It's my pleasure now to conduct a conversation with one of New America's fellows, Shane Harris, who is author of the book @War: The Rise of the Military-Internet Complex. So Shane, welcome. Thank you. Thanks for having me. I strongly recommend the book. I wanted to start, let's start with some specifics. Let's start with Iraq. And I wanted to ask you, how did the military's experience in Iraq, or maybe the military and the industry's experience in Iraq shape the way the military looks at the whole cyber field? So it was really formative. I talk about this in the book in the beginning, it's really sort of the first section of the book. In 2007, everyone is familiar with the troop surge that President Bush ordered up in Iraq where we sent tens of thousands of more ground forces. But parallel to that was a massive intelligence gathering effort, a cyber effort really, that I think many people I interviewed for the book believe was actually the linchpin that helped turn the tide of the surge. And what you saw there was the full sort of capabilities of the U.S. intelligence community, mainly through the NSA, being brought to bear to collect all electronic communications inside the nation of Iraq to effectively sit on its network, gather up cell phones, emails, text messages for the purpose of locating physically insurgents and understanding how the insurgents and bomb making networks were comprised. That information was processed, collected, and practically real time. It was an unprecedented intelligence gathering effort on the field of battle and was handed off to the troops on the ground. So you created this cycle of sort of gathering information in the cyberspace and handing information off to people in the real world space. And it was a lethally efficient and effective mechanism that really, I think, showed the military going forward how you could pair up the capabilities of kinetic military activity with cyber activity to really great effect. 
So was this just a difference in degree from – I mean, we've always done that. We've collected intelligence and somebody says, here's where the enemy is. And that gets back to the folks who are actually in charge of the kinetic operations. So you're translating information into action into battle deaths. Is this just more of the same, or is there something about the ability to do it at this scale that makes it a difference in kind, not a difference in degree? That's right. I mean, to some extent it is an extension of that kind of battlefield intelligence. What we're really talking about here is, in fact, the scale. The system that was built was something called the Real Time Regional Gateway, which NSA ran, which is – we were really talking about a piece of infrastructure here that was capable of ingesting this information and ensuring processing in Real Time. There were other things that NSA was able to do that look a lot like information operations that have been conducted in warfare before. So sending fake text or sending real text messages to insurgents posing as people they knew and trying to lure them into traps where they could be captured or killed. So kind of techniques and ideas that had been used on a much smaller scale, but when you ramp it up that way and then you integrate and you put literally the people who are mining and analyzing the data in the same centers in the same rooms as the ground forces and the special operations people who are going out and conducting these raids and these attacks and bringing back more information, it is the seamlessness of that cycle that really became formative for how the intelligence community is going to fight – help fight wars. So would it be fair to say that if you combine the scale and the speed, then information itself becomes the weapon? 
I think that's right and that is the powerful lesson for them in Iraq was that if you could provide that information in close to Real Time, it couldn't in fact be sort of like a weapon in that way. David Petraeus has actually said publicly in documents that he credited this cycle with removing 4,000 insurgents from the battlefield. That's a pretty remarkable capability to be developed for really what was the first time there in Iraq. So I'm sure I know the answer to this question, but I have to ask you, did anyone ever raise a question about the rights of regular, ordinary civilian Iraqis? Not in my reporting, no. I mean, and this is really – I mean, you're talking about sort of an occupation force here at this time. If you remember, too, that the infrastructure in that country that grew up, largely the cell phone infrastructure, sort of developed in an occupation setting, the first contracts that the U.S. government allowed to be let in Iraq were for cell phone coverage. And it was really the cell phone networks that became sort of a very fertile mine for that. But no, in all of my reporting on this, the subject of privacy of innocent Iraqis was just – it was not raised. So – and this, of course, this is where the difference in degree or in scale makes such a difference, because traditionally, yes, you're in a conflict area, you have normal military intelligence, but they're not capable of monitoring the communications of everyone. And it's more like a warrants situation. They're going after specific people. There's reason to be suspicious of those people. You're under war rules, not peacetime rules. But here, of course, the distinction between war and peace is blurred. Something we'll be talking about in the next two days in the future of war conference. And you have the ability to gather everyone. So let me put this forward. So that was Iraq. That's – it's over a decade ago. You don't have the cell phone penetration you have today. 
And you don't have all the other things we do on mobile. Now imagine something like Ukraine, where you have a tremendous cell phone penetration. You have – to go back to the last question – US corporations presumably selling products to Ukrainian citizens. And suddenly – and you have a conflict situation where suddenly mass data mining is infringing the rights of those citizens and is affecting the way they see US industry. Is the military now thinking about it that way? Well, I think that they're going to think about it in the context of what is the operational requirement, right? So right now, you know, we don't have a heavy military intervention, obviously, in Ukraine. Might we – if we decided to start providing non-lethal aid to Ukrainians, say, we're going to outfit you with better encryption or ways of trying to circumvent state surveillance because we know, in fact, that there has been a very heavy Russian penetration of the Ukrainian networks. We've seen them manipulating websites and trying to spread disinformation. There, too – I mean, Russia has had early experience in the Georgian conflict with offensive cyber-actions. So I think probably if the military is – what they're looking at here is how is this being brought to bear by the Russians as a capability? And if we were to provide some kind of assistance to the Ukrainians, how would we start countering that? So yeah, so thinking about operational requirements, I can – I mean, I can well imagine that if you were sitting in the White House and you were trying to figure out what kind of assistance can we offer the whole debate about lethal and non-lethal – whether we should be arming Ukrainians at all, this is exactly where you might say, well, we can do this, but – And could we help defend their networks better? I mean, would a cyber defense sort of offer to the Ukrainians constitute non-lethal aid? I mean, I'd love to hear where the lawyer says to that, but sure, perhaps why not? 
Why couldn't we bring some of our own surveillance capability to bear to help the Ukrainians understand how the Russians were compromising their systems? And to be clear, that may have already happened. But this is certainly a place where in this new domain and treating cyberspace as a battlefield, which is how the military sees it, where you could imagine that resource being tapped. Can you imagine the U.S. offering that kind of assistance? Let's move it from defensive to active. So now we're offering assistance that allows Ukrainian rebels to do what you just described – not rebels, the Ukrainian government to do what you just described in Iraq. So the Ukrainian government is getting real-time information about who's in the field, and that's being transmitted to targeters. At what point could Russia say that's an act of war? The United States just committed an act of war against us. So here we start walking down the spectrum, right, towards, you know, we're in the sort of the realm of intelligence-gathering activities and espionage. And the closer that you get to trying to cause some real-world outcome, the more you're drifting towards what the military today would probably classify as cyber war. So if we're equipping the Ukrainians with spying technology, with surveillance technology, that may be one line that's not too far to cross. If you're equipping them with computer exploits that allow them to go back and try and cause disruption on systems in Moscow, or knock out communication systems, yeah, I would imagine then the Russians would say you're essentially crossing a line here from providing some kind of intelligence support to something that looks more, again, the military term kinetic. We will, this is a conversation that, I mean, and any rules to help us decide that? Well, right, it's very interesting. So there actually is a fair amount in the public literature that the military has put out. I wouldn't call it doctrinal, I wouldn't call them rules. 
There are sort of areas where the military has basically said we would consider this an act of war, or we would consider this an act of aggression where we would recommend to the president you have the option of responding, not just in cyberspace, but militarily as well. So an attack on the national infrastructure that causes death, a power grid attack, an attack on public utilities, disabling a key part of the financial system, something that undermines the sort of the national security framework. It has to be sort of high end, but these are also very low probability attacks. That would be something where the military would look at this and effectively say, that's an act of aggression that allows us to respond in kind. Interestingly, with the Sony hack, attributed to North Korea, there was a question immediately right after that when the internet suddenly went down in North Korea and Admiral Rogers was asked about this, did the United States do that? And the president had promised a proportional response to the Sony hack. The experts I talked to at that time said, well, if we did do it, and I think we probably did not do it actually, that would have constituted a proportional response, perhaps, under the legal framework. That you hack into our company, you wipe out these computers, you threaten a threat in this way, we take down your internet for a day. At least at first blush, that sort of presented some legal scholars I talked to with a yes, that looks like a proportional response, something we might actually order. That could be instructive for future events as well. So from where I sit as a foreign policy expert and the former dean of a public policy school, this is one of the new areas of scholarship, research, conceptualization. I mean, you heard Admiral Rogers say, deterrence, cyber deterrence is very immature. 
Well, this is what I grew up on in the Cold War, trying to figure out how we did nuclear deterrence, what is proportional to what, what do you threaten so that you have a credible threat? Cause obviously if you say, we're gonna take out Moscow if you do something very small, that's not credible. So then figuring that out in the cyber domain where that's what we're talking about. What do you make public? What's a credible threat? But what's also a legal threat? What is a proportional response? And we're very... Absolutely, and that's why I think the Sony event was so important. And one respect is that this is the administration essentially making policy as we go here and saying that we're going to, first of all, identifying North Korea, the president of the United States standing up and saying who it was, that's never happened. The director of the FBI doing it, revealing some amount of intelligence about why they think they did it. And then announcing there would be a proportional response at the time of our choosing, putting aside the shutdown of the internet, however that happened, we levied more sanctions against North Korea. Now it's a pretty sanctioned country. You know, maybe we didn't do that much damage, but that is essentially making policy now. We're saying effectively, if you intrude on the networks of a U.S. company, if you make threats in the way that North Korea did, we reserve the right to sanction you. We potentially reserve the right to knock your internet out. That's policy being made. There is a deterrent effect to that, I think. So I want to ask you about companies and the way they mesh or don't with military, but I just have to follow up. You just said, as a throwaway, you don't think that was us taking down the Korean internet? Yeah, I actually, I don't. The Associated Press has reported that U.S. officials say that it's not, some of my own reporting suggests that it wasn't us. 
And yet, honestly, it raises the question of, well, why would we have done that? I mean, if we have the ability to shut off North Korea's internet, which from a technical standpoint is probably a fairly trivial exercise as compared to shutting down other countries' internet, there's really about two or three choke points. Why would we necessarily reveal that capability or sort of spend that bullet on this incident when the president coming up and condemning it, having a conversation, and then the sanctions might have just done the trick? But we said we were going to do something. We did, and then we sanctioned them. And then what else was very coy about this? I think they were deliberately coy to some degree. But just sources that I talked to now are sort of more on the side of, yes, we're not going to come out and say on the record we didn't do it, but no, we were not responsible for this. So did Sony do it? Who knows? Maybe North Korea accidentally tripped its own switch when they were trying to figure out how we got in. So let me come back to companies because your book is the rise of the military internet complex, right? Obviously, taking off in the military industrial complex. But one of the things you show in your book is how much the military internet complex is a public-private complex, that the companies are deeply involved. And this is the flip side of the tension that we're seeing between the NSA and tech companies. This is a situation of symbiosis. So I wanted to ask you to talk about the ways in which the military depends on companies. Yeah, so I think on a very basic level when you're talking about cyberspace defense and offense, the military, the intelligence community operating in that space is almost entirely dependent on companies. We talk about the fact that 85% of the network infrastructure in the United States is privately owned. 
Just from the standpoint of conducting authorized legal surveillance, the FBI, the NSA on a daily basis depend upon a legal framework that requires companies to give them information. There have been times in the past where companies, back in 2007 or 2008, when we were debating the reform of FISA, there was a moment there where the companies were wondering if they were going to try and resist even participating in government surveillance if they didn't have certain assurances. And people within the intelligence community freaked out over this, the idea that the companies would not simply just take the warrants and do what they were dutifully told, but that they would put up a fight and say, we're not gonna share the information with you, we're not gonna give you access. You see it happening today in the going dark arguments that Comey and Rogers and others are talking about. Just on a very intrinsic level, you need the access to the network infrastructure. Now, of course, the NSA is very adept at going out and getting that access when companies are not going to comply or when they don't want them to know about it. But just at that very basic level when you're talking about operating in cyberspace, it is a private public, I hesitate to use the word partnership because that implies some sort of camaraderie. And it's often a very tense and tenuous relationship. So is it fair to say that actually when we're thinking about the cyber domain that it's the companies and their networks that are the perimeter of our domain? In other words, if you try to analogize from the physical to the virtual here, the physical, you've got to define territory and the military can police that territory, surveil that territory or defend it, however they need to. But here, the territory itself is U.S. companies and their networks, is that? Yeah, it's almost more like if we're using a body analogy, they are the circulatory system. They're completely embedded. 
I mean, the military again talks about cyberspace as a domain of warfare after air, land, sea and outer space. But those four domains, they can effectively control and patrol, right? We patrol our borders. The U.S. government controls the airspace. We have laws of the sea. Cyberspace, this is a domain that is completely comprised of equipment and entities that are not governed by a single entity that sort of are moving throughout. It is not sort of a singularly defined space. And this is actually why even the analogy of calling it a domain starts to sort of conceptually stretch our definitions and our understanding and it certainly befuddles many of our legal understandings because it is a borderless entity. Even talking about cyberspace, what is it? Is it a commons? Is it a utility? President Obama's been talking lately that it is a utility. And that suggests that you can regulate it. Yeah, so this reminds me when I was in government from 2009 to 2011, I wasn't there as a lawyer, but of course my background is as a law professor. And at one point I got myself into this debate about what was a global commons. Because from the point of view of an international lawyer, and we're thinking about global rules, it's great to have the cyberspace be a global commons. It's like the oceans, right? And that means it isn't subject to national regulation, it's subject to international regulation. And there are lots of reasons for lots of purposes to wanna think about cyberspace that way. On the other hand, from the military point of view, that's the last thing you wanna do. And to their point, wait a minute, it isn't really out there, it's not like the oceans, they're actually physical servers and they're located in physical space. And let's not let our academic conceptualization get away from that, because we need to defend actual networks. And so that, I can't remember what compromise we reached. 
It was carefully lawyered, but that issue is a very big one from the point of view of how you think about this globally and from the international regulation and how you think about national armies. Yeah, and it also raises the question, if you were ever to form a treaty in cyberspace, how would you even go about doing that? I mean, these are sort of the fundamentals. We have assumptions about what cyberspace is, we don't have any great definitions. And one of the things I found in reporting the book is that when you bring up the idea of a treaty, of an arms treaty in cyberspace, let's call it with the military, it's the last thing they want as well, because how would you verify it? How would you actually make sure that anyone is abiding by the rules of that treaty? And why in a domain in which the United States military is not necessarily the far and away front runner or superpower, why would you preemptively limit our capabilities? I mean, this was an insight into the extent to which I think people like Admiral Rogers and others really see cyberspace as a battlefield right now. And they're making calculations and decisions somewhat informed by recent historical experience, somewhat using Cold War analogies and others, but this is also very new territory. And again, making up policy as we go here. So we've got three minutes, so I'm gonna ask for maybe two questions. There, over there in the back. Is somebody have a mic? You may have to stand up and, oh, here comes the mic. Thank you very much. My name's Benjamin Dean. I'm a fellow for cybersecurity at Columbia University. We talk a lot about the Sony hack today, but as I was going through the 10Q report that Sony filed, quarter three last year, they said their total losses from the hack were $15 million. There would be no lasting consequences. That's about 1% or a bit less. The annual turnover. 
I wonder, given how many billions of dollars we spend on cybersecurity, whether it makes economic sense to do so, given that the losses are so small, even in what has been historically quite a big hack. That's a great question. I haven't seen the report so I don't know how they're calculating loss and are they sort of maybe hiding the football a little bit and minimizing that. But you know, I'll use the example of J.P. Morgan. I mean, reportedly J.P. Morgan was hacked last year. Spends $250 million on network security. Well, what are they getting for it? You know, I guess for Sony, the question is also reputationally. I mean, I think there's a question of monetary damage, but you know, this becomes an event in which the White House and the President of the United States come out and start lecturing your CEO about not being proper defenders of the First Amendment. So I mean, in that respect, I think the monetary damages to Sony are sort of in one category that maybe is not as significant as sort of the reputational ones. But you're asking a great question. What is the sort of the cost-benefit analysis? And many companies, it seems to me, have concluded that they're not going to spend that much money on information security. I've been hearing this lately from people in the electrical sector down at the level of managing physical facilities where there is equipment that is connected to networks that can be hacked and you talk to people managing those facilities and they'll say, well, we only have so much money in our budget and we have other things we have to protect like we have to put fences up. We have physical security needs as well. So I mean, I think there are people for various reasons who are asking, is this really worth it? There, last question. Here in, yeah. Is there a mic coming? All right. I can hear you. If you yell and I'll repeat the question. So, can you repeat the question? 
Yeah, so the question was, is the Tallinn Manual which was a manual, but I guess about a year, year and a half ago, right, Harvey, which essentially, years long effort by technologists and lawyers to try and understand whether or not effectively the law of armed conflict that we use to govern kinetic military action can apply in cyberspace. I found it to be a pretty persuasive document. I mean, I'm not a lawyer, but I'm fairly familiar with law of armed conflict in other settings and in asymmetric settings. I mean, it certainly raised the question of, well, why not? I mean, there certainly seems like there are some instances in which that would be true and everything that we've heard from the US military tells us that they would use offensive cyber according to the law of armed conflict. So when the president stood up after the Sony intrusion and said, there will be a proportional response that is a legal terminology, right? He's saying essentially we are not going to go bomb Pyongyang because they embarrass Sony and delay the launch of a movie. So I think that we are, even if we are not sort of on the books doing it that way, it seems to me that we're following it in practice and I thought the manual will make a pretty persuasive case that that can work. And in general, just as lawyers, it's very hard to start with nothing, right? I mean, as we have developed law over centuries, we tend to start with something from one domain and try to adapt it because otherwise you may never get anywhere. So we're, we just got an extra minute. I think we're, now we're going up. Oh, we're going, we're over time. Okay, so let me, well, I'll take it. I'd let me just say one final thing on the Sony point that I think has not gotten nearly enough attention. So there, there was the economic cost. There was also Amy Pascal essentially lost her job, right? I mean, she, what was exposed made it very, very hard for her to do her job. 
So to individualize this, there's the, you know, what's the cost of the company? But there's also, if you're the CEO or in the leadership, either you're doing a tremendous amount of self-censoring. And I remember when I joined the government, you know, being told at some point, you know, you start making phone calls rather than sending emails. Or you are, you're really thinking about this, not just in terms of the cost of the company, but the cost to you and your leadership team should things be exposed. And that, that's a different calculus, but it's probably very much on CEOs' minds. I think so. So I urge you to buy the book, read the book. It's wonderfully readable. I can tell you in terms of weaving together what are very important and complex subjects with just terrific stories. And join me in thanking Shane Harris for our conversation. Thank you.