Thank you, Martin. I see this is on. Did you say seminar or sleep after? Yeah. This is going to be tough, because after following probably the greatest jokester in the philosophy circle, Henrik Syse, and Martin is known for his witticisms, the two of them are keeping us often in stitches, so I'm not even going to try. I'm just going to go right to what I would like to do with you this afternoon, which is the Q&A essentially, and to get you involved in helping me think about certain kinds of cyber conflict and what we are to make of them. And the reason I thought I would defer to you is because generally it's the case that, while I'm very interested in this stuff, I suspect many if not all of you know way more about it than I do, and so you'll have some intuitions that would help guide us. In fact, I was mentioning to Henrik this: these cases that are up here now, that I'd like to talk to you about, come out of the Journal of Military Ethics, in a debate we're having trying to understand how cyber war and cyber conflict ought to be understood, by looking for appropriate analogies in the real world and figuring out what we would do then, and then figuring how, whether or if, this translates over into the cyber realm. So let me start with that. The first case there asks you how you would react to a scenario in which real human beings wearing real black ninja suits, as nation-state agents from a foreign power, were observed attaching real, you know, bombs and mines and grenades and explosive devices to bridges, power stations, dams, air traffic control centers in Aurora, Illinois, and so forth, to set them on fire or to disrupt them. If that happened and we observed them, how would we as a nation, how would our government, how would you in the military think about, respond to... What would you propose to do?
About these incidents? Over to you. Grab a microphone. First wake up, and then grab your mic, and let's hear, you know, what you think of an activity like this, clearly clandestine sabotage of some kind. Ma'am, right here, what's your reaction to this?

Obviously, living in the US, that would be a huge difference compared to what normally we're exposed to. So, I mean, I think first you go through all the phases: you fear, and then you question it, anger, and anger, yeah, and then how long it's going on, and what the motive is, and the motivation, and obviously response.

There you go. It's a, yeah, that fear and anger, outrage, terror. This would not sit well with us, I assume. We would assume, if we captured some of these people and discovered that they were state agents, that they were from a foreign government... As I mentioned, my first would be: oh, they're terrorists. Maybe they're domestic terrorists. Maybe they're foreign terrorists. Oh, no, they're coming from the People's Republic of China, or they're coming from North Korea. Let's try North Korea, just for the sake of argument. We discovered that these folks are from North Korea. What are you gonna do with them when you've arrested them and discovered this? Anybody? What would you want to do with them? What would you want to do about North Korea? Yeah, there we go.

Well, I think that's one of the things we struggle with now, sir. I mean, we invaded Afghanistan after 9/11 because they were harboring terrorists, and then we capture the mastermind and we try them as a criminal, not as an agent of a non-state actor, not as a warrior, but as a criminal. So I think the issue would be up to the politicians, whether we treat these non-state agents as agents of the state and thereby hold them under war powers, or we treat them as criminals and just put it under the umbrella of terrorism.

There you go. That's an interesting point: is what we have here a criminal act, or is it a
state-to-state, interstate conflict? How do we treat the individuals if we apprehend them? Do we treat them as criminals and put them in jail and put them on trial for domestic terrorism, for acts against the safety of the public? Or, when we discover that there's a conspiracy and a nation involved behind them, do we do something different? Suppose, just for example, that this didn't happen once; it happened several times. First time, maybe we found the devices and said, who the hell put these there? And we took them down, and there was a hubbub over, you know, do we have terrorists in our midst, and are our surveillance devices sufficiently robust to catch them, and so forth. And then they come again. This time we see them. People say there are people in black ninja suits up there on the bridge, and they're putting explosives up there, and the police come and they arrest them, and they find that it's not just one city but many cities where these folks have been, and they're doing just that: they're putting up explosive devices on vital infrastructure. It's quite clear that the infrastructure itself will be damaged, and in the course of that damage, if those things should go off, people will lose lives. There'll be a lot of loss of life. So we arrest 'em, we put 'em in jail. Now what? We found out they're from North Korea, and this is the second time they've done it. How about you root? Shall I come down and grab everybody? I don't know, make sure... Help me out here. I don't know what to do about this. What would you recommend?

Well, at this case it's not good after we consider it as the criminal case in the morse is. We have to do, well, we have to return whether it's the terrorist act or not. It depends on the purpose, so depends on the agency can find out more information of behind the purpose, who back in the month. Are they, yes,
they from North Korea, but they're backing up by the government, or they just rogue agent? So do we really know the intention behind the roof? So we can't really go full military-to-military action against that nation, whoever it is. We have to find out more until before we make...

Okay, so we're gonna need some more information. We're gonna have to interrogate these folks, and that yields all kinds of interesting and difficult prospects in itself. But suppose they're truthful. Yes, we are agents of the government, they say, the government of North Korea, the government of the People's Republic of China, or something. They identify their nationality and they say their work. Well, of course, are they telling the truth? We need to know that. So presumably we get on the horn, or we send somebody to... if it's the People's Republic of China, we go to the embassy, we complain: we just caught your guys. And the embassy says, well, we don't know who they are, you know, they don't work for us. And we don't have diplomatic relations with North Korea, so we don't have anybody we can obviously ask. But the agents who are doing this stuff tell us they're working for a government. We need to know if they are, and then, if they are and we know who the government is, all these questions about accountability and so forth. We need to tell them to cease and desist, or what? We've caught your agents now doing this two times. They say they work for you. You deny it. But then they keep coming back. They say the same thing. Oh, no, they say something else interesting: oh, we're not gonna set these off. We don't intend to blow up anything. We just want these in place in case you should get involved in our internal affairs over on the other side of the Pacific or something. And then, if you get into an altercation over there, that's none of your beeswax, we'll set off a couple of these things, but that'll be after you've done something wrong. We don't want to do anything.
We have no quarrel with you, but we know you people in the US, particularly you Navy people, projecting power all over the place, that we have no way of countering that, so we're sending our guys in here. At least that's what the individual, you know, ninja-dressed guys... That's what we're doing. It's harmless. We don't mean any harm. We're not gonna set them off, and they will go off accidentally, unless you get involved in our internal affairs, like arguing over who owns the Senkaku/Diaoyu Islands or something. That's none of your business. That's our business. We have a treaty that we signed back in Cairo in 1940 that says the islands are ours. And then, when everybody got together after World War Two in Potsdam, the Americans and the British and the French and the Russians all said the islands are ours, and so we have it right here in writing. Oh, but the government changed. Oh, well, that doesn't matter. We're still China, Chinese; those islands are ours. Now, if we try to take them and you try to interfere, we'll set these things off. But if you stay out of that, you've got nothing to worry about. Now, that's the story the ninjas are telling you, where the Chinese embassy is: we don't know who these people are, they don't work for us. This is a fantastic scenario. So now we're into international relations. Help me out here. How do we handle this? What's the next step? It's like a war game here. Except, well, that's the question: is it in fact a war game? Yes?

Well, sir, Lieutenant Commander Alan Hester. I would say in this specific case of them installing these devices, albeit not planning to set them off unless this, then, and that occur, they still impinge upon our sovereignty, and that by itself is problematic.

Right. It sounds like even just that, not single but constant infringement of sovereignty, violation of our rights of sovereignty, and appearing to put our citizens in jeopardy, would invoke what in the discussion by Dr.
Syse in the preceding hour, lunch, would... that this is a just cause for war. Isn't it? Or is it? Do we threaten to go to war over this? Do we threaten to do something to the Chinese or to the North Koreans or to some of their hardware, or what? Exactly what would we do if this just kept happening, especially if we arrested them? We yelled at the embassy folks, we yelled at the ambassador, we denounced the actions in our press, and then we sent the people home and said, go home and don't do this again. And they kept coming back. Oh, yes, here we are, fixing more bombs on your bridges, and so forth. How long does this go on before we do something, and what do we do? We've tried negotiations. We've tried arguing. We've tried denouncing people. We treated these folks as prisoners of war and repatriated them on the grounds, or at least on the promise, despite the denials, that this wouldn't happen anymore, and it keeps happening. Anyone? This is your field, not mine. I mean, I'm one of those people Dr. Syse was making fun of, you know, philosophy professor. You know, I talk about abstractions and weird stuff and trolleys, all right, and pushing people in front of them, preferably my colleague Martin when he makes bad jokes, and so forth. But this is your field. What would you do? What would you recommend being done? What would be being discussed in the wardroom at this point? Yes?

Okay: send special forces, and we'll do the same thing, exactly reciprocal, to them. You know, but this is dangerous work. They're lucky.
They didn't get themselves blown up or killed, and we have no guarantees that, if we sent our guys, they would be treated so well as we treated these agents, alleged agents, of a foreign government. But that would be a possibility: exactly a symmetrical, reciprocal response. Any other thoughts? How serious is this, especially since no harm has been done, and the agents involved in setting these trap door devices, or whatever it is, these bombs, are saying, well, we're not going to set them off, we're just using them as a deterrent? Now, obviously you see where I'm going with this, but I'd like some clarity, because really there are differences of opinion amongst those who argue about this in the pages of Martin and Henrik's journal. I'm one of them. I mean, I think I know what I'd do, but I'm not sure that we know collectively, and certainly we would disagree on what we think we should do. Is this a serious enough cause for military action of some kind? Anybody? Yes?

Yes, I think this case we can take a page from history, and this is more scale...

Okay, so you all heard that: that could be essentially the Cuban Missile Crisis, now taken into the 21st century. That this is something like that: planting nuclear weapons on soil 90 miles from the American coastline is seen as a hostile act, even if the argument is, it's all defensive, we're not going to use them, we're only going to fire them if you in the US try to invade Cuba again or do anything else that really is, you know, defiable from our standpoint. Only then would we ever use these, so they're a deterrent. These are not offensive weapons. And some argument like that's being made here. We're putting these not just off your coast but inside your country, on your infrastructure, where people live and work and travel to work every day, and they're threatening the power and the water and the food supply and the transportation system. But we're not planning to use them.
We just want to deter you from military interference and adventurism abroad in our own affairs. So is this like the Cuban Missile Crisis? Does this call for something as dramatic? And you remember, historically at least, that was about as close as we've ever come to fighting an all-out nuclear war. It could easily have become one, and we were certainly prepared to do that if that's what it took. I mean, that's an interesting case, but okay, so is this like that? Yes? No? How many think yes, this is like the Cuban Missile Crisis, this is pretty serious? How many think, I'm not so sure this is a big deal, people, who cares if they put bombs on our bridges? Okay, I'm not seeing a lot of hands. I see a few kind of wimpy yeses, not much, and then I see a few, oh, that's, you know, nuke 'em into the Stone Age, and then everybody else kind of, oh crap, when will he shut up? Soon, I promise, soon. Yes, sir?

If you're, if you're leading us down this cyber threat, it's... It is different. What it is different. Oh, I look at history. I think the more things change, the more they stay the same. You're talking about the cyber and you're talking about information. Okay, I look at the same sovereignty issues that happened during the Protestant Reformation, even Gutenberg with his printing press, and I look even just a little bit further down history and see the communist threat, and then the witch hunt that occurred in our own country because of ideas. Okay, so what is a threat? We're making a lot of assumptions here.

Okay, okay. So you would be nervous making this analogous to the cyber case, which is the next case up there. Is that right? You don't think it's a good analogy? Well, it might not surprise you then to think that some of the contributors and readers of the Journal of Military Ethics also don't think these two are closely alike. They're different.
So you think the first one, though, the real physical one, is serious? Okay, so the first one, if it occurred, would be serious. But if we turned it into a cyber case, then you would want to back off? No? I hear a no. Say some more.

No, I think a cyber attack, depending how serious it is, which they're starting to occur in more frequency, we're gonna have to be a little bit more aggressive battling back in that regard. The first one definitely gets me agitated, okay, and I think you do have to have some type of threat back to them of equal kind.

Are you a Marine, by any chance?

Yes.

Ah, thank you. Good. I was gonna plead for some help and an expeditionary force, to say, come on, guys. If, you know, the first one, that worries you. The second one, though... Say that again? It's not clear. You're gonna have to do something, but you're not sure what? You're gonna have to respond in kind with your own cyber attack back. Yeah, okay. So if we would send special forces in the first case to do to them what they had just done to us, we would send cyber weapons and trap doors and sabotage. And oh, by the way, we do, and you know full well, more than I do, that we already do this stuff. We're kind of at war now, if you want to call that a war. There's a constant state of low-intensity cyber conflict. We all know this, and we're doing it to them and they're doing it to us, and so forth. The question is what to make of it, see, and that's the thing that we were arguing about in the Journal of Military Ethics: is this serious and grave in the way in which the first case seems pretty serious and grave, a violation of sovereignty, a threat to the life and well-being and property of our citizens, a direct action against which, you know, we would think we would be entitled to do something equivalent at least to the Cuban Missile Crisis, and maybe something more: an embargo, special forces sent to do what they've done to us, and so forth? And then the second piece of this as well, if we put it into the cyber
realm, as I've done, and I tried to make these look identical, except obviously for the fact that in the second case the trap doors are not actual dynamite and TNT and stuff. They are software programs that will end up doing exactly the same physical damage to those pieces of infrastructure as the dynamite and the grenades and the TNT or whatever the hell the ninjas were putting up there. So that when the smoke cleared, in both cases there would be rubble if they went off. There would be rubble where there had been bridges, and there would be people who were on them who were killed as they collapsed. There would be floods as the dams burst. But the dams wouldn't burst because dynamite blew a hole in the dam. They would burst because a software program caused an electro turbine to, you know, do like I did at Sandia, and just, you know, operate faster and faster till the whole thing blew up and exploded. And that explosion... Do I care whether it was an exploding hydroelectric power generator or a piece of dynamite that blew the hole in the dam that killed, I know, a hundred thousand people and flooded half of the Southwest? Does that matter? No. Okay, the effects are the same. So whether I use a cyber weapon or a physical weapon, whether I put the thing there by sending a ninja to tie up the bomb, as he would have to do on the bridge or the dam, or whether I send it via my keyboard and send a worm that somehow infects by software that's running the power plant or whatever, if the physical effects are the same, it's the same. Yes? No?

Sorry, I believe that the who-did-it matters. So is it North Korea or is it China?
Is it another, is it another nation that we feel, ah, you should take action against and win decisively? Or is it someone that we feel would drag us into a prolonged war? And I think that that in and of itself would dictate what a response...

Okay, so they're the same in terms of their effects. But in both cases, just as we said we have to verify the stories of the ninjas, are they really from China, really from North Korea, they say you aren't, we would have to do the same thing in the cyber realm: the problem of attribution and accountability. We'd have to do our cyber forensics and figure out that the software that was planting the devices, in the trap doors, getting prepared to sabotage our infrastructure, did in fact come from Shanghai unit six one three eight four, whatever the hell it is. And if we did know this... You all know we've indicted, in U.S. criminal court, five members of the People's Liberation Army in that Shanghai unit, by name. If they should ever travel to the United States, they would be under arrest. Now, of course, we don't expect them to, oh yeah, it was me, I'm here to turn myself in. We don't expect that to happen. We just wanted to address this question: we know you're doing it. That's how you know. And you can deny it all you want, but we caught you red-handed. Your fingerprints, digital fingerprints, are all over the software. You, not just China, not just PLA Shanghai unit six one three eight four, whatever the heck it is, not just that: you, Colonel Fang, have done this, and you wrote the software. We know you did it, and you're under arrest if you should ever come to the U.S. Or if we never get hold of here, we're going to put you in jail, put you on trial.
Yes?

So I think there are two big overlying issues here. First of all, "the effects are the same." Okay, not every cyber issue is going to blow up dams and rain fury, so there are actually lower-level cyber effects that may not be the same as bombing bridges. The other piece that you have that's very different is the aspects of time and space: the fact that you may have these trap doors off U.S. soil, or the fact that somebody can reach it from China almost instantaneously, and you don't actually have to move people across the world. I think these two issues are the bigger underlying pieces in the overall discussion.

Okay, thank you. Your Cadillac Escalade is waiting outside, the prize for you for beautifully segueing into the problem that, yeah, if this was as simple as it was, maybe we would have learned something. The clear, equivalent, effects-based kinetic scenarios, at least, and where attribution is not a question and we can figure it out, we know it's the Chinese, just like we knew it was the Russians putting the missiles on Cuba, we know it's the Chinese putting these trap doors in our software, and they're going to do the same thing, we've indicted them by name, yada yada yada. Even so, things begin to erode. The analogy, like all analogies, isn't precise, and in a way a lot of what we do in international relations, ethics, law, just war theory, is look for analogies that work, because we don't know how to think about this stuff. This is a brand new domain. You could compare it to how, I suppose, one of our mutual friends, another brilliant philosopher by the name of Cook, but no relation to Martin, just a good buddy, James Cook, who...
Colonel James Cook out at the Air Force Academy has likened this kind of situation we're in now to what it was like at the dawn of the age of aviation. You know, we didn't have any rules. Nobody had ever flown before, and pretty quickly, just as here, we get all kinds of stuff in the air, and some of it's government stuff and some of it's private stuff. You got Wright brothers flying around, and then Wilbur opens a defense contracting industry in Dayton, Ohio, and we're off to the races, right? And we didn't have any rules governing this, so what did we do? Well, we said, well, this is not unlike navigating on the ocean. We have all you Navy guys, we have all these lights and patterns and, you know, rules of the road and stuff. Couldn't we just take these and jimmy them a little bit and make them work in the air? Which is what we did, right? And now we have government planes and private planes and commercial aviation and military aviation and all kinds of stuff going on, without confusion, with no problems whatsoever, you know, everything is smooth, orderly, and so forth. Well, maybe not, but at least we know how to get around and deal with a lot of different kinds of phenomena and activities in the realm of aviation that we didn't know how to deal with in 1903. And Jim predicts, Jim Cook predicts, we're gonna do the same thing in the cyber realm. Okay, I'm here. You're here. Let's do it. Hey, there's the problem: the doing of it. What are the comparative... you know, how do we draw the analogies? So I started out with two, and I think we've beaten those two to death, and we're not finished yet. We saw some similarities, we saw some differences, and most of us sat on our hands. We weren't sure exactly what we should do in either case. But we were sort of clear, it sounds like; many of you seem to say, in the cyber case, whatever we would have done in the actual real-world case,
we would dial down a little bit. We would back off, because things would be even more vague: attribution would be vague, damage would be difficult, harm to assess, and so forth. So we'd want to tread... and then we can act at the speed of light, rather than having to transport our troops and project our power over 3,000 miles of sea space and in the air and so forth. Here, you know, since we could act quickly, but we don't know what we're doing, maybe we better take a deep breath and keep our finger off the button, and keep working on trying to understand this, and keep yelling at the Chinese, and see if we can work something out. Let me just pause there. Questions, comments? So far so good? Yes?

Yes, sir. Just one more comment. A lot of the effects we can get from cyber have been noted, and I agree that we can get kinetic effects. But cyber also adds one more option that we don't get with physical bridges, and that's at least the theoretical possibility of making our cyber bridges impenetrable. Because these cyber hacks, these worms, these viruses that infect our programs happen due to software flaws that allow data to make the program do something it was not designed to do. But the program in any case is doing exactly what it was programmed to do. It's a flaw in the programming, right? Yeah, so at least in theory we can focus on making programs that can't be hacked, that be denied their service, you know, due to things that aren't up to the program's control. But they don't have to be wide-open sieves like we buy today.

That is an interesting observation and a really good one, in that I have a colleague at Postgraduate School, who I used to... remember, I retired. Um, but I had a colleague, I still have a colleague, at Postgraduate School who's a computer scientist, and he says, you know, these cyber vulnerabilities, in a way they're not like the bridge vulnerabilities.
I'm not going to go get the engineer and say, why did you build a bridge that went over water? Now the Chinese can blow it up and drown people. I mean, no. Maybe there is a flaw in the bridge, and maybe they exploit the flaw, but presumably the flaw in the construction, if any, is not really what's at issue. It's the dynamite that the ninja is attaching to it; flaw or no flaw, it's going to blow it to kingdom come. Whereas in the case of cyber, you know, this was Bill Gates' fault. He hired all these computer software engineers, paid them a mint, had them all working and not really knowing what the hell they were doing, and every vulnerability, or at least most of the vulnerabilities, are Microsoft vulnerabilities or software vulnerabilities. And my computer science friend says, a few idiots who, like me, who do the computer programming, if you'd done your job right there wouldn't be any cyber conflict, because there'd be no vulnerabilities to exploit. Well, I don't know if that's fair. I don't write code. I don't think I could. I think it's very complicated. Maybe this is just a problem of dealing in a realm that is so complex that nobody could ever do it perfectly, and somebody else would sooner or later be smart enough to figure out where they'd screwed up. And that's the world we built for ourselves, a world of vulnerabilities and Internet of Things. So I've got an app on my phone that can, you know, turn my hot tub on at home. I've got another app on my phone for the car I just bought yesterday, that my wife is really pissed off at me for doing. I can turn that on from here, you know. I can't believe it. But of course that means that those things, and all the things that we have that are connected and networked that way, all through software programs and apps that somebody's writing like mad, that are going to be full of flaws... We did this to ourselves. And that makes a big difference. We didn't do anything. We were innocent.
We were the just warriors in the first scenario, who are being unjustly attacked by the ninja people strapping bombs to our infrastructure. But we sort of set ourselves up for the cyber case, and so does everybody else. And the deeper we go into this, the more stuff we do, the more programs and apps we write, the more vulnerable we make ourselves to being attacked. So maybe that means, when we are attacked, we can't be quite as indignant as I think my colleagues in the Marine Corps at least were ready to go to do something about this, right? In the kinetic case, we know how to handle that, but maybe we can't be so indignant and so clear in the cyber realm. Well, the segue for which you earned the Cadillac Escalade that's out in the parking lot was to talk about something else that's going on. It's even more vague now. That really is the subject of what I wanted to discuss with you. At least in that preceding case there was a close analogy, wasn't there, between the physical sabotaging of our infrastructure and the cyber sabotaging of it, if the cyber sabotaging was meant to destroy it physically. Now we've got a different kind of problem. We know these groups. You all know Anonymous. I think some of the others you might not know so well, and in any case none of them are state agents. LulzSec is a black hat organization of some kind that kind of takes great delight in exploiting the vulnerabilities you were just talking about. They're very smart folks, and they like to poke fun at banks, and I think they went after Sony Pictures, and I don't know who else have been their targets. But they kind of do stuff to them to show: I know how your stuff works and I can make it screw up anytime I want to, and to prove it, I'll deface something or make it not operate. Okay, Cyber Warriors for Freedom.
That was a much more political group in Azerbaijan, I think. I mean, we're not sure where they are, but the issues against which they were specifically protesting had to do with freedom of expression and some film festival that was being held in Azerbaijan, as far as I know. Anybody heard of these groups before? Anyone? Yeah, okay, a couple, a couple of you. Well, everybody's heard of Anonymous, of course. They make themselves known. Kind of interesting: they're anonymous, but everybody knows, not who they are, but that they exist. Okay. Well, yeah, what happens when the kind of things that that group does... These are technically, on that first line, those are criminal actions, right? They deface public websites, they attack banks and shut them down, they might steal data, or at least show you that they could if they wanted to, but they don't. Criminal acts. But they're not carried out like the 35 Russian kids who were stealing us all blind and stole 150 million dollars before the FBI took the NSA software and caught them. Another story. But these guys are not enriching themselves, presumably, at our expense. They're committing acts of political protest, and the term for this that we've developed is political activism. We take it to computer hackers and we come up with the acronym hacktivist. And that was the title of my talk, hacktivism. Excuse me, but it wasn't just hacktivism. It was state-sponsored hacktivism, which seems to be very different from what was on that first slide, very different from the thing we're objecting to and have indicted the five members of PLA Shanghai unit, whatever it is, 61398, there it is. This seems to be demonstrations of disaffection and political protest, carried out first, initially, by private groups like Anonymous, individuals or groups of citizens.
We don't know who they are, but they tell us what they're mad about, right? And they do things that would be considered criminal acts, like defacing public property and trespassing and possibly even theft of property, with a political purpose in mind, not for their own financial gain. Or sometimes vandals just do this kind of stuff because they're alienated computer geeks, right, and they don't like anybody, they don't have any friends, and so they sit there and mess everybody's Facebook page up or something. But this seems more serious than that. Okay, so far so good. Now we find that, hey, the Russian Federation did this. If we go back and think about what happened in Estonia in 2007, the famous, much-analyzed cyber attack, we could look at that and say, well, what that was... I mean, the Russian government denied any knowledge, right? And they said, wait with this, these were just patriots, patriots upset with behavior of Estonians who are moving Russian statue from center of town to military cemetery, and they are expressing their outrage. How can we possibly control? Well, I don't know. And that's a question. Did you put them up to it, Mr. Putin? Did you know about this? Do you approve of this? Did you encourage them? Did you give them money? Are they organized? Yeah, we don't know, right?
We have no idea. So it looks like it's possible, at least, that the Russian Federation engaged... and actually an article came out in the Wall Street Journal just a week ago. I was thinking about this and coming here and what am I going to talk about, and here was the piece that said hacking trail leads to Russia, and experts say malware found at US firm where military secrets were kept. The FireEye folks, you know, the security group, found this and discovered that not only was it the Russians doing it, but he said, you know, they're much more dangerous than the Chinese. We got the five PLA guys because they're not as good. The Russians are really the super-duper cyber experts. And this was a considerably more sophisticated set of attacks of this kind than we've ever seen before on American banks and financial institutions and you name it. Okay, but they're not taking anything. They're not taking your money. They're just keeping you from getting at it for a few hours. They're shutting down trades and exchanges, which could cost you something if you're investing your retirement funds, as I did, in the stock market. And that's why I'm here now, because I don't have any retirement funds, and so I have to do little gigs like this to keep afloat. But generally they're not doing any harm, and the harm they do is reversible and put it all back. We could stop the DDoS attack, the distributed denial of service. We can restart the frozen accounts that we've locked. We can give you the password to the malware that we have, you know, installed on your computer, and you can remove it after a time, just to let you know that we can do this to you, or once our dispute with you is solved. Point is, states have been involved from fairly early on in doing a thing that otherwise we would think of as acts of political protest by individuals and groups of citizens, or groups of vigilantes. I don't know.
I'm looking for the right way to think about what these things are doing, what these people are, and how we should think about them. This group here, the Cyber Fighters of Izz ad-Din al-Qassam, is an interesting example. How many of you have heard of the Cyber Fighters of Izz ad-Din al-Qassam? Yes, no? New to you. Well, Izz ad-Din al-Qassam was a Muslim cleric who was an anti-colonial fighter in the Middle East of the 1920s, 1930s, about then, and these cyber fighters, they've taken their name from this exemplary Muslim patriot who tried to fight against colonial powers, largely British. Who are they fighting against? Well, they took credit for an enormous attack on the 11th anniversary of 9/11 on US financial institutions. And this is one, if you watch the NSA revelations taking place after Snowden revealed, you know, that he had stolen all this information and blown the whistle, and then they let you in and so forth, they showed you a system known as Treasure Map, where you could see these attacks occurring all over the world. I mean, it was like something out of Batman, The Dark Knight Rises, you know, if you remember the thing that the police chief had in his office or something. You could see all this kind of communications and nodes and networks all over the place. Well, we actually have something like that. Treasure Map is the program that keeps track of this, and this was a massive attack, one of the biggest ever suffered. And it was highly successful for a while, then it went away. And then this group tweeted that they had done this, and they claimed what they were doing, it was a political act. They were protesting the continued availability of the film The Innocence of Muslims. How many of you know of the film The Innocence of Muslims?
Okay, this is the film that some American filmmaker made on his own, very critical of Islam. Kind of portrays the Prophet as a... well, in a very, very negative light. And so the claim was: we did this to you as an act of political protest against your, in the US, showing this film. We want the government to take it down. Stop. For one thing, we can't do that, right? I mean, I think a lot of people would like to take The Innocence of Muslims down, Innocence of Islam, the film, down, because it's offensive and it causes us trouble and it could get some of our guys killed in theater out of the reaction of angry people who think that we're all in this together defacing their religion and their faith. So this seems like something we'd like to do, but guess what? This is a democracy. The government does not have that power, right? So we can't do that. So why ask? I mean, you could protest, but why ask us to take it down? We can't do that. And then another funny thing was noticed: that the tweet site, the anonymous site where the Twitter feed for the Cyber Warriors of Izz ad-Din al-Qassam was announcing this, turned out to be the same site, when the FireEye guys looked at it and the Symantec security guys looked at it, that's the same thing that was used to announce the attacks on Aramco in Saudi Arabia a few weeks earlier. Huh. All starting to make sense. The banks that were attacked weren't just every financial institution in the US. They were banks that were complying with the US economic embargo against Iran. So put this all into the hopper. What does it look like? Just detective work here. We've got attacks on banks that aren't releasing funds to Iran. We've got attacks on Aramco, and the same tweet site used for this. What's going on? Looks like state-sponsored retaliation for Stuxnet and Operation Olympic Games and so forth. Yeah, it looks like this is state-sponsored. It's Iranian.
We don't know this, but it sure looks like it, just like it looked like it in these other cases. Okay, if we look at it this way, I mean, this is not anything we haven't seen before. But now notice what we're doing. We're beginning to look at a kind of activity, hacktivism, normally carried out by private citizens for political purposes. We're discovering states are doing the same thing, and they seem to be doing it as an act of war, or retaliation for what they regarded as acts of war, with some justification. And the traditional distinctions we make then between war, crime, espionage, all those things, it looks like these are really getting fuzzy, eroding, running into trouble. And if we look at the crime side at the top there, crime and vandalism, those tend to be done by private individuals for personal gain, or gangs or something. War, that's a collective state act to alter state policy, and espionage is kind of a low-intensity version. Hacktivism, right in the middle there. And it now seems to be available and being used by states as well as individuals for political purposes, in the same way Clausewitz said war was used for political purposes. We're trying to get people... we're trying to punish them for harming us, we're trying to humiliate them, or we're trying to bend them to our will. Sounds like war to me, except it's not. It's clearly not. And this whole phenomenon, viewed in this way.
This has begun to be something that we're paying attention to. A colleague at the University of Warwick convened a large convention not too long ago to talk about the rise of hacktivism generally and how we should think about that, and at the same time tried to examine the way in which states are increasingly using this as a method of settling the quarrels that they have, in lieu of, presumably, armed conflict. State-sponsored hacktivism is kind of a unique thing. It doesn't fit into any of those little spheres, not precisely. So where does it fit, and what should we do about it? And this is what, to go back to title of my talk, colleagues and I have begun to call soft war, in the analogy with soft power. And if that's a right way to think about this, it suggests a new kind of method of conflict that sort of blends elements of vandalism, hacktivism, crime, espionage, and uses it as a state-sponsored instrument of war. But it isn't war. It isn't equivalent to a use of force. It's much less destructive. It's much more nuisance-oriented. And it is not covered under the international law of armed conflict. You have here one of the most brilliant international legal scholars in the world, Michael Schmitt, who has done an incredible amount of work with colleagues all over the world trying to understand how current international law would or would not apply to cyber conflict. But that's if it does something like Stuxnet did, or something like I portrayed on the first conflict scenario. This, I mean, this is going to be a lot of work to try and get international law, that doesn't say anything about espionage, to cover this kind of thing. So what are we to make of it? And when we think of that as a technique of combat used by states or groups to adjudicate the conflicts that they have with their adversaries, it's not limited to cyber. You know, so far.
We've only talked about cyber, but there are other techniques available: economic techniques, techniques that use international law. There are media operations. There's disinformation and propaganda. You put all of that in the tool chest, and a lot of these aren't new. It's just grouping them in this way and using them for this purpose seems like it might constitute a whole new era of conflict that we're calling the era of soft war. And it's in that context, and with this I think it's time to wrap up, it's in that context I think we should look at the revelations of Snowden. Because of course there was none of this discussion when he revealed what he thought he knew about how NSA was violating American privacy by doing all this metadata collection. And I think I sent you all a read-ahead that I did on this some time ago on the NSA management directive 424, this enterprise knowledge system, Treasure Map and all that stuff. I don't know if any of you had a chance to look at it. But I had some pretty good technical advice from the deputy director of the end of the CIA at the time writing this, so the technical stuff is better than it would have been if it had been on my own. But the point that I tried to make there, and that I'd make down here with regard to this, is this is miscast as an invasion of privacy or even anti-terrorism. This may be one of the things we need to examine if there is this new phenomenon of soft war. How are we entitled to fight it? What are we entitled to do? What in particular are we entitled to do in the way of self-defense?
And even more particularly, is it possible, given the nature of soft war, that some things would be permitted that wouldn't be permitted in hard or kinetic war, such as deliberate targeting of civilians and civilian infrastructure? These questions need to be examined. Another thing that might be permitted is what we're already engaged in, and most of you know that what NSA was really doing was preemptive self-defense. They were trying to defend against acts of terrorism and crime and even warfare before they were committed, not trying to track them down and retaliate after the fact. Well, preemptive war is not usually permitted under the... certainly in the laws of armed conflict or in the jus in bello, ad bellum regulations that Henrik was talking about before lunch. Preemptive war is basically a no-no. We tried one of those once this last decade and didn't go very well, and you know, so in the kinetic sphere we don't license preemptive war. But it seems like in the soft war case we might be able to make a case for it. It would still be the case that the wars fought with these means would only be fought for a good reason, and that they would be... we would demand that they inflict damage... And that was kind of the argument we were having here in the room about how much damage has been suffered and how much are we willing to do in retaliation?
That's the principle of proportionality. But these two hard war principles that are very, very firmly entrenched, that you tend to go only after military targets and not deliberately target civilians, it seems hard to imagine how soft war would work without being allowed to loosen those boundaries. Ought we to tolerate that? Certainly these should be, if not a last resort, a next-to-last resort. We should try normal means of conflict resolution first, and soft war should be fought only after all those have been exhausted, but perhaps before you resort to kinetic conflict, which is what I think is the transformative feature here. If we think about a new era of soft war, involving but not limited to cyber, as incorporating some of the insights we learn from conventional war about when it's to be fought and how it's to be fought, and others recognize that they were there for a reason, but those reasons may not exist in the soft war case, then it's possible we have begun to come into an era in which conflicts, very serious and grave ones, can be adjudicated, fought, one side forced to do the will of the other in the Clausewitzian sense, without necessarily doing irreparable harm and damage to lives and property and treasure. That's the promise of this. The problems are enormous, and on those I invite your questions and comments now. Thank you very much. Did I leave you any time?
George, it occurred to me as you're talking, this seems to be about where the discussion of air power was between World War One and World War Two. You know, you had the theorists like Douhet and, in a slightly different way, Mitchell, who thought that this would be a way to avoid frontline warfare, that you would simply either do or threaten enough damage to the adversary's economic system and morale that you would avoid having to actually fight the war. Right. The difference is this might actually work out for it. This might actually work, as opposed to... yeah. As it turned out, that theory of air power didn't work out very well. So if it would actually work, as long as we're good at it, wouldn't this be good news?
I think it possibly could be good news. Yes. Yes, master these techniques, and I think also, as with previous eras of war, you come to some kind of consensus of practice with your adversaries about better and worse ways of fighting it. That's very important, and we don't know what those are now. We're busy experimenting, and so far we haven't hurt anybody terribly badly. Knocked out a few nuclear centrifuges, I think, is the only damage we've done of any great physical amount so far. But a lot of attacking and counterattacking is going on, at least in the cyber domain, and I don't think it's clear to the people carrying it out exactly what the limits are, what the ends and goals and purposes are, and how well the practices are serving them getting to those ends. Okay.
Just one item of fact for the audience. George mentioned Michael Schmitt, our colleague here at the War College in the international law department. He produced a really excellent manual with a bunch of colleagues called the Tallinn Manual, from Tallinn, Estonia, which was the attempt to figure out what international law about all this would be. At this point, it's just a bunch of people offering an opinion about what it ought to be. So they've run it up the flagpole and we'll see whether anybody salutes or not. So it has no legal status, except that it's the considered opinion of a bunch of international law, very well respected experts. Yeah, okay, questions for the audience, please.
You say that this is new, but for the soft power, nation states have been using economic sanctions for years. Yeah. This is no different, right, by using that, and it's a very low bar of entry for cyber, so it's much cheaper that way. So it's not necessarily new. The Tallinn Manual of course brings open the discussion, the global debate, but we don't have a common language for... we don't have an economy agreement on what's right, what's wrong, internationally speaking. So that's part of the problem. The other problem is that the governments don't own cyber domain. Commercial enterprise, right, owns the cyber domain and the infrastructure. So when you're talking about dollars and cents and profit, companies don't really want to listen to their governments, because that's the bottom line. So the other thing is you can't see this. You know, people tend to... virtual presence is actual absence. So they can't see it, unlike the example you gave with the ninjas. So they can't believe it. But hysteria works. So we saw that, it was in four cases of Ebola in the United States, but people are going crazy about that. Right.
So it's just a matter of educating the people and comparing cyber to... isn't it more akin to, like, global warming, in a way? Because the cyber domain is a man-made domain. It's arguable that global warming is a man-made problem, but no one can agree on what to do to stop it.
A lot of really good questions and comments there. Let me parse some of them and try to respond quickly. The point about the Tallinn Manual, that it doesn't have any, you know, authority or anything. Yeah, one of the great disappointments about this is that, by and large, there's no prospect of any new international, you know, constructive international law on the topic of cyber conflict in particular. Nobody, you know, surprise, surprise, the world community is very much like the American community: enough laws, we don't want any more laws. First let's kill all the lawyers, and so forth. So the Tallinn Manual got a resounding, you know, vote of approval at the United Nations level from countries who weren't included in the process and so forth. So yeah, we don't know how to think about it, and we're not making a lot of progress there. The issue of whether soft war itself is new or not: it's not that economic sanctions haven't been practiced, and disinformation and propaganda and psyops. It's linking them all up with some other things that nobody ever had or would have thought of at the time, such as lawfare, the use of human shields by Hamas. If they're volunteers, then the Israelis, technically, under the law of armed conflict, can't shoot at them, right? And so you've defended a target with people. You're not supposed to do that. But you're using the laws of war against... you know, as themselves a kind of weapon. Cyber: it's linking them all up, and the founding document.
Maybe some of you know this or have read this, is a monograph that you can find online, and it's called Unrestricted Warfare, written by two PLA colonels in 1998-99. And they essentially laid this whole strategy out. I said we... they didn't call it soft war, but they said, you know, sort of, we're gonna have to fight wars in new ways, because the Americans are so strong, their conventional power so great, their wimpy reliance on technology so overblown, that they'll just blow the rest of us out of the water. So we've got to find new and creative, clever, jiu-jitsu-like ways of fighting, and they listed all of these things, including cyber. And so in a way the founding document is that one, and then this is just giving a name to that doctrine. What else? Commercial ownership of the cyber domain in particular, and the side of the commercial entities, Verizon and com, they don't want to have to do anything. You know, they're already mad that we found out that they were helping provide metadata to NSA. They're not going to do anything more in the future. True. Which means that, A, it's hard not to target civilian targets if the civilians own the infrastructure, if you're carrying out cyber conflict. And so that rule against doing so, which I thought made sense for a while, but now I think it sort of doesn't, or at least we need to work on it. I don't know what to do about that. But it makes the civilian targets available, because everything passes through them in the case of cyber. I can't remember if there's many more things you raised that I'm not sure that I've addressed accurately. I'm sorry. There was one back there. Yeah, yeah, please go ahead.
Hi, sir. I'm a commander by climbing in. I wanted to make some comments on the aircraft analogy going back to pre-World War One, and it was kind of three things.
I think that are different with that and with cyber today. And the first one is kind of like an asymmetric problem. The United States is much more reliant on cyber than many of our possible adversaries are. For example, North Korea: you could cyber attack them back to the Stone Age and it would still be a day that ends in Y. Yes. They wouldn't really notice the difference too much. Whereas your average citizen would not suffer. Yes. They're already busy suffering. So yeah, we definitely notice that. Yeah. And likewise, you could see the bombers going to the cities. You could see the bombers coming back. It's much easier to attribute attacks to whichever nation had launched the attacks. Whereas nowadays you can route packets through proxies. You can make attacks appear to be coming from the United States itself, which is kind of a lawfare problem, because we actually need warrants to do that investigation now. You can't just do it as a military intelligence problem. Right, right. I kind of forgot what the third one was, but...
There's a lot of stuff here and it's all a mess. But I think your point that, you know, how much mileage, I'd put it this way: how much mileage can we get out of the analogy with aviation? Some, not much. I mean, it's heartening only because it's a large area of public concern about which we knew nothing a century ago and now we've pretty much worked it out. I think that was Jim's point, and he's... we'll do it here too, we just need time. But then my rejoinder was, okay, here we are, let's do it, and you see, the doing of it is hard work. If you see what Mike and his colleagues did in the Tallinn Manual, it makes the Talmud look like a simple document by comparison. I mean, they really had to do a lot of gymnastics to make existing legislation that was already fairly clear apply to all these cases, and somewhat.
Well, and it doesn't, you know, that's just you guys. And so what we have to do in the larger arena to get this worked through, I think we're still years, if not decades, away. And what it will look like when we're done, I have no idea. But I think we need to get on with it. Okay.
So tonic manner it's honest not states navy. In terms of analogies, one thing that kind of struck me was maybe this is more akin to age of exploration, British East India versus Dutch East India Company, where you have this confidence of governments are wanting to attain new colonies, at the same time leading up to these mercantile interests to actually pave the way through it. This mercantile interest sometimes getting into their own kind of armed conflicts with local tribes, but also with their European competitors. You had a certain point in the history timeline that the British East India Company actually gets nationalized, and a lot of these companies, same thing with Dutch East India Company as well. And it would progress to what they did in Indonesia, but maybe that's kind of where it's going to go.
That's really, yes, that's another good place historically to look for some insights. How did we deal with the private, public, military, state-sponsored versus, you know, commercial sets of interests on the high seas at the beginning of this Westphalian period that Martin and his colleagues have been talking about? How did that work? Can we learn some lessons there? When we think about military contracting and its issues, I mean, there were military contractors all the time in those days. Myles Standish, to cite one famous local figure, was certainly a hired, paid military contractor, as were John Smith in Virginia, as the East India Company paid British naval officers to crew and command private gunships to protect their trade cargoes and so forth.
I mean, this public-private thing, there are a lot of lessons we could learn from that period that I think would help us. What specifically they are, until we get down to the hard work of rereading those documents and those histories and taking those courses and so forth and putting that to work, we still need to do that, but I think it is a rich resource. Yes. Yes, sir.
10 20 10 trend, US Navy. Kind of want to revisit, I think, how we phrase this going back into the situation of the cyber. It seems like we've chosen the choice of words of hacktivism. Yes. And as you mentioned, kind of choice from political activism. And I'm surprised that we chose to follow the path of a civilian type of way, of civilian activism, civilian way, so that we say that we can't do anything because we can't arrest, we can't actively do anything in the warfare world, because it's more towards civilians. We can't take this to that action. I'm surprised that we didn't take a path of that they are cyber aggressors. When you take the path of cyber aggressor, and I know it's a crossing the word, people can say that, I think when the world started with suicide bombers, right? I think for a while there back in the world we decided, why did we choose suicide bombers? And then we tried to go rephrase that to say, you know what, they're homicide bombers. Tried to kind of change the dialogue, but it went too long. And I think if we choose the word cyber aggressors instead of doing the path of hacktivist, then it allows us to go down the path of either law enforcement or military kinetic actions. I think those are the things, just my opinion from seeing this, where you go with the soft power, we're choosing the passive approach instead of an active approach, to say that as we walk down this path, as we define this, and as you said, the rules of the road start to be defined, how do we do this?
I think we have to take a look at how we define the words so that we can be able to attack it, because you see this problem, I think this becomes part of... hacktivism becomes a part of what we see with the irregular warfare. Uh-huh. Yeah. I mean, you know, the guys down in Guantanamo, right? We got to make a decision at one point: are they criminals, terrorists, what are they? Yes, exactly. Once we made a decision by saying that they're cyber aggressors instead of hacktivist, we give them a path that we can actually take an action at. What do you think on that?
Well, thank you very much for those very, very astute comments. I think the sum total of them suggests words matter, concepts matter. They either clarify or they obfuscate and confuse. And if I heard you right, you're worried that using hacktivism, with its political connotations, is maybe not the right word to use in this case. If so, what is? Your larger comments made me think of another very esteemed colleague who we've lost to retirement here at the War College, William, Professor Rubel, nicknamed, call sign, Barney, Barney Rubel, who brilliantly outlined this kind of a process that we go through in terms of IEDs and suicide bombers and so forth. He said, look, you know, there was once upon a time in the age of heroic warfare, with big ships and guns and conventional armies and so forth, and you know, really great commanders. And then we got into this sort of systemic, sorry, systematic technological warfare, where it really didn't matter if your commanders were all that good or not. You just had such great stuff and such great people together operating it that nobody... this is the thing the Chinese theorists were complaining about: we can't stand up to the Americans anymore.
They have mastered this new form of systematic warfare. We can't touch them, nobody can stand up to them, but that does make conflict go away. So what happens? People learn new modes of conflict, and I think he called the third phase systemic, where they would invent little things like, you know, the robots come and you paint the lens of the camera so they can't see. You put an IED out there and blow up your troop trains. You... suicide bombers and so forth, because those are the weapons available to you to pursue conflict. And now, you know, what happens next? Well, of course we come back with Predators and cyber stuff and whatever, and do to them what they did to us, and everybody's always off balance. But I thought it was a very interesting evolutionary notion of how warfare goes. And maybe we should get Barney to come back and talk about this, because I think it's very useful. And it helps us with the question, how do we conceptualize what's going on and understand what initially is shocking and deeply frustrating to us when these cyber aggressors or these suicide bombers or whatever do what they do. Our initial reaction is like yours to the first scenario: anger, fear, outrage. But we need to think clear about what this is and how we kind of respond to it and combat it. And that still needs to be done. Okay. I know there are other hands out there, but I want to give you adequate time in your seminars this afternoon. So we'll quit for now.
Thank you very much, George, and please make your way to your seminar rooms.