1 00:00:02,423 --> 00:00:05,180 - Hello and welcome again to another edition of 2 00:00:05,180 --> 00:00:08,870 Strategic Studies Quarterly, Issues and Answers. 3 00:00:08,870 --> 00:00:13,870 Today the issue, cyber. Or cyberspace if you prefer. 4 00:00:14,410 --> 00:00:18,670 Over the last 20 years, cyber capabilities, threats, 5 00:00:18,670 --> 00:00:22,010 and vulnerabilities have been ubiquitous in our 6 00:00:22,010 --> 00:00:24,040 national security discussions. 7 00:00:24,040 --> 00:00:27,040 And also critical to our national defense. 8 00:00:27,040 --> 00:00:30,040 Here to examine many of the aspects of the 9 00:00:30,040 --> 00:00:34,426 cyber domain is my guest, Doctor Pano Yannakogeorgos. 10 00:00:34,426 --> 00:00:38,290 He is the Dean of the Air Force's Cyber College. 11 00:00:38,290 --> 00:00:42,030 He holds a PhD in global affairs from Rutgers University 12 00:00:42,030 --> 00:00:46,670 and is a widely published author on cyber security. 13 00:00:46,670 --> 00:00:48,720 Pano, welcome to Issues and Answers. 14 00:00:48,720 --> 00:00:50,060 - Absolutely Mike, thank you for having me. 15 00:00:50,060 --> 00:00:53,110 - You know we've published a lot on cyber. 16 00:00:53,110 --> 00:00:55,340 We've published two special editions in fact, 17 00:00:55,340 --> 00:00:58,250 on cyber over the last 12 years. 18 00:00:58,250 --> 00:01:01,060 In almost every edition of Strategic Studies Quarterly, 19 00:01:01,060 --> 00:01:05,600 we have articles addressing some aspect of cyber. 20 00:01:05,600 --> 00:01:07,380 So let's get into a couple of issues 21 00:01:07,380 --> 00:01:08,913 and answers on that topic. 22 00:01:09,920 --> 00:01:12,070 First I'd like you to give us an overview 23 00:01:12,070 --> 00:01:15,000 of what you see are some of the greatest threats 24 00:01:15,000 --> 00:01:17,360 facing the United States and cyber. 
25 00:01:17,360 --> 00:01:20,680 Would you be able to classify those as hackers, 26 00:01:20,680 --> 00:01:23,130 criminals or our adversaries? 27 00:01:23,130 --> 00:01:24,550 - So I'm gonna break it down, Mike, 28 00:01:24,550 --> 00:01:27,540 into an actual threat probability. 29 00:01:27,540 --> 00:01:30,851 So, we see right now the greatest threat to the 30 00:01:30,851 --> 00:01:33,620 United States comes from criminal actors who are 31 00:01:33,620 --> 00:01:37,160 looking for profit by stealing people's personal 32 00:01:37,160 --> 00:01:39,400 identifiable information and re-selling it 33 00:01:39,400 --> 00:01:42,290 on the dark web or just stealing money 34 00:01:42,290 --> 00:01:43,700 straight out of people's bank accounts. 35 00:01:43,700 --> 00:01:45,790 So that's what we currently see right now 36 00:01:45,790 --> 00:01:50,470 as the greatest threat to the civilian population. 37 00:01:50,470 --> 00:01:54,290 However, we also have another greater threat 38 00:01:54,290 --> 00:01:57,030 to U.S. National Security which can be broken down 39 00:01:57,030 --> 00:02:00,030 into Nation-State sponsored activities. 40 00:02:00,030 --> 00:02:03,240 One is a Chinese theft of intellectual property 41 00:02:03,240 --> 00:02:06,120 from U.S. corporations, including defense contractors. 42 00:02:06,120 --> 00:02:10,450 And then the other is actually the targeting 43 00:02:10,450 --> 00:02:15,400 of the electoral process by the Russians, as is well known. 44 00:02:15,400 --> 00:02:18,033 So on the Chinese side, for me, that's the more, 45 00:02:18,988 --> 00:02:22,464 the greatest turf threat of all because 46 00:02:22,464 --> 00:02:25,700 at the end of the day, our American companies 47 00:02:25,700 --> 00:02:27,840 are innovating, putting a lot of investments 48 00:02:27,840 --> 00:02:29,330 and research and development into 49 00:02:29,330 --> 00:02:30,750 the research and development. 
50 00:02:30,750 --> 00:02:33,380 As a result, when the Chinese steal that money, 51 00:02:33,380 --> 00:02:34,920 they don't have to put that investment in. 52 00:02:34,920 --> 00:02:38,720 They can re-create the products, like the C-17 53 00:02:38,720 --> 00:02:42,213 which was re-developed as a Y-17 aircraft, 54 00:02:43,405 --> 00:02:45,190 and not have to 55 00:02:46,900 --> 00:02:47,950 actually go out and 56 00:02:47,950 --> 00:02:49,350 do all the hard work themselves. 57 00:02:49,350 --> 00:02:51,960 So they're almost able to leapfrog our military 58 00:02:51,960 --> 00:02:53,640 capabilities so the United States effectively 59 00:02:53,640 --> 00:02:56,393 becomes a Chinese research and development laboratory. 60 00:02:57,340 --> 00:02:59,540 - So it sounds like the threat is, I would call 61 00:02:59,540 --> 00:03:02,120 it a conglomeration of threats. 62 00:03:02,120 --> 00:03:06,340 And you mentioned, on the civil side particularly first, 63 00:03:06,340 --> 00:03:09,160 what would you consider the weakest link 64 00:03:09,160 --> 00:03:14,110 in that civilian side of this vulnerability? 65 00:03:14,110 --> 00:03:16,620 - The weakest link are the platforms and the software. 66 00:03:16,620 --> 00:03:20,120 So by platforms, I mean the hardwares that 67 00:03:20,120 --> 00:03:22,530 corporations create and deliver into the market 68 00:03:22,530 --> 00:03:25,150 and the software that creates the applications 69 00:03:25,150 --> 00:03:27,560 that allow users to interact 70 00:03:27,560 --> 00:03:29,520 with each other across the world. 71 00:03:29,520 --> 00:03:33,000 So, over the past three decades and the brief 72 00:03:33,000 --> 00:03:35,340 history of cyberspace that we have, 73 00:03:35,340 --> 00:03:37,680 industry has not provided us with 74 00:03:39,190 --> 00:03:42,480 software and hardware that is secure by design. 
75 00:03:42,480 --> 00:03:43,620 They're more interested in getting the 76 00:03:43,620 --> 00:03:46,660 products out to market and as a result, 77 00:03:46,660 --> 00:03:50,930 they don't conduct the best coding practices 78 00:03:50,930 --> 00:03:53,770 to make sure that their software is secure. 79 00:03:53,770 --> 00:03:55,700 And as a result, this vulnerability 80 00:03:55,700 --> 00:03:57,560 proliferates throughout society and 81 00:03:57,560 --> 00:03:59,040 that's what I believe the greatest 82 00:03:59,040 --> 00:03:59,950 vulnerability is right now. 83 00:03:59,950 --> 00:04:02,619 The actual software and hardware that 84 00:04:02,619 --> 00:04:05,935 exists in the consumer market today. 85 00:04:05,935 --> 00:04:08,220 - Maybe the answer to this next question 86 00:04:08,220 --> 00:04:10,010 may be quite obvious, but how would 87 00:04:10,010 --> 00:04:11,940 you decrease that vulnerability? 88 00:04:11,940 --> 00:04:14,900 What would you propose to decrease that while 89 00:04:14,900 --> 00:04:19,260 still maintaining cyber efficiency or effectiveness? 90 00:04:19,260 --> 00:04:22,250 - To be fair, to follow on, it's a hard problem 91 00:04:22,250 --> 00:04:26,910 because the gross national product is 92 00:04:26,910 --> 00:04:30,087 dependent on our IT services so we can't 93 00:04:30,087 --> 00:04:32,940 expect them to decrease their profit margin 94 00:04:34,023 --> 00:04:37,280 by taking time to produce that 95 00:04:37,280 --> 00:04:38,640 hardware and software that's secure. 96 00:04:38,640 --> 00:04:41,550 What can be done today, though, is that the consumers 97 00:04:41,550 --> 00:04:46,100 either at a personal level or at an enterprise level 98 00:04:46,100 --> 00:04:49,040 or at a U.S. 
government military level, 99 00:04:49,040 --> 00:04:52,420 can start asking through a contract for 100 00:04:52,420 --> 00:04:54,560 companies to implement cyber security 101 00:04:54,560 --> 00:04:57,970 features by design or by implementation into the 102 00:04:57,970 --> 00:05:01,050 products that are being delivered to large corporations. 103 00:05:01,050 --> 00:05:02,390 - To make that a requirement? 104 00:05:02,390 --> 00:05:03,223 - Correct. 105 00:05:03,223 --> 00:05:05,460 - You mentioned the government in there so 106 00:05:05,460 --> 00:05:07,673 that's sort of a lead into my next question. 107 00:05:08,929 --> 00:05:11,530 What do you think the DOD itself is 108 00:05:11,530 --> 00:05:13,033 most vulnerable in and why? 109 00:05:13,950 --> 00:05:16,410 - So that's a very interesting question. 110 00:05:16,410 --> 00:05:19,360 The Government Accountability Office, the GAO, 111 00:05:19,360 --> 00:05:22,600 issued a report back in October 2018 112 00:05:22,600 --> 00:05:25,950 that covers cyber weapons, cyber 113 00:05:25,950 --> 00:05:28,033 vulnerabilities and weapons systems. 114 00:05:29,101 --> 00:05:30,440 And it's a long lengthy report and I'll 115 00:05:30,440 --> 00:05:32,100 just summarize the gist of it. 116 00:05:32,100 --> 00:05:34,470 That is probably the greatest risk 117 00:05:34,470 --> 00:05:35,980 right now that the DOD faces. 118 00:05:35,980 --> 00:05:39,170 The actual cyber vulnerabilities within our 119 00:05:39,170 --> 00:05:41,830 military platforms that could potentially be 120 00:05:41,830 --> 00:05:44,480 exploited by a threat actor. 121 00:05:44,480 --> 00:05:46,650 - That has some of those vulnerabilities that 122 00:05:46,650 --> 00:05:49,100 the companies produced initially, it makes sense. 123 00:05:50,340 --> 00:05:54,160 Okay same question, on the DOD side, what should 124 00:05:54,160 --> 00:05:56,750 we do, what's the best way to fix those vulnerabilities? 
125 00:05:56,750 --> 00:05:59,563 And what's not being done now that we should be doing? 126 00:06:00,510 --> 00:06:03,560 - The one thing is to focus on again, the 127 00:06:03,560 --> 00:06:07,220 contractual relationship we have with companies. 128 00:06:07,220 --> 00:06:09,540 We need to educate and train our lawyers, 129 00:06:09,540 --> 00:06:12,080 our acquisitions professionals to be cyber 130 00:06:12,080 --> 00:06:14,890 savvy and to understand what keeper parameters 131 00:06:14,890 --> 00:06:18,110 can be included in a DOD acquisition contract 132 00:06:18,110 --> 00:06:21,110 that could hold a company culpable or liable 133 00:06:21,110 --> 00:06:24,260 for hacks that happen as a result of poorly 134 00:06:24,260 --> 00:06:26,430 designed systems or systems that did not 135 00:06:26,430 --> 00:06:29,298 have cyber security designed within them. 136 00:06:29,298 --> 00:06:31,510 There are certain steps that are being taken 137 00:06:31,510 --> 00:06:34,980 right now within DOD to actually start 138 00:06:34,980 --> 00:06:37,590 processes like this but it needs to be incultured 139 00:06:37,590 --> 00:06:40,710 within the acquisitions and the legal communities. 140 00:06:40,710 --> 00:06:43,428 - So we're not at that level quite yet. 141 00:06:43,428 --> 00:06:44,261 - (Pano) No. 142 00:06:45,260 --> 00:06:48,320 - Do we have the right talent to get to that level? 143 00:06:48,320 --> 00:06:50,750 And if we don't, how do we get it? 
144 00:06:50,750 --> 00:06:55,750 - So, educating those non-cyber career fields 145 00:06:56,280 --> 00:06:58,410 is the most important thing and the 146 00:06:58,410 --> 00:07:01,470 Air Force is headed in the right direction 147 00:07:01,470 --> 00:07:03,780 with the standard of the Air Force Cyber College 148 00:07:03,780 --> 00:07:07,420 where educating the legal communities, acquisitions 149 00:07:07,420 --> 00:07:09,760 communities, and others on how to start 150 00:07:09,760 --> 00:07:12,720 asking the right questions to start 151 00:07:12,720 --> 00:07:14,920 re-shaping the technical environment, 152 00:07:14,920 --> 00:07:17,713 at a policy and strategic level. 153 00:07:19,648 --> 00:07:22,170 - Well I'm gonna ask this next question, 154 00:07:22,170 --> 00:07:23,800 and it has to do with Congress. 155 00:07:23,800 --> 00:07:26,140 And we've seen a lot of action from 156 00:07:26,140 --> 00:07:29,070 Congress over the past few years. 157 00:07:29,070 --> 00:07:32,220 Is that level of involvement, Congressional 158 00:07:32,220 --> 00:07:34,870 oversight, in your opinion is it too little, 159 00:07:34,870 --> 00:07:37,521 too much or just too late? 160 00:07:37,521 --> 00:07:40,090 - I think it's just right. (both chuckle) 161 00:07:40,090 --> 00:07:42,893 I'll stick with that from the Goldilocks paradigm. 162 00:07:43,988 --> 00:07:46,580 So, you don't want Congress to get too 163 00:07:46,580 --> 00:07:48,904 heavily involved in offering regulations 164 00:07:48,904 --> 00:07:52,300 'cause that could generally stifle innovation. 165 00:07:52,300 --> 00:07:54,800 I think a softer, carrot and stick approach 166 00:07:54,800 --> 00:07:56,980 is to try to reshape the environment 167 00:08:01,172 --> 00:08:03,520 through measures such as re-defining the 168 00:08:03,520 --> 00:08:05,910 acquisition process and things like that. 
169 00:08:05,910 --> 00:08:07,910 If the environment doesn't improve over time 170 00:08:07,910 --> 00:08:10,120 then it might be the right opportunity 171 00:08:10,120 --> 00:08:11,690 to ask Congress to do more. 172 00:08:11,690 --> 00:08:14,230 They have been including the right language, 173 00:08:14,230 --> 00:08:16,870 the appropriate language in the most recent 174 00:08:16,870 --> 00:08:19,130 National Defense Authorization Act. 175 00:08:19,130 --> 00:08:21,171 And right now, that's been a great 176 00:08:21,171 --> 00:08:23,820 way to kind of signal to industry 177 00:08:23,820 --> 00:08:26,580 and also within the DOD of the importance 178 00:08:26,580 --> 00:08:29,710 that cyber security and cyber mission 179 00:08:29,710 --> 00:08:32,087 assurance should be taking for the DOD. 180 00:08:34,170 --> 00:08:36,130 - I know you've heard and read 181 00:08:36,130 --> 00:08:38,790 a lot about this next topic. 182 00:08:38,790 --> 00:08:42,440 It's more of a specific nature to one 183 00:08:42,440 --> 00:08:45,860 of the concerns some people have in cyber 184 00:08:45,860 --> 00:08:47,100 in the United States right now. 185 00:08:47,100 --> 00:08:49,140 And that's the issue of Huawei, 186 00:08:49,140 --> 00:08:52,273 the Chinese company Huawei and its 5G network. 187 00:08:53,630 --> 00:08:55,380 Is that really something we should be 188 00:08:55,380 --> 00:08:57,380 concerned about or worry about? 189 00:08:57,380 --> 00:09:01,720 - Absolutely. So, I'll give you an example. 190 00:09:01,720 --> 00:09:04,580 Let's not use the 5G network as an example, 191 00:09:04,580 --> 00:09:06,390 let's just take it up a higher level and talk 192 00:09:06,390 --> 00:09:10,610 about the Chinese behavior currently in cyberspace. 
193 00:09:10,610 --> 00:09:12,620 The Chinese have been pilfering intellectual 194 00:09:12,620 --> 00:09:15,320 property using existing networks that 195 00:09:15,320 --> 00:09:18,880 they don't own and control, like Cisco routers 196 00:09:18,880 --> 00:09:21,120 they haven't developed and other things like that, 197 00:09:21,120 --> 00:09:22,910 in order to steal secrets to actively 198 00:09:22,910 --> 00:09:25,843 and aggressively go after intellectual property. 199 00:09:27,810 --> 00:09:30,010 If they now have an additional level of control 200 00:09:30,010 --> 00:09:32,010 over the physical infrastructure through 201 00:09:32,010 --> 00:09:35,070 Huawei's 5G equipment, I'm pretty sure 202 00:09:35,070 --> 00:09:36,820 their strategic culture is not automatically 203 00:09:36,820 --> 00:09:38,487 gonna shift overnight and they're gonna say 204 00:09:38,487 --> 00:09:40,690 "Okay, now that we have Huawei in your networks 205 00:09:40,690 --> 00:09:42,100 we're gonna stop hacking you". 206 00:09:42,100 --> 00:09:43,420 So I'm pretty sure the trend that we've 207 00:09:43,420 --> 00:09:45,320 seen in the past will only be amplified 208 00:09:45,320 --> 00:09:49,230 as a result of more and more Chinese equipment 209 00:09:49,230 --> 00:09:50,893 being put on networks globally. 210 00:09:51,790 --> 00:09:54,170 - So it sounds like that risk is pretty great. 211 00:09:54,170 --> 00:09:55,003 - Absolutely. 212 00:09:58,350 --> 00:10:00,593 - In the winter 2019 edition, 213 00:10:02,739 --> 00:10:05,330 the upcoming edition at the end of this year, 214 00:10:05,330 --> 00:10:09,070 will be a special edition on great power conflict. 215 00:10:09,070 --> 00:10:12,800 Can you briefly mention how you think cyber 216 00:10:12,800 --> 00:10:16,140 may play out, or play a part in a great 217 00:10:16,140 --> 00:10:18,360 power conflict maybe before, during, 218 00:10:18,360 --> 00:10:20,460 and after a great power conflict? 219 00:10:20,460 --> 00:10:21,293 - Absolutely. 
220 00:10:22,652 --> 00:10:24,710 We kind of break it down as a two way. 221 00:10:24,710 --> 00:10:27,750 So cyber catastrophe or cyber peacemaker. 222 00:10:27,750 --> 00:10:29,740 And the cyber peacemaker is more of a tongue-in-cheek. 223 00:10:29,740 --> 00:10:32,490 But I'll start with cyber catastrophe. 224 00:10:32,490 --> 00:10:34,293 Before the great power conflict, 225 00:10:35,600 --> 00:10:39,210 nation-states will have been implanting 226 00:10:39,210 --> 00:10:41,410 software on each other's critical infrastructure, 227 00:10:41,410 --> 00:10:43,270 they will have been stealing information 228 00:10:43,270 --> 00:10:45,500 from each other to better understand their 229 00:10:45,500 --> 00:10:47,470 military plans, policies, procedures, 230 00:10:47,470 --> 00:10:50,240 they will have developed equipment based on America's 231 00:10:52,030 --> 00:10:55,783 greater technological innovations and copied it. 232 00:10:56,740 --> 00:10:58,450 So when the great power conflict starts, 233 00:10:58,450 --> 00:10:59,890 they'll take all the advantage they've 234 00:10:59,890 --> 00:11:01,860 had in cyberspace and start acting on it. 235 00:11:01,860 --> 00:11:04,560 So the military secrets or political secrets 236 00:11:04,560 --> 00:11:06,560 that they would have stolen, they'll be able 237 00:11:06,560 --> 00:11:08,980 to reshape their own military strategies 238 00:11:08,980 --> 00:11:10,493 to best counter ours. 239 00:11:11,460 --> 00:11:13,930 The military platforms that they will have developed 240 00:11:13,930 --> 00:11:17,130 as a result of stealing our military 241 00:11:17,130 --> 00:11:20,100 developmental secrets will enable them to 242 00:11:22,970 --> 00:11:26,830 have equipment that is as capable or more capable 243 00:11:26,830 --> 00:11:29,360 than our own on the battlefield. 
244 00:11:29,360 --> 00:11:33,210 So that's the cyber catastrophe scenario, 245 00:11:33,210 --> 00:11:35,500 where things are going on in the traditional 246 00:11:35,500 --> 00:11:37,230 domains of warfare and then at the same time 247 00:11:37,230 --> 00:11:39,410 with all those implants that are implanted 248 00:11:39,410 --> 00:11:42,360 across the cyber domain, things could start 249 00:11:42,360 --> 00:11:44,640 exploding and have kinetic effects as 250 00:11:44,640 --> 00:11:46,330 a result of someone on the other side 251 00:11:46,330 --> 00:11:47,830 of the world pushing a button. 252 00:11:48,770 --> 00:11:50,810 But the thing is with great power conflict, 253 00:11:50,810 --> 00:11:53,470 you have all sides doing this to each other. 254 00:11:53,470 --> 00:11:56,910 So this is where my cyber pacifier example comes in. 255 00:11:56,910 --> 00:11:59,900 Where you have all the airplanes and all 256 00:11:59,900 --> 00:12:01,890 the modern military equipment taken off 257 00:12:01,890 --> 00:12:03,610 and because the hackers have been so good 258 00:12:03,610 --> 00:12:05,510 at what they do, they just turn around 259 00:12:05,510 --> 00:12:07,810 and land again, or crash. 260 00:12:07,810 --> 00:12:10,350 And as a result, there is no conflict as a result 261 00:12:10,350 --> 00:12:14,855 of the adeptness of great powers to hack each other. 262 00:12:14,855 --> 00:12:16,030 (laughs) 263 00:12:16,030 --> 00:12:17,450 - I like the way you characterize 264 00:12:17,450 --> 00:12:19,283 that as cyber pacifism. 265 00:12:20,750 --> 00:12:23,360 Last question. You and I have talked before 266 00:12:23,360 --> 00:12:24,940 and we've published several pieces 267 00:12:24,940 --> 00:12:28,680 on the offensive nature of cyber, offensive 268 00:12:28,680 --> 00:12:31,740 cyber capabilities, particularly hack-backs. 269 00:12:31,740 --> 00:12:33,810 I remember you sharing some thoughts 270 00:12:33,810 --> 00:12:35,483 on that several years ago. 
271 00:12:36,507 --> 00:12:39,529 What are your thoughts on the subject now? 272 00:12:39,529 --> 00:12:43,330 The subject of hack-back and/or offensive cyber operations. 273 00:12:43,330 --> 00:12:46,420 We've just seen the President recently 274 00:12:46,420 --> 00:12:49,300 within the last year saying, "The military, 275 00:12:49,300 --> 00:12:52,016 we're going to sort of release you to do 276 00:12:52,016 --> 00:12:53,179 more of these kinds of things". 277 00:12:53,179 --> 00:12:56,800 And recently in the news, we've seen some examples of that. 278 00:12:56,800 --> 00:13:00,533 So, what are your thoughts on the offensive cyber? 279 00:13:01,510 --> 00:13:03,170 - I think there's too much attention paid 280 00:13:03,170 --> 00:13:05,053 to offensive cyber, I'll start there. 281 00:13:08,212 --> 00:13:11,410 Around the world, countries are developing 282 00:13:12,550 --> 00:13:14,150 cyber commands or something 283 00:13:14,150 --> 00:13:16,020 that looks like a cyber command. 284 00:13:16,020 --> 00:13:18,700 And a lot of the purpose of the cyber command 285 00:13:18,700 --> 00:13:21,360 is to start trying to think of offensive ways 286 00:13:21,360 --> 00:13:24,130 to integrate cyber into military operations. 287 00:13:24,130 --> 00:13:26,424 I think the better thing to do to create 288 00:13:26,424 --> 00:13:29,000 more stable global cyberspace is to focus 289 00:13:29,000 --> 00:13:31,940 on defensive measures like the United States is doing. 290 00:13:31,940 --> 00:13:33,520 When we're talking about the American side 291 00:13:33,520 --> 00:13:35,330 of the command we're focused on cyber protection 292 00:13:35,330 --> 00:13:38,610 teams and things that are being done 293 00:13:38,610 --> 00:13:43,500 in order to defend our assets and ensure 294 00:13:43,500 --> 00:13:45,610 that our military operations can 295 00:13:45,610 --> 00:13:47,910 achieve the commander's intent. 296 00:13:47,910 --> 00:13:50,340 So that's my own personal view of where we think. 
297 00:13:50,340 --> 00:13:54,620 But now my general thoughts of offensive cyber 298 00:13:54,620 --> 00:13:57,130 are that if countries and nation-states 299 00:13:57,130 --> 00:14:00,460 try to develop offensive cyber capabilities 300 00:14:00,460 --> 00:14:03,210 they have two real models to look after. 301 00:14:03,210 --> 00:14:06,460 First is Stuxnet and the second is NotPetya. 302 00:14:06,460 --> 00:14:10,260 Stuxnet example is one that had a cyber 303 00:14:10,260 --> 00:14:12,830 capability that was deployed against 304 00:14:17,064 --> 00:14:17,897 an illegal nuclear activity within Iran. 305 00:14:20,300 --> 00:14:21,300 It was meant to disrupt the program 306 00:14:21,300 --> 00:14:23,300 in accordance with the United Nations 307 00:14:23,300 --> 00:14:25,570 Security Council's resolutions. 308 00:14:25,570 --> 00:14:27,390 When it got out into the wild and spread 309 00:14:27,390 --> 00:14:29,380 around the world, there was no effect. 310 00:14:29,380 --> 00:14:32,580 It just laid there dormantly on systems worldwide. 311 00:14:32,580 --> 00:14:35,630 So that's an example of an offensive cyber 312 00:14:35,630 --> 00:14:40,630 capability that states can look at as a model 313 00:14:40,840 --> 00:14:44,900 for what a responsible way of using a cyber weapon is. 314 00:14:44,900 --> 00:14:46,943 An irresponsible way is NotPetya. 315 00:14:48,475 --> 00:14:51,650 NotPetya was where the Russians hacked into 316 00:14:51,650 --> 00:14:54,510 a Ukrainian tax software that the Ukrainians 317 00:14:54,510 --> 00:14:58,113 used in order to conduct a ransomware attack. 318 00:14:59,034 --> 00:15:03,310 NotPetya went beyond the borders of the Ukraine 319 00:15:03,310 --> 00:15:05,260 and went around the world. It caused millions 320 00:15:05,260 --> 00:15:06,740 and hundreds of millions of dollars 321 00:15:06,740 --> 00:15:09,440 in economic damage worldwide because 322 00:15:09,440 --> 00:15:11,830 it was ransoming everything it touched. 
323 00:15:11,830 --> 00:15:14,830 So that's an example of a cyber, offensive 324 00:15:14,830 --> 00:15:18,690 cyber capability that is irresponsible 325 00:15:18,690 --> 00:15:21,360 and could actually be leveled at a war crime. 326 00:15:21,360 --> 00:15:23,170 Because at the end of the day, anything 327 00:15:23,170 --> 00:15:25,560 that a military fields in cyberspace 328 00:15:25,560 --> 00:15:28,710 has to abide by international laws and rules 329 00:15:28,710 --> 00:15:31,410 and norms of responsible state behavior 330 00:15:31,410 --> 00:15:33,563 and also laws of armed conflict. 331 00:15:34,400 --> 00:15:36,360 The hack-back question is a perplexing one 332 00:15:36,360 --> 00:15:39,640 because by that I understand it to mean 333 00:15:39,640 --> 00:15:40,880 private sector hack-backs. 334 00:15:40,880 --> 00:15:44,250 So a company gets hacked and lots of companies 335 00:15:44,250 --> 00:15:46,850 are demanding that they have the right to hack back. 336 00:15:46,850 --> 00:15:48,760 I think that's a very dangerous situation 337 00:15:48,760 --> 00:15:51,340 because you want to allow the state to 338 00:15:51,340 --> 00:15:54,400 still have monopoly over the use of force, 339 00:15:54,400 --> 00:15:57,640 over having legitimate law enforcement mechanisms 340 00:15:57,640 --> 00:15:59,870 to tackle hacker organizations. 341 00:15:59,870 --> 00:16:02,540 If we start to allow private companies 342 00:16:02,540 --> 00:16:05,080 to go out and cause destructive activities 343 00:16:05,080 --> 00:16:07,370 to counter hackers that are attacking their networks 344 00:16:07,370 --> 00:16:09,420 there could be broader implications 345 00:16:09,420 --> 00:16:12,483 that create more instability in the domain as a result. 346 00:16:14,790 --> 00:16:17,059 - Well it sounds pretty scary and in the last 347 00:16:17,059 --> 00:16:20,260 few minutes, you've given us a lot to think about. 
348 00:16:20,260 --> 00:16:23,210 I suspect that cyber will remain very important 349 00:16:23,210 --> 00:16:26,480 to our national security and to our lives. 350 00:16:26,480 --> 00:16:29,260 So on behalf of team SSQ and the entire 351 00:16:29,260 --> 00:16:31,990 SSQ audience, Pano thank you very much. 352 00:16:31,990 --> 00:16:33,470 - Absolutely. Thank you for having me again. 353 00:16:33,470 --> 00:16:34,303 - My pleasure.