Cyber: The New Frontier in State Warfare

♪♪ ♪♪ ♪♪ Well, hey, everyone. We're here, the last discussion of the day. I'm Doug Kramer. I'm Cloudflare's General Counsel. This is Lisa Monaco, who, among other things we'll talk about, was President Obama's, an assistant to President Obama for Homeland Security and counterterrorism, which means we're going out with a bang. Come on, come on. You need something like that. We'll have some good war stories. Painful. Okay, that's the pun. So Lisa's here to really talk to us about the cybersecurity threat and how we evaluate that in the present day, what the current state of that is, and I can really think of no one better positioned to do that. Lisa had a very long tenure at the Department of Justice and the FBI before President Obama nominated her and the Senate confirmed her to be Assistant Attorney General for National Security in 2011, and then it was 2013 that she came over to the White House, again, to be assistant to President Obama. Since the end of the Obama administration, she really has just become a guide to all the smartest people in all the best places thinking about these issues. She's a distinguished senior fellow at NYU Law School, also a fellow at the Belfer Center at Harvard, chairs the Aspen Institute's cybersecurity group, and is a principal at West Exec Advisors. So join me in welcoming Lisa Monaco to the Cloudflare Summit. Thank you. So, Lisa, I want to do a little bit deeper dive on your day-to-day as Assistant to the President for Homeland Security and Counterterrorism. That meant she was always the person to deliver the bad news, the hard news, be the point of the spear to advise the President when something had gone very, very wrong, and then lead the White House's effort to coordinate a response to that. These are things like the Ebola crisis, things like the Boston Marathon bombing, which I think, as I recall, was your first week on the job, or about your first week? Third week. Third week. So you had some time to unpack your office supplies, find the restroom. Actually, I didn't. And then do all of that. So on a daily basis, she would look at the best information, the most information about risks, foreign and domestic, in cyber and everything else, and it was her job then to distill that down to how the President would think about these things. So the first thing I want to talk to you about is using those skills and maybe not access to all the classified information you have, but still quite a bit, what is your take on the threat as we sit here in October of 2018? What's the current state of that, and are we perceiving it the right way? So thanks very much. Thanks for having me. I'm acutely aware that I'm standing between you and cocktail hour, so thanks for that. I want to thank Matthew and Michelle and Doug and others for having me. It's great to be back out here. So the threat. You rightly describe my role. It also is a role and a job that, in addition to giving me the longest title, I think, in the history of the world, it earned me a nickname, mostly affectionate, I think, from the President of Dr. Doom, literally. Dr. Doom. So that's a little bit something to get over. When you showed up off the schedule, it was never good. It was never to celebrate someone's birthday. So with respect to the cyber threat, I think you can characterize it as follows. It is more diffuse than it has ever been with the range of actors, including nation states, non-state actors, basic garden variety criminal actors, and politically motivated hacktivists, with them all displaying more sophisticated and more dangerous and destructive tools and tactics and techniques and having a more destructive impact than they've ever had before. What I would also say, though, I see today the nation states emerging as front and center and being the most concerning element of that threat, of that diffuse threat, than ever before. And in that category, Russia, China, Iran, North Korea. Okay, so one of my questions was going to be, and I may still come back to this, what is sort of the face plant you do when you sort of see people all focused on one issue and realize their eye is off the ball over here? I would say a couple of years ago, we were very focused on terrorist organizations and what they might do even in the cyberspace and all of that. You don't see that discussion anymore. It is much more focused on nation state actors and all that. Do you think that is sort of a right sizing and a correct focus of where we should have been all along? Or do you think we've sort of lost focus on non -state actors? Where do you think that balance lies right now? So, the person who held the Doctor Doom title is never going to say, I'm not worried about terrorists with any means of ability to do us harm. And actually, I just recently got into a bit of a debate with David Petraeus, former head of the CIA on this. He said recently that his concern is the cyber weapon of mass destruction. And by that, he means a non-state actor, a terrorist actor, using cyber as a means for destruction. He would and did acknowledge, however, that the likelihood of that is actually fairly remote. That was his characterization. I, of course, am worried about that. But I'm actually more worried on a day-to-day basis about the more silent impact. So, what do I mean by that? I mean the cyber attack that does not have the visible impact, that does not have the kinetic, what we used to call in the Situation Room, the kinetic effect. I'm worried about the attack that we don't see, but then ultimately shakes our confidence in the information that we need to structure and go about our daily lives. Of course, there's a lot of talk just in the last half hour on information operations, but I mean the millions of financial traits that whiz around the world every day that arrange our financial system. The ability of nation-state cyber actors to manipulate information, to shake the integrity of that information and our confidence in it is something that I'm profoundly worried about. So, on the different actors involved in the current state of the threat, definitely nation -states, and we'll talk about that a little bit more. The terrorism threat is always out there. When it comes to rogue actors, unconnected rogue actors that aren't sort of acting at the behest of a nation-state as a third party, do you see a significant threat there? I mean there is going to be a threat, but compared to putting our focus in the right places, are there rogue actors or sort of other groups we're leaving out here, or have we already discussed most of the focus? I think a threat that I would highlight in that category, it does not rise for me to the level of the nation-state actor at this point, but I think it is something we should be cognizant of and we should not lose sight of it, and that is the terrorist actor using cyber means in what many experts have described as the blended threat. So ISIS basically contracting with a criminal actor or hacker to, and this actually really happened, to get information about, for instance, our service members, and put that out on the Internet and then extol their followers to go take action, violent action against those individuals. So the mixture of non -state actors doxing and using basically mercenaries to do that is something that is real. Okay, so if you had the platform, and you have a platform here to stand up and say, you know, gosh darn it, everybody pay attention to this. There's just not enough attention being paid to this. We've got to focus more on this issue. What would that one issue be for you in the current threat? So the point I just made about the integrity of information, but on a kind of enterprise-wide level, the Internet of Things security or lack thereof, right? Everyone has heard the statistic. By any measure, the conservative estimate is 20 billion Internet of Things devices connected by 2020. That's the low-end estimate, by the way. Half of all new businesses by 2020 will be run by Internet of Things devices. So that is an expanding attack surface for that whole range of malicious actors that we just talked about. And the problem is getting bigger, right? Because we are not building in security at the front end. So the challenge that I think folks are not focusing on, and it is a really hard challenge, to drive us to a culture of building in security by design, what are the incentives that we're going to have to do that? I don't think we're looking at a mandate anytime soon. What are the incentives? What are the standards that we can agree on? That is, I think, a big, big, big challenge that we are not tackling right now. And on the opposite side, then, are you in sessions with people who are thoughtful in this area or even in just conversations about this, and you just are sick of hearing about X? And you're like, I just wish we would move on from that because, yes, it's important. Yes, it's a threat, but it is outsized in the amount of oxygen it takes up in the conversation. Yeah. That's a harder one because if then that comes to fruition tomorrow, we've got you on tape and it looks bad. Yeah, I'm also acutely aware of that. Well, look, I think, and it's not going to be a surprise to this audience, but the focus, the outsized focus on thinking that you, as a company, as an organization, can have some kind of perfect defense, right? There's, you know, any number of vendors out there trying to sell you some product that's going to, maybe some of you in the audience, trying to sell you a product that's going to give you the secret key to a perfect defense. The reality is we need to be focusing on risk mitigation and measuring the response time to the problem, the response to the incident, how long have they been in the network, how long does it take you to get them off, right? This is not a question of if but when. Yeah. Okay, I want to shift our focus a little bit and talk about something that we have talked about, which is a little bit, I want to take some time with it because it's a difficult subject, and it revolves generally around this. There are very clearly established norms and laws on the use of force by one nation against another. You know, one example that I was raising before is there's a law about the authorized use of military force that if you send sort of any kinetic element into a foreign country across a border, a helicopter with two soldiers aboard to go rescue someone or pick someone up, within very short order, 36 hours or something, you have to make a report to Congress, whatever. And when those things happen, they are clear and they trigger all sorts of a response, and it's viewed as a very significant infringement on a country's sovereignty or their interests or whatever. You can have, however, it seems, very large, coordinated, impactful cyber events that are intentionally aimed at another country and have impacts inside those countries, and we don't seem to know what to think about that. To some extent, it's like, well, that's just spy versus spy or it's sort of something that happens over there, and we don't take the same sense of, umbrage is a woefully insufficient word here, but it doesn't seem to have the same attachment. And A, do you agree? Why do you think that is? And are we ever going to get to a place where that starts to be thought about in the same way as a more physical attack? So I think you have examples of where folks have tried to apply that same language. So the language you're talking about is really governed by mostly international law, the sense that if I send my army into your country, that is a breach of international sovereignty, of international norms around the sovereignty of nation states, right? Which isn't to say there isn't disagreement about that, but you have a big body of law and multilateral agreement on that norm and what constitutes a breach of it. We do not have the same set of norms around cyber activity. So there is, I think, a agreed kind of level of cyber activity, including malicious cyber activity, that kind of operates below the line, I would call it, that is espionage, that is spying, right? Then you have, all the way up here, the malicious use of cyber activity to have an actual kinetic effect. And there may be, particularly, if that is deployed in peacetime against another nation's critical infrastructure, their power grid or what have you, most nations would agree that constitutes an armed attack equivalent to your dropping a bomb in that country. The problem in the cyberspace is, this distance, that is a very, very large gap, which we have not decided, as an international community or domestically, how to treat that, how to treat that space. There is a very kind of robust dialogue about it, but we do not have agreement. We tried, in the Obama administration, to lead an effort to try and establish a set of international norms around this, not just so you could have some beautiful, nice thing on a piece of parchment, but so that you could try and isolate malicious actors and nation states who operate outside those norms. And you could employ and impose costs on them for violating those norms and try and drive a set of behaviors. Okay, so let's do this. Let's turn that gap into a bit of a role play, right? So, you have a carefully crafted meeting in the Situation Room today, where you're chairing a Principals Committee meeting, and it was all laid out, and you had career staff working for months to tee this up. Maybe two years ago. Well, two years ago, but we've got to take today's events. So, we magically wave a magic wand as we all wish we could and put you back in there. And all of a sudden, your agenda is just thrown to heck, right? Because everybody wakes up this morning, you see what's happened in Russia, you hear about reports out of China this morning, and also North Korea. So, your agenda is now that, right? Because this is the news of the day. And you've got the principals there, and you're saying, okay, how are we as the United States government going to respond to this? And what are we going to recommend to the president that he do in response to these actions? We've got three different nation state events that sort of got uncovered to some extent today. How do you process and go about what the response would be there? Or do you just sort of shrug your shoulders and say, there's just another day's newspaper? So, no. No shrugging of shoulders. So, it doesn't have to be hypothetical. In 2011, I was the Assistant Attorney General for National Security in the Justice Department. And I got sick of seeing intelligence reports showing that the Chinese and members of the People's Liberation Army deployed on behalf of the nation state were stealing intellectual property from our companies. We began, during my tenure, an investigation that ultimately ended up with, and I believe it was 2014 or 2015, the indictment of five members of the PLA for cyber-enabled economic espionage on behalf of the country. And these were guys who were, we had ended up really identifying these guys in their uniforms, at the keyboard, stealing from a whole range of U.S. companies. And we had lots of meetings and discussions about how we would make that public, what would be our diplomatic message, how we would, because this roiled a few folks in Beijing and caused some consternation in our own government. Although I would say the companies that we worked with were really thankful that finally their government was standing up for them, much like any victim of a crime would feel like, you know what, I'm glad the prosecutor is levying charges on these guys who stole from me. So that was the kind of first in a, basically a philosophy and an approach and a strategy to say we're going to identify the actors, we're going to use all of our tools to understand who did this, the intelligence community, et cetera, we're going to make that public and then we're going to impose costs. You saw the same thing happen with the Sony attack in 2014. We identified that it was North Korea. The FBI worked very closely with Sony Pictures and the executives there and the corporation and ultimately decided to impose sanctions against North Korea for doing that, right? Now my point being that there's a whole range, our approach on this was much like we've done against the terrorism threat, treat this as an intelligence-led, threat -driven approach to this problem and then put all the tools on the table. Say all elements of national power are going to be at your disposal to choose from a philosophy as we're going to impose costs against the malicious actors. Sometimes it'll be law enforcement, sometimes it'll be diplomacy, sometimes it'll be financial sanctions, sometimes it may be military or intelligence action, but it ought to be, in my view, all of those tools ought to be on the table. You ought to have a policy discussion about what is in the best interest of the United States as to which tool that you choose. So I'm going to reward those of you who have been here all day. For those of you who heard Jeff Immelt this morning, one of the questions that he got was this question about the China news this morning. For those of you who haven't seen it, Bloomberg's reporting that some Chinese spies had implanted chips and microprocessors that then made it into hardware of a lot of significant American tech companies. And the question really was, boy, can you ever have a global supply chain again? Does this mean that we just have to sort of seal off the United States and China, never, at least for a couple decades, to come back together? What's your sort of prognosis for what happens there? What's the best way to manage that situation? Do we just sort of send each side to their opposite corners and do that, or is there a way forward here? So I agree with what it sounds like Immelt said, which is it is not foreseeable, not practical, and not advisable to kind of hive us off. In our globalized world, that doesn't make any sense. That's not in the interest of the United States. I think, and it's not a galloping insight, that there is efforts by nation states and others to try and intrude in our supply chain, right? But the news today was quite sobering, and it is an example of the threat we talked about at the outset, right? Nation states using cyber as a tool of geopolitical statecraft, right? So the Chinese intruding in our supply chain, the Russian indictments today against seven members of the GRU, that's the Russian Military Intelligence Unit, and then also news story today about the North Koreans stealing billions from the international financial system, the SWIFT trading system, largely because the sanctions we in the international community have been imposing on them have left them with some destitute coffers, right? They need to generate some cash. So I would argue the approach of imposing costs really does work. So that would be my answer to the question, right? Come together, and as an international community, to try and isolate those bad actors for violating those norms, and to try and drive a change in behavior. And very quickly, all three of those, same approach, or is North Korea a different special case, a problematic case there, or do you think there's also an opportunity there? So I personally think we could be doing more in terms of sanctions, and particularly vis-a-vis North Korea, the banks in China that are actually providing them a lifeline, and some of the work that the Chinese are doing or looking the other way on that is providing North Korea still a lifeline for their financial system. Well, we have time for a couple of questions. So if you have a question, raise your hand. We have some microphones around, as you know. Do you want to? Right here. Okay, great. Oh, that's amazing of me. So maybe just a quick one. What's the most positive in your worldview right now? What's getting better in terms of North Korea? That's, yeah, that's really... He's helping us end on a high note, which I don't think I had sort of keyed up the conversation well enough on that point. So what I would say is we have been, I think, beating the drum, at least when I was in government for a long time, for the private sector and companies to treat cybersecurity as an enterprise threat, right? To say, you know, it's not just an IT problem that you can have your eyes glazed over. You've got to bring it into the boardroom. And I think there are a number of sectors, the financial services sector in particular, has really taken that on board and are really leading the way in many respects on this. And so I think folks are getting that message. I think it's got to cascade down more. Healthcare sector's not where it needs to be. But so the short answer is the appreciation of the threat, I think, has grown markedly in corporate America. But we can't just admire the problem, right? There's a whole set of work to do on what the standards are, what are the best practices. Great. Any other questions? We've got one back there, too. So when acid rain floats from the US over to Canada, Canada complains to us. Yeah. When acid IP traffic floats from China to the US, we have no one to go to. We can't say, China, your IP blocks are polluting the network. Fix it. Push down at your ISPs. Do whatever you need. And if it doesn't stop, you know it's government activity. If it stops, you know they've solved their network cleanliness problem. When are we going to get to the point where we have international treaties governing the cleanliness of the network? Huh. I don't know about cleanliness, but you've got folks, very, I think, thoughtful people on this more broadly, like Brad Smith, who's advocating a kind of digital Geneva Convention and doing a lot of work, including last week at the UN when all the world leaders came together in New York to try and generate some focus on a kind of international rules of the road. All of this is in line with what I was talking about earlier, coming up with some set of norms to try and drive behavior in this realm. We've got one more question back there. I think we've got time for it. As you pointed out, cyber warfare and disinformation has become a tool of statecraft, and it seems that the traditional defenses that a nation-state would build up to defend against those things are not up to the task and are not the right kinds of capabilities to deal with changes in social cognition, which are essentially aimed at eroding our social and governmental institutions. Is there anything happening right now in government to have a change in our capabilities to more align with this asymmetric threat? Well, first and foremost, recognizing that the use of cyber tools is really one of an asymmetric threat when used by nation-states, right, and coming at it that way, which goes back to whether or not in your response as a nation-state, you're going to be mindful of the dangers of escalation. That's one of the reasons this space that I talked about is so hard to operate in, right? The danger of miscalculation and misinterpretation when you are dealing with an asymmetric threat for perhaps your cyber response, the target of that could dangerously miscalculate whether or not you're there to spy on that battlefield or try and execute on that battlefield, and that is the quintessential challenge of an asymmetric threat. Well, we talked before. You don't get to talk happy talk too much, your good news, but I think the larger point is, I think I've always felt better, and I think folks in the room, knowing that people like you have been in these positions, continue to sort of take on these challenges so that we can all sleep at night even though you may not get many good night's sleep. So, thank you for that, and thank you for being here today to talk about all this. Hi, we're Cloudflare. We're building one of the world's largest global cloud networks to help make the Internet faster, more secure, and more reliable. Meet our customer, AO.com, an online retailer specializing in electrical goods from washers, dryers, and refrigerators to televisions and home entertainment systems. They transact over £1 billion per year. My name's Austin Davis. I'm a DevOps engineer at AO.com. We work on solutions to make development teams go faster. One of the challenges faced by AO.com was to be the best amongst their competition when it came to site performance. Faster web performance for the business is very important in our industry. In e-commerce, speed is a differentiating factor. You can literally buy any product from us. You can get that from other retailers. But what you can't get from other retailers is speed. Having the best security for their business is another major differentiator for AO.com. Web security for the business is hugely important. We're seeing more attacks. We're seeing our competitors get breached. If we ever have downtime, even if it's just for 10 minutes, the cost to our business is huge. AO.com saw immediate benefits by selecting Cloudflare as their performance and security provider. From quick production adoption, to ease of use, to competitive pricing. With Cloudflare, it seems like security is through and through in all the products, constantly in the forefront of what they do. With things like workers, with things like the security, they all seem to be miles ahead of the competition. With customers like AO .com, and over 10 million other domains that trust Cloudflare with their security and performance, we're making the Internet fast, secure, and reliable for everyone. Cloudflare, helping build a better Internet. Cloudflare Stream makes streaming high -quality video at scale easy and affordable. A simple drag-and-drop interface allows you to easily upload your videos for streaming. Cloudflare Stream will automatically decide on the best video encoding format for your video files to be streamed on any device or browser. When you're ready to share your videos, click the link button and select Copy. A unique URL can now be shared or published in any web browser. Your videos are delivered across Cloudflare's expansive global network and streamed to your viewers using the Stream Player. Stream provides embedded code for every video. You can also customize the desired default playback behavior before embedding code to your page. Once you've copied the embed code, simply add it to your page. The Stream Player is now embedded in your page, and your video is ready to be streamed. That's it. Cloudflare Stream makes video streaming easy and affordable. Check out the pricing section to get started.