X Welcome to International Affairs Forum

International Affairs Forum a platform to encourage a more complete understanding of the world's opinions on international relations and economics. It presents a cross-section of all-partisan mainstream content, from left to right and across the world.

By reading International Affairs Forum, not only explore pieces you agree with but pieces you don't agree with. Read the other side, challenge yourself, analyze, and share pieces with others. Most importantly, analyze the issues and discuss them civilly with others.

And, yes, send us your essay or editorial! Students are encouraged to participate.

Please enter and join the many International Affairs Forum participants who seek a better path toward addressing world issues.
Thu. August 18, 2022
Get Published   |   About Us   |   Support Us   | Login   | Join Mailing List
International Affairs Forum
IAF Articles
IA-Forum Interview: James Lewis
Comments (0)

International Affairs Forum: First question - let’s define cybersecurity. James (Jim) Lewis: Cybersecurity is ensuring that the services and data on digital networks are resilient and free from easy attack. IA-Forum: The Wall Street reported in April that cyber spies “targeted companies helping to build the [$300 billion] joint strike fighter and stole design information that could make it easier for adversaries to defend against the airplane.” How vulnerable is the U.S. military today, in terms of cyber attacks? Dr. Lewis: It is very vulnerable mainly because it’s the primary target for so many countries in the world. DOD [Dept. of Defense] does a good job. They are probably one of the best, if not the best, agency in terms of protecting their networks, but they’re everybody’s favorite target. IA-Forum: The National Journal says the DOD is “sharing intelligence about cyber threats with defense contractors. What are the pros and cons of this expanded DOD cyber-perimeter? Dr. Lewis: The pros really outweigh the cons, and I actually talked to someone from DOD yesterday about this. It’s called the “Defense Industrial Base [DIB] Initiative”, and currently they have 29 companies - big companies - in it. The Deputy Secretary of Defense met yesterday with the 29 CEOs of these companies, and they said it was “a love fest”. This was Dick Schaefer from the National Security Agency/NSA. The first meetings were unhappy. They were unhappy because companies said “we don’t share with you because you’re going to retaliate against us when you find out we’ve done a bad job or we’ve lost something.” And DOD, of course, was shocked to find out some of the losses that they were experiencing. You know, this is sort of classic intelligence. The DOD hardened their own network so the opponents naturally went after softer targets. So this has really paid off in terms of making it harder for people to raid U.S. defense technology. IA-Forum: So you think that by bringing the defense contractors “within the wire” so to speak, the “cyber wire”, it actually helped harden the contractors’ networks? Dr. Lewis: I heard that at the first meeting where DOD gave the company CEO’s the classified briefing that they absolutely turned pale and almost fainted. The depth of the problem is much worse than is publicly acknowledged. IA-Forum: Russian Prime Minister Vladimir Putin made some comments on Russia’s efforts in cybersecurity at the World Economic Forum at Davos. He was confident about Russia being able to create and maintain its own cybersecurity with no outside help or alliances. Would you agree with Putin’s assessment of Russia’s cyber-capabilities? Dr. Lewis: Sure, because they’re a police state, right? It’s so helpful not to have any laws and to be able to use force and violence. So, yeah, they’re a police state that’s invested billions of dollars over decades to create a strong national monitoring system. Now, of course, it fell into disrepair in the 1990’s. But since Putin has been in office, they’ve made an effort to restore their capabilities. And so, sure, if you have a police state, you’re always going to be able to make it a little more secure. It’ll be easier to make it secure. IA-Forum: Melissa Hathaway is a Senior Advisor to President Obama on cybersecurity issues. In her Op-ed piece last fall she mentioned that international cooperation is vital. Who do you think are the best U.S. partners on this and why? Dr. Lewis: The problem is that there are like-minded countries (i.e. the U.K.), but we need to have partnerships with our potential opponents as well. We need to have partnerships with the Russians and with the Chinese. IA-Forum: How is that going to work? Dr. Lewis: You can start by parsing the problem and you can say there are some things we can all agree on and there are some things that we need to take off the table. For example, here’s an easy one. All of these countries have agreed they won’t support jihad, right? So there’s a simple agreement right there: “we won’t support jihad in cyberspace”. And that could be useful to have looking into the future. You could ratchet it up a little bit. You could say cybercrime. On cybercrime, you know, that would put the Russians in an awkward spot because they like cybercrime, but we might be able to get a deal with the Chinese. So, you know, on cyberwar, we might be able to say, what are the thresholds, what are sort of targets that are off limits, what are the rules for cyberwar? So there’s a lot we could do if we start trying to do it. IA-Forum: What constitutes cyberwar? In your opinion, when does an attack justify a military response? Dr. Lewis: Hardly ever. And so that’s one of the problems – we, the U.S., keep trying to shoe-horn this into a military mold, and it really is an intelligence and law enforcement problem. Cyberwar is something that will be part of any future conflict, and I think in a traditional conflict in a state versus state conflict; for instance, we get into a fight with China over the Taiwanese Straits. They will deploy cyber weapons just as they might have deployed aircraft or missiles or submarines. It’s just another weapon. So we should expect our power grids and other systems to be attacked with cyber weapons if we got into a conflict with China or Russia or some other country. Short of that, it’s hard to see where this qualifies as cyberwar. The rule of thumb I use is that if you translate it into the physical world, when would it be an act of war? The only thing that gets close to that is sabotage. If another nation sabotaged say a power plant in the U.S. using cyber weapons and we were able to discover it, that would start approaching an act of war. I say an “act of war” is ultimately a political decision. Suppose it was the North Koreans [who were behind the attack on U.S. websites] about a month ago and suppose instead of hacking websites and doing “denial of service” attacks, they had hijacked a U.S. Navy ship off the high seas, killed some of the crew, threw the rest of them in jail and pillaged this ship, would that be an act of war? And the answer is “no”. In 1968 when they did that, it was not an act of war. So people are looking for clear lines and bright lines and they don’t exist. IA-Forum: The 2008 Annual Report by the U.S. China Economic Security Review Commission states, “China’s current cyber operations capability is so advanced, it can engage in forms of cyber warfare so sophisticated that the United States may be unable to counteract or even detect the efforts.” Is China beefing up its cyberwar capabilities in lieu of building its traditional military resources? Dr. Lewis: No, it’s exploring all the avenues for increasing its military power. A few years ago, the Chinese were interested in cyber warfare as a way to compensate for conventional weakness. And there’s still some of that, but now they see (as do we and as do probably a handful of other nations), cyber conflict is just another aspect of warfare. IA-Forum: The White House has concluded its 60-day review on cybersecurity, and there seems to be a problem in selecting a “cyber czar”. Why is this and how would you describe who would be an effective leader in that position? In other words, what does someone need to bring to the job to succeed? Dr. Lewis: Cybersecurity is a low-level priority. What some people say is that we won’t take this seriously until the United States is really badly hurt again. By my count, we’ve been badly hurt at least twice, but those were espionage activities, and espionage doesn’t always get a lot of attention. IA-Forum: What were those two times? Dr. Lewis: In the late 1990’s we suffered massive losses of information relating to weapons, including nuclear weapons, and in 2007 there were a series of incidents, the full scope of which we do not yet know publicly, that probably led to yet another serious and damaging espionage coup by someone. IA-Forum: So if you were looking to pick someone for that job, what qualities or skills would they have? Dr. Lewis: You need someone who has a strategic vision, who has the ability to persuade, and you need someone who has the ability to do more than give speeches. You need someone who’s going to actually produce some results. IA-Forum: Should this person be at the NSA or should this be housed at the NSA? Dr. Lewis: No, because the NSA’s an intelligence agency. They operate under different authorities. They have different constraints on what they can do. They’re not a domestic agency. In the review we did here we thought that the White House was the only place they could do this because, you have [the Department of] State, you have Commerce, DOD, Justice, and DHS. Who is it that can herd all of those animals to move in the same direction? Only the White House. IA-Forum: The cybersecurity coordinator (or cyber czar; people are using different terms), will have the authority to affect the Office of Management and Budget (OMB) budget on cybersecurity. How does one build a budget for such a new and sweeping initiative and where are the major revenue streams? Dr. Lewis: It’s not clear to me they’re going to have that authority. They’ll have to work closely with OMB. The good news is that the new folks at OMB, the CIO (Chief Information Officer) and the CTO (Chief Technology Officer), are very cognizant and say they’re ready to cooperate. So this will be a cooperative effort rather than someone being able to command. The risk here is that we’ll either pick someone, a former CEO or a former general, who’s used to giving orders and having them obeyed. That’s not how it works in the government. The other problem is we’ll pick someone who’s really good at being an evangelist and giving speeches and doesn’t actually do anything. IA-Forum: So this a position that should have not only responsibility but also authority? Dr. Lewis: It needs some kind of authority to work. You need to be able to produce results, and the NSC (National Security Council) has authority, the NEC (National Economic Council) has authority and someone who knows how to use them. This has to be someone who can really know the inside of the interagency process. We don’t need a proselytizer. We need someone who’s played the federal game and knows how to get the trains to move. Whether we’ll get that, right now I wouldn’t take a bet on that. Second part of your question: where’s the money come from? Tons of money. In some areas we’re still not spending enough. If you look at how much we spend say on “bioshield” [a Bush Administration initiative regarding weapons of mass destruction], which is billions of dollars for a non-existent threat, versus how much we spend on R&D for cybersecurity where it’s millions of dollars for something where we’re damaged every day. Clearly an imbalance there and that reflects a lack of strategic vision. It’s an inherited lack. We’ll see if these guys fix it. CNCI, [Comprehensive National Cybersecurity Initiative] you know, the press figures put it at double digit billions for CNCI. The larger federal IT budget of existing spending is already in the tens of billions of dollars. So this isn’t really a money problem. This is an organization and management problem. IA-Forum: Do you think other countries are doing a better job in cybersecurity than the U.S. and if so, why? Dr. Lewis: Yes, other countries are doing a better job, and we are at a competitive disadvantage. One of the reasons of why we’re losing in the Great Power sweepstakes is because we can’t get our act together. China and Russia have some clear advantages that can be best defined as they have a different legal environment. They’ve invested billions, and they’re not at all shy about restricting civil liberties. They don’t have debates over privacy. That doesn’t mean we should copy them, but it means they’re ahead. France and Britain both have announced new cybersecurity strategies. They tried to time it with ours, but ours was delayed for so long, I think they finally gave up. Both of them did better. Now in France’s case it’s because the government still has such a large role in the companies that some of the debates we have here just don’t occur there. We have a debate, “should we make the electrical grid secure?” It’s kind of a stupid debate. That’s the debate we’re having. I asked the French cyber czar, “how come you’re not having this debate,” and he says, “the government still owns part of these companies. We’ve got two people on all the boards.” That gives them an immense advantage. The Brits, I asked them, “aren’t you sorry that you waited for us to come out with our strategy” and this was a senior intelligence official from the U.K. who said, “no, we’re not sorry because ours is better.” I said, “why is that?” And he said, “because ours isn’t politicized.” They aren’t having these debates over turf and privacy. You know, of course, they have that but they have been able to treat it more as a national security problem than we have. And so we’re sort of hampered by our inability to come to a decision. IA-Forum: If a nuclear weapon was launched as a hostile act, it’s possible to determine its nuclear fingerprint and locate the country source of the weapon. Is there a digital fingerprint in a cyber attack? Dr. Lewis: There could be, and one of the questions that we have not been willing to ask ourselves is how could we reinforce that digital fingerprint? Technically, this is possible to do, but for privacy and civil liberty concerns, we’ve chosen not to do it. IA-Forum: How so? Dr. Lewis: You could build unique identifiers into computer hardware that could not be changed that would make it much easier to determine where something came from. (You could still do a botnet, but it would be easier to track back.) You’d have to make some changes in the hardware and the software, but these are not impossible. It’s just that we’ve chosen not to do them. You could make changes on identity. I’ll give you an example today that’s sort of a funny one. Someone just tried to implant a virus Trojan on my computer here and the website I was going to to get that was a (U.S. Pacific Command) PACOM website. It’s beautiful; it was a PACOM website and they just had their big Spectrum Management Conference. What better plan; I admire these guys so much. You’re an intelligence officer, you wanted to ask yourself, “people who go look at this PACOM electronic warfare conference; they might be interesting targets to collect on.” So, you know what, “I’m going to put a malware so that when you go to that website, maybe I can get in.” Brilliant plan, right? So, talking about tightening up the digital fingerprinting – there are some things you could do on the hardware and the software that would make it easier to do forensic work on where does an attack come from. There are things you could do on digital identity that would make it harder to spoof or to launch an anonymous attack. DOD’s CAC (common access) card is actually relative successful. The smart cards or better authentication would reduce the ability of someone to wage a successful attack. But again, we’re kind of tied up in knots on that one, too. I mean people don’t want a national ID card. I understand that. But then the tradeoff is you’re going to have an insecure internet. IA-Forum: Cybersecurity is both an economic and national security interest. So how do we reconcile citizens’ privacy and national security as we tighten the U.S. cyberspace? Dr. Lewis: This isn’t impossible. It might be too hard for our current political process, but it’s the Goldilocks problem – not too hot, not too cold. But there are things you could do that would protect civil liberties, that would I think make it possible to engage in stronger cybersecurity measures. Here’s an example: “deep packet inspection”, which means that traffic comes in packets. We have technology that lets you look inside the packet for malware. It doesn’t read the content at all. This is what our law was designed for. Our law was designed for paper envelopes. So you opened the envelope and you read the letter to look for malicious code. You couldn’t help but know the content. Now we have a situation where a machine opens the letter and it doesn’t read the content, it just looks for that pattern of malicious code. It’d be like you opening a letter written in Urdu. You’d recognize the pattern, but you wouldn’t know the content. Our laws have not change to adjust to the fact that technology gives us a protection for civil liberties here, and these people who are so distrustful of the government that they don’t want to see any progress in this. The warrantless wire tap program, whether it was necessarily or not, only reinforced those people so we’re stuck. IA-Forum: The Pentagon is standing up the cyber command, CYBERCOM, under STRATCOM. What authority will the cybersecurity czar/coordinator position appointed by President Obama have regarding the Pentagon’s efforts? Dr. Lewis: This is an interesting one because a lot of us said to the incoming team, one of the mistakes of the Bush Administration was its failure to be transparent; they said, “we’re going to build this wonderful program, the CNCI, but we’re not going to tell anyone about it because it’s classified, top secret.” That was really dumb. Now in come the new guys and they are 80% transparent which is a big improvement. The one thing they weren’t transparent on was the relation of the cyber coordinator to offensive capabilities. That’s a part of the 60-day review but it wasn’t released. The only thing we know about it is there are a couple lines in the public document that say basically “the cyber coordinator will have some degree of oversight.” My assumption is it’ll be the traditional NSC role when it comes to military activities. IA-Forum: Can you expand on that a little bit? Dr. Lewis: Sure. The NSC is the place that coordinates the activities by all the agencies involved in national security to ensure they’re consistent with the President’s policies and executive orders. So an agency wants to do something that would implicate the President or involves the U.S. reputation, they’re supposed to check with home. The NSC is supposed to drive the policy process. Now for the last eight years it hasn’t done that because the Bush Administration NSC was the weakest NSC in history. The traditional process going back really to the Eisenhower Administration is for the NSC to coordinate military, intelligence, and diplomatic efforts. But if this NSC is able to recover, that’s the role you’ll see. IA-Forum: Various U.S. agencies such as DOD, Department of Commerce and DHS are reorganizing now to include a cybersecurity program within each agency. What do you think are the major elements that will make that succeed, and is this reorganization building more bureaucracy or will this produce the “trusted, resilient, flexible infrastructure” this Administration wants? Dr. Lewis: You know, the thing that’s necessary for success is coordination. You need a coordinated effort internationally so we all speak with one voice and we have a common objective and strategy. You need a coordinated effort internally so that people bring all the networks in the government up to some common standard. We need a coordinated approach when it comes to threat information. In 2007 I was talking to the CIO (Chief Information Officer) of a civilian agency, and he said the way he’d found out that his systems were being hacked, and the way he’d found out the DOD systems had faced the same hack and they’d developed a solution to it was he read it in the newspaper. So we got to get out of this. How do we coordinate? Well, we coordinate through the Washington Post. That’s where the role of a coordinator in the White House is important. This can’t be 10 people each with a musical instrument playing their own tunes at their own pace. We got to have somebody conducting the band. IA-Forum: What key skills will IT people need for cybersecurity jobs, either in government or the private sector, and how will schools adjust their curricular to meet the new demands? Dr. Lewis: That’s one of the issues that I think people have really started to focus on. We had [Deputy Sec. of Defense] Lynn here about a month ago, and he said that DOD produces 80 people a year from their schools and who are skilled in cybersecurity. Then we had Richard Schaefer who’s the head of the Information Assurance Division at NSC and the head defense guy. He said yesterday that the U.S. produced a trickle of the people they needed. So we got to think how do we get folks interested, how do we provide the training, how do we figure out what to teach them. And it’s got to be building secure networks, teaching them forensic skills, leading them to think both offensively and defensively. There are not a lot of programs that do this right now. We had an event at CSIS yesterday on competitions as a way to attract high school students. One of the competitions is an online game. Part of the rules of the game is you can hack the game. So somebody hacked the game to really gin up their score but that’s what you want. You want people who are thinking, “here’s a new place to play, here’s a new place where I get to think about it.” But that’s how it is in the real world, you know. Some of it, too, is we might want to think about the two-year schools. We need Ph.D.’s in computer sciences, but that doesn’t mean that we only need Ph.D.’s in computer sciences. We need people who can go to these schools, learn the skills. But we also need to create market demand for it. The market isn’t going to hire people until they think there’s some reason for them to do it. On the government side, you’re seeing that demand increase remarkably, but on the private sector side, that’s not there yet. So we might want to think about how do we, how do we create demand for security specialists? IA-Forum: Do you think the U.S. has launched cyber attacks? Dr. Lewis: Oh, sure. We’re in the top four or five countries that can do this. IA-Forum: And for what purposes? Dr. Lewis: Well, I’m sure that they’ve been related to counter-terrorism in some way, which is a little stupid. One of the problems for us is we don’t really have any good strategic sense of what it is we’re doing. So we’ve got a new set of toys and people want to use them. You know, cyberspace is not the fundamental weakness of jihad, and so hacking a website or two doesn’t really give us that much help in the war on terrorism. One of the things that’s difficult here is that you can have private individuals who mainly do website defacement and denial of service attacks, the Russians call them “patriotic hackers” and they exist in China. People here do it as well, and they’re in Israel and in Arab countries; it’s all over the world. This is just a new way of doing political protest. It’s not a big deal but it happens all the time. IA-Forum: CSIS just had a program on “U.S. Cyber Challenge, Can We Catch Up?” -- what were the two or three takeaway ideas or concerns that came out of it you could share? Dr. Lewis: I think one was that people are interested in this stuff, and we talk about how people who are currently in high school or in college are much more tech savvy in some ways. They’re using Facebook and computers and mobile devices, and there’s a real interest in learning more about cybersecurity. That’s the good news. The bad news is we only have a trickle of people going in now. A couple of takeaways: first, lots of people are interested, which is good, since we don’t have a good flow now; the second part, folks are beginning to think not about teaching this in a very academic sense in the theory, but basing it more on practice, basing it more on what actually happens in the real world. So it’s not going to be medicine according to some theory. It’s going to be medicine based on what people actually discover when they practice it, and I think that move to a practical basis is a positive one. IA-Forum: Thank you, Jim. James Lewis is a Senior Fellow at the Center for Strategic and International Studies (CSIS) and Director of its Technology and Public Policy Program. Before joining CSIS, he worked for the federal government and received his Ph.D. from the University of Chicago.

Comments in Chronological order (0 total comments)

Report Abuse
Contact Us | About Us | Support Us | Terms & Conditions Twitter Facebook Get Alerts Get Published

All Rights Reserved. Copyright 2002 - 2022