Homeland Security

Despite the tempting similarities, the analogy between nuclear and cyber weapons is presently flawed. High-ranking officials that are using it as the basis for policies of deterrence in cyberspace are making a potentially dangerous misjudgment. Given the wide-open future of cyber warfare, it would make sense to expand the analogy to include other revolutionary military technologies to provide the conceptual flexibility necessary to confront the presently unforeseeable challenges that lie ahead in cyberspace.

Publication Type: Journal Articles
Journal Publisher: Bulletin of the Atomic Scientists
Authors: Patrick Cirenza

Abstract

Under Secretary Sewall will deliver remarks on Countering Violent Extremism, the U.S. Government’s comprehensive approach for preventing the spread of ISIL and emergence of new terrorist threats. The Under Secretary will describe how the evolution of violent extremism since the 9/11 attacks necessitates a “whole of society” approach to prevent people from aligning with terrorist movements and ideologies in the first place. Drawing on recent travel to Indonesia, India, and Egypt, the Under Secretary will describe the vital role of actors outside government in this approach, including women, youth, religious leaders, businesses, and researchers. She will also elaborate on new steps the U.S. Government is taking to intensify its CVE efforts around the world. The Under Secretary will also take questions from the audience.

Speaker bio


Dr. Sarah Sewall is the Under Secretary for Civilian Security, Democracy, and Human Rights at the U.S. State Department, and is a longtime advocate for advancing civilian security and human rights around the world. Dr. Sewall was sworn in on February 20, 2014. She serves concurrently as the Special Coordinator for Tibetan Issues. Over the previous decade, Dr. Sewall taught at the Harvard Kennedy School of Government, where she served as Director of the Carr Center for Human Rights Policy and directed the Program on National Security and Human Rights.

Dr. Sewall has extensive experience partnering with the U.S. armed forces around civilian security. At the Kennedy School, she launched the MARO (Mass Atrocities Response Operations Project) to assist the U.S. military with contingency planning to protect civilians from large-scale violence. She was a member of the Defense Policy Board and served as the Minerva Chair at the Naval War College in 2012. She also led several research studies of U.S. military operations for the Department of Defense and served as the inaugural Deputy Assistant Secretary of Defense for Peacekeeping and Humanitarian Assistance in the Clinton Administration. Prior to joining the executive branch, Dr. Sewall served for six years as the Senior Foreign Policy Advisor to U.S. Senate Majority Leader George J. Mitchell and earned a Ph.D. at Oxford University, where she was a Rhodes Scholar.

This event is co-sponsored by Stanford in Government and CISAC

 


Dr. Sarah Sewall, Under Secretary for Civilian Security, Democracy, and Human Rights, U.S. State Department
Lectures
Authors: Steve Fyffe
News Type: News

 

 

U.S. Secretary of the Air Force Deborah Lee James speaks at a roundtable on cyber policy at Stanford University on January 6, 2016.

 

The U.S. military needs to train and recruit more “cyber warriors,” and improve its offensive and defensive capabilities in cyberspace, Secretary of the Air Force Deborah Lee James said during a visit to Stanford University last week.

“Today we’re not sufficiently strategizing, organizing, training or equipping to be cyber warriors,” James said at a roundtable discussion on cyber policy. “We’ve made progress over the last year or two, but it’s not good enough. We need to do more, to be open to different ways of bringing people on and retaining people so we can bring the best and brightest into our ranks.”

She called on Silicon Valley to “move past the debate over Edward Snowden and the debate over encryption” and help the military combat cyber threats to U.S. national security. “Particularly here in Silicon Valley, how can we get better access…and work better with some of the great innovations here in Silicon Valley?” she asked.

U.S. Secretary of the Air Force Deborah Lee James (left) meets with former Secretary of Defense William J. Perry (second from right) and former Secretaries of State Condoleezza Rice and George P. Shultz (far right) during a visit to Stanford University on January 6, 2016.

Stanford University was just one of the stops on James’ schedule, which also included meetings at Google, Facebook, FireEye and In-Q-Tel (the investment arm of the U.S. intelligence community).

James said she’d come to Silicon Valley to “listen and learn” and search for “the next big thing” – from drones to big data.

“We’re actively on the hunt for what will be our next advantage as the military,” she said.

She said the military was working to streamline its procurement process so it could move more quickly to fund new technological development using what she called “rapid acquisition.”

“You can’t build the next fighter aircraft under this, but you can build smaller types of technological products and get something under contract within 30 days,” she said.

Protecting networked weapons systems and critical infrastructure at military bases were two top priorities for the Air Force, James said.

It is also working to develop better defensive capabilities to protect satellites and other assets in space, and prevent adversaries from disabling critical missile warning and global positioning systems, James said.

“Space had been a fairly tranquil, uncontested area,” she said.

“Nowadays, space is much more contested and congested. There are many more companies and countries up there.

“If a conflict on earth bleeds into space in some way, how do we defend our constellation?”

Military operations centers will need to integrate more cyber capabilities in order to create more options for defense and offense, James said.

“What we need in future is a multi-domain operations center where we’re fully plugged in terms of cyber and space...so that a commander at every turn has military options that go beyond bombing a target,” she said.

“The President, the Secretary of Defense, everybody is pressing, ‘We want more options. We want more targets.’”

But James acknowledged that even digital conflict could cause collateral damage in the physical world.

“Let’s say we take out a power grid to shut down a particular part of a country to stop a military action,” she said.  “Maybe you’d shut off power to a hospital and people would die.”

That’s why cyber operations would continue to be governed by the law of armed conflict.

“Before a cyber target would be hit, there would be a legal decision with other parts of the government,” James said. “It’s not solely [up to] a commander on the scene.”

In an indication of the growing importance of cyber operations, political and military leadership in Washington are considering elevating U.S. Cyber Command from under U.S. Strategic Command to become its own unified command, James said.

The Air Force currently has around 1,700 personnel working directly on cyber offense and defense, spread among the National Guard, Reserves and active duty. And it recently established a new Cyber College at Air University on Maxwell Air Force Base in Montgomery, Alabama, to train more internal talent.

But military leaders are also looking for other ways to scale up their cyber forces, James said.

“Maybe leveraging the private sector and leveraging Silicon Valley can help us,” she said.


Brad Roberts's book is a counter to the conventional wisdom that the United States can and should do more to reduce both the role of nuclear weapons in its security strategies and the number of nuclear weapons in its arsenal.  

Publication Type: Books
Journal Publisher: Stanford University Press
Authors: Brad Roberts

Authors: Brad Roberts with Steve Fyffe
News Type: Q&As

 


 

This book is a counter to the conventional wisdom that the United States can and should do more to reduce both the role of nuclear weapons in its security strategies and the number of nuclear weapons in its arsenal.  That conventional wisdom, argues Brad Roberts in The Case for Nuclear Weapons in the 21st Century, has not been informed by the experience of the United States since the Cold War in trying to adapt deterrence to a changed world or of the Obama administration to create the conditions that would allow further significant changes to U.S. nuclear policy and posture.  A CISAC affiliate, Roberts served as Deputy Assistant Secretary of Defense for Nuclear and Missile Defense Policy during the first Obama administration. He wrote the book, which draws heavily on his experience in government, during his time as a consulting professor and William J. Perry fellow at CISAC in 2014. To purchase the book, please visit: http://www.sup.org/books/title/?id=26137

Why did you write this book?

My main purpose was to reclaim the middle in the U.S. nuclear policy debate.  As in so much of the rest of our national political life, the middle has disappeared from this particular debate, leaving two deeply antagonistic camps to dominate it. One favors more disarmament now, while the other sees many enduring roles for U.S. nuclear weapons. The division didn’t matter so long as the United States could live off the investments of the Cold War.  It can no longer do so, as old weapons and delivery systems age out and expensive decisions must be made.  A coherent and centrist approach is needed to guide national choices, and this book attempts to fill that gap.

 

What is your main argument?

That the conditions do not now exist for the United States to safely take additional steps to further reduce the number and role of U.S. nuclear weapons. The Obama administration set out a strategy for creating those conditions in 2009, and the results have been disappointing. Russia has rejected further arms control. China has rejected further transparency.  Others have refused to join an international consensus against nuclear weapons. This experience must temper enthusiasm for the disarmament project. The conditions do not exist and are not proximate.

 

What is the case against nuclear weapons? And why do you think the case for nuclear weapons is more compelling?

The case against nuclear weapons has been made on many grounds:  historical (‘these are nothing more than cold war relics’), moral (‘their use in war would violate the laws of war so deterrence is immoral as well’), and prudential (‘we can’t prove that deterrence works but we can prove that these are dangerous weapons’). The case for nuclear weapons derives first and foremost from the role the United States wants to play in the world—as a security guarantor to others and a projector of power to promote stability and our values. In today’s world, without nuclear weapons, the United States could not play that role.

 

Can you ever imagine a scenario where the U.S. would need to use nuclear weapons again?

We don't have nuclear weapons to fight and win wars with them; we have nuclear weapons to ensure they are never used against us or our allies—in other words, for deterrence.  The President would only consider the employment of nuclear weapons in extreme circumstances when the vital interests of the United States or an ally are at risk. Though extreme, such circumstances are not implausible. The cold-war vintage bolt-from-the-blue major strike isn’t the potential problem today; rather, the problem is a regional conflict that goes badly for an adversary who then tries to escalate his way out of failed aggression against a U.S. ally. At least three nuclear-armed potential adversaries have now long studied the common problem they face:  deterring and defeating a conventionally-superior nuclear-armed major power and its allies. They have developed theories of victory built around nuclear coercion, blackmail, and brinksmanship, aimed at breaking the will of the United States and its allies, including with limited nuclear strikes to demonstrate their resolve. Our deterrence strategy requires that we have an effective ability to respond and that the threat to employ it in the circumstances they create is credible. Moreover, let us distinguish the verb “employ” from “use.” U.S. nuclear weapons are used every day to cast a shadow of doubt over the thinking of potential challengers to U.S. interests and to assure our allies. 

 

President Obama set out a vision for a world free of nuclear weapons at a speech in Prague in April, 2009. Does your book contradict the President’s strategic vision?

President Obama is a pragmatist and this was reflected in the Prague speech. In 2009, we took some steps to reduce the role and number of nuclear weapons and set out a plan for working with others to create the conditions for further reductions. But so long as nuclear weapons remain, the President is committed to ensuring that nuclear deterrence remains effective. Toward that end, the administration has expended considerable time, energy, and money.  This is the story of that effort and a distillation of key lessons.

 


Abstract: Once limited by concerns about its technological feasibility, affordability and destabilizing potential, today, missile defense is becoming a multinational enterprise deployed on a global scale. The 21st century renaissance of missile defense technology has been powered by the belief that the capability to defend against ballistic missiles will reduce nuclear risks in the post-cold-war era. The assumptions that underpin this conclusion are challenged by a shift in the international security environment – the re-emergence of Russia, a major nuclear power, as a regional threat to the United States and its European allies. Both Cold War and more recent scholarship cannot fully explain contemporary dynamics. I will provide an overview of the current U.S., NATO and Russian missile defense programs and discuss their strategic, operational and technical dimensions. I will explain why we need a new understanding of the relationship between missile defense and nuclear weapons in the current strategic environment.

 

About the Speaker: Ivanka Barzashka is a MacArthur Nuclear Security Fellow at CISAC. Her research focuses on how ballistic missile defense (BMD) affects nuclear risks in the changing strategic environment. She is concurrently a researcher at the Department of War Studies of King’s College London (KCL). As a visiting scholar at the Bulgarian Academy of Sciences, Barzashka examined options for Bulgarian active participation in NATO’s BMD system, for which she did fieldwork at NATO’s Joint Forces Training Center in Poland. She also assessed technical options for BMD cooperation between NATO and Russia in collaboration with American, European and Russian scientists. Barzashka continued that project at the Centre for Science and Security Studies at KCL, where she developed a physics-based model for assessing BMD effectiveness for policy applications.

MacArthur Nuclear Security Predoctoral Fellow CISAC
Seminars

Technical and operational realities make it prohibitively difficult to adapt a Cold War paradigm of “deterrence stability” to the new domain of cyber warfare. Information quality problems are likely to forestall the development of a cyber equivalent of the strategic exchange models that assessed deterrence stability during the Cold War. Since cyberspace is not firmly connected to geographic space the way other domains are, modeling is extremely difficult, and neat conceptual distinctions between “counterforce” (military) and “countervalue” (civilian) targets are muddled. These obstacles seriously complicate U.S. planning for a credible cyber “assured response,” and also present substantial challenges to potential adversaries contemplating cyber attacks against U.S. interests. To create a maximally effective deterrent against cyber threats, the United States should seek to maximize the challenges for possible opponents by creating a cyber “strategy of technology” emphasizing resilience, denial, and offensive capabilities.

Publication Type: Journal Articles
Journal Publisher: Strategic Studies Quarterly
Number: 4

Authors: Clifton B. Parker
News Type: News

The U.S. Senate summary report on the allegations of CIA torture during the "war on terror" failed to live up to its original purpose, according to Amy Zegart, co-director of Stanford's Center for International Security and Cooperation (CISAC).

In a new journal article, Zegart wrote that the report has "not changed minds on either side of the torture debate and is unlikely to do so."

In December 2014, after five years of research, the U.S. Senate Select Committee on Intelligence issued a summary report of its investigation into the Central Intelligence Agency's terrorist detention and interrogation program between 2001 and 2006.

As Zegart noted, the Senate's summary released to the public amounted to less than a tenth of the full report, most of which remains classified. In an interview, she said the issue at hand should concern all Americans.

"How do secret agencies operate in a democratic society? Were the CIA's interrogation methods effective? Were they legal or moral? What role should the Congress have played when decisions about detainees were being made? All of these are vital questions which, sadly, remain unanswered and hotly contested – in large part because they have been caught in the maw of politics on both sides," said Zegart, the co-director of the Center for International Security and Cooperation at Stanford and a senior fellow at the Hoover Institution.

'A tiny portion of the full study'

Zegart explained that four key errors have doomed the Senate report to "eternal controversy."

"It was not bipartisan, took too long to write, made little effort to generate public support along the way and produced a declassified version that constituted a tiny portion of the full study," she said.

In contrast, Zegart said, the U.S. Senate's 1975-76 Church Committee investigation of intelligence abuses made different calls on all four issues, which helped it achieve significantly more impact. That committee was formed in the wake of Watergate and disclosures in the New York Times that U.S. intelligence agencies had engaged in a number of illegal activities for years, including widespread domestic surveillance on American citizens.

She said the Church Committee was bipartisan and finished its job in 16 months. As a result, Congress passed new laws aimed at curbing aggressive spying on Americans and political assassinations abroad, among other measures.

Zegart wrote, "This was deliberate: As one Church Committee source told the New York Times in December 1975, 'If you wait too long, both the public and the members of Congress forget what you're trying to reform.' He was right."

On the other hand, she said, the Senate committee investigating CIA torture consisted entirely of Democrats and took five years to deliver what turned out to be a heavily redacted report. U.S. Sen. Dianne Feinstein (D-Calif.) chaired the committee.

While Feinstein's staff worked from 2009 to 2014, Zegart said, public outrage about torture faded – in fact, public support for coercive techniques actually increased. According to Zegart, a 2007 Rasmussen poll showed that 27 percent of Americans said the U.S. should torture captured terrorists, while 53 percent said the U.S. should not. A 2012 YouGov national poll conducted by Zegart found that support for torture rose 14 points while opposition fell 19 points.

Another problem was that the investigation did not hold a single public hearing to generate public attention or support, she said. In contrast, Church's investigation held 21 public hearings in 15 months.

Finally, the Senate report is still almost entirely classified, Zegart said.

"The 'report' released in December 2014 was a redacted executive summary of 500 pages – that's less than 10 percent of the 6,700-page report. No one knows when the other 6,200 pages will see the light of day," she wrote.

'Extraordinary resistance'

The aforementioned factors gave CIA defenders the upper hand when the report was eventually issued, she said.

"When the summary was released, former CIA officials launched an unprecedented public relations campaign replete with a web site, op-ed onslaught, and even a 'CIAsavedlives' Twitter hashtag," Zegart wrote.

And so, the episode represented one of the controversial episodes in the history of the CIA's relationship with the U.S. Senate, Zegart said.

"They [the Senate] faced extraordinary resistance from the CIA that included spying on the investigation; stonewalling and whittling away what parts of the report would be declassified; and a publicity campaign to discredit the study as soon as it was released," she wrote.

Zegart said the Feinstein investigation serves as a "cautionary tale" for Congress in its constitutional role of intelligence oversight.

"Even those who consider the interrogation and detention programs a dark mark on American history should be wary of calling the Senate report the definitive account of the subject or a model of intelligence oversight success," she wrote.

Authors: Clifton Parker
News Type: News

U.S. national security faces rising challenges from insider threats and organizational rigidity, a Stanford professor says.

Amy Zegart, co-director of the Center for International Security and Cooperation at Stanford and a senior fellow at the Hoover Institution, wrote in a new study that in the past five years, seemingly trustworthy U.S. military and intelligence insiders have been responsible for a number of national security incidents, including the WikiLeaks publications and the 2009 attack at Fort Hood in Texas that killed 13 and injured more than 30.

She defines "insider threats" as people who use their authorized access to do harm to the security of the United States. They could range from mentally ill people to "coldly calculating officials" who betray critical national security secrets.

In her research, which relies upon declassified investigations by the U.S. military, FBI and Congress, Zegart analyzes the Fort Hood attack and one facet of the insider threat universe – Islamist terrorists.

In this case, a self-radicalized Army psychiatrist named Nidal Hasan walked into a Fort Hood facility in 2009 and fired 200 rounds, killing 13 people and wounding dozens of others. The shooting spree remains the worst terrorist attack on American soil since 9/11 and the worst mass murder at a military site in American history, she added.

Insights and lessons learned

Zegart's study of insider and surprise attacks as well as academic research into the theory of organizations led her to some key insights about why the Army failed to prevent Hasan's attack when clues were clear:

• Routines can create hidden hazards. People in bureaucracies tend to continue doing things the same old way, even when they should not, Zegart said, and not just in America. In the Cuban missile crisis of 1962, for example, U.S. spy planes were able to spot Soviet missile installations in Cuba because the Soviets had built them exactly like they always had in the Soviet Union – without camouflage.

In the Fort Hood case, she said, bureaucratic procedures kept red flags about Hasan in different places, making them harder to detect.

• Career incentives and organizational cultures often backfire. As Zegart wrote, several researchers found that "misaligned incentives and cultures" played major roles in undermining safety before the Challenger space shuttle disaster.

Zegart's earlier research on 9/11 found the same dynamic played a role in the FBI's manhunt for two 9/11 hijackers just 19 days before their attack. Because the FBI's culture prized convicting criminals after the fact rather than preventing disasters beforehand, the search for two would-be terrorists received the lowest priority and was handled by one of the least experienced agents in the New York office.

• Organizations matter more than most people think. Robust structures, processes and cultures that were effective in earlier periods for other tasks proved maladaptive after 9/11.

In the case of the Fort Hood attack, the evidence suggests that government investigations, which focused on individual errors and political correctness (disciplining or investigating a Muslim American in the military), identified only some of the root causes, missing key organizational failures.

Hasan slipped through the cracks not only because people made mistakes or were prone to political correctness, but also because defense organizations "worked in their usual ways," according to Zegart.

Adapting to a new threat

In terms of organizational weaknesses, Hasan's Fort Hood attack signaled a new challenge for the U.S. military: rethinking what "force protection" truly means, Zegart said. Before 9/11, force protection reflected a physical protection or hardening of potential targets from an outside attack. Now, force protection has evolved to mean that the threats could come from within the Defense Department and from Americans, she added.

"For half a century, the department's structure, systems, policies and culture had been oriented to think about protecting forces from the outside, not the inside," Zegart wrote.

In the case of Hasan, the Defense Department failed in three different ways to identify him as a threat: through the disciplinary system, the performance evaluation system and the counter-terrorism investigatory system run jointly with the FBI through Joint Terrorism Task Forces.

"Organizational factors played a significant role in explaining why the Pentagon could not stop Nidal Hasan in time. Despite 9/11 and a rising number of homegrown Jihadi terrorist attacks, the Defense Department struggled to adapt to insider terrorist threats," Zegart wrote.

Difficult to change

Another problem was that the Pentagon faced substantial manpower shortages in the medical corps – especially among psychiatrists. So the Defense Department responded to incentives and promoted Hasan, despite his increasingly poor performance and erratic behavior.

In addition, Zegart found the Defense Department official who investigated Hasan prior to the attack saw nothing amiss because he was the wrong person for the job – he was trained to ferret out waste, fraud and abuse, not counterterrorism, which is why he did not know how to look for signs of radicalization or counterintelligence risk.

"In sum, the Pentagon's force protection, discipline, promotion and counter-terrorism investigatory systems all missed this insider threat because they were designed for other purposes in earlier times, and deep-seated organizational incentives and cultures made it difficult for officials to change what they normally did," she wrote.

Zegart acknowledges the difficulties of learning lessons from tragedies like 9/11, the NASA space shuttle accidents and the 2009 Fort Hood shooting.

"People and organizations often remember what they should forget and forget what they should remember," she said, adding that policymakers tend to attribute failure to people and policies. While seemingly hidden at times, the organizational roots of disaster are much more important than many think, she added.

Authors: Steve Fyffe
News Type: News

It’s a technique that’s been used to calculate the odds of everything from the likelihood of a nuclear meltdown to the chances of getting sick from eating bad seafood.

Today, a CISAC scholar told the U.S. Senate Judiciary Committee that he hoped probabilistic risk analysis could help move the ball forward in the debate over encryption that’s pitted law enforcement and national security agencies against some of Silicon Valley’s most influential technology companies.

“Neither side can prove its case, and we see a clash of theological absolutes,” said Herb Lin, senior research scholar for cybersecurity at the Center for International Security and Cooperation and research fellow at the Hoover Institution, in his testimony before a full hearing of the committee.

The contentious debate over encryption has developed in the wake of the National Security Agency spying scandal, with tech titans Apple and Google recently announcing plans to implement stringent new cryptography protocols to protect customer data.

“When the Snowden documents revealed that NSA was hacking [the tech companies], there was a real sense of betrayal,” Lin said.

“You now hear tech companies talking about the U.S. government in the same way they talk about China. They feel like they have to protect themselves against the U.S. government in the same way they have to protect themselves against China. That’s a terrifying thought. In that kind of environment, there’s no trust.”

Law enforcement and national security agencies want tech companies to integrate a mechanism for the government to gain “exceptional access” to encrypted data into their new encryption technology. But, industry and privacy advocates have resisted, arguing that creating a so-called “backdoor” would make their software more vulnerable to attacks from hackers.

FBI director James B. Comey, who also testified before the committee, warned that the latest generation of encryption technology was putting American lives at risk. He said that the Islamic State in Iraq and Syria (ISIS) was actively recruiting homegrown terrorists via Twitter then using end-to-end encrypted mobile messaging apps to secretly send orders for them to carry out attacks within the United States.

 

FBI Director James B. Comey (right) testifies before the U.S. Senate Judiciary Committee about the national security risks of end-to-end encryption, with Deputy Attorney General Sally Quillian Yates (left) at his side, as CISAC senior research scholar Herb Lin looks on from the gallery.

 

 

“Our job is to look in a haystack the size of this country for needles that are increasingly invisible to us because of end-to-end encryption,” Comey said.

Deputy Attorney General Sally Quillian Yates, who testified at Comey’s side, said law enforcement could not get access to that kind of encrypted communication, even with a valid court order.

“Critical information becomes in effect ‘warrant proof’,” she said.

“Because of this, we are creating safe zones where dangerous terrorists and criminals can operate and avoid detection.”

It is a polarizing debate.

“You listen to what the privacy advocates say and what the government says and there’s no common ground,” said Lin.

“I’d like to find a way to move the ball forward rather than seeing both sides being stuck in the trenches shouting at each other.”

Lin’s proposal, which he presented to the Senate Judiciary Committee on Wednesday, recommended that both sides focus on estimating how long it would take a hacker to break into an encrypted device equipped for “exceptional access.”

“If it takes a thousand years for a bad guy to figure out how to hack…that’s probably secure enough,” Lin testified.

“If it takes him 30 seconds, using that mechanism is a dumb idea. So somewhere between 30 seconds and a thousand years, the mechanism changes from being unworkable to being secure enough.”

Not all computer security experts believe such a calculation would be possible.

“It’s challenging to come up with a defensible methodology for estimating the risk that a backdoor system will be compromised,” said Jonathan Mayer, a Stanford PhD candidate in Computer Science and former CISAC cybersecurity fellow who garnered national headlines for his research demonstrating that the NSA could use phone metadata to reconstruct detailed personal information.

“Not only are the risks of compromise unknown – they’re unknowable.”

However, Lin said the mathematical methodology known as probabilistic risk analysis, which has widely been used to predict the likelihood of catastrophic failure in complex systems from nuclear power plants to the space shuttle, might be able to shed some useful light on the risks.

And, he said, the only way to find out if it could successfully be used to calculate the risks of encryption software getting hacked would be to conduct more research.

Veterans of the so-called “Crypto Wars” of the ’70s and ’90s (when the U.S. government tried to limit public access to encryption technology), like Stanford professor emeritus of electrical engineering and CISAC affiliated faculty member Martin Hellman, said proposals like Lin’s could help advance the public debate and bring both sides closer together.

“Getting the two opposing sides to talk — and listen — is really important,” Hellman said.

“That's what happened 20 years ago when Congress asked the National Academies to look at an almost identical problem. It got those different groups talking and working out compromises.”
