22 December 2020

TEACHING TECHNOLOGY, INNOVATION, AND MODERN WAR AT STANFORD, PART 6: CYBER AND SPACE

Steve Blank

Editor’s note: Stanford University is hosting a brand-new class this fall—Technology, Innovation, and Modern War. Steve Blank, who teaches the course along with Joe Felter and Raj Shah, is writing about each class session—offering Modern War Institute readers an incredible opportunity to learn about the intersection of technology and war and hear from remarkable guest speakers. Read about previous sessions here.

Our guest speaker was Sumit Agarwal, former deputy assistant secretary of defense and DoD senior advisor for cyber innovation. Out of MIT, Sumit joined the US Air Force and was one of the first officers in network warfare. He’s spent almost twenty years in the National Guard. But in the private sector he’s done a number of amazing things: he headed up mobile at Google, then went back into the Pentagon where he was the youngest deputy assistant secretary of defense ever in the Pentagon. Then most recently, he cofounded Shape Security, one of the leading cybersecurity companies in the country. Earlier this year, Shape Security was sold to F5 for over a billion dollars.

I’ve extracted and paraphrased a few of Sumit’s key insights and urge you to read the entire transcript here and watch the video.

Safety and Security Online

The way we are going about creating safety and security online in cybersecurity and defending against cybercrime isn’t quite rational. In cybersecurity, any individual, any business of any size, from a small business all the way up to a giant bank, is at the end of the day subjected to the worst that adversaries of any sort—foreign nations, organized criminal gangs—can throw their way. And that makes no sense.

The thinking about online security is absolutely at odds with how we think about security in the land, sea, air, and space domains. Our Army, Navy, and Air Force defend our borders. So the result of no defenders in cyberspace is what one would predict. It’s a mismatch. The result is that we are less secure. You end up with companies that are losing more money online, losing more assets that belong to them and more customer data that they’re entrusted with, than they would ever lose in an offline context. And so that’s a really strange thing in the domain that we created—we are having a harder time safeguarding and securing ourselves than we do in the other domains.

I think that it’s a matter of understanding who has the authorities and the norms to defend. Who has the right to defend? Who has the obligation to defend? So that was my thesis when I left the Pentagon in 2011.

How Would You Architect a More Secure Environment?

It’s not okay the way it is. It’s as if the military said, “Hey, we protect US citizens as long as they’re hanging out on a military base. I’m sorry, but if you’re not on a military base, you are totally exposed to any form of threat that can possibly exist in the world.” That is absurd in the real world.

I think that there are two or three fundamental components to it. The first one is, we as a society have spy agencies like NSA that have the preponderance of cybersecurity expertise and capability. At the national level, there really are not a lot of other agencies that have that level of expertise. What you end up with is a choice that we as a society have been unwilling to make, which is: Do we let a spy agency safeguard us domestically at home on the internet? Or do we say, it’s the Department of Homeland Security who is the only one chartered with the mission and has the authorities to safeguard US persons or people at home?

That choice is profoundly broken because DHS does not have the necessary level of capability. So with the benefit of hindsight, I think what we need is an agency that has every bit the level of technological expertise that NSA does in the area of cybersecurity, but that is not a spy agency. And that agency would need to have the titles and the authority, and the charter to protect US persons. And you see that same dichotomy in the FBI versus the CIA. The CIA is externally facing, it’s effectively a spy agency. FBI is all about domestic issues that exist primarily at home. So that is a very clear, bright shiny line, which we didn’t really realize in the ‘80s and ‘90s, was going to become such a problem. But at this point, we have two unpalatable choices. You can let a spy agency be in charge. Or you can let DHS, which has the charter but doesn’t have the expertise, be in charge. And so what you end up with is no defense. So that’s what I would do at the national level in terms of creating an agency and organizing things differently and better.

On the second piece, which is how you create a little bit more clarity between what’s real and what’s fake, that is very challenging, because anonymity is a key, cherished belief system and value online. We all prize privacy and anonymity. So if you swing the pendulum over to say, “We would have a lot more secure online experience if everybody had a hard identity, and you needed to basically jack your driver’s license into a little key card reader in order to get online,” you would have a more secure environment (i.e., a CAC card for civilians). You would have a lot less vitriol, you’d have a lot less trolling, you’d have a lot less of the nasty things that we don’t like online, including crime. But what you would lose is anonymity and privacy. A CAC card is what we use in the military.

I’m not sure if there’s a good answer to how would I balance the reality that it’s a totally insecure, “Wild West” on the internet with the idea that the privacy and anonymity of the internet, in many countries, is really important. It’s allowed the internet to be a tool of great good, not just great bad.

What Trends Are You Seeing That Attackers Are Doing?

Attackers are always going after the softest targets. So in many ways, the softest target is everybody in society. The people who are least capable of defending themselves against sophisticated attackers are not the large corporations that have billion-dollar cybersecurity budgets, that have IT staffs and teams of professionals. It’s either small businesses, or individuals.

The number one thing that we see attackers doing is emulating real people. This is my work in identity and the idea of real versus fake on the Internet. You know, in 1993, there was that New Yorker cartoon with the dog logging onto a computer and it said, “On the Internet, no one knows you’re a dog.“ But ironically, twenty-seven plus years later, on the internet, no one knows if you’re Joe dot Felter at Gmail, or Raj Shah at diux.co, or whatever.

Identity and Truth on the Internet

Online you can be almost anybody you want to be. And it is so easy to social engineer, to phish, to put malware on someone’s machine and to gain access to the things that represent their identity. If you know someone’s username and password, you’ve effectively got their identity. There’s no holographic mark in the upper left corner. There’s no signature in the background, there’s no watermark, there’s no special place that can validate those photos. I mean, it’s literally less secure than college kids cutting photos out to get into bars with identities that don’t belong to them on a driver’s license. It’s that insecure.

And so amazingly, the internet still works despite this profound lack of true security. But the trend that I always follow is how you tell what’s real from what’s fake. Is the thing interacting with you a human or a nonhuman? So much of what criminals do is really about writing programs and bots that simulate human behavior to do human-like things. They then use those stolen identities to have what is truly a fully synthetic actor.

It’s a little bot that has some aspect of your identity, and it will run around on the internet trying to log into something or trying to represent itself as you. And the impact of this is far worse than the economic harm of losing $1,000. Banks are probably losing hundreds of millions of dollars on a quarterly basis. No consumer knows about it, because those funds are silently put back. No bank wants you to know how porous the banking environment is. They simply want to absorb those losses so that you don’t lose confidence. And that’s actually okay from a societal point of view.

Coordinated Inauthentic Behavior

A far worse aspect of the usage of synthetic identities is what we call “coordinated inauthentic behavior,” or CIB. For example, bad actors getting on Facebook, Twitter, or TikTok and creating what appears to be a groundswell of activity and effort and belief around a particular ideology, a particular idea or a concept, none of which are true.

Even right now in our election there is coordinated inauthentic behavior that is pushing ideas and concepts that are driven by actors that are trying to interfere in our election. (In 2016, it was absolutely rampant. There’s less of that happening in 2020.) So what happens when there’s interference by CIB? When there are millions of actions, likes and posts and clicks and forwards, that are inauthentic, you end up with a perversion of democracy. So this idea of real versus fake is incredibly pernicious. And it’s something that I think, is worthy of a lot of time and attention by anybody that that wants to pursue a career in cybersecurity.

Deep Fakes

Deep fakes are a really, really challenging problem. So far, there are a few technological solutions that can do frame-by-frame and pixel-by-pixel comparison and figure out when various kinds of algorithms are being used to make a mouth move saying words other than what was said in the original video. The same is true for images.

I’m not aware of what the fundamental long-term defense is going to be against deep fakes. However, we can create more security around official communication. If I wanted to have an official White House video, or even an official video from me, I could create that. There are long-standing concepts that have nothing to do with cybersecurity that you could use.

I think what we’re going end up with is the following: official communication, like a video of Biden or Trump is eventually going to have enough watermarking and fingerprinting technology, that the major social media platforms will be able to verify authenticity. You could even use blockchain-related concepts to say, here’s the original source of that video that’s been uploaded to the public blockchain. And we know how to verify against that.

The part I have a lot more difficulty with is user-generated content. What if the video we care about is not necessarily that of a famous person? How do you solve the problem that there is no real authentication mechanism when a video or a photo is being shared and propagated and virally explodes on social media? There is no one thing to say, is this authentic? Does it have the right watermarks and digital fingerprints? When it is content that’s being generated by individuals I think it’s going to be hard for us to decide whether that video is real or fake. So it’s a very, very complicated space that’s still emerging.

What Are Some Developments in Cyber That Might Change Offense and Defense?

I think there are two. The first one is homomorphic encryption (fully encrypted communication, without having to decrypt the underlying data.) We’re getting to the point where the compute burden on being able to take two numbers—just take the number one and the number two—and let’s encrypt them. We don’t want anyone to know what two numbers we’re adding together. And we want to add them to get the solution, which is three. In the traditional way, you share keys, exchanging secrets with whoever you want to be able to perform that computation. They decrypt the two numbers, add them up and get the solution—three. And they encrypt the answer and then they transmit that back to you. So that’s the old school way of doing things. And it has two fundamental problems. One, it’s vulnerable, because you have to decrypt the things that were meant to be secret. And anywhere in the process, if you have to decrypt them, that’s problematic. And the second is, you have to exchange secrets with anybody that you want to do business with.

That is fine at a limited scale, when you have a small number of partners. But when you want to have a heterogenous environment, maybe an international coalition, it doesn’t scale very well. So for a long time, DARPA has been chasing after this idea of being able to perform computation on encrypted data without decrypting it. And the problem was that as of 2010, when I was at DoD, there was a ten to the sixth compute penalty. So a million-x compute penalty on adding the number one and the number two together if you left them encrypted. And so over the last ten years, we’ve been knocking down that exponent, and I think we’re right on the verge of being at the level of ten to the first or ten the second. And that’s a very tolerable cost for fully encrypted compute, without having to decrypt the underlying data. That’s one exciting area.

And the other one is quantum computing. We’re getting very, very close to the point that quantum computing, certainly for defense, may be available. And that is going to change everything about security online. Because the core of security online today is about computational expense of factoring very large prime numbers. And quantum computing gives you so much more capacity that you can in fact find many more such primes.

Do Our Constitutional Protections in the United States Put Us at a Disadvantage Compared to Adversaries That Don’t Share Our Values?

I think the answer is 100 percent yes, at a tactical level, some of those constitutional freedoms put us at a slight disadvantage. But the answer is less about cybersecurity and more about liberal democracies. I think that the question is, do liberal democracies do better than more authoritarian regimes over a much longer period of time? Because when it comes to getting something done, you don’t need to develop political will in an authoritarian regime to the same degree as in a liberal democracy.

What Do You Think Needs to Happen for Liberal Democracies to Prevail and Feel Safe?

I think that the future of warfare is going to be less and less overt, less and less hot. It’s going to be less and less about putting kinetics on a target. It’s going to be about influencing large numbers of people in very subtle ways. If you can influence people, it’s that old thing about winning hearts and minds. If you can just influence them in a certain direction, you may be able to win without fighting at all. And so you end up with a war of ideology and a war of culture in open countries.

I think that the big challenge for liberal democracies is, how do we ensure that the conversation we’re having is a real and authentic conversation with the people we think we’re having it with? I think the conversation happening on Facebook right now is incredibly polluted by people who have ill will and Ill intention. And I worry. I’m going to devote a large number of my career years to figuring out how to kind of stem that tide of inauthenticity.

In terms of what the government can do, I think we’re going to have to take a more active role. We’re going to have to figure out a contract with American society that does that in a way that you’re comfortable letting us help create a lot more safety and security.

There’s a distinction between policing what happens on a social media platform—that seems very active and heavy handed—versus saying, “We can ensure authenticity without compromising security and privacy.” There are a lot of companies that are failing to take steps that are readily attainable that would help with this problem. And so I think that there’s also a regulatory component that says that you have to safeguard yourself using these technologies that we’ve identified. We need a much more robust framework that says that if you’re going to have an online system, this is what security means.

I’ll give you one of my favorite examples. The doors that separate your bedroom from the hallway, or the hallway from the garage are rated for a certain number of hours that they can burn in the event of a fire. So the idea of safety and security in the real world is baked into every component of the physical world with which we interact. That level of intensity has got to go into constructing a major website or a major web platform if you have any hope of it being safe or secure. That’s very different from the current regime, which is really “everybody do their best and we’ll hope it doesn’t turn out too badly.”

What Gives You the Greatest Optimism Looking Forward?

Over the long haul a freer and more open, more liberal society can suffer a lot of bruises and bumps but can find its way back to a civil discourse. As much as the brand-new tools of communication and aggregation and finding community are creating craziness like QAnon and extremist behavior, I think that there’s still an opportunity for some better version, some good version of communication, collaboration and people coming together to exist. It’s hard to point to quantitative examples of that right now, but I do believe that we will get there. These are growing pains, and growing pains take a decade or two to work their way through the system. But the entire internet, the way we know it, is barely twenty-five years old. So it’s barely a young adult. There are a lot of stories still left to be told.

No comments: