The Logic of Deterrence in Cyberspace: a conversation between Ted Koppel and Keith Alexander
Ted Koppel interviewed former NSA Director General Keith Alexander (US Army, retired) about the current state of cyber conflict. Koppel opened their discussion (after some graceful words from Alexander complimenting Koppel's book on the cybersecurity of the electrical power infrastructure) with a question about attempts to influence the upcoming US elections.
Attribution and imposing costs: when is it dangerous to "look like a bunch of wimps?"
"We are at the moment confronting what looks like a cyber assault on our democratic processes," Koppel said, observing that Vice President Biden has said, in effect, that this will not stand. "If we are really going to do something, would we talk about it? And politically, don't we look like a bunch of wimps if we don't take credit for what we've done?"
Before we even consider doing something, Alexander replied, we should be sure we have a defensible architecture. "Before we throw rocks, we should be prepared to receive rocks. We're not prepared." That can be fixed—Alexander thought under the right circumstance, such preparation might be achieved within two years—but there are tremendous obstacles to doing so, and the solution to overcoming those obstacles is political, not technical. As far as wimps might be concerned, we've got to be, Alexander said, "wise wimps," and he added that when you see National Security Council debates on topics like this, US national leadership actually works quite well. Deliberations in matters like this include considerations of what happens if the adversary responds, how we might then respond, the laws that constrain what we might do, and the circumstances under which one might go from a cyber to a kinetic operation.
After chiding Alexander (in a matey way) for not answering his question, Koppel posed it again. "We are arguably the most vulnerable nation in the world in that we are about as dependent on the Internet as any country in the world. You're saying, yes, we could come up with a defense, but we face political problems. You told me, absent those political problems, it would take us a couple of years to prepare ourselves." Since Moscow and Beijing know this, what might we expect them to do? To this Alexander answered, alluding to the previous day's Mirai-driven denial-of-service attacks, "I can't think of any reason for doing what happened yesterday other than as a rehearsal."
Koppel suggested an alternative explanation: "I can. I might want to demonstrate how costly Vice President Biden's reprisal might be." "Good," Alexander replied, "maybe closer to the truth than what I said. But they would want to know that what they did could work. Russia or anybody else learns by doing." But Koppel's question remained: if you're an adversary of the United States, and you know we're technically two years away from a viable defense, wouldn't understanding that vulnerability be likely to provoke action of some kind?
Alexander thought that wasn't necessarily the case, because one could also respond in other ways. Attribution is difficult (although we're getting better at it). The world is fragile, and the US owns perhaps 40% of its infrastructure, "which gives us a lot of baggage." Countries like North Korea, he said, effectively have nothing to lose. But Russia sees our vulnerability as an opportunity to make us stop and think before we take other options. "If Russia goes into Eastern Ukraine, we'll be put on notice with increasing cyberattacks."
Demonstrations of cyber power.
Koppel asked if the Ukrainian power grid hack was a demonstration for our benefit. Alexander thought not, at least not primarily—it was an action directed against Ukraine. "But it also showed the world what was possible." It highlights the problems we would face, and our system is more automated than Ukraine's.
Turning to politics, Koppel said, "When you talk about the theoretical possibility of creating a defense in two years, I know the electric power industry would prefer anything to re-regulation." If you look at the legislation concerning the power grid that passed the Senate, that legislation calls for the power industry to share information with the Government. And industry would get to scrub that information before passing it on to the Government, specifically to the Department of Homeland Security, which before sharing it further would also get to scrub those data. Only then might it get to NSA. "We're dealing with a style of warfare that happens in microseconds, but have created a system that puts days in place before the agency that can do something about it gets it." What, he asked Alexander, makes you think you can get that solution through?
Alexander didn't think it would get through. "We don't have a snowball's chance. Nothing is too hard for those of us who don't have to do it. But I do think it's technically achievable." It's difficult to build a policy that embodies understanding of how we'd actually fight in this space to defend the country. Consider an analogy with radar, he suggested. Would we not share data among radars because we were afraid it might contain PII? "Absurd." But it would take a major attack to change this mindset. One of the issues on the table is privacy, but, Alexander said, "The facts about this aren't on the table."
Koppel quoted former Homeland Security Secretary Tom Ridge as saying that we're a reactive society. We haven't yet reached a point at which we're willing to react, in spite of the fact that our news media carry stories of cyber threats every day, and that we can see a cyberattack as an existential threat to the United States.
"I believe that when a nation prevents us from doing something somewhere in the world because of a cyberattack, then we'll have to take a step back," Alexander said. A nation state will go after a nation state by going after a combination of sectors and governments. Those who wish us harm could do us far more damage than we've seen. We don't really believe this, however, because we've never seen it happen.
Has the memory of 9/11 distorted our thinking?
"We're prisoners of our emotions," Koppel agreed. "We're more invested in the notion of a repetition of 9/11. Dreadful as that was, no politician is able to go out and say we're confronting potentially something in the sphere of cyberwar far worse than anything we've seen in conventional terrorism." We have some 3200 power companies. The big ones are investing a lot in cybersecurity, but they're part of a network. "If you can break into the small ones, you're in. They're in. They're there. It's only a question of what's going to provoke them into doing it." If they know we're on the verge of a truly viable defense, doesn't it make an attack more likely rather than less?
Alexander still disagreed. "I don't think so. If Russia goes into Eastern Ukraine, they will want to limit US sanctions. They see this as an option short of physical war. If sanctions are raised, we'll see more attacks. And we're not ready. The adversary will look at the tools and craft its campaign accordingly. Russia is interested in Eastern Ukraine. In the next four months, the question will become, what's your move? What will you do? That's a tough issue." But even given this, he believes the National Security Council, the Intelligence Community, and the military will work through the options and think their way through this. "But the issues we put on the table with cyber are ones most people don't really believe will happen."
"Do you believe it will happen?" Koppel asked. Alexander answered, "I do."
If you believe we'll receive a devastating attack, how should we prepare?
Koppel agreed, and then followed up with questions about preparation. "Would it not be a prudent interim step for the Federal and state governments to do a few prudent things, among them establish a sufficient food supply? Do we not need a plan understood by the states, that urban populations could be moved to rural areas prepared to take them in? A six-month supply of freeze-dried food? At the moment, we don't have a plan. DHS doesn't have it, and FEMA doesn't have it," although FEMA has plans for hurricanes and other natural disasters. Given what Koppel takes to be the real possibility that significant sections of the country might be without electrical power for one, three, or six months, doesn't it make sense to have such a plan?
Alexander thought we should indeed plan. "It's almost a cost-benefit set. The urbanization of the world creates huge problems you've just laid out. What happens if a city goes dark, and eight million people don't have water? That planning process is important."
Koppel summarized their discussion. "Theoretically we could develop an adequate defense against cyberattack within two years, given the money, will, and authority. Can it be done without the absolute cooperation of private industry?" Alexander's answer was a simple "No." He thinks that key players want this risk off the table. "The financial sector is already there." The issue that complicates the problem is the divide between Silicon Valley and our Government over civil liberties and privacy. "We've got to educate people how you can protect these and also protect the country. And this same program could and should be shared with our allies."
A failure to communicate the threat of thermostats.
Koppel concluded by observing that the argument he heard earlier in the day over the Vulnerabilities Equity Program exemplifies the problems we face. One of the biggest of those problems is communication between the cybersecurity operators and the rest of the country. "We don't understand what you're doing. We don't know how and why we're supposed to do things. That attack yesterday, what did they use? Thermostats." His final plea was, "Learn to talk to us."