Cyber Scene #79 - Tech Driving Geopolitics; Cyber at the Wheel
Cyber Scene #79 -
Tech Driving Geopolitics; Cyber at the Wheel
In the 1990's, Harvard Kennedy School's Dean Joseph Nye described the world as a three-dimensional chess board: the dimensions were political, economic, and military. In 2023, according to the UK's new National Cyber Force (NCF) Commander James Babbage as interviewed by The Economist in "Cyberwarfare: All in the mind" cyber is the "greatest cognitive effect" which derives from "tilting the playing field imperceptibly." Some readers may believe that cyber has turned the world upside down. Unlike diplomacy, economics, and military might, cyber is the invisible hand doing the tilting.
Babbage goes on to explain that this cognitive effect--responsible cyber power--is precise, calibrated, and accountable to a small group of ministers and Parliament. Simply put, in the Ukrainian theater of the Russian invasion, disruptions include "…influencing generals in their headquarters, rather than colonels in the field." Cyberwar is becoming far less bits and bytes and far more sophisticated.
A greater depth of this discussion comes from former Google CEO Eric Schmidt, who also co-authored "The Age of AI: And Our Human Future" with Henry Kissinger. In Foreign Affairs' "Innovation Power: Why Technology Will Define the Future of Geopolitics," Schmidt, like Babbage, maintains that "The ability to innovate faster and better---the foundation on which military, economic, and cultural power now rest…" is business as usual which will no longer prevail. Schmidt cites foresight and out-of-the-box thinking: Ukrainian President Zelensky's versatility in reconfiguring Ukraine's communications infrastructure when Russian attacks hobbled the existing ones; historic examples including Pizarro's defeat of the Incas; and Commodore Perry's steamboats to open Japan. But Schmidt avers, after discussing AI, that given the reliance of economies and the military on digital infrastructure, "…any future great-power war is likely to start with a cyber-strike." He concludes that while the U.S. still retains "pole position" in innovation for the present, he cites Silicon Valley's mantra: "innovate or die." While he focuses on the U.S., China and Russia in a broad perspective, President Zelensky would apply it quite personally in his country.
The Economist again looks at "the virtual front." Russia is bumbling no more and is unfurling its spring cyber-offensive. Dan Black, the former head of NATO's cyber-threat analysis branch, now working for Mandiant (part of Google), explains that since October 2022, Russia has extended it cyberattacks into its former, now NATO, countries and reinvigorated its cyber capacities including leaning on the GRU (Russia's military intelligence agency) to ratchet up. By January 2023, all three main Russian intelligence services were in the mix, attacking the governments and military of 17 European countries.
Black's beliefs are supported by the Washington Post's Craig Timberg, Ellen Nakashima, Hannes Munzinger and Hakan Tanriverdi's unusual disclosure of Russia's "trove of secret cyberwar ambitions." The 5,000 documents were sent by an anonymous contractor working for NTC Vulcan, first to a German reporter and then to a German-led consortium of news organizations. The documents include a wide swath of cyberattack plans as well as specific work by the hacking group Sandworm, which has been named responsible for Ukraine's blackouts, the 2018 Winter Olympics disruption, and launching NotPetya, "the most economically destructive malware in history." The documents cover a period from 2016 through 2021. Vulkan is based in Moscow, but some of the 135 employees have come to work in the U.S. while those in Moscow intended to use U.S. hardware for its Russian security services. Many examples of these treasures follow in this article for those readers who want to dig deeper into the treasure chest.
Even as Ukraine prepared for the worst, criticism regarding the West comes from Adm. James Stavridis (ret.), in a Bloomberg Opinion column whose own positions as both the U.S. European Commander and Supreme Allied Commander Europe (SACEUR) provide an educated perspective. He goes as far as stating that both sides of the Atlantic are guilty of giving Putin "a green light" due to their "digital appeasement" regarding cyber. He cites the invasions of Georgia (2008) and Ukraine (2014), Ukraine's blackout in December 2015, malware galore, and SolarWinds/Colonial Pipeline, inter alia. He offers that the West's diplomatic corps needs to appreciate the "digital dimension of geopolitics." He believes that a red line for cyberattacks should be established and "vague descriptions of cyber-aggression" should be avoided. The reluctance to escalate in response to an attack, according to Stavridis, should be balanced to avoid unchecked cyber-aggression. And lastly, he notes that there has been a false sense of security and that the U.S. needs to work instead on a sense of deterrence in cyber, likely with more aggressive responses.
Two weeks later, the New York Times' (the Times), Steven Erlanger picked up on the issue of deterrence. He discussed the changes in ramping up since the 2014 invasion of the Crimea, first citing Camille Grand, until recently NATO's Assistant Secretary General for Defense Investment who states: "The debate is no longer about how much is too much (for fear of upsetting Moscow) but how much is enough." As reported by Robert G. Bell, who has served as defense adviser to the U.S. NATO mission (2010-2017), countries can drag their feet or try to opt out, but if one country is heading in the wrong direction, a "consensus minus one" vote can rein that country in. The present SACEUR, General Christopher Cavoli, is dealing with how to maximize the 13 corps of 40,000 to 50,000 troops and how to best benefit from Finland's, and likely this summer Sweden's, accession to NATO. The former U.S. Permanent Representative to NATO, Ivo Daalder, notes that NATO had little fear of defending its own territory. "It did that for 40 years, and even if the muscles have atrophied, the muscle memory is there. The key is to have people and governments who never lived through this, learning how to do it."
Back on the Beltway cyber ranch, the recent release of the White House National Cybersecurity Strategy addresses all and additional issues cited earlier in this Cyber Scene edition. With the approved $65 billion in the Bipartisan Infrastructure Law as a key foundation, the National Cybersecurity Strategy is implementable. Of particular importance is the expressed requirement of close collaboration not just across civil society, State, local tribal and territorial governments, nor only allies and partners—countries to be held accountable—but particular to this readership, the need for close private sector engagement. President Biden states:
"…Our world is at an inflection point. That includes our digital world. The steps we take and choices we make today will determine the direction of our world for decades to come. This is particularly true as we develop and enforce rules and norms for conduct in cyberspace. The United States is prepared to meet this challenge from a position of strength, leading in lockstep with our closest allies and working with partners everywhere who share our vision for a brighter digital future."
The concise Strategy Introduction underscores the importance of robust public-private sector collaboration which "is essential to securing cyberspace." The five pillars that follow in the next 34 pages include defending critical infrastructure; disrupting/dismantling threat actors; shaping market forces to drive security and resilience; investing in a resilient future; and forging international partnerships for shared goals.
Not surprisingly, two discussions surfacing within a few days see the strategy coming to fruition.
The Times' David E. Sanger addresses the Strategy's assignment of responsibility to tech firms He underscores that the Strategy's good-faith efforts in the private sector are not enough, and that minimum cybersecurity standards need to be defined and required. Anne Neuberger, Deputy National Security Advisor for Cyber and Emerging Tech, adds "…that a voluntary approach to securing critical infrastructure and networks is inadequate." Sanger points out that while some of the implementation of the Strategy is in place, other issues would need Congressional approval. With the Senate and House split politically, that may be difficult.
A cybersecurity strategy is not new. Sanger notes that one started with George W. Bush, and with every president since. The key difference is that if enacted, new regulations and laws would "…perhaps impose liability on firms that fail to secure their code, much like automakers and their suppliers are held liable for faulty airbags or defective brakes."
Acting National Cyber Director, Kemba Walden, explained that "It just reimagines the American cybersocial contract…in our critical infrastructure." As explained more vividly by the former National Security Agency General Counsel Glenn S. Gerstell, "In the cyberworld, we're finally saying that Ford is responsible for Pintos that burst into flames because they didn't spend money on safety." As noted earlier in this Cyber Scene, Neuberger also used the early days of Russia's invasion of Ukraine as an exemplar of digital success where Ukrainian laws were changed quickly to move databases to the cloud to keep the Ukrainian government up and running.
C4ISR's Colin Demarest and Molly Weisner report that the Pentagon is changing as well: it is assessing how to transition its 225,000 employees in the cyber workforce to and from private industry. The article cites the Department of Defense (DoD) 2023-2027 Cyber workforce Strategy released in late March including four "human capital pillars" that look to "unprecedented levels of cross-pollination with the tech industry." The DoD strategy supporting the White House strategy reaches beyond tech: it points to "collaboration inside and outside government, academia and allied nations, and…a talent-exchange pilot project."
Given the long reach of the new National Cybersecurity Strategy, many lives of this readership may be touched. Stay tuned!