Research Saturday 9.7.24
Ep 345 | 9.7.24

The playbook for outpacing China.

Transcript

Brandon Karpf: Welcome to Research Saturday, brought to you by N2K Cyberwire. I am Brandon Karpf, the Executive Editor and Vice-President of N2K Networks, and your host for today's episode. [ Music ]

Kevin Lentz: A naval cryptological officer doing routine duties offshore in the South China Sea, sort of looking at Malaysia, and there is a vulnerability that has been exploited in a Japanese-installed port crane in Malaysia.

Brandon Karpf: Over the last few years, we've seen a rapid increase in tensions and competition in the Indo-Pacific region, specifically pitting the U.S. and China against one another and each other's allies and partners in that region of the world. We've seen increases in cyberactivity launched by Volt Typhoon, the advanced persistent threat coming from the Chinese military and government. We've seen increased tensions caused by island-building campaigns in the South China Sea, and we've seen trade relationships rise and fall throughout the entire region. Our discussion today is with Kevin Lentz, a graduate student at UT Austin and the team leader of the Cyber-Pacific Project at the Global Disinformation Lab. They recently published a report on cyber competition in the Indo-Pacific Gray Zone 2035, a Threatcasting activity that they ran earlier this year, exploring what the private sector, the public sector, military, government, academia, and policymakers can do to ensure that the United States and Western nation allies prevail in a world of growing competition and tensions in this region of the world, and this episode is brought to you exclusively by our sponsor and partner, Keeper Security. So Kevin, the reason I invited you on, we got this Threatcasting report around cyber competition in the Indo-Pacific Gray Zone 2035. I thought it was particularly important for our audience, obviously given the relevance to cyber competition and cyber security, and then ultimately national security. So before we dive into this report though, can you give the audience a sense of what is Threatcasting?

Kevin Lentz: Sure. It's a great question because it's not a very well-known technique, but I'll go ahead and outline what it is. So it is a structured analytic technique, a structured analytic foresight technique, I should say. And this is a bit of a complicated process, but it breaks down into identifying a question, assembling a panel of subject-matter experts who can answer the question or provide perspectives on it, and Brandon, you were one of those, and it was a great contribution, and then assembling a few dozen relevant participants at a two-day workshop who will crank out the and work on scenarios that look about 10 years in the future on the question, and the central premise is imagining a person specifically, which is what makes Threatcasting unique, is you're imagining a future person experiencing a future threat in a specific place. So a person in a place experiencing a threat, and then you sort of ask the participants, you break into small groups to build these models. So each person that they generate is a model with as much detail as possible. And so by putting the participants in the perspective of a future human, it kind of personifies things and brings it to a level of detail and practicality that is unique. And so then they create a bunch of models, and then we gather all those models. And on the back end, a team of analysts, in this case myself and some others from the University of Texas and some other schools, and we go through the models and sort of cluster significant findings, things that deviate. And we do some further back-end research on context, things like that. And then a few months later, we produce a report.

Brandon Karpf: Nice. So it seems like it's a way of developing strategy or insights into a future state of the world from numerous perspectives. When it comes to this specific Threatcasting event that you hosted and the report that you've recently published, what was that central question that you wanted to answer?

Kevin Lentz: Right. So the central theme was, as you said, cyber competition in Indo-Pacific Gray Zone 2035, and the question we were trying to answer was, what can and should the U.S. and Indo-Pacific allies and partners do to enhance combined cyber-defensive operations to sort of mitigate the threats that we're seeing in the future and, you know, essentially prevail in the competition?

Brandon Karpf: Specifically in the Western Pacific or any region of the Pacific?

Kevin Lentz: We took Indo-Pacific writ large. It ended up being focused around, you know, current hotspots, East China Sea, South China Sea.

Brandon Karpf: Got it. So, you know, thinking about what you were saying, some of the outcomes or some of the outputs of this Threatcasting, what were some of those personas or those stories and the insights that you and the other analysts were able to extract from this event?

Kevin Lentz: Sure. So one interesting story, and it's in the report. So the report is not like a normal report, I should say up front. There is sort of an exome at the beginning and normal stuff, but then peppered throughout it there are sort of these fictional narratives of these models. So one of the models that's in there I think is interesting is from a naval cryptological officer sort of doing routine duties offshore in the South China Sea, sort of looking at Malaysia, and there is a vulnerability that has been exploited in a Japanese-installed port crane in Malaysia. So, you know, it's a conflict scenario already, but it's -- Asia is a complex place. And so this vulnerability is exploited, and there's chaos in Malaysia, and there are simultaneous information operations that are complementing the adversarial exploitation. And the long and short is that it ends up costing U.S. and allies and partners politically in Malaysia's goodwill and cooperation.

Brandon Karpf: Us today and other cyber professionals recognize the potential impacts. You know, we take the most recent event with CrowdStrike and Microsoft, a very relevant analogy that had global implications. You know, to what extent were modern or current companies and technologies considered when you and the other analysts and participants were going through this exercise?

Kevin Lentz: Yeah. So they were, I mean, they're sort of the bedrock, right?

Brandon Karpf: Okay.

Kevin Lentz: There's a certain amount of suspension of belief in trying to push the boundaries. But in this case, I think what we came down on is that the parameters of cyber are kind of set in a way. Obviously, things are going to change, LLMs are going to get better. Fake everything will get a lot better.

Brandon Karpf: Yes, totally.

Kevin Lentz: Yeah, and that's going to hit, you know, that'll hit a threshold where things change qualitatively for sure. But sort of the use that they are being used for and the companies producing them are kind of similar. So we, yeah, it was based on current companies and capabilities for the most part.

Brandon Karpf: And you know, thinking about now that the report has been published and, you know, has a series of these vignettes as well as the contributed reports from various industry experts and analysts. How do you envision the industry, the community, using this report? You know, who is the intended audience? How should people read this and why should they read it?

Kevin Lentz: Yeah, thanks. That's a great question. So one of the benefits of the Threatcasting model is that the audience is sort of baked into the process because in a large part, the audience is comprised of the participants. So we had over 30 participants and these are folks we kind of handpicked and invited from across the spectrum. We had, you know, intel, military, government, public sector, academia, and then folks in the private sector as well. And so these folks come, and they bring their institutional knowledge and experience, and then the report goes, well, the network building and the report and the ideas of the report that they sort of come up with inherently go out with them. And they're sort of the first tranche of recipients of the final report. So they're sort of the front lines. And then beyond that, the report is intended to influence policymakers in this area as well as practitioners, and that's broad. But it is, I think, a pro and a con of the report is that we decided not to tailor it specifically to a single institutional actor. And so we get a lot of interesting results from that, but I think as well, the report is intended to hit a broad audience.

Brandon Karpf: And you know, thinking about the audience that we're speaking to right now, you know, probably about 20 to 30% are somehow associated with government, defense technology, or what have you. But that leaves another 70, 80% of this audience who are primarily private sector. How can private sector use this type of modeling, this type of narrative storytelling, or this exact report in their own efforts furthering the pursuit of cybersecurity?

Kevin Lentz: On the one hand, the private sector uses a, you know, Threatcasting model a lot more frequently than the public sector does. As an aside, it was developed in the private sector by a guy at Intel who sort of developed it in-house and used it, and then he spun it out, and that's sort of where that came from. So the public sector -- rather private sector, this would definitely benefit them in terms of thinking about risk, because that's sort of the big thing nowadays is, you know, where do you make your investments when, you know, we're on this knife-edge type situation, and it's going to persist for a decade? So that's on the one hand, and then on the other hand, as you said, is the private sector cybersecurity industry is huge, and it's only growing, and it's only going to grow, most likely, if I had to guess, you know? That's a safe bet, and so I think there exists massive capabilities, and this is one of the findings in the report is sort of like private sector, I end up calling them king makers, because they have the scale and the capability and the speed and the efficiency and everything to make or break efforts in cyber.

Brandon Karpf: Right.

Kevin Lentz: But maybe it would help for them to read it to sort of think about how to approach and tell the narrative of their companies and their interests and tie that into the broader national strategic national security picture. That's a bit of a vague answer, but hopefully, it gets to what you're asking.

Brandon Karpf: Well, to all of the cybersecurity king and queen makers out there, read the report then. It sounds like there's some valuable information in there for you and the way that you can influence. All right, we're going to take a short break, and when we come back, Kevin and I are going to dig into the key findings and his recommendations from the report. [ Music ] We'll be right back. [ Music ] So Kevin, I want to give you an opportunity to cover what were the key findings from this report? We'd really like to understand the major takeaways.

Kevin Lentz: Yeah, I'll hit the key findings and then also the recommendations, which is only three. But findings wise, we had four, and the first one is that this idea that third-party cyber, we end up calling king makers or queen makers like we were just talking about, and these are folks and institutions and agencies between the two major contestants right now, U.S. and China for, you know, unfortunately, it's the way it is. But there's these two groups of king makers on the one hand that can sort of make or break these efforts that are going to be central to working with and organizing and balancing to make anything happen. So on the one hand, you have technological ones, and these are the companies, the cybersecurity industries, but also the infrastructure providers, the folks actually building the cables, the platforms that are, you know, de-facto sovereigns in terms of making law-adjacent decisions on what stands in the information environment, for example. So you have all those in one bucket, and then the other one is the political one. So thinking here of Southeast Asia, you have this constellation of extremely fast-growing young developing countries with sort of a multi-alignment strategy because they're reaping benefits from both sides of this competition from our perspective here. And they'll continue to do that, and that's great. You know, it's a win-win situation as long as things don't spill into conflict.

Brandon Karpf: Right. Yeah, of course.

Kevin Lentz: But that being said, you know, a country like Indonesia, for example, Vietnam, making a strong stand, this seriously shapes the strategic environment, and so that's one thing. Second finding, fragmented regulatory authority is going to continue to compound regulatory lag. So that's a slightly convoluted, but a simple idea is that there's a legal and political -- legal and policy gray zone, right, in terms of who's in charge in cyberspace. So because it hits us kind of right in the intersection of all these different authorities, it's domestic, it's a domestic legal problem. It's crime a lot of cases, like crypto and ransomware and everything, but then it's being launched as part of an international campaign by an adversary. So then you so who's in charge? We don't really know. And so you have CISA, for example, but that's a young organization. They don't necessarily have all the capabilities and authorities they need, and so more established actors are stepping in and the picture is just getting very complicated.

Brandon Karpf: Sure.

Kevin Lentz: And the example we pull out here is cybersecurity incident reporting laws or lack thereof. There's all these different laws. Every state's got one, and there are multiple federal agencies that have decided that they have the authority to make a new law about it. And so they have, and then courts are involved. So it's a messy situation. It will continue to be messy. Third finding is that the irregular strategic competition between the U.S. and Chinese communist party is going to set the overall parameters for the use and development of cyber power. And so this is basically just trying to underscore the idea that conventional deterrence will hold for the most part, like we assess that it will. And if it doesn't, you know, we're you know?

Brandon Karpf: We've got other problems.

Kevin Lentz: Yeah, we've got a lot of other problems. We're not going to be on a podcast talking. You know, it would be a different situation. So the assuming conventional deterrence holds, we're going to be in this situation. That's a lot. It resonates with the 50s, and this sort of is another theme of the report. We've kind of been here before. The idea of the Gray Zone actually first gets coined in the 50s. So it's an old problem.

Brandon Karpf: Right.

Kevin Lentz: We're going to have this sort of irregular warfare-type situation without the warfare. So, you know, it's going to be dirty tricks, sleight of hand and subtlety, or lack thereof, in this gray zone, and that will persist. So that's sort of -- and it's, you know, the major two contestants are the U.S. and Chinese Communist Party.

Brandon Karpf: Sure. Sure, and then how about the -- you mentioned there were the key takeaways and then recommendations. So what were the key recommendations?

Kevin Lentz: Yeah, recommendations. The first one, it was unexpected, but very interesting, and that's that the U.S. should develop and operationalize a distinct cyber economic trade and development strategy for the region.

Brandon Karpf: Oh, okay.

Kevin Lentz: Right. So, you know, we have in the U.S. we say cyber is a functional thing and the Indo-Pacific is a regional thing, and so we go at it from these two different perspectives. But if you combine them, you know, cyber and cybersecurity is a development problem. This is computers, computer networks. These are expensive. They require electrification. They require all these things that we take for granted in the U.S. but much of the world goes without or is in the process of developing. So there are efforts underway in the Indo-Pacific economic framework to sort of like tack on cybersecurity as a sort of afterthought. But they should be more centralized because cyberspace is a unique domain in that we're literally building it. And so who builds it, the rules they set when they build it, you know, configurations, this whole thing, make the literal space of cyberspace.

Brandon Karpf: Yeah.

Kevin Lentz: So we can make we can have a permanent uphill battle or we can have like a level playing field. Obviously, we would want the latter. Second recommendation is to rebuild and recenter political and information warfare capabilities for this cyber competition. Cyber today, we will probably talk about in five ways the same way we used to talk about digital economy. It's redundant. The whole economy has become digital. There's not like a separate digital economy now. So our cyber problems are just our regular political problems. And so in terms of developing, being competitive in the space, it's going to require the government to speak with a single voice consistently and hit on norms we want, behavior we want, this kind of thing. And it's, you know, it's something that we lacked historically. We still lack, and so we still need to develop it. And then the final one is this idea that we should work with allies and partners to develop an Indo-Pacific cyber and conventional open access intelligence clearinghouse. In a permanent state of crisis, we're sort of tap dancing on a red line in the South China Sea all the time. That's going to continue. That's sort of cat and mouse. But it's a situation where if country A doesn't have a clear idea of what happened in event X involving these two countries, you know, country B and country C or whatever, country A and country B, that increases the space for miscalculation, misunderstandings.

Brandon Karpf: Sure.

Kevin Lentz: And the intelligence apparatus and the way that it is organized and disseminated, it's hard to get certain data and certain information out there if it's classified in the U.S. you know, we have an institutional culture of sort of going alone, not sharing with allies unless we absolutely have to, but we've got to get faster at it. And, you know, the sort of takeaway here is like maybe we should just circumvent this whole thing alone, circumvent it altogether, and build up a way to share this sort of, you know, imagery, radio frequency, this kind of information from the ground up because going through institutional reform and change, long process, difficult process.

Brandon Karpf: Sure.

Kevin Lentz: So those are the three recommendations, Brandon.

Brandon Karpf: Truly the hacker way, break down the problem into its constituent parts, and why don't we just rebuild the whole thing?

Kevin Lentz: There you go. Yeah, exactly.

Brandon Karpf: Well, the report is a Threatcasting publication, "Cyber Competition in the Indo-Pacific Gray Zone 2035," published by the Army Cyber Institute and University of Texas. We will have a link to that report in the show notes. And Kevin, so great to have you on. Thank you for filling us in.

Kevin Lentz: Brandon, really appreciate you having me on. [ Music ]

Brandon Karpf: And that's "Research Saturday" brought to you by N2K Cyberwire. Our thanks to Kevin Lentz, team leader of the Cyber Pacific Project at the Global Disinformation Lab for joining us. The research is "Cyber Competition in the Indo-Pacific Gray Zone 2035." You can find a link and additional resources in the show notes. We would love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. It really does help. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. This episode was produced by Liz Stokes. We're mixed by Elliot Peltzman and Tre Hester. Our executive producer is Jennifer Eiben. Simone Petrella is our president. Peter Kilpe is our publisher, and I'm Brandon Karpf. Thanks for listening. [ Music ]