Jonathan Reiber is a security expert currently serving as Senior Advisor at Technology for Global Security, a think-tank in Palo Alto, California, and a Visiting Scholar at UC Berkeley’s Center for Long-Term Cybersecurity. A frequent public speaker, his writing and work has been featured in Foreign Policy and Literary Hub and highlighted by the Atlantic and The New York Times. A previous Chief Strategy Officer for Cyber Policy in the Office of the Secretary of Defense during the Obama administration, he sat down with the Berkeley Political Review to discuss cybersecurity’s role within the United States’ grand strategy, the danger of newer cyber ‘soft attacks’ like the Russian interference in the 2016 U.S. presidential election, and major cybersecurity threats both in the U.S. and in Asia.
The role of American cybersecurity
Berkeley Political Review: What is the role of cyber security within the American national security grand strategy? How is it similar to or different from what we would think of as more conventional operations like naval or military components?
Reiber: With our national security strategy, the principal purpose of cybersecurity is to secure the most important data that we have in the country.
The Defense Department has three missions in cyberspace principally. The first is to defend its own networks and data because it needs to be able to continue all of its own missions in the event of attack. Number two, the mission that was given to the Defense Department by the president in 2012, is that the Defense Department needs to plan to defend the United States against cyber attacks of “significant consequence,” and [in the DoD Cyber Strategy of 2015] what “significant consequence” is is left open and determined on a case-by-case basis by the national security team.
However, you can imagine that something like the Russian influence operation of the 2015-2016 period would count as a significant consequence; it has undermined Americans’ faith in the media, in the presidency, and the legitimacy of the elections and fundamentally the overall security of our electoral systems and the processes surrounding it. Ostensibly, therefore if you were to anticipate that another such attack like this was to come up, you could imagine that the Defense Department may be called upon by the president to conduct a cyberspace operation to defend the United States against it.
The third mission is that the military needs to be ready to provide cyberspace operations and options to forces active in theater to achieve America’s national security objectives. Those could be defending U.S. forces in a theater, or options that could facilitate the termination of a conflict on terms favorable to the United States. So an example there could be: under the law of armed conflict and in the event of a contingency with an adversary, are there ways for the U.S. military to design cyberspace operations to disrupt adversary weapon systems that could be pointed against U.S. forces or American interests to terminate the conflict on terms favorable to the United States?
A doctrine of restraint
Reiber: Now, we’ve bound cyberspace operations within the Law of Armed Conflict and within the governing principles that define how the U.S. military operates in the world overall. We also have what’s called a “doctrine of restraint,” which means that if an adversary is conducting an operation against us, in cyberspace, the default position for the military or other aspects of the government is not going to necessarily be to respond in-kind through a cyberspace operation. There may be other ways that you could achieve the same effect.
For example, if there is a malware campaign being conducted against elements of critical infrastructure with servers in Germany and Vietnam and France, the firm is the first layer of defense. It needs to try and secure its own network defenses to harden [them] against the attack. The second thing within this doctrine of restraint is law enforcement officials in the United States would call law enforcement officials in Germany, France, and Vietnam and say “please shut off these servers or arrest whomever is using the server to blunt the attack.” So in that way, our law enforcement partners abroad would conduct a legal domestic operation within their own countries to stop the attack from ongoing.
If that can’t work, that’s when we might begin to think about conducting a cyberspace operation to blunt or stop an incoming attack. If it can’t work then, and it’s significant enough that it’s causing an imbalance in deterrence, or raise tensions between the United States and another nation, there may be other options that we’d peruse to include kinetic operations, although it would have to be a very significant attack for that sort of kinetic threshold to be crossed.
The danger of ‘soft attacks’
Later in the interview, Reiber spoke about the Russian interference campaign in the 2016 United States presidential election and the consequences of a new more internet-connected age.
Reiber: We assumed for a long time only hard attacks would be the ones that would cause the greatest damage, but what we saw was that the softest systems in our society, which are these open-facing social media systems, are so easy to manipulate.
Consider that the Internet expanded rapidly from 1983 to today. If you look at the invention of TCP/IP in 1983, we went from zero to 14 million users in the first 10 years. And then you had this astronomical growth over the last 20 years, where you are adding billions of users every decade or less. And we’re now at 3.8 billion since 1983, so we went from zero to almost half of humanity being online in 35 years, which carries a tremendous change in the way that we imagine the world. So the definition of cybersecurity may also be changing in that way because we’ve seen real-world impacts through digital manipulations.
I think there’s an argument to be made that the way we think and imagine the world has changed because of the way that we use digital technologies. And that’s a change in my own thinking — for a long time, I was mostly worried about near-peer adversaries breaking infrastructure, which still could carry the most grave potential loss of life. If someone was to open up the Hoover Dam and flood parts of the Southwest or something like that — this could be really tremendously dangerous. But I think we’re now at a place whereby technology has penetrated so much of the way we understand each other and talk about each other as people that we have to expand the definition of cybersecurity and, ultimately, work to put some distance between ourselves and our technology.
‘This is the thing that I worry the most about’
Berkeley Political Review: What do you see as the most potentially harmful outcome that could arise from cybersecurity breaches or threats in the next 20 years?
Reiber: The greatest concern would be manipulating the intelligence and technology that underpins our nuclear deterrent. If a leader was to anticipate that something was happening when it wasn’t, and initiate any kind of missile launch simply because they have false information — this is is the thing that I worry the most about in general. Anytime when you have significant military capabilities that can be manipulated or conflict initiated through technology in any way, that gives the adversary a potential advantage that we have to try and undercut. As one of my mentors Richard Danzig likes to say, the president can’t just look out the window of the Oval Office to determine whether a missile is coming in. They rely on all this technology, so that to me is really the greater threat.
You could also imagine scenarios in the future: with increased automation across society, there are levels of factors of production that could be manipulated over time, whether it is food or public health systems whereby you may be getting too much medicine when you think you’re getting the right amount, or you might be getting food that you can’t actually have in your diet. Over time we could see cyberspace enabling ever more niche attacks on individuals through those kinds of vulnerabilities in health and nutrition. I’m also very worried about the networking of our power and energy systems: smart power systems, smart grids. These are the sorts of capabilities that could be manipulated over time as we come to rely more and more on smart technologies. Consider, of course, that car companies are now hiring cybersecurity specialists to secure their cars against attack.
The Asia Scenario
Later Reiber talked about his recently released study, “Asian Cybersecurity Futures: Opportunity and Risk in the Rising Digital World,” which looks at the impact of digital technologies on emerging economies and anticipates future cybersecurity and technological risks.
Reiber: In India and China, where you’ve got unresolved territorial disputes and ongoing nationalist movements, we could see more and more cyberspace-initiated or cyberspace-based conflicts between people depending what they do online: how they express themselves and whether, given their political agendas, they ever decide to pursue cyberspace operations against the state.
Consider that over the next five to seven years it’s likely that a billion new users will come online just between India and China alone. That presents a potential vulnerability for states across Asia, where more and more groups could arm themselves in cyberspace and communicate politically online at this nexus of hate speech and enclaves that could make what happened to us in the 2015-2016 period look like Act I of influence operations.
I pick the territorial disputes in Asia because there are so many, and while states are unlikely to want to go to war over any issue, because it’s a significant cost to them, aspects within a society could begin to use cyberspace operations to pursue a number of different political objectives that may be at odds with the state or aligned with it. My point is simply that as more people come online, they will both express themselves online and pursue political objectives, potentially through operations in a way that we can’t anticipate. Vulnerable groups could band together and form anti-state groups that then conduct operations against the state to meet their own needs.
Here is another good example of how digitization could impact Asian societies: we have a scenario in the Asia study [conceived by Arun Mohan Sukumar of the Observer Research Foundation] about farmers using drones across India. The drones then get hacked — it’s not clear who did it — and the hack forces drones to over-fertilize the fields of India. This leads the farmers to lose a lot of crops. It causes economic and nutritional impacts for the country. So you could see this sort of impact of cybersecurity over time.
Chinese Political Interference?
Berkeley Political Review: Do you think China will use cyber operations to influence United States politics in a way similar to how Russia did in 2016?
Reiber: I’m not going to try and predict anything; none of us could predict the rise of Donald Trump, for example. I would never rule out that China would intervene in our election. I think we have to assume that any state is going to look at what Russia did and say “I can use the internet to do all sorts of things, and also I will look at the fact that the United States did not take a significant punitive action against Russia…it looks almost like I can operate free of any punishment.”
However, having said all of that, I think the Russia and China cases are very different. China is so much more interconnected with the American economy than Russia is. Russia is a shrinking economy, it’s a shrinking population; the country doesn’t look like it has a great future. It once had a great future, during the Cold War it once had the sense that it had a great future ahead, and now it only looks back on the past with nostalgia and probably a fair amount of frustration over the future that never came.
China, on the other hand, has a magnificent economy. The entrepreneurs in China are incredibly hardworking and dynamic — powering some of the most dynamic companies in the world, like Tencent, Alibaba, and Baidu. It’s in everyone’s interest for China to continue their economic rise because it’s good news for everybody. So their incentives to enter into any kind of prolonged or disruptive conflict with the United States has got to be relatively low. Of course, from a U.S. security planning standpoint, we have to plan and worry about long-term competition with China but it’s much more in our interest to have China rise peacefully and economically.
Featured Image Source: UC Berkeley Center for Long-Term Cybersecurity