Adam Segal, Maurice R. Greenberg senior fellow for China studies and director of the Digital and Cyberspace Policy Program at CFR, joins CFR Senior Vice President James M. Lindsay to discuss 'The Hacked World Order,' his new book on how governments use the web to wage war and spy on, coerce, and damage each other. Segal outlines the main themes of his book and addresses contemporary topics in cybersecurity.
The CFR Fellows’ Book Launch series highlights new books by CFR fellows. It includes a discussion with the author, cocktail reception, and book signing.
LINDSAY: Good evening, everyone. On behalf of Richard Haass, the president of the Council on Foreign Relations, I want to welcome you all here tonight. I want to thank you all for coming, particularly given the rather unpleasant weather we have outside. You are real troopers to make it here through the storm. I am Jim Lindsay, the director of studies here at the Council on Foreign Relations. I also want to welcome everyone who is joining us via the Internet as we livestream tonight’s event. Whether you’re here in the room or seeing us in virtual space, you’re all in for a great treat, as we have a timely and important discussion.
Tonight’s guest of honor is Adam Segal. He is a tremendous talent. It is my great honor and pleasure to introduce him, and also to be his colleague. Adam is the Maurice R. Greenberg senior fellow for China studies here at CFR. And he is director of the Council’s Digital and Cyberspace Policy Program. He is a China-hand by training, he has written widely on security issues, technology development, and Chinese domestic and foreign policy. In recent years, he has applied his many talents to cyber and digital issues. He runs the CFR blog Net Politics, while still contributing to another Council blog, Asia Unbound, both of which you can find on CFR.org. And importantly, given the fact we are in the modern age of communications, you can follow Adam on Twitter at @ADSChina. I’ll repeat that again: @ADSChina.
Tonight, though, we’re not here to talk about what Adam has done in the past or about the blog, but rather we’re going to talk about the publication of his terrific new book, “The Hacked World Order: How Nations Fight, Trade, Maneuver, and Manipulate in the Digital Age.” So please join me in welcoming Adam Segal. (Applause.)
SEGAL: Thank you. I mean, and the Chinese can clap for themselves.
LINDSAY: Let me sort of—I’ll get it, I’ll get it. I’ll open with a question. You call your book the “The Hacked World Order.” So, what is the hacked world order?
SEGAL: Thanks very much, Jim. And I want to first thank you and the Council for the support of all my work, and the support of the program, and support of the book. And a number of people in the room have been involved in the Council taskforce on digital issues and the working group. And I want to thank them. I’ve learned a great deal.
The hacked world order really came from the idea that we have seen an explosion of concern from nation-states about cyberspace, right? We had portrayed cyberspace as a kind of digital utopia where the individual would be empowered, groups would have access to information, we’d have this free flow of data, and that nation-states would kind of wither away over time. But what we in fact have seen—in fact we have seen, is a tremendous reassertion of state power and sovereignty into cyberspace. And in particular, you can look at June 2012 to June 2013 as a—as a time when states really stood up and forced their way back into cyberspace.
LINDSAY: Let me push you on that, because you didn’t use just how a phrase you use frequently in the book, and that is zero year. What happened in round about June of ’12 that sort of changed things from this utopian world we thought we were in, and we discovered we were in actually someplace very different?
SEGAL: Yeah, I mean, year zero is an inflection point, right? We had hacking before then, right? We had massive hacks of T.J. Maxx and Home Depot. The U.S. military used cyber weapons in Serbia and Iraq. But the inflection point in June of 2012 was the first leaks about Stuxnet, right, and the use of malware, allegedly, by the United States and Israel against Iran’s nuclear facilities at Natanz. And then the end in June of 2013 is the NSA contractor Snowden—Edward Snowden showing up in Hong Kong. So if you look at that year, we had a whole range of events. We had Iranian attacks on U.S. banks. We had a Saudi Arabian oil producers. We had a massive year of Chinese cyberespionage. So that was really an inflection point where the states, again, really reasserted their sovereignty into cyberspace.
LINDSAY: So, explain to me what world we live in right now? How dangerous is it? How much have states exerted themselves? In particular, are you arguing that we’re about to face a—I guess it’s called a digital Pearl Harbor?
SEGAL: Yeah. I am not a proponent of digital Pearl Harbor, or cyber 9/11, or any other type of kind of out of the blue destructive attack, right? We know that actually creating physical damage is pretty hard, for now, right? It seems to be concentrated in nation-states. Maybe five or seven of them can do it. And it’s very unlikely right now that we would get an attack that’s totally out of the blue. So the threat is not that. The threat is espionage, disruption. But the threat is going to change over time, and in particular because our vulnerability is going up, right? Our vulnerability is going up in particular because of what’s often called the Internet of Things, right? All of our—
LINDSAY: Just for me, at least, maybe people in the audience, what exactly is the Internet of Things?
SEGAL: The Internet—one way to think about the Internet of Things, is my neighbors refurbished their kitchen.
SEGAL: And they invited me over for—us over for dinner when they finished. And I said to them: Do you realize that your new oven is speaking to my wi-fi, right? Because they have a new GE oven, which you can, you know, turn on and turn off before you get there. They had no idea that their oven was wi-fi enabled. And this is a very small case. The more dramatic example, and there’s a great video of it, is cars, right? So cars are now Internet-enabled through wi-fi and Bluetooth and other things. And two hackers, one of them who used to work for the NSA, from about 10 miles away took over the car. First they turned the radio on and off, then they played with the heater and the air conditioning. They had the windshield wipers go back and forth. And then eventually they just turned it off while—
LINDSAY: I think that was an episode of CSI. (Laughter.)
SEGAL: Well, I don’t know which one came first.
LINDSAY: First? OK.
SEGAL: And that’s the—that’s the world we’re moving to, right? We’re moving to all these devices being connected, and security is an afterthought. And as those vulnerabilities spread—
LINDSAY: But let me ask you, why is security an afterthought, given that we’ve had many, many breaches, many of them quite well-known? I have, I think, five, six, maybe seven different identification protection programs running now that I got for free because I had the misfortune of going to Wal-Mart, then to Home Depot. And apparently some government agency gave away my application. So why is that?
SEGAL: Yeah. One, there’s the original sin, right? When Internet was created, as ARPANET, as part of the advanced research program, the idea was to help a small number of scientists access supercomputers—or, at the time, were supercomputers, but probably had less computing power than my cellphone does now. And there was no need for security. Everybody knew each other, right? You just—so once that was built, and the idea was, well, we’ll just put security on it. Then there’s clear market incentives, right? The companies have an incentive to get as many users as possible as quickly as possible, right, to create networks affects. And so their model has traditionally been, let’s push the product out of the door. And then, if we find a security flaw, we’ll fix it. Plus, you know, every time you sign up for a new product, there is a user’s agreement, right? It’s usually 35 pages long.
LINDSAY: Do you read those?
SEGAL: Nobody reads them. And you click on it. (Laughter.) And the user agreement says the software producer is not liable to any damage that happens from a security vulnerability. So we have a whole range of market vulnerabilities that have created this situation that now we have more attention to it might change over time.
LINDSAY: So, how might it change? Because, again, we had these stories. Everyone knows there’s vulnerability. You’re talking about the rise of the Internet of Things, where you can talk to my stove, or thermostat in my house, or to my car, or perhaps to a power grid, and wreak havoc. So how are we doing in dealing with this vulnerability?
SEGAL: Well, we’re not keeping up, but we are making some progress, right? So there’s always been the problem that the technology changes faster than policy can act. But we have been—one, it’s now a problem that is widely recognized at the highest level of government, right? So the president has spoken about it several times in his State of the Union, written several op-eds about, just announced a new plan. And quite honestly, if you are in the C-level of a company, you know that you are vulnerable and there are responsibilities that are involved. So we’ve had a move towards greater transparency. Like, before companies never had to report that they were vulnerable or breached. Now there are breach laws. And so we are beginning to move to a place where the economic incentives are aligning more with the actual vulnerabilities.
LINDSAY: Help me think about the threat and where it’s coming from. What I heard you say a few moments ago is that there are only about maybe five or seven states capable of doing this on, I guess, a broad scale. Is that the way it’s likely to be for a sustained period of time? Is it the case that, given the technology spreads, in a couple of years what only a state actor could do a few people with a little bit of training could do themselves? How do we assess the nature of the threat?
SEGAL: Yeah. I think part of the problem has been the typology, right? So any attack is seen as a cyberattack or cyberwar. And so it helps to break down what it is that states are trying to do and the attackers are trying to do. So, destructive attacks, creating physical destruction, is limited to these six or seven countries. Disruption is pretty widespread, right? The Iranians could knock banks offline. The North Koreans can do a lot of disruption by destroying data for Sony. Individuals can create a lot of disruption by knocking websites off, or by embarrassing, right, creating—doxxing, taking documents and putting them online.
Espionage is also widely spread, right? Not only can nation-states do it, but you can buy malware on the open market. And so all of those capabilities, I think, are fairly widespread. The ability for individuals to create widespread destruction, I think, is 10-15 years off. But it is going to happen, right, because the vulnerabilities are going to become more widespread. And we know the capabilities are proliferating, right? We know that the market for malware—for malicious software is spreading. And we know that lots of companies have incentives to develop exploits and sell them on the black market.
LINDSAY: So, but tell me how, from the vantage point of someone being attacked, you determine who the attacker is? I guess this is called the attribution problem. Now, I’ve heard told that the attribution problem is very difficult to resolve, which raises the possibility of being attacked and being unable to respond because you’re not sure who the attacker was. Or other people argue that the attribution problem can be overstated, that you can actually—I’m not quite sure, I’m not a technical person—be able to ferret out with some pretty good confidence of who the attacker was.
SEGAL: Yeah, the attribution problem, if you have time and resources, is not as difficult as is generally thought. So I think the way that DNI Clapper framed it was: Attackers so no longer expect—should no longer think that they won’t be detected. They should no longer think that eventually they won’t be identified. But we will still have a difficult time identifying who ordered them to attack, or under what authorities they were attacking. So what we’ve seen is that over time the U.S. government can, with a high degree of confidence, identify certain attacks. It takes a while, right? The Sony attack, it took several weeks. And we relied on several technical means, right, which is U.S.’s own intelligence capabilities, that the question is not can we do it, but do we want to reveal it, right? So if you want—you can provide evidenced that may be suggestive, but if you want to provide evidence that seems more conclusive, then you have to make a political decision to reveal certain types of intelligence.
LINDSAY: Let’s talk about one country that has been accused a lot of spying, which is a country you know very well, China. In September of 2015, last September, President Xi was here. They signed an agreement. I’m not sure how best to characterize it. We’ll do a little bit less commercial espionage, is that a fair—I’m not sure. I’ll let you summarize it. What did the Chinese actually agree to, and do we have any sense that they’re abiding by their agreement?
SEGAL: So the agreement says that neither side will conduct or knowingly support cyberespionage for commercial advantage. All right, so breaking into Apple or Google or any other technology company, or any other company, and stealing their business secrets to help individual companies. The Chinese have repeated that. They signed an agreement with the United Kingdom soon after they signed one with the U.S. They signed onto an agreement that came out of the G-20 in Turkey that repeats that phrase. They’re supposedly going to sign one with Germany sometime this year. So they’ve repeated that phrase several times. They’ve never admitted hacking in the first place, so there is a question about if you say you’re no longer going to do something that you’ve never done before, how much are you going to value it?
What we’ve seen in my perspective is fairly mixed, right? So again, DNI Clapper has said that he hasn’t seen any evidence about what has gone done. The cybersecurity companies, which has provided a lot of the intelligence for this, originally reported in the first couple months no turndown, that there was a campaign against pharmaceuticals and some other types of companies. Now they’re reporting that what we’re seeing in a shift in the hacking, that some of the hacking is going from PLA hackers, from the People’s Liberation Army, to the Ministry of State Security, to the intelligence bureaus, which would make sense given that what we’re seeing in China right now is a professionalization of the PLA. So you can imagine that it would make sense for the PLA also to move some of this unnecessary kind of intelligence gathering, which lends itself to corruption, an economic kind of thing, out of the PLA.
But right now, I think the evidence is, at best, mixed that China is going to abide by it. And the incentives are still very similar, right? China did it because they don’t want to be stuck in a technology trap, they want to move up the value chain. And they did it because it was easy. And those are still present.
LINDSAY: Yeah, one of the things that I was struck by reading the book and other things you had written is this discussion about even if you identify who your attacker is, it’s not necessary obvious how to respond—maybe I should rephrase that—that because you were attacked by cyber or digitally that a digital response is the best way to respond. Sort of walk me sort of the challenges that a government, you know, finds when they discover they’ve been hacked, whether it’s espionage or one of these things designed just to disrupt? How does that operate?
SEGAL: Yeah, I mean, I think North Korea’s a great example of that, right? So here was an attack that was a digital attack on Sony. And eventually, the United States decided it was worth responding to because of threats to the American freedom of speech and other issues like that. But the chances of us using a cyber weapon to respond to North Korea are pretty slim, right? North Korea has fewer IP addresses in total probably than the three blocks around the Council in D.C., right? So, you know, there aren’t enough targets to think about we have to respond by a cyber weapon. And there are lots of reasons why you wouldn’t want to respond by a cyber weapon, because the other—lots of other countries you’re trying to deter might now see it, right?
So Sony went—sorry—North Korea went offline, was knocked offline soon after the president announced that we would retaliate in a time and place of our choosing. And everyone said, oh, this must be the U.S. But in the end, it probably was not the U.S. There would be a reason to do it that way publicly, because you send a message to other countries, but most cyberattacks would not be seen. And so you can imagine that sanctions are a pretty useful tool because you’re sending a signal: Here is a line, and there is going to be a public response.
LINDSAY: Let me shift gears a second. You directed the Council’s taskforce on cyber policy back in 2013. And as I recall, one of the main arguments or hopes that the taskforce report laid out was the desire to keep the Internet open and free. And one of the fears that you raised was what I guess is sometimes now referred to as the splinternet, that rather than being this unimpeded highway where people all around the world can connect with each other, that countries are opting or putting up roadblocks at that. What is the status of that? And to what extent should Americans be concerned?
SEGAL: I often think about that week before the taskforce came out, because the taskforce was built on three assumptions: That the United States was basically seen as a positive force, that we had, you know, a consistent message about a global, open, reliable Internet; that we had an important partner in the U.S. technology community, and that we—of course, we had some differences, but we were pushing in the same direction; and that we had important new partners, in particular in Germany and Brazil, that these were—could be very useful kind of partners as we promoted our vision of cyberspace. And I felt pretty good about all three of those assumptions. And then Snowden showed up in Hong Kong and all three of those were blown up, right?
It became very hard to think—all of those things kind of fell away. And even in the time that we were making—we were writing the taskforce report, there was a debate internally, was the world splintering or fragmenting, or had it already happened? And I think there was this sense in the report that it was already happening, but we should still push forward this goal of an open Internet. And in the book, I use the analogy of kind of arms control. You know, the president has announced that a nuclear-free world is our ultimate goal, but nobody expects for him to achieve that in the immediate near-term. And the same is true with the global, open Internet. That should be our long-term goal. But we’re going to face severe challenges to that. And we can see that across the board. You know, China, of course, is the easiest example, with its push for cyber sovereignty. But we see it with, you know, the European Union and the demands for data localization. We see it in Brazil. We see it across the board.
LINDSAY: The taskforce report came out just before the Snowden revelations. Your book has come out just as U.S. government has asked Apple to help it unlock an iPhone. And Apple has declined, now leading to what I assume will be protracted legal wrangling. How does that all fit into your assessment of where we stand in the hacked world order?
SEGAL: It fits in the sense that one of the predictions I make in the book is that we’re never going to put the U.S. government and the companies back together again, basically in part because of this encryption debate, which is driven by foreign markets, right? And the U.S. companies, you know, are now doing the majority of their revenue abroad, right? And last year, for example, Apple—25 percent of revenue was in China. And without that, you know, they would have a 1.6 or 1.7 growth rate. So it was all coming from China. Facebook, Intel, all of these companies rely on foreign markets.
And the Snowden revelations created this situation where U.S. companies has to create as much distance between themselves and the U.S. government as possible, and encryption has been one of the ways of doing that. That’s not going to change. Foreign markets are still going to be dependent—companies are still going to be dependent on foreign markets. And the ability to craft a solution that allows companies both to respond to what the U.S. government has a legitimate right to and the Chinese government says it has a legitimate right to is going to be almost impossible.
So in the book, I basically say: That’s going to be really hard. There are lots of little, easier things we can do to rebuilt trust. You know, government procurement is really bad. We should get that to be better. Talent is a real issue. We could work on that. But you know, this Apple encryption thing is going to go on for a long time. And you can—you know, I’ve lost count of the number of commissions that have been created or are being created to study this issue.
LINDSAY: One last question before I bring in the audience in our conversation. You started out by noting that there were great hopes at the beginning of the digital age that we were going to get a utopia that was going to break down boundaries, and discovered that if we ever were in the Garden of Eden, we had since been expelled. We’re now in a jungle. You’re worried about sort of a very Hobbesian world. The United States in some sense is competing with the others to craft and define what the digital world will look like, what the rules will be for cyberspace. So what are your policy recommendations to this administration, but most importantly to the next administration that comes in next January?
SEGAL: You know, I actually—I give the current administration a lot of credit. I mean, we’re not going to have treaties. Everyone has kind of basically said that arms control treaties are not going to fit the model for cyberspace. You can’t trust and verify, right? You can’t count cyber weapons. You can’t position them close to the border so you can do a flyover. So treaties are not going to be the place. And we have to develop certain rules of the road to how we’re going to behave. And it’s going to take a long time. These things always take a long time. But the administration has made some important steps through this process at the U.N. called the Group of Government Experts. It’s a pretty low bar right now. One of the norms we’ve agreed to is, you know, you should not attack another country’s critical infrastructure during peacetime. Well, you’re not supposed to attack other countries during peacetime anyway—(laughter)—so it’s a pretty low—a pretty low bar right now.
So it’s going to be a long process. There’s been a debate constantly between how do you go about doing this? Do you get right with your like-minded friends first, and then go to the people that you have difficulties with? Or do you try to engage as broadly as possible? And I’m in the like-minded school. I think it’s probably going to be easier, and because I think the world is fragmenting, that we need to get right with our friends first. We need to have a clear set of what the thresholds are, where we can draw some lines, what things governments are going to respond to, and which ones are the private sector’s responsibility are. And after we decide that with the Europeans, hopefully the Brazilians and the Indians, then we can turn around and talk to the Chinese and the Russians.
LINDSAY: And you put the odds of that at? Are you an optimist, a pessimist? Did Paris make a difference?
SEGAL: I always like to say—I’m like Gramsci. I’m an optimist of the spirit and a pessimist of the intellect. (Laughter.) So I am not particular optimistic, but I do think we have made some progress, particular with Brazil, right? Brazil moved a lot closer to our position on things like how the Internet should be governed. And we have a particularly strong relationship with India right now. So we could make more progress. And that would be expected.
LINDSAY: OK. I want to bring the audience into the conversation. I’m going to ask people if you would like to ask a question raise your hand. I’m going to ask that you wait until we bring the microphone to you. When you receive the microphone speak into it. But first, before you ask your question, state your name and affiliation. We’ll go here right in the front.
Q: Louise Shelley, George Mason University.
I know that you’re focusing on state actors, but some states are using criminal and non-state actors to achieve their objectives. And are you addressing this in your book?
SEGAL: I do. So one of the distinctions I make about how states think about it, is their willingness to use proxies. And so what we’ve seen is for the most part the liberal democracies are pretty uncomfortable with the idea of proxies for offensive operations—either disruptive or destructive. But China, Russia, North Korea, Iran are much more comfortable with it. And how to deal with that is going to be a real issue for us, right? We have Title 10 and Title 50 and Title 18. We have, you know—
LINDSAY: What are those, just for people who—
SEGAL: Title 10 deals with what the DOD deals with.
LINDSAY: This is federal law.
SEGAL: Federal law about what the responsibilities are, right? All of these things were written at a time when there were external threats and internal threats. But the thing about cybersecurity is their threats are both external and internal at the same time. And other states—nation-states don’t have worry about those distinctions, like we do. So one of the divisions that I do talk about his how states are going to break on that question. Are they going to see cyber as a precision weapon that is tightly controlled by the military? Or are they going to see it as—mostly as politically disruptive, and use lots of different instruments to push it out?
LINDSAY: Can I just ask—oh, there you go, in the back.
Q: I’ll just use the old voice. Oh. Tell me your view as to whether the federal government is getting together its act and going after this with the intensity that it needs to be addressed? And particularly given that the responsibility within the federal system is divided between the military and Homeland Security and so forth, you know that, do you see the stovepiping coming in? Is that a problem? Or are we having a good, coordinated effort among the several agencies and departments?
LINDSAY: Thank you, Senator Warner.
SEGAL: Yeah, I think the stovepiping is still a major problem, right? And one of the things I think we need to get right is a clear set of understandings about who is responsible for what. And that has been harder to work out. You know, we saw this with the Sony attack, right? How did we define it? The president eventually came down on cybervandalism, which was not a phrase that had been widely used before, or had a clear policy implication. Senator McCain prefers cyberwar, right, which has a clear indication, that it should be DOD or NSA or others that respond to it.
So I still think that we’re struggling to figure out who should be responding. And this has been happening for 20 years, right? We’ve had a constant debate about, well, should it be a civilian agency, as you know, should it be the DHS? Or we all know that most of the expertise is in the NSA. So how do we make sure that the two work together? And we’ve been trying that through information sharing and other things that have those agencies work together. But I think the issue, and I think the president’s appointment of a CISO, of a chief information security officer, is an attempt to work through the stovepipe problem. But without, you know, budgets and the ability to convene, then I’m not particularly optimistic about that.
LINDSAY: Up here in the front.
SEGAL: Thank you. David Bray, Federal Communications Commission, chief information officer.
Question of, are we possibly trying to apply the wrong analogies? There’s nothing in the physical world that guarantees 100 percent security. I don’t think any one of us would stand up and say, I never want to get sick again. And so maybe we need to look more towards where public health or resiliency, which is more defense in-depth and more of a response that is about rapid identification, rapid containment, mitigation of it, as opposed to trying for the goal of 100 percent security.
SEGAL: No, I think that’s exactly right. I think, you know, part of that comes from using the term cyberwar, right, and the focus on digital Pearl Harbors, and the idea that you can stop the attack, right? We’re never going to be able to stop the attack. And so I think there has been great work on, you know, as you said, ecological models or environmental models, or other things that think about cyber as an externality, right? A market externality. And the focus should be on deterrent—or, I’m sorry—resilience. We can see that in the military side too, right? We’re never going to have complete deterrence on cyberattacks, and so we should be talking about deterrence through denial, right? The attackers should think they’re not going to be able to accomplish their goals, or it’s just going to cost them so much time and effort just to get in.
So you know, I think that’s an important—an extremely important point. And certain countries I think are better at it than we are. They tend to be smaller, right? Japan, which traditionally has more focus on resilience given earthquakes and other natural disasters, their cybersecurity report is a lot of discussion about resilience. And a lot of the smaller countries are focused on that.
Q: Thank you. Esther Brimmer, George Washington University, and the Council on Foreign Relations.
You commented about the importance of actually working with our friends. Could you comment a bit more about the role of NATO, which has also tried to work on cyber issues. What’s the role of the alliance in dealing with resilience?
SEGAL: Yeah, so NATO has been an interesting case, right, because as with all systems NATO doesn’t have its own capabilities. And it has struggled to figure out who’s defending what, and to coordinate better with the EU. NATO has also been a great example of where do you want to draw the line, right? So the first cyberwar, although it wasn’t a cyberwar, the first kind of cyber conflict was Russia’s attack on Estonia. And there was a huge debate, would Article 5 be invoked? The Estonians never officially asked for it, and if they had I wouldn’t have been invoked because there was no, again, physical destruction.
And we have reached a point now where NATO says there are instances where cyber could invoke Article 5, but we’re not going to tell you what those instances are, which makes sense in part because you don’t want to draw the red line. But as with all these things with cyber, we have to wonder if the ambiguity at some point becomes counterproductive. There were some interesting reports about, you know, how do we better integrate, because for a while it looked as if the U.S. was not doing a very good job of—other than the Brits—of briefing and discussing our capabilities. I think that’s improved since kind of the early stages of the administration.
LINDSAY: Yes, sir.
Q: Dennis Shea with CNA.
Cyber as a military offensive weapon seems so immature and just clouded with uncertainty. You know, the vulnerability that you’re trying to exploit today might not exist tomorrow, the access to the enemy’s network that you have today might not exist when you need it, and all the collateral damage that a military target might be connected to a hospital or, worse, a factory that manufactures, you know, baby formula. So do you envision it will ever get to the point—what should the military do? Should they be—will we get to a point where you can actually depend on these weapons and rely on them as—
SEGAL: No, I think that’s a great point, right? And so much of our knowledge about offensive operations are things that didn’t happen, right, for all the reasons that you suggested, right? We saw several leaks around the operations in Libya, that the U.S. considered using cyberattacks on Libyan air systems, but then decided against it for many of the reasons that you suggested, that would it work, would they be patched between the first attack and the second attack, how would we know that they worked, right? When you blow things up you know it worked right away. Would it spread to other systems? So I think that’s why we haven’t used them at all, quite honestly, because—
LINDSAY: Well, but to be fair, if they were to use them they aren’t necessarily going to brag about using them.
SEGAL: No, that is also true. But the limited cases we have a public—even those debates still came in, right? So in the Iraq War, there was a real concern about spreading from one financial system to the next. I think we’re moving to a point, right, where that certainty is going to go up, but it’s never going to be as high as it is for physical—we’re never going to have the Rand Wheel, right, that shows you the explosion and how far the explosive waves go out, and what the damage is going to be. I think it’s going to be a limited use weapon for the most part, especially for the U.S. which is going to, you know, have conventional superiority over many if not most of its potential opponents. For other countries, they may be more willing to risk it.
LINDSAY: Yes, Jessica.
Q: Jessica Mathews, Carnegie Endowment.
I take your point that at a simple level counting warheads or counting weapons, there are not lessons in arms control. But I wondered, how hard you looked at—both deeper at arm’s control, and at other issues of widespread, mutual vulnerability. You know, Jim mentioned Paris, and I assumed he meant the terrorist attacks, but I was thinking climate. For lessons—so that we don’t have to invent the wheel completely, do you feel like we’ve really plumbed the depths of what we’ve learned already in other issues?
SEGAL: You know, so there are people who have turned, for example, to biological and chemical weapons treaties, right? Those are—would match to cyber more, right, because it’s more dual use, and it’s harder to figure out where things are located, and they could be spread out. So that might give us some of the model. But again, you know, you’re trying to control math. And it’s going to be very hard, I think, to be able to have a degree of certainty. It may be that we will settle for what we got for biological and chemical, which had widespread cheating, right? So we may accept that on the thing.
I think the idea of mutual vulnerability is what’s happened—or is happening with the great powers, right? So the Chinese have traditionally thought that they were less vulnerable that the United States. But that’s changing over time, right, both because the Chinese economy is—GDP now—Internet-based economics is actually higher than the U.S., about 4 percent to 3 percent. And the PLA, the People’s Liberation Army, wants to look more like the U.S. military, right? It’s becoming more net-centric. So they’re going to have many of the vulnerabilities that we have.
And so you can imagine that we do get to a point of some shared vulnerabilities, where you could then begin to start having some discussions that look more like traditional arms control, but it is going to be, I would think, trust based and would fall—could easily fall apart once a conflict started. They would be, you know, arms control agreements for before a conflict.
LINDSAY: All the way in the back. Sorry, my eyesight’s bad, I apologize.
Q: (Coughs.) Excuse me. Hi. I’m Rebecca MacKinnon. I’m with the New America Ranking Digital Rights Project. (Coughs.) Excuse me, I have a cold.
I have a question, just in this new environment, one of the other dimensions is you have states carrying out cyberwarfare against their own citizens, or against other groups—and as an expert on China, you’re very familiar with how that happens—or against other non-state actors that states consider to be their enemies, for various reasons, including companies. And of course, the reason why Google pulled much of its operations out of China was because the Chinese government was carrying out cyberattacks against its own people, or trying to, via Gmail.
And so in this case, and this sort of brings us back to the Apple situation, individuals that are under attack by states, the entities that they turn to for defense and security are not governments, primarily, but companies, right? And so companies are playing a very interesting, I think, cross-cutting geopolitical security role, which is very much foremost in Apple’s mind, obviously, in the decisions its making. But also, you have other companies that are serving as arms dealers for the governments that want to wage war against their citizens or political opponents and so on.
And so I’m curious about your thoughts on how these new dimensions that are completely different in the security—in sort of security thinking from, you know, conventional warfare, how this relates to the way in which we deal with power, how we hold power accountable, how citizens and individuals can be secure from abuse and attack, even in many cases by their own governments?
SEGAL: Yeah. So the first point is another one of my breaking points, of how you break—you put states in categories, right? So there are, you know, as you also well-know, that there’s a category of states that see the threat as not only to national security, but to regime stability and legitimacy, right? So China, Russia, lots of other authoritarian states. And they have a different vision than the U.S. The end point is that we both try to collect as much data as possible, right, because we’re looking for the needle in the haystack, so we collect the haystack. And the Chines are worried about, you know, a social protest that spreads like wildfire, and so they have the great firewall and all the other data collection that they have. But the concern for the Chinese and others is, as you said, also domestically focused. So that is one—I think, one of the great splits in this hacked world order. How does a state think about the threat? Is it just national security, or is it also domestic stability and regime legitimacy?
Then the second part of it is, also as you said, we have all these private actors who are now acting as states, right? So not only in the case of—you know, I just saw that Google just announced a new shield, right, to defend a new—websites from massive—DDoS attacks and other types of attacks. But the cybersecurity companies, right, are acting like intelligence agencies, right? We learned about Stuxnet because, you know, Ralph Langner and Symantec and all these other people put it out in the public. And we’ve learned about numerous NSA operations, Kaspersky, and all these other things. So the other big question is, how do the states think about these private actors, and how do they harness them for their goals? And you know, that used to be one of the great strengths of the U.S., is that we were generally pushing in the same direction. Now we’re pushing in many, many directions.
It’s easier for China and Russia because, you know, state—the distance between the state and private actors is much narrower. And I’m certainly not optimistic long term about where China’s going to be. But as Chinese companies become global, they’re facing some of the same pressures, right? You know, Xiaomi had questions asked about where are you storing the data for Southeast Asian users. And they had to come up with some kind of response. I don’t believe it, but somebody from Huawei the other day said, oh yeah, we support Apple, right? They should be encrypting everything. You know, it doesn’t cost Huawei anything to say that, but—so you can imagine that the pressures are similar on Chinese companies as they go global.
And you know, the example with Baidu and the Great Cannon, right, so that was a case where Chinese government seems to have taken traffic that was happened on Baidu, the search engine, and used it to knock off some websites—GitHub, which is a website that was supporting ways to get around the Chinese firewall, right? And that—Baidu must have been pretty angry about that, because it—they’re trying to build a global brand. And if they look like they’re in the pocket of the Chinese government, then they face the same problem that U.S. companies do with the NSA.
LINDSAY: OK, we have time for one last question. Before I take it, I want to remind everybody that tonight’s discussion has been on the record. And, sir, you get the last question.
Q: Hi. My name’s Charles McLaughlin, from Censeo Consulting.
And I wanted to ask how you think about, or what your advice is, on how we should think about sort of time horizons of sort of the synthesis that you’re offering and some of the—some of the predictions of how things are developing. In your view, sort of, when you make those, how long are you making them for?
SEGAL: Yeah. If the book seems really relevant in 20 years, I will have really succeeded beyond my wildest expectations, in the sense of that technologically there could be numerous black swans that change the way that this space plays out, right? Quantum computing and quantum communications would be a big one. We could have some technological innovations that make the defense much, much stronger in cyberspace, and so that balance would totally shift, and then it just may become a much more traditional kind of space. So if we can have, you know, the 10th edition 10 years from now, that would be awesome. Five years from now, I suspect that some of the expectations about the technological playing field will seem a little wobbly. But you should still buy it now. (Laughter.) Definitely buy it now.
LINDSAY: I will note there are copies available in the back of the room. Let me just say, I think you had a sense of why we in the David Rockefeller Studies Program are very delighted to have Adam Segal as a member, and having him run our digital and cyber policy program. So please join me in thanking Adam. (Applause.)