that make it really easy to do the job, and they’re just scanning for things and looking for low-hanging fruit. Some of it’s they’ve developed a lot of interesting tactics.
The biggest thing—personally, the thing that consistently surprises me is how incredibly—these incredibly complex social engineering scheme they’ve developed. We’ve seen them create entire fictitious news agencies that exist across multiple social networks with thousands and thousands of sort of connections, and they’re all sort of supporting each other and building this legend of this fake organization behind it. And they’re using that to target all the way up to four-star level military officers.
And they just—they’re brash and they’re creative, and that makes a lot of difference. And there’s a lot of tools already out there.
EDELMAN: And so when John adds you on LinkedIn this afternoon be a little suspicious. It might not be him. (Laughter.)
All right. Other questions, please. We’re aiming for gender balance, but it’s not happening. So, please, everyone who has questions, please raise your hand. And we’ll go right over here next.
Q: Hi. I’m Kevin Sheehan of Multiplier Capital.
This is a question for John. John, as you know, you’re a principal in a book called Sandworm that is about the discovery of a GRU unit that’s been very active for many years, been very persistent, and in particular active in attacking civilian infrastructure in the Ukraine. And the scary conclusion is it wouldn’t be that difficult to conduct those same operations in the United States. How could—how could Sandworm be deterred, short of kinetic methods?
HULTQUIST: Well, I think the first—the first step would have to be a(n) open and fulsome conversation about Sandworm, right? There is bits and pieces, but we’re not really—the government, for instance, has not really issued some this is what this organization is, this is what they’ve done. And we’ve tracked this—for those of you who don’t know, Sandworm, we believe, is one of the GRU actors that we can connect to the Russian blackouts, the targeting of the PyeongChang Olympics, the NotPetya incidents that caused $10 billion and hundreds of millions of dollars at several U.S. companies including logistics and manufacturing companies. They were involved in some of the election shenanigans, as well, in the United States, as well as France. All connected to the same actor, and this story’s not really being told. It’s not really raised the level of consciousness. And we’re not really—the first step is we have to—we have to really talk about it.
The other thing is I wouldn’t necessarily see them turning out the lights like they did in Ukraine in the United States. Our grid’s probably more robust than that. But what they did is they started developing a more simplistic ransomware-based attack, and that’s what caused tens of billions of dollars of damage to U.S. companies. That attack, essentially, was designed to target Ukraine, it did target Ukraine, and it essentially leaked into other parts of the globe and still managed to do $10 billion of damage. So you can imagine the capability that’s really at hand, the economic damage that these guys are capable of.
But I really think the first thing is that we have to be talking about that actor. And the Olympics is a good place to start.
EDELMAN: All right. Further questions? Yes, please.
Q: Hi. Aynne Kokas, University of Virginia. Thank you very much.
So my question for you. We’ve been talking a lot about military threats and actions by state actors. But I’m interested when we’re looking at—what about legal investment in the United States? I’m thinking about companies like TikTok, which is not allowed on U.S. military phones now, but you know, on all of the kids’ phones—(laughs)—of all those same people, and the types of data-gathering activities that are actually very legal and could feed into these state activities. So particularly in countries like China, where there is—you know, where there’s civil-military fusion, how do we contend with issues like that? And how do—how do cybersecurity professionals in your fields deal with that when you’re—when you’re working with your clients?
MORIUCHI: Yeah. So you know, so you allude to a number of different sort of operations. So one—and John talked about this earlier—is what I would have called sort of SIGINT-enabling operations, right? And that’s kind of the surveillance, right, in which we see nation-states—China, Russia, Iran, others—moving into this sphere where the immediate victims of an intrusion, say a telecom for example, are not the intended final victims, right, in which the intrusion into that telecom is designed to enable intrusions into the telecom’s customers, right, or into the telecom’s services, right? So you know, that’s part of, you know, depending on your perspective, right, what you would either consider like a supply-chain threat, right, if you’re an end user—(laughs)—right, because the telecom is part of your software supply chain; you know, or you know if you’re a government, right, it’s an intelligence-collection threat, right? And so that’s sort of one, right, is like this idea that nation-states are using cyber operations to get information about us, right, that we don’t have control over, right, that exist in telecoms and other places.
Second are these—are the applications, right, and the data that’s collected on a second-by-second basis, right, about all of us, you know, using our phones and our devices. I think the—we are beyond the point where it’s a problem, right—(laughs)—and we are in—I firmly believe we’re in the space where we have to start talking about how do we define what’s legal and not legal in that space for both domestic and foreign companies. So if you take the example of TikTok, for example, or you know, sort of Chinese social media applications, right, there’s a fear—and I think that it’s founded, right—that China will be exporting some of its own values, right, in terms of openness in society and media. Whether that’s at a government directive, right, or not is a(n) important distinction, because if you look at some of the press reporting around TikTok some of the proactive censorship that has gone on in TikTok as an application was not necessarily the result of a government censorship mandate, right, but the way in which Chinese culture, right, views certain topics.
So there was a story a few months ago about—if we take TikTok for the example—about TikTok censoring certain videos that involved visibly disabled people to ten thousand views, right? And the perspective at TikTok was nobody would be viewing this video unless they were trying to make fun of the person with this disability, right? That’s not how we see it, right—(laughs)—in our country and in most of the West, right? So this was a proactive—what TikTok felt was a proactive way to address bullying online that was completely out of line, right, and not what most people are looking at.
So you know, legally, right, there’s not much that we can do around that, you know. But we’re at the point where—or beyond the point where that discussion has to happen. And we have to come together, if not as a global society, as countries with government, right, to help identify and enable the platforms to set their own boundaries as well.
MILLER: Yeah. Could I just add to that response to that great question? From a—from a Department of Defense or military perspective, hacks like the OPM hack and others that provided massive data about individuals, including in the government and in the military, are just a treasure trove for any country that has a long-term perspective in terms of gaining further intelligence, recruitment of assets, recruitment of spies, coercion of individuals whether through compromising material they find when they hack them or something else, attempts to demoralize in the context of a crisis, and to—and attempts to undermine confidence in their government. The list could go on.
If a country—and I think first and foremost of China in this regard—has a long-term perspective and is willing to play and wants to play a game of erosion and competition, this is just a treasure trove. And it’s something that we need to worry about as a country, and it’s something that the Department of Defense has taken initial steps but needs to do much more to defend against and to inoculate to the extent it can, because the penetrations have happened. The vulnerabilities exist. It needs to—it needs to work at the level of individuals and their families to deal with this.
It’s a great question.
EDELMAN: We have only five minutes left and a lot of hands, so we’re going to go to the lightning round. We’re going to take several questions and do our best to answer a few of them as best we can. Alan, and then—I’m going to rotate on sides—so Alan here, and then right here in the middle. Just ask your question. And then we’ll do one more over here, please, in the red tie. And then we will do our best to synthesize all of them. Maybe you’ll ask the same question.
Q: Alan Raul with Sidley Austin.
You’ve talked about the government’s role in attribution, deterrence, even forward defense. What about homeland defense, in particular of the private sector? Is the government doing enough to protect private companies? And is it being held accountable to do that? And whatever happened to cybersecurity information sharing? Has that been a success or failure?
EDELMAN: Great questions. OK. Great.
Q: Dennis Shea with the Navy’s FFRDC Center for Naval Analyses.
Returning to the event of last Friday that got us here, the assassination of an Iranian general, it’s been reported that POTUS was made several options to respond and that he chose the one in the upper right-hand corner, assassination. Can you speculate on what some of the offensive cyber responses that might have been offered to the president and why they would not have been an attractive option for him to choose? If you want to send a signal or change someone’s behavior, why not offensive cyber?
EDELMAN: Great question. And then last, right here.
Q: Peter Sharfman, MITRE Corporation.
This really builds on the last question. Iran, I believe, has a need, for the purposes of shoring up the long-term legitimacy of their regime, to make a response that is visible and conspicuous and preferably humiliating to the United States. Cyber warfare up to now has been conducted in the shadows. What kinds of cyberattacks provide high visibility, instant attribution, and great humiliation for the victim?
EDELMAN: All right. We’ve got defense and offense options, including Iran. Who wants to put it all together?
HULTQUIST: I’ll answer the last question—
EDELMAN: Hey, John, way to go. (Laughs.)
HULTQUIST: —because it’s all I remember at this point. (Laughter.)
I think a lot of the incidents that we’ve already seen could easily be sort of non-deniable, right? The thing that we’ve seen in a lot of the destructive and disruptive incidents is the adversary puts this sort of edifice or persona in front of it. For instance, when we had the incident at our—at our banks several years ago, they claimed it was a pan-Arab organization that was upset with the Innocence of Muslims video. They can just—really just get rid of that and let everyone kind of figure—(laughs)—things out for themselves. I don’t think that the work that they usually do on deniability is even really necessary.
EDELMAN: Jim or Priscilla, the cyber options before us or defending the homeland. Whither?
MILLER: I would prefer not to give a roadmap to the Iranians for how to—how to hit us. (Laughter.) But as I indicated before, I think they’ll use cyber because they can, and they will likely engage in some way in the use of kinetic force, if you will, because it’s visible. I think it’s more likely that they’ll do the latter against U.S. allies and partners and attempt to use it as a further wedge to reduce U.S. influence in the region, and we need to think about that.
Should I go on to a couple other points real quick?
EDELMAN: We’ve got two minutes.
MILLER: I would not attempt to—(laughs)—explain what’s going on in President Trump’s mind and why he selects an option. I hope that people took the lesson that only put options on the table that you think it would be sensible for the United States to implement. That would be a good approach in any event.
But clearly, there’s a view that—let me say Soleimani was an evil person who was directly responsible for the death of hundreds of Americans in Iraq and the hatching of nefarious plots throughout the region. It’s good that he’s dead. He will not only not be missed; it’s a positive. The way in which we did this, without consultation with allies and without support, is going to be very problematic. And so—but you know, just to—just to make that point.
Yeah, the cyber information—security information sharing continues to—I think continues to improve. I asked my colleagues on the—with respect to the U.S. government to private sector. What’s more impressive and what’s the biggest move in the last few years to me is the private-sector sharing that is going on through the Threat Alliance and through others. And I think that that game has improved, and I hope that that continues to go forward. I think both government and the private sector have another step function, at least, to catch up to today. And if we want to be ahead of the threat, not behind the threat, we got to take a couple big steps.
EDELMAN: Last word?
MORIUCHI: I guess—yeah, that was the only one that I was going to address. (Laughs.)
MILLER: I’m sorry. (Laughs.)
MORIUCHI: No, but it’s interesting that’s your perspective.
So when I was in government I felt that government was doing enough—(laughs)—and that partially a lot of this wasn’t our problem. But it is, right? And I think that there are a number of models around the world that we can use to test or to at least experiment with government involvement in protecting some private companies, right, if not all. The U.K.’s National Cybersecurity Centre, for example, is a model, right, in which the U.K. is quite explicit about which companies, what they’re protecting, you know, why, right, the services that they’re willing to provide for those companies and everybody else is kind of on their own.
In the United States, you know, we don’t have even those—the semblance, necessarily, of protection. Different agencies have different definitions, for example, even of what’s critical infrastructure, right? So we don’t have an agreement on whether one company’s industries is considered a critical industry or critical infrastructure or not.
So you know, I’d argue that I think that the government does have to step up. Whether it means doing more or doing less is not—I don’t necessarily have an opinion about. It’s about defining, right—helping private companies to understand better what they can expect from government when someone knocks at their door or when they experience an intrusion or when they’re asked to share information, right, when they have it. That’s a critical step that we’re just not at right now.
EDELMAN: So more work left to do.
Well, thank you so much for the wonderful questions. Please join me in thanking our panelists. (Applause.)