Cofounder and Managing Partner, WestExec Advisors; Former Undersecretary of Defense for Policy, U.S. Department of Defense
Ira A. Lipman Chair in Emerging Technologies and National Security and Director of the Digital and Cyberspace Policy Program, Council on Foreign Relations
Peter G. Peterson Chair and Editor, Foreign Affairs
Gideon Rose discusses the September/October 2018 issue of Foreign Affairs magazine with contributors Michèle Flournoy and Adam Segal. The latest issue looks at the future of the internet as security threats appear and evolve constantly, disinformation floods the marketplace of ideas, real power is concentrated in the hands of a few private tech giants, and other great powers contest the United States’ digital leadership.
For further reading please see the September/October 2018 issue of Foreign Affairs, World War Web: The Fight for the Internet’s Future, including the articles “When China Rules the Web: Technology in Service of the State” by Adam Segal, and “Battlefield Internet: A Plan for Securing Cyberspace” by Michèle Flournoy and Michael Sulmeyer.
ROSE: Hi everybody. My name is Gideon Rose. I’m the editor of Foreign Affairs magazine, and I want to welcome you all to this Council on Foreign Relations meeting to discuss the articles in and launch the September/October issue of FA.
We have a great lead package on the future of the internet and who will control cyberspace. We are greatly pleased to be able to showcase two of the wonderful authors in that package today: Michèle Flournoy, a cofounder and managing partner of WestExec Advisors, the former undersecretary of defense for policy at the Department of Defense, and everybody’s favorite technocratic wonk; and Adam Segal, who is the Ira Lipman chair in emerging technologies and national security at the Council on Foreign Relations and director of the Digital and Cyberspace Policy Program there, and author of I think the scariest piece that I’ve read in my magazine in the last year, which says something.
Before we get to the specifics of their pieces and the cyber challenge going forward—not just the cyber challenge, but the future of the internet challenge—let me just set it up by saying the more I pondered this package, the more I thought of Karl Polanyi. Polanyi famously argued that the way to understand capitalism was through a double movement of markets and resistance to markets, that the progress of markets, the progress of capitalist liberalization unleashed lots of wonderful passions, energies and dynamism in the economy, it took people out of their traditional contexts, broke things down. But it basically made people very stressed and independent and individual. It forced them to rely on their own resources, broke down the old world, and that was very scary.
It produced lots of great innovation and social and economic and other turbulence and dynamism, but people didn’t like being at the mercy of markets all the time and fought back and reasserted control in various ways. And this movement going back and forth of will you let yourself be dominated by markets or will you control them and resist them, will traditional society fight back?
Polanyi sort of died saying, OK, this is—we’ve now had the two stages. There have been people who have argued that, essentially, something like social democracy or the mixed economy that came up in the twentieth century, by midcentury and later, was a version of a resolution of that in which you seized popular control of the economy away from sort of pure libertarian liberals, but you let the market actually have things and run.
And why am I saying all this about Karl Polanyi and we’re talking the internet? Because what has happened in the internet strikes me as nothing less than the latest set of changes wrung on a very old story about the progress of capitalism and markets.
The United States government sponsored this wonderful project to build a connective platform for everybody. We all know the background of the internet in general, and it ends up bequeathed by the United States government to the world and run in partnership with the American private sector tech companies. And the internet that basically we know from the 1990s emerges in a wonderful, happy, good way from a sort of collaboration of the United States government resources and private sector platforms and operations and companies developing a lot of these things.
And then basically because we are good American, Anglo-American liberal capitalists, we sort of leave things like that and nobody runs it, nobody manages it, we just rely on markets to essentially move forward, and economic actors and players to do their own thing. And what happens? Soon we end up getting some of a(n) oligopoly. We end up getting major tech powers. We end up getting major platforms built on the basic thing. And we get a sort of lack of real cohesive regulation. And so all the wonderful benefits of technology and markets and progress move forward, but everybody also gets a sense that things are running out of hand, getting ahead of ourselves, that outstripping the regulatory powers, feeling stressed just like everybody has always felt stressed when markets take over from traditional things and bring change.
And so what we are seeing and what we feature in this package is a multifaceted pushback from several different sources. This is how I’ve come to interpret it, not what the authors say. Their pieces are all good, serious wonkery. But I tend to think of it as variants of Polanyi’s second movement. Right?
What’s happened over the last 15 years or so is that people have realized, no, I don’t want to have everything of mine controlled by a company or I don’t want to be at the mercy of all my data. And the flashpoint over these things has turned out to be data, that data is this wonderful commodity that everybody now realizes can be monetized hugely and has lots of value and interesting things and connects lots of different people, but who controls and governs data? We don’t know because we’ve never actually been in this exact type of situation before. And so what we are seeing is in the United States a sort of general feeling that the tech companies have gone too far and been penetrated and the internet is sort of problematic and that there are challenges from the outside and we need to reassert American control over what’s going on. This is one of the things that Michèle’s piece is about, right?
In Europe, you have a sense of the same kind of thing, this has gone too far, we need to protect ourselves, but we need to do via regulation by technocratic experts. Right? And this is sort of GDPR, this is the European attempt to reestablish control through high-minded regulation at the sort of regional level.
You have Indians coming at this same question and saying, no, we want to build something different and better from the ground up. And Nandan Nilekani’s piece talks about the—in the package—talks about the Indian efforts to build a more public-spirited internet from the ground up.
And Adam’s piece talks about a Chinese response, which is basically, you know what, we’re not exactly comfortable and happy playing in this world, so we’re going to go build our own little playground on top of or separate from or different from yours and, you know, then we’ll see.
All of these, I would argue, are attempts to essentially claw back control from the totally unregulated markets or relatively unregulated progress in new areas in the first couple of decades of the internet era. And we don’t know what is going to happen. We don’t know who is going to control the commanding heights of the digital economy. Is it going to be governments? Is it going to be states? Is it going to be individuals? Is it going to be an international regulatory scheme? Is it going to be some measure of all of that?
That’s the general picture within which our day-to-day discussions about Russian hacking or somebody else’s piracy or espionage or this or that vulnerability are taking place. It’s not just a question of day-to-day policy. It’s not just a question of how do you respond in a symmetric tit-for-tat way against somebody else’s threat or defend yourself against that. It is, who is going to fundamentally regulate and run and manage this new area of the commons, which we have only recently started to colonize. That’s the big question.
With that, let me turn it over to the real experts and I will shut up now.
Michèle, why don’t you start by talking? We all read in The Times today the latest, full-scale update of the Russian attempt to influence the 2016 election and how that proceeded largely through digital means in various ways. Your piece, one of the key foci in the piece is cybersecurity and how the United States should respond to that sort of thing. Why don’t you take it from here and explain what you said in the piece and what people need to know about how America should run things better?
FLOURNOY: Thank you. Well, thanks to all of you for coming.
So what we argued in our piece is that we are entering an era of greater competition among great powers. And great powers will take that competition into every domain, including the cyber domain, and that we’re seeing that, not only the use of cyber for traditional intelligence-gathering operations, but now the use of cyber to try to seek economic advantage through stealing or theft of intellectual property, the use of cyber in asymmetric ways to achieve outcomes that you can’t necessarily achieve through military force or aren’t available to a particular actor and so they use cyber instead, and also the leveraging cyber as part of military operations and security competition.
So what we were—the battlefield internet idea is this idea that we might have originally talked about an expectation of some massive crisis, like a cyber Pearl Harbor, but what we’re actually seeing is a more steady, corrosive kind of competition that is presenting real challenges to a society that is probably most open, most dependent on the internet, increasingly so, including in the military domain and, you know, that we’re seeing this corrosive march of challenges and we’re not really adequately addressing them as a nation.
We have failed, in my view, to address, to respond effectively to the Russian meddling. We don’t have a clear policy or doctrine that lays out clear red lines, not that, you know, we’ve—red lines is sort of an overused term or one that’s fallen from grace in some ways. But we need to be very clear with our competitors, our potential adversaries where the lines are. What do we care about? What can they expect us to defend? We need to lay out consequences and cost imposition if those lines are crossed.
And then we need to build our dialogue and cooperation with the private sector who operates, owns and operates, much of our critical infrastructure, operates much of the cyber domain. We need to have a much tighter partnership to try to defend our society, our nation together.
And then we have to really look at how we’re organized. And I would argue the U.S. government is not organized well for cyber defense. We don’t have a human capital strategy that will give us the talent we need to be effective in the future. And we haven’t leveraged our alliances and partnerships to really build a coalition of likeminded states to enhance cyber rules of the road, cyber norms, and cyber defense.
So the article’s bottom line is we need some serious U.S. leadership in this area because the degree to which this is becoming a contested environment without an adequate response risks undermining fundamental trust in the internet. And that would be very much to everyone’s detriment.
ROSE: OK, let me stick with you for two hundred. The things you just described sound wonderfully sensible and appropriate and, in Washington even normally, let alone Washington today, entirely unimaginable. So given that, do you have any confidence that your recommendations will be followed? And if not, what will the consequence of the current trends playing out a few more years without U.S. leadership be?
FLOURNOY: I don’t see—I mean, we just had the administration release its latest cyber policy. I’ll let Adam, you know, comment on that as well. But I don’t see this administration taking the steps in terms of devoting serious leadership bandwidth to this question, organizing a whole-of-government approach, doing the outreach to the private sector that you’d want to see, doing the outreach to allies and partners.
I’m not saying none of it’s happening. There are some ad hoc efforts here and there, some good, but you don’t see a concerted effort as if this is a true national priority and we’re going to go after this and end up in a couple of years in a better position. I don’t see that focus or level of effort and I don’t see the resources being allocated to the threat.
ROSE: So project—OK. So let’s assume that continues, where are we five years from now if current trends just continue to roll on?
FLOURNOY: I think we’re going to see more and more attacks. And if we don’t have a clear policy and a clear cost imposition strategy that says there are consequences when you meddle in our election, there are consequences when you steal billions of dollars of our intellectual property, there are consequences when you, you know, otherwise if you were to attack our critical infrastructure, I think you’ll see competitors becoming more and more bold, testing the limits.
And my worry is you could start to see targeted attacks on critical infrastructure that would create civilian harm, which is a threshold that we really haven’t crossed in this country. We’ve seen it happen. Russia’s attacks on Estonia definitely crossed that threshold. You could argue that some of the North Korean attacks have crossed that threshold in minor ways with second and third-order effects on not the people they targeted.
But I worry that without a strong response, you know, we’re leaving the door open to malicious actors pushing and pushing and pushing to the point where it will become a serious—it is—become even more of a security problem for the United States, but also for Americans in their day-to-day lives, especially in the context of the internet of things.
ROSE: OK. So that’s depressing enough.
Adam, let’s turn to you. I gather that while we’re sitting here sort of dead in the water, letting trends sort of stagnate and proliferate and things slide down into the world that Michèle just described, somebody else is doing something more interesting to create a different alternate future. Is that the case, and can you explain?
SEGAL: Well, I think it’s important to remember that when Beijing first thought about the internet fifteen, twenty years ago, they had two big thoughts in mind. One was is that they knew that the flow of ideas inside of China was going to be destabilizing and they wanted to prevent that. Right? So from the very beginning, they knew that the U.S. and others would see the internet as a possible tool against the CCP’s dominance and that you had to be worried about how those ideas were flowing and who used them.
And the second idea was we’re going to adopt these technologies because we need them for economic growth, we need them for good governance, right, because the leadership actually uses the internet to know what’s happening at the local level because they don’t trust their own reporting, but we don’t want to be dependent forever on the West for these technologies. Right? And so from the very beginning, they also knew that dependence brought a huge amount of vulnerability.
And those two ideas have really directed China from the internet from the very beginning. And we’re seeing them play themselves out now as they project both, how do you create a governing system that’s both domestic and increasingly international for how you control information, and, two, what is the next wave of technologies that you want to make sure that you control or in the Chinese phrase are secure and controllable?
ROSE: So they’re actually building an entire new sort of hived-off sphere of their own?
SEGAL: Well, from the beginning it’s been fairly hived off. It allowed, you know, some degree of information to flow back and forth. But I think the more important issue is as they begin to project outward. Right? We always knew, OK, the Chinese internet was going to be different, but the assumption was is that everybody else would basically adopt the U.S. method or the U.S. approach. We would have some differences, right, with the—with the—
ROSE: How would you characterize that U.S. approach?
SEGAL: Well, the bumper sticker is open—global, open, interoperable, and secure.
ROSE: Globally open, interoperable, and secure.
SEGAL: Right. So free flow of information, a common set of technology standards, resilience, and security in the—
ROSE: So an actual information highway maintained at public expense or, you know, everybody can sort of travel on.
SEGAL: A global expansion of what we had in the—in the United States. And we would have—you know, clearly, we had difference with the Europeans about information control and content. Right? You couldn’t post Nazi material in France and Germany, but we said, all right, those are some differences there. And, of course, the differences over privacy and data as a human right and the GDPR. But the broad outlines were still fairly understood and we thought that was the route. And, of course, other countries would, as they entered the internet or went online, that they would see that as the more attractive model.
But I think both the experience that we are having now in the U.S. and in Western Europe more broadly about how do we think about information operations and the rumors and fake news and all those others and the economic costs of sending all your data to multinationals that are based in Silicon Valley, the law enforcement costs. You know, if you’re a judge in India and you want access to that data, you have to go through the multilateral assistance treaty and ask a U.S. judge for that data. You know, for an Indian or Brazilian judge, that seems like an unbelievable slap in the face from a sovereignty perspective. So lots of parts of the Chinese model seem pretty attractive and the Chinese have been increasingly assertive in promoting that through their diplomacy. And quite honestly, they have a lot of money to spend.
ROSE: So, wait, is their model come join ours or everybody have their own?
SEGAL: Well, the Chinese message basically is everybody should regulate the internet as they see fit. Right?
ROSE: So it’s like federalism, federalist regulation among the states rather than a national regulation for everybody. Instead of a global regulation, each country gets to do its own thing.
SEGAL: Cyberspace is a sovereign space like every other space. Why would we think of it any differently? And so, of course—
ROSE: Right. So there’s no—it’s not a public commons, in other words?
SEGAL: The Chinese never considered it a public commons.
SEGAL: Does the U.S. consider it a public commons?
FLOURNOY: Yes in the sense that—yes. I think there’s hesitation from legal experts about calling it a commons. But yes, it is seen as a public good and an open space that’s self-regulating.
ROSE: And is this basically the difference, which is that we see this as sort of an international public good that everybody should basically come together to regulate and others are saying no, this is just like another piece of territory and we’ll take our section of it and you take your section and you do what you’re going to do?
SEGAL: Yes. And then other countries also said, well, the U.S. keeps on saying this is a global, open platform, but who benefits most from that? The United States.
ROSE: So our poor management of that global public good helped others realize you know what, maybe we might as well do better off in our own kind of taking some of it. Well, OK.
Don’t have to agree with that.
Question for you. So is this the splinternet?
SEGAL: Yeah, I mean, a splinternet or we can’t say Balkanization any longer, but the fragmented internet. Yes, we clearly have—right now, still, technologically, interoperable, but we clearly have different governing ideas. And increasingly with big data and privacy and surveillance, we’re going to have different sets.
And also, looking at the way that the Trump administration has responded to the vulnerability of using Chinese tech, right, which is that we should increasingly perhaps remove our supply chains from China, we should think about, you know, how the reliance on Chinese products affects us. If you start unraveling that, then you get more and more two separate spheres.
FLOURNOY: And I think that private companies in the tech world are navigating some very hard questions that are at the heart of this tension between the two models. So, you know, China is probably going to have more internet users ultimately than any other country in the world. But it—and, you know, if you’re a tech company, you want to be inside that market and serving that market. But if the price is accepting Chinese censorship of search or Chinese demands that you must turn over any data that passes through your system to the governing authorities on demand, you know, what are the moral compromises?
Similarly, you know, there’s a lot of Chinese investment in our tech supply chain and vice-versa, or at least a lot of our supply goes to China, and so how much will the two countries feel they have to nationalize those two supply chains? Are they comfortable relying on products that are injected into one another’s systems when you have this fundamental disagreement and tension?
ROSE: So a security competition or worries about cyber-sphere separation could bleed into the trade war and could basically help increase an escalatory spiral of great power competition in a divided world rather than the wonderful one world we thought we were going into?
FLOURNOY: Yeah. And I think it’s just—it’s also just very—so coming at it from a Defense Department perspective, one of the big challenges right now for the United States military to maintain its technological superiority into the future is to leverage cutting-edge commercial technologies. So you see all kinds of efforts for the department going out to Silicon Valley, Route 128, Austin, Texas, all these hubs to try to find commercial technologies that can be brought in. Well, you look under the hood of a lot of these companies, and in series A, series B, they took some venture capital from Chinese investors. Most people in DOD say that is a problem. So do you completely give up that capability or do you try to buy—find an American investor to buy out the Chinese?
I mean, this is a very practical problem, but it’s also very real because the Department of Defense doesn’t want, you know, a Chinese investor inside the development of capabilities it’s going to use to enhance our military capability over time.
ROSE: What do we do in the—in the defense industry about that? Like, you know, I mean, essentially, can you apply this? Can you port rules over from defense contracting?
FLOURNOY: Yeah. I mean, I think there are ways for the things you really care about to try to seek to, you know, either buy out investment that’s there or what’s being debated now on Capitol Hill is broadening the definition of what’s covered by what’s called CFIUS, which controls foreign investment key things. The problem is that’s—you know, we’ve defined that very clearly in defense and national security terms. But what happens when the window is open to a number of commercial technologies? It becomes a much more complicated set of decisions.
SEGAL: And it’s going to be extremely hard with AI, right, with artificial intelligence when it may—you know, AI may look like electricity, right, where many of the usages may have extremely broad usage that will have military use and civilian use. And the Chinese and American AI research communities are tightly, tightly intertwined. I mean, if you look at the flow of people from Baidu to Google and back again, it is going to be very hard to figure out where the line between U.S. and Chinese research begins and ends and how do you hive those things off.
FLOURNOY: And in our system where there’s no guarantee that the best AI work that’s done in the private sector is able to be leveraged by the U.S. government and the military and law enforcement and intelligence and so forth. In China, it’s a doctrine, it’s a requirement. It’s called military-civil fusion. And the expectation and the demand is that if you’re a civilian researcher in China and you have great—you make great strides in AI, you’re sharing it with the PLA because the state requires that. So it’s very asymmetric situations between the two.
ROSE: OK. This just further convinces me that this subject is going to get even more interesting going forward.
ROSE: Two questions to you guys before we throw it open to more general discussion.
First, what does all this look like in practice to ordinary people five, ten, fifteen years down the road? In other words, those of us who don’t sit there worry about ICANN or about this kind of thing or that kind of thing, we’re going to have ever-new products, we’ll be able to see different things? How will any of this affect me as a user rather than as a policymaker?
Either of you.
SEGAL: Well, I think from the U.S.’s perspective, I mean, the biggest impact is, as Michèle said, I think the threats just continue to go up, right? And the threats are not only just from your Yahoo account or your Twitter account, they become from your oven and your car and all of your internet-of-things devices. So that threat vector goes up a lot, and not only just data, but also possible physical outcomes that can damage you.
As a user, you know, U.S. users weren’t really using WeChat or, you know, using Baidu search anyway, so it’s unlikely that it would have made a huge effect. But we are probably all going to lose out on competition, right, which is going to drive innovation, I think, in both sectors faster. You’ll be, I think, more affected in third market. Right? So I think, you know, the U.S. will be in the—U.S. companies will be in the U.S. and Chinese companies will be in China. But in Brazil and in India and in third markets, there’s going to be a very intense competition and I think U.S. companies are going to be affected by that. And U.S. users, you know, when they go to a third market are going to find out, you know, are you—can you use Twitter, or do you have to rely on Weibo or WeChat or something like?
And I think practically for most daily users, for five years, it’s not going to have much of an effect.
FLOURNOY: I think over time, the increased sense of vulnerability, the experience of more attacks and disruptions will actually create a sort of public pressure and consumer demand for greater accountability, first for the companies that are providing products to have an expectation of it better be cybersecure and some expectation of liability or accountability if people are putting things in the market that are not, and second, I think much greater demands on the U.S. government to do something. You know, stop arguing about who protects .gov and .mil versus .com, like, solve the problem. And I think that’s going to take a different kind of organization.
Right now, we’re very Balkanized and we’re also separated from the private sector. I think you’re going to have to move much more towards—whether it’s a joint interagency task force model, a new agency with a different culture that really has a broader mandate that takes resources and talent from across the government. I’m not sure what exactly the answer is. And we’ve put out a couple of suggestions to be explored in our article, but we’re going to have to fix this because I think it’s going to become an issue that Americans get very fed up if they are increasingly—by being increasingly connected, they’re also increasingly vulnerable and at risk.
ROSE: OK. My last question to you guys: Why won’t the logic you just described, domestically, operate on a grander level internationally and economically to produce some form of cooperation? Because essentially, if things really are this awful or are headed down this path and if, because of the defense and other kinds of considerations on the internet-of-things considerations, it’s not just Boeing and Airbus competing in different markets for different things and everybody cares, but not that much about who gets a share—if it’s really threatening to create a world conflict or if there’s a (bolt-from-blue ?) things or if we’re all wondering, you know, whether Jin Yang is going to reprogram our fridge to tell us horrible things, what is it that is going to—why won’t the prospect of disaster, the prospect of a hanging in the morning concentrate everybody’s minds and make them cooperate in a good fashion?
Essentially, like, is this going to be a European Union crisis which resolves itself in a greater, closer union? Or one of those—or maybe the crisis that basically says no, no, no, all this is going apart?
SEGAL: I’m sorry, did you write your first piece as, like, how you were a neoclassical realist, I mean, and you’re asking us why there isn’t international cooperation on this issue? (Laughter.)
ROSE: Well, the question is—no, but we have been in something called a liberal international order—or some of us have called it that—for a few decades. And we’ve made ever-greater progress towards the collective addressing of global problems. And if this isn’t the sort of collective global problem with lots of mutual benefits for cooperation, I don’t know. So the question is, why aren’t the prospects of greater cooperation for mutual benefit producing a sufficient demand for competent global negotiations and policymaking to give the public the public goods that it should have? Or will just national interest and sovereignty and the collective action dilemmas screw this up and drive us all back into war? That’s the question.
SEGAL: You want to go first?
FLOURNOY: I’ll jump in. (Laughter.) No, I do think we’re seeing initial attempts in that direction. So you have companies like Microsoft is about to—is launching up at UNGA a Digital Peace initiative that tries to put a set of norms, cybersecurity norms out there, and build international consensus across private and public sector to support that. Creating, you know, a digital or cybersecurity response corps, like an NGO, that would be, like, first responders for helping those who are under—who recover from attack. I mean, there are all these ideas that are out there. And you also—you have the NATO alliance, for goodness sake, you know, in their own recent summit communique talking about greater cyber cooperation. So you will see efforts like this.
There are going to be some actors like China, like Russia that will never buy into that in any meaningful way. But building the consensus around norms, building international cooperation is still valuable, because when they do cross the line, having more collective action to hold them accountable and to pay a price for that becomes really important if you’re ever going to establish any kind of deterrence in cyberspace.
SEGAL: So I would say I’m less—I used to be more optimistic and now I’m less optimistic and I would think a lot of it has to do with how we think about the nature of cyberconflict and what cyberattacks, cyberoperations will be useful for. And if we do think about them as destructive attacks above the threshold—cyber Pearl Harbor—then, yes, I think we would get to some type of common shared interest. You can imagine a kind of mutually assured destruction, a world where we all kind of say, yes, these types of attacks are bad, we’re not going to do them.
But right now at least and as far as I can tell for the immediate future, cyber is not going to be a strategic weapon in that way. It’s as Michèle said, all the attacks are below the threshold, right, and they’re about deception and influence and sabotage and espionage and we have a terrible time controlling those things in the physical world, much less the digital world. So it is very hard for me to imagine how we ever get to an agreement about what would be considered a norm.
You know, Microsoft, of course, has the incentive to say we have these norms because Microsoft is the target and they want customers everywhere to buy these products. But it’s very hard for me to see how any state would say we’re not—we’re not going to do that. In fact, the United States has—you know, we haven’t—we have called out other countries for placing malware on critical infrastructure, but I think it’s widely assumed that the U.S. does the same thing to prepare for an attack in the future. It would be the responsible thing to do, quite honestly, to make sure that if the U.S. has to it has to respond. So right now, states are not willing to constrain themselves in any way.
I think the other issue also is just on the—on the data and privacy side. We just—it is a moving target, right? And, you know, this is often true at Council meetings, but, you know, we are just not the target audiences. The average age of the users in developing countries are much younger than everybody in this room, right, and they’re going to have a very different set of norms about how data should be used, privacy, identity, and all these other things. And to think that the system we have in place to define what that should be or at least convert those demands into governance, I think we’re a long way away from that.
ROSE: On that cheery note, I would like to invite members to join our conversation with their questions. A reminder that this meeting is on the record. Please wait for the microphone, speak directly into it, stand, state your name and affiliation, and limit yourself to one concise question.
Over here, first question.
Q: I’m Louise Shelley from the Schar School of Policy and Government at George Mason University.
Tonight we haven’t heard anything from our two speakers about the criminalization of the internet, the victimization of individuals through the purchase of opioids, other harmful pharmaceuticals, people’s bank accounts being stolen, the criminal side that also where the criminals are often recruited and serving the state. And does any of the issue address this problem of the criminalization of the web and its role in proliferating harmful illicit trade?
SEGAL: Well, I think that also points to the problem that Gideon—his final question, right? There is an international agreement, the Budapest agreement on cybercrime which is—
ROSE: We know how much Budapest agreements are worth. (Laughter.)
SEGAL: —you know, which is, I think now up to forty-four or forty-five countries. You know, Russia has not signed and many Eastern European countries haven’t signed, partly because of sovereignty concerns, but also because of the way that it plays out on investigation.
I think you are right that other countries are more than willing to use criminal hackers for state concerns, right? One of the most interesting, scary parts about when the investigation of the Yahoo hack came out, right, the FBI called the FSB and said, you know, we’ve identified two of the hackers we think are behind it and the FSB went to those guys and said you guys are really good, you work for us now. So there is, I think, a greater willingness in—
ROSE: Was one of them named Matthew Broderick?
SEGAL: And we saw with the indictments in Iran as well, that a lot of those guys either were criminal or working in the private sector. So other countries have been more than willing to adopt nonstate actors, mercenaries, criminal actors there.
I think it points to the larger point that Michèle was making about a loss in trust and when do individuals, when do they have enough of it, right? When do they start demanding more be done? And again, I’m less optimistic because we just seem willing to keep going and going and going. You would think that Equifax would have made a much, much bigger impact on people. You would think that the OPM hacks would have made a much, much bigger impact on people. But for the most part, we all just kind of keep going along, willing to lose our data.
ROSE: A little public service question: Is there any reason for any rational person to spend the money to get a dark-web scan to worry whether they are, you know, somehow—
ROSE: What? That is all just pure—
FLOURNOY: No. No. I mean, I actually think most of us would find that a lot of our passwords are compromised and information that you’d be horrified to know is out there is out there.
ROSE: So you should actually.
SEGAL: You don’t actually have to pay for it. You just go to a website called haveibeenpwned—P-W-N-E-D—
SEGAL: —and you just type in your account names and that will just tell you if you’ve been hacked.
FLOURNOY: But make sure you’re sitting down and you have some comforting thing to reach for after you get the results. (Laughter.)
ROSE: There you have it, public service announcement.
Next question? Yes, over here.
Q: Oh, here we are. Hi. Jan Lodal from The Atlantic Council.
So by my rough estimate, since the World Wide Web came to be part of the internet, the performance of the computers that run it has improved by roughly a factor of ten million. There’s different ways to calculate that, but, you know, it’s utterly unprecedented in human history that something has changed that rapidly. And so, so much of this problem that we have, as well as the success, is a result of that, it seems to me, because we run on an infrastructure that was designed for the one-ten-millionth case as opposed to today. It’s basically TCP/IP, it’s basically directory name service, it’s all that stuff. It’s been patched up a little bit. We have https, we have a few little things. But that—there was no concern about security at all. So when you talk about the basics here and you put security on there, we’re running on a platform that is almost impossible to secure the way it works now.
Now, I don’t think that security itself is impossible thanks to public key cryptography and so forth. We could make it pretty easy to authenticate, for example, almost every packet that comes in. And most of the kinds of problems that have happened wouldn’t have happened if that were to occur. But there’s nothing in your journal that even begins to talk about what I think is the core, fundamental, underlying problem here. It’s sort of like talking about nuclear weapons without any concept at all about how big the bang is when it goes off and how that compares to how big the bang wasn’t with the old type of weapons. That’s kind of what’s happened here.
So I just appreciate the panel’s comments.
ROSE: I should say that, Jan, you’ll like the next issue. The lead package in the next issue is about whether nuclear weapons matter and, if so, how and why and what the implications are with lots of different perspectives. So that’s a fun one there for someone like you with your background in controlling these various things.
Respond? Who wants to respond to Jan’s comment?
SEGAL: You’re right. I mean, I don’t—I think that has been a kind of fundamental critique of cybersecurity in the first place, right, is that it went from this small platform to a global platform and security has always been an afterthought or it has been jury-rigged to products and platforms that weren’t—that weren’t built for it. So to some extent, yes, the fundamental kind of basic sin is there and has kind of structured everything that has followed from that point on.
ROSE: And does that mean we’re—that all the other stuff is irrelevant because you’ll never be able to secure the base?
SEGAL: No, but I think as Jan said himself, you could secure things, and you can secure different layers of it.
SEGAL: You can—there are answers to this problem. There are tradeoffs involved all—
ROSE: So come back to the demand question of will people insist that something be done.
FLOURNOY: Yeah. It’s also—it’s not a destination, so you don’t reach a moment of cybersecurity and then you are secure—(laughs)—you know? It’s not a destination; it’s a—it’s an offense/defense game that’s constant, and dynamic, and ever-changing, and so it’s more can you—can you adapt and keep evolving how you protect what matters most and keep innovating.
And there’s—I mean, one of the fun things I get to do in my new job is see a lot of amazing start-up cybersecurity, AI, other companies—just eye-watering innovations, and they are coming along, and the challenges—making people aware of them and scaling because there is a lot of good stuff out there.
So I don’t want to—I’m trying to be—find my optimist gene in here, but I do think it’s something—we have a great strength as a society in innovating, in integrating, and in that resilience and constantly reinventing, and that should play to our favor.
ROSE: Let’s hope. From your lips to God’s ears, as they say.
Yes, over here, ma’am.
Q: Paula Stern. I’m glad the last comment was just made about America’s great strength in innovating, et cetera, because I’ve always thought that China’s great strength is just its sheer numbers, its market strength. I mean, I’ve always said, you know, he who pays the piper plays the tune—calls the tune.
The Chinese market is so enormous and will continue to be much bigger than the United States’ that I just wonder if we have a little hubris about how we’ve been so successful in the past and therefore our patterns, including the marketplace and our incentive system, et cetera, will work vis-à-vis the Chinese. I put Russia aside for a second. So it’s a comment but I would like very much for you to talk about what I think we are in, and it’s an extraordinary inflection point vis-à-vis China.
SEGAL: Well, I would say that, yes, the fundamental assumption has always been that we’re going to run faster, right, that we are going to innovate faster, and that we were willing to pay the piper in China, and often U.S. firms knew they were going to lose technology when they went to China, but they knew they had to do it to gain the market. And if you asked them, they’d say, yeah, of course it’s going to happen, but we’re going to run faster. So—but I don’t think it—
ROSE: Who is kidding whom?
SEGAL: Well, it—but it wasn’t just pure market, right? It was market plus mercantilism or techno-nationalism, so it was policy tools that are in place, and we are clearly questioning that bargain now, right? I mean, say what you want about the president’s trade war with China, the focus on the techno-nationalism was the right part of it, right—the forced joint ventures, the forced technology transfer, the IP theft, the cyberespionage—all of those things.
So I think you are right. We’ve reached this point where we’re not certain any longer that we can assume that we will run faster because of Chinese policy, also because Chinese companies have moved up the value chain much faster than we expected. I think there is still a significant gap on the innovation side between the U.S.’s ability on what I would call science-based innovation or new to the market. The Chinese have made up the gap massively in incremental or business process innovation. They are still not there on science-based innovation, but AI could be a game-changer, all right.
So AI is going to definitely be test to two different models, right? AI seems to be, on the Chinese side, top-down, big data, government cooperating very, very closely with the tech companies. In the U.S. we seem to be still relying on our old model, right—bottom-up, private-sector driven, and I don’t think we know yet. We don’t know which one is going to work better, but I think you are right that we are certainly questioning those assumptions.
ROSE: You can rent him out for parties as a buzzkill. Like, if your neighbors are having a really big party and you want to calm that, it’s just like—(laughter)—yeah, yeah, go—everyone will go and commit suicide.
Yes, in the back. Over there, back row.
Q: Alan Raul, Sidley Austin.
You’ve advanced the proposition that the United States has exercised too little cyber leadership—offensive or defensive. To what extent do you think it’s we’ve been inhibited by the global repercussions of Snowden, and do you think that the Obama-Xi Jinping meeting, which resulted in curtailing cyber-economic espionage from China—if you think it had that effect. Could that be a model? And do you think the Mueller indictment of the Russian email hackers is a warning shot over the bow in that it revealed just how much insight we have into exactly what the Russians are doing against on the cyber front?
ROSE: Michèle, why don’t you take that?
FLOURNOY: Well, you know, I do think that it’s—I do think that some communicating that we know who the perpetrators of attacks were and trying to hold people accountable is an important step. It’s a minor step, but it is part of what we need to be doing, communicating to our competitors or, in the case of Russia, the adversary in that case.
Whether or not how—that alone is not effective enough, and there is some debate among China watchers as to whether—as we named the officers we knew were responsible for one of the China hacks—whether that—and that this whole discussion about pulling back from economic espionage and IP theft—whether the instruction back to the hackers was just stop doing that, or keep doing it but don’t get caught.
And there’s—I think the preponderance of opinion in the intelligence community is the latter. So it’s not—
ROSE: I tell that to my daughter actually.
FLOURNOY: It’s not actually that they really stopped; it’s that they got smarter about trying not to be detected—how not to be detected when they are doing it.
So I think—I think the issues of accountability and deterrence have to go far beyond that, and we have to get—we have to get out of the cyber stovepipe and say, you know, look, if a cyberattack really holds—you know, comes at something we hold dear, like our democracy, something really fundamental, we need to look at the full range of our instruments of national power in how we respond. And we need to try to communicate, you know, some sense of consequences in advance in any hopes of deterring the future.
Right now my biggest worry is I can’t think of much that we’ve done vis-à-vis Putin that would, you know, prevent from doing the same thing and more in 2020, and that’s really a test that we don’t want our democracy to have to withstand, given the other ways in which it has been under attack recently.
SEGAL: I don’t think you can understate the kind of impact that the Snowden revelations had on the kind of coherence of U.S. cyber diplomacy, right? So free, open, and global is a great message. Snowden comes out, and we spend the next year and a half, you know, trying to explain the difference between legal surveillance and illegal surveillance, and patching relations with Brazil and Germany, which would have been incredibly important partners in promoting our view about how the cyberspace should be governed. We accelerate the internationalization of ICANN, in part because of Snowden, although the Obama administration probably wouldn’t admit that, but clearly we did it to take some pressure off from other countries saying you guys control the internet and you need to—you know, you need to give it up.
But also, most important, just, you know, the ability of the U.S. to work with U.S. companies was completely, you know—was wrest asunder, was separated, right? Because the companies, after Snowden, then adopt a strategy both of legal and technologically to distance themselves from the U.S. government, right, to challenge the U.S. government on surveillance requests and also the big one on encryption, right, so how do you promote this thing. So we lose that partner—the U.S. government loses the private sector as an incredible, important partner in pushing that view.
I don’t think we’ve really recovered, right? The White House’s strategy came out today. I only skimmed it very, very quickly before this meeting, but it also uses the language of global, open, and interoperable. It talks about multi-stakeholders, and as far as I can tell, it’s all the same language of the Obama administration.
The difference, I think, is where Michèle said, you know, are we going to build this coalition of like-minded countries that attribute much more quickly, respond more quickly, and punish more quickly. That’s where I think we would start beginning to see some leadership, and we really have to figure out what we’re going to say to the developing world, right? Telling the developing world that the multi-stakeholder model is the best for them, and they shouldn’t have anything to do with the ITU in the U.N. is just—we can’t keep saying that over and over again. We need to put something else on the table because those countries have real capacity needs and real cybersecurity needs, and telling them not to go to the ITU or not providing an alternative is just not a strategy.
ROSE: In the back—sorry, yes, back there. Right here.
Q: Thank you very much. Philip Corwin. I’m policy counsel to Verisign. I would note that we operate dot-com and just celebrated the 21st anniversary of operation without one single second of downtime.
Now my question is on October 1, we’ll celebrate the second anniversary of the IANA transition in which the Obama administration relinquished the last vestige of U.S. control over ICANN and completely privatized it. As we look toward the ICANN meeting coming up in Barcelona next month, the number one issue and the greatest test that the multi-stakeholder model has ever faced within ICANN is how to conform the WHOIS data—registrant data collection and dissemination policy to conform to the EU’s GDPR. I was just wondering what observations the panelists might have about the fact that, two years after the transition, we’re caught up in conforming an ICANN policy to EU regulation and what this might mean for internet governance generally.
SEGAL: Thank you.
SEGAL: Yes. (Laughter.)
ROSE: She had Russia.
SEGAL: Yeah, Russia—I could do Russia.
Ah, so yeah, I’m afraid I don’t have an answer for you. I know that there is clearly a lot of worry in the U.S. that it’s going to affect security issues and investigation into issues about how WHOIS is interpreted with GDPR. According to some interpretations of GDPR, you will no longer be able to turn that information over.
I think clearly it’s going to be a test of how that model works. Can they come to an agreement that, as you said, negotiates with the EU? But I don’t have any sense of how that’s going to work itself out.
ROSE: Let’s take the last three questions together in a bunch so we can wrap them up.
Yes, one here, and then one here in the front, right? No, right here—the young woman, exactly.
Q: Thanks. Dylan Gerstel from CSIS.
I was—just wonder if we could talk a little bit about 5G, so how much should the U.S. be concerned about Chinese companies like Huawei influencing this process, and if we should be concerned, what can we do?
ROSE: OK, 5G. Next question.
Q: Right here. Hi, Ruth Jacobsen, Marine Corps Base Quantico.
My question is regarding—I think we really can’t complete this discussion without starting to think about how are we defining data, and when we start to—and that’s such a difficult question to answer, of course—you know health data and numerical data—and that’s really an oversimplification.
I was wondering, because I sort of have a hypothesis that, depending on the type of data, we may see different levels of collaboration between researchers in the United States and China and—or we may see different levels of interest in investment depending on the type of data. And I was wondering—I think this is really—how do you think the U.S. is trying to define data? Are we trying to organize data? What sorts of systems are we coming up with? How specific are we going to get? That’s just my question.
Thank you very much.
ROSE: Great. And then one last one on this side. Yes, over here.
Q: Ben Fernandes.
There’s a lot of discussion about setting rules and how we would respond to an attack, and so—but I haven’t heard a lot of specifics, so specifically I’ll give you three examples, and I’m curious how you would set the rules and respond to them.
One would be the North Korean attack on Sony, so what should the response that would prevent that from happening again? The second would be the democratic elections, and the third would be Russia sent the NotPetya virus, and in fact, a bunch to Ukraine, it was focused on Ukraine, but it got U.S. companies, right, and affected U.S. companies, and actually shut down some U.S. ports and shipping lines and stuff.
So how would you respond to those three things? What would the rules be?
ROSE: 5G, data and detailed deterrence plans. Who wants to take which? (Laughter.)
FLOURNOY: I’ll take deterrence; you go ahead with the others. (Laughs.)
SEGAL: So on 5G—so there’s the economic threat and the security threat. The economic threat—it’s too early to tell in the race, right? Again, it’s going to be partly on which model is going to work. I mean, the Chinese are going to roll out much faster, they’re going to roll out in more places because they have control over that, but 5G is an incredibly complicated technology. There’s hundreds of patents involved across whole different parts of the technology.
So right now, you know, Huawei is a massive patenter in the space, other Chinese companies are, but it’s probably too early to tell who is going to win, one way or the other if there is winning, because the patents are probably going to be fairly widely distributed.
The security risks, I think, are real; the problem is—going back to some of the points you made before about what U.S. companies want to do in other markets, in third markets. And I think there are probably very legitimate reasons why you want to keep Huawei or ZTE out of your 5G networks. The problem is that we just haven’t given them, or very clearly, right?
And, you know, people who know better than I do about telecom say if you can touch a telecom sector, the boxes, then you have access to them, and they are never going to be secure, right, which may be true, so that we should then explain that. But that means that U.S. companies are going to face the same risks.
So I would argue that the problem right now is just that we haven’t really been very consistent or coherent about how we argue against why we can’t use there, and if we want to make sure that we have more global standards about supply chains and national security, we should be better at describing that risk.
ROSE: Do you want to do the data one?
FLOURNOY: The data one—I think you are exactly right, but there is no way that anyone is thinking about that strategically across the board because, you know, the range of data sharing that we have with the Chinese must touch on almost every aspect of life, right, because just looking at university research across the board, we know that it—you know, is just a massive research structure, and some of it is going to be very sensitive, and some of it is not going to be sensitive. Some of the Chinese are very sensitive—the Chinese got very sensitive, for example, about, you know, medical information being taken out of China, and so they put a lot of restrictions on it.
I know people in the FBI are very worried about genomic data being taken out of the United States and being brought to China. So I don’t think we’ve had a very strategic vision of what—as you said, what data we are worried about, how do we define it, and how do we control it.
SEGAL: So in the time allowed I’m not sure I can answer your question completely, but I—let me tell you a little bit about how I’d think it through. I mean, I think that you have to think through different types of attacks in terms of how seriously they affect our interests. When it’s a vital interest—if you have a cyberattack that’s on the basic functioning of our core democratic processes, I think that’s a pretty, you know, vital threat and something that merits a very substantial response.
You know, you can use all of, you know, the conceptual elements of deterrence theory even in this case. You have deterrence by denial, which says, you know, we’re going to do everything we can to ensure that any future Russian meddling actually doesn’t undermine the fundamental process, whether it’s better security for the component systems, whether it’s paper trails—auditable paper trails for all of our elections so that—so you can deny Russia the outcome it’s seeking.
Or you can also have deterrence by punishment, by saying, look, if you touch something that’s absolutely vital and core to the health and well-being of the United States of America, you can expect a very significant response. And here, in my view, deterrence is very case-specific in the sense that you really have to understand what does that actor hold most dear and value. And the answer for Putin and Russia may be very different than the answer for Xi and China, or for the Ayatollah and Iran, or for the North Korean leader. And so I think it takes a lot of analysis and what would really affect their calculus and their behavior, and then how do we use all of the instruments of our power to actually—you know, to put those at risk.
So that’s how I would think it through. It’s not a, you know, complete answer to your three scenarios, but I do think it’s possible to develop, I think it’s possible to communicate, and then it’s possible to demonstrate, with some credibility, the next time someone tests.
ROSE: Issue clusters, in my experience, tend to fall into three phases. There’s the oh, my god, this is an issue! There’s OK, I know that’s an issue; what the hell do we do about it. And there’s OK, we know the issue, we know what to do about it; we know we can’t do it for all these reasons, so is this ever going to change.
Think of the Arab-Israeli one in the last category, think of climate change in the middle. We’ve had the good fortune, with CRISPR, the package earlier in the year, and now with this one to, I think, put together good packages on, essentially, oh, my god, you have to think about this. And it’s more complicated than you thought, and there are people doing it, and little wonky professionals, but suddenly those things that we thought we could ignore we can’t, and these are going to be issues that we are all going to be caring and learning about over time, and it’s really—I’m proud, frankly, that we can offer a platform to discuss them at this high level.
And with that, let me make the concluding comment by saying that technocratic professionals do not have high standing in Washington today, but I think what you’ve just seen is why they should. And I want to thank Michèle Flournoy and Adam Segal for enlightening all of us and alerting us to issues that we need—all of us—to think more about and more carefully about so as to head off some of the very bad things that could be coming down the pike if we continue to be complacent about this subject.
Thank you very much.
FLOURNOY: Thank you. (Applause.)