Maurice R. Greenberg Senior Fellow for China Studies and Director of the Digital and Cyberspace Policy Program, Council on Foreign Relations
President, Council on Foreign Relations
Adam Segal discusses 'The Hacked World Order,' his new book on how governments use the web to wage war and spy on, coerce, and damage each other.
The CFR Fellows’ Book Launch series highlights new books by CFR fellows. It includes a discussion with the author, cocktail reception, and book signing.
HAASS: Well, good evening and welcome to the Council on Foreign Relations. I’m Richard Haass, and it is Wednesday night, and it is book night for the second time this week, And, stunningly enough, it’s the second book this week which deals with one of the most complex, pressing, interesting, important national security challenges we face, which is how to manage cyberspace.
In this case, the author is none other than Adam Segal, who is in residence here. He’s the Maurice R. Greenberg Senior Fellow for China Studies, and he’s also director of the Digital and Cyberspace Policy Program here at the Council on Foreign Relations. Adam is the producer of a new book, “The Hacked World Order.” He also wins the award for longest subtitle of the week, “How Nations Fight, Trade, Maneuver, and Manipulate in the Digital Age.”
Did it take you longer to think of that than it did to write the book, or?
SEGAL: I actually never remember, actually, what comes after the colon, but—(laughter)—I know there’s “maneuver” and a “manipulate” in there, but—
HAASS: OK. M&M.
We’re going to talk for a few minutes, and then we’re going to open it up to you all.
Since I was just teasing you about the title, let’s go back to the title. Why the title?
SEGAL: Before I answer, I want to thank you, Richard, for support of the book and the—and the Digital Program, and everyone at the Council for all of their support as I—as I researched.
I was addressing what had become a very utopian view of cyberspace as a(n) ungoverned space, one that was going to radically empower individuals and bring this widespread free flow of information. And what I saw in what I call year zero, from June 2012 to June 2003, was the radical reassertion of states back into cyberspace to exert their sovereignty and control. And as they’re doing that, they’re creating a new order—a hacked world order.
HAASS: OK. So just imagine. You may not have heard—anyone in this room may not have heard this, but rumor has it there’s a presidential campaign going on. (Laughter.) And if we’re lucky, by November the campaign will be over and we will—we’ll have a—we’ll have a nominee—a president-elect. He or she will take office in January. And just say you were called upon to frame the challenge that person, that individual and the new administration would inherit. How would you do it?
SEGAL: I think you’d want to frame it both as the domestic challenge and the international challenge.
So the domestic challenge is the one that we’ve been struggling with for 20 years; this, how do you actually create some greater security, right? How do you create the incentives for companies to spend more on cybersecurity and build better barriers? How do you get the government to clearly identify what it’s responsible for? And how do you get the public and private sector to work together, all right? Where does the responsibility for the government to defend the private sector begin and end?
I think, on the international front, we have this—as you said, this new emerging space, and we have—we have basically no rules, right? We had 60 years of the nuclear age where we had very—a very clear set of rules. We had arms control agreements. We had multilateral institutions. And none of this—well, either—it either doesn’t fit or is going to require some significant reform.
HAASS: So let me unpack both of those, then, and drill down a little bit, which is on the first. You mentioned security and cooperation between the commercial sector, if you will, and the public sector. Let’s look at security. But security also has got to be a tradeoff with efficiency. You can make—it’s almost like borders. You could make it far more difficult for goods to get into the United States, but you could also essentially stop trade. So I assume in cyber land there’s also tradeoffs between efficiency—the fact that virtually I expect every person in this room is carrying a mobile device; many of them, if not all of them, have computers back in their offices or in their briefcases and whatever; virtually all the gadgets in their home have computer chips or something in them. So how does one deal with the need for ubiquity and efficiency on one hand and security on the other?
SEGAL: Yeah, I think—I think engineers say efficient, secure, convenient—pick two. (Laughter.) You can’t—you can’t have all three of them. And we really have this—we’re moving towards a world, as you said, where everything is being connected, right?
My neighbors renovated their kitchen. They invited us over for dinner. And I said to them, do you realize that your oven is talking to my wi-fi? (Laughter.) And they didn’t. They had no idea that they had a wi-fi-enabled oven. Because if you want to turn it on before you get home, it would be very convenient, right? You could start the roast before you got through the door. But I suspect that the password on that oven is “12345”—(laughter)—or “GEoven” or something like that, and I could easily reset it.
HAASS: But what good would that do you?
SEGAL: Well, I could turn their oven on and off, I guess, if I wanted to. (Laughter.) They bought a puppy, so I guess if the puppy yaps too much I could, you know, get back at them or something.
But we’re moving towards this world where increasingly vulnerable because, as you said, for efficiency, and we don’t really—we haven’t thought about the tradeoffs yet. And people think, oh, can I connect it to the Internet? And they do.
HAASS: Well, let’s get, then, to the other set of—actually, push one last thing on that one, which is, OK, but if one has to have a slight bias or tilt, and you said pick two out of three, what would be your two? What would you pick?
SEGAL: I think we’re at the point where I would go for secure and efficient. You know, we had this massive growth—the reason why the Internet grew so quickly in part was because it was so open, right? Anybody could connect anything to it. It didn’t matter when it was only 20 scientists who all knew each other, but once it became 3 billion people around the world, then it became a much bigger problem. I think now, with the Internet of Things, we’re better off think about secure and efficient.
HAASS: So let’s talk about the partnership angle. You know, as the Apple-FBI law enforcement case suggests, the partnership, it’s like a lot of partnerships I know—it’s kind of headed, you know—not exactly smooth. And the—how does one make that work? Because, again, the priorities—and I’ve worked a lot more in government than I’ve worked in the private sector, but the priorities and the mindsets are really different, and the definitions of success are fundamentally different. So how does one begin to think, I mean, about making a partnership work—not just, say, Apple and the FBI, but even more broadly?
SEGAL: Yeah, I think, as you said, one, it’s a radically different mindset, and increasingly market pressure, right? All of these companies are trying—the greater share of their revenue is coming from China and India abroad, and with the Snowden revelations they had economic and other reasons to distance themselves from the U.S. government. And one of the ways that they’ve done that is through encryption and by showing we are always going to defend the user.
Encryption is going to be incredibly hard to solve, and there is no—despite what the U.S. government keeps saying, there is no technical solution to it, right? We can’t create magic doors that only good guys can get in and bad guys can’t. So we’re going to have to require a real debate that Congress is going to have to get involved in, that is going to require who can get access to data and who can’t.
HAASS: And do you think—in the case of Apple and the FBI, can you imagine an outcome that you think is in the—passes what you would call the Solomonic, or reasonable, test?
SEGAL: I’m not sure this is the case for it. I think, in this case, the FBI is overstretched because what they’re asking Apple to do is, again, basically build a back door. But I do think there is a Solomonic solution out there. Luckily, we have many commissions put in place, and I know you know how useful commissions are going to be in solving these problems. But I do think we’re starting to have a serious debate about where we want to draw that line. And we can’t have it without Congress and the public involved.
HAASS: Since this is not an event on that issue, I won’t take you on. But there’s no consensus up in this platform. (Laughter.) But this is his night, not mine. (Laughter.)
Let’s turn to the international side. I guess the question is really a two-part question. Can you imagine a set of rules for the global governance, if you will, of cyberspace that would deal with protecting and promoting commercial usage, free flow of ideas and information? And then you’d also have to deal with espionage, commercial espionage—also known as intellectual property theft, questions of preparing the ground for attacks, actual attacks. Can you imagine anything—one, could you design it? And, two, do you imagine you could get significant collective buy-in?
SEGAL: I don’t think we can get it for all of those things, right? All of those things are clearly separate siloes that are going to have—you know, we’re never going to agree with the Chinese and the Russians on the free flow of information. We’ve made much more progress on commercial espionage than I would have ever predicted, but the evidence of that is still—we’re still waiting to see.
I am most optimistic on an agreement that the big powers will agree to that will basically be—because it’s in their self-interest—about preventing some types of attacks, and perhaps what you referred to as preparing the battlefield, certain types of intelligence-gathering during crises, right? So for the defender, an attack that may be for espionage is going to look very similar to an attack that’s preparing the battlefield, right? Once you’re in someone’s network, you’re not going to know why they’re there. And it may just be one or two different touches to the keyboard that changes something from collecting information to destroying or attacking information.
So you can imagine that the United States and China and Russia have a real shared interest in preventing those types of attacks, especially when there’s already significant tension between the two—or the three, right? U.S. and China naval vessels in the South China Sea run into each other, all of a sudden we see Chinese hackers in the power grid. That’s going to be incredibly destabilizing because we’re not going to know what they’re—what they’re doing and how quickly they could move from espionage to an attack.
Right now, the Chinese seem to think that they are less vulnerable than we are, but that’s going to change over time. The Chinese economy is—GDP, about 4 percent came from the Internet economy. The PLA, the People’s Liberation Army, looks more and more like the U.S. military. It’s dependent on satellites and command-and-control structures. So you can imagine that the two sides eventually get some shared interest in mutually assured destruction in that space.
HAASS: So it was interesting, if you put aside the free flow of information, what you’re suggesting is that over time the idea of some—a degree of convergence between the United States and China in this space is not a pipe dream.
SEGAL: Not at that very narrow level, yes. I think you’d have to try to silo that. But yes, I think in that space.
HAASS: Just a little bit more broadly, you know, the Internet is, to me—it’s truly odd in some ways as a way it’s managed. I mean, it doesn’t really have anyone running it, kind of grew up from the ground up as opposed to from the top down. You’ve got a lot of private individuals and organizations involved. You’ve had this group which was overseen by the Commerce Department handing out domain names. It was—it was a kind of structured anarchy, in some ways, in international relations. Can that last? And, if not, do we inevitably move towards a world where governments have a bigger hand, and rather than having a single Internet it basically begins to—almost like the trains in Europe used to be, when you went to the border you had to stop for half an hour because the gauge wasn’t the same? Are we going to have the equivalent with the Internet?
SEGAL: I think we’re already seeing nation-states re-exerting control over the borders. All countries do it, for numerous reasons. Some of them do it for positive reasons, right? France and Germany, you can’t put pro-Nazi paraphernalia online, and the—and the French and Germans will take that offline. Some do it for less positive reasons, right? We know about the Chinese firewall and the censorship there. Lots of countries now do it for economic reasons, right? You want to store data locally because you think it’s going to help create cloud industries and other things, and you want your law enforcement to get access to it. So I think we’re already moving into that world, although it will still be pretty open on the free flow.
I think you’re right, though, that the governance is changing, right? The system that to the United States we always described as privately-led and bottom-up, to the rest of the world always still looked like it was dominated by the U.S. And in particular, as you—as you said, this agreement between the Department of Commerce and ICANN, the group that hands out domain names and numbers. That is actually changing. So the U.S. has said we are going to end this agreement, and the institution that’s going to replace it is going to be this incredibly complicated, not government-led, and not completely private kind of structure. And we have to wait to see if that’s actually going to succeed.
HAASS: Let me ask one or two more questions, then I want to open it up here.
In terms of—coming back to the domestic again, in terms of vulnerability. You know, in the nuclear age, we could never talk about invulnerability. We always talked about various levels of vulnerability. Is that pretty much the same thing here? So to the extent—to answer my own question, I assume we can’t eliminate vulnerability, for obvious reasons. How is it, then, we promote security? What’s the template? What’s the—what’s the image we should have on our minds?
SEGAL: I mean, I think, one, we—like you said, we want to move away from this idea of absolute security. We’re never going to keep the attacker out. You know, one of the definitions of cyberspace so far seems to be that the attacker already always has the advantage because they only have to be right once, and the defender has to be right all the time across millions of line(s) of codes and thousands of devices and many, many networks.
I think, one, we want to think about resilience, right? So—
HAASS: So what would resilience mean in cyberspace?
SEGAL: Cyberspace would mean, if somebody takes down a critical system, are there backups, right? Can we operate?
And so somebody was saying—I was just out in California on Monday, and somebody was saying that, you know, if you’re now a midshipman at the Naval Academy, you have to learn how to use a sextant, right, which they haven’t done probably for decades. So how do you have some redundancy built into that that’s not relying on networks?
I think also—
HAASS: We’ll be handing out slide rules later, not to worry, so. (Laughter.)
SEGAL: Also, you want to—you know, you want to know what’s on the network, what’s important to you, right, and can you survive without getting it.
But there’s a lot of, you know, things we can do. Sometimes people will say that, you know, 80 percent of the attacks could be taken care of with very simple what’s called, in the very ugly terms, cyber hygiene, right—patching your software, two-factor authentication, things like that.
HAASS: Not using “1234” or “0” as your password. (Laughs.)
SEGAL: Not using “1234” as your password.
And, you know, there’s another crazy number going on. That’s over 90 percent of the attacks happen on something that there already is a patch to, that people just haven’t done it. They just haven’t updated their software. So, while we think about all these attacks as being incredibly sophisticated and the cyber hackers getting in, most of them have to do with just people not getting around to it or laziness. And, look, people are always going to do dumb things, right?
One of the most sophisticated attacks that happened against the U.S. military networks was a—was a network that wasn’t connected to the Internet, right? It was what’s called air-gapped, so it was very well-protected. And what we think happened is that U.S. servicemen bought thumb drives in a—in a market in Kabul, or they were at a conference and they found thumb drives in the bathroom or in the parking lot, and they went home—they went to work and they said, oh, a thumb drive, and they stuck it in. People are always going to do that kind of stuff.
HAASS: That’s reassuring. (Laughter.)
So you spent several years in the—in the—writing this book. What did you—I mean, and your background—Adam’s one of—you know, one of our leading China experts, and you’ve sort of come into this from that direction. So to end with two last questions, one is about China, which is whether their whole approach to this is different than ours, just given culture, history, and the rest.
And the other one’s a more general question, which is, what did you encounter in the course of this book? Because this book, by the way, let me just make clear, this is as close as there is to a primer on this subject. So if you are only going to read one book, I suppose this book you could read—I like the idea of reading a hard version of it. It’s a little bit of an oxymoron. But it is—it was, for me, a very valuable introduction just to get comfortable with a lot of these—with a lot of the issues and how we got to where we are. There’s a lot of the history of all this. What didn’t you expect to find that you found?
SEGAL: So the—on the first, I think the Chinese in many ways are similar to the United States, in that the Chinese want to shape cyberspace globally like we want to shape it globally. So we’re both—we both see ourselves as the major power there. We, of course, invented the Internet and we helped grow it. But on just pure demographics, the Chinese now have 650 million Internet users, which is more than twice the U.S. population.
I think what is happening is that the Chinese now have a strategy to reshape the Internet from the very chip to the very top, right? So at the very chip level, the Chinese don’t want to rely on technology from foreign suppliers, and so they are figuring out how they move up the value chain. They want to keep certain information out because they are incredibly afraid that it’s the threat to domestic stability and regime legitimacy. And that is their primary motivator, right, how do you make sure that the Communist Party stays in power. And then they want to reshape this governance structure we were talking about.
So we have conflicts with them at all of these different levels.
HAASS: Just one follow-up on that. To the extent there’s a struggle or tension between the Chinese using the Internet to grow their economy and the rest and maintaining party control, centralized control, how’s it—how’s it going?
SEGAL: So there is this very famous Bill Clinton quote that, you know, the Chinese would lose this battle against history, that trying to control the Internet is like nailing Jell-O to the wall. It turns out the Chinese are really good at nailing Jell-O to the wall. (Laughter.)
I think right now it’s pretty depressing, right? So we’ve seen Xi Jinping reassert technological control over the Internet, both through some kind of technological changes, but also just through a broader process of intimidation and arrests and other things. You know, the larger question about can they build this innovative economy I am pessimistic about, and which is, you know, the argument of my last book, which was that they can’t truly build it without having an open, free society.
HAASS: Yeah, they want the benefits of an open society without having an open society.
SEGAL: And we’ve seen that every time the Chinese have exerted control over VPNs—virtual private networks, which is a lot of way the people get around the Great Firewall in China—the people that complain the loudest are Chinese scientists and tech entrepreneurs, right—the people that you want to be, you know, out there and doing stuff.
What I was actually most surprised by is how long all of these debates have been around. And, you know, the—everyone throws the word around, “cyber,” that it’s so radical and everything is so new. But, you know, when people started first thinking about the Internet and global Internet in the ’70s and ’80s and ’90s, they had all of the same debates: where the public comes in, where the private comes in, can we have some international agreements. So I was surprised about how frustrating it was that there are so many of these debates that just don’t seem to have moved forward.
HAASS: Well, let’s continue the debate. Raise your hand and—start with Jamie. And we’ll—just let us know who you are and ask pointed questions of Professor Segal here.
Q: Jamie Metzl. Adam, congratulations again.
My question comes back to the first question about your friend’s oven. Can you talk a little bit about the Target hack, and the connectivity and the vulnerability of the Internet of Things?
SEGAL: Yeah. So, for those of you who remember, you know, Target was hacked and several tens of millions of email—personal IDs and credit cards were all stolen. The way that the attackers got into the Target system was through the HVAC, right, through the air conditioning system. So it’s not enough just to protect your own networks; you also have to think about the networks that are attached to you and those networks that are attached to them, right?
So what we know about, for example, how the U.S. seems to have gotten into the Iranian nuclear program in Natanz, you know, we might have used a Siemens’ repairman, right, because those were the controllers that were being used. So we insert the malware someway that way. So it becomes very hard to think about where you draw the border, the firewall, right? And that’s why the firewall model doesn’t really help you, because you have to keep drawing it broader and broader. And you have to think about more active ways of either keeping the intruder out or just monitoring your network to know that they’re in.
HAASS: There’s a gentleman—oh, that’s a young lady sitting there. I can’t see that far. Yes, ma’am.
Q: Natasha Cohen from Columbia University.
I wonder if you could talk a little bit about the prospects for international control or—of cybersecurity technology, especially in light of the State Department’s recent announcement that they’re going to try to renegotiate Wassenaar.
SEGAL: Yeah. So there is a growing black market in malware, in malicious software. Lots of companies will sell malware. Some of them will just sell it to the U.S. government. Some of them will sell it to foreign governments. Some of them will sell it to criminals. And so one of the ideas was we should control it, like we’ve controlled other technologies, right, dual-use technologies, through the Wassenaar Agreement, which came after the Cold War. The problem with the controlling of these things is that everything is really, really dual use. So what you think about an offensive weapon is always used is for defense. It’s called penetration testing. If I want to try to get into U.S. networks, I do penetration testing. And those type of things are being controlled.
So the U.S. government first said, well, no, we can help with the definition. We can try to get around it. They’ve now reached the stage where they said, actually, no, the definitions are not going to work. We totally need to renegotiate it. My sense is that trying to control the flow is a losing game. The definitional problem is not going to be solved. It’s always going to have a dual use. And controlling math is almost impossible. And it’s going to hurt us, right, keeping researchers from doing the things we want them to do and makes us safer. I think there is a possible solution in end users, right? So who are you selling to, which is not perfect, right, because people can do cut outs and buy through multiple things. But we’ve used that in other areas and we might cut down the market a little bit that way.
Q: Hi. I’m Alan (sp)—(inaudible). I’m a reporter.
The question I have is about bit multinational companies like Google, Apple, Alibaba—you know, pick one, pick them all. How different are they in terms of threats to privacy than developing closed, I guess you call them ecosystems, on the Internet? How different is that from nation-states?
SEGAL: Well, I guess it’s a question of what do you think the tradeoffs and costs are, and if you enter them willingly, right? So we—you don’t have to join Facebook, but you have chosen to give your data to Facebook for the service that is valuable to you. Clearly, look, after the Snowden revelations, and the president made that comparison. He said, you know, we collect a lot of data on you, but you also give all the data to these companies.
I think there is a conscious decision for most people when they do that. But I think that we have to have some sense of how the data’s being used and who has access to it and what it’s being used for. That, I think clearly we need more discussion about, right? Everybody signs the user agreement, 35 pages long. We have no idea what that says, right?
Q: I agree are the most dangerous words in the English language.
SEGAL: Yeah, I mean, you get the EULA. When you click on it—you know, there’s no way that anybody reads that. So there has to be kind of more discussion about what that data is and who has access to it.
HAASS: Sure. Stanley.
Q: Stan Heginbotham.
I’d be interested in your personal threat assessment. There are all sorts of the bad guys, bad institutions, bad governments out there. Which ones scare you most, feel—you feel are most out of control? And who has responsibility for doing something about them? (Laughter.)
SEGAL: So you know, the hierarchy is generally like this: The Russians are the most skilled and probably the most dangerous, just in capability. The Chinese are the most persistent, right? So they’re just constantly knocking on doors and they just keep doing what they have to do. I would be more worried in some ways by the North Koreans than the Iranians, even though they don’t have the same capabilities, because they’re not operating under the same deterrence calculus that these other two states are, right? Deterrence in cyberspace is a loaded term, but right now the Chinese and the Russians for the most part of have shown self-restraint. The North Koreans and the Iranians are trying to figure out where that red line is. So from a national point of view, that would be my hierarchy.
From a personal point of view, you know, most of us, or all of us, in this room would be of interest to, you know, Chinese and Russian hackers for cyberespionage reasons. You know, it’s no secret to say the Council is a target. But I am also worried about, you know, off-book topic here would be non-state actors, right? We’ve seen that groups who don’t like the Council or other places would want to embarrass the Council or other people by putting private information online. And I think for most people that is a very high kind of threat, with a high level—
HAASS: Sort of what happened to Sony.
SEGAL: To Sony, you know, or President Bush’s pictures being hacked by that guy—by Guccifer. So you know, on a personal level that kind of stuff would have the most impact.
HAASS: Sure, in the front row.
Q: Richard Drucker.
To what extent is there sort of cooperation, global cooperation, among governments? I mean, there is a regulation of satellites, for example. Is there any effort to address this? Is it regional? Is it global? Is the U.N. involved? And what are your thoughts?
HAASS: Do you want to say a little bit about kind of the global governance structure?
SEGAL: Yeah. So as we mentioned before, the global governance structure we were talking about before has to do with the maintenance and running of the Internet, right, which is very specialized technical organizations. The U.N. wants to be more involved, the U.S. doesn’t want it. On the security front, right, this discussion about cybersecurity, there are regional discussions, right? So the OSCE, the OAS, and the U.N. plays a role. Probably the most prominent and likelihood of progress so far has been a group at the U.N. called the Group of Government Experts. It’s 20 countries. And they have begun to discuss some of the norms of cyberspace. What are the behaviors?
So far, it’s a pretty low bar, right? So they came out last year with four norms. One of the norms was: You shouldn’t attack another country’s critical infrastructure during peacetime. You’re not supposed to attack other countries during peacetime anyway, so it’s a pretty low bar.
HAASS: It’s kind of what makes it peacetime. (Laughter.)
SEGAL: But the Chinese and the Russians signed off, which was important. And we’re going to have to build on that over a long time frame. So there are kind of these discussions that are happening, but we often get definitional issues involved, right? So the Chinese and the Russians often want to talk about what they call information security. Information security includes the flow of information, right? Twitter and Facebook and things that they see as threats to domestic stability. We don’t want to talk about that in that framework. We want to talk about can we keep the networks safe.
So we’re at the beginning stages. The Obama administration has been very active in kind of engaging many, many different venues. There’s a whole process that the British run that came out of—there’s things growing up in Asia. So we’re at the beginning stages.
HAASS: Yes, sir.
Q: Hi. It’s Barry Merrick (ph).
Just if we kind of look ahead into the future and think about cybersecurity and cyberwarfare, what would you say is the worst possible outcome—like, the disaster scenario? What would you say is the best possible outcome? And what do you think is actually most likely?
SEGAL: Well, the worst—the worst-case scenario, right, is that attacks that can cause physical destruction and death become widespread. You know, right now we’ve only had one known attack that caused physical destruction, which was the U.S.-Israel alleged attack in Natanz, the Iranian nuclear program. That seems to have been incredibly technologically sophisticated and required a huge amount of intelligence. So it’s fairly limited in how widespread that’s going to be. But you can imagine a future where if somebody—where Live Free or Die Hard 4, right, where an individual can do that becomes a reality, that’s a pretty scary future, OK, where that’s happening all the time, where non-state actors can do it, you know, widespread—derailing trains, causing chemical eruptions, all of that.
I think, you know, the more—the safer or the more secure environment would be one where it still remains out of the hands of most individual users, but nation-states still have those capabilities, but they are restrained in using them, right? They only use them when they see vital interests threated or they’re already involved in military conflict. I suspect we’re moving not all the way to the worst-case scenario, but closer to that than to where we are now, just given the move to the Internet of Things. It’s going to be easier to cause damage and destruction than it is now.
HAASS: If the new president, to come back to my earlier question, said: Here is an extra X billion dollars, or here’s an extra degree of authority, is there something you would have us do differently, either organizationally, policy-wise, physically, if we had either the authority or the resources?
SEGAL: I think it’s more of a question of authority than it is money, right? So the president did announce another $19 billion in his most recent plan. And he created this position of CISO, you know, chief information security officer. But that person doesn’t have authority, right, and he doesn’t have a budget. So they can try to tell all the different agencies to do what they’re supposed to, but they don’t have to listen. So we’ve always kind of fought having one person at the top with the authority to tell people that you need to reach this standard. I think that’s what we need. I’m also afraid is that one of these destructive attacks is going to happen, and then we’re going to have a whole rush of bad policy decisions.
HAASS: So it’s almost a 9/11 parallel.
SEGAL: We’re going to have, you know, something—because the private sector has fought regulation tooth and nail, for good reasons and for bad reasons. I mean, the good reasons are, you know, the government giving you a list of what you’re supposed to do is likely to turn into kind of a checklist, which is not going to keep you safe, right? Cybersecurity is not fire safety. We know the physics of fire. Cybersecurity, the hacker is always going to change their attack. So that said, though, we can, I think, do better at figuring out what best practices are and having more costs for companies that don’t meet them.
HAASS: Yes, sir.
Q: Hi. Andy Siwo.
What do you think is going to be the outcome of this Apple case? And how does it differ than, let’s say, the NSA receiving phone records from telephone companies?
SEGAL: Well, I think it differs in that in this case, right, the government is asking Apple to build something into their product that’s already there, right? We already ask the telecoms to do that, right? The telecoms have to do that under the CALEA, the Communications Assistance Law Enforcement Act. But the technologies companies have generally been immune to that. But in this case, they’re asking them to build a type of weakness into it that is likely to weaken the security of all their users.
The surveillance—the widespread mass surveillance was collecting data that was already out there. It was a different type of collection, although in many cases the NSA did try to weaken security. We know they tried to weaken types of encryption. We know they broke into other types of service. But on the larger front, I think the mass collection is a different kind of category. They’re collecting things that are already out there.
I don’t see a resolution unless the Congress gets involved. But they have to change the laws the way that they stand right now, or, you know, the court case is going to go to the Supreme Court, from what I can tell. You know, there seems to be both a kind of legal argument against this specific case and a technical argument. You know, I’m not a lawyer, but there are people who question the All Writs Act being used for this kind of case. And then the technical argument, again, as I said before, the technology community is very strong that you can’t build a backdoor for one type of person. It’s going to be used for everybody else. We may decide that that risk is worth it, all right.
HAASS: Let me just push you on that. Why couldn’t you build—again, rather than putting something in devices or building a weakness, you would ask Apple to develop software that under certain controlled conditions, both physically and legally, could then be made available, under control, so it would not leave custodianship? I mean, can’t you devise something that wouldn’t necessarily go out into, if you will cyberspace?
SEGAL: Well, I think part of the problem in this is that nobody can defend anything, right? So even if Apple could be build that device, and they said, all right, we’re going to hold it securely, nobody would necessarily believe that they could hold it securely, because nobody can hold anything securely. So I think that’s one of the threats, is that we build this tool, eventually it’s going to get out there and it’s going to be used. But I think you’re right, Richard, that we could—there is a solution, right? There are policy solutions. And we would have to decide if it’s worth it, right? Is the security—the loss in some cybersecurity worth it for the privacy terrorism gains?
In my sense right now, this case isn’t worth it, right? This phone was—you know, was his work phone. He destroyed his private phone. It seems to me very unlikely that there’s any evidence in here. The FBI messed up. They could have gotten the information on the phone another way. There’s so much information we’re all generating every day anyway. So I don’t think this case is worth it. But I’m not arguing with you that there could be a case where, yes, we have to make this decision about, you know, as the president said, not all data is inviolate, right? At some point we have to turn it over for security.
HAASS: So lots of interest. Yes, ma’am.
Q: Congratulations, Adam, on the book. Really, I’m a huge fan of your regular session as well.
I had a quick question about what your view as a potential product liability to make the United States more secure. So I work in an industry—the financial industry, where if we don’t follow regulatory guidelines for what we should do to be more secure there will be consequences. What do you think about product liability?
SEGAL: So I think that’s definitely happening at the board level, right? More and more boards know that they will be liable for if they don’t follow best practices for security. There has been a long debate about software product liability—very, very long debate, right—because software operators generally think let’s get it out the door and we’re not responsible for what happens. It came up again a couple weeks ago. We were out in California having this discussion and somebody I didn’t expect brought it up. But everybody else in the room was like, that’s a bad, bad idea.
So I don’t think software liability is the way to do it. I think what so far has happened is partly, as you said, the financial industry increasingly has to report attacks, they have to say what they’ve done. We’re going to see that across many, many sectors, right. One of the things the president signed was an executive order developing a cyber framework through the National Institute of Standards and Technology. I think more and more boards are going to look to that and say: Are we doing what we’re supposed to do on that front? And the more transparency we have, the more cyber insurance will actually reflect the real risk. And your premiums will go up and down based on what you’ve done or haven’t done.
Q: Doron Weber.
Do you speculate in the book, or can you speculate for me, on the possibility that a we have more increasing dangers in cybersecurity people will actually pull back and maybe come off the Internet a little bit, and even—and go back to the future where you have more analogue systems? Is that even theoretically possible?
HAASS: So should we all be buying pigeon futures? (Laughter.)
SEGAL: You know, there—(laughs)—there was—there was this story that was circulating that after Snowden the Russians were moving back to Selectwriter—IBM Selectwriters (sic; Selectric typewriters). But that doesn’t do you any good, because the NSA could read the vibrations off the window. That was, you know, an old story. (Laughter.)
I don’t see any evidence of it. You know, I think resilience and redundancy built into it with some analogue systems side-by-side, but you know, I fought Internet banking for a long time. I wasn’t going to do it. But eventually the convenience got to me. I still am probably not going to hook up my oven to the Internet. And I’m not going to hook up my doors and things like that.
HAASS: So you care more about your dinner than you do about your money? Got it. (Laughter.)
SEGAL: Well, the incentives are different there, actually. If my money is stolen, the bank covers the loss. If my house burns down, you know, I’m in big trouble.
But I don’t think—I think we’ll—you know, there are some people that have done scenarios and wondered, are you going to kind of withdraw? I don’t think that’s a real solution right now. We may choose to keep some systems totally offline. That probably makes sense.
HAASS: But just to answer your—but terrorists do that. What you see is terrorist groups to some extent go offline just for the reasons you suggested. They decrease their visibility, quote, unquote, as targets.
SEGAL: Yeah. I mean, I once met the guy—I think he was Finnish—who was in charge of Finland’s cybersecurity defense policy. What was going to happen if there was a massive attack? And has he described it, it was written on four pages, kept in a safe, right? They didn’t put it on a computer anywhere. So that kind of stuff I think you’re going to still have.
HAASS: I think we got time for one last question. There’s a young man back there.
Q: Hey. I’m Dan Guido (ph) from Chellabits (ph).
Back in September 2015, the White House signed a landmark agreement with China to chill commercial espionage that was PLA sponsored. How do you see that evolving in the future? And do you fear that thousands of Chinese hackers are now out of work? (Laughter.)
SEGAL: So there’s the good story, the bad story, and the I-don’t-know story. The good story is that, you know, I was one person arguing for a long time arguing that the Chinese would never sign off on that type of agreement, because it didn’t make any sense in their system, right? There was no distinction between the public and private sector. And they didn’t see a distinction between commercial and private—commercial espionage and espionage for national security reasons. And so I was very surprised when they signed the agreement. Then they went off and signed it with the Brits a couple months after. And they signed it at the G-20 in Turkey. And they’re going to sign it with the Germans. So from a diplomatic perspective it’s an interesting kind of push on the norms there.
The I-don’t-know story is has it had an effect? And here, the evidence has been pretty mixed, right? I mean, besides the fact that we just might not know because maybe the Chinese are getting better, right, and not being as noisy, and so they’re taking stuff, just much more quietly. But we don’t know because when it first—when the agreement was first signed, and there was a couple reports, you know, from CrowdStrike and some others that said, no, we see this massive campaign directed at the pharmaceuticals and other things. And the national intelligence director has basically refused to weigh in. He’s said, we don’t have enough evidence yet to see if it’s working. So that’s the I don’t know.
The bad is, as you suggested, is that maybe what’s happening is that the Chinese are in fact reducing the commercial espionage from the PLA, from the People’s Liberation Army, and they’re shifting it, one, to the Ministry of State Security, and they’re cutting lose some guys who used to make their money this way. And that might be why we’ve seen a rise in what used to be considered just the premise of criminals, ransomware, right? So ransomware is when you get a virus on your computer, it encrypts your hard drive, and then they hold you hostage. They say, you know, pay me a couple hundred dollars and then we’ll decrypt your hardware.
HAASS: It just happened. (Laughter.)
SEGAL: And the Chinese didn’t seem that interested in it. It was mostly Russian hackers. But there’s a report that came out this week that seems that the Chinese are getting into that. So that could be the possible bad.
HAASS: OK, since our lights are just going out—(laughter)—clearly someone listening in did not approve of what we were saying here. As you just heard, though, over the last 45 minutes, Adam has really, I think, emerged as one of this country’s leading authorities on these issues. I think the fact that he wasn’t trained as an engineer, but was trained as a political scientist, and essentially has gotten up to speed on this, it makes it much more accessible. And it was one of the things I liked most about the book, it didn’t assume a lot and it took people like me, who have trouble working their remotes—it got me through this web of issues and took me through the history. So if you’re here, if you’re watching this, I really do recommend this book.
And it’s part—I’d just sort of say, to explain up for us, we’ve made a real priority on this set of issues. We do think it’s one of the critical emerging issues in international relations and in American foreign policy, about whether—and if so, how—cyberspace will be regulated, governed, managed so good sorts of behaviors are defined and encouraged and bad sorts of behaviors are defined and discouraged. And this is one of the areas, as someone who’s worked in government, where I think outsiders can make a real difference. Government is behind the technology. And people in government are looking for new, original thinking about how to go about this task of, again, dealing this this new domain. And I think this work and the work that Adam’s doing and the work we’re doing here makes a real contribution.
So again, the book is called, “The Hacked World Order.” We don’t have time for the subtitle—(laughter)—but again, congratulations. (Applause.)