Paul Scharre and Richard Fontaine of the Center for a New American Security discuss Sen. Mark Warner’s, D-Va., call for a national cyber strategy with Defense & Aerospace Report Editor Vago Muradian at the think tank’s headquarters in Washington, D.C. The interview followed an address by Warner calling for a national cyber strategy — https://www.warner.senate.gov/public/index.cfm/blog?id=34CAC7A3-7E87-405D-A38B-D73156C8C907.
Richard Fontaine
Paul Scharre
Center for a New American Security
December 2018
Vago Muradian: Welcome to the Defense and Aerospace Report. I’m Vago Muradian here at the Center for a New American Security in Washington, DC after a fascinating panel discussion on cyber security and U.S. cyber strategy. That followed an address by Virginia Senator Mark Warner who is the Vice Chairman of the Senate Intelligence Committee, and joining us are Richard Fontaine who heads the Center for a New American Security and Paul Scharre who, a veteran, a Special Operator, who also heads the Defense and Technology program here as well.
Richard, let’s start with you on what you saw to be some of the key takeaways from Senator Warner’s speech. He was basically driving home the message that this is a lot worse than people think and why it’s imperative to take action, and I think he outlined sort of five actions at the end of the day.
Richard Fontaine: The first I think consequential point was the call to arms that he offered. He pointed out that we don’t need to wait for the cyber Pearl Harbor the cyber 9/11. This kind of thing is happening every day, the kind of interference that we saw certainly in the elections in 2016, but also the hacking and disinformation campaign that are going on in many spheres of American life. I think he offered a pretty comprehensive and thoughtful set of responses to it that ranged from imposing specific costs and announcing that specific costs will be imposed in response to unacceptable activities, to the building of norms, to what Congress’ role should be and leadership and everything else. It was a pretty expansive view, but now someone’s got to actually execute against some of these things.
Mr. Muradian: Paul, what were some of your takeaways?
Paul Scharre: To me, the biggest point he made that I think captured the overarching problem here is this idea that we have 20thcentury institutions trying to grapple with 21stcentury threats. He talked about how we’re got a $700 billion defense budget next year and it’s going towards things like short range fighter aircraft and aircraft carriers and ground troops, and meanwhile we have Russia and now other countries following suit that are going around all of this hardware, going all over military strength, to basically attack the central nervous system of American democracy.
Our discussions around our elections, our political processes is a huge problem and we’re not positioned to respond. We got rid of the U.S. Information Agency. Now whose job is it in the U.S. government to give warning to the American people that there is a Russian propaganda campaign underway and to counter that? Right now it’s nobody’s job, so no one’s doing those things.
So we have a huge gap in terms of our ability to respond.
I am encouraged that we can effectively adapt. We did this after 9/11. We built an extremely effective terrorism-fighting apparatus that gutted al-Qaeda. We are able to respond as a government. We also have to work with the private because of huge problems in not just the actual platforms on social media where this is being propagated, and we’ve seen the social media companies, they are responding, they’re finding ways. They’ve been criticized I think fairly for being slow, but they are now trying to find ways to respond and are doing things to crack down.
But also just basic cyber security hygiene. He talked about billions of IOT devices that are going out in the market that are hopelessly insecure and we can’t live in a world where we have all the digital technology that’s proliferated, that’s being worn on our bodies, that’s in our cars, that’s in our homes that’s insecure. There are huge costs to that. So there’s got to be a better effort underway between tech companies and the government to work together to try to solve some of these problems.
Mr. Muradian: One of the things the Senator said, when it comes to retaliation, we could turn off the lights in Moscow but that’s not going to be as bad as Moscow turning off the lights in New York City, for example. One of the other points that he made was, which I thought was sort of interesting, the forging, the video and audio forging technology that exists right now. If you put out a video, you combine that with a cyber operation, with the disinformation, that then ends up being particularly destructive.
One of the other things he pointed out, though, was that the response to this has to be an interagency response and it has to be led by the White House. There was a lot of criticism when the cyber czar that existed on the National Security Council went away.
Richard, talk to us a little bit about sort of what’s the way ahead here, if you have a President that’s very resistant, looks at the Russia investigation and all of these investigations as either witch hunts or something that doesn’t warrant any sort of White House response. The agencies are trying to do it on their own. Lawmakers are looking at trying to do a way forward. What’s the way forward absent some sort of high-level presidential involvement and engagement to bring the entire United States government together and then bring our allies together in what will have to be an allied response at the end of the day?
Mr. Fontaine: You certainly are going to need presidential leadership and presidential decisions on a number of these things where if we’re going to conduct, for example, offensive cyber operations against another country then only a certain amount of that decision-making is going to be delegated under any administration.
The whole issue of the cyber coordinator and before that the homeland security and cyber counterterrorism advisor and who reports to who in the White House has been tricky from the very beginning of this administration. They need to get through that. It’s not hard to figure out. Some decisions do need to be made and they do need to have someone who’s pulling all the threads together in the interagency because so many of these responsibilities are absolutely sprawling. If there is some sort of compromise, some sort of attack, by no means do we need to respond with a cyber effect ourselves. That means the Department of Justice has a role, the intelligence agencies have a role, the Treasury Department has a role in terms of sanctions and these other things. Someone’s got to pull all this together.
And then of course the international piece. One of the things that struck me in Senator Warner’s remarks was his emphasis on allied cooperation on this, and I think it’s absolutely right. When our elections were meddled with in 2016, it’s been considered an American problem, not a NATO problem, not an allied problem. When Australia has had intrusions by China in its democratic practice it’s been seen as an Australian problem. France had the same thing before its elections, so a French problem. But there’s nothing that is as core to the practice of democracy than these kinds of activities and this is a direct threat and it should be seen as a combined one and deserving of combined responses.
Mr. Muradian: What do you think a deterrent architecture needs to look like? One of the things the Senator rightfully gave credit to the administration for was devolving response authority, offensive response authority from the White House down to the services. Secretary Mattis has discussed that a little it insofar as he can.
But talk to us a little bit about what kind of deterrence architecture does the United States and its allies need? Because Paul wisely said that when you say norms and rules of the road, the norm is that the United States is vulnerable and there’s no repercussion to attacking the United States. So what do you think that architecture needs to look like as you would imagine it if you were back in your senior staffer guise, trying to engineer this from a senatorial perspective?
Mr. Fontaine: Deterrence is only going to work if the perceived cost is higher than the perceived benefit. Right now for almost all these activities the perceived benefit is higher than the perceived cost. So that equation has to be fundamentally changed. You can do that in a whole variety of different architectures, but the output has to be specific costs imposed in response to specific activities over time, and threatening specific costs for specific activities so that the adversary who might want to do this, who’s making the cost benefit analysis says, you know, A, it might not work because their defenses were higher now than they were in the past; and two, even if it does work I know that they’re going to come after me and impose costs higher than what the benefit’s going to be.
So the architecture, you can play around interagency wise and other things like that, but I don’t know that we have intellectually within the administration or even in Washington more broadly made a decision that we’re not going to let certain things stand without a response. And that’s where we need to get to.
Mr. Scharre: You also sometimes hear from people that deterrence doesn’t work in cyberspace because you’re so entangled with day-to-day operations. I think deterrence is absolutely a real thing in cyberspace. We are deterred. We have been deterred from responding to some of these attacks on American democracy because of concerns about how that might escalate, how Russia might respond against some of our critical infrastructure.
So deterrence is a very real thing. What’s missing here is not declaratory policies, it’s not more statements, more talk. What’s missing is action. What is the price that Russia paid for interfering in the U.S. elections in 2016? Very little. Very little price. Right?
Words are only effective so much as they are tied concretely to actions that are seen as credible. So the first thing needs to be that we need to show others that they pay a price. They need to see real costs, real consequences for interfering in U.S. democratic processes and institutions, and I don’t know that more threats alone, if they’re not tied to concrete actions that we actually take that we show that we are willing to take actions that are frankly mutually painful to respond, then people aren’t going to take us seriously.
Mr. Muradian: Carrie Cordero, one of your colleagues, and Ely Ratner also was on the panel, so it was an all-star, all CNAS panel. You even came off the bench and joined us, so thank you, from your lofty perch running this great institution. But one of the things Carrie said which was really compelling is had Chinese forces come up Pennsylvania Avenue and up Constitution Avenue and arrived at the Office of Personnel Management and started offloading thousands of boxes full of information and loading them up on flatbed trucks and trucked them off, we would have responded. And yet the OPM hack was exactly that. Right? We’ve had Chinese and Russian cyber forces and other people’s cyber forces who dwelled in our networks for extended periods of time.
What is it going to take to get that dynamic to change and to get serious about it? Just very recently the GAO found that the most advanced modern weapons are actually cyber compromised in a lot of ways. That password protections are very, very weak.
What sort of approach do we need to take and what needs to happen for people to take this remarkably as seriously as they should?
Mr. Fontaine: One, I think you have to start by recognizing that at least now and for the foreseeable future there is a psychological difference between things that are accomplished through cyber means and things that are accomplished through more traditional sort of kinetic means, right? So it is the position of the U.S. government that if a nation state were to conduct through cyber means some sort of activity that would be damaging enough that otherwise we would consider it an act of war, it’s an act of war like anything else, but you really think about this.
So let’s say the electricity grid in some portion of a state went off and it ended up resulting in deaths and horrible things through some cyber hack, that would be very, very bad. But now imagine that was actually done by a country flying planes above and dropping bombs on those very things and having exactly the same sort of physical manifestations and costs. The country would react completely differently. It is a psychological difference.
I think part of this is, cyber things are unseen, and there just is a human difference. The other thing is, this is new and you have to, I think as Senator Warner I think was trying to do, educate people about what the implications of this are going to be as an ever-greater percentage of human activity is mediated through and connected to internet connected devices. The vulnerability goes up and the potential cost associated with attacks through those means go up. It’s just something that I don’t think emotionally we’ve really internalized yet.
Mr. Scharre: I think Richard’s right, that he points out that what’s happening in cyberspace doesn’t fit our concept of what war is, or conflict, or what an attack is.
When I look at that, I think it’s 100 percent right and I see it as part of a pattern within the U.S. defense and military community when we keep seeing people do things that’s also not war. It’s irregular war. It’s asymmetric war. We have this very narrow concept of what warfare is or what conflict is.
I don’t know where that comes from. Maybe we all watched too many World War II movies and we’re stuck in this very specific paradigm of conflict that at one point in time was between organized nations who fought on a battlefield and they clashed with arms and there were bombs and —
Mr. Muradian: They followed the rules.
Mr. Scharre: They followed the rules, right? And this is like an over-used metaphor, but we’re complaining that the dog shouldn’t be allowed to play basketball instead of trying to figure out how to stop the dog from dunking on you, right? That’s where we need to focus our attention. Whatever you want to call it, we need to be responding. Part of it is increasing our own resilience and shoring up these vulnerabilities. Because that’s what is deterring us from responding in many cases, is our financial systems, our electrical systems, our weapon systems are all vulnerable to cyber attacks. So it’s got to be part of the equation, is that we’re shoring up our own defenses that then allow us to be able to respond to others.
Mr. Muradian: And the Gerasimov doctrine, right? Gerasimov is the head of the Russian General Staff and really an innovator in warfare, a couple of years ago said hey, the nexus of cyber and hybrid is where we’re going to go because you guys really have a lot of the conventional power superiority.
Let me ask you about the 2015 agreement, and maybe that’s the last question.
The last administration was criticized for not being as forward leaning or as aggressive. On the other hand, they struck an agreement that the threat of sanctions drove China to a negotiating table and actually worked relatively well.
Talk to us a little bit, Paul, about that incident and what it tells us, and how the United States has to make perhaps a more thoughtful link between cyber, military power, but also economic and diplomatic power in order to drive certain outcomes. Because we have set global rules of the road, even if you stand on the wrong side of an escalator sometimes, generally there are global rules of the road on that.
Mr. Scharre: I’ve got to give this administration credit that they understand at least intuitively these concepts of coercion and deterrence and going to the pain. They’re doing this on economic issues, right? They are doing this with trade conflicts and a trade war and tariffs with China. We’re not seeing this particularly with Russia in the cyber domain. So they’ve been shown in other areas that they’re willing to go to the pain. They’re willing to cause mutual pain if somebody doesn’t reach an agreement and change their behavior. Which I think in the case of working with China on trying to rectify some of the IP theft and other issues we’ve seen from China, that’s right on. But we need to see that same level of aggression with Russia and we’ve certainly not seen that to date.
Mr. Muradian: Richard?
Mr. Fontaine: The original problem, and it’s continuing with China, is that the U.S. position is that it’s legitimate for spies to steal secrets from companies and give them to their governments for intelligence purposes so that they sort of have a broader set of insights into what’s going on. But it’s illegitimate to give those same stolen secrets to companies for a competitive advantage, and the Chinese just don’t accept that dichotomy. They just don’t. And we’re not going to persuade them any time that they should accept that dichotomy. If they ever do, they will make it based on their own calculation of interest.
So what the Obama administration did in 2015, I think, is to stop trying to persuade them that they should see the light. Instead said we understand what you’re doing. This is our top priority in bilateral relations with you right now. This has got to stop. And if it doesn’t here are the things we’re going to do. And despite skepticism by many including me, it seemed to have an effect.
Mr. Muradian: That was a very large Chinese delegation that arrived in Washington.
Mr. Fontaine: It was. And I think they got the message, and by all accounts they responded.
But part of this is in setting priorities. For the Obama administration they made clear in 2015 this was number one. Our Chinese friends will listen to priority number one, a little bit less to priority number two, and a little bit less at three, and then you’re basically out of steam. Right now, at least as far as I can see, the number one priority is the trade deficit with China and market access in China. It is not theft of intellectual property and giving it to companies for competitive advantage. So you are likely to see China move on trade deficit issues rather than the issues that were more important in 2015. And until we reprioritize things I think that’s just going to be the way it is.
Mr. Muradian: And you don’t think that even pressure from the legislature, I mean Senator Warner said that there is, for example, on election hacking there’s a lot of support. He thinks he can get 80 votes, if I recall correctly. He’ll get the House, which is Democratic at this point. Do you think that Congress can lead on this? Or absent the President it really does stall?
Mr. Fontaine: Election hacking I put in a different category because the President has, obviously, some authority but not full authority. So much is done at the state and local levels or through the media and so forth. I think Congress actually can play a pretty major role.
When you’re getting into the shadowy world of stealing corporate secrets and who you give them to or who you don’t give them to, I think the legislature’s ability to manage that process is pretty circumscribed. It’s got to be seen as an executive branch, really a presidential priority, and understandings given at the presidential level.
Mr. Muradian: Let me ask you one last question before we go, and that is how much will this cost? We have time and again looked at, people were discussing fire standard safety, right? Here are X hard cyber security standards we need. And there was a lot of hemming and hawing, well, that’s too great of a penalty on companies, especially small companies. That’s going to be a burden. Let’s not be directive. There’s big brother again, or you know, sort of a nanny state being involved.
But at the end of the day we’ve found that if the government doesn’t set standards on this we wouldn’t have seat belts and we’d be burning alive in our beds still because of something as simple as a smoke detector.
I know you’ve looked at some of this, Paul. Is there a number, is it a $10 billion cost? A $20 billion cost? What do we have to do at this point and what is it likely to cost? And Senator Warner made a really great point, that for the cost of one F-35 Russia effectively undermined the elections of the United States, Brexit, as well as got involved in the French election. For the price of one F-35 fighter, which is coming down, by the way. I think the program office would like everybody to know
But what would the cost of this be? Because it’s a relatively inexpensive investment that’s driving some very large outcomes at the end of the day?
Mr. Scharre: I think it’s actually the wrong question, Vago. To me the question is, people have been framing it that way. People have been saying we could do more cyber security but there’s a cost that’s going to hold back industry. The question to me is, what is the cost of cyber insecurity? And we actually are seeing that cost now, when we see data breaches, when we see intellectual property theft, we see people’s personal data being exposed. That cost is massive. And the real challenge here is aligning those who are empowered to establish better security with where these costs fall. Because right now if there’s a data breach ad your personal information gets exposed you pay the price, but you can’t actually fix that security. Right? You can’t better protect the data [inaudible] of Equifax or OPM or Facebook or someone else.
So we’ve got to better align incentives with industry to make sure that those who can do better security are the ones who actually are going to do that and are investing in doing so.
Mr. Muradian: Paul Scharre who looks at the nexus of defense and technology; and Richard Fontaine who heads of the Center for a New American Security. Guys, thanks very much. Fascinating discussion, and we hope that someday, 20 years from now when people look back they’re going to point and say it was a CNAS that Mark Warner laid the chips down. Guys, thanks very much.
Mr. Fontaine: Thanks for having us.
Mr. Scharre: Thanks so much.
30
