 The U.S. Naval War College is a Navy's home of thought. Established in 1884, NWC has become the center of naval seapower, both strategically and intellectually. The following issues in national security lecture is specifically designed to offer scholarly lectures to all participants. We hope you enjoy this upcoming discussion and future lectures. Good afternoon and welcome to our third issues in national security lecture for this academic year. I'm John Jackson and I will serve as host for today's event. I'd like to note that we're gathered here together in person and we also have a large audience dialed in via Zoom and I extend a very warm welcome to members of the LDO Warn Officer Academy and other students enrolled throughout the Officer Training Command Newport who've joined us. Over the 2023-24 academic year we will be offering 10 lectures from some of the best scholars in the world from our resident faculty. This is intended to share a portion of the Naval War College's academic experience with the spouses and significant others of our student body. We also welcome participation by the entire Naval War College extended family including members of the Naval War College Foundation, international sponsors, civilian employees, colleagues throughout Naval Station, Newport and others around the globe. While the primary purpose is to share information and learn together, we do offer documentation in the form of certificates of completion to all participants who attend at least 70 percent of the offered lectures. You can participate here in the audience via Zoom or even by watching the lectures when they are posted on YouTube. We ask you to keep track of how many you attend and how you participate and we'll ask you to self-certify your completion towards the end of the series. Our next lecture will be on 12 December 2023 when Professor Peter Dutton will discuss issues facing Taiwan. We will then take a winter break and will return in the new year on 23 January 2024 with Professor Jim Holmes' clever and thoughtful presentation that he calls China and Zombies. Okay, on with the main event. At the conclusion of the presentation that follows we'll welcome questions from our in-person audience. Please use the microphones located at each seat so all of us including our virtual participants can hear the question. Please stand, push the button and hold the button while you're speaking. Our virtual participants should feel free to ask questions using the chat feature of Zoom and we'll get to many of them as possible. So let's move on to the educational portion of today's lecture. Perhaps we should begin with the definition. Cyberspace is a global domain within the information environment consisting of the interdependent network of information systems infrastructures including the internet, telecommunications networks, computer systems and embedded processors and controllers. Our presenter believes that cyberspace has evolved so poorly that a large number of bad actors and autocratic states have been able to exploit its shortcomings at will. China in particular has been able to accelerate its economic rise by using cyber-related threat, theft, blackmail and bullying of companies and states alike. Fragmented democracies cannot individually survive against the Chinese government's strategically targeted bad behaviors. Today's presentation will suggest an overarching solution for collective defense in cyberspace. Dr. Chris Dimchak is the Ravel Grace Imhopper Professor of Cybersecurity and a founding member of the Cyber and Innovation Policy Institute here at the Naval War College. In her research on cyberspace as a globally shared insecure complex substrate she takes a systemic approach to emerging structures, comparative institutional evolution, adversaries use of systemic cyber tools, virtual worlds and gaming for operationalized organizational learning and designing systemic resilience against imposed surprise. Round of applause for me for getting through all that. Please welcome one of the nation's foremost experts on cyber, Dr. Chris Dimchak. Thank you. All right, so I talk fast and my apologies in advance. The only good news about that is apparently they're recording it, they'll put it up and if you miss something entirely and you go you can go and look at it on the recording but with any luck I can clear it up today. All right, here's what we're going to do. We're going to talk about cyberspace and we're going to talk about national security and my talk comes from a premise that you've had a lot of cyber training, you've been told that this is important, that this stuff is this and it's that and the other thing, you've told little bits and pieces all the way everywhere and it's kind of like having a box of ornaments and you shake them around and they're shiny and they're great but they don't hang on anything. So what I'm going to try and do today is I'm going to try and give you the structure to hang those ornaments on and I'm going to give you some, shall we say, some adages to live by. So let's start with the premise of this. Whatever is neglected by the democracies will be exploited by our adversaries on land or at sea, right? All right, so let's start with cyberspace. When I was a baby professor we were building it and I can tell you what we thought we were building. We were building universal knowledge, universal understanding, we were going to build universal prosperity, no borders, governments were going to float away, we were going to be able to communicate and know everything. That's what we got. We got war and thievery, right? And we lost some important pieces of information. Are we going to compete with each other? By the way, any opportunity I get I blame China. So I'm sure this is the Chinese. Do you have to be down there? Oh, it's a lag, got it, clear. Okay, first off the easiest way to kill a democracy is to kill its economy, right? And maritime trade is absolutely existential to our economies. What's the second adage? China and its fellow travelers are absolutely determined to dominate sea, space, technology, and global power. These are not people that we're just going to flow in. When at the time when we built cyberspace we thought they were just going to make money and flow right into our international system as we set it up. Unfortunately, democracies are a fragmented community of states. And when we thought we ran the world, we didn't remember that we were less than 40 states in the world and less than 10% of the world's population. And you can't run the world infinitely under that on those those circumstances. And the only way we're going to survive is if we act together. So here's a couple of other points to be made. I'm going to describe this substrate to you. This basically shoddy thing we made. I'm going to describe how it not only gave offense advantages to people all over the world, but also how we gave access everywhere and we created, we accelerated the very great systems conflict that we're living in today, right? I'm going to argue that collective cyber defense is an existential requirement for this future. And I'm also going to talk about the implications for the sea as well as for the shore. So let's start with cyberspace. We built it on naivete and greed. And we built it for ourselves and we spread it everywhere. And what we did is we built it with languages that were easy to code quick. You can make a lot of money off of them. You have some mistakes and some errors and that made them easy to hack. And we threw those out into the world without thought about what the consequences would be. We made no effort to regulate it, to monitor it, to impose any rules or regulations on the people that gave us that very crappy software. Excuse me, crappy is a technical term in here, all right? And what with the consequences, we built five offense advantages right into that substrate, this thing that is now underpinning all of our societies, right? And each of our societies being, having basically evolved into what is better seen now as socio-technical economic systems. So when you think of a nation, we think of people or we think of land or we think of this or that. But when I think of this, I think of them as socio-technical economic systems, right? And we turned around and we built this substrate and we now said to the rest of the world, any of you all with hardly any money can make an army like only superpowers or emperors could. You can get 100,000 to 200,000 infected computers for $500 and rent them for two hours. And you can take those infected computers and you reach two to five thousand kilometers away and collect what used to be high quality, high quality intelligence on people and you can reach out and touch them. And furthermore, thirdly, you can pick any tool you like and you can buy them on the underground cyber market and you can throw at it half of the war college, most of Ghana, all of Detroit and you can go out for lunch and come back and say it's not working as well. I'm going to buy two or three more and try those as well. This is what we gave. And fourth and fifth, you can hide what she sent out. If I throw a missile at you, you know it's a missile. But here in cyberspace, I can throw some of these at you and hide them and I can hide who I am so you can't come get me. This is what we created. And then what happened? We doubled the sources of systemic surprise for each of our societies. We were already complexifying and we were already having single enterprises with what we call normal accidents, surprising accidents from complexity. And then we linked those normal surprising enterprises up and we get joint enterprises. But that was already happening anyway. But with cyberspace, what we did is we threw out this connectivity and we invited in this entire world of bad actors to reach in anywhere that they could. And it was a lot of wares. And in that group of bad actors, the last 15, 20 percent, they're really scary smart ones. The ones that are going to get in and they have a different business model than the bad actors who are like want money or they want creds or they just want to show that they can do that. These guys' business model, they're paid to do it. They're what we called advanced persistent threats, right? And their business models, they largely work for organizations or adversary states. And so we opened the carpet for them. 30 years later, what do we have now? We are largely poorly defended societies with enormous losses in wealth. The estimate is one to two percent of our GDP is lost to cyber insecurity. That is unsustainable over time. Recent estimates is closer to six percent. These numbers are hard to get in the United States, but much easier in Europe. You can explain that if you want to know. At one to two percent, we have fragmented, scrambling government responses all across these countries. And they're largely in their countries themselves, right? But who is missing? Largely, the private sector is still missing out of this. The private sector doesn't feel responsible for it because there weren't no rules. There weren't no regulations. It was y'all come down, make as much money as you can, right? And we are, guess what, doing the same with cyber's offspring. I call it cyber's offspring, AI, quantum. Because they rest upon this underlying substrate. If you can do AI without using a computer, then I don't need to talk to you. But that's not going to happen, right? And they are being built on it. In a survey that Microsoft did a couple of years ago, 25 out of 28 machine learning firms had no idea how to defend the models that they were selling. None. And then you go into the classes in the university, people taking computer science degrees. Until a few years ago, they had exactly zero cybersecurity courses. Now, they get one in four years. And the consequence for us in the long term is we created this new kind of conflict, cyber conflict. Now we have called it, my colleague and I, Pete Dombrazky, have called it cyber conflict because it's an adjective and ultimately we should be able to get rid of it and just say conflict. But we're still learning about the consequences of that. And here's a picture of that, right? So here's our offense advantages. Here's our sources of systemic surprise. What does it lead to? Weak systemic resilience, poor forward defense. Weak cyber power on the whole. Well, that requires governments to have a response. Here's a government trying to work through the layers of cyberspace, connectivity, content, cognition, but we're democracies, so we don't want to work up in cognition. We're going to work down here in connectivity. We're trying to clean the bad stuff off connectivity, still building off of this poor substrate. Nothing changes in the five offense advantages and it becomes a vicious cycle that just keeps going through. What happens is that we don't advance in making ourselves robust cyber powers because we haven't figured out how to build our socio-technical systems with systemically, cooperatively across all the layers where we actually learn to defend collectively. Okay, what else did it do for us? Well, it accelerated the movement of the global center of economic power to China. No, it did not make it. China's scale and strategic coherence was leading China to this place anyway, but it did accelerate it. It gave them opportunities with their predation to move technical expertise into China. It undermined the rules of the liberal international system. The system we set up over the Cold War and we told ourselves for the last 20, well, not for the last 10, but at least the last 30 years, we told ourselves it was permanent. The China was just going to grow into joining us. That Russia would eventually grow into joining us. Everybody would grow into joining us and instead it undermined it and it increased the intensity of the hostility between these systems as the Chinese came out of their own particular hidey hole. It creased it such that what we now have is great systems conflict. I know you've heard the term great power conflict. It's a very good term. It woke everybody up. It's nice, but analytically it doesn't help. Not only do the private sector, when they hear the term great power conflict, they hear the term, they go, oh, nothing to do with me. I do business. Right? That's why we use great systems conflict because the private sector is part and parcel of this socio-technical economic system that we live in. A couple of realities. By sheer size and strategic coherence, no matter what happens, China will be a central node, central node in future global business. It just will. Right? What else? The problem is, is their business practices and their wealth will also dominate what happens in the world if we do nothing at all. And China has a head start that we weren't really ready for. We anticipated that China would meet us in our GDP, I don't know, 2030, 2035, I don't know. The Chinese themselves expected to do it in 2049. But there's pretty hard evidence that by using the PPP GDP measure that they already matched the U.S. economy in 2014 and they were 20% bigger by 2019. This is before COVID. Now, it is true. There are people talking about plateauing, but there's no way a country of 1.4 billion people are suddenly going to go like this. So this is a reality for us. Right? And the other reality of great systems conflict is the Chinese themselves. The Chinese are intent upon dominating. They graduate more computer scientists alone every year than we do in all of STEM. And by we, I mean the United States. Right? They already have a large stream of highly skilled computer scientists, IT specialists, and others coming back to China. And to add to it, Xi Jinping explicitly rejects our civil society values. Explicitly is telling his people that they are rising to their rightful place. And by the way, their rightful place is determined and defined by their demographic weight. China is five times the United States demographically and four times the EU demographically. By any measure they have, we're not their peer. We're an obstacle. By the way, who is? India. India is compromised four ways against the middle. If you want to talk, but we can talk more about India and the Q and A. And they know it. They're trying. But the Chinese also, this is their aim, right? They expect to be the cyber AI power. And even more, they expect this is inevitable. It is the trend of the times. Do you know what people do when they feel you've taken away something from them to which they are entitled? They fight a lot harder. And they stay angry with their grievance. So we're up against it. And what are we? We're very fragmented. We're always going to be a minority of states who are less than 10% of the population. Our political structures are profoundly different from the rest of the world. We have to think in terms of how do we defend and survive, but we individually lack the demographic scale to face China. Now, what doesn't help is a poor understanding of the structure of that substrate. It doesn't help when our policy makers don't understand, and it doesn't help when the rest of us don't. It is a socio-technical economic system. It is always peer or pay. There's no magic here. You either have a contract to move your traffic or I've just decided to take your traffic. It's not magical at all. So here's a nice picture. It's a little bit dated. It's a basic picture. Here are you down here, your internet users. And all your traffic goes up through these internet exchanges. And everybody pays up until the back, which is called the tier one network, so the backbone. And everybody keeps pumping the traffic up to a place where they don't have to pay. It's cheaper if it goes across the backbone, right up there. And if you understand that, but your adversary or your enemy or your target doesn't, you can exploit it. And most of our policy makers have difficulty understanding this basic and have done, have had difficulty for some time. And of course China has taken this opportunity to exploit it. And let me give you an example. China Telecom. So at each of those internet exchanges, China Telecom put what's called a point of presence. What that means is a set of servers that accepts traffic and moves it on. Now if they're working like anybody else, they accept traffic, they get paid for it, and they move it on up until they get to that big backbone network where it's free because they're peers. They don't charge each other. And then you save money and it comes out the other end. China Telecom positioned each of these pops, point of presence, in key strategic places in the United States and in Canada. And then it began. So here is an example of some research I did with my good colleague, Professor Yuval Shavit of the University of Tel Aviv. We published this in 2018. And what we found at the time is that the Canadian government was sending traffic over to the Korean government. I'm not talking about a single piece of traffic. I'm not talking about a misconfiguration. I'm talking about a whole stream and a period of time. I think traffic over to South Korea and on top, that's the way it should have gone. But instead, in Ottawa, it hit a China Telecom pop. And instead of going up to the big backbone, it went to a China Telecom pop and went all the way over to China, bounced around in China where people could take some copies. This goes on for weeks and then goes to Korea. And why didn't people notice? Because for any each particular piece of traffic, it was a tiny delay and they weren't looking for it. Because they weren't looking for it, they missed it. Here's another one. This one I believe was a bank in Japan. This is the way it should have gone quickly down to Singapore over to UAE. It's a China Telecom pop in Tokyo. It goes over to one, a China Telecom pop. And remember, it never gets now out of their system. It goes to China and then shows up in UAE. Again, not a misconfiguration. We published that in 2018, 2019. We published again in 2021. And here it's going on again. Even though China Telecom may be pushed down the United States, it's not gone anywhere else. And it has a close relationship with Russia Telecom, Trans Telecom, right? So in this particular story, because of the way the networks are set up, if you're sending traffic out of Israel and you want to go to South Africa, it pops up to Frankfurt and it goes down. Why? Because that's the way the relationships work. So it's one of the cheaper ways to do it. What happened was they hit, this time a Russian Trans Telecom pops up to Germany and it gets through Moscow and then it's sent down. And it didn't happen once, didn't happen twice. Again, not a misconfiguration. And if you look around the world at the time, and this is a couple of years old, China Telecom and other 2,500 of these pops are always strategically located near capital cities where they can selectively collect the data. Now, if you have this pile of data accumulating in China, what are you going to do with it? What are you going to do with it? You're going to try and, yes, you're going to try and actually do something like with AI. You can search it. I used to teach data mining. You can just data mine it for heaven's sakes if that's what you want to do. Who's talking to whom? How often are they doing it? And you're chasing it down. This is called intelligence. The other part of the problem now we face is that picture I told you was nice and clean. Yuval and I predict that in about five years we won't be able to do that research anymore because they're being covered by clouds. And these clouds, we call them clouds, they're big server farms, right? And then you have things like software as a service, right? Infrastructure is a service. You buy the services. You pump your data up. It's used by the software and their hardware and it comes back down in whatever direction you want. The problem is that this is getting back down to the last mile and we had these people who run these have absolutely no legal obligation to tell us how they program it, who they hire, where they send it around inside those services. And we're already discovering that about 70% or 80% of firms that use these software services focus on their own end point or network protections and they spend less time thinking about what happens when it gets hijacked up in the cloud. So this becomes another difficulty for us. And of course, here's our vicious cycle and now we cover it with the cloud, right? So part of the difficulty is we can't see in them and that means we can't defend easily. Another point to be made about the internet, it's not magical, it's not going over the air, it's going over cables. 95% of the internet goes on subsea cables, and every single cable comes up on somebody's sovereign territory. And every single one of these cables is owned by somebody. And when we built it, we didn't think about the fact, we said, oh, it's free, it's around the world, it's going to be wonderful, and we didn't think about the fact that countries may have interests in intervening in those flows and knowing what goes past them and cross them. And now what we find is that all kinds of countries have interests in that. So the great big open, unbroken, unbordered internet has now become bordered. A colleague here at NWC with me, Pete Dombrovsky, and I wrote about this, we talked about with the rise of a cyber-west failure, where every country has an interest in understanding what traffic is traveling in through and around in their society. But the problem for democracies is as we slowly begin to control our our internet, we're doing it one by one by one by one in a fragmented fashion. So here's the important underlying question here. How do minority states survive, particularly in a country that has a very different approach to governance, demographically much larger and hostile? And I'm going to make three suggestions. One is a cyber-operational resilience alliance. I'm going to describe what that does for us. The second thing I'm going to tell you why Ukraine has inadvertently given us some good news is a natural experiment here. And the third thing I'm going to address is this question of resilience again. If it's important, how do you do it? I will end with a comment about the Navy. So my argument is how do these little fragmented minority of states survive is they need a new narrative and they need to have an operational collection. They need to have common operational goals and three of them. Scale up. China is not going to give peer deference to anybody that is into prosperous and nearly as big demographically. That is no country at the moment. And so we need to scale up. And as it happens, these 40 odd democracies are over a billion people educated consumers. And the key for us is we get them together to defend our common democratic IT with our private sector. This is a key. A private sector has to be inside the tent. They build it, they operate it, they own it. They have to be inside the tent, right? We've done this before. We have actually brought together democracies before. That's how we have NATO, how we have the EU. In fact, it's quite sui generis, both of those organizations, right? Secondly, we have to buy time. I already told you how fast they were moving ahead in GDP and I told you what they were pursuing. But I believe recently, if you look at patents, you look at publications, you look at research, they are striding out on AI and a lot of cyber is offspring. We have to move very quickly to defend our critical forms of democratic IT, right? Including across clouds with our private sector. Now, it does not mean we're creating a fortress. What it means is that we're trading vigorously, but for example, we don't allow China telecom in our exchanges anymore, right? And we don't allow Huawei to own all the routers and our major telecommunications corporations, for example. And by the way, why don't we want them to do that? Are they a bad technology company? We're leaving aside the fact that they've stolen a whole lot of what they've done. Leaving this part aside, let's go into the other question. It's because the Chinese government has passed laws in which the Chinese government has an equity stake in every single telecommunications corporation irrespective of their location in the world that is Chinese. And that also means that the corporations are legally obliged to provide to the Chinese government anything the Chinese government says it wants. That is fundamentally different than our attitude towards individual rights, the rights even of businessmen, right? There's a reason that we don't mind trading with them. We don't want them inside the tent, right? And finally, and absolutely as importantly, we have to invest in the advanced IT to reconstruct that underlying shoddy substrate, right? We are still just bolting stuff on and hoping to fix it. There aren't people trying. I believe it is IBM, forgive me if it's not, I believe it is IBM that has created a language called F-Sharp, which is a secure language. And what they'll do is if you bring your code to them that's printed, that's been coded in something like C++, which is not memory secure, which is an insecure language, but it's quick, they'll run it through their software and they'll export as F-Sharp and do exactly the same things that it did before while it was coded. But this is a small point. We need to invest in wartime level of R&D and laboratories and universities and all these public, I mean, all these private firms, right? We have to face this kind of reality. And we have to reconstruct it with what we had in mind, that it be secure from the get-go, as well as democratic and generative, right? And only then can we really provide a successful narrative to the rest of the world to counter the China model. That's just it. Now Ukraine is not a choice Ukraine would have made to do this for us, but it did. Ukraine, as it turned out, provided a natural experiment. I've been giving talks on the Quora for four or five years and I'd always end in the Q&A with, well, now do you have any examples of a Quora, you know, I mean, existing? And I would point to these other examples, you know, of like, you know, NATO, EU and these associations of private sector people. Yes, we come together. But I didn't have a country that it actually had to defend itself and needed Allied support like this. Ukraine provided this, right? After 2024, over a thousand corporations pulled out of Russia. And this included even the big ones, right? They just pulled out, right? And here's the important point, they weren't being paid to do so. The big objection to bringing in private sector into a Quora was, well, who are you going to pay them? It's what's in it for them. Well, I would have thought surviving in a democracy would be in it for them. But, you know, that was not seen as enough. These guys simply left. And that, the laws that make it hard to do work in Russia now, they came later. This is data that comes from the Chief Executive Leadership Institute of Yale University. They started collecting this. The corporations that pulled out were 40% of Russian's GDP, represented it, 500,000 plus people of which half were IT professionals, 200 to 300,000 people up and left. Now, imagine if we'd already had a Quora. Imagine if we'd already had a Quora. And those people up and left that we could collectively say, come on in, we'll vet you, and you can work with us. Now they're scattered around the world, they're being, you know, employed, hitherto and beyond. But there's no organized way for us to take that talent and bring it in to work with us. It's a couple other pictures. It's the way the data breaks out. The other interesting thing about these guys is the bulk of them walked out the door and the bulk of them were the people, the kinds of corporations we'd want in a Quora. Communication services, information technology, utilities, finance. So Ukraine, a position they never would have wanted to be in, but Ukraine provides us part of the evidence that a Quora can happen, right? And that it's feasible. And I finally want to make a point on resilience. About 10 years ago, I co-authored and co-edited a book with two other colleagues on designing resilience. And resilience is used a lot everywhere. Some people call it resiliency. I forgive you. It's resilience. There's no why. Six overall requirements. Very straightforward for large socio-technical economic systems. The first three are for a single enterprise. Single enterprises have some nice characteristics. You can make all the rules for everybody inside the system. You know where the boundaries are, who's in, who's out. You know what the networks are. The first one is redundancy and knowledge. This is not replication. Complex systems automatically give you what's called normal accidents. Right? Unanticipated surprises will come at you. At that moment, you need to have redundancy and knowledge. You need to have whatever information you are missing at the moment to apply to that situation needs to be in multiple sources in my head, in a manual, in a tool, in a piece of software, at the same time so I have multiple sources to go to. We can talk a little bit about, some people are afraid that AI will deceive decision makers. But if a decision maker had a redundancy of knowledge at the point of decision, this would be less of a problem. The second thing is slack in time. Resilience involves reducing the urgency on decision makers. And we do this all the time by the way. When you look at these and you're a military member, you see them and you go, oh, militaries do this. Why? Because militaries expect to be surprised by enemies. So you are just instinctive. You don't call it this, but yeah, of course, I cross level skills so I got more than one medic. Slack in time, minefields, chains across harbors. Slow it down, segmentation, stratification, all these words that we use. Slack in time so you buffer the urgency. And the third one extremely important is discovery trial and error learning. Trial and error learning is you kill people. The plane can go down. You learn from that. That's great. But we'd really be better if you could discover that in advance. And what do we do in militaries? We have exercises, right? We do a lot of exercises. But do we allow ourselves to discover? Do we allow errors, not just in what we meant to do, but surprises? That's discovery trial and error learning. Practice the whole system. Adapt the practice. Rinse or repeat. The other three are for collective or joint enterprises, right? Common and collective sense making. What is in fact coming at us? So for example, if you're the United States and you believe you're the remaining superpower in the world is as you meant it to be, and only thing that's happened is the Chinese have ruffled it a bit, you're not quite prepared for a world in which you are part of a minority, are you? So what's the common collective sense making that's going on? The second thing, common action plans are preparedness. We do this up the wazoo in the military. You know what else? The rest of society doesn't. The private sector doesn't do it. So we don't say, oh, okay, so here's the action plan. You're going to do this. You're going to do that. You're going to do this. You're going to do that. Okay, everybody got it? Okay, we don't do that. Not collectively, not across the system. And then of course you want collective DTEL, right? People are beginning to do this. NATO, for example, runs an annual cyber shield like exercise, for example, trying to get all the countries. But of course it's not obliged to join. And they're not obliged to send someone. And they're not obliged to make it truly a whole system stress test. And that's resilience. Now what's interesting is Ukraine roughly ticked all six. But the difficulty and the difference for us is that Ukraine already demonstrated the value of wartime cyber resilience and collective support. They reached outside of them to bring in the allies, welcomed them when they showed up, even if it's ad hoc, even if it's fragmented, oh, I'll come in. What they managed to do over the previous eight years, however, was to do an extraordinary amount of DTEL. And the Russians didn't know they were doing it because the Russians kept attacking them in cyber terms. So that in ironically not discussed very much as the Ukrainians also developed a wonderfully large hacker community, which immediately and instantaneously became more white hat after the Russians attacked and broke off with the Russians. It's a resource. What they did teach us was those eight years mattered. Another example of this actually was a bit of an ironic. In 2007 the Russians actually attacked Estonia. They were annoyed that the Estonians were moving a statue of a Russian soldier. And the plan for the Russians was to attack on the anniversary date of I think the Russian surrender or the Russian takeover Estonia. I'm not sure what it was, but it was in May. And the Estonians knew this and the Russians were already making a big stink about it. This is 2007. So the Estonians moved the statue early. The side note, they put it on a truck and they ran two other trucks that looked just like it. They all ran around Estonia like this so the Russians couldn't figure out which truck had the statue on it. Side note. Anyway, the Russians suddenly scrambled. And they scrambled in a fragmented and erratic way which meant that the Estonians were able to defend in this tool. It was 10 days early than the Russian plan. And they were able to repel the Russians. They had to shut down the whole country by the way. Close the whole country off the internet for that few minutes. What happened? The Russians then attacked in May as they planned. And the Estonians were ready. DT. All right. What does Korra do? It breaks the vicious cycle. Now, I'm going to finish up with the shore and I see that I am going to pay attention to my time. So I'm going to move pretty fast on this part. Some of it you'll already know. Implications for the shore and the sea are the same. If it can be reached, it can be breached. Easier they're reached, the more likely you have multivariate sources of access, right? Anything that can be coded can be corrupted. And that includes all the emerging technologies. And the major adversaries expect them everywhere. Everywhere. Any avenue you've left unprotected and that of course includes the large cloud. So I'm going to talk about some of these that are maritime options, right? Ports. Okay, just think of a port as a huge cyber-sitting duck. It's the easiest way to think about it. Fragmented. Access is easier because it's very close. It's on land. It's not going anywhere, right? Right? It has a complex, fractured community. Ships arrive. Containers. All kinds of modalities come together. All kinds of owners come together. Right? Very hard to defend. This is what a port looks like. Sort of. Isn't a nice picture? But this is a better picture of a port these days. Because ports are automating. They are trying to bring in the internet. They're trying to do remote control all over the world. Looks more like this. This is a better picture of the port. This is what you're trying to defend. Even efficiencies are now bringing in threats that no one ever thought about before. Bring a ship in the port. You turn the engines off. You connect electricity out on the land. Why? It saves you gas, right? Command and control cable goes right into the ship. And ships. Well, the other part of the problem is ships run close to the land. The closer they get, the more likely they're affected by land-based signaling. And anyway, you want to, right? You want to turn on your cell phone. All kinds of things you want to do. The problem is that's where the adversary knows you are going to be, right? Anything electronic, systemic, becomes open, right? And this is a nice list of a lot of other not visible systemic choke points that one has. Harbors, port services. And then you have this interesting phenomenon, which adversaries also know. The larger the ships get, which save you a lot of money, it's great for your efficiency, also drives you to certain ports. So if I'm an adversary and I want to do something with that particular shipping line, I know what ports to go to. I don't have to go to everywhere in the world, right? What's happening to ships is they've become floating high-priced hubs of their own. And they are friggin' massive. Massive, right? New container ships are larger than our own biggest aircraft carrier. 275,000. Take that and smash it into something. 2021, the Ever Given, one of the newer, large container ships, was blown by a sandstorm across the Suez Canal. They couldn't move it for days. It was massive. Many of us thought, hey, what was it, cyber? At least as far as we know, it was a sandstorm. But it resulted, it's one ship, 4% rise in the global oil price. 12 days to a nine-day trip was added. You want things not to arrive on time? And by the way, at the other end, for those of you who are actually serving in the Navy, you know that if you lose your slot, you're going to pull into port at a certain time, right? And you're a big, huge container? Well, you just don't get to show up any old day and pull in. You get to pull up, park yourself on the outside, and wait till a slot shows up, right? So this disruption is very attractive if you know what you want to stop as an adversary. And here's the nine recognized maritime choke points, but there are others that are close to it as well. Unchips at sea. There's a sense when you go out to sea and you sail away, well, you've sailed away. Well, you have it, right? Impact is greater if you can board it, but you know what, you don't have to board it necessarily. You can use satellites, anything. Systemically critical. It's electronic. There's some nice pictures for those of you who haven't been on there. Here's some electronic pictures. Here's some electronic access points. All of them offer access points. Here's some pictures. And here's the one I like. The difficulty with these huge, massive floating container ships is that the vast majority of them have their connectivity from the outside goes in and there's no segmentation to propulsion and everything else. It just goes straight on down, right? Because when they were built, people weren't thinking that way. We sail out to sea, nobody can reach us. Few, if any, basic protections. And we've already shown this. We've shown this in 2021 DEFCON. They just simply posed a challenge. A bunch of hackers never knew anything about the maritime world came in and they hacked right into the bridge. Land hackers. Why? Because, remember, all of that software not only shoddily put together was simply imported from the land onto the sea. Same thing in 2021, except the Naval X folks actually did it remotely. This is one of my favorite ones. 2017, it was a remote hack of a German container ship near the port of Djibouti. And they compromised both steering and maneuver control and the captain couldn't do anything. He could just watch his ship being trying to direct his ship. So what he did is he turned it off. He turned off everything in the ship. They just sat there until they could helicopter out IT specialists who could save the ship. It was the only way to keep it from being pirated. And we all know, if you're particularly feeling the Navy, that this continues in maritime saccons, right? The point here is, Navy's protect the maritime world and the maritime world isn't ready for cyber conflict. Just a quick thing on how to hack. We can talk about it later if you want. I like this chart. This is one you can go and look at later. But this is a nice description. You get in through a lot of guessing. What do you do once you get in? Well, you move laterally. You look at anything you can find. You cover your tracks. You're trying to raise logs. You're prepared to get back in. You map your network. Then you plan your exploits. You stay hidden, rinse and repeat. And you just keep doing it over and over again. So what happens on shore happens at sea. And what do you need to know about that? First thing you need to know is just understand how hacking happens. Take those ornaments, hang them on the structure. Okay, I see how it happens. And access, by the way, starts everything. Observe and try and avoid the failures and resilience. Map your own networks. When you come into command, find out what everyone has, what's connected to what, to your horror. Find out who's carrying what. It's a little bit different when you're inside a Navy military ship. But remember, you are connecting to other networks at the same time. And finally, I argue, you can't sail away from the hackers or the adversaries, or for that matter, the whole problem of great systems conflict. So here's a nice little cartoon to end it with. This is our modern digital structure. Here's the one little pin right over here. And this basic one little pin, as they put in the cartoon, is a project some random person in Nebraska has been thanklessly maintaining since 2003, right? And nobody cares. This is open source software, right? Right? This is all that stuff. The volunteers that are supposed to do it for us no matter what. And here are the adversaries. I had to get some pictures of adversaries. So the future of democracies is collective cyber resilience. I forgot the cyber. But there's no long-term survival at all. That is my position. And that's even true for navies. Well, thank you, Chris. I asked her to give us her good news pitch. So if you come back another day, she'll give you the bad news pitch. Okay. Well, thank you very much, Chris. That was great.