Can the United States Curb the Threat From Cyberspace?
DESCRIPTION
Cyberattacks dominated U.S. headlines in 2021, sowing panic and chaos and exacting a huge financial toll on governments, businesses, and citizens alike. As the problem gets worse, policymakers are struggling to respond. What is the United States’ cyberstrategy getting wrong? And what is at stake if the country fails to mount a better defense against this unrelenting threat?
Please join Foreign Affairs Deputy Editor Kate Brannen and authors Dmitri Alperovitch, Jacquelyn Schneider, Joseph S. Nye, Jr., and Eric Rosenbach as they mark the launch of the January/February issue with a discussion of U.S. cyberstrategy.
SPEAKERS
Jacquelyn Schneider
Jacquelyn Schneider is a Hoover Fellow at the Hoover Institution at Stanford University.
Dmitri Alperovitch
Dmitri Alperovitch is Co-Founder and Chair of Silverado Policy Accelerator and Co-Founder and former Chief Technology Officer of the cybersecurity firm CrowdStrike.
Joseph S. Nye, Jr.
Joseph S. Nye, Jr., is University Distinguished Service Professor Emeritus at the John F. Kennedy School of Government at Harvard University.
Kate Brannen
Kate Brannen is the Deputy Editor of Foreign Affairs. Prior to joining Foreign Affairs in 2021, Brannen was the editorial director at Just Security. Earlier, she worked as a national security and Pentagon reporter at Foreign Policy and Politico. Her writing has also been published by The Atlantic, The Washington Post, The Guardian, Slate, and other outlets.
Transcription
BRANNEN: Welcome, everyone, to today’s discussion, launching the January-February issue of Foreign Affairs. I’m Kate Brannen, the magazine’s deputy editor, and I’m thrilled to be here moderating today for what I know is going to be an excellent conversation about cyber threats.
I recently joined Foreign Affairs and this issue was the first one that I got to work on, and it was a real honor to work with some of today’s guests that we have, and everybody here today contributed an essay to this issue.
We’re joined by Dmitri Alperovitch, the co-founder of CrowdStrike. He’s also served as a special advisor at the Defense Department, and today he’s the co-founder and chair of Silverado Policy Accelerator.
We’re also joined by Joe Nye, the former dean of The Kennedy School at Harvard. He’s served at the State Department and the Pentagon and he’s written countless books about—that have changed sort of the way we view the world and international relations. He’s currently the university distinguished professor emeritus at Harvard.
And we’re joined by Jacquelyn Schneider who’s a fellow at the Harvard—at The Hoover Institution—excuse me—at Stanford University, and she spent six years as an Air Force officer and is currently a reservist assigned to Space Systems Command.
We were also supposed to be joined by Eric Rosenbach, but unfortunately, he was unable to join us at the last minute. But we still have a great mix of perspectives here with us today, years of government, academic, and private sector expertise that we’re going to tap into as we discuss both what all of these experts wrote about for our issue and then things that are going on in the world today.
I’ll lead the discussion for the first half and then we’re going to throw it open to questions from the audience.
And Jacqui, I wanted to start with you to frame our conversation. You wrote about how for years Washington has warned about the potential physical—destructive physical effects that cyberattacks could have, including the famous warning from then-Defense Secretary Leon Panetta about a potential cyber Pearl Harbor. And I think that warning—it’s lodged so clearly in everyone’s memories. I think it might have been in every single essay—there was like a reference to it in every essay in our issue. But you note in your piece that many of these warnings didn’t come to pass and that instead what’s happened is, in some ways, more insidious and more damaging. Describe what you see as the true threats from cyber—that emanate from cyberspace.
SCHNEIDER: Yeah, you know that idea that cyber would create this immediate, large-scale effect really captured the imagination and the attention, which is I think what it was designed to do. The problem was that big event never occurred, and instead we had this overwhelming increase in low-scale cyber activity that actually had extraordinary consequences for economic activity, also for governance, and in general, what it’s doing is it’s degrading the trust that we have on digital markets, on governance in the modern era, and even international cooperation. And so it’s how it degrades that trust that we have in these modern digital systems that really is the overall factor and existential threat that cyber plays to modern societies.
BRANNEN: I thought one thing that was so interesting about what you described was learning to live with failure, that there—rather than put so much effort into preventing these attacks—it’s almost, you know, a futile effort—that it’s more important to focus on building resilience. Could you talk about how you build resilience both at the technical level, you know, into machines, which you write about, but also at the societal level, which, as you describe, is a much harder task?
SCHNEIDER: Yeah, and I think resiliency is going to be the core concept for the United States, beyond cyber, going forward. So in cyber this has many different dimensions. I mean, technical resiliency is about building different types of networks, about creating backups, about creating analog procedures or the ability, you know, in the military, to operate without digital connectivity. And I think kind of the most expensive and the difficult part of resilience is you’re basically making yourself either less effective over the short term or kind of more costly, and so you’re investing in training, you’re investing in manpower. And then as a society, this idea of resilience of society is really difficult, and the way that cyber affects information and how we interact with each other is extremely complicated. And this is kind of—the really difficult part is, how do you make societies more resilient to these types of threats? And that probably has to do less with the technical and more about how human beings interact outside the digital community.
BRANNEN: A common thread through all the pieces was a sense that the United States had almost mis-diagnosed the problem or that there’s something off about the current strategy or the way that the problem is being viewed.
So to shift to your essay, Dmitri, you talk about how cyber threats are often viewed as sort of a distinct national security problem that should be addressed with uniquely cyber solutions, but instead, they’re really symptoms of these larger geopolitical problems. Could you walk us through the threats that come from China and Iran and Russia and how they use cyber to further their own geopolitical aims?
ALPEROVITCH: I said a long time ago that I don’t think that we have a cyber problem; I think we have a Russia, China, Iran, and North Korea problem, and cyber is an element of the landscape of our geopolitical struggle with those four primary adversaries that we face. It’s not—it does not mean that all the attacks that we face come from those four countries, but the vast majority of either nation-state-directed attacks against our institutions and our private sector are coming from the state-owned entities within those governments, their military intelligence agencies, and from criminals that are allowed to operate, often with impunity, from those countries that continue to target us. They’re certainly many other criminals around the world as well, but we’re able to often find them and arrest them fairly quickly and keep that problem to a manageable level. But what we’re not able to do is, of course, deal with the threats that emanate from those four countries, which is why they’ve continued to rise in their significance in terms of impact.
So when you look at each of those four countries, they use cyber in very different ways to accomplish their strategic objectives. When it comes to China, they’re very much focused on continuing to build out their economic power and using cyber to steal intellectual property, both commercial intellectual property for private companies, as well as intellectual property related to national security systems, defense, and other applications, and have been doing that for twenty-plus years now, quite successfully, and have stolen what is probably trillions of dollars of intellectual property.
So when you sort of step back and look beyond just the cyber operations that they’re conducting, what becomes very clear is that they’re essentially waging a trade war against us by trying to out-compete us with this theft of intellectual property that’s taking place on an unprecedented scale.
With Russia it’s very different. The Russians are very adept at using coercion to accomplish their objectives or to attempt to accomplish their objectives. So many of the attacks that we’re seeing from the Russians, in terms of the Russian government, involve disruption, involve active measures operations, influence campaigns like what we saw against the U.S. election in 2016, against the French election in 2017, against Ukrainian elections, and then, of course, disruptive attacks like the ones that they had launched against Ukraine over the last eight years and like the ones that we’ll probably see in the near future if they do decide to invade that country.
And of course, Russia has also kept a blind eye to the fact that huge number of cyber criminals are operating within their borders, including ransomware criminals, and they have traditionally not taken any action against them, except for last week when they did arrest fourteen members of the REvil ransomware gang that was famously responsible for the Kaseya and JBS attacks last summer that even—I’ve argued even those actions, that are really unprecedented for the Russian government to take and they said that they did so in response to U.S. demands. I think you cannot separate from the broader geopolitical struggle that we’re engaged in with Russia and the fact that they’re trying to essentially engage in this ransomware diplomacy right now by sending a signal to the Biden administration of, you can get help from us on these criminals that we’ve traditionally not acted on, but don’t you dare try to sanction us over anything we may do to Ukraine.
So that’s sort of a brief overview of the main actors that we face in cyberspace.
BRANNEN: OK. Professor Nye, I wanted to ask you a similar issue of sort of viewing cyber as somehow distinct from, like, the larger set of national security problems. There’s a lot of skepticism that any rules can be applied to cyberspace, that it’s the Wild West. Why do you think that skepticism exists, and what do people misunderstand about norms and rules that do, in fact, apply to cyberspace, as they do to nuclear weapons and other things?
NYE: Well, thanks, Kate. Let me first say that I agree completely with what Jacqui and Dmitri have said. And you can’t separate cyber from the overall relationship. It’s an instrument that countries are using. It’s a different kind of instrument in the sense that it doesn’t go “bang,” and it is much faster and it—you know, oceans don’t protect us and it’s hard sometimes to attribute, but it’s still an instrument of the contest between powers.
Then the question is, OK, if that’s the case, you have to ask, is it possible to restrict some instruments and to set some limits on them? And we tried that with treaties and arms control and so forth. I don’t think that’s going to be relevant in cyber because you can’t tell whether a particular line of code is a weapon or not; it depends on the intent of the user. On the other hand, you can look for analogies in which you say, sometimes it’s in the interest of the state to accept certain norms or limits, and we have historical examples of that, which I try to outline in my article. But I think in the case of cyber, if you look to the example—a couple of things: one is, during the Cold War, when we certainly had bitter relations, ideological differences with the Soviet Union, we developed certain norms about how we treat each other’s spies. We didn’t kill them. You traded them back. Those became known as the Moscow rules. They weren’t set down in any treaty, but it was based on prudence and the fact that each state realized that if they broke that rule it was more costly than it was worth. Or another example is, in 1972, when both the U.S. and the Soviets were buzzing each other’s ships, trying to get as close as we can in terms of surveillance, as we called it, or sometimes you might call it harassment, we realized that, sooner or later, one of these things was going to get out of control. And we signed the Incidents at Sea Agreement saying there are certain limits on what we’re going to do.
So the analogy, I think, about norms here is sometimes states find that for a variety of reasons it’s in their interest to set some limits to restrain their sovereignty. One reason is coordination; another is prudence, that I’ve mentioned, and another is that certain taboos, when you violate them, become too costly for your reputation, or your soft power. And then there’s another one which I don’t think is as important for Russia or China, or certainly not for North Korea, which is the evolution of changes in domestic opinion, in the sense that after a while certain things are just not acceptable. So those are at least four major reasons why states will restrain themselves, and if they’ve happened on things ranging from slavery to biological weapons to nuclear weapons, there’s no reason they can’t occur in cyber. But we just shouldn’t have any illusions about a grand cyber arms control treaty.
BRANNEN: To stay on norms for a second, where do you think we are in the evolution of cyber norms? Are we at the beginning? Are we in the middle? And what would you like to see? Like, what steps have to take place in the near future to strengthen them, and are they steps that the United States should be taking, or is it just a matter of time?
NYE: Well, it’s hard to give an absolute answer to where we are in the process, but I’ve used the analogy of nuclear weapons. After Hiroshima, we had the Baruch Plan at the U.N., which was a nonstarter, and for two decades we really had no limits or norms on nuclear weapons. After we scared ourselves silly in the Cuban Missile Crisis in ’63, Kennedy proposed that we negotiate with the Soviets the Limited Test Ban Treaty, which—that was accomplished in ’63, and in ’68 we got the Non-Proliferation Treaty, again, based on the self-interest of the states. And in cyber, if you date the current domain of cyber from, let’s say, the late 1990s, from the—from when the web becomes an essential substrate of economics and politics, which is a little different from the invention of the internet, which goes back several decades before that, but if you date it from the late ’90s, we’re at about the two-decade mark now. And you say, well, has anything happened? Well, yeah. In the—Russia proposed a treaty in ’98, which we rejected for good reasons. The U.N. then set up a group of government experts and by 2015 they’d come up with eleven significant norms, which didn’t try to limit the weapons, which you can’t do, but could limit the targets, and that was consistent with existing international humanitarian law, that you don’t attack civilians. So there is a process in which you have at least had states sign on to these basic norms. In addition to that, there are a lot of other norms that have been proposed. I was a member of a group called the Global Commission on Stability in Cyberspace, which reported a year or so ago with eight additional norms, and you have in the U.N. now an open-ended working group that’s trying to incorporate some of these norms and develop them further.
So we’re making some progress, but it’s also true that norms are made to be broken, and unless you combine deterrence with the norms, we’re not going to continue to make progress.
BRANNEN: To throw this question open to everybody: Does anyone see evidence of states restraining themselves in cyberspace yet? Are there lines that they’re not willing to cross yet? Or is a lack of deterrence sort of letting actors sort of have free rein? Whoever wants to take that.
SCHNEIDER: So—
ALPEROVITCH: I think there’s a lot of—go ahead.
SCHNEIDER: Well, I would say I think strategic deterrence still exists, and I think it’s very hard to prove whether deterrence is existing or not existing, working or not working. But the fact that countries like Russia and China have not conducted a cyberattack on the United States that causes large-scale civilian physical harm, I can’t say that that’s deterrence, but I think it probably is. I think there is an unspoken norm that that kind of attack would be extremely inappropriate and escalatory and that might actually have credible deterrence-by-punishment retaliation options. I think that that is a lot more difficult at a lower level, and I think that there’s a very different relationship between the United States and Russia and Russia and Ukraine. And so things that deterrence might work for U.S. and Russia, because it goes back to what Dmitri said—politics and real capabilities. Those might not hold for states that don’t have the same sort of nuclear or even conventional deterrence options.
BRANNEN: Dmitri, did you want to chime in?
ALPEROVITCH: Yeah, I completely agree with Jacqui that when you look at even the actors where we have very strained relations with, like North Korea, like Iran, none of them have really executed targeted—and I’m talking about obviously from a state perspective—targeted destructive attacks on a large scale against our private sector or our government systems. There have been plenty of intrusions. There have been plenty of espionage. Of course, every country conducts espionage against its enemies. But in the case of disruptive attacks, you have a couple that the Iranians have attempted that were very much sort of personal retaliation against the Sands Casino, for example, that was owned by Sheldon Adelson, who had made a comment that we should nuke Tehran, and in response to that they launched a disruptive attack against the Sands Casino. The North Koreans launched an attack, of course, against Sony Pictures because they were offended by the movie Interview from Seth Rogen that showed assassination of Kim Jong-un. But aside from those cases, we really have not seen anything significant that was targeted against us. We had attacks like NotPetya that was launched by Russia against Ukraine and then escaped outside of Ukraine and did hit major Western companies, but it was clear that it was not targeted. In fact, Russia probably suffered the most, outside of Ukraine, in terms of blowback on their own companies and their own networks. So I do think that there’s quite a bit of constraining that’s taking place right now because of two reasons: one, I think countries are deterred; they realize that those types of attacks would, on a large scale, would have huge response from the United States that would not necessarily be in cyber and they’re not interested in that escalation today. And two, there’s no strategic reason for them to launch these types of attacks because it really wouldn’t accomplish any of their geopolitical objectives.
BRANNEN: You just mentioned the NotPetya attacks that had the spin-off effects that were unpredicted, you know, because they weren’t part of the original target. Does that make cyber weapons unique from other weapons, and does it shape the way states decide to use them, the fact that they can have completely unpredictable consequences and affect other states that weren't intended? How do you think that shapes, changes things?
ALPEROVITCH: I think you can say that about any weapon; they can have cascading effects. You know, even if you’re bombing a particular target, you may not fully appreciate the connectivity of that target to other parts of critical infrastructure and the impact it may have. The reality is that cyber weapons can have worm-like functionality, like NotPetya, where they sort of spread uncontrollably, but the vast majority of attacks are actually not worms. They are very specific, very targeted. You’re going after a specific system or a specific network, and there’s really no chance it will spread beyond that. So I think that’s been one of the constraining effects on our policy base here in the United States in terms of policymakers really not using cyber-offensive capabilities to their full extent because of this unnatural fear that, oh my God, if I’m targeting the, you know, Iranian nuclear program, I can have somehow blowback on, you know, the Western financial sector, and that is just nonsense. We’ve never seen that. Even Stuxnet, the actual attack on the Iranian nuclear program, even though it did spread, it had zero damaging effect on any system except the ones that it was specifically designed to hit.
SCHNEIDER: I want to highlight that what Dmitri is saying is really important. The uncertainty that surrounds cyber is a bit of a fixed effect. Right? And the United States has an obsession with certainty when it comes to its use of force, and that has severely restrained—we were talking about restraint previously. I think the United States is a place where you actually have seen a significant amount of restraint. And maybe the U.S. hasn’t gotten enough credit for the amount of restraint that I think is coming out of the U.S. But a lot of it is tied to what Dmitri is talking about, which is the inability to create certainty in the way that you could model a JDAM, a bomb—right?—and that you have a model which had a defined uncertainty about what the effects could be. So for the United States, I think that has led to a significant amount of restraint.
NYE: Could I just say that Jacqui’s done some great work on this in the sense of taking war games and asking when will people in war games introduce cyber weapons. And her research shows that it’s surprisingly rare. And I think that one way to think about this is if I’m going to send some airplanes across a border and I have to take out an air defense system and somebody comes into me and says, General, you can do it with cyber, and you say, yeah, but suppose they patch the thing between when you first told me this and when my plane gets here, I’m going to lose an airplane and a pilot. I’ll have to go back to just having a nice old kinetic bomb, which I can see it explode and I can see where the air defense system’s at.
So uncertainty is a major factor, which leads to restraint—actually, prudence. (Laughs.)
ALPEROVITCH: I actually think that’s such a critical point because what history shows so far in the use of cyber weapons by particularly our adversaries, since we have been very constrained, is that it has not been a particularly useful strategic tool. You know, you look at Ukraine and they’ve been hammered by cyberattacks from Russia over the last eight years. Their elections have been targeted; their grid has been targeted. For the first time ever cyber was used to actually turn off power in Ukraine on at least two occasions, and many other disruptive attacks. And yet, over that period of time, Ukraine has only gotten more antagonistic towards Russia, in part because of these cyberattacks, has gotten closer towards the West, so all of the objectives that Russia had to sort of hammer them into submissiveness, have not worked in cyber, which is why they are now considering an actual invasion. It shows you the limits of cyber power.
BRANNEN: Go ahead, Jacqui.
SCHNEIDER: If you don’t mind, I want to go back to your first question about cyber Pearl Harbor. This is where the fundamental problem lies. We were thinking of cyber as a substitute for a conventional bomb, aircraft, cruise missile, and we’ve been trying to stick it in that hole—(laughs)—that substitution hole, for a very long time, where the reality is, the real effect of cyber is in the way it complements these kind of conventional foreign policy means, the way it creates long-term erosion, long-term distrust. And so it’s been our inability to—our bad analogy, which has also probably decreased the effectiveness of the way the U.S. thinks about its own offensive use of cyber operations.
BRANNEN: To stay on Ukraine for a second, you know, it’s not a war game; it’s a very real-world scenario that’s taking place right now. There is discussion—you know, what kind of cyber tools will Russia use? And it sounds like, you know, a cyber weapon is not the thing to be looking for; it’s how Russia might use cyber operations to complement what they’re going to actually do in the conventional warfare arena.
Dmitri, do you have any thoughts about that and what we might see and what Ukraine can do in response?
ALPEROVITCH: I do, and I have a piece coming out in Foreign Affairs, hopefully soon, hopefully before it gets preempted by actual events on the ground, about the ability of cyber to complement traditional kinetic force. And I want to make it very clear: I don’t think that cyber will play an enormous role in this potential invasion. I think, at best, it will be a supporting sort of sideshow. But there are three elements to the campaign where it can be very helpful. One is almost certainly already on the way and that is intelligence collection, infiltration of Ukraine military networks, of their government networks to collect critical tactical intelligence that will be useful to the Russians to target Ukrainian defense forces in the initial hours of the invasion with long-range fires and also to identify potential insurgents that would oppose the Russian invasion to neutralize them within hours of the actual crossing of the border with traditional troops, and also identify, the flipside of the coin, people that could be supportive of Russia that have expressed pro-Russian sympathies that you could put in charge of villages, municipalities, and the like, when you take over territory. So that is almost certainly already underway.
The second element is tactical military support, so to the extent that they can disrupt communications within Ukraine—targeting their telcos, targeting other mobilization systems, and inhibit the ability of Ukraine to stand up effective defense—I think they’re going to do that. A lot of it will happen in the kinetic sphere, but cyber can certainly be very helpful, as well, to make things more difficult for the Ukrainians.
And then the last element is going to be more psychological, and we already started to see that with the pretty rudimentary attacks that have been launched against Ukraine last week with the website defacements, with the wiper attack that really had not accomplished a whole lot, but the goal behind those types of operations is to really try to convince the Ukrainians that resistance is futile, that Russia is everywhere and is omnipotent, and that they can hit any part of the Ukrainian government, either kinetically or through cyberspace. So you will see some elements of that, most likely, to complement the traditional campaign.
BRANNEN: And before I relinquish my ability to ask questions, while we have Professor Nye here, I wanted to ask him, quickly, what he thinks Putin’s end game is. I mean, we’re veering off the cyber discussion a little bit, but what’s Putin’s end game with Ukraine? And any thoughts about how President Biden has handled it so far?
NYE: Well, I think Putin has said that he regards the collapse, the disintegration of the Soviet Union as a geopolitical catastrophe and so he wants to restore, basically, Russian control over the near abroad, or the parts that were part of the Soviet Union, and this doesn’t have to be full annexation, as in the case of Crimea, but it means having a government which is going to be subservient to what Moscow wants. So I think he’s trying a variety of tactics to try to produce that. It’s very uncertain which ones will work and how far he’ll go, but that seems to be his objective—something like he got in Georgia in 2008. But we’ll see.
I think Putin’s larger goal, which is interesting, because, particularly in his use of cyber, it’s quite different from the Chinese use of cyber. I think he wants to disrupt the West. In other words, instead of strengthening Russia, which would be a long-run strategy, weakening democracy, weakening the West, including weakening NATO, but also weakening democracy inside the United States is quite plausible. And they view cyber very much for that. But it’s not just cyber. If you view RT, Russia Today, if you watch it, you’ll see it doesn’t cover much about Russia; it doesn’t even rebut a lot of things that are said about Russia. It spends most of its time finding hostile stories in which Western people criticize their own Western governments.
So I think Putin’s objective is to restore Russian prominence by weakening the West. And the Ukraine episode is a very dramatic, immediate instance, but I don’t think it’s going to—it didn’t start with Ukraine. It’s not going to end with Ukraine.
ALPEROVITCH: If I can just add, you know, I think Putin—and I completely agree with Joe that he is not necessarily trying to recreate the Soviet Union, but certainly trying to reassert Russia’s old sphere of influence over its near abroad in the post-Soviet Union space minus the Baltics that, I think, they have given up on.
But in that regard, he has had a phenomenal last couple of years because Belarus, after the fraudulent election there against Lukashenko and the protests that have erupted in that country, is now very tightly within Russia’s grip because he has supported Lukashenko and helped him to crush the uprisings, and Lukashenko now owes him and that’s why we’re seeing Russian troops being deployed to Belarus as part of this potential invasion of Ukraine that may be coming up.
And just in the last two weeks, he has done that spectacularly in Kazakhstan, where you seem to have had a popular uprising followed by a potential coup against the president, and Russia, with very limited commitment of just about twenty-five hundred troops deployed for about a week—they’ve now pulled out—was able to help suppress that coup and bring Kazakhstan squarely into Russia’s orbit because, previously, Kazakhstan tried to practice this multi-vector diplomacy of accommodating China, Russia, and the West all at the same time. That is now gone and they’re squarely within Russia’s sphere of influence, and I think he’s going to try to do that in Ukraine in the coming weeks. So he’s on a roll right now, unfortunately.
BRANNEN: OK. At this time, I’m going to invite CFR members and Foreign Affairs subscribers to join our conversation and keep it going with their questions. As a reminder, this meeting is on the record, and the operator is going to remind us how to join the question queue.
OPERATOR: Thank you so much. (Gives queuing instructions.)
Our first question is a written submission from Dustin H., who asks, we’ve discussed Russia, Ukraine, cyber threats, and attacks. But I was curious what we knew about China-Taiwan threats and attacks.
ALPEROVITCH: So we don’t know a lot. There’s, certainly, been a lot of espionage being conducted against Taiwan. I think it’s a fair assumption to make that most of Taiwanese government networks have been thoroughly infiltrated by the Chinese over the last ten-plus years.
But we have not seen any disruptive attacks and, frankly, we have not seen any disruptive attacks from any Chinese government organization, ever. It’s not because they don’t have the capability. It’s just because they have strategically decided that they don’t yet need to escalate.
I’m confident that at the point that they make a decision to invade Taiwan we will see a whole slew of disruptive attacks. Their PLA Strategic Support Force, specifically, has the mission to do cyber operations with a military objective with a disruptive purpose, and they’re quite capable to execute severe and damaging attacks against Taiwanese infrastructure, particularly, its command and control networks that could be very helpful to the Chinese if they do decide to invade.
But, obviously, they have not yet gone after Taiwan from the perspective of trying to invade it. So it makes sense that we have not seen any cyber operations that would be disruptive.
NYE: Could I just add? I agree with what Dmitri said, but there is some evidence that Beijing has interfered with—in elections in Taiwan, and in that sense, it’s interesting because while Russia has interfered in American elections, the Chinese really haven’t. As Dmitri said earlier, they’re more interested in espionage for commercial purposes and others.
But in Taiwan, their behavior toward Taiwan on elections is much more like the Russian behavior toward us in cyberspace.
SCHNEIDER: Yeah. I want to highlight that the Chinese really do have a very different view about information operations when it comes to Taiwan than they do with the United States. They are relatively restrained when it comes to disinformation operations minus kind of like blatant international propaganda against sovereign countries, but they are actually extremely active when it comes to building disinformation campaigns targeting domestic politics in Taiwan.
That’s probably where you see the most significant lines of effort from the Chinese kind of cyber information capabilities against Taiwan pre-conflict.
OPERATOR: Excellent. Our next question will be from Cynthia Roberts.
Q: Thank you very much. My question is about what you mentioned on the Russians rounding up their ransomware group that attacked the United States. The timing does not seem to be accidental, and I wonder what signal you might be taking from this.
Could it be, perhaps, in response to the threats from the United States regarding deterrence against Ukraine making economic and financial sanction threats against Russia as a possible signal to retaliate in the event such sanctions are applied? Thank you.
ALPEROVITCH: Yeah. As I said, I think that’s exactly what it is. It is not an accident, this timing. The fact of the matter is that for six-plus months we’ve been asking the Russians to take action against these groups. We’ve provided them names many months ago, and the fact that all of a sudden they decided to take action now at the point where we’re threatening severe sanctions against the economy, not an accident at all.
Q: I don’t know if you can still hear me. But can you follow up on what kinds of retaliation you would predict in the event that the U.S., you know, applies many of these sanctions? Would they be against the financial sector? Would they be against power grids on the East Coast in the middle of winter? You know, what kinds of targeted attacks would you expect to see?
ALPEROVITCH: So I actually wouldn’t expect to see any Russian state-sponsored attacks against our network. I think it would be incredibly foolish for the Russians to try to escalate vis-à-vis the United States at the time when they’re fighting a war in Ukraine. The last thing they want to do is bring the United States into that fight. So I don’t see them purposely attacking us.
But I think one of the things you will see immediately is a release of these criminals that were just arrested. In fact, they have the perfect excuse for doing so because they said they arrested them based on information that was provided by the United States law enforcement and they can now say that they were so gullible to believe the U.S. law enforcement that made them arrest perfectly innocent Russian boys that had nothing to do with any crimes, and I think that’ll send a pretty strong signal—a sort of unwritten signal even—to Russian criminals that now it’s a free for all. Russia is being attacked economically with these sanctions and it’s time to respond with more ransomware, more criminal activity, against U.S. networks. Again, I don’t think it will be directed by the Russian state but it will be sort of an unspoken message that will be sent to all these groups.
OPERATOR: Excellent. Our next question is a written submission from Marcos Pascal (sp), who asks: Most of the victims of cyberattacks are regular citizens, especially ransomware as of late. What should the nation-states do to protect their citizens against these types of attacks?
BRANNEN: Who wants to take that one?
ALPEROVITCH: Jacqui wrote about that. (Laughter.)
SCHNEIDER: I see we all want to talk about—(laughs)—public-private partnership and ransomware. This is a really, really, really tricky, tricky question because, I think, for the first few—the first, maybe, even ten years that ransomware was evolving and coming onto the forefront, there was maybe a misperception by the U.S. government, and I think from private sector as well, that the U.S. government could do something significantly to defend against or deter ransomware, and that really just wasn’t the case.
So what can the United States government do? And I want to highlight that the U.S. government has less people working on cybersecurity than the major financial institutions by a large order and actually invest less in capability development and definitely less in cyber defense than the private sector. So the lion’s share of capability is in the private sector.
That means it’s, you know, companies like JPMorgan Chase are actually, like, pretty well set up to do cyber defense on their own. Where the companies that kind of get left out here are the mom and pops or smaller companies that are, basically, investing in, like, McAfee and Amazon Cloud as their primary cybersecurity mechanisms. And so those are the folks that are losing out, and the government doesn’t have the resources to defend each one of these.
Now, I think we’ve seen some forward progress here. First, the CISA and Cyber Command are now proliferating information about threats instead of holding onto them. They’ve created a kind of a public persona, public social media, I think, that’s, you know, forward leaning. They’re also doing a better job of creating information and sharing or building up information-sharing centers so that there are kind of structures so that companies and the government are sharing more information than previously.
And then, you know, the last few years has been the advent of what the DOD has kind of awkwardly termed defend forward, which, I think, really, is this concept that the United States, instead of waiting to respond to cyber incidents, will instead use their offensive cyber capabilities, which are resident in the military, to decrease the ability of actors to conduct cyber operations in the first place. And you saw that when it came to disinformation and the elections but now you see that kind of pivoting towards, hey, can we use these resources to decrease ransomware actors’ access to cryptocurrency, for example—can we use military resources to shut off the networks or the capabilities that ransomware actors are using.
So it’s moving forward, but there are kind of unique lanes in the road that the government has a comparative advantage over the private sector, and it’s actually a very small segment where the government has comparative advantage over the private sector here.
OPERATOR: Our next question will be from Alan Raul.
Q: Thank you. I’m Alan Raul, a partner at the law firm of Sidley Austin, and my question actually does follow up on Ms. Schneider’s comments about defensive measures, because sometimes the best defense, really, is a good defense or a great defense.
Do any of you foresee any technological breakthroughs that will provide significantly enhanced defensive protection or new protocols for defending in terms of internet procedures or otherwise, and do you—what do you make of yesterday’s memorandum issued by President Biden regarding cybersecurity for kind of national defense systems in which there was reference to quantum-resistant protocols and quantum-resisting algorithms that the NSA was tasked to address? Is this a new area that we should be very afraid of or is quantum computing and other technological measures going to be some potential solution to the cyber insecurity we face? Thanks.
ALPEROVITCH: I’ll take the quantum part real quick. So I think it is, obviously, prudent for the United States to think over the long term. You know, there are some secrets that the United States government possesses that it wants to keep secret for many, many decades to come, and if you project twenty, fifty years, even, it’s not out of the realm of possible that we will have a quantum computer that will be able to break some of the modern encryption algorithms that are based on factoring of numbers and the discrete logarithm problem that the quantum computers would be able to break very quickly.
So from just a prudence perspective, being able to standardize on encryption algorithms that would be resistant to quantum computing, which we actually have—we don’t need to invent new ones, it’s just going through the process of actually standardizing on them—is something that is a good idea and should be done.
It is not something that most people should be worried about at all. It is a remote possibility. It’s not going to affect our daily life for many decades to come. And by the time quantum computers arrive on the scene, we will very likely convert to new algorithms that are going to be resistant to quantum computing. So that’s the one area of cyber I would not spend much time worrying about.
NYE: On technical fixes for the future, there are some people who think that artificial intelligence may change what’s now the conventional wisdom, that offense has the advantage over defense, and the argument is that humans make mistakes when they write code and the net effect of that is that you get vulnerabilities, which lead to zero-day exploits, and that if you had AI which was checking code you would remove this enormous vulnerability or set of vulnerabilities.
My own view on that is it’s probably cat and mouse, that if you got AI on the defensive side then AI would be on the offensive side as well, and I’m not sure that’s going to solve it. If you ask me the answer to your question, I wouldn’t look for technical fixes. I would look for something like development of a real insurance industry in cyber so that you have companies internalize the external costs of not having adequate security.
Right now, a company says, do I want to have a password that says one two three four or do I want to have a fancy cybersecurity department, and if I’m in competition with another company which is going to sell the product for half of what I’m selling, I’m going to cut every cost I can.
If, on the other hand, they can’t get insurance—if it’s something like underwriters laboratory standards which are necessary to get insurance—you might find a spread of a good defense, as you put it, throughout the economy. We’re a long way from there.
But that, to me, is a better approach than just looking for a technical fix. And one of the first steps on that is to get more information about attacks, and Dmitri has been working on promoting disclosure and getting companies to have to disclose to CISA when they’ve been attacked so we get a real actuarial base to develop an insurance industry.
So I would—I think your point is absolutely correct. Better defense is a better defense. But rather than focusing on a technical fix, I think getting a framework in which you develop a really effective cyber insurance industry would be where I would put my emphasis.
OPERATOR: Our next question is a written submission from Marc Rotenberg, who asks, on the resilience front, could the U.S. do more to protect national interests if we strengthened our laws for data protection?
We know that foreign adversaries are targeting the personal data of U.S. citizens held by U.S. companies. The EU is known for GDPR. But even the Chinese have recently enacted a privacy law partly out of concern for national security.
ALPEROVITCH: I think that—and Jacqui has written about the importance of resilience. Resilience is important. I would be very careful about thinking that a data protection law would significantly improve our resiliency.
However, there is pretty good consensus amongst the security community that GDPR was detrimental to security and achieved exactly the opposite of what it was trying to achieve, at least on the surface of what the Europeans claimed it was designed to achieve. Many think that it was actually much more successful at promoting European companies and targeting American dominance in the technology sector than it was about privacy or security.
But, you know, we have data breach notification laws in all fifty states. We don’t have a federal one, and many companies have reported, of course, breaches of PI information publicly and, yet, we’re still in a situation where things get progressively worse.
SCHNEIDER: I want to highlight that a lot of these data privacy regulations are really about creating physical geography in cyberspace. And why does China care about its data being in China? So it can control its data.
The U.S. could, certainly, try to do something like that. But that comes with extreme costs for innovation, extreme costs for the utilization of data, and I think the central—it creates incentives for centralized data in a way that, I think, is probably less productive for resiliency.
OPERATOR: Our next question will be from Glenn Gerstell.
Q: Thank you very much for a really excellent discussion. I’d like to focus a little more on the future. Given the comments—the excellent comments about the sort of fundamentally geopolitical nature of this problem rather than it just being a technical one, and given that we’ve been moving so slowly with both the government and private sector in making incremental progress bit by bit on cybersecurity, what’s the future hold?
Are we going to be here a decade or two from now bemoaning the continued gap between our vulnerability and our ability to defend ourselves? Is this problem going to get worse? Seems like it’s difficult to envision a situation in which we are going to achieve those geopolitical norms that Professor Nye talked about. What’s your prognosis for, say, ten or twenty years out? Are we doomed to this problem forever?
ALPEROVITCH: I think you have to predict the future of our geopolitical relations with China, Russia, Iran, and North Korea, and that will give you the answer for the prediction on where the state of cybersecurity will be in terms of those threats, and, frankly, I’m not very optimistic that things will be any better ten, twenty years from now than they are today with any of these countries.
NYE: I think that’s right. But I would add to that that even when you have intense hostility, prudence can lead to limits, which is the cases I made—mentioned earlier. And so I think you may see limited areas of prudence.
For example, attacks on the domain name system or the assigned names and numbers that are managed by ICANN and so forth, even if you have great hostility between U.S. and China, for example, it’s not in the interests of either of the countries to, essentially, just rip up the telephone book of the internet, so to speak.
So I think there will be some areas where you may get accommodation, based on prudence and coordination, even with hostility in the overall relationship.
BRANNEN: A follow-up on that question in terms of if the picture doesn’t change much over the next ten years, Jacqui, where does that leave trust and people’s trust in institutions, banks, et cetera?
SCHNEIDER: Well, this is something that worries me. You know, I have two young children, and I look at the future of trust and I’m not optimistic. I think there has to be a pretty significant shift and I think U.S. strategy is going to have to deal with trust on its head and it’s going to have to be bigger than cyber in order for us to move past these threats.
Right now, I just see a continuous erosion of digital trust in our financial institutions, in our governance, and, unfortunately, kind of how we interact with one another. It’s very pessimistic—(laughs)—but I don’t think there’ll be a cyber bomb so I’m optimistic about that.
BRANNEN: I think we have time for one more question, maybe two.
OPERATOR: Our next question is a written submission from John Bermingham, who asks, to what extent does cryptocurrency compromise our economic and national security?
ALPEROVITCH: Look, I think that cryptocurrency, potentially, has, you know, great promises in certain applications to optimize our financial system. The DEPA applications are real interesting. But the reality is, today, the vast majority of cryptocurrency transactions are either illicit, supporting criminal activities on the internet, supporting tax evasion, drug trafficking, and the like, or they’re pure speculation.
So I’ve argued that we absolutely need to have better regulations—better global regulations—on cryptocurrency transactions. In the United States, we actually have a significant amount already. So every cryptocurrency exchange in the United States, for example, has to do KYC—Know Your Customer verification—and AML—anti-money laundering—checks on transactions because they’re part of the financial system.
But, overseas, that’s not the case, and we should do two things. We should work with our allies to get them to implement these standards and expand them, really, from their traditional financial sector, which we’ve had tremendous success getting virtually every country on the planet to implement KYC and AML in the last couple of decades. Now they need to extend it to cryptocurrency.
And, two, we’ve argued at Silverado that we should grant the executive branch authorities to sanction any cryptocurrency exchange—any foreign cryptocurrency exchange—that is not abiding by these standards and is not cooperating with law enforcement.
So you move beyond just having to prove that they actually involve the criminal activity to now loosening that standard, saying that if they’re, simply, turning a blind eye to it we can still sanction them and disconnect them from the global financial system.
BRANNEN: Time for one more.
OPERATOR: Our last question will be from Bob Grady.
Q: Thank you very much. Bob Grady, partner at Summit—the private equity and venture capital firm Summit Partners and a member of the Board of Overseers, Jacqui, of the Hoover Institution.
I wanted to sort of merge Dmitri’s initial point that, you know, we haven’t seen sort of cyber as a principal instrument of military attack but it might be a supporting mechanism with Kate’s point at the beginning—with Jacqui’s point at the beginning, excuse me—that, you know, it’s hard to make societies, as opposed to the military, more resilient.
And my specific question is, stepping beyond military vulnerability, do you believe that U.S. critical infrastructure is vulnerable to cyberattack and, specifically, what can the U.S. government—what can and should the U.S. government be doing to make U.S. civilian critical infrastructure—things like power networks, water networks, communications networks—more resilient and better sort of defended in the event of hostilities to cyber—you know, from cyberattack?
SCHNEIDER: Yeah. You know, I would say that there’s a good news-bad news story here. The good news is that a lot of U.S. critical infrastructure is so kind of—is built as such a labyrinth, so byzantine, that it’s very difficult to create large-scale systemic effects. I mean, like, that’s a weird externality of having, like, relatively—(laughs)—not modern or kind of, like, hodgepodge civilian infrastructure.
But, you know, we’re moving towards more digitization and that’s occurring not—it has in the past occurred not in a more—in a deliberate way. I mean, when you talk to, for example, the energy infrastructure, they would consider themselves as primarily an energy provider, not a technology company. That’s very different from the financial sector, where they really do—they view themselves and their kind of future as being technology infrastructure.
So the U.S. has had to devote a significant amount of resources to water, wastewater, energy, in order to try and kind of make these networks more resilient. I mean, I live in California. PG&E can’t even survive a sunny day here, much less—(laughs)—you know, like, significant cyber intrusions.
So, you know, I think there’s two ways to look at this. One way is that we penalize these companies for not having more cybersecurity and not being resilient. I guess there’s three. The other option is we provide them, like, with NIST guidelines about how to become more resilient and how to become less cyber vulnerable, and then kind of hope they do it. And then the third is that you penalize.
The reality is there has to be probably some sort of mixture here. But I think what we haven’t really explored is the ways that we can incentivize and build carrots. There’s a lot of talk about regulation and punishment for not being cyber secure.
But I think there are some kind of carrots that the U.S. federal government can provide to incentivize infrastructures and to create kind of, like, a federal self-help to, you know, really reach out, too, at the municipal level because we’ve seen a lot of vulnerability at the municipal level, which is extremely poorly funded, to try and increase kind of public infrastructure cybersecurity.
BRANNEN: Well, unfortunately, we have to end it there. This has been a wonderful hour of conversation. I want to thank everyone for joining us. Thanks to our speakers, both for writing for us and for joining us today.
The audio and a transcript of this talk will be available on the Foreign Affairs website. And that’s it. Thank you, everybody, and please join us next time.
(END)