The Middle East Institute and Raytheon hosted a conference on "Strengthening U.S.-Arab Cyber Security Policy Cooperation." Sean Kanuck (Attorney and Strategic Consultant; former National Intelligence Officer for Cyber Issues) focused on global information threats.
Sean: Well thank you very much for that kind introduction Ambassador Chamberlain and it’s a pleasure to be here with you all and I would like to underscore what a great program you have. I know a lot of your speakers who come after me and they’re perfect for the points of the discussion they’re going to participate in, whether it’s, you know, former White House National Security Council members or Jim Lewis, of course, rapporteur for the UN Group of Governmental Experts for a couple instances of that, and obviously leading the efforts over at CSIS.
So it’s an honor to be a part of this. I’m going to talk for about 30 minutes from the area of my former work and expertise. The strategic analysis, the risk assessment, estimate of risk assessment, what do I see as the threat landscape. I’ll try to make it particularly apposite to the Middle East area and Arab policy, but if there are specific aspects that we want to explore further, we will have time for Q&A in that area. So I’d like to start with just acknowledging that when I was at the National Intelligence Council, for four of the five years that I was there, in fact the last four, cyber was the first thing that Director Clapper discussed in his annual worldwide threat assessment to Congress.
Now if you were doing it alphabetically, Africa and counterterrorism would have come first and it’s also quite surprising that it wasn’t weapons of mass destruction or other things, and that’s because cyber is increasingly a part of all of your other national security concerns, including critical infrastructure protection itself. So if you go back and you read those testimonies 2014, 2015, 2016, we kept saying things about the nature and the severity and the sophistication of this threat increasing and the range of actors, targets and vectors of penetration expanding and increasing.
The message we were giving was this problem is becoming more and more relevant, and if you take one takeaway, I’m going to tell you that not only do I think that’s continuing, but for reasons that we’ll explore in a minute or two, I think it’s just about to really take off on the exponential cart. This year, the worldwide threat assessment started with page one. Anyone know? The Internet of things and artificial intelligence.
Not what we’d normally think of in a national security assessment, but the reason is every aspect of our lives are increasingly depending on this and as we go to a grid, a network, where your critical infrastructures are dependent on a myriad set of devices that are geographically distributed, that are communicating with each other and running every aspect of your life to keep it efficient and productive, that increases the vulnerability surface area or the threat landscape.
So I’d like to start with a conceptual framework of how I think about this. I was invited to give a speech in Tokyo earlier this year and they asked me to talk on international cyber security and I respectfully asked instead if I could make a presentation on global information risk. I changed all three words and for reasons that I think are really important for us all to understand. International to global. This is not just an issue for governments and it’s not just an issue to be decided between governments.
Those of you who follow the Internet governance discussions, you’ll know there’s that distinction between multilateral and multi-stakeholder. Multi-stakeholder including the panoply of civil society, whether it’s industry, academia or other non-governmental organizations, activist groups, all of them being relevant to what the Internet is going to be going forward. I also say global because that’s the way the entities that run the Internet, the real infrastructure activities and the way that businesses that are seeking to profit from it think.
If you are a multinational corporation, regulations and compliance are just a transaction cost. That is not the way you want to be running your business. You do to be compliant and adhere to the laws in all the jurisdictions where you’re doing your business. But you think of scale, you think of efficiency, you think of speed. You’re thinking about trans-border data flows.
You are thinking about locating your data centers in the most advantageous area where it will be cost effective with reliable energy, electricity, etc., and physical protection, police power available to protect your assets. Those who are really doing this think global and they don’t just think that everything they’re pursuing is going to be done through a sovereign nation sitting at a UN meeting or an ITU meeting with a government name placard in front of them. So I encourage you all, think global when you think about these issues, not just international. Secondly I changed cyber to information for two reasons. First, cyber is a very ambiguous term which means a lot to some people and almost nothing to others. Back in the forties it was an engineering term, the cybernetics of decision theory. In the eighties it was a term captured in a fiction novel. It’s now become a part of pop culture. In the west - North America, Western Europe - we equate cyber usually with critical infrastructure protection. It’s the way we in the United States have largely dealt with it as a policy matter since the war on terrorism started. We’re talking about protecting our networks, making sure the pipes worked.
If you go to some of our Eurasian colleagues – Russia, China, others – they think about the content that’s flowing through the pipes as what really matters. Read the Russian Federation’s information security doctrine. It talks about things like mass broadcast media. It talks about a national cultural information space. In the United States, we have an incredibly liberal First Amendment where we permit a wide range of things to transit those pipes, some of which would be illegal even in our close allies like the United Kingdom, so we’re at one antipode of that spectrum.
Others look at it as an area to protect public safety, ensure the political prestige and continued rule of certain political parties, etc. So we need to understand how the rest of the world is thinking of this and we need to go back to some of our own literature from the late nineties. Joint Pub 3-13 from the Defense Department in ’96 and ’98 was talking about information warfare and information confrontation, the same kind of things you’re seeing today and you’ve seen all along the last few decades in some of the military doctrine of countries like Russia and others.
So think about the information itself. The second reason I say think about the information itself is because cyber is really nothing more than a means to an end. You’re trying to earn business revenue. You’re trying to exert coercive military power. You are trying to do something else in cyberspace is for a reason, and sometimes I use the kitsch example of you’re emailing a cookie recipe, a holiday cookie recipe. That recipe does you no good until you actually act upon the information and bake the cookies. Okay?
The simple sending zeros and ones, printing, none of that matters until you can actually operationalize it and take action on it. If you’re running an enterprise, whether it’s a government or a company, it is the information value that matters to you, not cyber in some ambiguous sense. The last word I changed is security. I changed it to risk because I don’t believe perfect cyber security has been, is or will ever be possible. It is a contested environment. It’s one where there will continue to be adversaries and criminals, sort of like the counter-intelligence world that I’m familiar with from my prior career and you expect you need to continue your mission and succeed despite the fact that you will have antagonism and degradation of that environment. Think about everything else we do in a public policy context. Whether it’s traffic safety on American highways, where we balance a speed limit for effective interstate commerce with approximately 30,000 human lives lost in the United States every year on our roads.
We’ve had a public policy decision, a consequentialist decision if you want to think of it philosophically, about where we want that balance to be in our society. Pair that when we think about terrorism or cyber security, we expect it to be zero. We expect the casualties to be zero. I hate to say it but I do not think we are going to live in that world and if you talk to micro-economists, they will tell you you do not want to live in a society with zero crime. You want to come close to that asymptote, reduce the limit, but you do not want to live in a police state that is able to prevent any kind of violent crime.
Think about it. Democracies, privacy, business, so I encourage you all as we go through the next, you know, bit of our discussion and through your whole day, think global, think information and think risk because that’s the way you’re going to have to be dealing with this issue going forward. And now I want to talk about the global part, global interoperability. I believe you’re going to have the physical connectivity across all regions of the world and I think that’s going to continue. You hear talk about balkanization of the Internet and are you going to have these enclaves.
Well I don’t think it’s going to happen at the physical level. I can maybe think of two or three countries who have wanted to have some degree of actual isolation and even that is getting more difficult in today’s world with satellites as well as fiber. So then I go to the technical functionality. Will those different jurisdictions be able to interface? Think about the analogy to eighteenth and nineteenth, nineteenth and twentieth century rail gauges.
There were some countries, Russia, Czarist Russia, who intentionally had a different rail gauge than Europe because they didn’t want munitions and armies quickly being able to roll through into the east. They had learned from some historical experience. Now that came with a transaction cost for commerce. You used to have to shift cargos to be able to do that international trade.
Today we tend to have a set of standards and protocols that most of the world is using, TCP/IP being the main one for Internet communications, and even where you might have jurisdictions that would use the equivalent of different rail gauges, you’re going to have private sector solutions that are going to interpret or bridge those gaps, so I don’t think it’s going to be on a technical functionality either.
Where I think you’re going to see rifts, and I think we see it with some of the domestic regulations in areas of the Middle East and that’s where I’m going to focus today because of the audience and our purpose, but there also is in east Asia where I could give similar examples, but you see the equivalent of passport control booths and customs toll booths being set up, okay? A decision of which packets can enter or not, filtering, or an effort to tax and raise state revenue from some of those communications.
Think about how long distance telephone communications used to work in the past. The country receiving the call, often in the developing world, would charge the calling end a rate. Well that, one of the discussions in the past in the ITU conversations was should the Internet be working in a similar way? Is there tax revenue to be gained from here? We even see that domestically in the United States with the question of should there be an Internet sales tax. I don’t want to dwell on this issue but the point I want to make before moving on is I think the limitations to freedom of information data flows are going to be regulatory.
I don’t think they’re going to be technical and I don’t think they’re going to be physical impasses, and that’s important when you think about policies, because what we’re seeing is a massive convergence at a series of levels. The devices we’re using. We pretty much nowadays carry one smart device instead of phones, palm pilots, computers, etc. We also have networks that have converged. Most countries do not have dedicated circuits for the military and government officials.
We may encrypt and virtually tunnel the information we’re sending, but it’s going over that exact same piece of fiber that you may be sending that holiday cookie recipe to me on. That means we have single points of failure. It means we’ve co-located our military with our civilian assets. Lots of policy and legal implications in these issues, especially as the environment becomes more contested. Lastly, the protocols are increasingly converging as well, and that’s of course for efficiency purposes.
We now see audio telecommunications going by TCP/IP data packets as well, just as a simple example. Convergence is also happening at a conceptual level. We’ve seen the infrastructure being considered more as a utility but in the complexity of the information infrastructure into the system, if you will. Think about how you interact with plumbing and water sanitation in the city you live in. You largely have a Boolean interaction with a very complex network. Think about how you interact with electricity. Right? Now think about how you interact with cyber security. Are you off buying a firewall?
Are you installing, it’s much more complex at the user or consumer end than most traditional utilities and what you’re going to see with the Internet are things an automated infrastructure is more of that move and hopefully moving some of that complexity back to the manufacturers and the infrastructure operators. Now that’s good in one sense of efficiency. It’s also more of challenge for people who are trying to do security on those networks because the minute you outsource anything, you’re also outsourcing the security of it.
The physical security, the personnel vetting, the information security, the critical infrastructure dependence. I don’t know if we have any information security officers in the room but sometimes when I speak to industry I ask them how many of you have gone and visited the physical perimeter security on the electric transformer for the electric company that provides electricity to the cloud service provider in whatever country you’ve outsourced your data to. Of course zero hands go up.
But if you’re a digital information company, if you are a financial institution, if you are an ecommerce site, that is your most valuable asset and many of them don’t know what’s actually protecting them. They don’t actually know the risk they’ve assumed. It doesn’t mean it’s a bad idea to use cloud providers. Wonderful opportunities there, but if you are a government leader, if you are a CEO, you need to know where your risk is, how you’re hedging it, how you’re managing it, and then of course, in a highly interface interdependent world, your upstream and downstream integration within your industry are all of the retailers in a certain segment dependent on a single wholesaler, a single logistics point of failure.
Are you dependent on a single supplier of your inputs? Are you critically dependent on other sectors who may have very different cyber security standards than yours? Quite frankly, every critical sector identified by DHS relies on the electricity sector today. They pretty much all rely on the telecommunications sector as well. Think about finance. You’re not doing stock trades without electricity and telecommunications. I would offer the financial sector one of the most forward leaning and best positioned, not perfectly, but best positioned to deal with cyber security issues, yet they themselves are dependent on other sectors, which may not be as forward leaning.
I’ve already noted that the pace of technological change is dramatically increasing. My old work, we were looking at data analytics, machine learning, artificial intelligence, even augmented reality and additive manufacturing. The changes that are upon us, and we’re not even looking at the synergies yet and my discussion with bio and nano as they come into information technology.
Your world, the world we are experiencing, is going to transform at a rate that will make the information change we’ve seen to date look slow and boring and that’s really tough for a lot of people to understand, but talk to people in the innovation side of things, whether it’s in Silicon Valley or another place in China, Israel, etc.
You’re about to see that really take off and quite frankly the speed with which government procures hardware and software or gives out contracts, the race to marketplace is causing people to bring Internet of things, devices on line, very quickly without putting in the kind of ex-ante security testing and implementation that you would want, especially when these devices are going to be communicating with your infrastructure.
You’re going to have household appliances and solar panels, windfarms that are already feeding energy back from the grid, giving information that will be used to determine infrastructure flows. This year the Director of National Intelligence, on that very first page, talked about the potential opportunities for malevolent actors to try to influence those automated systems by feeding them inaccurate information.
These are concerns we need to be thinking about and we need to be thinking about before all these devices are in place. The Middle East is obviously an area of a lot of political tension and historical conflict, unfortunately current today as well and we’ve seen the use of cyber activities. We are familiar with the distributed denial of services against the U.S. financial sector in 2012 and 2013. We’re familiar with the disruptive attacks on Saudi Aramco and RasGas.
We’re familiar with the problems caused to Las Vegas Sands casino company, of which the Director of Intelligence in the past has attributed to Iranian actors and we’re also familiar with things which have happened in other countries in that region. We’re familiar with the Stuxnet code and other activities. So it’s an area where there’s geopolitical conflict and there’s been a substantial amount of cyber activity, either happening there or allegedly happening from there.
So what are the cyber-attack trends that I see? As an easy mnemonic, a few of these all start with the letters IN, so I talk about it as cyber trends, trends in cyber-attacks. First intervention, and I’m not saying armed attack, because what I’ve noticed and observed is most of the conflict is intentionally occurring at a level below what would traditionally trigger Article 2(4), Article 51 of the UN Charter. It’s coercive activity that is meant to happen below the level at which a kinetic military reprisal would be warranted or accepted by the international community.
That’s important. That means this tool is being used as an asymmetric coercive tool to use against actors who may not be willing to get into a military conflict weapon. To put into a Middle East context, there are a lot of countries who historically have learned that they do not want to be in a hot military conflict with the United States military or the Israeli defense forces. Cyber may be a means of pursuing political objectives without getting into those hot military conflicts. I think that’s what we’ve seen. My next two IN’s are industry and infrastructure.
Unfortunately I’m increasingly seeing a trend in private sector entities getting attacked when countries or non-state actors can’t attack the government they really want to. We see that happening in the financial sector for example. If you can’t cause harm to a central bank, we seem malevolent going after commercial banks in that same country. We’ve seen issues with the power suppliers, power grid entities in Ukraine.
So that’s very concerning because we had a trend from the end of World War II on embodied in the Geneva Conventions, that civilians and civilian infrastructures were supposed to be protected from geopolitical conflict and military conflict. In cyber space, we almost see the opposite trend. That is very concerning to me and should be concerning to all people in the policy realm. My next N is indirect. You can’t get to where you want to be, you’ve already said the private sector is one option, but can you go somewhere else in that chain upstream, downstream, nearby, to cause an impact on the entity you want. Think about the Syrian Electronic Army’s penetration of The Associated Press’ Twitter account, where they put out a false tweet which had a five minute impact on the U.S. stock indexes. Arguably the Dow Jones moved, I think it was about 140 points for five minutes based on this allegation, soon to be proven false five minutes later, that there had been an explosion at the White House a couple years back, and eventually that’s disproven and the money comes back into the marketplace, or the value comes back into the marketplace, but that was a massive redistributive event.
The value didn’t go back into all the exact same brokerages and funds who had held it earlier. So you indirectly went after a journal, a media outlet and you caused a financial sector impact. Unfortunately adversaries and criminals are thinking along those lines. If I can’t get directly where I want to be because it’s well protected, can I cause that impact indirectly, and then as the Syrian Electronic Army example used and also there are others of more recent note, it went after the integrity of information.
Remember I said it’s not about cyber; it’s about the value of information? The minute you turn out the lights in my building, I know I have a problem and I can start my remediation efforts. If you read some of the private cyber security experts and their reports, they say that many entities don’t know they’ve been hacked for 200, 300 even 500 days I think was the average for Asian companies. Half the problem in this game is knowing you’ve been penetrated and knowing you have a problem.
The nefarious aspect of an integrity of information attack is you may not know when it started. You may not know how long it’s been impacting you and it may be very difficult to remediate. So let’s talk about attributing and responding. Real time, high confidence attribution remains difficult. It is true that both public and private sector entities are getting much better at being able to definitively attribute things when they can put in the necessary time and resources to do those forensic investigations.
But at the speed of cyberspace, if you are a military commander trying to decide if what’s happening on your networks is a foreign military adversary or if it’s just a teenage criminal in your own country, you probably will not have that high confidence answer within the two minutes, one minute, 15 seconds you would want if that were really an effort to decapitate your command and control capabilities. Think about the nuclear era. I’m not a nuclear expert but I’m told you had something like 15 minutes to determine if there really was a launch of an ICBM coming over the pole and to get your Commander in Chief on the phone with your Chairman of the Joint Chiefs of Staff or your Secretary of Defense to decide what policy response was going to hold sway. In cyberspace do you have 15 minutes, especially if there’s been operational preparation of the environment in advance or someone’s forward-deployed malware. You have 15 seconds?
You think you can get your President on the phone with the Secretary of Defense within 15 seconds? Does that mean you have to automate your response and take us into a Dr. Strangelove world without a human in the loop? These are all really serious questions and especially in an era where you have ongoing conflicts and we know we have malevolent characters.
So just like I had my N’s for trends in cyber-attacks, I have three C’s for attribution response. Certainty. How good does your attribution need to be? How certain do you need to be to take a response action? Think about this in the context of the Russian hacking of the Democratic National Committee’s mail databases. How long did it take before the Director of National Intelligence and Secretary of Homeland Security gave a definitive attribution?
Secondly do you have the capability to respond to whoever the perpetrator was, and those two are important in conjunction because it goes to your credibility, the third C. If you publicly say that that is the perpetrator and you cannot do anything to respond to them, do you have a credible deterrent going forward? Significant issues when we think about strategic deterrence, and that comes in two flavors.
Deterring that entity who did it to you, and in that instance you could actually do something that was non-public that they would notice but that the whole world wouldn’t, that could deter them in the future. I call that second party deterrence. But that kind of a private response doesn’t work for third party deterrence of trying to dissuade others who might do something similar in the future.
Currently in cyberspace we don’t have that kind of strategic equilibrium or balance of known rules of the road of how things happen. There are normative proposals from the United Nations, some regional organizations, even a couple companies, but that hasn’t all been worked out the way we worked it out in the nuclear era over 20, 30 years of strategic academia and think tank and international work. I think we’re about in the early 1950’s in the nuclear strategic thinking model for cyberspace.
We have these powerful tools. In this case many more entities have these tools than just two nuclear powers, yet we don’t know how the strategic dynamic works. In my last job as NIO, strategic forecasting was a part of it. Trying to look out three, five, ten years if possible and figure out what we need to be estimating to help our executives in the various departments and branches figure out what they needed to do. So let’s think about that in cyber.
There’s a reason that our standing rule on my team was we didn’t write products looking out more than five years. For the technologists, that’s three turns of Moore’s law, pretty tough to predict what the technology’s going to look like, three turns of the attribution, or the innovation ratchet. Let’s put this in context. Let’s go to the Arab Spring. Arguably it starts in what, December 2010 with the immolation of the Tunisian merchant. If you had asked me to do a predictive cyber assessment five years before that on the role that social media might play, would I have been able to do that?
Probably not because Facebook would have just left Harvard’s campus in 2004 and Twitter would not exist until 2006, so how could I in 2005 give you a five year estimate out of the impact of social media on democratic movements in the Maghreb or the Middle East. I couldn’t. What’s the important message there? It’s the difference between disruptive technologies and the disruptive applications of technologies. In the Battle of Britain in World War II, radar was deployed very effectively to help defend Great Britain.
But the phenomenon, the electromagnetic phenomenon of radar was well known to scientists around the world. It was the application of it that was novel. What I just talked to you about in the Arab Spring issue, it wasn’t a novel application of social media. It was a novel new technology that came about in those five years. So the challenge to public policy makers and strategic analysts and military planners is to prepare for planning for disruptive technologies, not just disruptive applications of known technologies and that actually complicates our world a lot.
Your vulnerability surface area’s expanding, the Internet of things, yet your ability to predict where and in what form the threat and challenge is coming from, much more difficult. Your responses, be they technical or your agility of your policy apparatus to respond has to be much more adaptive. That’s of course, quite a challenge, especially in a region that has had long time historical conflicts, entities who have been at war for decades, arguably in some cases centuries or millennia. How do we prepare a policy environment where when an incident starts to occur, you can come to some kind of real time resolution or determination that this is an existential threat to your country or your organization or it’s something where you need to take the time, work collaboratively, even possibly with people who aren’t your regular friends, to deescalate and defuse the situation.
I don’t have those answers but I think that’s where the critical policy challenges are going to be and I think one way forward to helping entities and nations being the ability to take that little bit of extra time is by building resilience. I think we need to assume a compromised environment. That means being able to continue your society and your governmental core functions, even in the face of a degrading cyber attack. How many Ukrainians lost their lives in the power grid failures in last December?
Right. Zero. I am told that may be partly responsible or attributable to the fact of the occasional unreliability of the power grid in that country, that certain critical infrastructures are prepared for occasional blackouts. I question if that same few hours had occurred in Buffalo, New York, Maine, where we are, single points of failure and dependent on certain things, how would we have fared? So expect to be in a compromised environment in a risk context, not a security context.
Avoid single points of failure in your devices, in your networks, in your protocols and in the vertical integration of your sectors and in the horizontal dependencies between your different sectors. I’m asking for a lot here, a tall order and I realize it’s not cheap, but if you’re looking for ways forward to deescalate cyber security conflicts in the future, there has to be some degree of confidence that you can wait the extra five or ten minutes to figure out what’s really happening, and obviously we have heard discussions of existential threats in the Middle East and that makes this region all the more vulnerable to the kinds of concerns that I hope we can collectively avert.
I’ll leave you on a thought I don’t want to dwell on from my end, but I’m happy to discuss in the Q&A and it will probably come up. Obviously there’s a whole range of other public policy and legal considerations. I was talking mostly about the security context because that’s where my expertise has come from. But I’m aware the issues of privacy, surveillance and encryption matter in a lot of these societies and they matter in ways different than they do in the United States because they have different political cultures and legislative frameworks. Freedom of expression, welfare and economic development, these are all possibilities and potentialities that the Internet brings us but they’re going to apply differently in different societies and interestingly what you see in parts of the Middle East are legislation and regulations limiting certain kinds of content from flowing through those pipes, yet the potential for citizens to actually still access that through other means be it encrypted Internet connections, be it satellite footprints that extend into that region from other jurisdictions.
I don’t have the answer for how those are going to be balanced, but those problems certainly aren’t going away and I think you’re going to continuously have more and more private sector technical solutions offering more and more access. Where each of those jurisdictions comes down, how hard they seek to prevent violations of their national legislation will be for them to determine. I would just offer as an American from a certain political culture, I want to limit crime; I don’t want to live in a police state that can prevent every and all crime. I think we need some degree of decorum and peace on the Internet. I don’t want someone looking over my shoulder every time I turn on a keyboard watching every single key stroke. That said, I do want to know that my vote is secure and my banking transaction is secure.
So where do we find the right balance? I think that’s a collective challenge and an individual challenge for each of the countries in the jurisdiction or the region we’re talking about here today. But I hope I’ve given you a little bit of a framing of where I see the cyber trends going and highlighted some of what I think are the very poor issues that will either escalate or deescalate conflicts in this region going forward. Thank you.
Mark: Sean, thank you very much. You’ve given us quite a bit of things to think about. I’m Mark Scheland, Director of Programs and Government Relations here at MEI. We can take about ten minutes or so for a few questions for Sean.
Mark: If it’s okay, maybe we’ll bundle two or three at a go.
Sean: May I ask you to – to that my answer is tell me.
Mark: Please a show of hands. We have two colleagues of Mike’s, this gentleman in the red tie first. We’ll take two or three questions and then let Sean respond in a group, so please sir.
Scott: Hi. Scott Klumpner from the Washington Institute for Near East Policy. How far off are private sector cyber defense solutions from what a nation might have in terms of capability? I’m not talking about Kaspersky but, you know, other, you know, your private sector cyber defense going up against a national state actor, will they ever be in parity or is that a gap that will always exist?
Sean: Not going to answer right now, but just to be clear. You’re asking me private sector defenses compared with nation state offenses. Defense to offense.
Sean: Got it.
Paul: Paul Salem from the Middle East Institute. I wonder if you would reflect on sort of the cyber vulnerabilities between advanced societies like the U.S. and so on where so many grids are automated and on cyber and a region like the Middle East. Where are the sectors in sort of the developing world or the Middle East that are more vulnerable to cyber-attacks when you compare it to a country like the U.S.?
And my second question, I was intrigued by what you said about in a way one of the best defenses is a kind of underdevelopment, like occasionally if your electric grid goes down, that’s a good test for companies and private sectors and even the government to adjust and protect itself. Has that at all been developed into approaches? I mean how do you train societies and systems using that very interesting logic?
Sean: Take one more and then I – I’m taking notes here.
Alex: Thanks, Alex Ozaga, Middle East Institute. I was wondering if you could tell us anything about the marketplace out there. When certain countries have certain viewpoints on the issue of Internet, freedoms of Internet and so forth, specifically on the question of Russia, China and Iran if I may, there’s a lot of transfer of technological know-how apparently going into Iran from countries like China and Russia. What does that mean for the rest of the world when you have certain actors with certain interests trying to put their mark on how the Internet is run globally? Thanks.
Sean: Okay, let me take that tranche and we’ll try to do them in order. Private sector defense solutions versus nation state offensive capabilities. I think defenses are regularly improving but as you heard from me, I think the vulnerability surface area or vulnerability space is expanding exponentially so I think that’s going to be a challenge and what you have is think about the metaphors of the chain and you only need to break one link or think about the castle wall.
You only need to breach one parapet, right? If a very sophisticated, well-resourced and determined adversary and substantial nation state is coming after one link in an infrastructure architecture chain, he’ll probably be able to break that link, okay? It has to do with balancing the resources and the competencies and the problem is your cyber is more akin to maneuver warfare where the offense has an advantage than to a trench warfare or attrition warfare model, we’re getting the World War II, World War I analogy there.
If you can bring that combined effort against an entity that with an Internet of things node or device that was created by four people working in a garage in California, well the hundred military planners at a nation state are going to be able to probably penetrate that device. So it’s the imbalance where the conflict would actually occur that’s going to determine that outcome, and unfortunately in today’s world, you can often reach one small area and expand widely through the network or even into other networks.
So I think defenses are dramatically improving. I hope they continue to do so, but I am still of the belief that most information security practices protect the naïve from the unsophisticated and if someone really, really wants to get in and has the wherewithal and the resources, I think we have to be prepared that they may get some access. I spent 17 years in our, 16 years in our intelligence community. You don’t assume you will never have a spy inside the community.
You plan to deal with it and I think that’s where my risk mitigation framework or conceptual framework comes from. Question two. Cyber vulnerabilities in the U.S. versus the Middle East and developing world. Number one, at least go talk to Singapore about their smart city initiative. Please go talk to Estonia about their e-government. In certain ways the U.S. is an innovation leader but we also have a very large population and a very expansive geographical jurisdiction.
Okay, we don’t have high speed Internet going everywhere in the country. We don’t have cell coverage everywhere in the country, so in certain areas we are the world leader. In other aspects, we’re actually not. So you talk about cyber vulnerabilities, there are some countries that may even have more. Compared with the Middle East and the developing world, I think we’re certainly ahead of many of them. I think Israel is a top global player in information technology. If you live in the glass house of being technologically dependent, that’s a risk, you’re also able to innovate and develop defenses and offenses, so it’s a mixed bag.
Where it comes out is going to depend on who your adversaries are and who you’re playing against, okay, and that actually brings me to the fourth question. I’ll come back and get your other one, sir. Because you have that question about Russia’s, China’s, Iran’s and sharing information and working together. There’s a lot of cooperation going on in the world on development of their information and communication technologies and a lot on defenses, okay, and that’s happening in the western world.
It’s happening in the Eurasian marketplace, in the Middle East like you were talking about. I’m not the least bit surprised that you’re going to have Chinese experts working with Iranian experts on cyber defenses. What I don’t think you’re seeing as much as some people may fear, is a country like Russia going somewhere and giving away its best offensive cyber technology. There’s probably two reasons for that. First, if you give away your silver bullet in this world, it’s not available for you to use later. Okay? There is a perishability to cyber capabilities.
Secondly, would you loan your rifle or your handgun to a stranger not knowing what they want to use it for? You’re writing a blank check. So I think you see a lot of cooperation and capacity building on a defense side and on the societal development side. I’m not convinced you’re seeing a lot of that on the really good offensive capabilities being passed around. I’d be more concerned that some of these nation states are going to be getting it from criminal underground elements and some of those criminal capabilities are as good as some of the nation state capabilities used to be five, six, seven years ago.
Coming back to the resiliency of the underdeveloped, I don’t think you want to stay underdeveloped here, so it’s not an argument, this isn’t an argument for lies, right? Instead it’s an argument for realizing that co-locating all your and your military networks makes it a single point of failure and an obvious military target. Okay? Is it time where we need to think about building a separate dedicated network that would be a legitimate military target under the Geneva and Hague law but would not be and your civilian network would then not be an acceptable target? If you had that, that would actually be a lot easier to implement many of the norms that are being discussed at the U.N., at the ASEAN Regional Forum, at the OECD, though my argument is not for staying underdeveloped. It’s for developing smartly and I think that’s the real way forward with an appreciation of what resiliency can bring you in security.
Mark: Sean thank you very much for your time, for your remarks. You’ve kicked us off with a very thought provoking, very stimulating, insightful view of the landscape. It’s a great start to our deliberations this afternoon. We’re very grateful. Please join me in thanking Sean Kanuck.