President and CEO, Fortalice Solutions LLC; Former Chief Information Officer, White House (2006–2008)
National Security Correspondent, New York Times
Ira A. Lipman Chair in Emerging Technologies and National Security and Director of the Digital and Cyberspace Policy Program, Council on Foreign Relations
Partner, Covington & Burling LLP
Panelists discuss the rise of cyber attacks during the race for a COVID-19 vaccine, the role of various actors in carrying out these attacks, and their geopolitical consequences.
ANDERSON: Good afternoon, everyone. Welcome to the Council on Foreign Relations Virtual Roundtable. Our topic today is “Cyber Attacks in the Age of COVID-19.”
My name is Trisha Anderson and I’m a partner at Covington & Burling, practicing primarily in the area of cybersecurity and national security.
We have a terrific set of speakers today. I will introduce them briefly and then engage them in discussion for about thirty minutes, and at 3:00 p.m. I will ask the operator to open it up to Q&A from the participants.
So let me start with Theresa Payton, who is the CEO of Fortalice Solutions, a cybersecurity consulting company, and co-founder of Dark Cubed, a cybersecurity product company. She started her career in financial services, serving in executive roles at Bank of America and Wachovia, and she was the first female chief information officer at the White House under George W. Bush. She speaks and writes frequently on cybersecurity and data privacy and is the author of several books, including Manipulated: Inside the Cyber War to Hijack Elections and Privacy in the Age of Big Data.
Next, we have David Sanger, who is a national security correspondent and senior writer at the New York Times. He’s been on three Pulitzer Prize-winning teams, and his newest book is The Perfect Weapon, which examines the emergence of cyber conflict as changing the nature of global power among states. He’s also the author of two New York Times bestsellers on foreign policy and national security, The Inheritance and Confront and Conceal, and for the New York Times, Sanger has served as White House correspondent during the Bill Clinton and George W. Bush administrations, among other roles.
And, finally, we have Adam Segal, who is the Ira A. Lipman Chair in Emerging Technologies and National Security, and director of the Digital and Cyberspace Policy Program at CFR. An expert on security issues, technology development, and Chinese domestic and foreign policy, Segal is the project director for the CFR-sponsored Independent Task Force reports Innovation and National Security: Keeping Our Edge and Defending an Open, Global, Secure, and Resilient Internet. His book, The Hacked World Order, describes the increasingly contentious geopolitics of cyberspace. And before coming to CFR, Segal was an arms control analyst for the China Project at the Union of Concerned Scientists. He’s been a visiting scholar at numerous universities and writes for numerous publications, and his writing can be found now on the CFR blog Net Politics.
So given that we only have thirty minutes, we’ll dive right in, and I think all of us that have lived through the last several months have seen, most notably, the increasing dependence of businesses, individuals, and governments on information technology to maintain our work, our social relationships, our governmental operations.
So I’ll start by asking Theresa but, of course, welcome others to jump in, how this increased dependency on IT infrastructure has changed the cyberthreat landscape and, in particular, whether we should be thinking about new areas of vulnerability or new threat actors, or whether it’s really an intensified version of the existing threat landscape.
PAYTON: Thanks, Trisha. Really, it’s great to be here with all of you and I’m excited to hear the dialogue that unfolds today.
And I would say, to answer your question in a real simple way, it’s an all-of-the-above scenario. So it’s definitely accelerated existing forms of cybercrime but we’re also seeing new and different types of approaches leveraged by cyber operatives with nefarious intent, cyber-criminal syndicates and nation-states.
I mean, really, the pandemic created that goldmine of opportunity for cyber crimes. So as businesses and organizations were sending employees to try to attempt to work from home and figure out this sort of interim new normal and were reimagining their operations, cyber criminals were reimagining as well, and at my firm our incident response line just started buzzing with calls.
So what have we been seeing and, like, where do I think they’re going? Just real quickly, unauthorized logins, especially attacking any organization in the health care ecosystem. They were definitely being hit with sort of these unauthorized access points: remote desk protocols, remote logins, VPN access, as well as account access.
We also saw business email account frauds resulting in wire transfer, monies going to the wrong place, really accelerate like a hockey stick. Ransomware attacks against all different types of industry verticals also went off like a hockey stick, and for the first time in a long time not only did ransomware increase, but my team and I have seen new deviants and new strains of ransomware that have not been previously identified either by law enforcement or by some of the larger security and product companies.
And so that’s been really a little frustrating, really, for businesses.
I think the other thing that was interesting about this is that the State Department noted, and we also track misinformation campaigns, that sort of this weird, almost like a collusion marketing effort by Russia, North Korea, Iran, and China to actually promote to their own citizens they were handling the pandemic very well, that the EU was not, that America was not, and promoting these misinformation campaigns including state-run media promoting the idea that maybe the U.S. military actually created COVID-19, and we needed to sort of explain that.
The other thing I do want to mention is, you know, just in case people are thinking, well, maybe since you’re on the front end, you know, Trisha, and I know you deal with incident response as well in your role, that maybe we were just sort of seeing an anomaly.
Towards the end of May, the U.N. disarmament chief actually said that they had seen a global increase in malicious emails of 600 percent just since the pandemic had hit. So if you think of that January through May time frame, and those are the ones that have been reported and identified.
This is going to translate into not just short-term impacts for the pandemic, but as we start to reimagine business operations coming out of the pandemic there will be long-term impacts because businesses will be moving to contactless everything wherever possible, and as they implement these technologies in sort of a rapid innovative approach, that contactless, whether it’s Internet of Things, Bluetooth technologies, has inherent design flaws, which makes it hard to secure. And cyber criminals, nation-states, and cyber operatives with nefarious intentions will be ready to pounce.
But other than that, everything is great. (Laughter.)
ANDERSON: Adam or David, did you want to add anything there?
SANGER: The only thing I’d add is this. You know, crises like this don’t tend to create new schisms but they tend to open up existing ones, and so we have seen new opportunities that are being exploited by the same old actors. One of the oddities is I think that the infrastructure has held up in the United States as well as it has, given the number of people who are working from home, though any of us who are out in rural areas, as I am right now, are seeing the strain on the cable networks and all that.
What that does tell you, though, is that we have opened up new attack surfaces, because with everybody coming in from home, they’re coming in from systems that weren’t designed to handle this kind of traffic and weren’t designed necessarily for this level of security. Some of that’s going to be overcome by VPN and other technologies, but much of it won’t. And so you’re seeing some strange things happening.
Intelligence officials tell me that they’re kind of stuck because they would have to go into the office in order to work on their classified systems. That’s a pain these days. So the reality is, of course, that a lot more information that ordinarily might be flowing over a classified system is probably flowing over an unclassified system, with people praying that there are not interceptions of it. I think it’s all made us more aware of what the vulnerabilities would be when we move to 5G systems if we’re reliant on Chinese or other supply chains.
I think the last thing that’s really interesting about this particular moment is that we are beginning to see companies and the government recognize that we’re not going to get back to something that looks exactly like what we had before. So we have to think about internet security in a very different way if you’ve got to spread it out in such a broad way to everybody’s houses.
You know, it’s the problem it had for a long time in my neighborhood in Washington, where only very senior officials would get secure systems, you know, run into their basements. Well, now a lot of people are going to have to have pretty secure systems as standard equipment into their basements.
SEGAL: I’ll just add that I think, as David and Theresa have both said, it’s accelerating a number of discussions. And so, on the response to the nation-state attackers, I think we’re seeing many of the issues we’ve been talking about before come back up.
So what type of attacks under COVID are beyond the pale and sort of international norms—are there certain discussions about attacks on health-care networks? Are those outside of international law, or how should states respond? We saw the Australian signals-intelligence organization basically threatening that they would respond with cyberattacks if they were going to disrupt. And we saw, you know, the FBI and CISA warning U.S. actors about attacks from nation-states.
So I think the debate is happening—kind of replicating, reduplicating itself on what the norms of behavior should be in this space. And we clearly have—you know, we don’t have a lot of answers and we don’t have a lot of tools to try to shape that behavior.
ANDERSON: So that brings us, I think, to a good topic to pick up on. And Theresa obviously mentioned the increased impact on the health-care industry with attempts to gain unauthorized access, but also efforts by nation-states to engage in misinformation campaigns. And it does implicate interesting questions about cyber norms and the extent to which that behavior is acceptable for states or other actors to engage in.
It might be useful to talk about what some of the geopolitical implications are or are likely to be with respect to those types of activities, efforts—as we’ve seen, you mentioned, Adam, the FBI and CISA announcement about the Chinese efforts to hack into vaccine-related data. What does that mean? Are we entering into a competitive environment among states for a race to the vaccine or treatments? And how do you see that playing out?
Adam or others, if you want to take that question.
SEGAL: Yeah. I mean, I think, as you said, we’re clearly seeing a race for the vaccine and we’re seeing nation-states trying to, if not steal what their competitors are doing, at least have a better sense of where they might be in the vaccine production schedule.
We’re seeing attacks on international organizations, so Russian and Iranian and North Korean attacks on WHO and other public-health agencies also for information-gathering. And then, as Theresa mentioned, we’re seeing the disinformation around the narrative of COVID and who is responding more effectively and less effectively and using it to bash geopolitical competitors.
SANGER: The only thing I’d add to that is in our own reporting we have, of course, you know, recorded what you’ve seen from the U.S. government about increased attacks on those working on the vaccine. It’s not clear that that is necessarily for the vaccine itself. It may simply be, as Adam suggests, to understand where they are in the race.
And remember, this is sort of a three-way race right now. It’s got a number of American competitors, a few Chinese competitors, including some backed by the PLA. So there’s very little doubt that the PLA would use units that it’s long used for these kind of purposes to make sure that they are where they want to be; and then the Europeans as well—Oxford, Sanofi, others—who are in this; and I think a really hard question for the offensive side of U.S. Cyber Command to go deal with and the NSA, because this is essentially industrial spying, but it’s also a national-security issue because it deals with the health of the entire country.
And it may be a while before we’re able to sort of suss out what it is that is being done to defend many of these companies, but whether persistent engagement, active defense, as Cyber Command likes to call its offensive operations, are being used in what is also at least partly a commercial context here.
PAYTON: Yeah, Trisha, the only other thing I’d add—I agree with what Adam and David both just laid out here. The other thing that I would add is don’t forget about the insider threat and the potential for insider threats. We have kind of the nation-states and cyber operatives, as well as cybercriminal syndicates want to be able to monetize anything they can get their hands on and certainly anything around supply-chain orders, you know, how things are going to unfold in, you know, kind of that intellectual property of the vaccines. That’s all information that could be monetized if they can get their hands on it.
But the other piece is the insider threat. And although insider threat is more rare, when it does happen, because they’re on the inside, have authorized access, it can often be sometimes the most damaging type of attack that happens. We actually worked a case where the individual is in jail. This is in the clean-energy industry, where the engineer was actually taking information and selling the secrets to China, and they were an American citizen. So the insider threat is also just one other thing that I would add that’s a little harder to detect than traffic coming from, you know, different parts of the world and looking for tactics, techniques, and protocols.
ANDERSON: So I’ll pick up on one thing that David said, which was—David, you alluded to, you know, there being some uncertainty about what the governmental response, in fact, is, in light of, you know, classified information, the fact that our military typically does not, you know, publicize its cyber—offensive cyber operations or its active defense.
You know, what is your prediction, either David or others, for how the government is going to respond to some of these trends? You know, we’ve seen a little bit more public activity in the very—relatively quick announcement by FBI and CISA about attributing the attempted vaccine data hacks to nation-states. Is that sort of more of what we’re likely to see? What predictions do you have for the kind of governmental response that will unfold in response to all of this?
SANGER: Well, we certainly have seen—and I think you have to give the Trump administration credit for this—more attribution of bad actors more quickly than we’ve seen in past administrations. It happened a little bit in the Sony case and so forth in the Obama administration. But early in the Trump administration North Korea was identified as the bad actor in one major hack, Russia in another. And you’ve seen as recently as recent—just the past few weeks, Russia named again for other attacks, mostly on email systems.
The problem is that there’s no particular evidence right now that these name-and-shame efforts actually act as much of a deterrent. You know, we’ve been naming Russia since the 2016 election and it does not necessarily seem to have cut the level of their activity.
So then the question comes: Could you see the United States intervene in the COVID case and in the vaccine case as the way it intervened in 2018 to send a shot across the bow of Russian actors who were beginning to look at the midterm elections? And you’ll remember at that time that Cyber Command, with NSA help, shut down the Internet Research Agency for a few days, sent some warning shots to members of elite hacking teams in some of the Russian intelligence services, and so forth. Easy to do for an election because in that case you’re protecting a clearly all-government function.
A little more complicated in the American system when you’re stepping in on behalf of manufacturers. Who do you step in on behalf of? Do you protect Johnson & Johnson because it’s an American firm? Or one of the other American competitors? Do you do the same for other Western firms that are working perhaps outside the United States? This is pretty tricky territory. And usually we’ve not seen the U.S. use its cyber capability on behalf of American firms other than to block attacks. But the interesting question here is are they willing to go further. And we simply don’t know yet.
ANDERSON: Adam, do you have any thoughts about it?
SEGAL: I agree with David. I would—I would add that the—I think the other component on the Trump side which is also praiseworthy, although we’re not really sure what the effect is, is that the attribution is not happening alone. It’s happening, you know, with—usually with the Five Eye partners, but also the Dutch and others who I think are becoming more of leaders in this space. I think David’s right, though. We haven’t really seen a significant drop in activity, but it certainly helps create a sense of shared norms among the likeminded about what we might respond to.
You know, on the defense side we clearly see, as you said, attribution happen faster with the FBI. CISA I think is doing a fairly good job of sharing information. But other than that I don’t—I don’t think we’re going to see a lot of dramatic change. We have a playbook, right? The Solarium Commission released its findings, you know, a very strong set of recommendations that have been, you know, floating in the air for a long time. But they brought them together. They issued a white paper that speaks to the pandemic in particular. So I think there are lots of things that people have on the table to do. IoT security, reappointing the cyber director in the White House in the assistant level, and the secretary of state level. So there’s lots of ideas out there. I don’t suspect we’ll see a lot of traction on that, though, on the domestic legislative side right now.
PAYTON: You know, Tricia, David and Adam, they brought up something I think that’s really important, which is, you know, not only do you have sort of the separation of, you have the Five Eyes, you have our three-letter agencies and the federal government, and then you have the private sector, who’s largely on private sector infrastructure solving problems for the nation, but really in a private sector way. So where do the lines blur to protect and defend that information both nationally, and then also internationally with our allies. And many of the companies who are working on this here are global companies, not just American headquartered companies.
And so I think one of the challenges we also have to look at here is that every dollar that is spent on securing the infrastructure and doing threat hunting, and trying to look for tactics and protocols, and looking for digital evidence that maybe there is a problem—every dollar and every resource spent on that is a dollar and a resource diverted for the race for the cure, for the vaccine, for better identification tests, for treating people who actually catch it. And so we really do have this dilemma where, you know, a dollar on security is a dollar diverted from the actual effort that we’re trying to undertake.
And so who should bear the cost, as well as who should bear the burden of prioritizing resources to focus on that? So not only do we have the challenge of that’s a real gray area of protecting private sector endeavors using the Five Eyes, and the three letters, and the federal government, but also having the best and the brightest trying to secure the digital elements of this ecosystem is very, very challenging.
ANDERSON: Agreed. Before we get to the Q&A section I did want to touch upon the issue of election security, which David touched upon briefly, drawing that distinction—interesting distinction between the government’s defense of the private sector versus its approach to defending an election. How do you see the leadup to November—the November elections playing out? Are the threat actors the same? Are they different? Are there different playbooks that we should be thinking about that they are likely to be using? Theresa or others, if you want to jump in and handle that question.
PAYTON: Yeah. Just a couple of thoughts on that. You know, for starters, I think our dry run during sort of the caucus and what happened in Georgia and, you know, just sort of the primary elections, who needs hackers when you implement technology and people aren’t trained and they’re not sure what the process is, and we kind of trip on our own feet? So that’s unfortunate. Hopefully, lots of lessons learned there. I am very encouraged with all the work that DHS, CISA, and the states have done, and vendors, and the ethical hacking community have done. I’m very encouraged that a lot of work has been done to secure the elections.
But the misinformation and manipulation campaigns are still a real challenge. I am seeing as far as tracking on COVID-19 on the antiracism movement, as well as all other kind of big social issues that are very important to the presidential election. The misinformation, manipulation campaigns attempting voter disenfranchisement. And the playbook has changed. I mean, I think the Muller report did a great job laying out the parts of the Russian operation that were known. I talk about in my book—I believe that some of that was designed to be found, and that was the part that, you know, they didn’t want to be found out, but if it had to be found out, you know, this was one operation. There’s others.
But the other piece is there—we can’t legislate our way out of this issue with misinformation, manipulation campaigns. We can’t just count on the user and we can’t just count on big tech and social media to solve it. It’s going to be an international everybody’s got to be all in spotting and detecting and reporting misinformation and manipulation campaigns. They’re doing burner accounts. They’re taking true organic American citizens who are posting something and then amplifying it. They’re leveraging artificial intelligence chatbots that look like organic human-controlled behavior of accounts. And then once real humans start arguing with each other, they kind of move onto the next issue.
So they’ve definitely changed their tactics. I believe the social media companies have done a really good job trying to combat this, but it’s going to take individual citizens, the international community, big tech. And I don’t think legislation alone is going to solve this issue.
SANGER: I’ll throw in a few thoughts as we’ve began to work on this. I would agree with everything that you just heard about how they’ve got to go change the playbook. And they do have to change the playbook because the Russians understand that the same playbook is not going to work a second time. The U.S. is going to see them coming this time. Facebook will. Google will. Twitter will. So what have we seen happen?
As Theresa suggested, we’ve seen more of a move to trying to convince individual Facebook users to pick up a meme so that it’s not coming out of the Internet Research Agency. It’s coming out of your neighbor’s house, right? And at that point, it’s protected First Amendment speech, right? It’s within an American citizen’s right, even if they are being duped by the Russians. They’re doing a very good job of just amplifying things that come up out of our own natural divisions. And then again, you know, I’m not sure that you can necessarily say that that is foreign interference. It’s foreign amplification of issues we have underway at home.
It’s the infrastructure of the election system, though, that I think is changing to some degree. Obviously, the coronavirus issues are leading many states in a very patchwork way to move to more vote at home, vote by some kind of paper ballot that you would mail in. On the one hand, that’s good, because it leaves a paper trail. On the other hand, it puts a much bigger vulnerability aura around the registration systems, because this only works if the registration database and the pollbooks are all coordinated so that you’re mailing out the ballots to everybody who needs to have one mailed out. And if they mail one back in, they then can’t show up at the polling place and vote a second time.
And the Russians understand, and others understand, that you don’t need to hack into that registration system all over the country. You just need to hack into the most vulnerable small parts of it and create the aura that you have done a much bigger hack. And that’s all it would take for President Trump or others to say: See, I told you the system was rigged. And you’ve already heard those words come out of his mouth more than once. So I think our focus ought to change at this point to making sure that those registration systems are really locked down.
My biggest fear is that you could have a ransomware set of attacks, similar to those attacks you saw across Texas and elsewhere last summer, because most small towns and cities don’t have the money to put into this kind of security. They certainly don’t now that they’re dealing with reduced revenues because of COVID-19 and other issues. And again, all we have to do is lock up a couple of big cities—think about Baltimore and Atlanta and what they already suffered from—in order to create the impression that somebody has gone into the entire network of voting systems.
SEGAL: I think everything’s been said. I’ll just add that I think David’s point about aura and impression is really the main one because in some ways it doesn’t matter what we do. We know there’s going to be some glitches that are going to be, as Theresa said, self-inflicted. And already the debate is about foreign interference. So no matter who loses they will be able to point to those events and say: We think those were, you know, foreign interferences and the process was rigged. And so in many ways it strikes me that it doesn’t matter that much what the outside actors do, the foreign actors do, to change their playbook. We’re already existing in an environment where it will be contested and contested in politically divisive ways.
ANDERSON: All right. Thank you, Adam.
At this point we’re just past the 3:00 mark. So I will invite participants to join our conversation with any questions they may have. Just as a reminder, the roundtable is on the record. So, operator, if there are any questions could you please let us know?
STAFF: (Gives queuing instructions.)
Our first question will come from Kate Moore.
Q: Hi, everyone. I’m Kate Moore from BlackRock. Thanks very much for your really interesting comments and insight today.
One question I wanted to dig a little bit further into was the coordination between companies and the government. There were some comments made that there’s going to have to be better coordination going forward. But, you know, one complaint we’ve heard from a lot of companies has been that there are lots of independent operations, that the network is not necessarily connected, and that a global, or at least a national, infrastructure doesn’t exist for fighting cybercrimes. So if you guys could comment a little bit more on that, that would be helpful. Thank you.
ANDERSON: Theresa, would you like to take this one?
PAYTON: Yeah, I’ll start off, and I’m sure David and Adam probably have some insights here as well to help. But I don’t disagree with you. I think that is an incredible challenge that we face, because I work on incident response. And we have a really great relationship with FBI, which has their InfraGard, which can be sort of a local chapter where offices are and where headquarters are, as well as with DHS with CISA, they also have a team who will get involved in incident response. Both teams will brief companies proactively, put out indicators. They are putting out more joint bulletins, which is really helpful. And during an incident response, I oftentimes will ask the client, either we could do it for them anonymously or not anonymously, if we would have permission to get those entities involved during a ransomware event, or incident response.
So I agree with you. I think it’s real challenging for a business to know, how do I get information proactively? Once I get it, how do I consume it and turn it into something actionable that I can actually, you know, just have it work and actually help protect and defend the organization. And when I have an issue, do I call my lawyer first? Do I call an incident response team first? Do I call DHS or FBI? And I think that is an ongoing challenge. I do see in my time in working in the cybersecurity space that the collaboration and coordination is better. But it is still confusing.
ANDERSON: Unless there are other comments that David or Adam wanted to share, operator is there another question?
STAFF: Yes. We will take our next question from Maurice Tempelsman. Maurice, please accept the unmute now prompt. OK, maybe the hand raise was a mistake. At this time we don’t have any other questions.
ANDERSON: All right. Excellent. Well, that gives us a chance to get into supply chain issues, which I think is a really interesting topic, and it intersects in ways that—with the COVID-19 that we wouldn’t have anticipated, you know, when we were talking about supply chain more generally back even a few months ago. Obviously here in the U.S. there’s been a great deal of concern about supply chain reliability and vulnerability that’s led to efforts to relocate or regulate supply chains. And so my question for the panelists is whether you all see this trend as one that’s likely to continue, and relatedly whether we might see a parallel with data. In other words, a trend toward data localization increasing as well.
SANGER: You know, I think we saw this already underway before COVID happened, but it’s really accelerated. Think about the 5G debate. So a year ago Secretary Pompeo was traveling around Europe trying to convince countries not to account Huawei as a supplier and saying that if they did they’d be cut off from U.S. intelligence. The Europeans basically called his bluff and began to sign up with Huawei, usually not on the core of the system but on the radio networks and so forth. And that’s where I think we’re headed until we saw COVID spread.
And suddenly countries began to ask the question: Do I really want to be dependent on a Chinese network any more than I want to be dependent on Chinese suppliers for respirators, for ventilators, N95 masks? And you know, if you don’t want to be dependent on a Chinese supplier for your N95 mask, then it doesn’t make much sense to be dependent on a Chinese supplier for your power grid or for your 5G network. And so you’ve seen, particularly in Britain but not just in Britain, some rethinking of this. I don’t think it’s as much going to affect the localization of data.
That was happening with Chinese regulation making companies localize the databases in China, and some by the Europeans and others. But now I think you’re going to see it much more with domestic supply. And here in the United States President Trump has certainly accelerated it with an effort to try to make sure microelectronics and so forth are being supplied domestically. I don’t think they’re going to manage to go revive a 5G manufacturing capability here. I think that may have to wait for the next generation. But certainly there is an effort underway.
SEGAL: So, I mean, I think it’s also important to distinguish between what we think is going to happen to the supply chains. And I think there’s a greater focus now on the resilience of the supply chains.
A lot of those are not going to be reshored, right. When you look at the surveys that the European Chamber and the Shanghai-American Chamber did, in most of those companies they’re still saying that they’re going to invest in China for the China market, and if they do relocate supply chains, it’s going to be to Southeast Asia, not back to the United States. So I think they are going to be able to do some resilience in the supply chains, but not necessarily move them back to the United States.
The one thing I’d add to David’s narrative about what I think has shifted the debate on 5G is the most recent round of commerce sanctions, the May 2020 sanctions that are going to really focus on TSMC, the Taiwanese chip manufacturer, which allowed the British and the intelligence agencies to kind of reopen the debate and say, well, we’re no longer sure where Huawei is going to be able to supply its chips from. And so that adds a whole new level of insecurity, which allowed them to kind of open the door and reopen the debate, which then, I think, lets things fall into place with other—perhaps the Germans and the French as well.
So I think, on that level, the tightening of the Commerce Department’s restrictions really was an important kind of move that shifts that debate.
PAYTON: The only thing I would add there, Trisha—because I think David and Adam covered some really fabulous points there—is that this is absolutely the right time to take a look at your business continuity and resilience and incidence-response playbooks and update them and ask yourself the tough questions. How much redundancy do you actually have in both sort of the materials of the supply chain that you need? Because we had clients who were waiting on things that they had paid for sitting on planes. And when China decided that they needed it for themselves, they canceled the order, refunded the money, and kept the supplies. And this wasn’t just health-care supplies.
So there’s sort of that physical element of the supply chain for whatever the core business is that you are in and whether or not you have redundancy in that.
I would say the second piece is if you do find yourself leveraging different technologies that suddenly end up on sort of the kind of the bad list or this-could-be-bad list or the sanction list, what’s your go-to backup plan, again, from not just a cybersecurity perspective but a business-continuity and resiliency perspective?
And so that would be the only other thing I’d add is just make sure you take a moment to take those lessons learned while we were in sort of the—I call every week a new normal. (Laughs.) So as we’re in sort of each pandemic week’s unfolding of the new normal, take those lessons learned and update those playbooks.
ANDERSON: I’ll just remind participants that they should feel free to raise their hands to ask a question, if anyone is interested in asking a question. And we’ll keep going if not.
STAFF: There are no questions at this time.
So, Adam, I will turn to you maybe to speak a little bit more about the overall trajectory of, you know, how some of these phenomena that we’ve been talking about today will impact the broader U.S.-China tech war. A number of you have alluded to the kind of increased actions designed to tighten—by the U.S. government to tighten restrictions on Huawei or other Chinese entities.
You know, where do you think all of this is headed, and what has been the impact of some of these impacts of the coronavirus on the U.S.-China relationship?
SEGAL: Yeah, I don’t think we’ve seen the bottom yet. I think we’re waiting to see how the sanctions on Huawei play out. Is the Commerce Department going to allow some workarounds like it did for the first year and how the sales are going to work? We’ve seen some expansion of the sanctions to companies that are involved in surveillance and AI technologies. We see a lot of bills that are focused on Chinese students, and in particular some students that might have some connections to the PLA or the military-industrial base in somehow—in some shape or measure.
So I think there’s still a lot of discussion going on among China hawks in particular about how you can cause more pain to Huawei specifically, and then to slow Chinese technology development more broadly.
And then we have the question about, you know, how the Chinese are going to respond. You know, on the domestic side, we saw coming out of the two sessions a focus on technology infrastructure, so about 1.3 trillion (dollars) in investment on technology infrastructure. But it may be very hard for the Chinese not to retaliate if there’s real damage to Huawei, given how much in the Chinese press and coming from Chinese spokespeople about—talking about Huawei and the unfairness of U.S. actions.
So, you know, we haven’t seen very much specific retaliation. You know, some outlets, like the Global Times, have, of course, suggested it. But that is still, I think, waiting in the wings for the Chinese to really consider.
SANGER: Let me just add in one thought here. Let’s say that the Washington strategy is successful beyond its wildest dreams and that the United States, its NATO allies, and a handful of allies in Asia don’t go with Huawei. Huawei will still have probably 40 percent of the world’s communications, just because with China alone, and then states that are willing to go sign up, states that are developing nations, states that are taking this as part of Belt and Road, a fairly large number of nations will be on a Chinese Huawei-dominated network. And that won’t just be Huawei.
And those that aren’t will still be using newly laid Chinese undersea cable, because while we’re laying some new cable, mostly by Facebook and Google and Microsoft and others, the Chinese are laying out new cable along the way, partly through a subsidiary of Huawei or what was a subsidiary of Huawei.
So we’re going to have to, as Sue Gordon, the former deputy director of national intelligence put it, learn how to live in a dirty network. We’re going to have to learn how it is that we manage our communications knowing that they’re going to flow through Huawei networks even if the Huawei hardware is not present here.
And I think that too much of the discussion that I hear, particularly on Capitol Hill, seems to suggest that if we can just ban Huawei from our networks and our allies’, we’ve solved the problem. And we haven’t. And this is where it rolls right into the encryption debate, because if you don’t have truly solid encryption, you’re not going to solve the problem you were intending to solve by keeping Huawei out.
PAYTON: David, that’s such a great point.
And Trisha, just to add a little bit more to what Adam and David said on this, this is where, from a development standpoint, whether it’s the mobile apps, the Web apps, whether it’s the communications themselves, focusing purely on the network is not enough. There’s multiple layers here that are being, you know, potentially overlooked that need to be secured.
And so we need to be taking more advantage—this is where, if we can containerize our development and think about transactions as their own independent element, regardless of what the transaction is transported on, what it’s transported to, that actually helps us with mitigating the risks in this global supply chain we find ourselves in.
So, you know, everything is not made in the same country anymore, whether it’s an Internet of Things device like Google Home or Alexa or your Ring doorbell. Everything is not all created in one country or even in one factory, right. It’s all distributed across different organizations, different companies. So the supply chain is very complex.
The way you reduce your attack surface when you have a very complex supply chain is you actually look at the transactions themselves. So it’s encryption. It’s tokenization of each transaction, and when I’m done and I have what I need, I don’t ask for it the same way again. It’s all the different types of elements for the data and the apps themselves. And if we can start focusing on containerizing those and actually making each and—each one of those components more secure in and of itself, then we’re able to help whether it’s 5G and Huawei or any other part of the supply chain to actually have a more secure experience where we’re not relying on the human, the user, to, oh, make sure you have multifactor authentication; don’t forget, don’t click on links and open attachments even though it’s a core part of doing your job; you know, all those things that we put the burden on the user.
You’re right, David and Adam. Just deciding who provides the 5G network doesn’t mean our job is done. There’s so much more to it.
ANDERSON: I really like the phrase that David used, learning how to—learning how to live in a dirty network I think is really apt here.
We’ve touched a little bit upon the governmental response to some of the cyber threats that we’ve been talking about, and I think—with Adam, who I think expressed some gloom or pessimism about the likelihood that we would see legislation. To the extent we have seen legislative efforts, they have really focused on the hardening of the network and exclusion of Chinese entities from 5G and the network generally. Is there—do you see any efforts, or do you have any thoughts about the role of government in terms of moving to that different strategy of learning to live in a dirty network? Or is that something that it’s just still lagging behind and we don’t really see the government yet taking action in that regard?
SANGER: Well, I think governments are conflicted a little bit because of the encryption debate.
So what’s the—what’s the fear of letting Huawei in? There are two fears. One is that they could shut a network down in time of conflict. And you can pretty well solve that by keeping their parts out of the network, although you’re, obviously, always going to have some Chinese components in it.
The second fear is the one of interception of data. Now, I would argue the Chinese did a pretty good job intercepting data in the old, boring 3G and 4G worlds, right? I mean, Unit 61398 did a nifty job stealing industrial secrets when we weren’t even thinking about 5G yet. So we’re not going to solve that problem entirely.
But the more that governments step out and say we can’t live with complete and total encryption because our law enforcement capability needs a way in, the more they are tripping on their own message about network security from China and others. And what I think I’ve seen in my reporting is that government officials do not like to see this correlation made. They want to think as if they can have their encryption debate purely in terms of law enforcement and being able to get into your iPhone or your network to find out where a missing child is, which is certainly a very reasonable argument about why they may want to do that. But they want to do that thinking that they’re not along the way compromising the rest of their network security, and of course, they are.
SEGAL: I mean, I think we’re probably seeing some thinking in the Defense Department about operating in dirty networks. I think probably most of the thinking now on the—on the tactical or operational side is based on an assumption that, you know, the networks are not going to be as reliant, no matter who supplies them, as we think they’re going to, and you have to have redundancies and backups and analog and all these others things that are—that are going there.
I think, as David said, at the policymaking or the kind of U.S.-official point of view, no, I mean, U.S. officials always think they’re going to have their cake and eat it too—that we’re somehow going to achieve both, you know, perfect transparency into our opponents and complete security for us, and that somehow the other actors are not going to do things to prevent that. And so, you know, I think there is a kind of inability to see that others are just not going to passively accept how we shape those networks and they’re going to kind of operate in ways that are, you know, going to force us to be more strategic and make some difficult decisions, make some compromises about which things we’re willing to give up in return for what we think are either national security interests or law enforcement interests or widespread commercial encryption usage that defends, you know, more people.
ANDERSON: So I’ll just invite participants, if there are any questions, to please raise your hands. I’ll pause for a moment.
If not, then I will ask each of our panelists to wrap up by—
STAFF: Trisha, we do have a question.
ANDERSON: Great, OK.
STAFF: If you don’t mind me interrupting.
ANDERSON: Of course. Absolutely.
STAFF: Take our next question from Josh Green.
Q: Hi. This is Josh Green from S&P Global.
I appreciate the comments today, though it does seem to paint a pretty bleak picture for the future. And I’m curious if there’s anything that’s giving you optimism about the path forward specifically around our ability to operate in a—in a secure environment.
ANDERSON: That’s an excellent question on which we can end. So I’ll ask each of the panelists to give their thoughts on this question. Theresa, do you want to start?
PAYTON: Yeah, sure. So what’s interesting is—thank you for asking that so we can end on a high note. Some of the things that I’m incredibly encouraged around is actually removing the friction of security for the user by leveraging technologies such as machine learning, artificial intelligence to actually do the behavioral-based analytics in real time and to be able to say: Does this transaction make sense, or is this transaction an anomaly where I need to actually layer back in more friction just to actually validate and authorize the user? So I think we’re finally at sort of the place where we have enough information about you, about how you do business; we have enough computer processing power and technology to actually start to make your interactions with technology more secure.
So I see a lot of hope and promise there. We’re not quite there yet, but I do see a lot of hope and promise there, where things like implementing encryption for a transaction and the tokenization of that information in the moment that you need it being something that’s easy for a business to implement and easy for you to consume, and those are the key elements. And then to be able to use that behavioral-based analytics and machine learning to analyze a transaction in real time, and if something doesn’t look right about it ask more questions about it, and if it seems like the transaction is not legitimate to be able to actually stop it in its tracks. So there’s a lot of promise there.
Also, some of the frameworks that have been rolled out, both the international frameworks but some of the ones rolled out such as NIST, some of the things coming out of Department of Defense, the FedRAMP certification for cloud, those frameworks are starting to pay off. I don’t want to see them used as checklists because checklists don’t stop bad things from happening, but they are starting to create a level of rigor and discipline that’s sort of like a basic pay-to-play that I think is incredibly helpful.
So you put the two together, if we can always make sort of security be a warm hug around the user instead of an add-on, that’s a good day in my book. And we’re approaching that.
SANGER: Oh, I’d add in that we’ve come a long way since 2016. The Russians may have done us an enormous favor, because while they created a fair bit of paranoia and so forth, I’m not sure at the end of the day they actually affected the outcome of the 2016 election. And I think it’s going to be hard for them to get away with things unseen except at the very last moment in the coming election.
Every upside has got a downside to it, and the downside is that we have learned that the psychological benefits of interrupting a process, a network—as Adam and I were discussing earlier, just creating a perception hack can do a lot of damage. But we have a much more cyber-savvy electorate today than we had four years ago, and I think that’s going to be—make it easier for people to recognize that, in fact, they are hearing from a bot; that, in fact, the registration system may be messed around with by a foreign power or it may be a case where simply the state has made an error, the way Georgia made a series of errors in training the other day for the primary. So I think we’re a lot more savvy. That doesn’t mean we’re safe.
SEGAL: I don’t think I’ve ever ended a cyber talk on a positive note, but I will—I will try. I think there’s lots of interesting things happening in the—on the public-private side, that we’re seeing a lot of groups like the Cyber Threat Alliance and others that are, I think, doing a very good job of popularizing, reaching out, benchmarking, providing guidelines, reaching new audiences internationally and domestically, and providing some of the solutions.
I think also the efforts on the international level of the private sector to shape the norms discussion has been interesting. I don’t know long term how effect it has been, since states still say this is still a state realm. But they’re certainly, I think, affecting the debate and putting new ideas in the discussion.
ANDERSON: Thank you so much, Adam.
Well, we covered a lot of territory today, and I just want to thank all the participants for joining the Virtual Roundtable. And thank you so—(inaudible, technical difficulties)—to our speakers. (Audio break, technical difficulties)—and posted on the CFR website. So thanks again, everyone.
SEGAL: Thank you.