READ FULL TRANSCRIPT
I’m Alexander Heffner, your host on The Open Mind. When I recorded my first ever program here in 2014, the subject with digital scholar and educator John Palfrey was the very real possibility of a digital Pearl Harbor or 9/11 in our lifetimes. It’s clear from our evaluations on The Open Mind that such a crisis played out during the 2016 campaign, but not as we expected. We lacked the imagination foresight and most of all political will to respond as governments, citizens, and corporations, which often were hosts of malignant disinformation and enablers of massive security breaches. Joining me today is Christopher Painter, commissioner of The Global Commission on the Stability of Cyberspace. For over two decades, painter has been at the helm of American Internet policy as a prosecutor of high-profile cyber crimes. And then as a senior official at the Department of Justice, FBI, National Security Council, and finally the State Department. In his most recent role as the nation’s top cyber diplomat, Painter coordinated and led the diplomatic efforts to advance an open internet and information infrastructure, establishing the office of the coordinator for cyber issues dedicated to advancing the diplomatic aspects of cyber issues ranging from national security to human rights. Welcome, Chris.
PAINTER: Happy to be here. Thanks.
HEFFNER: Thank you for being here. You were pivotal in brokering an accord, or at least theoretically an accord between the US and China in 2014. What were you and your colleagues attempting to accomplish and has it been enduring?
PAINTER: So we were faced with a situation where there was widespread theft of commercial information, trade secrets, other business and proprietary information by China, not just in the US but around the world. And this was becoming not just a cyber issue, but really a core economic issue and national security issue. And you know there was a strong feeling that this really had to stop. This was stealing the life’s blood of our economy going forward. So what we’re trying to get is that to stop frankly and, and we were looking at different aspects to do that and one of the aspects was trying to get China to agree that this is something that should be prohibited and not done. Now I will say there is a difference between a theft of intellectual property to benefit your own commercial sector and espionage. Every country gathers information. Every country will for all of time. They have from the beginning you can’t really prohibit that, but this is a specialized kind that we don’t do and we don’t think any country should do. So.
HEFFNER: Cambridge Analytica was really at the intersection of the for profit commerce and espionage.
PAINTER: Yeah, it was a little different though. I mean there were, it was for-profit espionage in a sense which is not necessarily all that new. Although the way that was done was I think a new form of this, but the kind of theft of information that you use. So let’s say you steal the plans is something or the trade secret for something and then you give it to your own commercial sector and then they become competitive, and they use that to become competitive and really displace your own industry. So that’s what we were trying to stop. And it did, it was interesting. It took really from the president on down strong messaging to China that this was unacceptable that this was just not a cyber thing.
It affected the overall relationship and we eventually got an agreement with them and you asked if it’s been enduring. I think after that agreement was reached, which didn’t prohibit all hacking because that’s not realistic, but prohibited this kind of hacking. A lot of people saw that activity drop dramatically after that. And it did for a while now, right? Recently it’s gone back up again. And that’s a big concern. But I think partly that’s due to the fact that the reason China wanted to reach this agreement, it was an irritant in the overall relationship, but with something that China cares about, the way it’s perceived, it was a big problem, not just in the cyber realm but across the board with the US. It was a problem with Russia or with, I’m sorry, with Germany, with Japan, with Australia and other countries around the world, the UK.
And so they agreed to do it, but now the relationship is really frayed, I think they don’t see any real need or benefit to comply with that. And that’s the problem we have now.
HEFFNER: Are you referring to the implementation of the tariffs?
PAINTER: I think if you, the overall relationship between the US and China, I think it’s fair to say it’s not very good right now and there’s a lot of reasons for that. There’s certainly the trade conflict, war, whatever you call it going on, which I think is a, is a concern for them and I think their feeling probably is, and I’m not in the Chinese mind, but I think that, what their thinking is why do we need to comply with all these agreements we made if the relationship is so bad already, we’re not improving the relationship. And maybe it’s even a bargaining chip who knows?
HEFFNER: The current President speaks lovingly of China and at times at least the Premier, the President, and yet has taken actions that obviously have injured that relationship, so that souring effect has materialized in the way that the United States and Canada are negotiating a potential resolution with someone in their technology sector who is accused of breaking the Iran sanctions.
PAINTER: Well, that the person who’s been accused at Canada is accused of violating the sanctions have of taking actions that violates them. It’s against the law. There is no, you know I see no issue of when you see violations of the law as a former prosecutor going after them. I think the larger question is, how can you address all these issues, how can you make sure this doesn’t happen? And look, the trade imbalance with China is a big issue and we do have to address it. How we address it and how we message I think is important. You raised a really interesting point though, when you say that Trump speaks lovingly, sometimes of President Xi, that messaging is as kind of a problem. If your messaging doesn’t match your actions, it undercuts your own negotiating and undercuts your own deterrent value. I think the classic example, certainly with Russia, where despite all the evidence, despite all the things that even this administration has done, Trump constantly calls into question whether Russia was responsible. It doesn’t matter what you do in terms of sanctions or other things if you’re a top leader, is not consistent in messaging, and Obama was very consistent in messaging with China for almost two years.
HEFFNER: Even if he decided not to prosecute forcefully enough the case against cyber espionage from Russia during the ‘16 campaign, behind the scenes and in public he was consistently critical of Wikileaks, Assange, and those criminals. There was a digital Watergate…
PAINTER: Do you mean Obama?
HEFFNER: Obama, right. That there was a digital Watergate and the plumbers and dirty tricksters were Russians as a country, and I think this is testified to in ongoing support for the special counsel’s investigation. This country has not seen accountability in the area where you prosecuted cyber criminals. When is there going to be accountability/
PAINTER: Well, that’s a great question. I think you have to divide this into two spheres. One is nation-states and the other is individuals and criminals. Individuals and criminals we need to go after using our criminal tools. You know, sometimes it’s difficult to reach them for various reasons, but we need to continue to do that and that’s one aspect when you’re talking about nation states, we have been just terrible at deterring or punishing nation states for activity that really violates all the norms, that goes beyond, you know, the kind of things we, we believe very acceptable conduct. So yeah, a good example certainly is Russia, when you’re trying to deter someone, there are two aspects. One is timely and the other is something that actually makes a difference. It’s going to change your calculus in the future, and punish them for past conduct.
Now, the Obama administration did come up with a series of package of expulsions and sanctions at the end of the administration. That was pretty late. I mean, frankly, I think it was clear we needed to act as sooner we needed to act more strongly. I don’t think that those things really punished Putin or changed his calculus could certainly he’s engaged in this again and again after that and then in this administration there’s been sanctions. There’s been some other targeted events. Russia has not limited their malicious cyber activity to election interference. They released this big what’s called computer worm the NotPetya worm that was – several countries attributed to them. Yes, the US and Australia and others have attributed, this conduct to Russia, but you’re not going to name and shame Russia, you know, you’re not going to – you might China, but Russia or North Korea, that’s not going to have an impact. It’s a, it’s a good foundation, but then you have to follow it up with action. The Ashley will make a difference to them and then as I said before, you have to couple it with consistent and strong messaging. You can’t say, well, I don’t know if they really did it, it’s okay. He said he didn’t do it. I mean those, that, those undercut all the actions you’re trying to do to actually punish that conduct and make sure there’s accountability and I absolutely agree with you. We have to be far better at imposing those costs.
HEFFNER: The kind of reciprocal action that could be meaningful is allowing the young people of Russia to have digital freedom and use the grassroots technologies that infuse our politics here and through the web to bring about reform.
PAINTER: We have always been seen as the leaders in terms of freedom and democracy and my colleagues at the State Department, and we work closely with them, champion this idea of Internet freedom, freedom online and helping those communities who are often oppressed or monitored try to escape that monitoring to express their views. And, you know, there is something called Freedom House, which measures the level of freedom in the world online every year and they’ve seen that level of freedom decline year to year, which is a real concern around the world. And if the US is not championing those causes, if the US is saying for political or whatever, expediency you know human rights are important, but they’re not so important that we’re going to take them seriously and factor them into our larger policy. That gives them carte blanche to these countries, these dictators, these more repressive regimes around the world.
And it’s a good parallel to cyber because, you know, if you don’t have consequences for your actions, then you’re creating a norm of it’s okay, we can just do this. And the same is true in this area and you can’t look at cyber security totally separate than human rights or economic policy. They have to be looked at together.
HEFFNER: Where are you hopeful based on your own prosecutions in the United States? There is not really a criminal court or tribunal to adjudicate this and that doesn’t even work when there’s genocide to the best of its ability. So what is the best hope based on your own prosecutions? You started doing this when cyber was just being born in the 90s.
PAINTER: Back when it wasn’t cool? Laughs.
HEFFNER: So, so how is it working here in America in terms of the ongoing pursuit of justice with domestic actors who hack us or attack our infrastructure?
PAINTER: I think we’ve gotten better. I don’t think we’re there yet. I think I’ve seen, there are a couple of trends that I’ve seen over the 20 some 5 years I’ve been doing this. One is that we have been getting better, not just catching the criminals here, but also overseas and it’s trivial for a cyber criminal to route their communications through several different countries to evade detection. So in an unprecedented way you have to have real international cooperation. We’ve gotten better at that. You know, it’s still not perfect. I think a lot of criminals still see this as a cost free or risk free enterprise, but we’ve done a lot of big cases where we’ve wrapped up a lot of criminals around the world and that sends an important deterrent message. So that’s good. We’ve trained more people around the world. More countries have cyber security law, so they didn’t used to have them back, I don’t even remember years ago when the, I Love You worm came out; it was traced back to someone in the Philippines. The Philippines didn’t have a law to punish that, so that’s changed and that’s changed around the world. So I’m hopeful about that and I’m hopeful about the kind of cooperation I’m seeing. It’s a steep hill to climb still, which is an issue. I’m also hopeful that, you know, we have done these joint attributions. So one of the things that may be surprising is the Trump Administration came out with its strategy, its cyber strategy recently. We did these in the Obama Administration as well. The Trump cyber strategy is really very much like the Obama cyber strategy. It’s not really very different and that’s actually a good thing, you’re building on what you’ve done before. You’re looking at this in a more holistic way and saying we really don’t have to create a whole new regime. We need to do this. And there was a portion of that that talked about deterring bad actors including state actors and it talked about and it had language in there that said we are better acting together than with other countries than we are acting alone. That doesn’t sound very America First-is, does it? It sounds actually very collaborative. And that gives me hope too. So you know, I think that those things are continuing to go on, which is good. You know, there’s lots of things that I’m worried about as well but I think that there’s some positive aspects. And the other thing I’d say is people care about this more. I mean, back when I was doing some of the early parts occasions, people thought, well, that’s really cool. That’s a neat thing. Or you know, it’s a Robin Hood sort of thing.
These hackers are cool. Where now, they really care about it. And, and you know, I think we’re at the stage where, you know, back when I used to go and talk to, if you went to talk to the attorney general, if you want to talk to, although Janet Reno was exception, she cared about this deeply. If you went to talk to a cabinet official in our system or a minister, and in Europe you went to talk to the CEO about this and their eyes would roll back in the back of their heads and they will run from the room. They didn’t want to deal with these issues. There were technical issues. You technical people deal with them and now there’s a recognition this is a core issue of our, you know, economic policy our national security policy or human rights policy. And our foreign policy.
That’s a big deal because it takes it out of that technical realm. Technical aspects are still important, but it really makes it a core policy issue. Now the problem is people recognize it as an issue, they just don’t know what to do about it.
HEFFNER: Right. They recognize it and it’s heartening to hear the copying and pasting of the Obama manual, if in fact it’s being implemented, which you mentioned,
PAINTER: Which is a key question, yes.
HEFFNER: Right. But at the same time, this lack of concern was revealed when these folks’ emails were hacked, and that was an impetus, whether it was State Department officials or business executives, they became aware and concerned about it after their materials became,
HEFFNER: In effect, declassified stolen, hacked, publicized, which is, and it’s, there’s a learning curve. So now they’re up to speed potentially,
PACKER: Not sure they’re up to speed, but
HEFFNER: Or in the process of..
PACKER: And look, it makes a difference when like the executive that head of Sony pictures lost their job because of that.
HEFFNER: Sure, sure. So here’s my question to you as a fellow viewer of Mr. Robot,
HEFFNER: So when does this reach the point of a 9/11 or Pearl Harbor? And I’m thinking economic insecurity as a function of a hacking that is so basic to the necessity of our livelihood as Americans or as global citizens. You know, of course there are vulnerabilities that are particular to Bitcoin in new currencies. But, what about that scenario of a hacking that completely disrupts the economy?
PAINTER: Well, we, we’ve talked about this literally for 20 years. We’ve been worrying about the kind of cyber attack that would be against critical infrastructure, the financial system, the electrical power system, the, you know, food distribution, something that would have catastrophic and really rolling consequences that, you know, blackouts, things like that. And there’s no shortage of movies about this too.
PAINTER: So I, you know, my, I tried to make my office unique in the State Department. I had movie posters where hackers or computers where the main character, so I had like 30 of them up there and they’re all dystopian movies. There are very few really happy movies there. That said we haven’t seen that kind of crippling cyber attack. We’ve seen cyber being used and wore a like in Georgia by Russia. We’ve seen some of the activity obviously with our election and others. We’ve seen certainly very serious activity, but not that kind of crippling 9/11 or Pearl Harbor or something like that. I also, I’m not that fond of those terms and the reason I’m not fond of them is if we keep waiting for that before we do something, we’re never going to do anything, you know, so we need to, we need to think about what’s happening every day and the conduct is pretty serious.
HEFFNER: Chris, is that because only state actors would have the bandwidth to do that and the rogue elements like an ISIS in a cyber unit of an ISIS or a like terrorist organization just doesn’t have the equipment to perform it.
PAINTER: I think there’s a couple of aspects. One, yes, sophisticated actors in Russia, China, North Korea and Iran are always rated as the most sophisticated state actors, have more capability, but even there, if you’re talking about taking down like the electrical power grid, not just taking it down but keeping it down. So that requires a lot. That’s not just an instantaneous conduct. And yes, you know, this is an asymmetric area where people without much resources can cause kind of large disruptions, but can they really keep that disruption going in a way that’s going to substantially affect the economy. So I think that that’s a part of the issue and you know, in terms of terrorists, we had been thinking about terrorists and literally I remember giving a speech about this maybe 17 years ago where we were worried about terrorists turning to this and attacking critical infrastructure and there’s two reasons they haven’t.
One, they’re not really interested in doing that. They’re interested in using the Internet to communicate, to plan to proselytize, to raise money, all those things. And they do that a lot. We’ve certainly seen ISIS do that a lot, but they’re not interested in really attacking critical infrastructure when what they want to do is they want to attack physical targets and cause death and destruction that’s going to have more of an impact. Now, maybe in the future they could do that in a way that’s going to have a large level of impact. Maybe you’re going to a couple a physical attack with an attack on say, emergency communications that’s going to magnify it. We just haven’t seen it yet. Now we’re always worried about it, but it’s, I think interesting that we haven’t seen that so far.
HEFFNER: Well, the net effect of closing the power grid,
PAINTER: Oh yeah.
HEFFNER: Turning off the lights,
HEFFNER: Especially when it comes to the market and being able to produce the necessities of life and companies handicapping their ability to provide goods and services that are central to our health and wellbeing, that that could be pretty serious.
PAINTER: It could be. They could always borrow capabilities, they could rent capabilities so you can get other people to come in and bring capabilities. You know, I think we haven’t seen this from nation states by and large because there’s lots of reasons it doesn’t make sense for them. I mean,
Yes Iran and North Korea have been more active because they don’t have much to, or especially North Korea does. Russia used to be much more stealthy, but now it’s much more active as we’ve seen because again, it’s positioned after the Ukraine invasion the world community is very different. So there’s reasons that the nation states don’t want to deal with or they worry about escalation and reprisal.
Terrorists, you know, there is still a chance, but it’s again, having that widespread effect that they want to have and that long-term effect,
HEFFNER: It’s perhaps more likely to come from the yellow vest type movement.
PAINTER: You don’t want to also shoot yourself in the foot. You don’t want to take down infrastructure that’s going to have an effect on your own life too.
HEFFNER: No I’m not condoning it whatsoever. I’m just saying that it seems that the dystopian of some of the fictional
PAINTER: Yeah, yeah.
HEFFNER: accounts are not so far in our, our future. I mean there, I think that a lot of the grassroots protests that have grown up and are now marching in the streets or causing havoc, are a function of economic discord.
PAINTER: True. And we look, we’ve had hacktivists so for quite some time and they haven’t targeted these kinds of systems. And again, I think it’s harder and we’re getting, we are getting better at protecting these systems. We’re getting a better at protecting electrical power grids. We’re getting better at protecting financial systems. It is not perfect yet and there are scary times. Like for instance, when Russia shut down, part of the power grid in the Ukraine, then we saw some, what we call prepositioning, a malware on some of our power grid systems that looked like it was from Russia as well. Look, there’s real concern about that, but, you know, I think we also have to look realistically at what, you know, what we’re doing to protect ourselves, which we absolutely have to do. We have to do a far better job and we are, I think in protecting those systems and have resilience so if something happens, we can bounce back from it. So you’re not down for a long period of time and it’s still not easy. It’s not easy to have that sustained effect.
HEFFNER: What about the idea of a generator in effect, having a generator to turn that on in the event of one of one of these incapacitating cyber, national cyber terrorist acts,
PAINTER: Having a generator that’s.
HEFFNER: A kind of a kind of backup plan.
PAINTER: Yeah, that’s. Absolutely, that’s the resilience aspect. So you know, you have to assume that sophisticated actors, particularly state actors, if they really put their mind to it, can get into a system and can affect systems. Now what that means is you do everything you can to protect your system. That’s the, that’s the cyber security part of it. You make sure there are consequences for people who break in. That’s the deterrence part of it. So they don’t do it in the first place. They don’t see a benefit in doing it. And then the last part is you have to have resiliency.
You have to have backups so that even if they succeed in doing this, you can get back up and running very quickly. There was a case a few years ago about Saudi Aramco where a hackers got into their system and basically destroyed all their computers wiped all the data from all their. And interestingly, they didn’t have that backed up. Now I think people realize that you have to have that all backed up. You have to make sure that you have those things so that you can reconstitute yourself. One of the big worries I have that we haven’t seen yet is dealing with the integrity of information. So yes, we see all these attacks, we see the theft of information, but the integrity of information means that if I, for instance, was able to hack into your medical records and change your blood type, so the next time you got a transfusion you died.
That’s pretty significant. Or if I could somehow get into the stock exchange and make it unreliable in terms of the settling trades that would have a widespread effect. We haven’t seen that yet.
HEFFNER: Is your commission working with these sectors?
PAINTER: What our commission is doing is we’re looking. So there’s various aspects of this issue, right? And part of the aspect is what are the long-term rules of the road. What is the, what is the framework we want that states will agree to over time. So there’s been work between governments on this, international law applies, which is important. It’s not a free fire zone, but what are the rules of the road what are the voluntary, at least in the beginning, rules of the road, things like don’t attack critical infrastructure absent war time, more time. There’s different rules, but don’t do it in peacetime. Don’t attack the Cert, the computer emergency response teams.
It’s like going after the ambulances. The commission has come up with things like, don’t attack the public core of the Internet because we do that. You could take down the Internet for everyone. Don’t, you know, the industry has an obligation to look at their software to make sure the vulnerabilities are not there to the extent they can. That states should have vulnerability equities processes, that election machinery should be off limits too the states should not attack that. Does that mean that everyone will abide by those norms or embrace them? No. But what it means is that if they don’t do that, then you have to have that level of accountability. And, and we don’t have that firm understanding. There’s a lot of uncertainty in cyberspace. You don’t know what the rules are. You don’t know what the consequences are and we have to change that.
HEFFNER: Right, and in the seconds we have left; you’re really attempting to resurrect the Geneva Accords or something like that for…
PAINTER: Not so much a treaty, because the Geneva Convention applies to cyber. I mean, I think the worry is when you say we need a Geneva Convention for cyber, the Geneva Convention applies to cyber, things like proportionality to say all these things that have brought us safely into the 20th and 21st century, those are things that apply to cyber. We have to figure out how they apply, but they apply,
HEFFNER: But do we need a new body that is going to…
PAINTER: I don’t think we need a new body. I think what we need to do is get countries to accept these rules of the road and then we need to start enforcing them. I think if you create a new body, that’s a lot of overhead,
PAINTER: And you don’t necessarily get the payoff you’re looking for.
HEFFNER: Chris, a pleasure to be with you today.
PAINTER: Happy to be here. Thanks.
HEFFNER: Thanks and thanks to you in the audience. I hope you join us again next time for thoughtful excursion into the world of ideas. Until then, keep an open mind. Please visit The Open Mind website at Thirteen.org/OpenMind to view this program online or to access over 1,500 other interviews and do check us out on Twitter and Facebook @OpenMindTV for updates on future programming.