The View from Washington: The State of National Security
Best of: Internet Summit - 2017
- Avril Haines - Former Deputy National Security Advisor, Obama Administration
- Moderator: Doug Kramer - General Counsel, Cloudflare
Transcript (Beta)
Okay, well, here we go. First thing in the morning. Try and get us off to a good start.
We've got a great conversation, I think, set up to get us going. And most importantly, we will stay on time because I will not be forgiven if I miss on that cue.
But in my mind, no better way to start than a really good conversation, I think, with Avril Haines.
In the Obama White House, I don't think there were many people that were trusted more than Avril, and I know that there was no one that worked harder than Avril.
And this made her a commodity in high demand. She started in the administration as the legal advisor to the National Security Council, which is just a job too impossible to get into.
Because not only did you have to have an opinion about what was going on in the world, you had to be right about it, which isn't always easy to do.
So because of that, she was later nominated to go be the legal advisor at the State Department, but that was pulled back because when John Brennan became director of the CIA, he had to have Avril working with him.
So she became the first female deputy at the Central Intelligence Agency.
And a couple years after that, Brennan lost a battle when President Obama had to have Avril back at the White House as Deputy National Security Advisor.
So she didn't have a lot of sleep until January of this year.
She's recovered a bit and is now settling at Columbia University this fall.
So I am happy that Avril is here because I know a few people that are more thoughtful about what is going on in the world of national security and has a lot of thoughts about the way that the Internet and cyber security and all that plays into that.
So thank you, Avril, for being here today. Very happy to be here.
So I wanted to start with something that I don't think has gotten a lot of attention.
I know before you all left the White House, you had sort of stood behind the proposal of taking cybercom, which is the part of the military that works on cyber operations, affirmative cyber operations, and taking that out of the NSA and elevating that.
And that's a decision that the Trump administration confirmed this August.
And it's something that not a lot of people talked about much, even though I think it's something that marks a real change in the way that we think about the way that military operates and the way that cyber will play a role in those sorts of operations.
So I wanted to get your sense of what you take as the change that this recognizes, the ways in which some of the rules may still apply, some ways in which the rules will be completely torn up and rewritten when it comes to these sorts of activities.
Sure. So let me take a step back, because I think one of the purposes of this type of summit is that there's an opportunity for people from different parts of the community, in a sense, to hear from each other and hear how the conversation may be different in different areas of the community.
And from the national security perspective, the way I thought about cyber and the rules governing cyber, in a sense, was very much in the context of what I would term asymmetric threats around the world.
And let me focus in on an aspect of it that I think is particularly important that the U .S.
government was struggling with, certainly during the Obama administration, will continue to struggle with, I think, in the Trump administration going forward, which are state actor asymmetric threats.
And when people talk about asymmetric threats, they frequently talk about non -state actor asymmetric threats.
But I'm thinking about state actor asymmetric threats.
And what I mean by that is as follows.
Where an adversary, a state actor, let's say, looks for places where we have, as in the U.S.
government has, very high value assets that they can hold at risk at low cost to them, right, and in a way that is not necessarily conventionally escalatory.
So to your rules point, one of the things about cyber is, first of all, the United States, both the U.S.
government, and by the U.S. government, I mean the national government but also state and local authorities and so on, is more technologically advanced and relies on cyber more and more, and more so than many other countries around the world, right?
The private sector does so similarly.
We are, as a consequence in many respects, more vulnerable to cyber threats than many other countries around the world.
And it's one of these spaces where at a relatively low cost from another state actor's perspective, they can look to hold at risk things that are important to us.
And the key point about not conventionally escalatory is as follows.
In the conventional world, we have a long history of rules that tell us when another country has used force, when what they do constitutes an armed attack, and therefore when we have a legal basis to respond to it in a kinetic way or in other ways, right?
In other words, where a country's done something that's unacceptable but doesn't constitute a use of force but is nevertheless a violation of international law, there may be other consequences.
In the cyber realm, we've been moving into this space, trying to figure out what's unacceptable, what's not, what constitutes a use of force, but we are not nearly there yet, and it's very difficult.
And it's not that, as a lawyer, for those of you that are lawyers in the audience, I suspect you will appreciate this.
There are times when your client wants an answer, but in fact giving a defined answer is not necessarily the right thing at that moment, right?
There may be ambiguities, there may be things that you're trying to think through, there may be untold implications, and you realize they are untold implications, but you need to do more work to figure out what those are.
And as the U.S. government has struggled with this, they've been thinking a lot about the fact that, right, if you have another country, if you say that that's a use of force and that constitutes an armed attack, that's also something that can be used against us, right?
So we have to make sure that whatever it is that they're doing that we're saying, you know, is a violation, is something we're willing to live with as being a violation.
So this is an area where I think it is incredibly important for us to continue to work.
I think it is a framework that needs to be developed. I think U.S.
leadership is critical to it, and that's partially because I think, frankly, we have the most to lose in many respects around the world from having a framework that doesn't work, but also because, frankly, we generally, as a society, tend in these situations to develop frameworks with different parts of the population involved in crafting that framework.
And the private sector is utterly critical to crafting a framework that's going to work, right?
The private sector has a lot, owns a lot of the infrastructure that cyber is on, right?
Maintains it, deals with it on a regular basis, and has a tremendous amount to lose if the rules that we set up are not the right rules.
So this is an area where I've seen on asymmetric threats across the board, it's been critical for the U.S.
government to exercise leadership in developing those kinds of frameworks.
And it's not just for our reaction that we want to do that for, it's because we want to have widely accepted norms and rules that we can then go to other countries and say, look, X country is doing this, and that's a problem, and you should join us in an appropriate response to that action, right?
Because then we are just much stronger, we can deter the action before it occurs, we can have a better response when it does.
So it's an area where I see a lot of issues. To your initial part of the question on cybercom, this is, you know, not to spend too much time on this, but I think in many respects it's an organizational issue.
That's how I look at that piece of it.
We still have to do everything that we were doing before, we just have to do it better in a sense.
And part of what is important about the split is that you really do want to think through where your organizations and workforces are using, and what happened was essentially with cybercom in NSA, NSA spent so much time and effort training folks in cybercom, this is just one aspect of the problem, but it gives you a sense of it, training folks in cybercom because the way the military works is a constant rotation, right?
And folks in NSA from the civilian side were long-term things, that they weren't spending as much time on other aspects of their mission that they needed to.
And that's just another thing, thinking about your workforce and how you organize to address these issues is critical across the board.
I know all of you know that as well or better than I do, but it's something I really learned.
This is one tiny aspect of it, but I saw it in just a myriad of ways.
So let me jump a little bit though, you're talking about asymmetric threats, and then this idea of the need for norms and rules, right?
And as you said, when it talks about the use of force, you have borders, you have people crossing borders, taking action that clearly crosses those red lines, and that's already been a bit of a gray area when it comes to things like intelligence or spying, going back decades, right?
An intentional action by one state against another state that's trying to get their information, if a spy gets caught or something like that, it was viewed as a bit of a game, right?
Very different than sort of rolling tanks over a border or firing a missile over a border.
And from what I'm hearing you talk both with asymmetric threats and then sort of the nature of these cyber activities, that seems to make that even more murky, and that seems a bit terrifying, that we're going to end up with, that this is one place in which those bright lines and rules of adverse action by a state against a state is a good thing.
And when you can sort of mess around the edges in these virtual sort of attacks, that seems to be quite concerning.
So do you share my pessimism on that, or do you think that there is an opportunity as the battlefield sort of moves online, that there really can be accepted norms that will restrain people from crossing bright lines?
I think it's not without challenge, but I think there is a way to work this, and maybe that's just my eternal optimism.
And I would say part of what your question raises is something that I've had concerns about.
It's very easy to think about cyber as a battlefield, and I have to say, from a national security perspective, I don't do that.
I think of it as part of conflict, right?
It's very rare, if ever, that I can consider where a state actor basically takes on a cyber attack or initiative in a vacuum.
It's not just in the cyber battlefield, right?
In other words, it's across the board. It's in concordance with other things that they're engaging in, whether diplomatically, militarily, or otherwise.
And that is part of, I think, the way we need to think about these issues, is really in a kind of comprehensive way.
And that affects also how you think about responses, because I worry, and I think actually this is an area where there's consistency between the Obama administration and the Trump administration, because I heard Bossert recently indicate as well, that it's important for us not to think about just responses to cyber in cyber, right?
We have to actually break out of that kind of conception.
But I do think that one of the things that cyber raises generally, and maybe this is sort of part of where you're going, Doug, we've talked about this a little bit together, is that I do think there's very interesting increasing tension, this is how I think about it, between political structures and the way we organize ourselves as human beings in many respects.
And I'll just give you maybe two structural examples of this. One is, you think of our political structures are based on geography, right?
You sort of have your mayor and your governor and your president, and so on.
And yet more and more, all of us, personally, professionally, are part of virtual communities with people who are not in our geographic area, right?
And that actually creates a certain amount of tension between the way we're being governed and the way we're organizing ourselves.
Another way to think about this structurally is with the urban population explosions, right?
We see how rural communities with less of a population sometimes have more of a voice politically than they used to when the structures were initially identified, right?
So we see that kind of increasing tension.
There's other ways that I see tension in this that are related to the Internet.
One is in governance challenges. So one aspect of this, I think, is it used to be that most people in a community would get their news through a sort of a local news network, right, and a national news network.
And if you were a politician, you at least knew what the news was that most of your constituents was getting, right?
And you had maybe some influence over that conversation in some respects.
Nowadays, people get their information through so many different challenges.
Politicians really have influence, let alone access, to many of the channels through which people are getting information, right?
There's that kind of issue.
And there's a whole question of how it is that you actually have a kind of a public societal conversation on issues within communities if you're not all paying attention to the same fora and contributing to them, and you're actually breaking into some of these areas.
So it's a really interesting area, and it's something I'm hoping to learn more about today.
Yeah, and I want to follow up on that a bit, right?
Because when you think about sort of the evolution of law and legal standards, which I think is hitting a challenge here, right?
Traditionally, in terms of borders, again, bright lines.
And even as our activities move to the air or to the sea, you know, the law of the sea famously is this difficult to define sort of circumstance.
But as you move online, you know, and those borders really don't exist at all.
We've seen that challenge, you know, but not only in the corporate world, how they deal with taxation, how they deal with, you know, all sorts of different content standards we're running into.
As you move to a world without borders, the application of laws gets very challenging, right?
But what I hear you saying is that it maybe even goes a bit, you know, beyond that, in that the way we're organizing ourselves now doesn't really have a geographic location.
I mean, there is this urban, you know, rural divide. But in addition to that, the people that we associate with and the people we get to know or resonate with has no bearing on whether or not they're down the street or around the world.
And how do you see, you know, we talked a little bit about the military.
This is now, I think, more of a bit of a diplomatic and rule of law question.
What do you see the challenges being in trying to reconcile that? So as we talk about where the Internet is going, how do you make sense of bringing that back into our traditional ways of enforcing laws and having relationships across nation states?
Yeah. I feel like this could be like a three-day conversation instead of a 30-minute conversation.
But you're absolutely right. I see maybe two sets of issues.
And let me use the law of the sea example that you raised, which I think is a really good one.
The law of the sea is an area of international law that is so developed.
It's been developed over really an extraordinary amount of time.
It's an area that I find utterly fascinating. But you're right.
It's a very good example of how we dealt with a situation where there were a variety of nebulous issues, right, where we're, our interest, and it's very much, in my view, similar to the asymmetric threat that we're facing in cyber, frankly.
We have an enormous interest, the U.S. government, in freedom of navigation around the world.
Those are areas that are nowhere near our territory, right?
We have no ability, in a sense, to create rules in that jurisdiction. And yet they're critical.
And we don't want to have to use force every time somebody doesn't allow our ships to transit through an international street.
And so we developed this extraordinary framework.
And it is so precise as to be able to tell you that if a rock does not appear above the water at high tide elevation, but does appear below the, you know, above the water at low tide elevation, it has this kind of privilege around it with respect to the territorial sea and so on.
In fact, it doesn't have a territorial sea.
If it applies, you know, above the water at high tide, then it does have a territorial sea.
You as a state then have a right to certain resources within a certain area around that rock.
I mean, so there's an extraordinary amount of detail to it.
And there's a lot of detail to what we can and can't do around the world.
And it allows us to bolster that kind of thing. And so it's another reason for why I have optimism about us being able to get into these areas and really think them through in a serious way.
But to your broader question, I think there's that framework.
But I also think we are going to be rethinking many of our political institutions.
I see another evolution of our political institutions as a consequence of the fact that there is this increasing tension.
Because I just I don't see how we can make this work. As lawyers, I know you and I, it's we have seen how the regulatory structures, for example, that we apply in a variety of, you know, sort of real world things are simply not, not only are they unenforceable, and really, you know, difficult to apply in the context of, they don't make sense in our world today, and in the way in which we communicate and disseminate information and do things.
And so it's, it's just another distortion that you're seeing in the system.
And as the distortions become more significant, I think the harder it is to maintain.
So I don't want to sort of bait you into sort of talking about classified information you may have seen or whatever, but you you through viewing a lot of that almost consistently on a daily basis for seven, eight years, probably have some sort of judgment, some sense, are you seeing this idea of virtual communities and the way that people find their allegiances these days, you know, maybe moving away from the nationalistic, patriotic and into sort of a cultural, ideological, global sort of community?
Are you seeing that already play out?
Or do you think that that is something that might still be a generation or two down the road, how people really at their core, you know, identify their base allegiances?
How, what, if anything, are you seeing on on that arc?
So there is a global trends report, this is sort of a classic thing that the intelligence community does.
And last year, they report, they pushed out this report, it's publicly available.
And it looks 10 to 15 years ahead, essentially. And it tries to identify mega trends that they've, you know, determined are out there.
And, and sort of give the sense to policymakers, here are some of the big things that we see happening.
Here are the potential implications of those big things. Here are some of the tectonic shifts that are occurring, as they call them, in some respects.
And then also, what are the game changer things so that you as a policymaker can think about how do you affect this.
And two of the mega trends that they identified were individual empowerment.
And I hope I'm getting this right and diffusion of power, which kind of goes to your question.
And we have no laws and no control over the people trying to follow the laws.
Not so much. You said you were optimistic on this.
You were suggesting you were an optimist. But it's what they talk about is the role of non state actors in both as spoilers to government action, but also as increasing, you know, empowerment, essentially.
And, and to my mind, this is another part of what we're seeing in what I was describing between the increasing tension, political institutions and the way we organize ourselves, but also the challenges that it presents to governance.
And as we see individuals being more empowered, right, and we see them relying on public institutions less and less for the things that they used to rely on them, I mean, with things like blockchain technology and other, you know, it's just you can see how it's possible now to organize, for example, Bitcoin money, you know, without having a public institution, right, there are a variety of things that are occurring.
And so non state actors are really increasingly potentially having power in this area.
And by non state actors, I don't just mean terrorist groups, although those are obviously non state actors as well, but also cabals of companies of variety of actors across border.
And I think the the challenge for us as society and citizens is that those actors are not subject to the same rules that we subject our public institutions to, right?
So are we comfortable with them filling that gap that they are currently filling between what it is that the government used to be, and what it is that the private individual had?
And I'll tell you, I am increasingly surprised as I'm now out of government, and I talked to CEOs and others, how many companies now have their own foundation are doing a lot of things that governments used to do.
And, you know, and with greater or lesser success, I think, in creating walls between their company agenda and their foundation agenda.
So it's a very interesting space. Okay, so we've got a few minutes left before we're going to try and take a couple questions.
I have one quick hidden question that's a bit unfair, because I didn't prep you on this.
So it's putting you on the spot.
So feel free to pass, although most of the people will be disappointed if you do that.
And then I've got one other question close. So I mean, going back, I'm interested in your discussion of asymmetric threats, right?
And I wonder if you have a prediction, or at least could sort of speculate when we might, as I understand it, sort of cross a line, right?
So if you imagine the last four years, there are reports without asking you to confirm any of this that, you know, the United States government might have listened in on phone conversations of Angela Merkel, you know, a leader of a foreign country, things like that.
There are allegations some of you might have seen, if you read a newspaper once every six months, that the Russian government might have been involved in trying to influence our election process, right?
You could also then imagine in the future, offensive cyber operations doing things like trying to shut down the FEMA website as a hurricanes approaching our shores, right?
Things that start to get more and more tangible and get closer and closer to real impacts going after the financial system, any of that.
What do you think could be the first cyber attack that is just like, okay, now we're sending in the tanks, this is a step too far.
Like, I think it's a big jump.
And people don't want to think about doing that, but at some point that has to happen, right?
You can't just keep being, you know, poking people with a stick in the virtual world and not have it lead to, you know, kinetic sort of military action, right?
Like, do you see a day when that happens? And what do you think is sort of the prod there that gets it to that point?
Yeah, but sure, there could be just a cyber attack on its own.
It seems to me that could invoke a military reaction.
And, you know, we've already, in many respects, in trying to define what's a use of force in an armed attack, we've already taken positions about, yeah, like, so if you do through cyber, what you could have done essentially by dropping a bomb, you know, it is an armed attack, right?
And there are certainly ways that you can imagine the corollary of that occurring.
But my guess is it's much more likely to be in a scenario where the cyber is right next to the military.
So, I mean, George is a perfect example, and a relatively early one, and an obvious one, right, about basically Russia, not just using their military, but also using cyber as a way to attack another country.
And certainly in Ukraine, you see aspects of this as well.
And I think, you know, each of these situations evolves as they do.
And I think that's the scenario that you're most likely to see a response on.
So I'd be remiss having you here based on your experience specifically at CIA, and not talk to you a little bit about what do you see in the next five or 10 years, the challenges or the evolution that the intelligence community is thinking about when it comes to, you know, cyber attacks, online communities, the Internet, all of that.
What are they thinking about looking out five and 10 years, do you think?
Yeah, it's, I have to say, it's very interesting, because I think a lot of the conversation around cyber and the intelligence community is, while the intelligence community is able to collect so much more information than they used to, that kind of thing.
And in fact, cyber presents some enormous challenges to the intelligence community.
One is, I suspect some of this will be obvious to you, but the digital footprint that everybody makes, right, and how difficult it is to actually keep things secret in today's world, which really means for a lot of intelligence communities, and I watched this while I was at the agency, what you see is a lot of services going through a kind of crisis of how do we keep things secret?
Can we actually do this job anymore?
And what does that mean? How do you think about that? And that's really separate, in my mind, from the transparency conversation that needs to be had, just to put a bookmark on that, because I do think that one value of, you know, the years that we've gone through, through the Obama administration, but previously, frankly, and certainly in today's world, Trump's administration will be facing this issue.
I think there is great value in being as transparent about what work the intelligence community does in broad, in other words, what's the framework within which they are operating, so people understand that and can have a conversation about it as much as possible.
But the details of what an intelligence community does, needless to say, have to be secret if they're going to be effective.
So that's one aspect of it. Another is, frankly, Mike Dempsey, who is the Deputy Director of National Intelligence and the Acting Director for a little while, just wrote an article in Wired that talks about this, that I think is worth reading, that talks about how challenging it is in today's world for the United States to maintain an information edge, right?
Given how much information is publicly available and how much information there is that's out there, the reality is it's very hard for the U.S.
government's intelligence community to really bring something useful and new to the table, in a sense.
That's not true across the board.
There are still some countries where it's very hard to get information, like North Korea or other places.
But it is true that for the analysts, I remember a former director of the CIA coming to talk.
We did a sort of an armchair interview for the workforce.
One of the things he said was, I thought the day I left, I would absolutely sort of miss the PDB, the access to the PDB, the President's Daily Brief, every morning, right?
This information, this treasure trove of information that you'd get every morning.
And he said, and then I started reading the New York Times.
There's a lot of very good analysis that's out in the public source, and it's hard for analysts to say what's the edge they're providing in those situations.
There's a lot of challenges that you may not recognize in this context.
Well, good. Well, thank you. We have time for a couple of questions. So I think we have folks in the back with microphones who want to raise your hand.
And I think I see a hand over here.
So why don't we start with you. Yeah, go ahead. Yes.
So some years ago, we had Y2K, which was a great scare that all the computers would fall apart because of the year 2000.
And although it may or may not have happened, it seems to have been a success in terms of infrastructure investment in computers.
What will it take to do a Y2K style investment in security infrastructure because of all these old, creaky computers out there that are security civs?
Yeah, it's an excellent question. I mean, we spent a lot of time on working with Congress, trying to get money appropriated for and in support of the institutions.
I think it's, to your question, I think it's not just about investing in upgrading, but also in really thinking through in a comprehensive way, how it is that you actually upgrade everybody and you start to develop standards and security practices that go across the US government.
And that is an extraordinarily difficult challenge.
We developed some mechanisms that we hope will continue to live on, and we'll start to actually see the benefits of over time.
The Obama administration was not alone in trying to break down stovepipes in certain areas, and this is one of them.
And it's not something that's going to happen in the life of any one administration, which is also one of the problems.
It's something that has to happen over years, and there really has to be just a consistent, continued investment.
But I hope that it's happening. I don't know whether or not it will or not.
Well, I think it's fair to say if the rest of the session today provide as much information and raise as many important questions as Avril has in 30 minutes this morning, nobody will have any room left in their brains.
So if you need to do anything complicated, get it out of the way this morning.
So thank you so much, Avril, for being here. I'm ready. Thank you.