What Would Joe Do?
Peggy Aycinena is a freelance journalist and Editor of EDA Confidential at www.aycinena.com. She can be reached at peggy at aycinena dot com.
Computer History Museum: the Future of War is Here
November 16th, 2017 by Peggy Aycinena
That’s because their conversation wasn’t really about war; it was about the lives that you and I are living in the here and now. And those lives – at least the privacy and security concerns associated with those lives – are mind-numbing in today’s
So, are you worried about cyber-security?
Are you worried about nefarious entities hacking your email, your social media accounts, your dating history, your purchasing history or credit scores? Worried that they’ve got access to your phone, your laptop, your watch, your Alexa, your TV, refrigerator, light bulbs or thermostat? Worried that they’ve infiltrated your bank, your doctor, your medical insurance provider? That they’ve cyber-attacked your power grid, regional emergency response capabilities, state and national legislatures, your federal government, your Army, Navy, CIA or FBI? Even your elections?
Well, if you’re not worried, you should be. Because according to Perlroth and Fick, the horse is out of the barn, the genie’s out of the bottle, the evil’s escaped Pandora’s box. In other words, we’re all screwed.
And Perlroth and Fick let us know all this even before they finally got around to talking about war itself, what it looks like today and will look like going forward, our modern version of Apocalypse Now.
And what does war look like these days?
Nicole Perlroth ticked off some of the more infamous nation-state cyber-attacks of the last few years, highlighting perpetrators such as North Korea, China, Iran, and Russia,
Nate Fick responded by summarizing each nation state’s mind-set: Russia is on the march and very aggressive in the area of cyber-attacks, singling out oil, energy, and the US elections.
China is assertive, but at the same time somewhat measured. They want to be global players, so they have something to lose if they do not reduce the frequency of their cyber-attacks – most of which target theft of industrial IP and are orchestrated by subsidiaries of the Chinese Army.
Iranian cyber-attacks have also tailed off, in the wake of the nuclear agreement with the US, because that nation-state suddenly has something to lose if they didn’t lighten up.
North Korea, on the other hand is a rogue state – unpredictable and without a clear rationale behind their persistent cyber-attacks. They see themselves as having absolutely nothing to lose, so there are no deterrents that actually work against their cyber-aggression.
In response to his characterizations, Perlroth asked Fick about deterrents that have been developed – in particular by the US government – and why they have not been successful.
Fick responded with his 10-second history of the world since World War II: “Since the end of 1945, US power has kept the lid on great power wars. Yes, there have been some stupid policies but no power wars, given the extension of the American umbrella over NATO and the Japan/Korean theater.
“In these 70 years, we have seen the growth of American military, informational, economic and diplomatic power – much of which has been threatened, but not used – and how it has enforced a set of rules of behavior in the world.
“All of that power has worked pretty well in the kinetic world. But that power, and threat of power, has not extended successfully into the cyber-domain.”
“Take the Russians and Chinese, for example,” Fick continued, “and let’s look at things as a national security issue.
“If a foreign power had used kinetic means to attack us – missile strikes or agents on the ground – we know what the American response would look like. It would include everything from sticks to knives to guns.
“But in the cyber-domain, our adversaries know they can get away with it. The Russian interference in our elections, or the Chinese stripping of IP.”
Perlroth completed that line of thinking: “And in the case of some of our adversaries, you can’t even be sure where the attack is coming from.
“In Russia, they rely on proxies. In China, they relay on contractors. Who do we retaliate against when we can’t even be sure who the perpetrators are?”
Fick offered a bit of consolation: “After the 9/11 attacks, one of the things the Bush administration got right was trying to make the asymmetrical symmetrical again. They said, the US will enforce its interests against terrorists groups, or the states that harbor them.
“That was a recognition that non-state actors [such as the Taliban] are working with the boundary of a nation-state [such as Afghanistan]. These were sins of omission [not expelling the non-state actors] rather than sins of co-mission.
“Now there is an analog in the cyber-sphere. It’s no coincidence that the kinds of cyber-attacks we are talking about emanate from either places linked to the host government [perpetuating the attacks], or places where the rule of law is weak and they can get away with it.
“We could square that asymmetry by saying we will retaliate against any nefarious cyber-actors and against the states that harbor them.”
“These [hackers] are just human beings working in an actual place,” Fick said, “using the infrastructure of that place [to mount] cyber-attacks.
“Our deterrents wouldn’t be perfect, because there’s a difference between technical attribution and intentional attribution, but if we were more full-throated in linking cyber-activity to a state or state-sponsored actor, our deterrents would be more successful.”
Perlroth responded: “Putin says hackers are just artists and will do what they want to do, but we are saying we will hold the artists [and those who harbor them] culpable for the attacks.”
Perlroth also emphasized that successful cyber-attacks need not be sophisticated.
When North Korean went after Sony in 2014, for instance, she said the attack wasn’t fancy but was devastating and made the point: “With a nuclear weapon, you need materials. With a cyber-attack, you just need code.”
Fick, a veteran who served tours of duty in Afghanistan and Iraq, offered a military point of view: The lack of sophistication in many cyber-attacks does not come as a surprise.
“The David and Goliath scenario,” he said, “is one where the insurgent force brings to bear simple weapons to cripple a major armed force.
“Similarly, our thinking in the US that we can take refuge in being the most sophisticated [in the age of cyber-warfare] does not actually make us the strongest, but instead the most vulnerable in these conflicts.”
Perlroth seconded that pessimism: “Yes, we are sophisticated at offense, but we are the most digitally connected country in the world, so people don’t realize that we are also the most vulnerable.”
“In addition,” she continued, “in cyber-war, the enemies learn from each other. People don’t realize that there’s always the possibility that [when we use cyber-weapons], the code can get out there and be used against us in our own backyard.”
Which begs the question, per Perlroth: “Under what circumstances should we be using some of these tools [if they can be turned against us]?”
“Of course,” she added, “President Obama said [with respect to the North Korean attack on Sony] that we would decide the date and time of our response.
“Undoubtedly there was a response, but [for the sake] of security considerations, we never knew what it was.”
“Yes, we took out all eleven of their Internet sites for three whole days,” Fick retorted, getting a hearty laugh from his audience.
But Fick also noted there’s a time when cyber-attacks do warrant the use of sophisticated offensive cyber-weapons, even at the risk of revealing their existence: “If we threw 1000 boomerangs out into the darkness and had razors attached to their tips, yes they could come back and get us.”
But if the use of such weapons deters additional kinetic escalations, Fick said, the risks are warranted.
He then invoked his academic background in the classics to address the philosophical underpinnings of war: “You have to go back 1500 years, to St. Augustine and the laws of war that originated out of his body of thought.
“It’s the law of proportionality. If a child throws a rock at me, I can’t kill his family. Civilian combatants are illegitimate targets of war.”
Obviously, there are problems when the adversary isn’t wearing a uniform and hides among the people, Fick noted: “But bombing an electrical substation is different from attacking a hospital, even though damage from bombing the substation can be widespread and uneven in its reach.
“We need to use force in the cyber-domain in accordance with the same laws that govern our behavior in the kinetic domain of war. We must not think of a cyber-response to a cyber-act. The point is to decouple the two, and think of other responses.
“I remember in Afghanistan, after our air campaign, there were no more targets. Similarly in a cyber-campaign, you’ll run out of targets really quickly, so you have to use non-cyber means to respond to a cyber-attack.
“It’s a delicate argument. First, you have to believe in having a force and a doctrine [that does not] launch a tomahawk missile in response to a cyber-attack.”
And this is when things at the Computer History Museum turned truly dark, as Fick continued.
“After all, this is not machine on machine,” he said, “it’s actually people on people and we are losing this battle every single day.
“As the cyber-attacks are getting more crippling, we are locked into a losing game – in the cyber-attacks on our institutions and in the personal management of our data.
“The Equifax hack effectively [violated] every adult in the US. When does it stop? When will we change the game? We can’t keep building 12-foot walls [when our adversaries] have 14-foot ladders.
“Governments exist primarily to provide security for the people, but our government is failing to secure our cyber-domain. Unless, and until, our government extends itself into the cyber-world to keep the peace, the Wild West will continue to prevail.”
This seasoned kinetic warrior, turned corporate cyber-entrepreneur, then concluded: “I’m a believer in talking as a deterrent to war. We must keep talking and talking until we are blue in the face, until all alternatives have been considered.”
And so the hoped-for Future of War is no war at all – be it kinetic, cyber, or otherwise.
Undoubtedly, something that St. Augustine would have agreed with. Of course, his was not a Digital Age.
At one point during Wednesday evening’s discussion, Nicole Perlroth asked, “At what level can we ever really protect ourselves?
“Recently, I wrote a story about an energy firm, a company that [successfully warded off] some of the most sophisticated cyber-attacks in the world. They were attacked by China, but even China failed to hack into the company.
“Then the Chinese operatives decided to look at the social media of some of the employees at the energy company. They found that the employees were ordering take-out Chinese food from a restaurant near the company’s headquarters.
“So the cyber-attackers planted malware on the PDF take-out menu that the energy company employees downloaded to order their meals. And so the Chinese cyber-attackers got in.
“Really, you can spend as much money as you want to on cyber-security, but eventually they’ll just get in through the take-out menu.”
.. a venture-backed security software company that automates the pursuit, containment, and mitigation of the most advanced cyber-threats.
.. has been CEO of Endgame since 2012, and is also an Operating Partner at Bessemer Venture Partners. Before joining Endgame, he was CEO of the Center for a New American Security.
Fick led Marine Corps infantry and reconnaissance units in combat in Afghanistan and Iraq. His book about that experience, One Bullet Away, was a New York Times bestseller, a Washington Post Best Book of the Year, and one of the Military Times’ Best Military Books of the Decade.
Fick has a BA from Dartmouth, and is a graduate of the Harvard Kennedy School and Harvard Business School. He serves as a Trustee of Dartmouth and is on the Military & Veterans Advisory Council of JPMorgan Chase & Co. He is a member of the Young Presidents’ Organization and a life member of the Council on Foreign Relations and Trout Unlimited.
.. covers cyber-security for The New York Times. She is the recipient of several journalism awards including best technology reporting by the Society of Business Editors and Writers. Prior to joining the Times in 2011, Perlroth covered venture capital and start-ups for Forbes Magazine.
She is currently at work on a cyber-security book, This Is How They Tell Me The World Ends, for Penguin/Portfolio. Perlroth is a guest lecturer at the Stanford Graduate School of Business, has a BA from Princeton and an MA from Stanford.