There's a flood of cybersecurity news as a result of the Ukraine War as well as Washington's recent efforts to compel organizations to report cyberattacks to federal officials. In this episode, Trey Herr and Emma Schroeder of the Atlantic Council’s Cyber Statecraft Initiative break it all down. They explore the consequences of an escalating digital battlefield in Europe, whether a hack could bring NATO into the war and strategies for creating more consensus within the tangled and complicated realm of cyber policy.
Why you should listen:
* Understand what's at stake as cyber warriors do battle on both sides of the Ukraine War.
* Learn about some potential consequences of a destructive hack in Europe and whether that could even draw NATO into the war.
* Hear what Washington is doing to obtain better insights and actionable intelligence that could improve cybersecurity defenses.
Key quotes:
* "Cybersecurity generally is not a good state of affairs. So I think we are going to see some regulatory changes that make it much harder for certain classes of companies to operate because they've grown up around this inefficient system."
* "The physical military invasion [into Ukraine] has not necessitated sophisticated cyber support from the Russians. What's been more important in the information space is misinformation [and] disinformation."
* "You've got a lot of [outside hackers] tripping over systems to try to find some kind of way in to do something. And the challenge is that's not really strategic. You don't have any of these groups plugged into the target selection and intelligence collection processes that Western agencies have."
Links:
* https://www.atlanticcouncil.org/
* https://www.atlanticcouncil.org/thecybermoonshot/
[00:00:22] Bella DeShantz: Um, so welcome to the show, Trey and Emma. Uh, we're, we're really excited to get to speak with you today. And we've got a lot that we'd like to talk about, uh, with what's happening in Ukraine and Russia. Uh, but first we wanted to get started, uh, with a brief explanation for our listeners of what the Cyber Statecraft Initiative is all about.
[00:00:44] Trey Herr: Sure. So the Cyber Statecraft Initiative is the Atlantic Council's cyber policy program, and the Atlantic Council is a national security and foreign policy think tank. It's been around in DC since 1961. So what we try to do is take operational [00:01:00] expertise, folks who have had hands on keyboards, who've had actual military experience, technical experience, engineering experience, and bring them into conversations about strategy and the conduct of statecraft that involves technology.
Thinking less about how states should be doing things in isolation and more how politics manifests in the real world where technology is messy and people want to do all sorts of malicious things.
[00:01:25] Jeremiah Roe: does that touch on the cyber moonshot initiative? I know you've worked on that previously. Emma as well. Maybe you could tell us a little bit about that.
[00:01:35] Emma Schroeder: Yeah, definitely. Um, so this, this, our moonshot initiative was. Of new ideas that the team came up with, um, last year, about a year ago. Um, and I think that it's kind of a unique format for us, but it does kind of speak to our core mission of trying to connect different communities to talk about these ideas.
Um, a lot of these concepts can seem really [00:02:00] intimidating and daunting people to get into. So, you know, one purpose of this, uh, project was to try to make cyber a little bit more approachable, a little bit more. Bring more people into that conversation. So, you know, to do that, we are writing a couple of short stories, you know, it's set in the future, it's on the moon.
There are cats with, you know, a couple special abilities. Um, and it's just meant to be, you know, a fun time, but while you're reading it, you're also getting, you know, some, some lessons and, and condensed ideas, um, that we explore further in our reports.
[00:02:37] Trey Herr: So major credit, major credit to em, on this, I think too, because this is one of the things that think tanks tend not to focus on as much. We do a lot of. Story and not anywhere near as much on the storytelling. And so we still fall into a lot of these tropes of like academics, writing long papers, hoping for the best.
Um, and one of the first things that Emma had wanted to do when she came into the council was find a way to do something different and to work for form prose [00:03:00] storytelling, and this very, what has devolved into this incredible science fiction, you know, meets Hitchhiker's guide to the galaxy kind of universe where there's whimsy, but there's whimsy that supporting really important.
And so I think it's something that we're working to try to build out in part, just because there's so many people that need to understand stuff in the space that, that don't have time don't have wherewithal and really shouldn't be subjected to an 80 page written report in a PDF. So it's sort of on us to figure out not just what to say, but,
[00:03:25] Bella DeShantz: So it sounds like this, that particular initiative is, is geared towards bringing sort of like. I don't want to say like regular people, but maybe not, not like people that are deep, deep in the industry professionals, uh, bringing them up to speed and giving them education. Um, what other types of like, I guess I'm, I'm curious, like, who else do you interface with?
Who else are you, um, you know, kind of bringing into the conversation.
[00:03:51] Jeremiah Roe: Okay.
[00:03:53] Trey Herr: So a lot of it, I think I'm a reference. This is we're trying to bridge the community between folks who work on technology, who built it, who designed it to [00:04:00] commit code, um, with folks that regulate it to talk about the political implications of it. And so, you know, for a long time, that's been sort of the divide between Congress and technology developers.
And the world that we look at today, it's between law enforcement and folks that are sort of in civil society doing open-source research on cyber crime, it's between the military community and the technical community that would like to be in the military, but maybe, you know, has had some strong fixation on certain substances, or isn't really keen on doing a bunch of pushups.
Um, and so for, for the way that we work, it's really trying to blend the user base and the developer base that we see with the policy community, and they look different and. Say different things. And they mean different things when they say the same words. And so a lot of this is trying to find mechanisms to translate, but also to present and allow people to live in that context, in that culture.
So that it's a little bit less of an us. Other thing. It's a lot more about a common group trying to figure something.
[00:06:06] Emma Schroeder: people I think are more likely to engage with something it's easier to connect with things when it's it's, you know, given to them in a format that they can understand. Um, and a lot of the time, you know, we have a lot of cars, a lot of kind of dense reporting out there, which is obviously really great.
Um, and then there's a lot of, you know, you're on social media and you're like, oh, I want to know what happened today. And you go in, you're like, you know, wall of things just like hitting you. Um, and it can be really hard to kind of. Walk through that and figure out, you know, what can I trust? What happened?
How can I understand it on like, on a human level? Um, as well as just like, you know, verifying what I'm seeing. Um, and I think that we do try to pull some of that narrative [00:07:00] thread into a lot of our work, even if it's, you know, largely not fiction, um, having something to say and making sure that message is, is carried through very strongly, um, is something that.
Just going to really help connect a lot of different communities. Um, and I think, especially when we're seeing, you know, tragedies unfolding, having, having ways to tell that story in a more human and approachable way is always going to be a good thing.
[00:07:26] Jeremiah Roe: From a communications perspective, are you all seeing. Kind of, um, shift in the way things are communicated sort of in, um, in Washington when it comes to cybersecurity and what's currently happening over in Ukraine.
[00:07:42] Trey Herr: It's an interesting question. I mean, we've seen a tremendous presence by the Ukrainians. I think the government, but also folks in the civil society, a space just to, to win the information war, the meme war alone right. Has been remarkable. Um, and I think that is normalized in some ways, some of [00:08:00] these kinds of communication and these media as standard official messaging channels, uh, Uh, you know, that maybe that's going to resonate over a longer-term.
I think you are seeing some people, some folks in DC exposed to that sort of, uh, imagery in a way that they haven't been before. But I don't know that I've seen it really shift the conversation yet.
[00:10:45] Bella DeShantz: What's your take on the legislation that Congress just passed, requiring critical infrastructure operators to report.
[00:10:58] Trey Herr: I would say, I would say, and I'm curious and I to stop it, but I think three things. One is, it's overdue to have some kind of incident reporting requirement. Um, and it's not necessarily that it has to go to government, but I think CISA is a good player for this; they've matured substantially in the role that they're playing in the space in the last 18 to 24 months.
And it's not a bad home. Um, but more importantly, I think number two is the positive data that we have about these kinds of incidents. True. the bias that, that as analysts we're still working through, which is to say, we know a lot about certain high consequence failures, and that's what we think the domain looks like.
We really don't know about good success stories. We don't often hear about the, the dogs that do bark, but really not very loudly. Uh, I think that the way this data gets used in some ways, as much more important than the requirement that that data be out there alone. Uh, but the third is, I just was so disappointed to see the breakdown and the interagency with FBI coming out at the last minute, trying to make this point.
You [00:12:00] know, just last ditch, desperate burn the grass down in the Prairie stand. They get this back in their domain. I think that was something that really reflected poorly on the leadership over there. And it's, it's a shame given how much of a role they play and how important of a stakeholder DOJ is. But especially FBI's in this space, you hope it's
[00:12:18] Bella DeShantz: do you think should have happened?
[00:12:23] Trey Herr: I think they are their concerns to Congress and through the inter-agency extensively. And I think at some point. White house is going to is going to indicate what they believe is the consensus opinion. Congress is going to make its fall. And that thus ended the book.
[00:12:38] Jeremiah Roe: I think, I think that's a hugely contentious topic, right? Especially for commercial entities that have nothing to do with government affairs. one of the arguments is this is intellectual property. I don't want to freely give intellectual property or insight into my business. And, and though.
Greater good. If you will, it can be super beneficial.
[00:14:00] Emma Schroeder: There is a kind of perspective difference that I think is difficult to get around in this space, which is the, you know, individual security versus collective security, or I know individual benefit versus collective benefit. Um, and you know, these, these companies. You know, maybe in the short term, there are risks in sharing this data, or they may perceive that there are risks.
Um, but. As to Trey's point, you know, the more that we know about how these incidents unfold and the types of actors that are out there and what responses actually look like day to day, uh, the better prepared that we can help, um, you know, each other B and, you know, ensuring that through this process, it's not just a top-down government requiring information one way street.
Um, and I think, you know, this is already the way that things are trending, I [00:15:00] think, but, you know, ensuring that. If companies are giving the government information, then they are getting some sort of benefit out of that. Okay. How do we make sure this mechanism works? If they're getting information back from the government, they get that information back in a way that's actually understandable and usable for them. Um, and making sure that we're kind of, we're pulling in the same direction, but not, you know, the government just yanking everybody in the same direction.
If we can do everything we can to make sure that companies themselves are incentivized to work in this way. That's, you know, pulling generally in the same direction. It doesn't have to be, you know, in March. But [00:16:00] aligning incentives, try to produce some more collective security framework, um, and mindset and more of the population I think would be helpful in these kinds of conversations about, you know, reporting.
[00:16:14] Trey Herr: in terms of public private cooperation and Matt agree that you would like to see a two way street and value being passed in both directions.
Um, but it's a little bit, I guess from my standpoint, it reminds me of the VEP conversation where the principal had argument about a vulnerability equities process, which is the interagency process that exists in the intelligence community and for law enforcement to decide what software flaws they discovered should be turned over to industry and fixed rather than utilized for law enforcement and intelligence activities.
The thesis that I I bought into, and I think a lot of people have bought into over time is doesn't matter if private sector uses that information incredibly well, pretty well, mostly. Well, it's a principle question about how the government is going to secure its citizens, whether it's through making these companies, software products, and more secure.
Or using that information or using those software flaws to exploit and gather information and services, trying to secure people. And so what you don't want to see is government saying, well, we don't want to give it to you cause we don't think you're going to do good things with it. It's like now the question is who's taking the lead on [00:18:00] security.
How many people are you going to help? And if you give this thing to Google and it's going to solve, you know, it's going to close a software flaw for hundreds of millions of users, versus if you're going to use it to target one terrorist organization, that's, that's a very difficult,
[00:18:12] Jeremiah Roe: as soon as you use it it's burned too. Right? Because.
[00:18:14] Trey Herr: It is exactly.
And that's and that's, but I think that's your point about incident reporting. It's the same way. Even if government doesn't make great use of this information, this is information the public should have, and this is information that should be had in aggregate for scholars and for folks in the analytic community to be able to make use of.
So I think that's maybe the third answer to the question on the it's the reporting pieces. Yeah, there are some companies and there were some services that exist because this is not a very well-functioning market. And cybersecurity generally is not a good state of affairs. So I think we are going to see some regulatory changes that make it much harder for certain classes of companies that operate because they've grown up around this inefficient system.
And that's just the nature of the beast that will change.
[00:18:53] Jeremiah Roe: So speaking of, of, uh, malicious software and malware, uh, being utilized in unique ways, is there [00:19:00] anything that you are particularly tracking right now, uh, from a, uh, cybersecurity perspective and vulnerabilities aspect? That that is something that.
[00:19:09] Trey Herr: software, supply chain security. It is, it is the, is the gift that keeps on giving to every attacker around the world. And I would say the theme, the theme we're looking at for this year is source and firmware. Um, we haven't seen a lot of public information about software supply chain attacks, targeting the firmware of systems, mobile phones.
We have seen a few cases, but we're really keenly interested in some of the server side attacks. Special and major cloud vendors. Um, but the other is just open source. You know, this community has come together in the aftermath of Log4j and really had some great conversations about what security governance needs to look like.
What sort of funding models are out there. And it's just at the early stage. I think we're going to see the federal government involved in a more significant way as well. Um, but this is an area that is, is ripe for opportunity, unfortunately, both for the defender, but also the attacker.
[00:19:59] Jeremiah Roe: what do you think of when you think supply chain. Like, is it, is it solely software base? Is it, is it hardware based? Is it, um, third-party vendors that might be connected through, uh, off the shelf devices? Obviously you mentioned firmware, so I'm just kinda, I kinda like to dig in on that.
[00:20:41] Emma Schroeder: Um, yeah, I think, uh, on our ongoing project called, you know, broken trust, we've kind of, I think taken, tried to take the idea of supply chains and like trace out of, kind of attack it a little bit at a time. Um, so we have mainly focused on. And if software supply [00:21:00] chains, um, as of yet, and breaking down some of, some of the vulnerabilities vulnerabilities that we have seen, um, you know, one way that we've done that is collect our database of software, supply chain, disclosures, and attacks, um, over the past couple of decades.
Um, but this is definitely a complicated issue. And I think, you know, even just within, you know, software supply chain, there are a lot of different types of actors. Um, let alone a lot of different actors. Um, and these different actors are going to have different incentives. They're different sizes. Um, they're located in different places.
Um, so trying to bring together that conversation is, you know, it's a complicated issue. And then as, as Trey said, we're trying to focus in on not just proprietary software. So it was, you know, software owned, um, and built by these companies that are selling it, but also open source. No free and available for anybody to [00:22:00] use, but it's also used in a lot of that proprietary software.
Um, so, you know, complicated answer to a complicated question. Uh, we have a lot of moving parts in it throughout the supply chain. Um, but, and you can take chunks, um, for, for research on it, but those chunks are kind of always going to have some interconnectivity with everything else. So trying to build it one piece at a time and make those links like that.
[00:22:26] Bella DeShantz: So I want to focus our conversation more about the crisis happening in Ukraine right now. Um, and specifically the cybersecurity issues and relevance there. Um, so specifically I know we talked a little bit about, you know, malware and destructive cyber attacks that are happening right now. Um, I know that that's something that's been talked about in the context of, you know, Russia attacking Ukraine.
Um, what do we know about what's happening? In Ukraine related to malware destructive, cyber attacks, things like that.[00:23:00]
[00:23:03] Trey Herr: Yeah. So, so far there has been a paucity of destructive cyber attacks. There was a wiper that was discovered prior to the Russians', uh, jump-off on the 24th that affected, it looked like, about 50 targets, 50 different systems inside of Ukraine, as well as a handful in Lithuania and Latvia, although later reporting,
and I believe it was Kim Zetter, had come back and said that the Lithuanian and Latvian infections were actually just collateral damage from a single contractor with clients in all three companies, all three countries, excuse me, who is based in Ukraine. Um, inside of Ukraine we've seen precious little offensive Russian cyber security activity targeted at destruction.
Uh, there's been some to degrade, especially telecommunications networks. Um, and it's not altogether surprising in part because a lot of cyber's capability is in more covert operations, more sabotage, focused operations, and really to shape the animal. And so once you, you pierced the, you know, the [00:24:00] threshold of bombs are falling.
Artillery shells are falling, that really makes cyber a little bit less useful and it takes some of its advantages off the table. Where we have seen some really interesting cyber activity is outside of Ukraine. Um, and in particular, there was an attack on a commercial satellite operator called Viasat that appears to have been intended to limit,
um, folks in Ukraine's access to broadband internet services. And there's the, there's some speculation that they're a commercial, uh, provider, but there are government, military customers inside of Ukraine using the service. The effect of that degrade-and-disrupt attack on Viasat's infrastructure, however, was far, far wider than just Ukraine.
And it led to service outages for folks across Europe, including, and I think for us, really, interestingly, a large commercial wind turbine operator. So across Germany, the number was actually 5,000 different turbines were for a period of time inaccessible and inoperable because their means of communicating back home to their [00:25:00] operators was via this commercial satellite link.
And it was disrupted. Haven't seen a tremendous amount of coverage on that. There was a good write-up from Raphael Satter at Reuters, uh, about a week ago. I haven't seen a tremendous amount of follow-up, but that's the kind of, you know, ancillary to the core campaign area where I think we're expecting to see cyber pop up first, or at least most frequently, but turn to Emma.
She's got other, other pieces from that space in her. She's been following.
[00:25:23] Emma Schroeder: Yeah, I, um, I think, uh, I've seen a lot of the conversation around this idea of. Why haven't we seen more? Will we see more? What will it look like? Um, and I think kind of going through, you know, falling along, uh, a lot of what Trey said, there are the, the use so far of cyber that we've seen is not surprising.
Um, you know, there are multiple different reasons that we see that, um, I think first and foremost is probably need so. The, the kind of effects that, that cyber can have, if you want those to [00:26:00] be, you know, destructive effects kind of in line with the direct military offensive, it's probably more efficient to use the tanks that you're going to be rolling in.
Um, and then, you know, along with that, you have just the factors of, you know, cyber it's it's best utility is kind of that low and slow. Buildup. It takes time. If you're going to try to use, you know, more sophisticated cyber operations, it takes time to build those up. It takes time to find vulnerabilities, to, you know, build a malware that you're going to use.
Um, you know, make sure that you deploy that in an appropriate way. You know, one caveat there is definitely the, how much are, are the Russians afraid of. Potential, you know, again, very hypothetical, sophisticated cyber operation in Ukraine, spreading into an actual, uh, you know, NATO member. the little that we've seen in terms [00:27:00] of like very sophisticated cyber operations, maybe there has not been time.
There's been a lot of talk about. Um, when Putin actually made the decision that this was going to happen, as opposed to just being a buildup. Um, there are a lot of, as we talked about earlier, there are a lot of proxies involved in this operation. Um, the involvement of the proxies is really fascinating, but again, uh, most of these, uh, individuals and the, the groups that have coalesced don't have a lot of sophisticated capability.
So they are relying mainly on. More like, you know, DDoSing websites and that type of operation, um, that we have seen. And then, you know, finally just looking at what are the best tools that you can use to forward this type of operation. Um, so that's not to say that. We won't see more sophisticated cyber operations in the future, but you know, [00:28:00] at each step we have to look at this and say, you know, what's the most important fight that needs fighting.
Um, and I think what we've seen so far is the, the military invasion, you know, physical military invasion has not necessitated a sophisticated cyber. Support from the Russians. And what's been more important in the kind of information space is what we've talked about. You know, misinformation, disinformation, which does not necessitate hacking, but what it does need is, you know, really solid messaging access to these places.
So that's where we've seen a lot more activity in, in kind of the cyber information environment.
[00:28:41] Jeremiah Roe: I think the threat of escalation is always a concern with any war, obviously. Um, especially when it comes to cyber operations. Um, what are the risks in this particular conflict from an escalation?
[00:28:56] Trey Herr: I mean, you have a nuclear armed power is one of the invading states [00:29:00] and there's a, by all accounts, highly centralized decision-making structure with a great deal of, let's say, uh, information symmetry between what's happening on the ground. And what's being delivered back to the central node. Who's actually making decisions in pulling these triggers.
Uh, so that's concerning and that has prospect for escalation retinol. Um, aside from that, I think the conventional understanding is that were NATO to become involved as a party to the conflict, that poses risk of escalation with respect to Russia seeing that as a direct threat to the continued viability of their invasion.
Um, now they're not, they're not experiencing an easy time of it. And I think frankly, the Ukrainians had amazed every single analyst I've ever. just at how effectively they've been able to slow down the Russian advance to reverse it in some cases to impose significant consequences and costs. But part of the flip side of that is it appears to have forced the Russians to change tactics and maybe become more desperate.
Um, and so we're seeing widespread shelling and, and [00:30:00] unguided aerial munitions bombardment of major urban areas, the likes of which we've seen before in Syria and in Chechnya, uh, just causing massive loss of life and just undirected collateral. And that feels like a choice, but it's also a sort of active, um, having fewer options, having, having fewer resources to achieve your goals and the Russian side as that window continues to narrow, you know, is there going to be an effort for, um, is there going to be a choice I guess, made to try and widen the options window by taking action against some of these other forms of support the military that's flowing into Ukraine from folks on the border, all of whom are NATO states. And so I think that the NATO as a co-combatant and co-belligerent aspect is really concerning as an escalation. The other though, frankly, is, and we've seen this, you know, I think less addressed in the last week or two, but these massive sanctions that are disconnecting Russia from global aviation networks, global energy networks, global financial networks, they dramatically reduce the cost for Russia to come back and just [00:31:00] impose costs on those networks, just to play the spoiler and disrupt them.
It's the kind of behavior that we've seen from, from North Korea, where there are very few consequences to them, to jive, to literally rob international banks, because they're not part of the SWIFT network; they've already been sanctioned up the wazoo. If we may start to see that from the Russians as well, potentially as a way of imposing costs on these other states.
And that is concerning when you have a state as large and as from a cyber standpoint as capable, uh, as Russia in that sort of spoiler position. So even if that doesn't cause an escalation spiral up to state on state military activity with a NATO member or nuclear. It absolutely causes costs for the West and for the US in trying to respond to this crisis.
[00:31:41] Jeremiah Roe: What about an escalation from a cyber attack perspective from Russia to the U S and European entities.
[00:31:52] Trey Herr: One thought, and then I took them. I was just, it's really helpful, I think in this context, not to think about escalation under domain specific rate, right. So we [00:32:00] may see. And then that, that turns into something kinetic and it goes back to cyber ends up in information. It's just, it's very likely that these exchanges are going to be thought of in broader terms of not to not to plug the concept, but they crafted strategy rather than cyber response with cyber, kinetic response with kinetic, let me be kicked in, but she's with the.
[00:32:19] Emma Schroeder: Yeah. Um, I think that, that question of, you know, specifically in the NATO context, what contractual trigger, uh, what can trigger article five, uh, is something that there's been some answers to, but again, a lot of, um, A lot of conversations still to be had. So the secretary general has said that cyber could trigger article five.
That's not a guarantee that it will. Um, and I
[00:32:49] Jeremiah Roe: And what is article five? I'm so sorry.
[00:32:51] Emma Schroeder: Oh, yes. Uh, so article five is the agreement that if you are a NATO member that, you know, an attack on any NATO [00:33:00] member is an attack on all NATO members. So that is kind of the pledge that is made when a new member joins NATO. And so the, the, what constitutes that attack made on any NATO member is cyber included.
Um, that is a very slippery question because in cyber, we have a lot of. Definitions of what constitutes attack. Um, and the, the conflict that we see in cyber is, is ongoing. There isn't really a state of peace and war in the cyber domain. We see just malicious activity back and forth all the time from, from espionage to, you know, degradation intervention, all along that range.
So the, you know, deciding question of, you know, Cyber trigger, um, article five intervention by NATO members. Um, again, like Trey said, don't think could be triggered [00:34:00] by, you know, a cyber incident in kind of an independent state. It would have to be part of a larger campaign. A big context would matter a lot more than what that specific incident was.
Um, and I think too, That, that probably would have to rise to a level that it would seem it would be, you know, not in the Russians interest to try to affect that. Um, but yeah, that, that conversation of could this escalate, could this draw in, you know, more European countries I think would be a conversation when it comes to cyber operations and not, you know, a trigger in that kind of.
[00:34:48] Bella DeShantz: Sorry, I'm trying to, I'm kind of trying to wrap my brain around, like, uh, to, to be candid, a lot of this stuff like about NATO and these agreements and [00:35:00] when, or if, or how NATO would get involved is something that I've had the privilege of not having to learn about until recently, you know, so it's all really new to me.
And I'm trying to understand, like, what would that potential conversation look like or, uh, what would it look like for NATO to even have a, have to have a conversation of like, okay, does this cyber attack, does this, um, you know, incident cyber incident constitutes something that, that would invoke Article.
[00:35:34] Trey Herr: No, it was a really good question. I mean, so when we take a pass at trying to explain to them as well, the, the way that NATO was originally constituted was intended to be a defensive alliance against a Soviet invasion of. Uh, and so the notion was if the Soviets invaded part of NATO, all of NATO would come to the aid of that country.
So an attack on one part of NATO was an attack on all of NATO, and it was a way to create a commitment [00:36:00] device, basically. Hey, Soviet Union, we are visibly committing all of ourselves to come to anybody's aid. If you cross the border, if you start to invade, so know that you got to deal with everybody, not just that one country.
Um, so from a cyber perspective, that that model becomes. What w what cyber things could be done that starts to look like Soviet tanks rolling across the border of Germany and, and running towards Berlin. Um, and that's an issue that's been debated and discussed ad nauseum for the last decade and a half.
Um, but the interpretation that NATO has laid down is that a cyber attack broadly construed could be the basis to invoke this "if you attack one, you attack everybody" model. And I think the "could be" is where a lot of the focus is, right. My 2 cents is most likely that "could be" would have to be a destructive attack.
Something where data and hardware was unrecoverable and it was data and hardware that was somehow critical to the target state, to the host state. So, as an example, if, uh, [00:37:00] a cyber attack were to disable, uh, Poland's, uh, banking system, if ATMs were not just accessible, but they were actually. Uh, if personal data banking data was, was destroyed, such that people couldn't recover their funds, a different scenario.
These are the kinds of things that I think would start to lead into that discussion of this is really an armed attack. This is something significant that we have to respond to
[00:38:23] Bella DeShantz: We've kind of talked a lot about this, uh, more offensive, um, perspective from, from Russia and attacking Ukraine, uh, in terms of cyber, cyber attacks, things like that. Um, but I've also heard a lot of news about hackers.
Many based in the U.S. but also around the entire world, uh, attacking targets in Russia as a way to kind of step in and help defend Ukraine in a way, I guess. Um, and there's also news about Ukraine recruit, recruiting an IT army to kind of help with this effort. [00:39:00] But I wanted to dig in specifically about the legality.
Also the ethics of that kind of, um, endeavor, I guess
[00:39:19] Emma Schroeder: It's definitely very interesting. Um, you know, thing that has unfolded, um, the increasing involvement of non-state actors in this conflict from a variety of different angles, from this kind of IT army to, you know, government officials in Ukraine, specifically calling on different companies around the world and asking them to take certain types of action.
Um, I think that, you know, in this space, we need to have more of a conversation on, you know, what does it mean? For, for kind of [00:40:00] ourselves and our allies to engage in this kind of behavior. I think, you know, it's, it's a more simple conversation when we say, oh, you know, Russia or China, they have patriotic hackers that, that attack us.
Um, but it's not officially state sponsored or maybe it is, we don't know, you know, what, what can we do about that? Um, so there is a conversation to be had along the line of, you know, kind of, again, back to the idea. Collective defense getting people involved. Um, but we want to make sure that that at least, I think, you know, from the U.S. perspective, more than the defensive side of things, um, I believe that Estonia has a cyber defense league.
I might be getting the name wrong. Um, but it is a corps of volunteers. They're not, you know, officially members of the government, but volunteers that come together to help protect Estonian networks. Um, but you know, on the [00:41:00] other side of that, we had, I think, you know, last year we saw a lot of conversation about the idea of kind of cyber privacy. Um, and taking advantage of the incredible cyber talent that we have in the United States and kind of weaponizing that against, uh, um, adversaries. Um, you know, I think that kind of, I think there were a few things, you know, letter of, cyber letter of marque, we, we give a couple of different groups permission to go after specific adversary groups.
But that is that I think that line of thinking really exposes the, the potential dangers of getting more people involved. Um, cyber is a domain where we see a lot of activity, uh, activity, but, um, you know, we don't have a solid sense of, like I said earlier, like what is, what is a red line, what's going to happen?
Um, and so giving kind of carte blanche to different entities to take on [00:42:00] adversaries at their own will, um, is, is playing a dangerous game. But, you know, in the Ukraine specific context, they are at war. Um, you know, the Ukrainians are going to use every resource at their disposal to try to beat back the Russians.
Um, and you know, it is understandable that they came up with this idea, um, you know, got, got the talent together. Um, I think that. You know, that conversation is going to be a little bit distinct from how the lessons that we carry for it, um, to, to the United States or, or other other states. But yeah, in terms of, in terms of Ukraine, very understandable.
Uh, we'll just have to be cognizant and watch how that
[00:42:52] Bella DeShantz: You mentioned like this, the, you know, the dangers of getting a bunch of people involved in this kind of action. I [00:43:00] want to talk about like, what are the dangers? What happens if a ton of people from the United States, from the whole world, you know, jump in on this. Something goes wrong. Like what would that be?
[00:43:25] Trey Herr: In terms of dangers, two things come to mind. First is you've got a lot of folks tripping over systems to try to find some kind of way in to do something.
And the challenge is that's not really strategic. Uh, and so you don't have any of these groups plugged into the target selection and intelligence collection processes that Western agencies have. Uh, and so one, one risk, I think that we've seen people call out is the possibility that one of these may, in having a relatively minimal effect on a Russian system or network, actually cause the Russian network owner or defender to take a look at what has gone wrong and, in so doing, discover another intelligence operation or more sophisticated penetration potentially from the Ukrainian government or from others.
And so unwittingly actually. Uh, a useful source of intelligence for the west that may be getting funneled back to Ukraine as one risk. Um, another is, and we talked about, there's probably not a lot of prospect that these kinds of groups are going to be, [00:45:00] uh, conducting sustained destructive attacks. But we have seen two instances where Belarusian, uh, activists have compromised
the national rail network both before and after the actual kickoff of the invasion. Um, and they were able to disable if not actually destroy some digital systems and switching equipment. In the wrong circumstances, at the wrong moment of, uh, a more exaggerated crisis, an attack like that could appear at least initially, or be misattributed to be the.
Or another major Western government and that firm, I think to the point that I made earlier, from a signaling perspective, it looks much more intentional, much more strategic and thus potentially much more exculpatory than the random act of a large diffused group of, of non-state participants in individuals.
And so the chance that a group gets itself in the firing line or wedged into something, looking like something they're not at the wrong moment. Uh, it could be [00:46:00] potentially costly as well. But the third thing I think that just jumps out from me. You know, we've seen a lot of difficulty in folks to struggle in terms of prosecuting this war against the Russian government and military versus the people of Russia.
And one of the challenges is that it is just low hanging fruit to go after civilians. It's true around the world. We're unfortunately seeing that play out every day on the news with respect to Ukrainian civilian population, but for these kinds of hacker groups to start doxing random Russians, to be compromising their critical infrastructure, to be targeting their bank accounts, their sources of income.
That really not only sends the wrong message, but it's strategically unhelpful when this war is against the Russian state, not the Russian population. And so that's, I think another harm that I, at least that I worry about is you've got a lot of folks that want to do something even large companies are finding it difficult to have a strategic impact rather than.
Pull out of a market and sort of signal. They're not going to keep doing business. It was a really unfortunate situation. I think was a Canadian orchestra had, had been touring with a Russian, young Russian piano prodigy, really incredibly talented, who was [00:47:00] vocally anti-war. Uh, and they kicked them off the tour.
And then they released him from his contract, with the orchestra, just as a way to demonstrate their sort of, you know, feelings about the conflict. And that just harms an innocent. And in this case, harms an innocent who has active feelings in the direction that, that the orchestra wants to signal. That's it.
That's another harm.
[00:47:19] Jeremiah Roe: What about ethics? Right? We've got citizens from the United States that are volunteering to go over and fight this particular war from, from, uh, both the physical perspective, but also from a cyber perspective, sort of jumping on bandwagons to hacking parties, if you will, or joining the IT army. From an ethics standpoint, where do you even begin to approach?
[00:47:57] Emma Schroeder: Bringing in ethics into this is, can be difficult as well. Um, in terms of where, where do we draw this conversation of, you know, individual responsibility and individual ethics versus, you know, legality and to what degree, you know, ethics informs legality. Um, but you know, having that conversation, I think with what's going on, we'll take a little bit longer.
Um, and I think there's already been a lot of conversation on this topic. You know, the, um, the ethics of, of hacking in a lot of different senses, but. One thing that I think, you know, kind of following along this line of, of how we want ethics to inform our laws and inform our kind of [00:49:00] global strategy, um, is looking at, you know, my future, you know, past, past this, we've already had a lot of conversations about.
The involvement of different types of actors in the cyber domain. Um, and we have already seen some ramifications of, you know, private image, individuals, private actors, um, taking it upon themselves to, you know, attack entities within the United States. Um, so we have, you know, ranging from, you know, ransomware groups to companies that, that sell and provide kind of offensive cyber capability as a service.
Um, and I think this has some, some, some line of thought with it, of how can the United States continue to curb this growing [00:50:00] kind of threat that we're seeing from non-state actors, um, while also seeing kind of a rise of, of individuals and groups that want to get, want to be active in a way that they see, you know, in line with the ethics of the United States, um, and complicating potentially, you know, if we are trying to create some, some more global conversations around what, what are the norms of behavior in cyberspace and ensuring that our behavior and the behavior that we support is in line with those norms that we're trying to uphold. Um, but again, you know, it's a very complicated conversation we're bringing in ethics even just, you know, within the United States, let alone, you know, across the
[00:50:46] Jeremiah Roe: Absolutely.
[00:50:47] Emma Schroeder: Um, yeah, another complicated answer.
[00:50:53] Trey Herr: It's a good question though. And I think maybe a way to close out on it is, you know, across a variety of [00:51:00] philosophical traditions, there is often a discussion of the degree to which you owe allegiance to your values. You owe some commitment to your, your sort of fellow man, to each other. And that notion of going, I think that commitment is really interestingly embedded in a lot of the core ethos that we see of technology.
Of communities of open source developers, some of the original phone phreakers, even back to the, you know, the hackers of yore, in the sixties and seventies, the research communities that were putting a lot of these basic digital technologies together, there was a, there was a duty to each other and trying to build this, these grand things.
Um, and so I think, you know, what we see here in some ways is a continuation of that trend. The same one that Hemingway was writing about in the forties with For Whom the Bell Tolls, right? The experience of Americans going to fight in the Spanish Civil War against the fascist government. There is a, there's a tradition of folks standing up and trying to take arms and in defense of their values, sometimes those values align with the state they're part of, other times not.
So from that standpoint, I think this is, this is continuing in a, [00:52:00] in a long and, and debated, but, but pretty rich tradition. The caveat I'd only add in is, you know, where we start to see folks trying to act beyond their individual capability. It's one thing to feel an obligation or a duty to, to another.
It's another to try to take action, even when you don't have an ability to affect that person or their situation. That's I think that's the concern, at least that I have is that, you know, folks that want to contribute, donate money, learn CPR, try to go and assist a massive, and you know, multi-million population of refugees that have floated into Europe, the largest internal migration in the continent.
Since the second world war, there are numerous ways. Very few of them are directly on the battlefield and fewer of them frankly, are on the cyber battlefield. And so I think finding some, some humility alongside that obligation to understand how you can actually best influence the situation rather than just trying to find the most iconic
[00:52:51] Bella DeShantz: A [00:53:00] lot of folks feel confused about what we can, what we can and what we should be doing to help right now. What is, you know, you mentioned like assessing.
Like figuring out the best way to be impactful and helpful. And it's not always, you know, some of the, I don't know, easier, obvious ways. How, what do you, how do you, do you have any recommendations for, you know, for us, our listeners folks in this industry, or just in general for figuring out the best ways, the most impactful ways to help.
[00:53:34] Emma Schroeder: Um, I think probably the first point is that I think. Easy to be caught up in feeling like you have to do the most, or, you know, feeling like you have to be keeping up with everything. Um, and I think that's something important to remember is a little bit still does help. Um, you know, even if you're not able to, to actually, you know, get to Poland and get to a refugee camp. [00:54:00]
If you're able to send money to a reliable and trustworthy organization that can fund that kind of behavior. Um, even if it's just, you know, whatever you can afford that will still be helpful. Um, and you know, just making sure on that, that when you're deciding to, to give money or give support, or, you know, even retweeting something, um, to raise awareness, just making sure that you're doing your due diligence, um, to understand.
Who is it that you're amplifying? Who is it that you're supporting? Um, you know, unfortunately, um, bad times sometimes do bring out the worst in people and we see people trying to profit off of this, but bad times also can bring out the best in people. Um, so just making sure that, you know, you're a part of that, um, doing, doing what research you can try to find some, some trusted sources to help point you in the right direction.
[00:55:00] Um, you know, every little bit.
[00:55:07] Trey Herr: I really echo what Emma said. There's, there is no lower space that cyber criminals will not stoop to take advantage of situations like this. Um, but I think one place that folks are feeling, feeling strongly is Médecins Sans Frontières.
Uh, Doctors Without Borders, um, has an ongoing fundraising campaign to try to shift not just medical supplies, but some tactical kind of medical equipment, uh, to folks in country. And there's a number of other, um, charities like that that are trying to do work both to address the situation inside of Ukraine, as well as some refugee populations. UNICEF is doing some really incredible work inside of Poland and Romania.
So, you know, those are, those are ways to contribute, uh, directly with funds. There are also some places that are sourcing volunteers, both to travel over and try to support, uh, but also to offer, you know, if we've got more specialized skills from a distance. So [00:56:00] definitely there's a myriad of good things out there to be doing that aren't necessarily picking up a keyboard and trying to deface, uh, the Russian MoD website.
Again.
[00:56:10] Jeremiah Roe: Uh, thank you all so much for your time. It's been a pleasure and it's been some really insightful conversations that we've had so far. So.