Tue. October 21, 2014 Get Published  Get Alerts
HOME  |LOGIN
ABOUT | CONTACT US | SUPPORT US
Interview: Dr. James Andrew Lewis

Comments(0)
By Cynthia Iris, Senior Correspondent


International Affairs Forum: In a New York Times article on January 8th, you had said that there was no doubt within the U.S. government that Iran had been behind the wave massive attacks and online banks. Is there a digital fingerprint there?

Dr. James Andrew Lewis: It’s hard to say. The better answer might be that the U.S. has other means for figuring out what the Iranian government is up to. And that that probably contributed to, or buttressed, or expanded the digital fingerprint. So, in other words, we spy on the Iranians. The private sector guys who did the forensic investigation didn’t find enough to be conclusive. I think what happened is all the other things the U.S. does probably provided that conclusiveness. [Also], it’s not just the U.S. It could have been any number of countries who are looking closely at Iran.

IA-Forum: From your Profile Page on CSIS’s website, it seems you have an article on Stuxnet (a computer worm that attacked Iran’s nuclear centrifuges) coming out, entitled, “In Defense of Stuxnet”. Can you give us the top two ideas that you’re trying to convey in the article?

Dr. Lewis: Yes. (The article has been published in Israel). People don’t like covert action, but it’s been something that the U.S. has used against authoritarian regimes since World War II. And this is just a new tool in the long covert struggle with Iran.

IA-Forum: Russian President Putin ordered the Security Bureau, the FSB, to create a system to protect the government computers from cyber attacks. How effective can any government be, the U.S., Russia, etc., in this regard when many cyber attacks are undetected?

Dr. Lewis: That’s a good point. Putin’s intent was not to protect against cyber attack. It was to protect against political dissidence [it was focused on the media]. You don’t want to say I’d like to repress free speech. Even, that’s a bridge too far, even for the Russians. So you say “I’m going to protect against cyber attack by helping my media friends”. Ask yourself how you’d like the FBI to have complete access to your network? “To help you”. See what people say -- “gosh, I think it’s a swell idea”. So it wasn’t. There are things you can do. It’s not impossible to protect. But that was not the intent.

IA-Forum: So following along a piece of this, let’s talk about President Obama’s “Preemption Doctrine”. It’s hard to be successful with this approach because the target organization often doesn’t know its network has been compromised. What then?

Dr. Lewis: There’s a difference though between the target organization and the National Security Agency. Just as in the Cold War we had satellites and national technical means that could detect an imminent threat, there are similar sensors that can detect imminent threats in cyber space. They’re not perfect. And I don’t know what the success rate is. Is it one out of three? Is it two out of three? It’s somewhere in that range. So two out of three times we’ll know something’s coming and can block it. Does that mean it’s perfect? No.

IA-Forum: So let me follow that a little bit. I know we’ve got the technology, but are human assets, spies, back in demand because you said there were “two out of three” they could find. Where do human assets come into this cyber security equation?

Dr. Lewis: The way I look at it is cyber is just sort of like a new element to the larger equation of espionage. So you have spies, satellites. You have drones. And now you have hacking, right? So I think the part that often gets lost in translation is for major intelligence agencies, they’re using a portfolio of all these techniques.

IA-Forum: On Twitter, back in December, you wrote that cyber is an “inelegant” term. Why?

Dr. Lewis: So what are we talking about? We’re talking about network devices. And that’s not particularly elegant, either. We’re talking about network devices that have some computing capability. So, do you want to say “network computing devices”? So “cyber space”, it’s one of these portmanteau terms. We make it up. Like ‘globalization’. Because it covers a range of things. I mean, let’s just say one word rather than actually be descriptive. That’s where it becomes a substitute for thought.

IA-Forum: General Keith Alexander, the head of the DOD’s Cyber Command and head of the National Security Agency -- is he, by virtue of these jobs, America’s chief information officer (CIO), de facto?

Dr. Lewis: No. There’s someone the Office of Management and Budget (OMB) who has that role. [The head of the Office of E-Government and Information Technology in OMB]. He’s the CIO and they think about how (for the government and for the public) you get access to information, how you manage information systems, how you create the ability to easily find information and data.

IA-Forum: In Foreign Policy recently, you wrote, “The long-standing U.S. position that an open, free Internet is the best for innovation and growth is no longer persuasive. America needs a more compelling narrative to defend universal values. The battle for the Internet has begun, and we need better ideas if we are to win it.” Does the U.S. have a more compelling narrative now?

Dr. Lewis: No. That’s one of the things we have to do is develop that. I’m sort of working on it; other people are working on that. Here’s an easy illustration: ‘a free and open Internet is crucial for economic growth’. And that explains why China is growing at 10% and the European Union is in recession. And so the people we talk to it turns out are not dopes in other countries. They can figure this out, too. There’s been, for a whole set of historical reasons, a commercial argument to support free and open Internet. The commercial argument no longer makes sense.

Part of what’s puzzling to me is that there’s sort of a basic perspective here, which is that ‘democracy is good; justice is better’. And people don’t like that. A free and open Internet is a better guarantor of justice. But they say, “we can’t say that”.

IA-Forum: Why not?

Dr. Lewis: I don’t know. So we’re going to have to work on it.

IA-Forum: When you were on WBUR’s radio program, On Point, last week, you said that China is doing reconnaissance on civilian critical infrastructure, looking to effect --

Dr. Lewis: [General] Keith Alexander told me that.

IA-Forum: You said they’re potentially looking to affect U.S. military assets in the Pacific. And they go after our allies. You raised the idea of China and Japan moving towards an “unfortunate incident”. With the treaty that we have to defend Japan, do you see that scenario likely to become a cyber security problem in the near term?

Dr. Lewis: If it were to occur the answer would be ‘yes’. That we would need to think about how to support Japan in defending its information assets in defending its networks. Whether the Chinese would actually do anything -- people go through the same military calculus in thinking about cyber attacks that they do for any other weapon. What are the costs? How’s the international community going to react? Is it going to get me military advantage? It doesn’t mean they got the calculation right. But the Chinese are going to calculate. What would a cyber attack against Japan get me? And if they think it gets them something useful, they’ll do it. You could think about air defense, naval coordination. Those would be the targets.

IA-Forum: There’s a lot of chatter right now about North Korea about to do another nuclear test. If so, is there a Stuxnet worm with North Korea’s name on it out there?

Dr. Lewis: Probably not because the North Koreans -- this is why they’re not really yet a cyber threat. If you don’t have electricity, you’re very hard to hack. They’re one of the last countries on earth that isn't really computerized. And so they’re a hard target. You know, Iran, not as closed a society as North Korea. Strange, isn't it? And a little more modern in terms of its economy. And it turns out to being a backward economy with no electricity and no food is a plus in cyber defense.

IA-Forum: What about state sovereignty issues and who controls the internet? Russia and China have made proposals for control. This week [mid-February] the European Union is coming out with new regulations requiring private companies to report disruptions to government authorities. Who does control the internet; who should control the internet?

Dr. Lewis: The question I usually ask is, “why should the Internet be different from anything else?” I think the answer is, “it shouldn’t”. In the same way that in the U.S., the government has sovereign control of American territory, but it’s privately owned. There are rules about how government and the private individual interact on that ownership. I think that’s the direction we’re moving in. And each country will implement their control over the Internet, consistent with their national practices. People may not like that but the rest of the world has made up its mind, that’s where they want to go.

So who should control it? It should be the same kind of control you see for any other sort of activity. There’s a little bit for government. There’s a little bit for the private sector. But the idea that neither has a role is wrong. And the idea that somehow the state will be subordinate to private sector interests -- maybe in America, but not anywhere else.

IA-Forum: In the Christian Science Monitor, there was a piece a while back saying that a Pentagon official had called for the U.S. and Europe to cooperate on the NATO cyber shield, modeled after the nuclear missile shield that NATO was developing. Does that make sense? Would it work?

Dr. Lewis: It makes sense. There’s a lot of political obstacles. It would work in that the Europeans haven’t thought through how they act as a unified whole. So you have the member states want to maintain their control and the commission wants to do things across the EU. And NATO has an alliance defensive role. None of these actually fit together in ways that are seamless. So whenever there’s a seam, the seam is an opportunity for an opponent to exploit. So it would make sense. It’s just that the political difficulties turn out to be much greater than we thought. So think of it as the European debt crisis that’s carried over to the Internet.

IA-Forum: What would the advantage and the disadvantage be of having DOD’s Cyber Command come out from under STRATCOM’s control and be a full-standing command?

Dr. Lewis: Well, this is a new military activity so we’re going to go through a period of experimentation. And it’s like the travails of Space Command -- sometimes it’s independent, sometimes it’s a service. I bet we’re going to go through the same kind of moving around for this.

Right now, it is the only place where a four-star [general] reports to a four-star [general]. Now there’s a footnote here, which is that the head of U.N. Command in Korea is a four-star [general] who reports to the Pacific Command four-star [general]. But because it’s a U.N. command, it’s not the same thing. So we have an anomaly in how we’ve organized Cyber Command. It probably makes sense just for that reason, to split it out.

And one of the things that I think they’ve done is figure out the roles in different situations, for instance, what Cyber Command has the lead on. That’s helpful to know. From a neatness perspective, I think ‘separated’ for now. Whether it remains an independent command, I don’t know.

IA-Forum: Of the three mission areas in the new DOD Cyber Command proposal that’s just been released – which is the most critical to staff up first – 1) DOD’s own networks, 2) the military combatant commands, or 3) the “national mission” to cover critical “homeland” infrastructure? Personnel staffing, military and civilian, is supposed to go from about 900 now to 4900 in this ramp up.

Dr. Lewis: The first priority is defending DOD’s own networks. And that’s where they put most of their effort. Then there will be a split between the national mission and the support to combatant commands to regional commanders. Don’t know which will get priority there. My bet would be, absent some kind of regional crisis, it would be the national mission. But if we suddenly have a conflict in the Pacific, the regional combatant support will zoom up to be number two.

IA-Forum: When the U.S. government decides to move from a defensive cyber security to an offensive cyber security position, a preemptive position, what justifies the shift?

Dr. Lewis: The current approach isn't working. And the defensive approach, a reactive approach, always puts you at a disadvantage. We tried this at the end of the 19th century, where we thought we would have what they call ‘coastal defense battleships’. No offensive Navy for us. We would be peace-loving Americans and have coastal defense battleships, which were small, heavily armored, heavily-armed unseaworthy vessels.

A defensive approach is never going to be able to do it. And so when we’ve tried this in the past, you have to have a full-range military capability. And then you decide whether or not you’re using a defense or offense. You can’t just build half of it and then expect it to work.

IA-Forum: Do you think that there’s going to be a lot of pushback on this offensive effort? It may make sense practically speaking. But this sounds like it’s going to be a political problem, maybe an issue between civil and military partnership, do you think?

Dr. Lewis: No, the thing that surprises me in having seen them in action a couple of times, is that the Cabinet-level political types are very cautious about unleashing this. They want a lot of evidence. They want a lot of assurance there won’t be collateral damage. It’s not like the U.S. is going to go off wildly doing this. I see the emphasis on preemptive more as an effort to signal potential opponents that this is no longer a risk-free environment.

Up until now, you could do anything you wanted and you fixed absolutely no penalty. And signaling that that’s going to change is probably not enough. But it’s a good start. So I don’t think the threshold they set is high. And the caution they display in thinking about using this is high. So I’m not expecting to see anything soon.

The main thing was it was the signal to the Iranians. What they did to Aramco [the Saudi Arabian oil company] was fun. Don’t do it in the U.S. [Iran was suspected of launching a highly destructive cyber attack on Aramco’s corporate network in the summer of 2012].

IA-Forum: Thank you.



James Andrew Lewis is a senior fellow and director of the Technology and Public Policy Program at CSIS. Before joining CSIS, he worked at the Departments of State and Commerce as a Foreign Service officer and as a member of the Senior Executive Service. Lewis’s recent work has focused on cybersecurity, including the groundbreaking report “Cybersecurity for the 44th Presidency,” space, and innovation. His current research examines the political effect of the Internet, strategic competition among nations, and technological innovation.

Comments in Chronological order (0 total comments)

Report Abuse
Quick Links Twitter Face Book Get Alerts Contact Us Enter Ia-Forum Student Award Competition
International Affairs
Forum - (2014 Issue 1)

Available Now
ANNOUNCEMENTS
THE WORLD'S DISCUSSING...
12/15/2014: Modern Times in North Korea: Scenes from its Founding Years, 1945-1950 More
12/01/2014: Waking from the Dream: the Struggle for Civil Rights in the Shadow of Martin Luther King More
11/17/2014: The Men Who Lost America: British Leadership, the Revolutionary World, and the Fate of Empire More
10/28/2014: FAPESP-U.S. Collaborative Research on the Amazon More
10/27/2014: Synchronized Factories: Latin America and the Caribbean in the Era of Global Value Chains More
10/27/2014: Sino-Soviet Relations and the Dilemmas of Socialist Bloc Cooperation: Czechoslovaks in Shanghai, 1956-57 More
10/23/2014: “A Sort of Chautauqua” More
10/23/2014: World Population and Human Capital in the Twenty-first Century (Book Launch) More
10/22/2014: Ukraine, Russia, and the International Order More
10/20/2014: Global Health blog: UHC in Latin America: Learning from the Past, Planning for the Future More
10/20/2014: Mexico in Peacekeeping Operations: A Late and Controversial Decision - The Expert Take More
10/20/2014: The OAS Leadership Transition More
10/20/2014: Is China Unwinding its Foreign Exchange Reserves? Not Just Yet More
10/20/2014: Empowering Revolution: America, Poland, and the Moderates who Ended the Cold War More
10/20/2014: More Bad News for Airbnb More
10/20/2014: U.S.-Russia Relations: Beyond the Crisis in Ukraine More
10/20/2014: U.S.-Russia Relations: Beyond the Crisis in Ukraine More
10/20/2014: Jane Harman on The Daily Rundown More
10/20/2014: Global Health blog: Getting Hospitals Right: Dispatches from Our Cape Town Consultation Session More
10/20/2014: The Energy Security Renaissance in North America More
10/20/2014: Does Democracy Matter? More
10/20/2014: Dau Voi, Duoi Chuot (Head of an Elephant, Tail of a Mouse) More
10/20/2014: The Resistance in South Vietnam following the “Geneva Convention” More
10/20/2014: History of the Southern Resistance or History of the Communist Resistance? More
10/20/2014: Introduction to the Commentaries on the History of the Southern Resistance More
10/20/2014: L?ch s? Nam b? kháng chi?n and the Interwar Period More
10/20/2014: The Urban Movement and the Planning and Execution of the Tet Offensive More
10/20/2014: Caught Between Propaganda and History More
10/20/2014: Some Clarifications on L?ch s? Nam b? kháng chi?n More
10/20/2014: War on Poverty Turns 50: Are We Winning Yet? More
10/20/2014: CGD Publication: Costing a Data Revolution - Working Paper 383 More
10/19/2014: Bridging the Pacific: Toward Free Trade and Investment between China and the United States More
10/19/2014: Axel Weber: The Global Macroeconomic Outlook More
10/19/2014: Tensions Rising Dangerously in South Asia More
10/19/2014: Tensions Rising Dangerously in South Asia More
10/19/2014: Tensions Rising Dangerously in South Asia More
10/18/2014: Hans-Werner Sinn: The Euro Trap: On Bursting Bubbles, Budgets, and Belief More
10/17/2014: Building Peace Over Water in the Lower Jordan Valley: A Sister Cities Coalition More
10/17/2014: China Chart of the Week: Fishing in the South China Sea More
10/17/2014: Slovakia’s Road to Freedom and Democracy More
10/17/2014: Development blog: Nobel Laureate Jean Tirole’s Five-Step Plan to Fix the Climate More
10/17/2014: The Future of Food, Climate, and the Natural World: A Conversation With Jonathan Foley More
10/17/2014: Film Screening: "The Winter that Changed Us: The First Death" More
10/17/2014: U.S. Grand Strategy: World Leader or Restrained Power? More
10/17/2014: Does Moving Across International Borders Boost Migrants' Incomes, Happiness and Freedom Satisfaction? More
10/17/2014: CGD Publication: How Much Will Health Coverage Cost? Future Health Spending Scenarios in Brazil, Chile, and Mexico - Working Paper 382 More
10/16/2014: Development blog: Congratulations, Arvind Subramanian More
10/16/2014: Environmental Governance and Public Health More
10/16/2014: ONU-UN SI PER IL VENEZUELA E UN NO PER LA TURCHIA More
10/16/2014: ¿Cambiará Venezuela el balance de poder entre EE.UU. y Rusia en el Consejo de Seguridad? More
More...
About | Contact Us | Support Us | Terms and Conditions

All Rights Reserved. Copyright 2002 - 2014