The Realities of Cyber Threats
VI: What is the larger definition of cyber threats that would prompt a need for cybersecurity in American society and the world's liberal democracies? What threats are we actually facing?
Paul Rosenzweig: I box cyber threats into the three distinct groups. The first group, which was the earliest that we paid attention to, is threats to the mechanics of society that are operated by cyber means or infrastructure. That includes everything from the transportation grid to the electric grid to the financial system. That's Cyber Threats 1.0.
Cyber Threats 2.0 was a change in the availability of information about people through the phenomenon commonly called big data, that allows super-precise, predictive targeting of people. That has been exacerbated by advances in artificial intelligence in the last couple of years, which, to a very real degree, will call into question the fundamental premise of liberal Western Democracy which is your independence and human agency. If we are all manipulable then we've got problems.
Cybersecurity 3.0 includes the first instances of the weaponization and manipulation of big data which we saw in a rough and raw form in 2016 in the elections. What we're seeing today in China's efforts to discredit the protesters in Hong Kong, is likely to be even more exacerbated in the future by phenomenon like deep-fakes. Essentially you've removed the barrier between truth and falsity. After all, the fundamental premise of liberal Western Democracy is the ability to sort true answers from false answers, good answers from bad answers. If we can't do that anymore with any confidence we're in really deep kimchi.
VI: Let me drill down on these three categories. In the first category - transportation, electrical, infrastructure, and financial - does this also include the huge hacks of personal data that have happened to credit card companies and healthcare companies?
Paul Rosenzweig: It does include crime in fact, but the truth of the matter is that we've had crime and theft since there have been things to steal. If that were the only thing that was a cybersecurity concern, we would not see it as an existential threat. I have a suspicion we would be spending a lot less energy and effort countering it. We would be dealing with criminal cyber gangs in the same way that we dealt with the Mafia. These are real problems and significant resources need to be allocated to counter them, but nobody ever thought that defeating the Mafia had to rise to essentially the number one national security threat to the United States, which is where the Director of National Intelligence has put cybersecurity for the last four, five years. Cybercrime needs to be worked on, but we've got traditional mechanisms for dealing with that. I venture to say that it is really hard to find somebody who actually loses a lot of money in these thefts. Individuals for the most part get compensated back. I don’t want to minimize or disregard it, but also, that's not why the US government has freaked out.
The fundamental premise of liberal Western Democracy is the ability to sort true answers from false answers, good answers from bad answers. If we can't do that anymore with any confidence we're in really deep kimchi.
VI: What about the municipalities, hospitals, and other organizations that have been held hostage by ransom-ware attacks? They've paid out a lot of money - millions.
Paul Rosenzweig: They do but that is being worked on. Government is a critical infrastructure so I put that in a different category. The fact that I have at least four credit watches on me is because my credit cards have been compromised at least four times and it doesn't really affect me. Government is critical infrastructure in the same way that elections are critical infrastructure. That's actually part of the weaponization piece.
There is no US government privacy regulation at the federal level to speak of. There never has been.
VI: In other words, the actors doing these kinds of criminal activities in cyberspace are hackers coming from wherever?They may be countries that are testing their abilities to break into things and do harm, or they might be terrorist organizations looking to finance their operation?
Paul Rosenzweig: Yes, that's true. Terrorist financing is a thing that we deal with through the methodologies enacted to counter terrorism financing. I am trying to break off the pieces of cyber that are unique to it, that make it a different problem than anything else. There are things about cyber that are unique - I have designated the five “v’s”. It's velocity, it's volume, it's variety, veracity or lack of veracity, and valence, that is its ability to be targeted. This for me is the criteria that makes the difference from terrorists stealing money electronically, versus terrorists robbing a bank.
VI: Moving on to 2.0, the big data aspect of cybersecurity, which includes what Cambridge Analytics did in the 2016 election. They acquired data from Facebook and used it for their own purposes - to influence elections in designated jurisdictions by manipulating peoples' attitudes. Is not this kind of weaponization of data something to be quite concerned about?
Paul Rosenzweig: Yes, very much so.
VI: Do you think a government should prioritize trying to counter big data manipulation?
Paul Rosenzweig: I think all three aspects of cybersecurity are important. Don't get me wrong. Even though I'm minimizing the criminality in 1.0, I think that government has a huge role to play in partnering with the private sector for critical infrastructure protection of the parts that need to be protected like the transportation and electric grid.
In 2.0, the government has been pretty absent. There is no US government privacy regulation at the federal level to speak of. There never has been. The Europeans have just issued the General Data Protection Regulations. California has a new law that is just coming online. I confess I don't know what the right answer is because as the Obama White House's report on big data made clear, there are lots of plus values to large-scale data aggregations that allow for serendipity and synergies that we don't even know exist at this point. It seems clear to me that government is further behind the curve in Cybersecurity Threats 2.0 than it is in what I'm calling 1.0.
At the start of his administration, President Obama had a blank slate, "What should we be doing about Cybersecurity 1.0?" They came up with a lot of good stuff. Was it perfect? No, but were we better off after eight years of working on that problem based on what they found at the start? Yes.
Right now the fight is between privacy advocates who think that all intrusions are bad, and technology data aggregators who never met an accumulation that they didn't think was good. There's got to be a reasonable middle ground there. I am less certain about how that shakes out than I am about the 1.0, only because it's a newer problem and we need a lot more thinking about it. If I were a presidential candidate, that would certainly be an area where, at a minimum, I'd be talking about a process to decide on a way forward.
Nobody had really done that for the Big Data 2.0 problems. Right now the fight is between privacy advocates who think that all intrusions are bad, and technology data aggregators who never met an accumulation that they didn't think was good. There's got to be a reasonable middle ground there. I am less certain about how that shakes out than I am about the 1.0, only because it's a newer problem and we need a lot more thinking about it. If I were a presidential candidate, that would certainly be an area where, at a minimum, I'd be talking about a process to decide on a way forward.
VI: As for the studies that were begun under the Obama administration, were any of them implemented or were they all just recommendations that never found their way actually into policies, strategies, laws?
Paul Rosenzweig: Much of what came out of their policy review in 2009 eventually became policy or law. It led, for example, to an order allowing the president to seize the assets of Chinese companies that stole American intellectual property. This became part of the reason I think that President Xi essentially called a truce. All of these are complex problems, and saying for sure that I know how it happened is overstating my certainty. I think the Obama administration did a pretty good job of moving the ball forward.
VI: Has there been a retrenchment during the Trump administration or have some of these policies been carried out, made more robust, and further implemented?
Paul Rosenzweig: I think the fairest way to say it is the Trump administration is in neutral. At least in part because they see other problems as much more significant. No administration can really do more than two or three things. For President Trump, cybersecurity is not one of those three things. Immigration is, addressing the perceived trade problems is, that sort of thing. They're in neutral. They hired some good people early on but they're all gone. That's just the political reality. Kirstjen Nielson knew a lot about cybersecurity. She’s gone. Rob Joyce was the cyber czar - he's gone. Tom Bossert was head of the Homeland Security council. He knew a lot, He’s gone. There just isn't that focus in this administration. It's in neutral. Retrenchment is a good term.
I think the fairest way to say it is the Trump administration is in neutral. At least in part because they see other problems as much more significant. No administration can really do more than two or three things. For President Trump, cybersecurity is not one of those three things.
VI: While the United States government is idling in neutral, other countries are not. They're going full out to develop, experiment, and exploit cyber tools. Does this not constitute a threat to the United States and put us at a disadvantage?
Paul Rosenzweig: It could be. How should I say this? Cyber is a uniquely adaptive area where today's answers are no longer relevant to tomorrow's problems. An example is election security. Without a concerted focus at the federal level, which has been lacking, I worry about the security of the next election.
VI: Many do express this concern. But while there is a lot of rhetoric about securing elections from cyber attacks, there is very little action - where should the impetus and funds needed to confront these problems come from?
Paul Rosenzweig: Very little action, very little money. There was $380 million in March 2018. Don't get me wrong. The career staff at DHS up to and including the Head of CISA, Chris Krebs, understand the problem and they're working on it but their limited efforts doesn't help, right?
VI: Is part of the vulnerability the fact that in the US we have state-based electoral systems so the federal government is not really involved in the day-to-day operations of state electoral boards and their procedures and mechanics?
Paul Rosenzweig: That's right. Our states and counties are highly heterogeneous in terms of expertise and in terms of resources. Some do probably quite good jobs. Colorado springs to mind. Others are less good.
Cyber is a uniquely adaptive area where today's answers are no longer relevant to tomorrow's problems. An example is election security. I worry about the security of the next election.
VI: We now come to the 3.0 aspect of your categorization of cybersecurity where you do have the weaponization of data, the confusion between truth and falsity, and the ability to create influences that have direct impact on democracy. What are the repercussions when there is no longer freedom of choice and elections are not fair and free? Aren’t these the fundamental basis of our liberal democracy?
Paul Rosenzweig: I think that the metastasization of big data combined with the ability to actually blur the lines between truth and falsity is really strengthened. The fundamental premise of our liberal western democracy is that we believe that people are rational. What if they're not? I think they aren't.
VI: That's a frontier that is now being exploited, explored, an unknown territory. How do you go forward and meet these new realities and these new challenges? Is this totally a governmental responsibility or does the whole society have to become more aware of the times they're living in and take action to somehow counter this?
Paul Rosenzweig: Well, for starters, you've got to just admit there's a problem, which our government declines to do. Given that, nothing will happen, and that almost goes without saying. I don't know the answer yet, at least in part because we don't have a good understanding of how free will can be compromised. We can't change human nature. What if the fact that humans aren't rational is actually just true? I think it is just true. Then the idea of fighting that reality by trying to reinforce the thing that makes people rational is a loser's game. Maybe we're committed. The whole idea of liberal democracy is that you must have the assumption that people are rational. I confess I'm lost here. I don't know how to fight.
The fundamental premise of our liberal western democracy is that we believe that people are rational. What if they're not? I think they aren't.
VI: To bring this back to the 2020 candidates, what do they need to understand and make part of their platforms regarding the threats, challenges, and new frontiers of cybersecurity.
Paul Rosenzweig: I would say that they should embrace the existence of the Cyber Solarium Commission that Congress chartered to talk about malicious cyber threats from foreign entities. I would say that they should commit to a no preconception examination of the pluses and minuses of Big Data in Cybersecurity 2.0. I would say that they should commit to a whole of government educational campaign about the problems of deep-fakes and false data and how to deal with them. I would say basically that the main commitment would be to return to a recognition that this problem is new, it's different, and it ought to be on the administration's priority list.
VI: If you were scheduling presidential debates this fall, would you recommend a debate focusing on serious threats to the United States and that cyber issues should be high on the agenda?
Paul Rosenzweig: It would not just be my recommendation. The Director of National Intelligence lists the national security threats annually to the United States in rank order, and for the last six years, cyber has been up there at number one, ahead of terrorists; ahead of China; ahead of Russia as geopolitical threats. It certainly deserves very serious attention and any presidential candidate should clearly address their understanding of this vital national security reality.
VI: To sum up - you clearly see countering cyber threats as an urgent need. Despite an abundance of red flags, congressional commissions, directors of national intelligence reports, and the entire national security establishment articulating cybersecurity as their top priority - very little is being done. You have stated cyber threats are being neglected at the highest levels of the current administration. For the future security of the country, how can this be changed?
Paul Rosenzweig: With an administration stuck in neutral for the last two years, nothing appreciably has happened at a major level. That is not to say that the people toiling in the vineyards are not doing good work, but they cannot implement significant policies without higher authority. With a new administration that understands the urgency of cybersecurity, there are people in place and policy recommendations ready that can be put into high gear.
The Director of National Intelligence lists the national security threats annually to the United States in rank order, and for the last six years, cyber has been up there at number one
Paul Rosenzweig is the founder of Red Branch Consulting PLLC, a homeland security consulting company and a Senior Fellow at the R Street Institute. He is also a Senior Advisor to The Chertoff Group. Mr. Rosenzweig formerly served as Deputy Assistant Secretary for Policy in the Department of Homeland Security. He is a Professorial Lecturer in Law at George Washington University and a Board Member of the Journal of National Security Law and Policy.