WEBVTT

00:02.423 --> 00:05.180
- Hello and welcome again
to another edition of

00:05.180 --> 00:08.870
Strategic Studies Quarterly,
Issues and Answers.

00:08.870 --> 00:13.870
Today the issue, cyber. Or
cyberspace if you prefer.

00:14.410 --> 00:18.670
Over the last 20 years,
cyber capabilities, threats,

00:18.670 --> 00:22.010
and vulnerabilities have
been ubiquitous in our

00:22.010 --> 00:24.040
national security discussions.

00:24.040 --> 00:27.040
And also critical to our national defense.

00:27.040 --> 00:30.040
Here to examine many of the aspects of the

00:30.040 --> 00:34.426
cyber domain is my guest,
Doctor Pano Yannakogeorgos.

00:34.426 --> 00:38.290
He is the Dean of the Air
Force's Cyber College.

00:38.290 --> 00:42.030
He holds a PhD in global
affairs from Rutgers University

00:42.030 --> 00:46.670
and is a widely published
author on cyber security.

00:46.670 --> 00:48.720
Pano, welcome to Issues and Answers.

00:48.720 --> 00:50.060
- Absolutely Mike,
thank you for having me.

00:50.060 --> 00:53.110
- You know we've published a lot on cyber.

00:53.110 --> 00:55.340
We've published two
special editions in fact,

00:55.340 --> 00:58.250
on cyber over the last 12 years.

00:58.250 --> 01:01.060
In almost every edition of
Strategic Studies Quarterly,

01:01.060 --> 01:05.600
we have articles addressing
some aspect of cyber.

01:05.600 --> 01:07.380
So let's get into a couple of issues

01:07.380 --> 01:08.913
and answers on that topic.

01:09.920 --> 01:12.070
First I'd like you to give us an overview

01:12.070 --> 01:15.000
of what you see are some
of the greatest threats

01:15.000 --> 01:17.360
facing the United States and cyber.

01:17.360 --> 01:20.680
Would you be able to
classify those as hackers,

01:20.680 --> 01:23.130
criminals or our adversaries?

01:23.130 --> 01:24.550
- So I'm gonna break it down, Mike,

01:24.550 --> 01:27.540
into an actual threat probability.

01:27.540 --> 01:30.851
So, we see right now the
greatest threat to the

01:30.851 --> 01:33.620
United States comes from
criminal actors who are

01:33.620 --> 01:37.160
looking for profit by
stealing people's personal

01:37.160 --> 01:39.400
identifiable information and re-selling it

01:39.400 --> 01:42.290
on the dark web or just stealing money

01:42.290 --> 01:43.700
straight out of people's bank accounts.

01:43.700 --> 01:45.790
So that's what we currently see right now

01:45.790 --> 01:50.470
as the greatest threat to
the civilian population.

01:50.470 --> 01:54.290
However, we also have
another greater threat

01:54.290 --> 01:57.030
to U.S. National Security
which can be broken down

01:57.030 --> 02:00.030
into Nation-State sponsored activities.

02:00.030 --> 02:03.240
One is a Chinese theft
of intellectual property

02:03.240 --> 02:06.120
from U.S. corporations,
including defense contractors.

02:06.120 --> 02:10.450
And then the other is
actually the targeting

02:10.450 --> 02:15.400
of the electoral process by
the Russians, as is well known.

02:15.400 --> 02:18.033
So on the Chinese side,
for me, that's the more,

02:18.988 --> 02:22.464
the greatest turf threat of all because

02:22.464 --> 02:25.700
at the end of the day,
our American companies

02:25.700 --> 02:27.840
are innovating, putting
a lot of investments

02:27.840 --> 02:29.330
and research and development into

02:29.330 --> 02:30.750
the research and development.

02:30.750 --> 02:33.380
As a result, when the
Chinese steal that money,

02:33.380 --> 02:34.920
they don't have to
put that investment in.

02:34.920 --> 02:38.720
They can re-create the
products, like the C-17

02:38.720 --> 02:42.213
which was re-developed as a Y-17 aircraft,

02:43.405 --> 02:45.190
and not have to

02:46.900 --> 02:47.950
actually go out and

02:47.950 --> 02:49.350
do all the hard work themselves.

02:49.350 --> 02:51.960
So they're almost able
to leapfrog our military

02:51.960 --> 02:53.640
capabilities so the
United States effectively

02:53.640 --> 02:56.393
becomes a Chinese research
and development laboratory.

02:57.340 --> 02:59.540
- So it sounds like the
threat is, I would call

02:59.540 --> 03:02.120
it a conglomeration of threats.

03:02.120 --> 03:06.340
And you mentioned, on the
civil side particularly first,

03:06.340 --> 03:09.160
what would you consider the weakest link

03:09.160 --> 03:14.110
in that civilian side
of this vulnerability?

03:14.110 --> 03:16.620
- The weakest link are the
platforms and the software.

03:16.620 --> 03:20.120
So by platforms, I mean the hardwares that

03:20.120 --> 03:22.530
corporations create and
deliver into the market

03:22.530 --> 03:25.150
and the software that
creates the applications

03:25.150 --> 03:27.560
that allow users to interact

03:27.560 --> 03:29.520
with each other across the world.

03:29.520 --> 03:33.000
So, over the past three
decades and the brief

03:33.000 --> 03:35.340
history of cyberspace that we have,

03:35.340 --> 03:37.680
industry has not provided us with

03:39.190 --> 03:42.480
software and hardware
that is secure by design.

03:42.480 --> 03:43.620
They're more interested in getting the

03:43.620 --> 03:46.660
products out to market and as a result,

03:46.660 --> 03:50.930
they don't conduct the
best coding practices

03:50.930 --> 03:53.770
to make sure that their
software is secure.

03:53.770 --> 03:55.700
And as a result, this vulnerability

03:55.700 --> 03:57.560
proliferates throughout society and

03:57.560 --> 03:59.040
that's what I believe the greatest

03:59.040 --> 03:59.950
vulnerability is right now.

03:59.950 --> 04:02.619
The actual software and hardware that

04:02.619 --> 04:05.935
exists in the consumer market today.

04:05.935 --> 04:08.220
- Maybe the answer to this next question

04:08.220 --> 04:10.010
may be quite obvious, but how would

04:10.010 --> 04:11.940
you decrease that vulnerability?

04:11.940 --> 04:14.900
What would you propose
to decrease that while

04:14.900 --> 04:19.260
still maintaining cyber
efficiency or effectiveness?

04:19.260 --> 04:22.250
- To be fair, to follow
on, it's a hard problem

04:22.250 --> 04:26.910
because the gross national product is

04:26.910 --> 04:30.087
dependent on our IT services so we can't

04:30.087 --> 04:32.940
expect them to decrease
their profit margin

04:34.023 --> 04:37.280
by taking time to produce that

04:37.280 --> 04:38.640
hardware and software that's secure.

04:38.640 --> 04:41.550
What can be done today,
though, is that the consumers

04:41.550 --> 04:46.100
either at a personal level
or at an enterprise level

04:46.100 --> 04:49.040
or at a U.S. government military level,

04:49.040 --> 04:52.420
can start asking through a contract for

04:52.420 --> 04:54.560
companies to implement cyber security

04:54.560 --> 04:57.970
features by design or by
implementation into the

04:57.970 --> 05:01.050
products that are being
delivered to large corporations.

05:01.050 --> 05:02.390
- To make that a requirement?

05:02.390 --> 05:03.223
- Correct.

05:03.223 --> 05:05.460
- You mentioned the government in there so

05:05.460 --> 05:07.673
that's sort of a lead
into my next question.

05:08.929 --> 05:11.530
What do you think the DOD itself is

05:11.530 --> 05:13.033
most vulnerable in and why?

05:13.950 --> 05:16.410
- So that's a very interesting question.

05:16.410 --> 05:19.360
The Government Accountability
Office, the GAO,

05:19.360 --> 05:22.600
issued a report back in October 2018

05:22.600 --> 05:25.950
that covers cyber weapons, cyber

05:25.950 --> 05:28.033
vulnerabilities and weapons systems.

05:29.101 --> 05:30.440
And it's a long lengthy report and I'll

05:30.440 --> 05:32.100
just summarize the gist of it.

05:32.100 --> 05:34.470
That is probably the greatest risk

05:34.470 --> 05:35.980
right now that the DOD faces.

05:35.980 --> 05:39.170
The actual cyber
vulnerabilities within our

05:39.170 --> 05:41.830
military platforms that
could potentially be

05:41.830 --> 05:44.480
exploited by a threat actor.

05:44.480 --> 05:46.650
- That has some of those
vulnerabilities that

05:46.650 --> 05:49.100
the companies produced
initially, it makes sense.

05:50.340 --> 05:54.160
Okay same question, on
the DOD side, what should

05:54.160 --> 05:56.750
we do, what's the best way
to fix those vulnerabilities?

05:56.750 --> 05:59.563
And what's not being done
now that we should be doing?

06:00.510 --> 06:03.560
- The one thing is to focus on again, the

06:03.560 --> 06:07.220
contractual relationship
we have with companies.

06:07.220 --> 06:09.540
We need to educate and train our lawyers,

06:09.540 --> 06:12.080
our acquisitions professionals to be cyber

06:12.080 --> 06:14.890
savvy and to understand
what keeper parameters

06:14.890 --> 06:18.110
can be included in a
DOD acquisition contract

06:18.110 --> 06:21.110
that could hold a company
culpable or liable

06:21.110 --> 06:24.260
for hacks that happen
as a result of poorly

06:24.260 --> 06:26.430
designed systems or systems that did not

06:26.430 --> 06:29.298
have cyber security designed within them.

06:29.298 --> 06:31.510
There are certain steps
that are being taken

06:31.510 --> 06:34.980
right now within DOD to actually start

06:34.980 --> 06:37.590
processes like this but
it needs to be incultured

06:37.590 --> 06:40.710
within the acquisitions
and the legal communities.

06:40.710 --> 06:43.428
- So we're not at that level quite yet.

06:43.428 --> 06:44.261
- (Pano) No.

06:45.260 --> 06:48.320
- Do we have the right
talent to get to that level?

06:48.320 --> 06:50.750
And if we don't, how do we get it?

06:50.750 --> 06:55.750
- So, educating those
non-cyber career fields

06:56.280 --> 06:58.410
is the most important thing and the

06:58.410 --> 07:01.470
Air Force is headed in the right direction

07:01.470 --> 07:03.780
with the standard of the
Air Force Cyber College

07:03.780 --> 07:07.420
where educating the legal
communities, acquisitions

07:07.420 --> 07:09.760
communities, and others on how to start

07:09.760 --> 07:12.720
asking the right questions to start

07:12.720 --> 07:14.920
re-shaping the technical environment,

07:14.920 --> 07:17.713
at a policy and strategic level.

07:19.648 --> 07:22.170
- Well I'm gonna ask this next question,

07:22.170 --> 07:23.800
and it has to do with Congress.

07:23.800 --> 07:26.140
And we've seen a lot of action from

07:26.140 --> 07:29.070
Congress over the past few years.

07:29.070 --> 07:32.220
Is that level of
involvement, Congressional

07:32.220 --> 07:34.870
oversight, in your
opinion is it too little,

07:34.870 --> 07:37.521
too much or just too late?

07:37.521 --> 07:40.090
- I think it's just right. (both chuckle)

07:40.090 --> 07:42.893
I'll stick with that from
the Goldilocks paradigm.

07:43.988 --> 07:46.580
So, you don't want Congress to get too

07:46.580 --> 07:48.904
heavily involved in offering regulations

07:48.904 --> 07:52.300
'cause that could generally
stifle innovation.

07:52.300 --> 07:54.800
I think a softer, carrot and stick approach

07:54.800 --> 07:56.980
is to try to reshape the environment

08:01.172 --> 08:03.520
through measures such as re-defining the

08:03.520 --> 08:05.910
acquisition process and things like that.

08:05.910 --> 08:07.910
If the environment
doesn't improve over time

08:07.910 --> 08:10.120
then it might be the right opportunity

08:10.120 --> 08:11.690
to ask Congress to do more.

08:11.690 --> 08:14.230
They have been including
the right language,

08:14.230 --> 08:16.870
the appropriate language
in the most recent

08:16.870 --> 08:19.130
National Defense Authorization Act.

08:19.130 --> 08:21.171
And right now, that's been a great

08:21.171 --> 08:23.820
way to kind of signal to industry

08:23.820 --> 08:26.580
and also within the DOD of the importance

08:26.580 --> 08:29.710
that cyber security and cyber mission

08:29.710 --> 08:32.087
assurance should be taking for the DOD.

08:34.170 --> 08:36.130
- I know you've heard and read

08:36.130 --> 08:38.790
a lot about this next topic.

08:38.790 --> 08:42.440
It's more of a specific nature to one

08:42.440 --> 08:45.860
of the concerns some people have in cyber

08:45.860 --> 08:47.100
in the United States right now.

08:47.100 --> 08:49.140
And that's the issue of Huawei,

08:49.140 --> 08:52.273
the Chinese company
Huawei and its 5G network.

08:53.630 --> 08:55.380
Is that really something we should be

08:55.380 --> 08:57.380
concerned about or worry about?

08:57.380 --> 09:01.720
- Absolutely. So, I'll
give you an example.

09:01.720 --> 09:04.580
Let's not use the 5G
network as an example,

09:04.580 --> 09:06.390
let's just take it up
a higher level and talk

09:06.390 --> 09:10.610
about the Chinese behavior
currently in cyberspace.

09:10.610 --> 09:12.620
The Chinese have been
pilfering intellectual

09:12.620 --> 09:15.320
property using existing networks that

09:15.320 --> 09:18.880
they don't own and
control, like Cisco routers

09:18.880 --> 09:21.120
they haven't developed and
other things like that,

09:21.120 --> 09:22.910
in order to steal secrets to actively

09:22.910 --> 09:25.843
and aggressively go after
intellectual property.

09:27.810 --> 09:30.010
If they now have an
additional level of control

09:30.010 --> 09:32.010
over the physical infrastructure through

09:32.010 --> 09:35.070
Huawei's 5G equipment, I'm pretty sure

09:35.070 --> 09:36.820
their strategic culture
is not automatically

09:36.820 --> 09:38.487
gonna shift overnight
and they're gonna say

09:38.487 --> 09:40.690
"Okay, now that we have
Huawei in your networks

09:40.690 --> 09:42.100
we're gonna stop hacking you".

09:42.100 --> 09:43.420
So I'm pretty sure the trend that we've

09:43.420 --> 09:45.320
seen in the past will only be amplified

09:45.320 --> 09:49.230
as a result of more and
more Chinese equipment

09:49.230 --> 09:50.893
being put on networks globally.

09:51.790 --> 09:54.170
- So it sounds like that
risk is pretty great.

09:54.170 --> 09:55.003
- Absolutely.

09:58.350 --> 10:00.593
- In the winter 2019 edition,

10:02.739 --> 10:05.330
the upcoming edition at
the end of this year,

10:05.330 --> 10:09.070
will be a special edition
on great power conflict.

10:09.070 --> 10:12.800
Can you briefly mention
how you think cyber

10:12.800 --> 10:16.140
may play out, or play a part in a great

10:16.140 --> 10:18.360
power conflict maybe before, during,

10:18.360 --> 10:20.460
and after a great power conflict?

10:20.460 --> 10:21.293
- Absolutely.

10:22.652 --> 10:24.710
We kind of break it down as a two way.

10:24.710 --> 10:27.750
So cyber catastrophe or cyber peacemaker.

10:27.750 --> 10:29.740
And the cyber peacemaker is
more of a tongue-in-cheek.

10:29.740 --> 10:32.490
But I'll start with cyber catastrophe.

10:32.490 --> 10:34.293
Before the great power conflict,

10:35.600 --> 10:39.210
nation-states will have been implanting

10:39.210 --> 10:41.410
software on each other's
critical infrastructure,

10:41.410 --> 10:43.270
they will have been stealing information

10:43.270 --> 10:45.500
from each other to better understand their

10:45.500 --> 10:47.470
military plans, policies, procedures,

10:47.470 --> 10:50.240
they will have developed
equipment based on America's

10:52.030 --> 10:55.783
greater technological
innovations and copied it.

10:56.740 --> 10:58.450
So when the great power conflict starts,

10:58.450 --> 10:59.890
they'll take all the advantage they've

10:59.890 --> 11:01.860
had in cyberspace and start acting on it.

11:01.860 --> 11:04.560
So the military secrets
or political secrets

11:04.560 --> 11:06.560
that they would have
stolen, they'll be able

11:06.560 --> 11:08.980
to reshape their own military strategies

11:08.980 --> 11:10.493
to best counter ours.

11:11.460 --> 11:13.930
The military platforms that
they will have developed

11:13.930 --> 11:17.130
as a result of stealing our military

11:17.130 --> 11:20.100
developmental secrets will enable them to

11:22.970 --> 11:26.830
have equipment that is as
capable or more capable

11:26.830 --> 11:29.360
than our own on the battlefield.

11:29.360 --> 11:33.210
So that's the cyber catastrophe scenario,

11:33.210 --> 11:35.500
where things are going
on in the traditional

11:35.500 --> 11:37.230
domains of warfare and
then at the same time

11:37.230 --> 11:39.410
with all those implants that are implanted

11:39.410 --> 11:42.360
across the cyber domain,
things could start

11:42.360 --> 11:44.640
exploding and have kinetic effects as

11:44.640 --> 11:46.330
a result of someone on the other side

11:46.330 --> 11:47.830
of the world pushing a button.

11:48.770 --> 11:50.810
But the thing is with
great power conflict,

11:50.810 --> 11:53.470
you have all sides doing
this to each other.

11:53.470 --> 11:56.910
So this is where my cyber
pacifier example comes in.

11:56.910 --> 11:59.900
Where you have all the airplanes and all

11:59.900 --> 12:01.890
the modern military equipment taken off

12:01.890 --> 12:03.610
and because the hackers have been so good

12:03.610 --> 12:05.510
at what they do, they just turn around

12:05.510 --> 12:07.810
and land again, or crash.

12:07.810 --> 12:10.350
And as a result, there is
no conflict as a result

12:10.350 --> 12:14.855
of the adeptness of great
powers to hack each other.

12:14.855 --> 12:16.030
(laughs)

12:16.030 --> 12:17.450
- I like the way you characterize

12:17.450 --> 12:19.283
that as cyber pacifism.

12:20.750 --> 12:23.360
Last question. You and
I have talked before

12:23.360 --> 12:24.940
and we've published several pieces

12:24.940 --> 12:28.680
on the offensive nature
of cyber, offensive

12:28.680 --> 12:31.740
cyber capabilities,
particularly hack-backs.

12:31.740 --> 12:33.810
I remember you sharing some thoughts

12:33.810 --> 12:35.483
on that several years ago.

12:36.507 --> 12:39.529
What are your thoughts on the subject now?

12:39.529 --> 12:43.330
The subject of hack-back and/or
offensive cyber operations.

12:43.330 --> 12:46.420
We've just seen the President recently

12:46.420 --> 12:49.300
within the last year
saying, "The military,

12:49.300 --> 12:52.016
we're going to sort of release you to do

12:52.016 --> 12:53.179
more of these kinds of things".

12:53.179 --> 12:56.800
And recently in the news, we've
seen some examples of that.

12:56.800 --> 13:00.533
So, what are your thoughts
on the offensive cyber?

13:01.510 --> 13:03.170
- I think there's too much attention paid

13:03.170 --> 13:05.053
to offensive cyber, I'll start there.

13:08.212 --> 13:11.410
Around the world, countries are developing

13:12.550 --> 13:14.150
cyber commands or something

13:14.150 --> 13:16.020
that looks like a cyber command.

13:16.020 --> 13:18.700
And a lot of the purpose
of the cyber command

13:18.700 --> 13:21.360
is to start trying to
think of offensive ways

13:21.360 --> 13:24.130
to integrate cyber into
military operations.

13:24.130 --> 13:26.424
I think the better thing to do to create

13:26.424 --> 13:29.000
more stable global cyberspace is to focus

13:29.000 --> 13:31.940
on defensive measures like
the United States is doing.

13:31.940 --> 13:33.520
When we're talking about the American side

13:33.520 --> 13:35.330
of the command we're
focused on cyber protection

13:35.330 --> 13:38.610
teams and things that are being done

13:38.610 --> 13:43.500
in order to defend our assets and ensure

13:43.500 --> 13:45.610
that our military operations can

13:45.610 --> 13:47.910
achieve the commander's intent.

13:47.910 --> 13:50.340
So that's my own personal
view of where we think.

13:50.340 --> 13:54.620
But now my general
thoughts of offensive cyber

13:54.620 --> 13:57.130
are that if countries and nation-states

13:57.130 --> 14:00.460
try to develop offensive
cyber capabilities

14:00.460 --> 14:03.210
they have two real models to look after.

14:03.210 --> 14:06.460
First is Stuxnet and
the second is NotPetya.

14:06.460 --> 14:10.260
Stuxnet example is one that had a cyber

14:10.260 --> 14:12.830
capability that was deployed against

14:17.064 --> 14:17.897
an illegal nuclear
activity within Iran.

14:20.300 --> 14:21.300
It was meant to disrupt the program

14:21.300 --> 14:23.300
in accordance with the United Nations

14:23.300 --> 14:25.570
Security Council's resolutions.

14:25.570 --> 14:27.390
When it got out into the wild and spread

14:27.390 --> 14:29.380
around the world, there was no effect.

14:29.380 --> 14:32.580
It just laid there dormantly
on systems worldwide.

14:32.580 --> 14:35.630
So that's an example of an offensive cyber

14:35.630 --> 14:40.630
capability that states
can look at as a model

14:40.840 --> 14:44.900
for what a responsible way
of using a cyber weapon is.

14:44.900 --> 14:46.943
An irresponsible way is NotPetya.

14:48.475 --> 14:51.650
NotPetya was where the
Russians hacked into

14:51.650 --> 14:54.510
a Ukrainian tax software
that the Ukranians

14:54.510 --> 14:58.113
used in order to conduct
a ransomware attack.

14:59.034 --> 15:03.310
NotPetya went beyond the
borders of the Ukraine

15:03.310 --> 15:05.260
and went around the
world; it caused millions

15:05.260 --> 15:06.740
and hundreds of millions of dollars

15:06.740 --> 15:09.440
in economic damage worldwide because

15:09.440 --> 15:11.830
it was ransoming everything it touched.

15:11.830 --> 15:14.830
So that's an example of a cyber, offensive

15:14.830 --> 15:18.690
cyber capability that is irresponsible

15:18.690 --> 15:21.360
and could actually be
leveled at a war crime.

15:21.360 --> 15:23.170
Because at the end of the day, anything

15:23.170 --> 15:25.560
that a military feels in cyberspace

15:25.560 --> 15:28.710
has to abide by
international laws and rules

15:28.710 --> 15:31.410
and norms of responsible state behavior

15:31.410 --> 15:33.563
and also laws of armed conflict.

15:34.400 --> 15:36.360
The hack-back question is a perplexing one

15:36.360 --> 15:39.640
because by that I understand it to mean

15:39.640 --> 15:40.880
private sector hack-backs.

15:40.880 --> 15:44.250
So a company gets hacked
and lots of companies

15:44.250 --> 15:46.850
are demanding that they
have the right to hack back.

15:46.850 --> 15:48.760
I think that's a very dangerous situation

15:48.760 --> 15:51.340
because you want to allow the state to

15:51.340 --> 15:54.400
still have monopoly over the use of force,

15:54.400 --> 15:57.640
over having legitimate
law enforcement mechanisms

15:57.640 --> 15:59.870
to tackle hacker organizations.

15:59.870 --> 16:02.540
If we start to allow private companies

16:02.540 --> 16:05.080
to go out and cause destructive activities

16:05.080 --> 16:07.370
to counter hackers that are
attacking their networks

16:07.370 --> 16:09.420
there could be broader implications

16:09.420 --> 16:12.483
that create more instability
in the domain as a result.

16:14.790 --> 16:17.059
- Well it sounds pretty
scary and in the last

16:17.059 --> 16:20.260
few minutes, you've given
us a lot to think about.

16:20.260 --> 16:23.210
I suspect that cyber will
remain very important

16:23.210 --> 16:26.480
to our national security and to our lives.

16:26.480 --> 16:29.260
So on behalf of team SSQ and the entire

16:29.260 --> 16:31.990
SSQ audience, Pano thank you very much.

16:31.990 --> 16:33.470
- Absolutely. Thank you
for having me again.

16:33.470 --> 16:34.303
- My pleasure.

