How are cyber attacks shaping international relations? In this episode, Brandon Valeriano, Ph.D., Chair of Military Innovation at the Marine Corps University, discusses the potential future of cyber warfare. Is the U.S. prepared for the next generation of cyber attacks? Where do we draw the line on cyber attacks? Learn how criminals are using the internet and technology to cause chaos.
The ever-changing world of cybersecurity looms. Nations leverage technologies and threaten a new age of conflict style – cyber warfare. Is this a new era of war?
The world of cybersecurity changes on a daily basis. There used to be a time when I would jump on a plane and I would land in another country and I'd be worried that everything had changed. And it seems like that sometimes. But in reality, the contours of the cybersecurity world are just like the contours of the normal international relations world. States hate each other, states dispute, and states will leverage technologies to try and one-up the opposition. But the evolution of the technologies that are leveraged against states has been remarkable.
[This is Horizons, stories about what's next in the world. Powered by Compass Data centers.]
Using computers for harm is the basic way you would describe what cybersecurity is. And the goal is to use digital protections to make ourselves more safe and more secure, over time. Russia has a political goal of disrupting the west. They want to ensure that democracy is chaotic. That democracy is problematic, and that was to suggest that their system is just as good or if not better than the Western democratic system. So, they enjoy chaos, but they often don't create chaos. The chaos is created by those who have financial motivations. So there's this kind of symbiotic relationship where the criminals are operating to create chaos in the west and the Russian government is looking the other way. So those things can work hand in hand. Other states, like North Korea, are very much interested in financial payoff and gain because they're not connected to Western or global financial networks.
So, it makes sense for them to try and seek out cryptocurrency or other sorts of options. But other states are really just focused on trying to modify the behavior of the opposition and cyber isn't really a great tool to do that.
War is violence between two groups meant to destroy and kill the opposition. Cyber isn't very great at killing. And quite often, I make this joke about the James Bond movie Skyfall, where they blew up MI6 through a cyber attack. And my basic claim is if you can blow up MI6 from a cyber attack, you have a plumbing problem; you don't have a cyber problem. So this is really the challenge is that if something goes bad internally, it's really of your making and your design that you're allowing someone to access your power plant from Russia, that you're allowing someone three states away to mess with your water facility treatment plants.
How does the role of journalists play into the narrative of cyber warfare? News organizations are purveyors of information, but boring news isn’t worth much. Will more nuanced and less destructive attacks be overlooked for the rare case of a catastrophic cyber attack?
Well, there's a few different things about the journalism issue is that, for one, journalists are gonna hype up the most extreme examples in this space, because that's what leads the news. And to start a news article with everything's fine, we had a cyber attack, but we just rerouted something and nothing happened. Isn't gonna lead the newspapers. So that's one of the challenges is that the more nuanced, the more, less destructive, the more common is often avoided by the news, but that's part of their job. But the other thing is that journalism, they're the purveyors of fact, they're the purveyors of information. And in some ways, of course, they've gone down the wrong path where people are masking themselves as journalism when they're not being the purveyors of fact. But every day I still like to live on Twitter and I know that that's not an accurate reflection of the world, but it's a reflection of the news of the world. And I try and get a sense of the currents of how the news is working each and every day, particularly in my field of cybersecurity, through these other inputs, which are mainly journalists, and we have to give some respect to them. But on the other hand, this idea of truth and fact has kind of declined over time.
The cost of education and the general social status of technology-focused jobs creates a paradox between what we need and what is accessible in today’s society. Brandon Valeriano, Ph.D., discusses his views on shifting perception of technology jobs from a prestigious, expensive career path to a more common career choice.
Well, I think the main thing we've fallen behind in, in college, is the cost of education. And we haven't controlled the cost of education, which other countries, and I've taught in Britain before they've done a lot better in controlling the cost. And if we don't control the cost, we don't really democratize education. We don't really ensure that there's a diversity of people coming into the education system. And instead you get the same types of people with the same types of background coming through and leading the system into the future. And I wanna do better than that. I think that quite often, the way we've set up our education system, we're fighting with one hand behind our back because some of the people who could contribute to the American system aren't allowed to contribute to the American system. I think the difference in the United States is we see technology as a, I don't know, a higher industry, an industry that pays more, an industry that has a certain amount of status connected to it.
But the reality is, I think we need to treat technology as a little bit more commonplace, as like a different path, as like a path away from common forms of education, towards more of a trade school idea of what technology really is. And in some ways, education and training actually hinders people who develop technology because they're taught to think inside the box and you really need to think outside the box. So, being a little bit more free in terms of how we educate people in terms of technology is gonna be more important into the future, but also at the higher ends, in terms of policy making, we need people who are better able to explore data and explore information because we can't get back to this idea of using isolated events to determine how you view the world. That's not how the world works. You know, you can't go outside, find that it's snowing in October and say, every time it's snow, it's gonna snow in October all the time. It's not how the world works. It's a challenge.
The future currency is information. Get a glimpse of how the data we share can be used freely by companies, systems, governments, and more.
Information in the future is going to be currency. It's not so much about goods and services. It's really about information and what we can do with information, particularly with AI, because I think what a lot of people forget about artificial intelligence is that artificial intelligence requires data and inputs and all these data points. Everything you say to your Alexa, everything you do with your phone, everything you do with your map system, is gonna be valuable data moving into the future. And we haven't thought very well about protecting our data. In fact, a lot of people are just very flippant about their data and kind of let anyone have it and anyone take it. But this is gonna be part of our sense of self moving into the future. And we have to do better to train people, to think about what their data is and who has access to it in the future.
The most to gain right now actually is the people developing AI systems. And you know, as much as we talk about AI being our future, it’s very limited without data. So the ones who really have [something] to gain are the people who are developing these emergent algorithms that we're gonna control and run our lives. And as we see, if you put bad data into these algorithms, you get bad data out and you get problems where, you know, there's racial problems where like an AI system can't recognize a non-white face or, you know, it might mistake you for someone else. And then you're never able to fix that, you know, think about it in the future, where the only way we can get on a plane is through facial recognition, or what if facial recognition is just messed up for you and they always confuse you with someone else.
And you're never able to get onto a plane. These are gonna be coming challenges that we haven't really even thought much about.
Oh, it's in our near future. I think within five years facial recognition will basically start to do everything for us. We're already like, you know, we can't get into our computers and our phones without facial recognition. So the challenge is gonna be, is it accurate? Is it right? We have this other idea of what we call the poison frog – the idea of introducing contamination into the data and people using these forms of contamination for protection. So things are gonna get a lot more confusing in the future as we start to rely on facial recognition and AI algorithms. And, as people start to mess with AI algorithms.
Cyberwar off-ramps are ways to mitigate and distract from larger war activities using cyber technology. Learn more about how off-ramps helped the U.S. avoid a full-blown war with Iran.
Well lately, I've been looking at what we call off-ramps to cyber war and just expanding the notion of what cybersecurity can do. And the main idea is that basically in a run up to war, which almost happened in the summer of 2019, with Iran in the United States, you can use cyber technologies to actually dampen the crisis in providing an off ramp and what the United States theoretically did as we reported in the media. Not that I know anything special. [The U.S.] shut down Iran's ability to monitor shipping in the Persian Gulf, and we shut down their air defense systems. And after that things changed and things quieted down for six months. And this demonstrates that we can use technology not to destroy, but to provide other options for discussion between two states.
What does the U.S.’s defensive infrastructure look like? Brandon Valeriano, Ph.D., discusses how our society can build defensive infrastructure to protect against cyber warfare.
We don't really have a defensive infrastructure. We have agencies and we have groups that are working for the defense. But as I recently heard in D.C., if we really want to defend ourselves in cyberspace, we should actually try defending ourselves. I don't think we've actually done that very well. If not, we generally focus more on the offense than the defense, but we're starting to enable structures, particularly CSA, the cyber infrastructure security agency through the DHS. The FBI has become more capable over time. And then of course you have Cyber Command in the Department of Defense. So we have individuals, we have groups, but we don't have a lot of great infrastructure. And the emerging infrastructure is two things that I'm very dubious of. One would be insurance. Cyber insurance is a way of protecting ourselves as a society because when you get insurance, you're told to do certain things, you get out insurance, you get insurance on your bike. You have to get a certain lock. You have to get a certain security system. Theoretically cyber insurance would start to push people to do that. But right now it's very ad hoc.
Brandon Valeriano, Ph.D.
Chair of Military Innovation – Marine Corps University
The challenge with democratic or western states is that they have a very open system when considering online networks, making them more vulnerable to cyber attacks. That is the tradeoff of freedom of speech. Anyone can search for anything and find [almost] anything.
In the COVID-19 pandemic era, we’ve made connecting online even easier. Thanks to the necessity of remote work, we see more and more facilities go cloud-high – making their resources and activities accessible remotely on any device. This can lead to more cyber-attack activity.
For example, leading up to Super Bowl LV, a water facility plant in the host city, Tampa, Florida, was attacked. Unknown parties tried to poison the main water lines. The threat was stopped in time, but why should someone a state away be able to affect water facilities in Florida? Facilities such as water treatment systems and nuclear plants are clear examples of places that need more protections. We might have made access easy for employees, but we’ve also made it easy for our enemies.
While we do see people using cyber security for harm, especially when we consider digital currency, cyber technology isn’t a very coercive technology. You can’t force people to do things.
When we think of cyber attacks, the result is usually only causing harm to internal systems, such as accessing a water plant or getting access to a politician’s emails. Behaviors of those audiences are not changed, and it only means the systems themselves need to be updated and protected to avoid these attacks. External attackers are not very successful at changing the behavior of the opposition using cyber technology, making it a mediocre tool for war.
But, if you have internal audiences you want to hurt, like individual people or companies, that’s where cyber technology can do harm. It’s less a tool for war in these cases.
When the threat of war is knocking on your door, off-ramps provide a way to dampen the crisis. Online technologies are used to mitigate issues before large-scale physical attacks take place.
One example of this took place in 2019. When threatened with the possibility of war with Iran, the U.S. shut down Iran’s ability to monitor shipping and shut down their air defense systems, causing the threatening country to take a step back and quieting negative activity for six months. This demonstrates that we can use cyber technology not to destroy, but to provide other options for discussion between two states.
Information is the currency of the future. It’s less about goods and services, and more about information and what we can do with it. Companies continue to buy data to better target audiences, but is it all for the greater good? Or are we, as consumers, not working hard enough to protect our personal information? We especially see this new form of currency when considering artificial intelligence. Artificial intelligence requires input – such as what you say to your Alexa or what you search in your Maps app. Consumers generally don’t think about how that information can be used in the future. We are freely giving out unprotected information to be used by anyone, anywhere.
Since AI is useless without data, what happens when the data is incorrect or not considered? This is especially important as facial recognition becomes more and more popular. What happens when a person is mistaken for someone else via facial recognition? Or when certain unconscious biases seep in, causing programs to not recognize ethnic faces? These are all issues with this new form of “currency” we could see take shape in the future.