Bonus: 2023 Cybersecurity Canon Hall of Fame inductee: "The Hacker and the State" by Ben Buchanan. Interview with Andy Hall.
Rick Howard: You're listening to the 2012 song, "Hall of Fame", by The Script and will.i.am, which means it's that time of year again. The Cybersecurity Canon committee has announced the Hall of Fame inductees for the 2023 season to coincide with the RSA Conference, and I got to interview the winning authors and Canon committee members who recommended the books. As you all know, N2K and the leaders of the Cybersecurity Canon project team up each year to highlight this valuable and free resource for the entire InfoSec community to find the absolute must-read books for the cybersecurity professional. And the first book we're going to talk about, the first inductee into the Canon Hall of Fame this year is "The Hacker and the State" by Ben Buchanan. So hold on to your butts.
Unidentified Person: Hold on to your butts.
Rick Howard: This is going to be fun.
Rick Howard: My name is Rick Howard and I'm broadcasting from the CyberWire's alternate Secret Sanctum Sanctorum Studios located underwater somewhere along the San Francisco Oakland Bay Bridge in the good ol' USA Today. And the interns can't be more ecstatic for this change of venue. Hey, hey, hey settle down back there. This is only temporary. It's back to the Baltimore underwater lair next week.
Unidentified Person: Oh.
Rick Howard: You don't want to give them too much hope. And you're listening to "CSO Perspectives", my podcast about the ideas, strategies, and technologies that senior security executives wrestle with on a daily basis. Before we get started, the CyberWire will be out in force at the RSA Conference this year. Dave Bittner and crew, including me, will be hanging out at the Marriott Marquis hotel, second level, Foothill H Boardroom. If you're in the vicinity, stop by. If we're not doing a live interview, we would love to see you. As for me, I'm giving a presentation on Wednesday afternoon, 26th April at 2:25 p.m. called "The Emperor Has No Clothes About The Evolution And Current State of the CSO Position" with my pal, Todd Inskeep. And immediately after, I'm signing copies of my book, "Cybersecurity First Principles: A Reboot of Strategy and Tactics", at the conference bookstore in Moscone South from 3:30 to 4:30. And speaking of books, if you're looking for your next cybersecurity book to read, besides mine, of course.
Unidentified Person: Oh, yeah.
Rick Howard: Members of the Cybersecurity Canon committee will be at the bookstore Monday, Tuesday, and Wednesday from 2:00 to 3:00 p.m. to help you decide your next most favorite read. They can point you into a direction to match your interests. So with all those announcements out of the way, it's time to talk about the book. The reason that I'm not talking to Ben Buchanan about this book, "The Hacker and the State", is that between the time that he published it in 2020 when he was an assistant teaching professor at the Georgetown University, Walsh School of Foreign Service and the time that Canon committee selected it for the Hall of Fame, President Trump tapped Ben on the shoulder for a cushy government job as the assistant director of the White House Office of Science and Technology. And then President Biden asked him to stay on as the director of Technology and National Security on the National Security Council at the White House. He's a busy guy. And because of his position, he's not allowed to talk about his personal projects like writing this fantastic book while he's serving the government. So I asked my good friend, Andy Hall --
Andy Hall: Hi, my name is Andy Hall and I'm an associate professor at Marymount University in Arlington, Virginia.
Rick Howard: -- to help me out.
Andy Hall: I have been at Marymount for three years and I am a Canon committee member and I've been with the cybersecurity command in for about five years.
Rick Howard: As Andy said, he's a veteran Canon committee member, but he's also a retired US Army colonel. And in his last army job, he was the director of the Army Cyber Institute. I started out by asking him why Ben's book, "The Hacker and the State", is a Cybersecurity Canon Hall of Fame inductee. Andy, I have to admit when the committee selected this book to be inducted into the Cybersecurity Canon Hall of Fame, I was a bit skeptical. I hadn't read it yet, but my first and admittedly shallow thought bias was something along the lines of, what can a policy wonk like Ben Buchanan know about cybersecurity? How is what he brings to the table going to be useful to a general purpose security practitioner? So I immediately dove in and then I couldn't put it down. I finished it in like three days and was completely blown away by how good it is, how valuable the information is for all cybersecurity practitioners, which is the mandate of the Cybersecurity Canon project to find the best books about cybersecurity that applies to everybody in the field. So before we get into all the reasons that I think it's good, let me ask you, what makes "The Hacker and the State: Cyber Attacks and the New Normal of Geopolitics" a Cybersecurity Canon Hall of Fame book?
Andy Hall: I think that the fact that it does come from the perspective of the policy wonk helps us, as a cybersecurity professional, understand the community we're communicating to. And there's many things in this that, as you said, are really interesting. There's some unique perspective. But I think that it provides an overview of what the others in -- that are just outside of our community but looking over the fence at us think about the work that we're doing. Well, I really -- I do think that the information where it talks about the role of geopolitics, it's important to understand how we fit into that part of what can happen on the global stage.
Rick Howard: Oh, well, you and I've been doing this for a long time, right? And clearly, half of our time is spent on thinking about nation state cyber adversaries. And I think Ben's book here gives us a frame to, you know, think about what those organizations are trying to do. There's a concept that Ben -- is a kind of a theme through his book. He talks about political statecraft in how you influence your enemies, your frenemies, and even your allies. And he talks about it in terms of signals and shaping. Can you talk about what the difference is between those two?
Andy Hall: Well, when you're thinking about signaling, signaling kind of goes back to the notions that we had from the brinksmanship or from the nuclear warfare kind of Schelling's ideas, where you're taking a look at game theory and you're kind of trying to show a move. And so you often want somebody to know your opponent, to know what your strengths are and you want to be able to signal to them that the -- you have the ability to do something. Whereas when we take a look at something like a shaping operation, you -- you're actually trying to get some sort of an actual effect. And who did the shaping is not as important as was signaling. If you don't know who did the operation, it's very hard to signal any strength. Whereas with the shaping operation, trying to change some element of the environment. And so you get slightly different ideas out of the two. There's some competition between signaling and shaping. And some of the other parts of government are very interested in being in the shadows and other ones want to be forward. The standard military-type activity of deployment where you send planes full of soldiers, you put boots on the ground, so to speak, is a -- can be a clear signal that you have the ability to do it, especially if you're doing something that is an exercise. But -- so -- that being able to do that is a signal. But then if you take a look at when you're actually trying to have an effect, something like when you put the 82nd Airborne Division in the desert, you could also say that that was a shaping operation that they were actually taking effect. So when you look at our cyber operations, you try to figure out whether what we are doing is shaping the environment. And I think you can argue that that's easy to do. But the signaling where you're trying to show somebody your strength, that becomes really hard.
Rick Howard: So it's really a difference between what, you know, spies do versus what statesmen do, you know, international negotiators. And Buchanan likens it to a poker game. He says that signaling is kind of hinting at the card you have or maybe, you know, on a fake that you have, that's a signal. But if you're trying to influence the game in a different way, you might steal an opponent's card or you might have a trick deck or, you know, put an extra Aces in the deck. OK, that's shaping the environment so you can win. And I liked those two ways, but he says that politicians have been using -- have been trying to use offensive cyber to do both shaping and signaling. And his whole thesis is it's pretty -- it's probably not that good for signaling but really good for shaping. Is that what's your understanding of the book is, too?
Andy Hall: Yes, that's right. And his argument even in the conclusion, he tries to stomp his foot that it's not working for signaling.
Rick Howard: So can we play devil's advocate about that? Because the one signaling operation I thought was very effective was the Russian cyber offensive influence operations against the US presidential election in 2016, right? The -- talking about signaling that you are very good at what you can do and making everybody afraid of it. How is that not a success story for the Russians in a signaling type of way?
Andy Hall: Because there's this notion of the bluff, like you said, with the card game with regard to signaling. And I think that that's where -- when you take a look at the entire Russian operation, they were definitely trying to shape the environment. And I think that any signaling was kind of a byproduct. You look at the way that the operation went. There were several times when they were quiet, several times when they were loud. But I don't think that there was any activity that they were hoping that the United States would take as a regard to a signal. I think it was just -- they were looking to cause chaos.
Rick Howard: Yeah, that could be. So you say it wasn't their primary mission to signal, but it was to shape it and cause confusion. That was the primary directive. Is that what you're saying?
Andy Hall: That's what I think.
Rick Howard: So let's be clear about what's going on here then, right? So when you're shaping, that's nation state activity stealing intellectual property or destroying critical infrastructure. It's those kinds of things, not hinting about what you're doing but actually trying to do things that will improve your view of the world. Is that right?
Andy Hall: That's right. I think that when you're signaling, you're trying to show strength to influence your neighbor. And if -- there's this notion that you're not using it. So in the nuclear weapons type idea, you have a signal of strength, but you're not actually using it. And so that's kind of the difference with the cyber operations, you have to use them to shape. And so you can get some signaling benefit from shaping it and saying, "We could do this, this once. You can imagine what we could do in the future." But you have to take the action to shape. I don't think you can just signal.
Rick Howard: After the break, Andy and I will discuss Buchanan's description of what I would call the NSA's underestimated surveillance capability. And the other Cybersecurity Canon Hall of Fame books that complement Buchanan's book. Come right back.
Rick Howard: So I mean, so that's the basic thesis, the book is that offensive cyber is more conducive to shaping than signaling. And I totally agree with that. But I -- what I really liked about the book is there's all these details about cyber operations that we've all heard of that I didn't really know about or at least I didn't remember that I knew about them, right? That -- was that your experience, too, reading the book?
Andy Hall: There were a few new ones that come out that there's quite a few of the topics that are covered, that if you've read Kim Zetter's book on Stuxnet, nothing that he says with regard to Stuxnet is going to be interesting. If you've read "Sandworm", you know, that's got another set of Russian operations that are going to be well covered. And so he does a good job of covering those in kind of a survey as opposed to the deep dive that you get if you read those other two books. And so I guess that's one of the strengths is that it does have several -- he covers quite a few. And he -- quite a bit of it, he does reference popular culture or the newspapers as opposed to just going straight to the Snowden leaks because that's the other thing is that so much of the information that's come out in this era is out of those Snowden leaks.
Rick Howard: I was reading all that when the Snowden leaks happened, you know, just a gust of everything that became public knowledge. But he threw some things in here that, you know, I didn't know, right? And so what I was really fascinated with, one of them was the NSA's man-in-the-middle underwater fiber tapping capability. I guess I knew that they could do that, but it didn't occur to me that it was so extensive. According to Buchanan, not only can the NSA tap into fiber cables, you know, on the ocean's floor, but they have a way to do man-in-the-middle attacks that allows them to steal credentials as those things go across the wire, and therefore have lots of credentials they can use to spy on our frenemies and enemies and all that kind of stuff. I thought that was really interesting. The other one I -- I guess I knew this, too, Andy, but I hadn't considered that the -- there's a really high probability that the NSA can crack the Diffie-Hellman key exchange algorithm. Did you know -- that really surprised me. I didn't think that was possible.
Andy Hall: I don't know if crack's the right word, but I believe that they can crack almost anything. And if you go back to the story of Enigma, that is something that -- which should have been almost uncrackable and yet they were able to come up with it. And so with a Diffie-Hellman and with some of the backdoors or helping create different security protocols, I think that they can make it easier for themselves. But then with the compute power that they have, I believe that they can pretty much solve any -- I think they can pretty much back out any cryptography that'll come out in the future, too.
Rick Howard: I mean, I kind of expected that they had that capability. But I've said, you know, the -- this algorithm, we've all been using now for 20 years to secure our transactions on the internet. I said it must be really hard and it can't be done on a regular basis, but after reading Buchanan's book, I think the odds are that it can be done on a -- routinely by the NSA if they need to get it done. And that was a change in viewpoint from my side of the world. The other thing he does really well, though, is like you mentioned these books that we typically go to to understand nation-state activity. You mentioned Zetter's book, "Zero Day", "Sandworm" from Andy Greenberg. I would add David Sanger's "The Perfect Weapon" as another book that if you put all those three things together, it gives you a very good sense of nation-state capability. I didn't think we would need another one, but I'm going to have to add Buchanan's book to this because it's -- it kind of rounds some things out in language that not very technical people can understand. Would you agree with that?
Andy Hall: I would agree. And the other book, you know, "They Told Me This Is How The World Ends" that was -- that came on at the Canon with this year, also, interestingly, tells a lot of the same stories, but they come at it from a different approach. And so depending on what you're really interested in, if you're interested in statecraft, then this is definitely one that will have some really nice examples for you to use. And the other thing to really think about is that when you -- each one of those other books is looking at a particular singular effect. And see -- so you often don't think about what we're doing. And so when you think of all the allies that we have and the things the United States is doing, I think that Buchanan does a great job of saying, statecraft, espionage, these are things that states have done since the beginning of time. The United States does it. China does it. All our allies do it. And so it's really becomes -- it's a tool. And so when do you choose to use the tool? When do you choose to use the different tools of espionage? And when does these tools go over and cross from statecraft into war? And those are some of the topics that are put in the other books. You know, you can make an argument on whether or not Kim Zetter's book is what should have been considered a story of an act of war. And the same with both Sanger and Greenberg. I mean, those all could be considered parts of war. I think with what you're seeing in the Ukraine, we definitely have seen a lot of cyber activities that led up over the last, you know, 10 to 15 years that kind of brought us to where we are with Ukraine.
Rick Howard: Well, you're right. With those sort of books we've been talking about, Zetter's book gives you a sense of one operation between the US and Israel. With "Sandworm" in the Greenberg's book, that's a Russian operation. With Sanger's book, though, it's more of a free for all for everybody except the US, OK, and then you get a little bit of US activity but not a lot. But in this book, he does cover a lot of what the US has been doing. So now we have a complete picture of the big operators in cyberspace on the offensive side. So that's why I would recommend it to anybody. What are your last thoughts about this book? Well, if you're trying to convince a newbie to cybersecurity, what would you tell them about this book?
Andy Hall: I tell them that it gives them an overview of what is happening across the world, but it also takes off the rose-colored glasses of any -- when thinking that it's only something that other people do to us, but it is a -- it's a tool of statecraft. And that, by means, is that everybody does it. And we hope that -- as American citizens, we'd hope that we do it better than anybody else. But it does give you some glimpses on what he likes to call the home-field advantage. And in the world, the US actually has a home-field advantage vise some of our adversaries.
Rick Howard: That's a perfect way to sum it up. OK. And so I appreciate it, Andy. Thanks for coming on and doing this.
Andy Hall: Well, thank you very much. I enjoyed the time with you.
Rick Howard: That was Andy Hall, currently an associate professor at Marymount University in Arlington, Virginia, and a longtime member of the Cybersecurity Canon committee. I'd like to thank him for coming on the show and talking to us about the latest Cybersecurity Canon Hall of Fame inductee, "The Hacker and the State: Cyber Attacks and the New Normal of Geopolitics," by Ben Buchanan. If you'd like to learn more about this book, as well as all the other books in the Cybersecurity Canon series, surf on over to Ohio State University, the official sponsor for the Canon project at cybersecuritycanon, all one word, .com. And if you're attending the RSA Conference this year, there will be Canon committee members sitting at the RSA Conference bookstore, Monday, Tuesday, and Wednesday from 2:00 to 3:00 to help you find your next best cybersecurity read, which we all know will be my new book, "Cybersecurity First Principles: A Reboot of Strategy and Tactics". Links to all of this are in the show notes. And that's a wrap. The CyberWire's "CSO Perspectives" is edited by John Petrik and executive produced by Peter Kilpe. Our theme song is by Blue Dot Sessions, remixed by the insanely talented Elliott Peltzman, who also does the show's mixing and sound design and original score. And I'm Rick Howard. Thanks for listening.