 Hey, we're back, we're live. Welcome to Asia Review on ThinkTech. I'm your host, Jay Fidel. Our show today is called Cybersecurity at ASEAN. We're going to talk about the new trust and collaboration that's required to meet the threat of cyberterrorism in Asia Pacific and elsewhere, and address the issue of whether it's time we got serious about cybersecurity in Asia Pacific and elsewhere. If you want to ask a question or participate in discussion, you can tweet us at thinktech.hi or call us at 415-871-2474. Our guest for the show is Brad Glosserman, camera on black. Brad Glosserman, please. There it is. Thank you for being here, Brad. Glad to be here, Jay, as always. Thanks for having me back. He's the executive director of Pacific Forum, CSIS, and he's written a PACNET advisory on the issue of cyberterrorism and security, calling for greater trust and collaboration among the nations of ASEAN to deal with that. The issue is high priority, and there is a likelihood that WannaCry and its progeny will be repeated as a new normal, a new normal phenomenon in Asia Pacific and the rest of the world. So, Brad, great article, timely. Did you know this was going to happen? Were you expecting it? Yes. No, it was going to happen. No, expecting it, yes. I think anyone that is working on cybersecurity or has any familiarity would understand we're living in a very, very rich threat environment, one in which it's only a matter of time. And in fact, it's speculated that the next variant of the WannaCry crisis is already infiltrated into machines around the world, and we're just waiting for the signal to turn on. So, cybersecurity is an issue that is proliferating in our daily lives. 
It's not something I think we tend to think about, whether it's in terms of our computers, whether it's in terms of your equipment here, whether it's increasingly proliferating into our phones, into the internet of things, our watches, our homes, our cars, and our automatic cars, automatic self-driving cars. The fact of the matter is that there are great vulnerabilities built into the system, and we are just not, I think, accustomed, perhaps our disposition as human beings, maybe isn't to be as conscious of vulnerabilities as we should be. You know, the shocker of it is that when all this started the internet, and Bill Gates made his shift in policy around Microsoft, and all of a sudden it bolstered this whole development of the internet, everybody was so excited about it. It was only going to be used for good. Nobody could conceive of the like of the possibility that bad guys would use the internet against us. But that's what's happened. Just for every good thing, there's a bad thing. Why can't mankind, humankind, can't we be better? Why can't we all just live together in peace? There you go, there you go. That's a failure of imagination, Jay. Sorry, sorry. I have these on a regular basis. Anybody that was cynical... That's Brad Glosserman. He's Executive Director of Pacific Forum. Anyone I think that was thoughtful, that was slightly skeptical, remotely cynical, anybody that I think looked at the world, you look at the use of every technological advancement in human civilization. And for every benefit that's offered you, there has always been a negative. I mean, the printing press gave us the Bible, and then at the same time it gave us these inflammatory tracts. Every drug that is possible to be used for human health benefits, of course, can be misused as well for negative reasons. I don't think anybody was really naive about it. I think that what we probably just never quite... Invariably, we have a hard time keeping pace with technology. 
I mean, our inclination tends to be... I mean, this is, I thought, one of the more intriguing discoveries of technological advancement, you know, is that when you first create a new technology with the internet or with the information technologies, the first thing we end up doing is we do everything we used to do with this new technology. And so it's something of a labor-saving device. It takes us a generation or two before we really appreciate that we can apply these things in completely new ways. And it has, at that point, it becomes more than a ripple effect and becomes like tidal waves, in which, in fact, life's changed drastically. And so what we're discovering, I think, only now we're reaching the point where we're beginning to understand the way that rather than just having all of these electronic do-dads do what we've always done, that in fact we're using it to do entirely new things or do things in completely different ways that I think at that point sort of stretch the imagination. And if you will, certainly to the degree to which these devices are integrated into our daily lives, again, create vulnerabilities that we just never anticipated. Yeah, well, you know, what's interesting is that the internet was always global, but the rest of the globe didn't have the infrastructure to really participate. And over the past, what is it? From 95 till now, I'm using 95 as the benchmark, what, 25, 27 years? That's all it is, really, of time on the internet. It's become global. Everybody wants it because it's so great. So every country has the internet. In one way or another, even with solar power, they have the internet. And so people think that when you have WannaCry, it only happened in the U.S., but no, that's not true. It happened lots in Asia and it had lots, lots in Europe. But how much is lots? Well, I mean, first of all, it wasn't that lots here. In fact, I think that the hardest-hit countries were basically outside the United States. 
The last numbers I saw, and this is, I believe, this morning, something like 200,000 computer networks, not computers, computer networks, around the world in over 150 different countries. And, you know, I mean, in the United States, what you have for the most part is a culture of people that tend to keep software legally acquired rather than in pirate circumstances, or they also have a tendency to stay on the net in ways that you have IT departments or a certain consciousness in which you update your computers and all of your technology on a regular basis. And your job may depend on that. And you have somebody in your job who does it, the IT person, or you just set it up automatically. I mean, my wife and I have a constant argument about just updating all the different apps that comes in over iPhone, and I constantly do it for her and it irritates her. But the fact of the matter, you know, if you go to China, I mean, you'll find, for example, a number of the, there were reportedly a bunch of, mostly schools and universities in China that were hit hardest, the original reports of the damage that was done. I think subsequently we found it spread to other computers. But the Chinese have a pronounced tendency, let us say, to use pirated software, which then means that they would not be receiving the updates that Microsoft is sending out. And in fact, Microsoft did, was aware of the exploit. And in March it sent out a patch to all of its customers. And for those of us that are reasonably savvy or reasonably conscientious about this, we installed it and we were safe. And there was no danger there. But if you had a bootleg copy of the program, you would have installed it. Exactly. I mean, so there's that. There is, however, I mean, if we want to do a deeper dive into WannaCry, it's a fascinating phenomenon because we can talk about its origins, which are in cyber offensive capabilities, if you will. 
And we can also talk, I mean, the fact of the matter is, while Microsoft did send out the patch in early March, it also sent that patch out primarily just for the most updated Windows users. So people that were using legacy systems in Microsoft were, I'm under the impression, were not only offered the patch, but offered it at a much higher price. How nice. Well, the reason for that, quite frankly, is business economics, which is Microsoft's logic is we don't want you using these old systems. If we've developed the new software, we want you to migrate to these new systems. And as a result, for us to continue to make them safe, really essentially undercuts our business model, if you will. Now, once the WannaCry was out and in the wild and doing what it was doing a couple of weeks ago, Microsoft apparently then decided that that wasn't the smartest business strategy and was putting the patch out for free and updating it for the legacy systems. Nevertheless, some damage was done. So this attack wasn't on a given day, it was happening. And it's just sort of ramped up. Is that what happened? No, I mean, what you have is a trigger. And so it is, the systems, there are a variety of different tools that have worked. I mean, and the origin, and we still don't know where, I mean, who exactly was responding behind this. There is at this moment the most recent speculations of North Koreans. Yeah, what's it, Symantec came up with that within the last day or so? The last few days. I think there's another security firm that's agreeing as well that's come to the same conclusion. But again, what they're suggesting is that it's tied to a group called Lazarus, which was responsible for the North Korean hack of Sony in 2014, if you recall, when the North Koreans got upset about the prospect of the release of the movie The Interview. 
But it's also looking for the way that it was done, perhaps, that it was done by a rogue programmer in North Korea and not necessarily as a state-directed group. Whether you can tell the difference, whether there's a meaningful difference, I don't know. Either way, if it's a North Korean connection, we in the West and the people that are trying to get behind it will never get their hands on the perpetrators and be able to make any definite decisions. But there are sufficient fingerprints to convince reputable experts that this looks a lot like a hack, like Sony hack, which also looks like a hack of the Fed that was intended basically to steal about $80 million from Bangladesh a few years ago. Well, you know, one thing that you mentioned is we got to get countries together. We got to get state actors together to deal with this. And with that, you have to have trust, you mentioned, and you have to have collaboration. But, query, what can states do? This is not so easy. No, of course it's not easy. I mean, there are all sorts of levels that you have to address this. I mean, one of the things I think we have to understand, and I come on here and I talk about security challenges and we talk about North Korea, for example, as a security threat. And then we talk about cybersecurity or cyber vulnerabilities as a security threat. The fact is that those are extraordinarily broad circumstances or phrases. You know, you have to unpack them because as you slice it more finely, you discover that there are gradations, that there are differences, there are different angles of attack, different interests that are addressed. For example, let's talk about North Korea, right? We're talking about North Korea as a cyber threat, right, in the last few minutes, however long we've been chatting. Until ten minutes ago, most of the conversation about North Korea was in the context of a missile threat, or is it a context of a nuclear threat? 
And each of those requires us to think differently about the nature of the problem. When we talk about cyber vulnerabilities, what are we talking about? Are we talking about, you know, criminal activities, cyber crime, which is reckoned, the estimates I think about in 2015 were over a 12-year period, something around, I'm sorry, over a 12-month period, something about $81 billion worth of damage done in cyber crime. Cyber crime. And that's probably, it's a considerably lower number than it is today. We've seen a steadily expanding number of incidents. The Asia-Pacific is probably, there's even more, it's reckoned perhaps $20 billion more in damage done to that region than there is in either Europe or the United States. But it's also hard to say, because in a lot of senses, people that get hacked don't like to let us know. No, they go clam, yeah. They go clam that they don't want to risk vulnerability, they don't want to do damage to their reputation. You know, there's legal liability that could follow if you're not protecting your data, et cetera. So, why don't we talk about cyber crime? Number two, are we talking about cyber espionage, which at some level I'm prepared to concede is legitimate. But the two things are very different. Extremely different. But there's even more. I mean, there is cyber infrastructure, if you will. I mean, there's espionage of information such that countries are stealing from other countries because they think that it is being done for the protection of national interest. You can have cyber espionage for business purposes. We're raiding banks and the like. Again, but that's a little different than, I mean, what would you call the theft of negotiating information that you know as you go into between two companies that are going into a business market? It's different. Yeah, that's a third. 
Then you've got, I think, vulnerabilities in what we call critical infrastructure such that, and this isn't espionage, but this is an attack on dams, on traffic lights, on banking systems that are intended to disrupt or create damage. I mean, you could call it terrorism if it's done by, you know, a 400-pound hacker in his bathroom or the bedroom as someone knows it. So, well, I'm not done. I'm not done. Stop it. But we've got to take a break. Oh, well. I hope you remain, you know, passionate about this. I'll try to keep it. That's Brad Glosserman. He's passionate about this. We're going to take a short break when we come back and we're going to see if we can recreate the very same passion on the other side. Okay. We're back live with Brad Glosserman, Executive Director of Pacific Forum, CSIS. And as we left it, Brad was describing all these different possibilities and none of them were good. Right. Well, we had cyber crime. We had cyber espionage. We had, you know, business intrusions, if you will. Then we could have what we call cyber terrorism, right? 
So you've got disgruntled groups that are either stealing money from, you know, like some of these North Korean banks did or North Koreans did to these banks. You can have, you know, a DDOS distributed denial of service where you're just shutting down websites, for example, for the purpose of an individual actor where you can do it in a state of war. You know, in a larger conflict that we're likely to have, for example, with a nuclear armed adversary and advanced adversary, you know, God forbid we should think about going to war with China. One of the things that we're going to be trying to do is blinding each other. So it's going to have a lot to do with things. So it's all of the foregoing. It's every different kind of attack you can think of. There's that. There's just plain old, you know, sloppiness that happens. I mean, what WannaCry was again, criminality. So yeah, each of those, they're different pieces. I haven't forgotten your question, which was about how we cooperate. The point is, is that each of those has different sets of concerns, different key actors, different ways to respond. And I think you're going to find a great deal more agreement, for example, on addressing the questions of cyber crime and cyber terrorism than we are, for example, on addressing what are the appropriate tools to be used in the event of a, you know, in a larger conflict. We can create rules of the road, but they're going to be harder to reach. Then I think we also have to, you know, sort of acknowledge who is involved in creating the conditions by which we respond to these things. And our tendency is to consider a technical problem, right? Instinctively, it's my damn phone. Get the techie, get the IT guy in here to fix this, et cetera. Whereas instead, I mean, there are pieces of this in which we as citizens have got to be on top of things. I mean, the reason that those applications are updated every week or so or whatever is because they're usually addressing vulnerabilities. 
It's not just to add another language onto that particular, you know, to Uber, right? It's not so that you can now, you know, get a tag in Tagalog, get a tag in Tagalog. No, it has to do that, wait a minute, we've discovered that there's a hole in this particular software and we need to fix it. So it's up to you as a, just an ordinary schmo to stay, you know, on top of this. It is up to you as the administrator of this business and me as the executive director of Pacific Forum to work with my IT team to make sure that we have protocols, that we're on top, that we're thinking about the damage that can be done. What I hear you saying is it's not the government that can really solve this. I mean, the government can solve some things maybe. All these risks you mentioned, some of them are at the governmental level and some of them are at the ordinary Symantec level, Norton level, if you will. And the administrator in the company level. I mean, the technical term is distributed risk, right? And we all have to be prepared to do our part. I mean, governments are important because, you know, the fact is nobody knows if you're a dog in cyberspace, the famous New Yorker cartoon. Well, nobody knows if you're an American, if you're a German, if you're a Swiss, if you're an Australian or a Malaysian. You know, so the fact is that the anonymity of the internet and the ability for us both to move so quickly across borders invisibly requires us to have, you know, first conversations across borders. And most importantly, we have to trust each other. You know, back to this problem, you are not going to share. But I want to go back to what you said a minute ago. It's anonymous. Let me finish this thought first. Okay. You'll get there. No. To the degree that our problems, you know, everything is about us being linked together, right? And everything is about, ultimately, our security depends on the weakest link in the chain. 
So what that demands of us, whether it is a government, whether it is a company, whether, you know, we talked about reputation, whether it is an individual, is that if we do not trust the people that we are working with, the cooperative problem sets, right? And they require cooperative solutions. So if we don't trust the person to protect, you know, what we tell them, these are my vulnerabilities, I lost this, I'm weak here. If we are not prepared to protect that information, then we have a real problem solving these problems. We can't collaborate. And now this is where it gets really, really, it's like a mobius strip, right? We're going to turn back into ourselves. Is that what was the origin of the WannaCry virus? That's why I recall that was the NSA. Exactly. How about that last summer? Right. And so the famous line that came out a couple of weeks ago in the aftermath of the outbreak was, we really didn't intend for the software. I mean, I think the NSA was cited, somebody was saying, we really didn't intend for the software to be used for this purpose. Well, you know, to quote every high school girl, duh. I mean, of course, that wasn't intended to be used for this purpose. It was intended to be hacked and kept off the shelf. And consequently, it was precisely the fact that these tools got into the wild were then, you know, mixed with these worms taken over by bad guys. It's exactly, weirdly enough, well, not weirdly enough. I think logically and perfectly logical, you know, perfectly, congruently and consistently enough. As you will recall a couple of months ago when there was the San Bernardino shooter and the FBI was demanding that Apple give it the tools to hack the phones. What was Apple's response? If we give it to you, you cannot guarantee that this A will only be used in this particular case. That was a real concern, wasn't it? B, that it will be protected and won't get into the wild. And what we're seeing now is for whatever reason. Real concern. 
This validates Tim Cook's concern about it. It validates Tim Cook's it, but it's just, you know, information wants to be free. Every worm wants to go wild. It is the idea that we can compartmentalize that we need to segment. I mean, you know, and again, kind of to both, to go one more loop into the circle and to revisit the logic of all of this. It is, we're talking about these extraordinary high tech tools and, you know, capabilities. And yet they're all still by and large driven by human systems, right? And we often forget that no matter how high tech all of your protections are, that if you don't have people that you can trust, then they can violate the integrity. You don't have to, you know, you don't need an external hacker. What is being thought about in many cases is that the source of the release of information in one form or another, the hack, like for the NSA tools that's thought, it's just a disgruntled employee who just popped a USB port into the, you know, drive into the port, downloaded all the stuff and walked out the door. It's not real high tech stuff. No, but it's high leverage. That thumb drive could bring the world down. Of course, but still, the point is that how do you protect against that? It's a human psychology issue. It is just the most elemental, fundamental questions of making sure you have people you can trust doing their jobs and not getting disgruntled, right? Well, you talk about trust, you talk about countries trusting, but in this world of cyber terrorism and vulnerability, the message is don't trust anybody. So there's a conflict on that, isn't there? Well, I mean, except, yes, and it is absolutely endemic and completely integral to the systems themselves because the nature of, I mean, you know, what do they call it when two systems reach out to each other when one computer communicates with everybody? Remember that? Handshake. There you go. Right? It's a handshake, man. That's a gesture of trust, man. 
Well, the problem is how do you deal with this? Because, you know, as you said in your article, this is, and you said just now, this is not over. It's going to happen again, and those worms still will still are still in those systems and they can be triggered any time again. Or new worms will be infiltrated, which is also the case. I think there are a number of sort of what grim realities that accompany this. Number one is there's no such thing as perfect security. We've got to acknowledge that there will be moments in which we are going to be vulnerable, and there's no such thing as absolute security. This is a discussion that we have at the state level when we're talking about the way that we relate to countries like North Korea and China. It's something that we have to acknowledge ourselves. So what do we do? We reduce our vulnerabilities the best we can. And we talk about, again, in the lexicon of strategic studies, deterrence, right? So you're either deterred by punishment, meaning I keep you from doing bad things to me by the threat that I'm going to hurt you worse, as bad or worse, you know, or deterrence by denial, which is just that I will deny you the opportunity to inflict the harm on me that you expect to. And so, you know, in the world of nuclear weapons, which is where I spend a lot of my time, it is deterrence by punishment is MAD, mutually assured destruction. You nuked me, I'm nuking you back. And so hopefully that threat is sufficient to even the scale. Well, and it's also the threat of transparency, the threat of having your most critical information, strategic information revealed by Julian Assange or what happened with all of those operatives in China where they were all turned in considerably by hacking. You had to get hacked. You thought I'd mention that. But again, the point, though, is, OK, so what is your leverage against Julian Assange? I mean, is it somehow or other that we can render him vulnerable or render him irrelevant? 
Is it that we have ways to protect our information such that, you know, again, it's by denial. If they're going to steal your bank account information, what do you do? Do you figure out a way to make it harder? Do you figure out a way to diminish the loss? I mean, all of these are the forms of deterrence that you have to build into the system. And at the end of the day, I think one of the things we just have to acknowledge is that the vulnerabilities are part of the reality of life. They're new and normal. And I mean, you know, just as the news today is we're still trying to recover from the news of the Ariana Grande bombing at her concert last night in Manchester, you know, there's no stopping lone wolves. Just as for many, many years they had said, you know, there's no stop, a single determined assassin can't be stopped. You know, one man is prepared or a person prepared to die in the attempts to, you know, realize his or her ambition is pretty much unstoppable. Unless you get really lucky. So if that's the new reality, then we've got to adjust our lives and our expectations accordingly. Yeah. And we have to adjust our diplomatic relationships, our international strategies. So usually I ask people at the end of the show to address the common person, you know, the viewer, the ordinary folks, and give them advice. But I'm not asking you for that. We're not even at the end of the show yet, right? No, we are. We're sorry. Oh, I thought we had it now? No. Okay. We have to come back. Do the other half hour. The one we both want you to do. Okay, but this time I'd like to ask you to address the nation states. 
The nation states, you know, who are observing at least, I hope they're observing, the new normal, the new change, the change because of Manchester and terrorism, you know, by lone wolves or possibly small groups anywhere and everywhere, anytime and the possibility of cyber-terrorism in all of those categories you mentioned from the big categories to the little wee categories ripping my bank account off. So what are the nations to do? They're supposed to protect us. Are they still capable of doing that now in the new 21st century? I mean, the new 21st century? What would you advise the nations to do to protect us, give us comfort and, you know, hold to earlier standards and earlier quality of public life? I don't think you can, I think that's an unfair ask, if you will, particularly that last little bit, the earlier standards. I mean, the fact of the matter is that our lives are immeasurably better than they were than however whatever your baseline's going to be, but at the same time we've incorporated new risks. We have to accept that and acknowledge it. As for what states can do, I think that, you know, they need to acknowledge the nature of the threat. They need to acknowledge the fact that it demands a different kind of approach. What we now increasingly call whole of government. So it's got to be, you know, you need to have conversations that, you know, bring all of these different players and constituencies and stakeholders into the conversation. So it's civil society groups, it's governments, it's law enforcement, it's techies, it's, you know, policy specialists. But it is an encompassing argument that acknowledges the diversity of interest and that acknowledges that there are different folks that have different contributions to make. 
And that I think at the same time, you know, recognizes that we are in a world that is changing so rapidly that the demand for flexibility that follows from that revolutionary pace is such that it transforms, I think, the nature of engagement itself, which is a very weird answer and a very incomplete answer, but then the time is killing us here. But the fact of the matter is, as you said, we just got our arms around WannaCry, I think, and we already know that the next one's out there. And so we can only offer sort of broad nostrums, if you will, and sort of ways that we can engage. We have to be looking ahead and we have to be thinking now that, about the way that we integrate new technologies into our societies. I mean, that's really, I think, one of the really interesting vulnerabilities here. And that is that we are developing societies of which their essence, their bones, not the bones, probably, but the capillaries, if you will, and the blood vessels of the system are information technologies. And as we grow and develop, those vulnerabilities are integral to the way the system works. And yet, as they're developing, we don't know what the vulnerabilities will be. So we have to acknowledge that this is evolutionary, revolutionary, it is internal, and it is, at the same time, something that we are always going to lag a little bit behind. And then deal with it. Wow. So the nature of our world has changed, is changing, maybe faster in some ways, but also the nature of our international engagements must change to meet that changing world. I'd say turn off your phone a little more, play with your kid, spend time with your special folks, be a little less connected, and get back in the real world. It's never a bad idea. Whatever happens, we have to continue to engage, though. And that means shaking hands, right? Handshake. And can somebody make that weird modem sound as you do with it? Remember how it connected? Exactly. That would change pitch and register. 
Thank you, Brad Glosserman. Thanks, Jay. Glad to be here.