We're back. This is Dave Vellante with Charlie Senate. And we're live at the MIT Media Lab. We're talking about cybersecurity today. There's a great conference going on, an event really, workshop, if you will. Talking about the gap in governance and how international relations hasn't been able to keep pace with the developments in cyberspace. Herb Lin is here. He is chief scientist for the Computer Science and Telecommunications Board at the National Research Council and National Academies. Herb, welcome to the Cube. Thanks for coming on. Glad to be here. So tell us a little bit about your role and then we'll get into some of the things that we're talking about off camera. My role at the academies? Yes, please. I've been there for more than 20 years. I write and do research and manage projects on information technology and public policy. In recent years, I've done a lot of stuff in cybersecurity, various dimensions of cybersecurity. For example, the role of offensive operations in cyberspace, what cyber deterrence might mean, how you might prevent somebody from, dissuade somebody from attacking you in cyberspace. A lot of research on what it would take to create a more secure cyberspace. So you said you were following security more recently. Like how recently? How long have you been digging deep into security? Within the last decade. So what have you seen as the big changes in the last decade? Let's see, last decade, that takes us to approximately 2004. Probably the biggest change, of course, is the emphasis on security in the wake of 9/11, that lots of people are concerned about what the bad guys can do to us in every way. And cyberspace is one of them. There are a lot of people who are concerned, for example, about the ability of terrorists and other bad people to do things to the critical infrastructure of the United States. For example, they worry about being able to take down the electric grid. 
They worry about being able to take down the financial system, water and gas, those sorts of things. That's what the concerns are. So normally, when you think of security, you think of reactive, you think of defensive, you're going on the offensive. But you said to me off camera, well, they're related. What do you mean by that? Right, so there is a, if you're in a fight with somebody, there are a bunch of things you can do. You can try to block his punches. You can also punch back. And one of the things that cybersecurity has traditionally worried about is how to block. And mostly, the research effort has been on how to block punches. Relatively little research on how to punch, how to attack in cyberspace. For a variety of reasons, there have been taboos about doing that, some of them not for good reason. But there have been these taboos about doing efficiently recognized research in that. But it is now a matter of public record that the United States is developing offensive capabilities in cyberspace to take the battle to the bad guys. Take the battle doesn't mean destroying something necessarily. It could mean spying on them or something like that. But in some cases, it could mean destroying some of his computers, some of his infrastructure, some of his military systems, and so on. At least those are within the range of possibility, of possibility, what the United States might be willing to do under some circumstances should circumstances call for it. So you're right, it was perceived as taboo because it was seen as evil or unethical. Was it solely 9/11 that flipped that switch or were there technological advances? No, I don't think so. The fact that you can punch in cyberspace has been around for a long time. That is, there have been viruses since the early 90s. And there was an internet incident in the late 80s that showed some of the potential for taking the offense. Now, the 1988 incident was an accident. 
The person who let loose a worm onto the internet and sort of brought it to its knees pretty quickly was just an accident. He didn't mean to do that, but he did have this bad effect. So there's always been malware on the internet. What's new, I think, in recent years, I mean since 1988 is that there's become an increasing realization that governments too could use these tools to create mischief in cyberspace and to do damage in cyberspace in ways that they hadn't been able to do it before, before cyberspace. So handicap the horses on the track. Who's the best at this? Obviously the United States is really good at it, right? China's got it. The United States is widely regarded as having among the best skills in this. China is regarded as having some of the best skills. Russia also. Then after that you can get into arguments about, well, how good is Iran? How good is Israel on this? Other interesting questions are, if you think about organized crime, what are the capabilities of transnational criminal syndicates that may have capabilities to do bad things in cyberspace? And that's not very well understood either, but we do know that they are, I mean if the Colombian drug cartel can have submarines and so on, who knows what their capabilities are in cyberspace? I think the answer is we don't know. Could I ask you a question about, so if there's a sort of global rules of engagement that's being developed, much like a military protocol and an offensive is permissible under certain criteria, can you lay out the land for us in terms of what that looks like from a corporate side, from a private individual side? In other words, if you have a company that decides it's gonna go out and land a punch and it's gonna be offensive, wouldn't you then get into a sort of a fist fight in the streets and vigilantism? And then where does that end up? Yes, that is, what you're asking is a very deep and important question. And I think that nobody knows the answer to that. 
So here's the argument, you said it in a very telescoped way, let me expand what you said, I think. If you say that you can punch back to defend yourself in cyberspace, conduct offensive operations to protect yourself. Well, does that mean that the private sector, a company has the right to do that? Well, right now the answer is no, at least under US law. Because they'd be committing a crime just to the other guys. That's right, that's right. Two wrongs don't make a right as we say in parenting. That's correct, that's correct. But now the answer is no, you can't do it. Should policy be changed? That's a very interesting question. It has many policy implications. So for example, if you're going to go after the oath, what kind of punch are you gonna throw at him? Are you allowed to go and destroy his servers? Are you allowed to see his data and erase it that he took from you? Are you allowed to implant a beacon there that sends you an email saying here's where I am? Right. I've listed those in order of most severe to least severe. And so what are you allowed to do? What confidence do you need to do that? If you're gonna actually destroy somebody's hard disk or in fact cause his computer to catch fire or something like that, how confident are you that that's really the bad guy? How do you know? Right. It sounds like a right to self-defense issue just like you in any court of law with substantive threat there in order for you to retaliate. But right now the answer is no, that's illegal. So now here's another question for you. Why would you imagine wanting to do this? Well, if you're a private corporation acting in cyberspace right now and being under attack in cyberspace right now, what happens is that you have two choices. You can put up the shields, shields up. Or go lights out on the guys at KMA. No, what you have is a choice. The legal choice is you either call the cops or you put shields up. What you can't do is you can't punch back. 
Now, but the ability of law enforcement to help you out is very limited. They've got lots, they've got lots and lots of requests. They've got lots and lots of requests and very few people, right? And so maybe the private sector should be empowered like we have Brinks Guard. What do you think? Do you think the private sector should be empowered? Hold on a second. And then there's the question. You keep asking me the hard question. We're going to turn it back on you. I'm sorry, I don't have the answers to here, okay? I know that these are questions that we're going to have to resolve as a nation. But do you put this under government regulation? Do you certify the equivalent of the Brinks Guards who are firing back in cyberspace? Right. And once you put them under regulation, does that imply that the government is doing it? That's a very interesting question. I don't know the answer to that. So in trying to figure that out, there's been much discussion here today of a sense of urgency around the need for better governance. There's been even some statements from the president of ICANN saying, hey, this is not sustainable, the current model of governance. Do you agree with that? And is this, these parameters of trying to define what is retaliatory strikes that are legal and not, that terrain, is that all to be reviewed by this new model of governance? I think those questions are all open for debate. And I don't know where they're going to come out. What he was saying was that what's not sustainable is the control of the US government over the detailed operations of ICANN when it comes to certain issues. And do you agree with that assessment that it's not sustainable? That's outside of, I haven't studied that, so the answer is I don't know. As a political analyst following, my opinion here is just as good as anybody else's here. I see that as, I think he's probably right. That is my guess. 
In the long run, that probably isn't sustainable because the rest of the world isn't gonna trust us. That's my guess. But I could be wrong about that. And as an American citizen, I hope I'm wrong about that. But I don't know. So a corporation today doesn't have a lot of options other than, like you say, going to some ineffective policing mechanism or break the law. But the question is, how illegal is it? In other words... Well, the finders... If you're gonna retaliate against China, well, maybe that's something we don't want to do. Well, that's right. Punch back against a smaller adversary. Criminal ramification. Right, that's an interesting question. And I think nobody knows the answer to how... Because all of this is so taboo at this point, nobody knows. Nobody knows what the policy implications are gonna be. So I think that this is all to be resolved. I mean, maybe the right answer in the end is suppress it all, that the private sector should not have that the regime is, or strengthen it. That the private sector should not have the right to self-defense. Maybe that's the right answer. But what I know is that we haven't had that debate. We talk a lot about in the Cube about whether it's the industrial internet, internet of things. There's a lot of headwinds to making that happen. But you can see the day where you've got turbines connected and jets providing information. The entire internet's gonna be connected. And again, we've studied this extensively. And engineers are somewhat averse to having intelligence placed and connections placed inside of their devices. But it seems to be coming. When you think about the impact on offensive, cyberspace as an offensive weapon, it's orders of magnitude. Potential. That's right, that's right. Have you studied the impact? Well, yes, you think about that. Yes, you think about that. And it's really scary. So we're gonna have a smart grid of electricity. 
And the smart grid is supposed to control the amount of electricity used so that it lets you turn on your air conditioner and your freezer and so on at the right time is when it's cheap to do that. How nice. Right, what happens when your neighbor who doesn't like you has a smart kid who can hack into your freezer and reset the temperature? While you're on vacation. That's right. I mean, those kinds of questions. What happens when you have a guy on an airplane who accesses the onboard avionics of the airplane because the entertainment network is connected to the onboard avionics and starts hacking the control systems using his entertainment console? I don't know what happens in that situation. Or for watchers of Homeland, what happens when a terrorist hacks into the vice president's pacemaker? I see that at the side. Cheney is on record as saying I didn't want the wireless capability to cause him exactly that. That's right. Okay, so what are you working on now? What are you tracking? What's exciting you? What we're trying to do at the academy right now is trying to stimulate a kind of dialogue between technical experts between the United States and China on cyber security issues. That is the hope here is that based on discussion of technical issues, we can find some common ground with them. Now we'll never reach common ground with them on whether it's okay to steal intellectual property or not. That's not the issue there. That's not the kind of problem that I think we can resolve. But we can, for example, we can establish a common vocabulary. That would be a very interesting thing to be able to do. And we'd like to be able to do that. Where do you think you, are there places that you know of where you won't be able to find common ground technically? Because whether it's, I mean, you always see this in standards committees. There's philosophical, though, I want this protocol or that protocol because it's smarter, better, faster, whatever. 
Do you know even what you don't know yet in terms of? Well, there are many fundamental differences between the US and China, for example. I mean, we have a, we as a nation, and I support this because I'm an American. We're, you know, I support the First Amendment. This is a very good thing to have and so on. But I also have to recognize that the Chinese aren't as thrilled with the First Amendment sorts of things. But specifically technically, are there points of disagreement that just don't look like they're reconcilable without some kind of compromise on either side? But I'd say specifically technical debates. I don't know the answer, I can't answer that. I don't know the answer to that. Okay, you don't have visibility on that at this point. Not at this point. Do you expect those types of things to arise? Or do you feel like that the technologists can sort of get through that? I mean, again, I'm drawing on standards bodies, IEEE or name one, right? That they can't agree on a standard or it takes forever to agree on one. Do you expect similar types of problems to occur? I wouldn't be surprised if they occur, but I can't tell you what they are at this time. Yeah, I understood. Good, all right. Well listen, really appreciate you coming on theCUBE and good luck with your presentation today. Okay, thanks, okay, thanks. All right, so right there everybody, we'll be right back with our next guest. We're live, this is theCUBE, we're at Cambridge, Mass., we'll be right back.