Following the Atlantic Council Cyber Statecraft Initiative’s excellent panel on “Lessons From Our Cyber Past,” the panelists and attendees engaged in an insightful discussion on history, technology, intelligence, and cyber. The discussion was moderated by CTOvision editor and Crucial Point LLC CTO Bob Gourley, who also has extensive cyber intelligence experience as the former Defense Intelligence Agency CTO and Director of Intelligence (J2) of Joint Task Force Computer Network Defense (JTF-CND). The panel was filled with a diverse group of cyber and intelligence veterans with unique perspectives. The panel consisted of Rear Admiral Samuel J. Cox, Director of Intelligence (J2) for US Cyber Command, Matt Devost, President and CEO of FusionX with decades of experience as an intelligence and security entrepreneur, Jason Healey, Director of the Cyber Statecraft Initiative and former Director for Cyber Infrastructure Protection at the White House, and Sean Kanuck, National Intelligence Officer for Cyber Issues.
Gourley began with his own question for the panelists. Can we meaningfully explore the history of cyber in an unclassified way? Jay Healey, who is currently the lead investigator for the Cyber Conflict Studies Association’s cyber history book, thought you could. Right now so much information comes from the private sector, and hence is unclassified. Today’s model of cyber information sharing relies on the private sector to provide the intelligence, as it is typically their networks and infrastructure that comes under attack. In the theoretical division of labor, it is then the government’s role to solve the problem, but in practice, it has always been the network owners and private companies that take action, suggesting that the relationship should be reversed. As it stands, classified information isn’t terribly important as it stays within the government anyway. Devost added that while classified information is valuable and government agencies should be studying that history themselves, we can still form a cogent story without it for the private sector. Sean Kanuck noted that the unclassified parts of the story are typically the most important. More critical for the full story is including two kinds of cyber analysis that work best together: the forensic, which is done both by government and industry, and the analytic, which can determine why the attack occurred and is performed by the intelligence community but also by business intelligence. RADM Cox answered that while the classified aspects of history are required to get the full picture, the account without them can still be a useful and accurate one.
The first comment from the audience was that when we study history to understand cyber, we should go back even further, which led to a discussion of valuable historical works that can inform intelligence. Some suggested reading from audience members and panelists included Machiavelli, Alvin and Heidi Toffler’s War and Anti-War, the 1999 Chinese PLA manual Unrestricted Warfare, international law and humanitarian law textbooks, and The Victorian Internet, which explores the first cyber attacks and cyber espionage using telegraphs.
An audience member then asked whether CYBERCOM has the necessary authority to use its tools. Currently, the administration says that war powers don’t apply to cyber as we are not actually sending troops into hostilities. While this is far from a new concern, there is still work to be done on this subject so that decisions about authorization can be made at a rapid pace.
Another audience member asked for declassified examples of cyber intelligence victories and failures. Devost was able to come up with several private sector wins from his time as a consultant such as with iDefense, which got an early warning of an incoming cyber attack and sent it out to its customers. Jay applauded the question, as he thought we needed to hear more about “cyber Midways,” where intelligence turned the tide, not just “cyber Pearl Harbors.” Among his wins, Jay recounted his time with Goldman Sachs where, knowing that physical protests beget cyber attacks, he predicted a string of attacks on banks after a 2002 “Day of Action.” As an example of a loss, he mentioned the attacks against Estonia, which were a surprise despite ample warning and physical protest. Jay noted that most major attacks can be predicted like Estonia, with a cyber component on top of physical upheaval, rather than by PhD’s examining 1′s and 0′s. Sean answered that every time the government finds a threat through all-source intelligence and warns the private sector, that’s a win for intelligence, but a failure was insufficient work on education and awareness, allowing for rampant phishing and unpatched vulnerabilities. Sam Cox added the Defense Industrial Base pilot, where the government shares cyber threat data with a select group of contractors, to the list of intelligence successes.
The next question was on the roles of human and technical intelligence for cyber. Sean Kanuck pointed out that cyber is adapting to Big Data and TECHINT now relies not just on data but meta-data, and meta-meta-data. Jay said that the best source for intelligence on cyber attacks is the foreign press, as it allows you to see who’s angry, who’s making threats, and who’s getting ready to do something. Matt Devost mentioned tremendous recent gains in TECHINT but reminded the audience that they don’t diminish human intelligence and human analysis. Because the opponent isn’t a 1 or a 0, intent matters. Bob added that the two work best together, and noted that we’ve also been known to turn foreign assets as a source of HUMINT.
Lastly, an audience member asked if openly discussing cyber attacks and espionage by China and Russia has made a difference. Bob used the historical analogy of the Soviet Military Power declassified periodical that was put out to deal with the open secret that the Soviet Union had nuclear weapons. We need a similar declassified information source that we can give to the press that explains what the threat is, who is behind it, and what we need to know. Jay Healey pointed out that with China, our conflict isn’t spy versus spy as with the KGB. Rather, it’s non-state groups, and more of a crime than a counterintelligence issue. Matt pointed out that now, with the perpetrators of attacks against the U.S. out in the open, the next step is establishing norms and a common understanding that such behavior is not ok.
The panelists concluded the event with some final thoughts. RADM Cox noted that the “global cyber arms race” was greatly exaggerated, as actors with the capability to develop sophisticated malware have already been doing so. He also warned of applying the term “cyber attack” sloppily, as most so-called attacks are exploitation and espionage. Sean Kanuck called for a broad societal discussion of cyber that involved physical, technical, legal, and other aspects. Matt Devost added that the study of cyber was multidisciplinary, and required thinking not only of the future but also the far future. Bob Gourley closed the event with hopes that the new crop of policymakers will be better informed about cyber history and that, as intelligence is about the threat, cyber intelligence must be about penetrating the threat and getting that information out to the decision makers.