 We're so glad to welcome Timothy Edgar to the Berkman Center to talk to us about cyber war and conflict and associated issues Tim is a visiting fellow at the Watson Institute at Brown and adjunct professor at the Georgetown University Law Center He also served under President Obama as the first-ever director of privacy and civil liberties for the White House National Security staff and he Was at the ACLU in the years following 9-11 and has a wealth experience to share with us. Welcome Tim Okay, well, thank you very much Amar and thanks very much to the Berkman Center for extending this invitation. I'd also like to thank personally Professor Zittrain for some of the ideas that have incorporated into my class at Georgetown and Brown and and hopefully he will recognize some of the ideas here in the presentation as well So this is kind of a broad overview of the issue of cyber conflict and how it relates to the issues of privacy and internet freedom And it it's based somewhat on this experience, but also I'm reminded being back here at Harvard of my first year at the law school with Charles Nesson with Charlie Nesson Introduction to lawyering where we were all taught that we were no longer going to be practicing law We were going to be practicing cyber law. So That's that's something that definitely had an impact on me in my later career So the problem here is to balance our concerns over protecting our computer networks, especially for in the way they interact with critical infrastructure with personal liberty and privacy and also with business needs and the need to continue to have competitiveness in our high-tech economy So it poses unique challenges for all of us governments citizens also companies and corporate boardrooms that are grappling with these issues and For the future of what the internet is going to look like The threats seem to be multiplying and getting more and more grave It used to be malware and annoyance was something that everybody kind of started to realize was a big problem But now cyber crime continues to grow and we you know also see state-sponsored espionage And now we're worrying even about attacks that might constitute a use of force in international law through through cyberspace on critical infrastructure So it requires major new security thinking and it also requires major new Legal thinking at the same time a growing list of countries have adopted a variety of more or less Restrictive internet filtering practices many of which the Berkman Center has had a lot to do with documenting Not just the usual suspects. We know about China Russia Iran these kind of countries But also it's being debated increasingly in many democratic countries Australia had a proposal to do internet filtering And there are many voluntary arrangements of ISPs and the US is deploying some of these technologies to protect First government networks and now critical infrastructure So the effects are you know, how are we going to maintain a free internet with personal privacy? Will we destroy the internet to try to save it and will this clicker work? Yeah, I was told the clicker would work Maybe I will try the old-fashioned method Here we go Except the cursor has disappeared Here I got it. Here we go. There we go So the Obama administration could be forgiven if it leaves us a little bit confused The United States has announced that there's a freedom to connect It's an aspect of fundamental human rights in a speech that Hillary Clinton gave to the museum January of 2010 she defended internet freedom and said that social networks Were somewhat like Soviet era Samistat the self-published pamphlets that were circulated underground in the Soviet Union The State Department funds internet a circumvention to circumvention tools to get around the kind of controls that many countries I mentioned have at the same time four months later General Alexander announced a new command a new military command for cyberspace that would be co-located with the NSA This command would be Able to launch at the direction of the president full-spectrum military cyberspace operations It was described in the Defense Department's own fact sheet As something that would enable action in all domains ensure US and allied freedom of action in cyberspace and Deny the same to our adversaries So this is the concept of cyberspace is a domain of warfare a domain that requires not only an NSA to involve itself in intelligence gathering in this domain But a new command like strategic under strategic command, but like the other military commands in order to direct military operations President Obama is in many ways the cyber security president He's the first president to have given a comprehensive speech on the topic of cyber security Announcing the results of his cyberspace policy review that was conducted by my colleague Melissa Hathaway addressed all the different areas of cyber security and You know one thing one way of looking at that speech is to look at the two major caveats that President Obama made One is essentially we need to protect innovation and in doing that He said whatever we do in the area of cyber security. We're not going to dictate security standards to private companies We don't want to have an overarching regulatory approach that says this is how you will do security Computer security because the government has told you so He also said that we needed to protect privacy and made this emphatic promise That the pursuit of cyber security would not include monitoring private sector networks or internet traffic Now this caused some of us in the intelligence community to scratch our heads a little bit because we thought wait Don't we already monitor private sector networks or internet traffic? Don't we do so under legal authorities given to us by Congress not just in the Patriot Act but earlier both for intelligence purposes and For law enforcement purpose, of course we do what I take this promise to mean is that we would not have a comprehensive internet monitoring Program that would essentially use cyber security as a new basis for programmatic monitoring of all kinds Instead we would use whatever tools we currently had to deal with The whatever monitoring was necessary whether it's for intelligence or law enforcement purposes That's the way I kind of thought that that promise made sense so You know one question that people often ask themselves about the area of cyber security is why is there a difference in terms of Computer security then with any other aspect of modern life And we don't you don't let cars go in the road unless they've you know been heavily regulated for their safety We don't let many other things that could have this kind of impact that the catastrophic Saliors of our critical infrastructure would have on the road and it really comes back to many of the values that Animate this place the Berkman Center and many others and so It's this idea of kind of the electronic frontier that that cyberspace is a place that's Liberated from governments from social and traditional controls where you're free to be yourself. It kind of started in the 1990s And it was promoted by a group of thinkers that said you know look Cyberspace is different and allows us to do all sorts of new and amazing things Allows us to be free of some of the of the problems of the industrial age And you know you can you can certainly easily parody this a little bit and obviously I'm poking a little bit of fun here at our founders The founder of the electronic frontier foundation One of the founders anyway who you know had this declaration of independence of some from cyberspace And we all know that sovereigns certainly do care about what happens online And that there are many strategies that they can use to enforce rules online And there's some that have sort of questioned this whole idea altogether really is the internet really any different than anything else that We do does it really have this transformative? impact Larry Lessig says look it's just the way we coded it. We just decided to code it in certain ways that allow At the beginning perhaps for a greater freedom and that you know now we can recode it and allow for greater control I think there's a lot to that But I also think that the very openness of the way the internet was architected in the beginning Allowed it to beat out some of the more controlled networks Um Professor Zittrain talks about that also David post in his book Jefferson's moose But basically the point here is that maybe if we change some of those things and add security in as some people say Well, what if we redesign the internet for security? We would actually Disrupt some of what makes it so transformative and so we have to be careful about that So one was one of the ways we were going to deal with that problem. Well Steve Jobs, you know gave us some of these appliance size devices. They're extremely elegant They seem to work very well. They have user interfaces that work This is with apologies to professors. They train a quote from his book That the iPhone is a product of both fashion and fear and The big point here is that as Steve Jobs said you don't want your phone to be like a PC This was an acknowledgement of the fact that Generative PCs the technologies that are extremely open also create security holes and problems People can run whatever code they want on it and they're going to make the wrong choices and run the wrong type of code So the fear was that we would essentially pledge our Freedom and our privacy to large corporations that in return for us giving us freedom and privacy to them Would give us greater security now. I have some good news for all of you That didn't really work out. We don't have greater security In fact, and blind size devices are some of the most insecure devices we have certainly the iPhone has all sorts of security problems and holes and It's one of the most rapid growing areas of computer insecurity when I was at the White House We were given an unclassified demonstration of many of the security flaws with the iPhone as well as the other The other mobile devices and because it's unclassified it can tell you what they did It's pretty easy to do if you poke around on the internet You can have malware that allows the phone to to record everything you say and transmit it to somebody that's rather alarming for your personal privacy and You know, what's the answer to it? Well the answer typically for security for the government types is Don't bring your phone with you take the battery out It can't even take the battery out of an iPhone. So don't bring it with you That's not particularly compelling when you want to have the connectivity and functionality that this gives you But it gets much worse than that. It's not just a few random security flaws. In fact the United States is facing serious threats of cyber espionage and Earlier this year this kind of made the New York Times But it's something that if people were paying attention would have known was going on for many many years The OD&I where I worked the head of the intelligence community has the national counter intelligence Executive and puts out an unclassified statement of the intelligence community's assessment of the cyber Risks and did so a couple of years ago three years ago In fact and in this report Assessed first of all that China was the world's most active and persistent perpetrators of economic espionage So, you know when you find out how they do it, of course It it makes the headlines, but this is something the intelligence community has been saying for years and it's not just China Russia also has extensive and sophisticated Operations generally known to be a little bit more careful in some of the way that they do their operations And yet certainly a very sophisticated player in terms of the espionage world Accelerating that's kind of self-explanatory and It's a growing and persistent threat to US economic security So not just national security, but our economic security may be at risk economic espionage, you know has a Long pedigree. So what's different? Well, what's different may just be the scale here the kind of ability to steal industrial amounts of Plans and things of very quickly and without necessarily being inside although obviously having an insider Makes things work more easily more alarming perhaps than cyber espionage is the Concerns around potential cyber war We've heard these over and over again in this year's state of the union President Obama said these words now. We know hackers steal people's identities and infiltrate private emails We know foreign countries and companies swipe our corporate secrets now our enemies are also seeking the ability to sabotage Our power grid our financial institutions our air traffic control systems We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy When the president United States says those words in such a formal setting that should get people's attention I mean that is that is essentially saying that we are in some ways in a september 10th moment That the intelligence community is screaming. This is a problem. We need to do something about it And so, you know, I think that that whatever you think about the risks of cyber warfare It's something that's dominating in many ways our discussions in Washington around national security and it's seen as a very serious problem and Of course, you know, we've we've seen the hype We've seen the media I I tend to doubt the accuracy of this statement, but my you know My technical expertise is such that I'll leave maybe others with more to know whether this is true But part of the reason I throw this up there is that what's really gets our attention is real world effects It's one thing to talk about Emails being insecure or they're being malware and certainly if you're a company you worried about your trade secrets But but people are wondering are the lights gonna turn out am I gonna go to the ATM and not be able to get my money? Is there something that's gonna affect me? That's gonna be pretty dramatic. Maybe maybe not an explosion but something that's pretty dramatic and You know Hugo Tessa the security consultant who made a big splash at the hack in the box conference this year You know, he kind of understood that and he said look I've created an app on a smartphone that would be allowed to you would allow you to remotely hijack an airplane That certainly got a lot of people's attention Whether whether true or not the FAA says that's not the case. I would notice that it was an Android phone So apparently he wasn't able to get that app approved by the app store So so maybe actually appliance isation does have a place in security But it raises the question. How are we gonna deal with this problem? I mean one way of dealing with it is to declare, okay We're in a cyber war or we're about to get into a cyber war This is something that people thought maybe we should have done before 9-11 You know, Osama bin Laden had said we're at war with the United States So George Tennant said we're really at war with al-qaeda It wasn't until after 9-11 that we actually invoked those powers that the government has to use in wartime now What's the danger here? These guys here by the way are cyber warriors These are in fact soldiers sitting at their computers at cyber command So they are the people that would be launching those full-spectrum military cyberspace operations at the direction of the president if authorized Well, we worry about This I mean I think a lot of people here would be concerned about this a lot of Americans would be concerned about this and and one reason Is and I'm apologize for my use of about a thousand percent more Latin in this part of the presentation but in more the laws are silent that's what Cicero said and And You know, there's still a certain amount of truth to this despite all sorts of courses you can take on the law of war It stretches Law it's it's a military necessity is a very powerful thing and it becomes difficult For lawyers to really resist the logic of it. That said we do have important areas of Law of war we have something called usad bellow this Defines when can we go and use force military force in response to some sort of harm that our nation is experiencing? Because the basic general rule is you can't I mean, you know You can't just go attack countries because you don't like them or you you're experiencing harms from them You can only Basically do so in self-defense or when the UN Security Council authorizes it and so that means self-defense means You know, I either have been attacked militarily or I'm afraid that I will be attacked and it meets the test for preemptive self-defense, which is I'm not going to go into all the details for that. You can do it collectively. You can do it on behalf of your allies So there's a lot of action here. You might Wonder about that, but it really makes it important to define when is a cyber attack a use of force And when is it an armed attack which lawyers don't even agree that those two things are different or the same They actually disagree about whether that's the different of the same And most people say look it's the effects that are in the matter the most here If the effects of an attack through cyberspace are so dramatic that it it sort of rises to that level It's what we would have achieved through normal traditional military means then it might be a cyber attack but it's not just effects because Economic sanctions can produce terrible effects. There's other things that can produce terrible effects So we you know we have these tests that we're still debating as to whether What test would work Michael Schmidt at the Naval War College has done a lot of work in this area? There's also the question of use inbellum. So that's the law that applies to the actual conflict itself principles like proportionality a distinction These are the principles that limit how we use force when we are in fact in an armed conflict So just because we have been attacked or I think we're going to be attacked You know and we're in an armed conflict doesn't mean all bets are off. We have to act proportionally We don't necessarily have to act just through cyber means to respond to a cyber attack And that last point is what led to the headline NATO says it can bomb hackers As a result of this study that a number of International lawyers did not a NATO Doctrine, but but NATO funded study of some very prominent international scholars who said well You know if we face a cyber attack that's equivalent to a use of force then we can respond within the laws of war And we don't have to just respond through cyber means Well, this sounds a little scary Maybe we want to limit this we want to limit the way in which a cyber attack might threaten the peace of The West pet in the piece of the whole world. We can do that perhaps through an arms control approach The Russians have been proposing this since the 1990s. They've been saying hey, let's have a Treaty that essentially bans cyber weapons and the way they define cyber weapons is information weapons So weapons that interfere with each country's sovereignty over its information space are things that we should all agree to ban You know weapons like social networks You know that destabilized people's countries So that's not going to be something that's going to fly with the United States What if we were able to narrow that down to just kind of some Small group of weapons that we said okay interfering with critical infrastructure through malware through Technical kinds of means rather than this information warfare concept. Well, then you have the problem of Attribution you have the problem of verification The thing that made these arms control agreements work back in the 1980s when Reagan and Gorbachev sat down as the concept of No providiai trust but verify Arms inspection teams that the countries could agree that would invade what it would otherwise be their sovereignty and their national security By inspecting facilities. Well, how do you do that with code? We're gonna have Russians coming to everybody who might be having a computer where they have a secret contract with you know The military Seems completely impossible. There is some limited way in which this might have some impact Bob Nackie has written about this. He's at the White House now in the cyber security coordinator's office So he might be somewhat influential the idea that you would not attempt to ban Having cyber weapons, but maybe attempt to put some limits on what targets can be attacked And then if one side or the other Broke those limits you would at least know that they have a what at least amounts to a very hostile intent The US has been skeptical of this as well despite Bob Nackie's Advocacy basically just saying well look that we already have these limits. It's what I just told you about use in Bell You can't attack civilian infrastructure. There's certain of targets You wouldn't be able to attack under the laws of war anyway regardless of what we agreed to Well, what if we addressed it in terms of a criminal justice model? There's certainly a lot of cyber crime out there We know about Alberto Gonzalez the master of shadow crew More than 4,000 registered members of the shadow crew website 170 million credit cards and ATM card numbers stolen and essentially laundered through Eastern Europe He's was sentenced to more than 20 years in prison more than any other hacker up to that point. So certainly criminal tools can work And and the the sort of criminal element is not just motivated by profit. There's also the ideological hackers The anonymous hackers and others out there They may just want to make a point They may want to do it just for the laws just to show they can do it for for fun And you know, there's there's a varying degree of culpability among people that may be involved in this kind of black hat hacking from kind of minor annoyance to Pretty serious potentially dangerous things that may be being done for a point, but which could have big impacts on that So how do we address that? Well today we address it through the computer fraud and abuse act which Sure, many of you have heard of I'll run through very quickly Just a few of the crimes that you may or a friend of yours may or may not have been guilty of at any minute Accessing something without or in excess of authorization. What does that mean good question? To defraud obviously obtain anything of value like for example, I don't know Hollywood movies that I might want to watch at home. So that might be a little scary damage to a computer or data so damage defined basically as Affecting confidentiality integrity availability. It's pretty broad concept And trafficking in devices or passwords. Here's the thing that people I think most worry about with the computer fraud and abuse act Which is the penalties? It's pretty easy to get this bumped up to a felony if there's commercial advantage Financial gain furtherance of a crime or tort if I hack into you Am I committing a crime that's in furtherance of the state law tort of invasion of privacy? That seems like it's gonna cover most such things or the value exceeds $5,000 And if you look at remediation costs, it's pretty easy to get above that level If you don't have any of these things, it's a misdemeanor, but if you do it's a felony and there are penalties of five ten Even twenty years in prison. So it's a controversial law and everybody Knows a lot about you know some of the people that that have been Advocating in in favor of reform of this law and so you know, we've got this very robust process But it's certainly not without its problems The other issue is how do we get the evidence in cyber crime cases? basically You know, we have to guess as to what the Supreme Court is going to say the founding fathers thought was an invasion of privacy in 1790s or so that's essentially the way that we do it in US v. Jones That was the way Justice Scalia did it in trying to imagine when you attach a tracking device to a car with a defective warrant Whether this was a violation of the Fourth Amendment and kind of disregarding 30 years of what most lawyers thought Was the test for a violation of the Fourth Amendment, which is reasonable expectation of privacy and what about the public streets and all that kind of stuff He said no, no, this is a trespass under 18th century Understanding of property and therefore it's a per se violation got five justices on that opinion and Justice Alito with a tremendous amount of annoyance obviously said that's got to be one Very very tiny constable or one very very large coach if you're going to be imagining those kind of analogies So it's a little tricky for law enforcement as well as the public to understand where the boundaries are When this is how we decide what our Fourth Amendment jurisprudence is in cyberspace So maybe we just you know move on to a different topic Maybe we're not going to solve this problem by just throwing the criminal justice system that everybody who's involved in hacking What if we have some regulation that will increase the ability of companies to? Scare their systems. Well This bill failed in the Senate to provide such regulation So President Obama issued an executive order of calling for voluntary standards and they include information sharing I'll get to later This NIST framework, which is supposed to be essentially a voluntary framework Which will be supported by DHS in coordination with regulators to get companies to adopt these basic cyber security Practices and then some privacy principles based on the fifth Here's how the Republicans view regulation and that's what Homeland Security Chairman Michael McCall said about this executive order Despite the fact that it's a voluntary order and doesn't actually give anyone any more regulatory authority Well, maybe the president should get together with all of his cabinet officials in the situation room Just if we're attacked and say, okay, I order the internet to be shut down Can you all please flow this switch in the basement of the White House? How would we analyze that? Well, you know, there's 1934 communications act which gives the president pretty serious powers over communications Equipment apparatus that he can seize and threat or time of war. You might say oh, that's some old law They'll never Resurrect that one again But if you have an old law then you've got under Justice Jackson's framework You may have explicit authorization and you may have the zenith of your emergency powers And I can tell you that when the lawyer in the Justice Department is asked to draft draft the opinion They have never said that the president's powers are at its lowest ebb They have always found a statute to say that's been explicitly authorized by congress and therefore it's their highest ebb So quickly running through are we going to end up like this like china? The great firewall of china Perhaps perhaps so if all these powers are implemented Or maybe just the great rabbit fence of australia Which is what their kind of civil liberties organizations called their proposal to filter internet content um That proposal was not quite as crazy as you as you might have originally imagined just because in many ways to me it shows How australia went in a different direction than the united states when it came to regulating the internet The united states essentially said the internet is like a library. It's like a bookstore. It has the highest degree of Free expression protection australia, which doesn't have a first amendment or constitutional protection from freedom of speech I said no, this is like tv You know, you should be able to regulate in decent content if it's in your home your children might be watching You know, we certainly have pretty pretty aggressive regulation of tv. We just went a different way What about things like child abuse? horrible things that we want to block If we don't have the ability to implement it directly Most countries the uk canada Even the us have voluntary arrangements with isps that allow them to block certain types of illegal content And then in the us We have adopted the einstein network defense system for Government networks and this chart here, which is just so you know that I did actually work in the government So I can give you a chart like this You know, which is obviously clear It basically shows that agencies that we're connecting directly to the isps are now going to be routed through an access point in which Their traffic is filtered not only for sort of commercial signatures, but also For classified signatures developed with the assistance of of the NSA In terms of information sharing to develop those signatures without content of communications going back to the NSA But just essentially saying this is the kind of thing we're seeing when they attack our military networks This network defense is going to be extended Per the executive order already has been to the defense industrial base will be extended to other critical Infrastructure sectors. So this is a form of filtering. What does this all mean for privacy? Do we have any privacy anyway? Well, what did mark buckers suckerberg say about that? You know, uh, what do a lot of people think about their privacy? You know scott mcnealy A lot of people are skeptical Whether they have any privacy on the internet. Anyway, it may make it harder to advocate against Things that might be problematic And, you know, there's a real debate about the uh, the privacy norms that we have. I mean, they're currently based Primarily on the fair information practice principles from that very fuzzy old 1973 health education and welfare report good principles Transparency and collecting information individual participation. I have to have these consent at the consent To my information. I have to specify the purpose if i'm collecting it. Why are you collecting it? We have to minimize collect only that you need what you need We have to use it only in ways that are compatible with those purposes It has to be good data good integrity And it has to be secure So, you know, and there has to be accountability and auditing of all this to make sure it's working This is the basic principles principles that underlie Privacy law in the u that underlie privacy law in the u.s For those records and areas where there's regulation Think about just how incompatible Applying these principles would be sort of literally to big data analysis to cyber security monitoring You know, it's it's It strains in many ways those principles to apply them and So you end up with a lot of You know what lawyers? I think technically called bs. Um, you know I write a notice. Yes, of course, it's compatible. Um, it's totally different, but i'm going to say it's compatible Uh, you know consent. Yeah, of course you consented you uh, you all read that privacy notice that was on the bottom of the screen So, you know, how do you have real privacy? How do you enforce these rules faithfully? Not just through kind of lawyer bs But in reality and do it in a way that's consistent with These threats that we're facing. Well a couple of answers. I don't think technology is a panacea But I want to give you some ideas that technology certainly can help us here And and cryptology in particular. So information sharing is a big issue The patriot act allows the government access to records and intelligence investigations Intelligence investigations have a lot of sensitivities involved Sources and methods you don't want to necessarily reveal the terms of your search Here are all the people that i'm looking for Um, here's all the information I want to know about you may not trust the record holder So here's your solution. Uh, just ask for the entire database and trust me that I'll treat your information. Okay Some turns out that some record holders don't trust the government. Um, or are worried that their customers won't I don't actually trust the government. Um, there is an answer to this problem besides just okay tough luck There are hard choices. You either have to reveal your searches or not And that is private information retrieval a crypto technique that allows You know Depending on whether you want to use this or not it would allow Essentially a secret search which sounds a little orwellian, but if the if the Alternative is to get the entire database. This actually may be quite a privacy preserving technique It's only going to return a few A few pieces of data that you're looking for without revealing the search to the record holder Another area is online authentication. I worked quite a quite many hours In boring boring meetings on the national strategy for trusted identity in cyberspace This is something where We want to enable people to To to be online. We had certain needs. We wanted identity solutions online that are privacy enhancing and voluntary And here's what we wanted specifically We wanted uh anonymous Anonymous with validated attributes pseudonyms Uniquely identified we wanted a range of ways in which people could authenticate a two relying parties And we wanted these to be privacy preserving So what's the answer to that? Anonymous credentials Based on crypto tools developed Actually several many years ago By yonkommunish and annales yonskia and others who looked into how do you do this? But hasn't been widely deployed so in conclusion There's a whole lot of cyber security threats that are out there. They're getting much much worse They're reaching to the level where at least the national security establishment believes that it's a national security threat But we should all be careful of the hype and I think that actually people like general alexander would be uh Would be the first to tell you that The internet in cyberspace is certainly something that has just promise and potential Let's not think of it just as a place that's scary and is going to be the next national security problem But remember what it is that we're trying to protect There's a whole series of legal frameworks. I took you through pretty quickly law of war criminal law Regulatory powers emergency powers. We have to use these very carefully The government has a lot of power in this area. It doesn't lack authority It needs to use them carefully and wisely and to make sure that it does so But with due attention to the limits on each of those individual powers We don't want to destroy internet freedom while addressing cyber security Privacy is a fundamental value and I think the notion that it's dead or that it's just you know Going to evolve away is nonsense. I think it's utter nonsense It's a fundamental right and it's a fundamental right for a reason people need it for their social interactions But we don't have easy answers Just applying the tips to everything that happens in terms of this big data world is Going to require a lot of creativity and then crypto has a a lot of promising tools to offer us It's certainly not a panacea, but it has a lot of things that it can offer us to To to solve some of these problems. So That's my very brief overview of this issue and thank you very much questions, I guess Any questions Ah in the back. Well, there's already been a cyber use of force with Stuxnet and apparently obama was very deeply involved And still is in operation olympic games. Uh, is that another reason why the united states doesn't want to join any cyber war through you well, um, I don't believe the u.s. Government has confirmed its involvement in any of those but Yes, in in the sense that the u.s. Has offensive capabilities and would want to make sure That it doesn't give up an advantage. That's certainly the case In terms of whether Stuxnet is a use of force. That's a very interesting question the nato Led group that I mentioned professor michael schmidt They were unanimous in agreeing that it was a use of force. They also I believe agreed that it was not an arms of armed attack um, and so That kind of leaves a gap the u.s. By the way has the position that uses a force an armed attack mean the same thing That's kind of a minority view in international law. I kind of scratched my head a little bit It was physical. It was, you know, certainly, uh in violation of the country's sovereignty assuming that It was done by another country. Um, is it a use of force? You know, I think that some of these issues around both terrorism and cyber You know, these are kind of micro uses of force. Uh, they they You know, if we say it's a use of force, then what is the consequence? It means that you can defend yourself against it It means that you can use force in response at least if it rises the level of an armed attack So I don't think we're there in terms of even understanding where that trigger is Um, but I do think that look any try limitation of offensive cyber operations Um, it faces dramatic problems even if we thought it was a good idea in terms of verification Um, and and in terms of you know, how would you exactly enforce that? Yeah some of the definitional challenges between Say espionage and cyber warfare and uh, and ultimately how much it matters because it seems that that in many cases things that That if they were done in the sort of physical realm of espionage When they're sort of transmuted into the cyberspace beginning to Get very close to the loan that we might think of yeah, it's a difficult problem. So You know use of force is prohibited under international law except in self-defense or When authorized espionage is one of those things which is a really interesting area because it's what we call a lacuna Every every country in the world practices espionage more or less every country in the world makes it a crime domestically to commit espionage And there is no real international law around it In terms of prohibiting it or permitting it so You know, basically I think that the problem is I mean you can conceptualize the difference very easily You know my extracting information and my engagement intelligence operations or am I launching an attack? Am I trying to cause an effect that might be an attack? That's easy. What's difficult is understanding when you're on the receiving end, which it is Because the same techniques that are used to extract information To defeat security and maybe plant yourself in somebody's system possibly for years Could be preparation for an attack in the u.s. We have a bureaucratic distinction. That's why general alexander Has two hats literally he has he is the cyber commander and he is the director of the nsa and His lawyers will care a great deal. Which hat he's wearing if he's director of the nsa. That's intelligence gathering if he's cyber command that's Defense and potentially if directed offense and so It's not an easy question and it raises difficult issues, especially around the preemption sort of idea You're allowed to defend yourself International armed conflicts. You're allowed to defend yourself before you're attacked When it's necessary absolutely necessary to do so. I don't want to state the test incorrectly I'm sure there are international lawyers here who who who will get me on that but The question about preemption is really about you know the traditional obvious one is All these troops are massing at the border I can get a tactical advantage by striking first. Do I have to wait until I'm attacked? No, you don't you're still in self defense What if it's a cyber attack? You know that can be launched very very quickly It's very difficult to receive the difference between preparation for an attack and an actual Because it might be espionage. Those are difficult questions that we don't have any easy answers to In the back very substantial geographic bias US criminal law or tort law versus international law and what can be done in that front? I'd like to know if you could develop a little bit Whether you think the geographic element is particularly meaningful, especially on on the first presentation of a concern where you cannot identify necessarily the source and how and how you would How your standard of action may change the the more you learn about the target Well, it makes a great deal of difference the more you learn about the target and My presentation was looking primarily from the perspective of You know someone who might be sitting in the white house or in the u.s. Government thinking about how to address this problem But I think it's similar issues, you know in many of the european countries and many other countries I guess the point is that it may be very easy to kind of disguise where you are And it may be very easy to spoof your ip address and so forth But it makes it very difficult to formulate an effective and legal response You know we we have different rules for how we can use You know our surveillance tools Whether it's directed inside the united states at a u.s person or whether it's directed outside the united states at a non us person These are the things that lawyers will tell the operators. They'll say I need to respond in x y z way And a lawyer will say okay, we'll tell me more about this operation. You know, is this overseas? Is this here? you know, what do we know and You know, I don't think that there's a magical answer to this It's just a question of kind of risk assessment of of where are we? And you know, we have a certain amount of experience over the past several years in in dealing with this problem, but You know, I don't think that sovereigns are going away. I think we continue to have sovereign countries and it just sort of multiplies the The whole sort of yahoo problem of which law applies becomes kind of exponentially more difficult When you're dealing with cyber conflict You're dealing with the potential attacker the potential defender You don't know whether the attacker necessarily who they are and then it's going to be transiting multiple potentially third countries that might be neutral Um, and there's been a lot written about this, but I don't know that anyone's actually answered the question or maybe could answer it Yeah initially the us is allowed to the u.s Government is allowed to exercise certain power over people who are not citizens that it's not allowed to exercise over citizens. So for instance, it might be it might be allowed to spy on A russian who's in the u.s Who is not a u.s citizen in a way that it would not be allowed to spy on that person's extra neighbor who is a u.s. Citizen How do you apply those to stations here? Right, so it yeah, it is and it's a certain agencies are allowed those are only certain agencies are allowed to do these things And not others right on that well that that is a good that's the best sort of a good insight right there is that you start with You know from the outside it's all the government right but from the inside it's each individual agency applying its legal authority. So in general You know the fbi is going to be primary when it's inside the u.s Not just in criminal cases, but also in intelligence cases Um, even with you know non-us citizens And the primary reason for that is the fourth amendment according to the government applies to everyone inside the u.s um FISA applies slightly differently based on whether you are a u.s citizen or not inside the u.s But the fourth amendment applies everywhere inside the u.s outside the u.s different rules apply Uh, you know fISA gives pretty much the same protections to u.s citizens outside the u.s As it does inside but non-us citizens outside the u.s Now you've got a lot looser rules. So how do you deal with that? Well, you have to have if you look at the way that they amended uh fISA To address that in the fISA amendments act the basic principle there was we have a targeting procedures Uh that that the fISA court has to look at and say these procedures are reasonably designed to ensure that our targets Uh are outside the u.s. And therefore we can use these different rules. Um, and you know, it's it's like any technical Analysis of of how does it how do you figure that out? And and what level of certainty is required? And um, that's that's That's really what those uh targeting procedures are all about at least for fISA for other, you know types of um Of intelligence gathering tools, uh You know, you're going to be consulting with your offices of general counsel and figuring out, um, What rules apply and you do the best you can? Yeah As a cryptographer Very intrigued to hear you mention things like uh private information retrieval as a as a potential solution some of these issues and it's wondering if you comment a bit on what you see as the most significant challenges for Bringing crypto technology like private information retrieval to bear. Is it the practicality of the technology? Is it that intelligence and law enforcement wouldn't want their hands tied in the way that These tools would tie them. Is it difficulty of providing the right kind of judicial oversight? Or a sense that there's The current system is working just fine Yes, um Yes, it's all of those things and it even I think it even starts earlier in the sense that You know, there's a mismatch in the language that lawyers and computer scientists tend to use Um, and that not just lawyers, but other policymakers in the public use So the first step is you have to know that it exists In order to know to ask for it Um, and if you don't know that it exists or you don't understand how it works Then you're not going to ask for it that problem. I gave you with the sort of the patriot act slide You know, you may be sitting there facing that problem in many varied forms doesn't have to be a patriot act And the first, you know, you're just going to assume. Well, there's only two choices here I can either reveal my search And trust that the guy is going to keep it secret Or I can ask him for the whole database Or I cannot do it at all, but I don't have any other choices and it turns out you have another choice You have to know that that exists and So you start with education that's to assume you do know that it exists. Well, it has to be practical You know, I have to be able to actually deploy it. Um, You know, if I call up the people that are doing these kinds of things and they say, well Normally what we do is we get a cd with all the data and we bring it into our computer and we analyze it Well, I'd like you to use some kind of new fangled, you know, private information retrieval. Um, Where's that? How do I buy that? You know, how do I deploy that? How do I get it through my government acquisitions process? So then after that, then it's like, why am I doing this? Um, you know, do I have to do this under the law? Does the law require me to do this? No, we you're doing it because it's good for privacy And you know, we want to be able to go out there and say it's good And then I'm sitting there scratching my head thinking, well, what if I screw it up and don't do it right and You know, is the congress going to come and say, why did you do this? Why did you complicate your life? You could have gotten the whole database to get all this power we gave you Um, so there's a whole series of barriers to the deployment of these technologies But I guess I'm an eternal optimist and I think the logic is so compelling That we will use some of these technologies and hopefully more and more of them as things go forward and and help us Not necessarily solve for all time the dilemma I laid out, but at least address some of the problems Yeah Zero day exploits by driven by government, the US government, more governments and private companies Yes, I certainly can. One of my students at Georgetown actually wrote a paper on this topic and I found it very interesting Basically the point is that zero day exploits could be useful To those who want to engage in both attack and exploitation And so there are companies the economist has written about this That come up with zero day exploits and sell them to Clients including the US government Really to me it it kind of raises this question of what is a cyber weapon You know, we hear about an armed attack Okay, so what arms are you talking about? You're talking about computer code Computer code is arms. Well, that's not new. We had that whole debate back in the 1990s about encryption You know, there's there's broad licensing authority to kind of declare Okay, this is now this is now ammunition and therefore it's going to be regulated You could potentially use that authority whether it's desirable or not. I I don't know But you could use that authority to regulate this trade in exploits you could say You know, you can't sell exploits to a foreign government. It's ammunition You you can't sell exploits to anybody Proved list or if you do sell the exploits, you have to tell us first what they are So that we can use them or we can know about them or we can fix them There's all sorts of ways you could use regulatory power existing regulatory power to address this market There's also the great policy question of do you want to stimulate this market? Do you want to instead not buy exploits? And then how would you find out about vulnerabilities just hire a bunch of hackers and have them create them in house? Um, would you would you instead say we want to discourage this and stigmatize it? Um, it raises all sorts of questions One question I'd like to know is how come the computer fraud and abuse act isn't a violation of your individual right to bear arms under the second amendment? Um, you know, if if if malicious code is a weapon It seems to me. I should be able to defend myself with such a weapon. Um, what would the founding fathers think? Was a legitimate cyber weapon versus something like a nuclear bomb that we might be able to ban But we know from heller that in fact there is an individual right to bear arms. So Uh, this humorous argument I've just made is perhaps not as frivolous as it would first sound Yes Signed to private systems and then reference the defense industrial base Can you talk a little bit more about how those two things are separate? Um I think there are key differences between them there. Yeah, yeah, I mean they're all I think It has a lot to do with the role of the government in each and whether Um, you know, it's primarily I mean, I think what the policy proposal is is to Not to have direct monitoring but to have very detailed information sharing That allows companies to monitor themselves more effectively And to have strict rules and guidelines to protect privacy in place Uh, which the dhs privacy office is working very closely with nsa on to implement So, you know, I think there are significant differences in this. Um But there's a fuzzy line between information sharing and doing something directly at some point Um, if the information being shared is detailed enough It starts to look like what we would call tasking In the in the intelligence community. There's a an old phrase ask don't task Um, if you want to avoid somebody becoming your agent Uh and subject to all of the rules of of of what you have to do if you have that Well, you can ask him but don't task him Um, are you are you sharing information? In a way that essentially says hey, we want you to gather this information for us And then you give it to us when we've done those are kind of some of the questions We have to deal with they're not necessarily new questions. The other big issue is will it scale? Will it work? Uh, you know as traffic becomes increasingly Encrypted, you know signature detection Uh becomes a less useful way of defending your network Uh, another questions more questions Yeah, do you want to say anything about where, um, let's say where, uh Fits cross into atoms. I'm thinking about, um, I think the u.s. government recently required Some some servers that were hosting Data files that could be headed 3d printers to produce, uh, you know, rather poor quality guns Oh that one Yeah, well that to me that's a fascinating example. It's it's just You know Well, it was it was determined after Hundreds of thousands of people downloaded so so just to back up for those of you may not follow the story Uh with 3d printing, uh someone demonstrated that you could print a gun A crude gun that would actually work, uh, which is Right, so it's it's a plastic gun that you can create with a 3d printer and then fire once Um, and he put up the plans for how to do this So if you own a 3d printer, you can just download them and start printing Um, you know, and he called it what a distributed defense Something like that. He's kind of a libertarian people should be able to make their own guns at home with their own printers Just like you can print off powerpoint slides um So the treasury department was I think stretching its head and thinking how comes this isn't an export of an arm And they came in a week or so after everyone in the universe knew about it and said, you know, you've got to get a license And I guess it's been taken down, but you know, this is the problem of the internet, right? Yeah, I don't think it's going to be that hard if you spend more than about three minutes looking for it to find it Um, this is really a lot of the same problem that we had with the issue about regulating encryption as a munition um Whether you think it's a good idea or not. It just becomes impossible and um You know regulating code as an encryption may have a a legal basis But does it have any practical impact whatsoever? And it's going to depend entirely on how the market works if somebody wants to just do something I don't see how you control that if somebody has a profit motive for doing something Well, maybe you can use intermediaries or use legal rules in a way that Guides them to want to do something that you want them to do I guess that's my Not particularly helpful answer Yeah The the partner framework of the thing you're talking about that sort of government effort to protect class from cyber weapons Do they get pushback or cooperation from private industry or does it depend on the industry? It depends very much on the industry. Um Backing up in terms of private industry You know, there's a real schizophrenia among a lot of industry folks. Um, the chamber of commerce was the most sort of Adamant objector to cyber security legislation Kind of goes along with Uh, my first slide with with these, you know, these two caveats that president obama had Chamber of commerce was saying no cyber security legislation The aclu for very desperate reasons was also saying we have problems with the cyber security legislation So, uh, but at the same time many individual companies were saying no, no, we want this We think this is very important. We're very worried about a cyber attack And in fact, we're uh willing certainly to regulate ourselves. Uh, we might like the government to have some role here um So You know, I think it's just like with any area of regulation You kind of start with a certain amount of voluntary self regulation on the part of the industry And then if you get a tipping point where enough big players in the industry buy into that and say, yes We want to be regulated. Um Now they may actually want that to be mandatory because they may want other players to be disciplined within their industry That's kind of basic economic or regulatory theory. It also makes a certain amount of practical sense. Um, so You know going from that broader point to the narrow point you asked me about cyber weapons It's going to depend on your business model, so to speak if your business model is I want to Sell cyber exploits to the u.s. Government and that's my big customer You're already highly regulated through the federal acquisition regulation. You want to care about things like your security clearance So all sorts of things you care about And and you may welcome some kind of regulatory framework that makes sense for you as long as your business works if you have a much broader model or maybe a More aggressive model where you want to sell to others as well It's going to depend. Uh, you you uh, uh You're going to want whatever regulation allows you to continue to make money Yeah Uh war law traditional war law as one possible Uh solution or concept that we can appeal to Um to address some of those cyber threats. Yes problems And I'd like to get your sense of how worried are you about that those kind of applications in a world in which You the major threats do not come from states right anymore You've got individuals and applying categories that had been fought for interstate war to individuals doing Things all over the world may not apply So it strikes me the palette that you can make with terrorism for instance when you declare war On terrorism. Well terrorism is not a state So you get to define it as you want basically what you make you you make war to whom you want and uh It's also unclear when you win. So you basically can pursue that thing as long as you want to basically you basically give the government the right to do whatever it wants without any Public supervision of it right by applying the wrong concept An old concept to a new problem. How do you tend to think about that? Okay, so right So the title of my talk with cyber war is not the answer precisely for that for that reason You just gave it very well. I think um Basically, I think couple things one is There is the potential of traditional state-to-state conflict china russia the us north korea others have You know adopted certain types of capabilities that they may have and certainly in the context of a kind of shooting war These kind of capabilities will certainly be in the mix and may even become dominant in certain cases So there's certainly a role for site law of war in that situation in the situation where you're dealing with non-state actors Which is very analogous to the Conflict with al-qaeda I'd say, you know look a little bit at how we've evolved from this never-ending Completely amorphous war on terrorism in the early A few years after 9 11 under the first bush administration up to you know, what are still very serious issues But if you look at herald co's speech Uh, just his very recent speech I think he laid out some very important ways in which The obama administration has limited the use of that power. So for example We are not in a war on terrorism We are in a war with al-qaeda And it's associated forces which are defined by the law of war as co-cobaligerence Um, the war will not be forever It'll be until as jay johnson is the general secretary general counsel of the defense department said recently Look at some point. We're going to have destroyed so much of al-qaeda's senior leadership That we are going to have to just accept that there is no longer an armed conflict with any existing Organization and we don't have the authority to detain people in guantanamo anymore Because the hostilities will be over. I'm not saying that those questions have all been answered What i'm saying is that we have more than 10 years now Of practice of legal decisions of opinions from the supreme court of you know habeas corpus petitions from guantanamo prisoners being litigated in multiple courts of You know, we've developed A body of law Both in terms of use of force and law of armed conflict That for better or worse, whether you agree with it or disagree with it is being applied By the united states and by many other allied states as well To a conflict with a non-state actor in the form of al-qaeda We are not at war with anybody else. We are not at war with anonymous We are not a war with any shadowy network of hackers Could we be well my suggestion is that you'd have to go back and look through The law of armed conflict to make those questions, you know Is this an organization that is capable of producing the effects that would amount to an armed conflict To an armed attack that that's going to be a very small number of groups You know notice carefully what president obama said. He said seeking Our enemies are seeking these capabilities So yes, definitely there are certain non-state groups that have expressed interest have sought to You know obtain these tools, but you know It was also true that that al-qaeda, you know that sedam hussein had sought significant quantities of uranium Allegedly in another state of the union. So, you know, we need to be careful Is a group actually capable of producing A cyber impact that's not just A threat to our economic security or something like that but is actually amounting to an armed force And so I guess that's my way of saying that I don't agree that the law of armed conflict is completely the wrong frame I don't agree that it's completely irrelevant. I'm saying that it's small It has a small smaller degree of relevance than we might say It is it is you know traditional state conflicts and then possibly a hypothetical situation in which you had something like A 9 11 style effect that some state non-state group was able to produce those are The most much more important is going to be law enforcement regulation You know other Other techniques to address the problem because we're not going to be at war with with every hacker And and I was going to say one more thing and then your question to maybe close it out Michael Daniel the cyber security coordinator basically agrees with me the current one. I I served under the previous one He made a very good speech at rsa. It's on the white house website And I commend it to you in which he said, you know, whenever we talk about this problem You know, I feel like i'm in the scripts for some bad hollywood movie You know the first the first thing is, you know, we're all going to get blown up because of some massive huge cyber attack He said that's really not where we are It's not really The wartime frame as you kind of pointed out Except for these exceptions that I've said it's not really the right frame. Yes Implications of the new utah data center in bluffdale. It's due to open in september I think they're exactly the same as the civil impurities implications generally of the nsa's activities, which is to say Uh, you know for many decades since sort of the founding of the nsa. It's been well understood Uh, not just among citizens, but within the fort That there's a lot of civil liberties implications to having large scale enormous Processing of data and and signals intelligence and um this data center In utah that you're describing You know just like a lot of other agencies that in many cases came out of the cold war Had you know, it had creaky infrastructure. It needed to expand its capabilities. Um, and so utah Was selected for whatever political and economic reasons But generally, I guess my answer is We should be concerned about those civil liberties implications For the same reason that we should always be concerned about the civil liberties implications of you know, the us government having The largest intelligence agency in the world in the form of the nsa. It's not the cia. It's not mi5 It's not any it's not the masad. It's the nsa. It's the largest intelligence agency in the world And yes, it has big civil liberties implications I think that's it. Thank you