In 2013, the Federalist Society conducted a panel regarding cybersecurity, Internet privacy, and their global impact. (1)
The panel was joined by several esteemed professionals with extensive experience in private practice, government work, academia, and non-profit public interest work.
Mr. Steven G. Bradbury is presently a Partner at Dechert LLP. (2) He served in the Justice Department from 2004 to 2009 and was head of the Office of Legal Counsel. (3) He wrote many of the pioneering legal memoranda that relate to the subjects being addressed today.
Mr. Joel F. Brenner is the principal of Joel Brenner LLC, a law and security consulting firm, and is the Robert Wilhelm Fellow at MIT's Center for International Studies. (4) He has served, at different times, as Inspector General of the NSA, as Senior Counsel at the NSA, and as head of Counterintelligence under the Director of National Intelligence. (5) He has been awarded the Intelligence Community Achievement Medal. (6) He has written a terrific book. The book was originally called America the Vulnerable: Inside the New Threat Matrix of Digital Espionage, Crime, and Warfare. The paperback has been renamed Glass Houses: Privacy, Secrecy, and Cyber Insecurity in a Transparent World.
Ms. Michelle Richardson is currently Legislative Counsel for the Washington office of the American Civil Liberties Union. (8) She focuses on national security, including cybersecurity. Before that, she was Counsel at the House Judiciary Committee, and a Fellow at the Stanford Law School Center for Internet and Society. (9)
Mr. Paul Rosenzweig is the Principal of Red Branch Consulting and a Senior Consultant to The Chertoff Group. (10) At the Department of Homeland Security, he was Deputy Assistant Secretary for Policy. (11) Paul is the lead cyber blogger for Lawfare. He is the author of Cyber Warfare: How Conflicts in Cyberspace Are Challenging America and Changing the World and co-editor of National Security Laws in the News: A Guide for Scholars, Journalists, and Policymakers. (12)
Mr. John Choon Yoo is a law professor at Berkeley and a visiting scholar at the American Enterprise Institute. (13) He clerked for Judge Silberman and Justice Thomas. (14) John served as General Counsel of the Senate Judiciary Committee, and he served in the Office of Legal Counsel at the United States Department of Justice, where he made vital contributions to the full range of national security issues that arose after 9/11. (15)
Mr. Vincent J. Vitkowsky is the current Chairman of the Federalist Society's International and National Security Law Practice Group, where he developed two National Security Symposia on cybersecurity. (16) Additionally, Mr. Vitkowsky is a partner at Seiger Gfeller Laurie LLP, focusing on international commercial arbitration and litigation as well as issues of insurance, terrorism, national security, and cybersecurity. (17)
3:30 to 5:00 p.m. Friday, November 15, 2013
The Mayflower Hotel Washington, D.C.
VINCENT J. VITKOWSKY: In 2003, the Bush Administration released the first National Security Strategy to secure cyberspace. (18) This identified some of the threats and vulnerabilities, and developed the concept of the private-public partnership for cyber defense. (19) Three strategic objectives were identified and five national priorities were cited to help meet those objectives. (20)
In 2007, TJ Maxx revealed the data breach that exposed the debit and credit card information of 45.6 million customers. (21) That brought one type of cyber risk into widespread public attention.
In 2010, the existence of the Stuxnet virus was revealed. (22) That was the virus that slowed down Iran's nuclear program by incapacitating, to some extent, its nuclear reactors. (23) That brought widespread public attention to the possibility of industrial threats; cyber attacks that had kinetic effects or physical effects. (24)
In 2012, then-State Department legal advisor, Harold Koh, announced that under U.S. policy, the law of armed conflict applied in cyberspace. That meant that cyber attacks could warrant a military response, up to and including bombs and missiles. Later that year, then-Secretary of Defense, Leon Panetta, warned of--and I am going to quote--"A cyber Pearl Harbor that would cause physical destruction and the loss of life, an attack that would paralyze and shock the nation and create a profound new sense of vulnerability." (25)
Also, in 2012, there was a failed attempt to pass cybersecurity legislation, which failed because of policy differences. (26) Those differences do not run along traditional ideological spectrums. They are really all across the political spectrum.
In 2013, cyber attacks were the first identified global threat in the U.S. intelligence community's worldwide threat assessment. (27)
In her farewell address, then-Secretary of Homeland Security, Janet Napolitano, said--and again I quote--"Our country will, for example, at some point, face a major cyber event that will have a serious effect on our lives, our economy, and the everyday functioning of our society." (28)
VINCENT J. VITKOWSKY: Let us start with a question to Paul Rosenzweig. What are the types of cyber threats we face, how seriously should we take them, and which ones rise to the level of national security threats? What has been the US strategy so far?
PAUL ROSENZWEIG: What we have up here (referring to a projection of an image that is generally referred to as the Peacock map of the Internet) is cyberspace circa 2005, a mapping effort that was done at the time, and it gives you some idea of the scope and degree of risk in cyberspace as well as the scope and degree of its wonderful opportunity to create new economies. It is what powers Amazon and Walmart, and as we talk about threats and vulnerabilities, we should not lose sight of everything great that is happening.
Since this is a cybersecurity panel, I want to ask two questions. What is vulnerable, and who is threatening it? The answer to the question what is vulnerable is essentially everything. Anything that has a silicon chip that is programmable and addressable is at least in theory subject to being hacked. I have seen demonstrations of vulnerability in everything ranging from heart monitors to the electric grid.
Back in June of this past year, at a hacker conference in Las Vegas, known as DEF CON, some security researchers demonstrated their ability to crack the security on a commonly implanted type of heart monitor, causing it to malfunction in a way that if they had done it to a real person, would have killed the owner of the monitor. That is pretty shocking, but it is a very small-bore kind of threat.
On the other end, we see threats to the national electric grid. Just yesterday, the North American Electricity Reliability Council, which is responsible for the reliability of the entire North American grid, completed a red-team exercise called GridEx II, in which, at the end of 2 days of effort--which involved a fictitious 2 months of simulated attacks on the American electric grid--tens of millions of Americans were still without power, and over 150 people had been killed. (29)
Now, these vulnerabilities are theoretical, and when they are so comprehensive and widespread, you almost despair of any opportunity to address them. If everything is at risk, how can we protect it all? We surely are unable to. We do not have the resources. That leads us to try to prioritize our efforts by thinking about what the consequences are of cyber vulnerabilities, and who the threat actors are. Unfortunately, I think there is a dissonance. The most common sets of threats, the ones that happen to you and I most frequently, are, in the end, the ones that are least likely to have existential consequences, while the rarest threats are the ones that we hope will never at all, and are obviously the ones that will have the most significant consequence to our country.
So, we see, for example, that the most common threat, the one that you and I would experience most, is crime, and crime, in cyberspace, is rampant and endemic, just as it is in the real world. The best estimates I have seen are between $100 billion to $300 billion a year in losses to the U.S. economy annually; (30) about 500,000 jobs are at risk. But if that were the only threat, we would not be having a panel here today, because, of course, that is a commonality of crime that we can address with traditional criminal tools, probably.
The next thing we worry about is espionage, and granted, there is a fuzzy line between crime and espionage, because the theft of intellectual property from a commercial actor looks a lot like espionage in the national security space. But here, we start to see a lot more significant potential threats to American national security. The Defense Science Board, reporting to the Secretary of Defense, reported, in a classified study earlier this year--and when I say classified, I mean it was secret until it was leaked to the Washington Post--reported that over 50 different important developmental military programs had been penetrated by Chinese intrusions and data exfiltrated. (31) These intrusions ranged from things like the designs for our next stealth fighter, (32) the F22, (33) to something called "micro-nano-proto-metallic" armor. I do not know what it is and I am glad we are building it, because I hope our troops get it, but I am really kind of upset that the Chinese have stolen it from us already, before we have even deployed it.
What is really driving people nuts at the policy level and lawmaking level is the series of threats that have not been realized. Also, the threats from non-state actors, like al-Qaeda or perhaps hacker groups that go by names like Anonymous (34) or LulzSec, (35) and the threats from nation-state actors, like China, the idea that, at some point in time, we might get into a physical conflict with China over, say, Taiwan, and at the same time...