Cybersecurity
News Type: Blogs

On May 23, Stanford students enrolled in Technology and Security (MS&E 193/293) met with General James M. Holmes. General Holmes gave a talk, "Applying Technology--the Military Perspective," and engaged students in a Q&A session afterwards. The interdisciplinary course explores the relation between technology, war, and national security policy from early history to modern day, focusing on current U.S. national security challenges and the role that technology plays in shaping our understanding and response to these challenges.

 


Authors: Amy Zegart
News Type: Q&As

In a world complicated by terrorism, cyber threats and political instability, the private sector has to prepare for the unexpected. Amy Zegart, CISAC co-director, the Hoover Institution’s Davies Family Senior Fellow, and co-author (along with Condoleezza Rice) of Political Risk: How Businesses And Organizations Can Anticipate Global Insecurity, explains lessons learned in keeping cargo planes moving, hotel guests protected – and possibly coffee customers better served.  

News Type: Commentary

Herbert Lin and Max Smeets wrote the following essay for Lawfare:

United States Cyber Command recently released a new “command vision” entitled “Achieve and Maintain Cyberspace Superiority.” The document seeks to provide: “a roadmap for USCYBERCOM to achieve and maintain superiority in cyberspace as we direct, synchronize, and coordinate cyberspace planning and operations to defend and advance national interests in collaboration with domestic and foreign partners.”

Taken as a whole, the document emphasizes continual and persistent engagement against malicious cyberspace actors. One could summarize the new U.S. vision using Muhammad Ali’s famous phrase: “Float like a butterfly, sting like a bee.” Cyber Command aims to move swiftly to dodge opponents’ blows while simultaneously creating and recognizing openings to strike.

Cyber Command’s new vision is noteworthy in many ways. Richard Harknett’s March Lawfare post provides more context on “what it entails and how it matters.”

The emergence of this new vision—coinciding with a new administration—recognizes that previous strategies for confronting adversaries in cyberspace have been less than successful:

[A]dversaries direct continuous operations and activities against our allies and us in campaigns short of open warfare to achieve competitive advantage and impair US interests. ... Our adversaries have exploited the velocity and volume of data and events in cyberspace to make the domain more hostile. They have raised the stakes for our nation and allies. In order to improve security and stability, we need a new approach.

Another key realization is that activities in cyberspace that do not rise to the level of armed conflict (as traditionally understood in international law) may nevertheless have strategically significant effects:

The spread of technology and communications has enabled new means of influence and coercion. Adversaries continuously operate against us below the threshold of armed conflict. In this “new normal,” our adversaries are extending their influence without resorting to physical aggression. They provoke and intimidate our citizens and enterprises without fear of legal or military consequences. They understand the constraints under which the United States chooses to operate in cyberspace, including our traditionally high threshold for response to adversary activity. They use this insight to exploit our dependencies and vulnerabilities in cyberspace and use our systems, processes, and values against us to weaken our democratic institutions and gain economic, diplomatic, and military advantages.

Although the document never says so explicitly, it clearly contemplates Cyber Command conducting many cyber activities below the threshold of armed conflict as well.

At the same time, the vision is silent on a number of important points—after all, it is a short, high-level document. In this piece, we have highlighted some of these gaps to identify critical stumbling blocks and necessary areas of research. We categorized our comments below following the basic building blocks of any good strategy: ends, ways and means.

Ends

First, Cyber Command’s objective to “gain strategic advantage” seems obviously desirable. Yet, the vision doesn’t address what that actually means and how much it will cost. Based on Harknett and Fischerkeller’s article, strategic advantage can be interpreted as changing the distribution of power in favor of the United States. (This is in line with the observation made at the start of Harknett’s Lawfare piece: The cyber activity of adversaries that takes place below the threshold of war is slowly degrading U.S. power toward rising challengers—both state and non-state actors.)

But Cyber Command needs to be clear about the consequences of seeking this objective: A United States that is more powerful in cyberspace does not necessarily mean that it is more secure. The best-case scenario following the vision is that the United States achieves the end it desires and dramatically improves the (general or cyber) distribution of power—that is, it achieves superiority through persistence.

Yet, it remains unclear what will be sacrificed in pursuit of this optimal outcome. Some argued at Cyber Command’s first symposium that strategic persistence may first worsen the situation before improving it. This presumes that goals will converge in the future; superiority in cyberspace will in the long run also lead to a more stable environment, less conflict, norms of acceptable behavior, and so on. If this win-win situation is really the intended outcome, Cyber Command needs to provide the basis for its logic in coming to this conclusion—potentially through describing scenarios and variables that lead to future change. Also helpful would be an explanation of the timeframe in which we can expect these changes.

After all, one could equally argue that a strategy of superiority through persistence comes with a set of ill-understood escalation risks about which the vision is silent (Jason Healey has made a similar point). Indeed, it is noteworthy that neither “escalate” nor “escalation” appears in the document. Fears of escalation have accounted for much of the lack of forceful response to malicious cyber activities in the past, and it can be argued that such fears have carried too much weight with policy makers—but ignoring escalation risks entirely does not seem sensible either.

Furthermore, high-end conflict is still an issue. True, the major security issue in cyberspace today is the possibility of death by a thousand cuts, and failure to respond to that issue will over time have strongly negative consequences. But this should not blind us to the fact that serious, high-profile cyber conflict remains possible, perhaps in conjunction with kinetic conflict as well. One consequence of the post-9/11 security environment has been that in emphasizing the global war on terror, the U.S. military allowed its capabilities for engaging with near-peer adversaries to atrophy. We are on a course to rebuild those capabilities today, but we should not make a similar mistake by neglecting high-end cyber threats that may have significant consequences.

Ways

The way Cyber Command aims to accomplish its goals, as noted above, is to seize the initiative, retain momentum and disrupt adversaries’ freedom of action.

Given the low signal-to-noise ratio of policy discussions about cyber deterrence over the past several years, it is reasonable and understandable that the vision tries to shift the focus of cyber strategy toward an approach that is more closely matched to the realities of today. But in being silent about deterrence, it goes too far and implies that concepts of cyber deterrence have no relevance at all to U.S. cyber policy. At the very least, some form of deterrence is still needed to address low-probability cyber threats of high consequence.

The vision acknowledges the importance of increasing the resilience of U.S. cyber assets in order to sustain strategic advantage. But the only words in the document about doing so say that Cyber Command will share “intelligence and operational leads with partners in law enforcement, homeland security (at the federal and state levels), and the Intelligence Community.” Greater U.S. cyber asset resilience will enhance our ability to bring the cyber fight to adversaries by reducing their benefits from escalating in response. And yet, the coupling between cyber defense and offense goes unmentioned.

The vision correctly notes that “cyberspace threats ... transcend geographic boundaries and are usually trans-regional in nature.” It also notes “our scrupulous regard for civil liberties and privacy.” But U.S. guarantees of civil liberties and privacy are grounded in U.S. citizenship or presence on U.S. soil. If cyber adversaries transcend geographic boundaries, how will Cyber Command engage foreign adversaries who operate on U.S. soil? The vision document is silent on this point.

Means

Of the strategy’s three dimensions, Cyber Command’s new vision is least explicit about the means required to enable and execute strategic persistence.

However, a better understanding of the available means is essential if we want to know how much the U.S. will go on the offense based on this new strategy. In theory, a strategy of persistence could be the most defensive strategy out there. Think about how Muhammad Ali famously dodged punches from his opponents: the other guy in the ring desperately punches but Ali has the upper hand and wears him out; he mentally dominates his opponent. A strategy of persistence could also be the most aggressive one. Muhammad Ali would also punch his opponents repeatedly, leaving them no opportunity to go on the offense—and sometimes being knocked out.

While the command vision has remained silent on available means, others seem to be moving in this direction and offering some examples. In a recent Foreign Affairs article, Michael Sulmeyer argues that the U.S. should ‘hack the hacker’: “It is time to target capabilities, not calculations. […] Such a campaign would aim to make every aspect of hacking much harder: because hackers often reuse computers, accounts, and infrastructure, targeting these would sabotage their capabilities or render them otherwise useless.” Such activities would indeed increase the friction that adversaries encounter while conducting hostile cyber activities against the United States—but whether that approach will result in persistent strategic advantage remains to be seen.

Also, Muhammad Ali boxed differently against different opponents—especially if he was up against taller boxers. Analogously, there might not be a one-size-fits-all solution when it comes to strategic persistence in the cyber domain. The means used to gain superiority against ISIS aren’t the same as those that are effective against China. Future research will have to list them and parse out the value of different approaches.

What Muhammad Ali was most famous for—and what remained constant throughout all of his matches—was his amazing speed. The new vision shows that the Cyber Command is well aware of the importance of speed. Operational speed and agility (each mentioned four times in the vision and central to the vision’s fourth imperative) will manifest differently against different opponents; moreover, significant government reorganization will be required to increase operational speed and agility. We should, however, watch out that these concepts do not become meaningless buzzwords: An article on the meaning of an agile cyber command would be a welcome contribution to the field.

Prioritizing

Muhammad Ali boxed 61 matches as a professional. He would not have won 56 of those fights if he had fought all of his opponents at the same time. The Cyber Command is operating in a space in which it has to seize the initiative against a large and ever-growing number of actors. In seeking to engage on so many levels against so many actors, prioritization (as discussed in the strategy) will become a top issue when implementing this new vision.

What’s not in the strategy is as important as what is. Having said that, a short 12-page document cannot be expected to address all important issues. So the gaps described above should be taken as a sampling of issues that will need to be addressed as the vision is implemented.

 

 

News Type: News

In this video, Cybersecurity Postdoctoral Fellow Jesse Sowell and Dr Irina Brass of University College London present a joint research project that looks into the options available to create more effective, responsive and dynamic security standards for the Internet of Things (IoT).

Read a summary about the project here.

News Type: Blogs

Facebook and Congress Must Create Regulations Together

Featuring Eileen Donahoe, executive director of the Global Digital Policy Incubator and Allison Berke, executive director of the Stanford Cyber Initiative. Both programs are housed at the Freeman Spogli Institute for International Studies (FSI). Written by Nicole Feldman.

For the past two days, the United States Senate and House of Representatives grilled Facebook CEO Mark Zuckerberg on everything from user privacy to platform bias to Russian interference in the 2016 elections. Though prompted by Cambridge Analytica’s improper use of user data, Zuckerberg’s testimony provided a broader platform to talk about Facebook’s role in today’s increasingly digital world and regulation for the tech industry as a whole. FSI scholars Eileen Donahoe and Allison Berke give us their top take-aways from Zuckerberg’s testimony.

 

Eileen Donahoe

 

There were two big “take-aways” from Mark Zuckerberg’s testimony before Congress this week.

Digital privacy is a form of security that matters to Facebook users and to citizens in our democracy.

The good news that came out of the hearings is that the American public and our representatives in Congress are waking up to the importance of citizens’ privacy in our democracy, as well as to the consequences of the loss of privacy for freedom and security. The Cambridge Analytica — Facebook saga has succeeded in bringing to public consciousness a significant security threat to our democracy, which until now has been relatively invisible in public debate: how failure to protect users’ digital privacy can have real world consequences for democratic processes, national security, and citizens’ liberty. Earlier un-nuanced assertions expressed by many in the technology community that “privacy is over” and users don’t care about how their data is shared, can no longer function as a dominant operating assumption. The hard reality ahead of us is how challenging it will be to protect citizens’ privacy in a context where digital platforms, tools and services are intertwined with our daily lives. The bottom line is that digital platforms now will be required to have much more nuanced conversations with their users about the tradeoffs of using free services in exchange for monetizing personal data. This will have consequences for Facebook’s business model and all freemium digital services.

Congressional hearings are not an adequate vehicle for educating legislators about how to regulate digital platforms.

The range of complex, multilayered challenges that must be tackled to optimally govern digital platforms in democracy cannot be addressed effectively through a brief set of public hearings. Many Senators and members of Congress displayed a lack of understanding of how Facebook works, which strands of the debate warrant deeper inspection, or which issues must be prioritized to protect the liberty and security of citizens on digital platforms. Representatives jumped around from one subject to the next — from political bias in restricting content on Facebook, to whether Facebook is a monopoly, to whether citizens own their data, to the efficacy of user consent to terms of service — without adequately framing any of these important subjects. In effect, the Senate and Congressional hearings themselves were shown to be poor vehicles for deepening regulators’ knowledge or helping progress toward an optimal approach to regulating Facebook or other digital platforms. Other than moving toward passage of the bipartisan Honest Ads Act sponsored by Senators Amy Klobuchar (D), Mark Warner (D), and John McCain (R), which regulates political advertising on digital platforms in the same way as on television and radio, our representatives are not yet well-prepared to regulate digital services. A different mode of engagement between government representatives and technology companies must be developed, if legislators want to help protect citizens in the digital realm, while also allowing users to continue to enjoy the benefits of digital platforms they have come to rely upon in their daily lives.

 

Allison Berke, executive director of the Stanford Cyber Initiative at FSI. Working across disciplines, the Stanford Cyber Initiative aims to understand how technology affects security, governance, and the future of work.

Mark Zuckerberg prepared for his testimony as though expecting to face hostile opposing counsel. His notes — leaked, ironically, by a press photographer when left open on his table during a bathroom break — show prepared language to address calls for his own resignation, and for compensation for users whose data was improperly shared, though these topics were not raised during questioning. Despite promising to work with legislators on regulations, Zuckerberg stopped short of proposing specific measures. Though he voiced his support of the Honest Ads Act, when asked if he would return to Washington to aid its passage, he offered someone on his team instead and noted that he “doesn’t come to Washington too often.” The implications, both that he doesn’t need to and that he doesn’t want to be involved in forming regulations, revealed a relationship between Facebook and lawmakers with distance, shading from incomprehension to distrust to antagonism, on both sides.

Many of those watching the hearings noted the Senators’ and Representatives’ clunky and repetitive lines of questioning, their difficulty choosing the precise terminology to communicate the technological gist of their inquiries, and the inability of a five-minute oral format to properly convey — and convey strictly enough to rein in a witness looking for a question’s easiest possible interpretation — the nuance in, for example, the points made by Senators Blunt and Wicker about Facebook’s cross-platform tracking between a device hosting a logged-in Facebook app and a device registered to the same user but lacking the Facebook login.

One could imagine a more collegial relationship between Facebook and Washington DC, in which representatives would have discussed their questions with Zuckerberg and his team at greater length, and perhaps behind closed doors, and could use the testimonial hearing format to place prior agreements and understandings on the record. Facebook’s apparent openness to exploring regulation should be taken as an opportunity by policymakers, both to craft regulation that may need to be complex — to cover the myriad ways in which data can be collected and mixed, and to ensure that a savvy company can’t avoid both compliance and detection — and to forge a closer relationship between the tech giant and its community representatives. That may require Zuckerberg visiting Washington a little more often, and it will also require the acquisition of more technological knowledge and expertise by legislators and their staff, which may require them to visit Silicon Valley more, too.


Views expressed here do not necessarily represent those of the Freeman Spogli Institute for International Studies or Stanford University, both of which are nonpartisan institutions.

 


The Consequences of Technological Developments for Politics and Government

Tuesday, April 24, 2018


Reception at 5:00pm. Talk from 5:30pm - 6:45pm.

RSVP required online.

The consequences of contemporary technological innovations for the lives and values of future generations are enormous. The wide range of expected – and unexpected – applications require rethinking governance arrangements, legal regimes, economic structures, and social relations. Exploration of such topics is the subject of the 2017-18 CASBS symposium series.

The first symposium, held in November 2017, focused on “AI, Automation, and Society.” Read about and view a video of that event here.

The second symposium, held in March 2018, involved “The Effects of Technology on Human Interactions.” View the event video here.

In this final installment of the 2017-18 series, CASBS presents a conversation featuring two 2017-18 CASBS fellows – Stanford professor Nate Persily, an expert on law, democracy, and the internet; and Carrie Cihak, a senior policy expert and practitioner at one of the most innovative county governments in the U.S. They will outline the challenges that recent technology-based advances pose to democracy, public policy, and governance systems. Social media platforms increasingly are viewed as vehicles for exploiting political discourse, rather than as democratizing forces. How should our institutions respond? Though modern technological innovations more easily connect people, what are the implications for issues of “digital equity,” government capacity, and regulatory frameworks? Though the positive impacts are substantial, how do we address the numerous negative impacts of the technology sector’s concentration in certain regional economies – including the San Francisco Bay Area and the greater Seattle area? These are just a few questions that will stimulate a thought-provoking discussion between the panelists and with the audience.

 


 

As Chief of Policy for King County Executive Dow Constantine, the highest ranking elected official of King County, WA, the 13th largest county in the United States, Carrie S. Cihak is responsible for identifying the highest priority policy areas and community outcomes for leadership focus and for developing and launching innovative solutions to issues that are complex, controversial and cross-sectoral. She is an architect of some of the county’s key initiatives, such as Best Starts for Kids as well as nationally-recognized work on equity and social justice. Prior to her work in Constantine’s administration, Cihak served for eight years as a senior-level analyst for the King County Council and as lead staff for the King County Board of Health. She also served as a staff economist on international trade and finance for President Clinton's Council of Economic Advisers. As a policy fellow during the 2017-18 academic year, Cihak is leading projects at CASBS and in King County that advance meaningful collaboration between academic researchers and governments. She is spearheading efforts in King County on evidence-informed decision making and is co-director of CASBS’s Impact Evaluation Design Lab, launched in March 2018. She is also using time at CASBS to explore the science and evidence-base of belonging, while working back home to help launch a cross-sector partnership called “You Belong Here,” which seeks to build civic muscle and inclusive growth in the Seattle region.


Nate Persily is the James B. McClatchy Professor of Law at Stanford Law School, with appointments in the departments of political science, communication and the Freeman Spogli Institute for International Studies. Prior to joining Stanford, Persily taught at Columbia University and the University of Pennsylvania Law School, and as a visiting professor at Harvard, NYU, Princeton, the University of Amsterdam, and the University of Melbourne. His scholarship and legal practice focus on American election law or what is sometimes called the “law of democracy,” which addresses issues such as voting rights, political parties, campaign finance, redistricting, and election administration. He has served as a special master or court-appointed expert to craft congressional or legislative districting plans for Georgia, Maryland, Connecticut, New York and, most recently, North Carolina. He also served as the Senior Research Director for the Presidential Commission on Election Administration. In addition to numerous articles (many cited by the Supreme Court) on the legal regulation of political parties, issues surrounding the census and redistricting process, voting rights, and campaign finance reform, Persily is coauthor of an election law casebook, The Law of Democracy. As a fellow at CASBS supported by the Annenberg Foundation, he is examining the impact of changing technology on political communication, campaigns, and election administration. In 2016, he received an Andrew Carnegie Fellowship to pursue this work. Persily also co-directs the Stanford Project on Democracy and the Internet.

 

*There will be valet parking at the event.

Center for Advanced Study in the Behavioral Sciences at Stanford University
75 Alta Road
Stanford, CA 94305

Nate Persily, The James B. McClatchy Professor of Law, Stanford Law School
Carrie Cihak, Chief of Policy for King County Executive Dow Constantine, King County, Washington
Lectures
Authors: Andrew Grotto
News Type: News

On March 7, 2018, CISAC scholar and Hoover Institution Research Fellow Andrew Grotto testified before a bicameral hearing of the California Legislature on “Cybersecurity and California Elections.” Grotto emphasized the importance of upholding the public's confidence in our electoral infrastructure, and highlighted the need for California's state and county election professionals to implement cybersecurity best practices. 

He urged that they practice their incident response and communications plans in order to ensure they are prepared for contingencies during the 2018 election cycle, in light of threats emanating from Russia and elsewhere. 

He also reminded the hearing that campaigns and elected officials are vital components of our nation's electoral infrastructure, and that they too have a responsibility for upholding the public's confidence in our democracy. He emphasized the need for candidates to be vigilant and not allow their campaigns to become unwitting amplifiers of Russian disinformation efforts. The full testimony is available here.
