Gayblack Canadian Man

Foreign Policy Analysis
Cyber Diplomacy or Mr. Robot Dystopia? – Chris Painter | Open Mind

Cyber Diplomacy or Mr. Robot Dystopia? – Chris Painter | Open Mind

HEFFNER: I’m Alexander Heffner,
your host on The Open Mind. When I recorded my first
ever program here in 2014, the subject with digital
scholar and educator John Palfrey was the
very real possibility of a digital Pearl Harbor
or 9/11 in our lifetimes. It’s clear from our evaluations
on The Open Mind that such a crisis
played out during the 2016 campaign, but not
as we expected. We lacked the imagination
foresight and most of all political will to
respond as governments, citizens, and
corporations, which often were hosts of
malignant disinformation and enablers of
massive security breaches. Joining me today is
Christopher Painter, commissioner of The
Global Commission on the Stability of Cyberspace. For over two decades,
painter has been at the helm of American Internet
policy as a prosecutor of high-profile cyber crimes. And then as a senior
official at the Department of Justice, FBI,
National Security Council, and finally the
State Department. In his most recent role
as the nation’s top cyber diplomat, Painter
coordinated and led the diplomatic efforts to
advance an open internet and information
infrastructure, establishing the office of
the coordinator for cyber issues dedicated to
advancing the diplomatic aspects of cyber issues
ranging from national security to human
rights. Welcome, Chris. PAINTER: Happy to
be here. Thanks. HEFFNER: Thank
you for being here. You were pivotal in
brokering an accord, or at least theoretically
an accord between the US and China in 2014. What were you and your
colleagues attempting to accomplish and has
it been enduring? PAINTER: So we were faced
with a situation where there was widespread theft
of commercial information, trade secrets, other
business and proprietary information by China,
not just in the US but around the world. And this was becoming
not just a cyber issue, but really a core
economic issue and national
security issue. And you know there was a
strong feeling that this really had to stop. This was stealing the
life’s blood of our economy going forward. So what we’re trying
to get is that to stop frankly and, and we
were looking at different aspects to do that and one
of the aspects was trying to get China to agree
that this is something that should be
prohibited and not done. Now I will say there is a
difference between a theft of intellectual property
to benefit your own commercial
sector and espionage. Every country
gathers information. Every country will
for all of time. They have from the
beginning you can’t really prohibit that, but this is
a specialized kind that we don’t do and we don’t think
any country should do. So. HEFFNER: Cambridge
Analytica was really at the intersection of the for
profit commerce and espionage. PAINTER: Yeah, it was a
little different though. I mean there were, it was
for-profit espionage in a sense which is not
necessarily all that new. Although the way that
was done was I think a new form of this,
but the kind of theft of information
that you use. So let’s say you steal the
plans to something or the trade secret for something
and then you give it to your own commercial sector
and then they become competitive, and they use
that to become competitive and really displace
your own industry. So that’s what we
were trying to stop. And it did, it
was interesting. It took really from the
president on down strong messaging to China that
this was unacceptable that this was just
not a cyber thing. It affected the overall
relationship and we eventually got an
agreement with them and you asked if
it’s been enduring. I think after that
agreement was reached, which didn’t prohibit
all hacking because that’s not realistic, but
prohibited this kind of hacking. A lot of people saw that
activity drop dramatically after
that. And it did for
a while now, right? Recently it’s
gone back up again. And that’s a big concern. But I think partly that’s
due to the fact that the reason China wanted to
reach this agreement, it was an irritant in
the overall relationship, but with something
that China cares about, the way it’s perceived,
it was a big problem, not just in the cyber realm but
across the board with the US. It was a problem
with Russia or with, I’m sorry, with
Germany, with Japan, with Australia and
other countries around the world, the UK.
And so they agreed to do it, but now the relationship
is really frayed, I think they don’t see any
real need or benefit to comply with that. And that’s the
problem we have now. HEFFNER: Are you referring
to the implementation of the tariffs? PAINTER: I think if you,
the overall relationship between the US and China,
I think it’s fair to say it’s not very good right
now and there’s a lot of reasons for that. There’s certainly
the trade conflict, war, whatever you
call it going on, which I think is a, is
a concern for them and I think their
feeling probably is, and I’m not in
the Chinese mind, but I think that, what
their thinking is why do we need to comply with all
these agreements we made if the relationship
is so bad already, we’re not improving
the relationship. And maybe it’s even a
bargaining chip who knows? HEFFNER: The current
President speaks lovingly of China and at times
at least the Premier, the President, and yet
has taken actions that obviously have
injured that relationship, so that souring effect has
materialized in the way that the United States and
Canada are negotiating a potential resolution
with someone in their technology sector who
is accused of breaking the Iran sanctions. PAINTER: Well, that
the person who’s been accused at Canada is
accused of violating the sanctions have of taking
actions that violates them. It’s against the law. There is no, you know I
see no issue of when you see violations of the
law as a former prosecutor going after them. I
think the larger question is, how can you address
all these issues, how can you make sure
this doesn’t happen? And look, the trade
imbalance with China is a big issue and we do
have to address it. How we address it and how we
message I think is important. You raised a really
interesting point though, when you say that
Trump speaks lovingly, sometimes of President Xi, that
messaging is as kind of a
problem. If your messaging doesn’t
match your actions, it undercuts your own
negotiating and undercuts your own deterrent value. I
think the classic example, certainly with Russia,
where despite all the evidence, despite all
the things that even this administration has done,
Trump constantly calls into question whether
Russia was responsible. It doesn’t matter what you
do in terms of sanctions or other things if
you’re a top leader, is not
consistent in messaging, and Obama was very
consistent in messaging with China for
almost two years. HEFFNER: Even if he
decided not to prosecute forcefully enough the case
against cyber espionage from Russia during
the ’16 campaign, behind the scenes and in
public he was consistently critical of
Wikileaks, Assange, and those criminals. There was a
digital Watergate… PAINTER: Do you mean Obama? HEFFNER: Obama, right. That there was a digital
Watergate and the plumbers and dirty tricksters were
Russians as a country, and I think this is
testified to in ongoing support for the special
counsel’s investigation. This country has not seen
accountability in the area where you prosecuted
cyber criminals. When is there going to
be accountability/ PAINTER: Well, that’s
a great question. I think you have to divide
this into two spheres. One is nation-states and
the other is individuals and criminals. Individuals and criminals
we need to go after using our criminal tools. You know, sometimes it’s
difficult to reach them for various reasons, but
we need to continue to do that and that’s one aspect
when you’re talking about nation states, we have
been just terrible at deterring or punishing
nation states for activity that really
violates all the norms, that goes
beyond, you know, the kind of things we, we
believe very acceptable conduct. So yeah, a good example
certainly is Russia, when you’re trying
to deter someone, there are two aspects. One is timely and the
other is something that actually makes
a difference. It’s going to change your
calculus in the future, and punish them
for past conduct. Now, the Obama
administration did come up with a series of
package of expulsions and sanctions at the end
of the administration. That was pretty late. I mean, frankly, I think
it was clear we needed to act as sooner we needed
to act more strongly. I don’t think that those
things really punished Putin or changed his
calculus could certainly he’s engaged in this again
and again after that and then in this administration
there’s been sanctions. There’s been some
other targeted events. Russia has not limited
their malicious cyber activity to
election interference. They released this big
what’s called computer worm the NotPetya
worm that was – several countries
attributed to them. Yes, the US and
Australia and others have attributed, this
conduct to Russia, but you’re not going to
name and shame Russia, you know, you’re not going
to – you might China, but Russia or North
Korea, that’s not going to have an impact. It’s a, it’s a
good foundation, but then you have to
follow it up with action. The Ashley will make a
difference to them and then as I said before,
you have to couple it with consistent and
strong messaging. You can’t say, well, I
don’t know if they really did it, it’s okay. He said he didn’t do it. I mean those, that, those
undercut all the actions you’re trying to do to
actually punish that conduct and make sure
there’s accountability and I absolutely
agree with you. We have to be far better
at imposing those costs. HEFFNER: The kind of
reciprocal action that could be meaningful is
allowing the young people of Russia to have digital
freedom and use the grassroots technologies
that infuse our politics here and through the web
to bring about reform. PAINTER: We have always
been seen as the leaders in terms of freedom
and democracy and my colleagues at the
State Department, and we work
closely with them, champion this idea
of Internet freedom, freedom online and helping
those communities who are often oppressed or
monitored try to escape that monitoring to
express their views. And, you know, there is
something called Freedom House, which measures the
level of freedom in the world online every year
and they’ve seen that level of freedom
decline year to year, which is a real
concern around the world. And if the US is not
championing those causes, if the US is saying for
political or whatever, expediency you know human
rights are important, but they’re not so
important that we’re going to take them seriously
and factor them into our larger policy. That gives them
carte blanche to these countries,
these dictators, these more repressive
regimes around the world. And it’s a good
parallel to cyber because, you know, if you don’t
have consequences for your actions, then you’re
creating a norm of it’s okay, we can just do this. And the same is true in
this area and you can’t look at cyber security
totally separate than human rights or
economic policy. They have to be
looked at together. HEFFNER: Where are you
hopeful based on your own prosecutions in
the United States? There is not really a
criminal court or tribunal to adjudicate this and
that doesn’t even work when there’s genocide to
the best of its ability. So what is the best hope based
on your own prosecutions? You started doing this
when cyber was just being born in the 90s. PAINTER: Back when
it wasn’t cool? Laughs. HEFFNER: So, so how is it
working here in America in terms of the ongoing
pursuit of justice with domestic actors who hack us or
attack our infrastructure? PAINTER: I think
we’ve gotten better. I don’t think
we’re there yet. I think I’ve seen, there
are a couple of trends that I’ve seen over the 20 some
5 years I’ve been doing this. One is that we have
been getting better, not just catching
the criminals here, but also overseas and
it’s trivial for a cyber criminal to route their
communications through several different countries to
evade detection. So in an unprecedented
way you have to have real international cooperation.
We’ve gotten better at that. You know, it’s
still not perfect. I think a lot of criminals
still see this as a cost free or risk
free enterprise, but we’ve done a lot of
big cases where we’ve wrapped up a lot of
criminals around the world and that sends an important
deterrent message. So that’s good. We’ve trained more
people around the world. More countries have
cyber security law, so they didn’t used
to have them back, I don’t even remember
years ago when the, I Love You worm came
out; it was traced back to someone in
the Philippines. The Philippines didn’t
have a law to punish that, so that’s changed and that’s
changed around the world. So I’m hopeful about that
and I’m hopeful about the kind of
cooperation I’m seeing. It’s a steep hill to climb
still, which is an issue. I’m also hopeful
that, you know, we have done these
joint attributions. So one of the things that
may be surprising is the Trump Administration came
out with its strategy, its cyber
strategy recently. We did these in the Obama
Administration as well. The Trump cyber strategy
is really very much like the Obama cyber strategy. It’s not really very
different and that’s actually a good thing,
you’re building on what you’ve done before. You’re looking at this in
a more holistic way and saying we really don’t have to
create a whole new regime. We need to do this. And there was a portion
of that that talked about deterring bad actors
including state actors and it talked about and it
had language in there that said we are better acting
together than with other countries than we
are acting alone. That doesn’t sound very America
First-is, does it? It sounds actually
very collaborative. And that gives
me hope too. So you know, I think
that those things are continuing to go
on, which is good. You know, there’s lots of
things that I’m worried about as well but I think that
there’s some positive aspects. And the other thing I’d say is
people care about this more. I mean, back when I was
doing some of the early parts occasions,
people thought, well, that’s really
cool. That’s a neat thing. Or you know, it’s a
Robin Hood sort of thing. These hackers are cool. Where now, they
really care about it. And, and you know, I think
we’re at the stage where, you know, back when I
used to go and talk to, if you went to talk to
the attorney general, if you want to talk to,
although Janet Reno was exception, she cared
about this deeply. If you went to talk to a
cabinet official in our system or a minister, and
in Europe you went to talk to the CEO about this and
their eyes would roll back in the back of their heads and
they will run from the room. They didn’t want to
deal with these issues. There were
technical issues. You technical people deal
with them and now there’s a recognition this is
a core issue of our, you know, economic policy
our national security policy or human rights policy.
And our foreign policy. That’s a big deal
because it takes it out of that technical realm. Technical aspects
are still important, but it really makes it
a core policy issue. Now the problem is people
recognize it as an issue, they just don’t know
what to do about it. HEFFNER: Right. They recognize it and
it’s heartening to hear the copying and pasting
of the Obama manual, if in fact it’s being
implemented, which you
mentioned, PAINTER: Which is a
key question, yes. HEFFNER: Right. But at the same time,
this lack of concern was revealed when these
folks’ emails were hacked, and that was an impetus,
whether it was State Department officials
or business executives, they became aware and
concerned about it after their materials became, PAINTER: Sure. HEFFNER: In effect,
declassified stolen, hacked, publicized,
which is, and it’s, there’s
a learning curve. So now they’re up to
speed potentially, PACKER: Not sure they’re
up to speed, but HEFFNER: Or in
the process of.. PACKER: And look, it makes
a difference when like the executive that head of
Sony pictures lost their job because of that. HEFFNER: Sure, sure. So here’s my question to you as
a fellow viewer of Mr. Robot, PACKER: [ Laughs ] HEFFNER: When does this reach
the point of a 9/11 or Pearl
Harbor? And I’m thinking economic
insecurity as a function of a hacking that is so
basic to the necessity of our livelihood as Americans or
as global citizens. You know, of course there
are vulnerabilities that are particular to
Bitcoin in new currencies. But, what about that
scenario of a hacking that completely
disrupts the economy? PAINTER: Well, we,
we’ve talked about this literally for 20 years. We’ve been worrying about
the kind of cyber attack that would be against
critical infrastructure, the financial system, the
electrical power system, the, you know,
food distribution, something that would have
catastrophic and really rolling consequences that, you
know, blackouts, things like
that. And there’s no shortage
of movies about this too. HEFFNER: Right. PAINTER: So I,
you know, my, I tried to make my office unique
in the State Department. I had movie posters where
hackers or computers where the main character, so I
had like 30 of them up there and they’re
all dystopian movies. There are very few
really happy movies there. That said we haven’t
seen that kind of crippling cyber attack. We’ve seen cyber being
used and wore a like in Georgia by Russia. We’ve seen some of the
activity obviously with our election and others. We’ve seen certainly
very serious activity, but not that kind of
crippling 9/11 or Pearl Harbor or
something like that. I also, I’m not that
fond of those terms and the reason I’m not fond of
them is if we keep waiting for that before
we do something, we’re never going
to do anything, you know, so we need to,
we need to think about what’s happening every day and
the conduct is pretty serious. HEFFNER: Chris, is that
because only state actors would have the bandwidth
to do that and the rogue elements like an ISIS in
a cyber unit of an ISIS or a like terrorist
organization just doesn’t have the
equipment to perform it. PAINTER: I think there’s
a couple of aspects. One, yes, sophisticated
actors in Russia, China, North Korea and
Iran are always rated as the most sophisticated
state actors, have more capability,
but even there, if you’re talking
about taking down like the electrical power grid, not
just taking it down but keeping it down.
So that requires a lot. That’s not just an
instantaneous conduct. And yes, you know, this is
an asymmetric area where people without much
resources can cause kind of large disruptions, but
can they really keep that disruption going in a
way that’s going to substantially
affect the economy. So I think that that’s a
part of the issue and you know, in terms
of terrorists, we had been thinking about
terrorists and literally I remember giving a speech
about this maybe 17 years ago where we were worried
about terrorists turning to this and attacking
critical infrastructure and there’s two
reasons they haven’t. One, they’re not really
interested in doing that. They’re interested in
using the Internet to communicate, to
plan to proselytize, to raise money, all those
things. And they do that a lot. We’ve certainly seen
ISIS do that a lot, but they’re not interested
in really attacking critical infrastructure
when what they want to do is they want to attack
physical targets and cause death and destruction
that’s going to have more of an impact. Now, maybe in the future
they could do that in a way that’s going to have
a large level of impact. Maybe you’re going to a
couple a physical attack with an attack on say,
emergency communications that’s going to magnify
it. We just haven’t seen it yet. Now we’re always
worried about it, but it’s, I think
interesting that we haven’t seen that so far. HEFFNER: Well, the net effect of
closing the power grid, PAINTER: Oh yeah. HEFFNER: Turning off
the lights, PAINTER: Sure. HEFFNER: Especially when
it comes to the market and being able to produce the
necessities of life and companies handicapping
their ability to provide goods and services that
are central to our health and wellbeing, that that
could be pretty serious. PAINTER: It could be. They could always
borrow capabilities, they could rent
capabilities so you can get other people to come
in and bring capabilities. You know, I think we
haven’t seen this from nation states by and large
because there’s lots of reasons it doesn’t make sense
for them. I mean, HEFFNER: Right. Yes Iran and North Korea
have been more active because they
don’t have much to, or especially
North Korea does. Russia used to be
much more stealthy, but now it’s much more
active as we’ve seen because again, it’s
positioned after the Ukraine invasion the world
community is very different. So there’s reasons that
the nation states don’t want to deal
with or they worry about escalation
and reprisal. Terrorists, you know,
there is still a chance, but it’s again, having
that widespread effect that they want to have
and that long-term effect, HEFFNER: It’s perhaps
more likely to come from the yellow vest
type movement. PAINTER: You don’t want to also
shoot yourself in the foot. You don’t want to take
down infrastructure that’s going to have an effect
on your own life too. HEFFNER: No I’m not
condoning it whatsoever. I’m just saying that it
seems that the dystopian of some of the fictional PAINTER: Yeah, yeah. HEFFNER: accounts are not so far
in our, our future. I mean there, I think that
a lot of the grassroots protests that have grown
up and are now marching in the streets or
causing havoc, are a function of
economic discord. PAINTER: True. And we look, we’ve had
hacktivists so for quite some time and they haven’t
targeted these kinds of systems. And again, I think it’s
harder and we’re getting, we are getting better at
protecting these systems. We’re getting a better at
protecting electrical power
grids. We’re getting better at
protecting financial systems. It is not perfect yet
and there are scary times. Like for instance,
when Russia shut down, part of the power
grid in the Ukraine, then we saw some, what
we call prepositioning, a malware on some of
our power grid systems that looked like it was
from Russia as well. Look, there’s real
concern about that, but, you know, I think
we also have to look realistically at
what, you know, what we’re doing to
protect ourselves, which we
absolutely have to do. We have to do a far
better job and we are, I think in protecting
those systems and have resilience so if
something happens, we can bounce
back from it. So you’re not down for
a long period of time and it’s still not easy. It’s not easy to have
that sustained effect. HEFFNER: What about the idea of
a generator in effect, having a generator
to turn that on in the event of one of one of
these incapacitating cyber, national cyber
terrorist acts, PAINTER: Having a
generator that’s. HEFFNER: A kind of a
kind of backup plan. PAINTER: Yeah, that’s.
Absolutely, that’s the
resilience aspect. So you know, you
have to assume that sophisticated actors,
particularly state actors, if they really put
their mind to it, can get into a system
and can affect systems. Now what that means is
you do everything you can to protect your system. That’s the, that’s the
cyber security part of it. You make sure there
are consequences for people who break in. That’s
the deterrence part of it. So they don’t do it
in the first place. They don’t see a
benefit in doing it. And then the last part is you
have to have resiliency. You have to have backups
so that even if they succeed in doing this,
you can get back up and running very quickly. There was a case a few
years ago about Saudi Aramco where a hackers
got into their system and basically
destroyed all their computers wiped all
the data from all their. And interestingly, they didn’t
have that backed up. Now I think people
realize that you have to have that
all backed up. You have to make sure that
you have those things so that you can
reconstitute yourself. One of the big worries I
have that we haven’t seen yet is dealing with the
integrity of information. So yes, we see
all these attacks, we see the theft
of information, but the integrity of
information means that if I, for instance, was
able to hack into your medical records and change
your blood type, so the next time you got
a transfusion you died. That’s pretty significant. Or if I could somehow get
into the stock exchange and make it unreliable
in terms of the settling trades that would have
a widespread effect. We haven’t seen that yet. HEFFNER: Is your
commission working with these sectors? PAINTER: What our
commission is doing is we’re looking- So there’s various aspects of
this issue, right? And part of the aspect
is what are the long-term rules of the road. What is the, what is the
framework we want that states will
agree to over time. So there’s been work
between governments on this, international law applies,
which is important. It’s not a free fire zone,
but what are the rules of the road what
are the voluntary, at least in the beginning,
rules of the road, things like don’t attack
critical infrastructure absent war
time, more time. There’s different rules, but
don’t do it in peacetime. Don’t attack the Cert,
the computer emergency response teams. It’s like going
after the ambulances. The commission has
come up with things like, don’t attack the public
core of the Internet because we do that. You could take down the
Internet for everyone. Don’t, you know, the
industry has an obligation to look at their software
to make sure the vulnerabilities are not there to
the extent they can. That states should have
vulnerability equities processes, that election
machinery should be off limits too the states
should not attack that. Does that mean that
everyone will abide by those norms or
embrace them? No. But what it means is that
if they don’t do that, then you have to have that
level of accountability. And, and we don’t have
that firm understanding. There’s a lot of
uncertainty in cyberspace. You don’t know
what the rules are. You don’t know what the
consequences are and we have to change that. HEFFNER: Right, and in
the seconds we have left; you’re really
attempting to resurrect the Geneva Accords or
something like that for… PAINTER: Not so much a
treaty, because the Geneva Convention
applies to cyber. I mean, I think the worry
is when you say we need a Geneva Convention
for cyber, the Geneva Convention
applies to cyber, things like
proportionality to say all these things that have
brought us safely into the 20th and 21st century, those are
things that apply to cyber. We have to figure out how they
apply, but they apply, HEFFNER: But do we need a new
body that is going to… PAINTER: I don’t think
we need a new body. I think what we need to do
is get countries to accept these rules of the road
and then we need to start enforcing them. I
think if you create a new body, that’s a lot of overhead, HEFFNER: Right, PAINTER: And you don’t
necessarily get the payoff you’re looking for. HEFFNER: Chris, a pleasure
to be with you today. PAINTER: Happy to
be here. Thanks. HEFFNER: Thanks and thanks
to you in the audience. I hope you join us again
next time for thoughtful excursion into
the world of ideas. Until then,
keep an open mind. Please visit The
Open Mind website at to
view this program online or to access over 1,500
other i nterviews and do check us out on Twitter
and Facebook @OpenMindTV for updates on
future programming.

Leave a Reply

Your email address will not be published. Required fields are marked *