Last week, DPR’s Megan Steinkirchner sat down with Professor Charles Dunlap to discuss cyber security and warfare. Dunlap is a retired Air Force General, professor at Duke Law School, and Executive Director for the Center on Law, Ethics, and National Security. He has been featured in numerous publications and served as the Staff Judge Advocate at Headquarters Air Combat Command prior to teaching courses on national security, international law, civil-military relations, cyberwar, airpower, counter-insurgency, military justice, and ethical issues related to the practice of national security law.
DPR: You’ve written on the subject of the intersectionality of law and ethics as it applies to cyber security. How much can we apply these concepts to the cyber domain?
Dunlap: There is a big intersection between law and ethics. We have to remember that law is the lowest common denominator—what society decides is the minimum standard of behavior. Ethics takes you beyond that. Just because something is legal doesn’t necessarily mean it’s the right thing to do. In terms of cyber security, [we have to decide] the extent to which we as a society are prepared to trade off privacy for security. A lot of cyber security depends upon the ability of whoever is providing the security—if that’s the government—to have access to the systems and data being generated by individuals. That’s a tradeoff. We’re only beginning to grasp the right way to do that.
I would say that, in society, we’ve made a lot of tradeoffs that we don’t think much about, but they actually have huge price tags. For example, each year we kill about 30,000 people in car accidents. Are there things government could better do to protect people? Sure. We could have more frequent driver tests, more difficult exams, and more surveillance at bars. But we as a society have decided that we don’t want to do that because that would have the effect of a lot of people not driving and a lot of inconvenience. We’re willing to pay the price of 30,000 deaths each year.
Translating that to the cyber realm – to what extent do we want government, for example, monitoring what we do on the web in the interest of security? Some people might suggest focusing on private companies and better firewalls… One of the issues is who should provide security – government or private entities? A lot of private entities will say, “It should be government. The military protects us against invasion—this is an electronic invasion that we’re undergoing now, ergo it should be the military.” Okay, but we need to think that through. Do we really want to involve the military in such domestic activity, much of which would interface with individual citizens? There aren’t very many democratic models in which the armed forces are that involved in domestic law enforcement.
A lot of companies don’t want to share their information about what they’re suffering because it affects public confidence in their product and could cost them money. Their allegiance is to their shareholders and in the end, they have a formal, legal obligation to them. I have a lot of confidence in the private sector because I think the free enterprise system incentivizes people in ways that government can’t.
DPR: This month, at a summit in Palo Alto, companies from Silicon Valley, the President, and White House people came together to discuss privacy and technological progress. What are the most important goals for cooperation between Silicon Valley and DC going forward?
Dunlap: We have to recognize that private industry has different incentives than government. Rightly, they’re out to make money and that is good for society because it provides incentive for creativity. At the same time, government is responsible for protecting people. Somehow we have to align those interests in a way that makes it a win-win for both sides.
The first step is [creating] better protection for private entities suffering from [cyber] attacks so they can disclose this information to government, and government can share it with other entities in a way that won’t compromise propriety information of the victim company or expose them to liability from customers. That [solution] is not perfect because if [private companies] are not doing the kinds of things they should be—exercising due diligence—then they should be held financially culpable. Why should private individuals suffer when a company they depended upon didn’t do what was reasonable? Trying to navigate this is complicated because there are different kinds of interests [to balance]. But there are lots of complicated things—going to the moon was really complicated but we did it. There has to be a real spirit of teamwork. If there’s a silver lining to the Sony Hack, I think it is that it was a wake up call for a lot of people.
I am not a believer in the “Cyber Pearl Harbor” catastrophic attack that’s going to [really affect people]. The big threat now… in the near term is these whole sale thefts of intellectual property, malware issues in banks around the world—assuming that that’s all true. Trying to get ground truths as to what’s really happening is difficult.
DPR: It seems as though getting that ground truth is the beginning to answering the question of how do we realistically assess these new types of threats. What’s your take on this matter?
Dunlap: I think you’re right, which is why this first step needs to be protecting the disclosure of vulnerability, then facilitating the ability to let others know when something is a vulnerability so it can be solved. An idea that came up a while ago is that supposedly the government knows about these “zero day vulnerabilities”, which is when there’s a flaw in a program but nobody has ever exploited it because bad people don’t know about it. The government may accumulate them for purposes of if we ever did get in a conflict with somebody, and wanted to be able to exploit them.
They are called zero day vulnerabilities because they’ve never been used before and probably, once you’ve used them, you can’t use them in the future because people will realize where the hole is in the system and they’ll patch it. So that’s a tough balance to be made – to what extent do you, for national security reasons, accumulate knowledge of these zero day vulnerabilities and to what extent do you share them so that a US entity doesn’t become a victim of a zero day vulnerability?
DPR: It seems that a lot of the expertise on these matters lies with civilians and non-state actors. How do government agencies navigate how much of that knowledge they should have access to?
Dunlap: A lot of expertise does lie in the private sector, and there has to be access to that information, either through the contracting process or persuading people to join government agencies. When Admiral Rogers, the head of the National Security Agency, was here he said—a little bit to my surprise—that the NSA had no problem hiring or keeping computer experts, which was in response to [the claim that] the government was having a hard time getting enough computer experts. I believed him because otherwise, it would have been a good opportunity to get brilliant, young Duke students to join the NSA… He didn’t seize that opportunity to make that point; he made the exact opposite point.
DPR: Is there a future for international agreements and treaties to be made on cyber security or cyber warfare, like there is for “regular” warfare?
Dunlap: Let’s distinguish between cyber warfare and cyber security. I don’t think there is much opportunity for a cyber warfare treaty. Every country in the world thinks, “maybe we can be the smart ones”, meaning they don’t have to spend all this money on a big air force…[they think] “we can afford a computer and our kids are really smart, so maybe we can weaponize this”. I think in this country, we would not be incentivized [towards a treaty]. Maybe we believe we have capabilities that are superior to our potential adversaries. So at both ends of the spectrum, you don’t have the incentive, partly because no one has really suffered the effects [of cyber war] in a big way.
When you look back in the history of international agreements related to war and conflict, they are usually as a result of very specific experiences. For example, gas during World War One resulted in chemical and biological warfare conventions that prohibited the use of those methodologies. Cyber is different in that it is not exclusively used for hostile purposes. In other words, it’s a dual-use capability. Limiting it without limiting your ability to conduct sophisticated, high-tech business would be difficult because it’s not like nuclear weapons treaties where you can count the number of missiles or submarines. You’re always going to have this very sophisticated cyber infrastructure being used for business, and not hostile, purposes. To design and verify a treaty so that cyber infrastructure could not also immediately be used for hostile purposes would be very difficult.
For those reasons, I would not be particularly optimistic about a treaty. Russia and China have proposed treaties, but the problem is that Western countries [disagree] in what they consider threats to the state. Russia and China are thinking that all dissidents are threats to the state. I don’t think the United States is going to sign up to assist in suppressing democracy and human rights advocates… I think there could be more of a future for international organizations that track and prosecute cyber criminals. There would be incentives in enough countries [for that]… There’s a possibility for more cooperation on the law enforcement level.
DPR: In terms of future threats, how realistic or feasible is major international cyber warfare?
Dunlap: I don’t believe in that being a looming threat and I’m in a small universe of people who think that way. I think cyber will always be part of warfare, but it’s just much harder to do than people believe. If it were easy to do, don’t you think ISIS would be doing it right now? These are people that are raping twelve year olds and setting people on fire in cages. If they could hurt us, and it was easy to do—and they do have cyber capability as they’re using the web to recruit people—we’d be sitting here quite literally in the dark…We are not anywhere close to somebody being able to sit at a computer terminal and wage war against the United States in a way that will be militarily decisive. They might be able to hurt us or cost us money, but they’re not going to prevail against the United States. It’s not the same kind of threat—or an existential threat—that a nuclear attack would be. I say that not to diminish the importance of addressing cyber security but merely to put in a context to have a rational conversation about it.