VS Subrahmanian: Welcome to what is the first
of, I hope, many events jointly sponsored
by ISTS, the Institute for Security Technology
and Society and the Dickey Center.
I'm VS Subrahmanian, the director of ISTS,
and it's my very great pleasure and honor
to introduce today Samantha Ravich, who I've
known for several years.
Samantha is the head of the Transformative
Cyber Innovation Lab at the Foundation for
the Defense of Democracy in Washington DC.
But this was just one of many very distinguished
hats she currently wears and has worn during
her distinguished career.
She served as deputy national security advisor
to former Vice President, Dick Cheney.
She currently serves as vice chair of the
president's intelligence advisory board.
She has, I think, seen a wide range of threats
over the years, ranging from al Qaeda, ISIS
and now increasingly, cyber threats.
Without further ado, I'll turn the floor over
to Samantha.
Welcome.
Samantha Ravich: Thank you, thank you, thank
you.
It really is a pleasure to be here.
And it's beautiful, I don't know if you noticed.
The sun is shining, the campus looks magnificent.
It's been raining way too much down in DC,
but thank you very much for getting this beautiful
day for me.
I really appreciate it.
Before I start, obviously, I want to make
clear, these are my personal comments from
the research that I do at the think tank that
I'm associated with.
It has nothing to do with PIAB.
But I thought I would use a part of my time
here today to talk about the research that
my team and I have been conducting over the
past few years on cyber enabled economic warfare.
And some of our findings and where we are
now putting our efforts, which get to the
Transformative Cyber Innovation Lab.
And then I really do hope that we can have
a robust discussion and Q&A because I want
to hear which parts of what I was talking
about actually are interesting and may spur
other lines of research.
Samantha Ravich: And also let me add, although
it is 4:35, so typically when they asked me
to speak, they asked me to speak directly
before cocktail hour because typically the
things that I work on a CT, counterproliferation,
cyber threats, most people need a drink right
after I finish.
I tend to leave audiences in the past, despondent
and hopeless.
You'll feel some of that, but I think where
we're really trying to focus some of the research
now is, is there a pathway towards hope?
And are there things that can be done that,
if they will not completely eliminate the threat,
can still happen?
What parts of it can we try to mitigate?
Let me start.
Since 2015, my team at the Foundation for
the Defense of Democracies and the Center
for Sanctions and Illicit Finance and I have
been engaged in researching, writing and briefing
on cyber enabled economic warfare.
Samantha Ravich: What is that?
What is cyber enabled economic warfare?
In brief, it refers to a hostile strategy
involving attacks against a nation using cyber
means.
Those attacks focus on undermining key elements
of an economy in order to weaken the country
militarily and strategically or politically.
It is not just about stealing IP to give a
country a market advantage or for criminals
to steal money for whatever they want to use
it.
But it is particularly going after an economy
in order to weaken that country strategically,
militarily, politically.
And what we are doing is not only creating
a taxonomy of the cyber enabled economic warfare
attacks to be used for academic purposes or
theoretical purposes, but also given that
we're in DC and we're at a think tank, we
really have been working to create a way to
explain what is going on to hopefully open
the eyes of some folks in the government that
may be able to do more about this, and in
the private sector.
Samantha Ravich: So that they see what we're
seeing, which is that there are potentially
campaign plans underway in adversarial state
and non-state actors, again, to weaken our
economy in order to weaken us politically
or strategically.
At first, when we started this back in 2015,
we really had a difficult time getting some
in the government and in the private sector
to see behind what they would see as ad
hoc attacks happening across our economy.
And it was crazy because we even had trouble
getting people in the banking sector, for
instance, to understand this even after 2011
and 2013 when J.P. Morgan, Wells Fargo, American
Express were all attacked by now we know,
out in the open, a hostile foreign actor even
after the 2016 indictments of seven Iranian
hackers tied back to the Iranian government
for those attacks.
Samantha Ravich: Even after it became clear
that the attacks upon our banking sector were
not, as I said, to simply steal money, but
most probably to lay the groundwork for getting
into our banking system as payback for increased
sanctions on Iranian financial entities.
There seemed in some quarters to be an unwillingness
to fully believe or understand that an adversary
was embarking upon a strategic campaign plan
to harm our private sector, our ability to
move money, to create value, to innovate.
There was a campaign plan to undermine those
things with an ulterior motive, as I said,
that goes well beyond the simple stealing
of money.
It's hard, and it's ironic in some ways that
we had such a difficult time breaking through
to get people to understand that this could
be happening.
And I say it's ironic because our country
has been very good at it in the past.
In fact, soon after we were born as a nation,
we went after the economic wherewithal of
Britain, we went after the economic wherewithal
of Japan and Germany during World War II.
Samantha Ravich: And there's evidence to suggest
that us going after the economic wherewithal
of the Soviet Union is what led to a collapse.
And of course, more recently, with our sanctions
regimes, we've been going after North Korea
and Iran.
The idea that others would think likewise,
but with new tools, it seemed obvious to us,
but not obvious to those that we were talking
about.
But again, since people in glass houses should
definitely not throw stones, I didn't consider
how an adversary could use economic warfare,
let alone cyber enabled economic warfare against
us.
When I was in the White House helping to craft
those economic sanctions against North Korea
and Iran, we'd sit in, and Dan will know this,
well, we'd sit in the situation room and we'd
be thinking about what can we do to constrain
North Korea's nuclear weapons program.
Let's go after Banco Delta Asia, how they
move their money or let's constrain Iran by
kicking them out of SWIFT.
Samantha Ravich: And think about, we'd sit
there and we think about, well, how could
they harm us in response?
North Korea, we'd think about they could set
off another missile and over time test another
nuclear weapon?
With Iran, we would think they could go after
our soldiers in Afghanistan or in Iraq.
But we, I, maybe you guys were smarter, never
contemplated how they, Iran and North Korea
in this instance could go after our economy.
It was ridiculous to even think that.
North Korea has a GDP per capita of $1,300.
What could they possibly do against the largest
economy in the world?
Well, back in 2006 and 2007, not really nothing.
But I think, and something I want you all
to take away is that golden age when we could
take actions against other economies and not
suffer likewise is coming to a close.
Because the use of cyber has given nation
states and some non nation states the ability
to punch far and far above their weight.
Samantha Ravich: Let me discuss a few of the
more recent examples of what we term cyber
enabled economic warfare.
I think one of the earliest attacks that really
opened my eyes is what is now called Dark
Seoul.
It happened in 2013 in South Korea, and the
attacker was no surprise, North Korea.
And I think we can still learn a lot from
this attack.
We can learn lessons that we just need to
learn and maybe aren't.
At the time of the attack, I was the co-chair
of a congressionally mandated commission called
the National Commission for the Review of
Research and Development in the US intelligence
community.
As Dark Seoul was unwinding, it got me thinking
too, what do we have in our own arsenal to
understand what's going on, to defend and
deter such an attack if it came at us?
Anyway, in broad brush strokes, in April of
2013, between 45,000 and 50,000 computers
in South Korea's media and financial services
sectors were rendered inoperable by North
Korean malware.
Samantha Ravich: Across South Korea, people
were trying to get money out of their ATMs
for diapers, for food, medicines.
And they couldn't because their ATM screens
were dark.
They check their bank balances, nothing.
They log on mobile devices, nothing.
The Dark Seoul attacks cost an estimated $800
million to South Korean firms and citizens.
Think about the panic and havoc that would
be created here if our ATMs were shut down
and we couldn't get our money.
And then the media that we would turn to to
tell us what the heck's going on was also
dark and knocked out so we wouldn't know what
was going on and we couldn't get our money.
The main purpose of the Dark Seoul attacks
appears not to be about the money, but rather
to hone Pyongyang's capability to undercut
South Korea's ability to function in the midst
of a northern offensive.
Tellingly Pyongyang launched its cyber strike
in the midst of a major joint exercise between
the United States and South Korea.
Samantha Ravich: Before I turn to attacks
on US entities, I want to briefly describe
another cyber enabled economic warfare attack
this time also against South Korea, but this
time the aggressor was not North Korea, but
China.
And I think it will give you an even richer
flavor about how attacks on economic targets
are and can be used to shift a government's
policies.
In the beginning of 2017, the South Korean
company, Lotte Corporation, which employs
over 60,000 people and owns businesses in
everything from candy to construction, to
chemicals, agreed to sell to the South Korean
government property to house a US anti-ballistic
missile defense system to counter the North
Korean missile threat.
China has long opposed the deployment of US
missile defense systems on the Korean Peninsula
citing national security concerns.
Within days of the announcement of the sale,
the website of one of Lotte's prime units
was taken down in a DDoS attack emanating
from China.
Simultaneously with the cyber attack, the
Chinese government closed nearly half of Lotte's
112 stores on mainland China citing safety
problems.
Samantha Ravich: The Chinese state press blanketed
the media with editorials urging boycotts
and said that Lotte was an accomplice in efforts
to undermine China.
Stock shares of the Lotte shopping corporation
fell as much as 7.8% as a result, resulting
in $400 million of losses to shareholder value.
Lotte was forced to sell its Chinese-based
assets at a fraction of what the company invested
to construct them.
I imagine that other large foreign companies
operating in China from that point on will
think twice about assisting their national
governments against Beijing's wishes.
To recap, a private South Korean company sold
land to their own government to use to help
to protect their own citizens and China punished
the company through cyber and other means,
costing the company tens, if not hundreds,
of millions of dollars.
Postscript, the missile defense system, the
one did go ahead, but it's surrounded by protestors
night and day, Korean protestors and forcing
US and Korean soldiers to be resupplied by
helicopter.
Samantha Ravich: By China's standards, the
strong arming of Lotte was child's play.
I really think something that they could do
before breakfast.
But let me underscore for you, China's breadth
and depth of their attacks across the western
economic landscape is breathtaking.
I'll get back to that in a minute.
But another cyber enabled economic warfare
attack conducted by a different state actor
had more profound effects on the US homeland
last year.
In June of 2017, a computer virus you're all
familiar with, I'm sure, NotPetya, spread
around the world, wiped data from computers
of banks, energy firms, senior government
officials and an airport, developed by Russia,
mostly focused on Ukraine to get Ukraine to
capitulate to Russian strategic demands.
But the virus hopscotched the globe, landed
on a number of US based and US companies.
The shipping giant Maersk reported a total
cost of dealing with the virus at between
200 and $300 million.
Samantha Ravich: FedEx reported spending roughly
$400 billion in remediation and related expenses.
Pharmaceutical manufacturer, Merck reported
$670 million in losses when NotPetya temporarily
disrupted the company's manufacturing, research
and sales operations.
Total worldwide losses are estimated to be
$10 billion.
While NotPetya, it does not appear, was purposefully
aimed to strike companies like Merck or Maersk
or FedEx, aimed as it was at Ukraine, it has
rung a bell on what a global cyber enabled
economic warfare attack could look like.
One nation targeting the economic and critical
infrastructure of an adversary to get them
to change policies or even to destabilize
that government.
And it forces other nations to join the fray,
either because an ally had been attacked or
they were just unwitting participants, just
fell on them.
In some ways, think about how this can really
ramp up and think about this potentially as
the modern day assassination of Archduke Ferdinand
in another eastern European country, triggering
a series of events that led to World War I.
Samantha Ravich: We at the project on cyber
enabled economic warfare have not only been
studying these attacks themselves but analyzing
what are the motives and the strategies behind
these attacks by our most dangerous adversaries.
What is the cyber enabled economic warfare
strategy of Moscow or Beijing, Pyongyang,
Tehran?
How are their decision making and operational
elements organized to undertake these attacks?
What are the levels of resources they are
putting to these capabilities?
What is their escalatory ladder?
These are the types of questions we want to
ask and help answer on cyber.
And we focus on cyber enabled economic warfare
because we believe that the American economy
is the greatest source of American strength.
We are only the number one military in the
world because we are the number one economy
in the world, and so undermine our economy
and you undermine what makes America powerful.
Samantha Ravich: What we are learning, North
Korea employs its cyber capabilities to achieve
a wide range of objectives with South Korea
being its prime but not its only target.
South Korea suffers as many as 1.5 million
attempted cyber intrusions from North Korean
hackers every day.
North Korea is a learning organization.
It observes best practices and incorporates
them into its arsenal, which is again why
I go back, I don't think we spend enough time
in the US government maybe in academia as
well, focused on what's going on in South
Korea.
Because North Korea is resourceful, and just
like they were able to build a world class
nuclear arsenal even though their citizens
eat tree bark, they have created a world class
cyber capability.
Iran's interest in cyber changed significantly
after the discovery of Stuxnet.
Iran's annual cyber budget prior to 2011 averaged
three-quarters of a billion dollars.
It's been growing by leaps and bounds ever
since.
Samantha Ravich: Iran has conducted a number
of very highly specific and very high profile
cyber enabled economic warfare attacks, the
most famous being the two Shamoon attacks against
Saudi Arabia.
You may have heard of them, but again, a lot
to learn from these attacks.
The first destroyed data on 35,000
computers at Saudi Aramco in 2012.
Now, again, Saudi Aramco, the economic element
that drives the power of Saudi Arabia.
You want to go after the kingdom, you want
to go after the way they do policy, go after
their economic engine, Saudi Aramco.
Now, the attack in 2012 led to every Aramco
office anywhere in the world physically unplugging
itself from the internet.
It's unbelievable to even consider.
Although oil production did remain steady,
shipping, contracts, supply orders, everything
that went over network systems or the internet
was basically gone.
Up until NotPetya, Shamoon was probably the
most destructive attack upon the private sector.
Samantha Ravich: And then there's Russia.
As one of our researchers, Boris Zilberman,
wrote in a new monograph that we have published
on the FDD website on Russian cyber enabled
economic warfare, Kaspersky Lab, the Russian
antivirus company you might be familiar with,
built by Eugene and Natalia Kaspersky, provides
one of the best examples of how technical
knowhow, market foresight and government cooperation
can produce not only a global tech giant,
but also a serious national security threat.
The Kasperskys were engineers for the KGB.
Eugene even graduated from the Technical Faculty
of the KGB Higher School.
Within a few years after the fall of the Soviet
Union, both Eugene and Natalia joined the
private sector building an international antivirus
software company, keeping their connections
and relations with the Russian government.
Samantha Ravich: The same antivirus protocols
that make Kaspersky antivirus a highly effective
malware detector allowed Russian authorities
to use the antivirus product to search and
retrieve materials.
How perfect, how perfect?
The Russian government helps build an IT company,
which markets itself all around the world, specifically
also very highly focused in Washington and
other parts around the United States.
They sell their software at a good price,
it's good software, to government, companies,
private individuals around the world.
It has the ability to phone home information
about systems, vulnerabilities, individuals,
your name.
It was a very good thing, although very long
overdue when the Department of Homeland Security
in 2017 required all Kaspersky software to
be removed from government systems.
Samantha Ravich: China poses a multi-vector
threat to the United States regarding cyber.
Every year, Chinese intellectual property theft
costs the US economy over $300 billion,
probably an understatement.
Most cyber incidents go unreported.
Many companies either do not know or do not
want to admit to the losses.
And of course, stealing proprietary technology
and early stage ideas allows China to unfairly
tap into the innovation of our free societies
and weaken our businesses and our economy
in the longer term.
And China appears to understand very well
that advantaging Chinese enterprises at the
expense of the US degrades US national security.
Senator Cornyn is absolutely right when he
said that China is using private sector
investments to pilfer American technology,
that China has weaponized its investments
in America in order to vacuum up US industrial
capabilities from American companies.
Samantha Ravich: That goal he added is to
turn our own technology and knowhow against
us in an effort to erase our national security
advantage.
Where do we go from here?
Well, our team continues to research, better
understand the cyber enabled economic warfare
strategies of our adversaries, help ensure
that both our government and our private sector
are properly positioned to prevail on this
battlefield.
Because unlike earlier conflicts where American
citizens and American businesses could look
at the fight over there, surrounded as we
were on two sides by water.
In this battle space, American citizens and
American companies are the front
lines in the fight.
We agitate for better policies.
Now, at this point you're going, where's the
hopeful part?
I know, this is where I usually pause and
I see people wondering, when does it get hopeful?
Samantha Ravich: We do agitate for better
policies to make real forward, better forward
movement in protecting our economic base from
hostile adversaries using cyber means to undermine
us.
But we have to move faster because in this
day and age of data and technological advances
happening at the speed of light, we have to
change the way we face those challenges.
We have to be willing to rapidly prototype
new tools and capabilities and refuse to fall
into the trap that there has to be an answer
to everything before we adopt it.
And in this battle space, we have to move
forward with having the answers to some
things.
If we wait to find a unifying theory, we're
going to be dead in the water.
To that point, we launched a nonprofit called
the Transformative Cyber Innovation Lab funded
through the generosity of a number of American
philanthropies.
Samantha Ravich: And our mission is to help
drive society-wide improvement in cyber resilience
through the innovative synthesis of technology,
policy and governance.
These philanthropists came forward and they
said, "Hey, love the work you're doing focused
on what the adversary is and the strategy,
and all that good stuff.
But can you make a difference and try to close
the gaps?"
We're not a technology company, we're small,
we're in DC.
What could be our value add?
And we realized that our value add is this:
we understand, we can understand and are understanding,
where there are cyber gaps and vulnerabilities
that exist both in the government and in the
private sector for which there are existing
technologies.
We're not a technology firm, we're not inventing.
Existing technologies that could help close
some of those gaps and vulnerabilities.
Second basket, but third basket, there are
human elements that are preventing the transition
of good technologies to help close the gaps
of cyber vulnerabilities.
Samantha Ravich: Human elements like we don't
understand that technology, we've never heard
of that technology.
We're afraid of liability if we try it in
the government, we don't have the authorities,
title 10, title 50, all the different titles.
We need legislation, we need new resources.
Those are human elements, those aren't the
technological piece.
That is where we spend our time.
I'll give you two very quick examples of what
we're doing and then we can move on to discussion.
The first is, for those of you who have ever
taken a look at the defense supply chain,
it's terrifying.
Malware or malicious code, counterfeit
stuff, has been inserted all over the defense
supply chain.
We think that distributed ledgers are very
interesting to give some transparency to it.
It's not a groundbreaking theory.
Samantha Ravich: But oddly enough, there haven't
been very many, if any, prototypes, real
world use of distributed ledgers to buy things
within defense acquisition.
Why?
Oh, my God, you have to change defense acquisition.
People are afraid to try it.
All of the things that you always hear.
We got agreement from the Countering Terrorism
Technical Support Office to prototype with
us that we would use Microsoft blockchain
and we would do the very simple, simple, almost
a cartoon.
The government office contracts a prime, the
prime contracts with us.
We write two lines of code, hello world, doesn't
do anything.
Put it on a blockchain, have it go from us
to the prime to the government, back and forth.
It's simple, people can see what it is.
And we start to break down [world 00:27:26],
"Oh, that's what you're talking about.
Oh, that gives us insight.
Oh, we can move things very quickly.
We can pay contractors.
They don't have to wait 180 days.
Huh, that's interesting."
Samantha Ravich: Just showing that something
can work in a safe environment, they don't
have to eat the whole cow, they can just take
a little bite and see that it works has been
able to move things in the massive bureaucracy
of the Pentagon.
There are others, and we can get to other
great examples later maybe during the Q&A.
But I just want to say that as our lab grows,
we look forward to working on more real world
problems and helping to solve them bit by
bit with real world solutions.
Again, it's a lot, it's a big scary topic.
But I think there is hope and there are ways
to help secure our economic future, which
is our national security future.
We have to be willing to move quickly and
as I say, just do it.
Thank you very much.
VS Subrahmanian: [inaudible 00:28:41] over
here.
Daniel Benjamin: I'm Dan Benjamin, and I'm
the director of the Dickey Center.
And now we will do the part of the show that
is a little bit Johnny Carson to Cavett.
You can choose which one.
And we'll have a few questions with Samantha.
I want to begin by thanking her for a terrific
talk that scared the hell out of me again.
And then we'll open it up to the crowd.
So many issues.
The mantra or the, I don't know if it's the
mantra or the blanket excuse in the government
for a long time going all the way back into
the 90s to date [myself 00:29:42] was the
problem with cyber was that all the important
stuff was in the private sector and the private
sector was slow to come to the realization
that they actually had responsibility in this
area.
And I was wondering if after all of these
big hacks you think that is changing or did
the hacks have the opposite effect and make
CEOs say, "Goddammit, I need a secure environment
to work in.
It's all your fault, government."
Who can we point the finger at here?
Samantha Ravich: Yeah, right, right.
There's a few strands there.
First of all, companies are spending lots
of money on cyber security, but they're angry
because there is at this point in time, but
maybe smart people will create it.
There's no way to measure return on investment
for these hundreds of millions of dollars
that some companies are spending.
They're doing it just so that, the old joke,
if you're in the woods and a bear is coming
up, you don't have to run faster than the
bear, you just have to run faster than your
friend.
And that's what's happening in terms of cybersecurity
investment, they just want to say, "Well,
we," so that when they are breached and when
there's a massive exposure of their data,
they can say, "Well, we spent the money,"
but it's not really about securing their data.
Samantha Ravich: It literally is just about
running faster than their friend.
They are doing something but they're not happy
about it, which gets to, okay, now what, what
can they get happy about?
I speak to a lot of corporate boards, and
oftentimes at the end of my remarks or during
the Q&A, I say, "I honestly don't know why
you guys aren't marching on Washington."
First of all, everyone marches on Washington.
It's like a thing to do these days.
I said, "But you corporate leaders, it is
not your responsibility to thwart an attack
from a nation state.
That is the responsibility of the US government
to thwart an attack from a nation state."
I guess long winded answer is I actually lean
towards the company side of this now, granted
there's a lot they need to do and should be
doing on cyber hygiene.
I mean, don't be stupid, lock the doors, do
your patches.
I mean, honestly.
Samantha Ravich: But when it comes to an attack
by a nation state on our economic wherewithal,
it's the responsibility of the US government.
Well, we pay taxes for ... Well, not in New
Hampshire, you guys don't.
Daniel Benjamin: They pay taxes, people in
New Hampshire do pay taxes.
Samantha Ravich: I know, they're so lucky,
I love that.
Oh, my God, it's so excellent.
Daniel Benjamin: If I can follow up and then
I'll just pass it off to VS.
I think that's a great answer because certainly
in the early days most people were concerned
about cyber crime and not so much about the
state attack.
The big question mark here, that is, what
role does cyber offense play in terms of cyber
defense?
I'm not on?
Oh, I thought I was on.
What role does cyber offense play in terms
of cyber defense?
And that of course is the purview of the government
at least so far.
Samantha Ravich: Yeah.
It is a very hot and heated debate about this
going on right now in Washington, there's
been a couple.
White House just released a cyber strategy.
DOD just released a new cyber strategy, and
The Hill in last year or this most recent
NDAA, the National Defense Authorization Act
created a cyber solarium commission to also
kind of think through these weighty issues.
But I'll tell you, the big contours, two of
the contours of the debate, some believe that
you can deter in cyberspace.
You can deter a China or Russia, Iran, Pyongyang,
not necessarily through cyber means, deterring
them.
But yes, that is part of an arsenal.
But you can deter them through lots of different
ways using all elements of national power,
punish them economically, kick them out of
organizations, whatever, but you can deter
them.
Samantha Ravich: There is another theory that
I think is really taking hold in places like
Cyber Command.
And that is called persistence.
And kind of the rules on persistence versus
deterrence, deterrence suggests that we will
deter an event from happening or an event
from escalating.
Persistence is, now, we're already in the
middle of it.
The time for deterrence has long passed, that
horse is out of the barn, it's going on.
We are in the middle of a cyber war.
For persistence, what is now the game is where
are the boundaries?
Think about any war that's ever happened in
history.
You're over there, I'm over here.
You're incurring on my territory, I'm pushing
you back and I'm incurring into your territory.
And we're trying to figure out where the border
is.
And eventually with you attacking me and me
pushing back, we figure out it's this table
is the boundary.
Samantha Ravich: But we're not there in cyber
yet.
The idea of persistence is we need to be actively
engaged offensively pushing you back.
You're going to incur, I'm going to push you
back until this border is established.
And then we can start to talk about norms.
But we can't talk about norms until we actually
have a reason to believe that this is the
border.
And that will happen through engaged offensive
wars, what's the new term of war, defend forward.
It's an odd term.
Daniel Benjamin: You could call it a euphemism.
Samantha Ravich: Yeah.
But if I could say one last point on the offensive
side, when I talk about to these companies,
there's always somebody at one of these big
companies, why can't we have a cyber stand
your ground law?
Especially when I talk about, I live in the
south, especially when I talked to companies
in the south.
Someone comes into my house or maybe New Hampshire
too, I don't know.
But I have a gun, they're going to feel it.
Why, if they come into my company, can't I, like,
chase them out and shoot them?
I'm like, "Well, you can't actually even do
that in a stand your ground scenario.
And you can't chase them down to the next
street and shoot them."
Samantha Ravich: But in the event that this
starts to happen and companies start to try
to take matters into their own hands, especially
as it regards a nation state, I think that
the US government better quickly start enforcing
the Logan Act.
And that's that private citizens and companies
can't actually create and operationalize their
own foreign policy.
That is a world that is not a good one for
us.
I would hope that there will be swift action
to kind of shut that down.
VS Subrahmanian: Samantha, I was not going
to bring up cyber offense, but Dan gave me
a lead in.
So let me follow up.
In standard military parlance, we do intelligence
preparation of the battlefield, the traditional
battlefield, which amongst other things includes
imposing or insinuating intelligence assets
onto the battlefield, prepositioning assets
to carry out operations.
In the cyber setting, we have reports, for
example, in the Washington Post about a year
back about the Dutch intelligence agency,
AIVD, penetrating the Russian operation that
carried out the attack on the US election
a couple of years back.
I don't know if that report is true or not,
but if it is, they apparently, according to
the report, had compromised everything
from the security cameras to the screens of
the Russian operators carrying out the DNC
hack.
VS Subrahmanian: And while I'm not from the
south of America, I'm originally from the
south of India, it's a good place with slightly
different rules.
It strikes me that having those kinds of assets
in place is never a bad thing.
And when a company such as a J.P. Morgan or
someone else is attacked in the sense that
there's a low grade attack carried out once,
another low grade attack carried out later
so that the collective set of attacks forms
a consistent and substantial campaign, having
those kinds of eyes on the ground would be
really useful.
And I sort of sympathize with some of the
companies which are the targets of this.
As a country, how do you think we should think
about policies around us that enable companies
to at least detect where the attacks are coming
back from without taking any further offensive
action or should this be handled over to the
FBI?
What are the protocols?
Samantha Ravich: Well, I mean, clearly on
their own systems, they have a lot of flexibility
and a lot of ability.
And when they're worldwide international actors
companies like J.P. Morgan Chase or others.
In some ways, they have better insight into
what's going on and data than the US government
has.
There certainly is flexibility on that.
It's when they hop off of chase someone past
their networks that it really becomes a problem.
In terms of, well, should they call the FBI?
I'm not sure even the latest series of cyber
strategies that have come out answer the question
that, when Dan was in, we didn't answer it,
when I was in, we didn't answer it, which
is really the clear lines of who you're going
to call.
Samantha Ravich: Again, when I advise companies,
I say, "Look, get to know your field office
for the FBI because it probably is a call
you want to make.
And you certainly want to make a call to them
before they make a call to you."
However, they're interested in solving crimes.
They're not the people, most likely that are
going to give you a heads up if something
is headed your way.
They're the people that you call after it's
broken into your house.
They're not also going to be the people that
help mitigate.
On the front hand, it's other intelligence
agencies that have the large caches of data
to understand what's coming at who, on the
back end, maybe DHS to help with the mitigation.
Samantha Ravich: But that's a lot to ask of
a company.
Again, I really do.
My heart goes out to the private sector because,
first of all, US government, tell me what
is a good thing I'm supposed to use?
Is it this vendor?
Is it that vendor.
Tell me why isn't like a vaccine?
I don't go and figure out which flu vaccine
I'm supposed to get, I'm not an immunologist.
I trust that the government has figured it
out, and then I go get the flu vaccine.
I don't know how companies are supposed to
really be able to tell which one is supposed
to.
But then after the fact, who are you supposed
to call?
You call the FBI for this, you call DHS for
that.
Samantha Ravich: If you're one of the 16 largest
banks in the country, then you have special
permission through an entity called FSARC
that works very closely with the intelligence
community.
But if you're, I don't know what your local
bank is here, but if you're that local bank,
you're not getting into that sweet spot.
There's really not the 911 that you can call
and then figures out for you as a citizen
or an American company what to do.
I don't know, I'm still frustrated.
Daniel Benjamin: Isn't DHS actually the entity
that's supposed to be issuing warnings of-
Samantha Ravich: They issue general, they
don't issue specific.
Daniel Benjamin: Yeah, that's helpful.
Samantha Ravich: Right, that's right.
Daniel Benjamin: If we were having this conversation
15 years ago I'd say, I think most people
would be asking about the terrorist threat
to the internet.
And I think the conventional wisdom right
now is that terrorists, I think maybe it was
the conventional wisdom five or six years
ago, and I hope it's still a conventional
wisdom.
That some groups are up for vandalism and
sort of small scale attacks that the terrorists'
exploitation and the internet is most dangerous
when it comes to recruitment and radicalization.
But the terrorists haven't shown any great
capacities in this area.
Do you still agree with that assessment?
Samantha Ravich: I do with this one caveat.
I do because defenses have gotten a lot better.
It's hard, it's not really easy to get into
the grid, although we kind of mock that.
It isn't.
Clearly, certain nation states have risen
to the fore on this.
Yes, in general, I think you're right.
Here's my concern, because I always have to
have a concern, but we're getting close to
cocktail hour.
Is that as forensics and accountability become
ever better, which they are, that certain
nation states may decide to have proxies,
they'll give the proxy their capability and
then it's not really Iran, it's Hezbollah
or it's somebody who, whatever, can be set
up.
Daniel Benjamin: That true, but we're usually
pretty good at getting to the proxies too.
Samantha Ravich: I think so, but I mean, it's
just [works 00:44:51].
I think that that's right, and hopefully it'll
stay that way.
VS Subrahmanian: Let me turn the conversation
to some of the comments about Kaspersky Lab
because to me the Kaspersky Lab scenario poses
a much greater threat than what we've seen
so far.
Most of you who've installed any kind of software
on your machine, whether it's your phone or
whether it's your laptop or some other device
that's connected will see that your software
is periodically reaching back to some server
somewhere.
It's not just the Kasperskys of the world,
but software developed in many, many countries
around the world.
Down the road, if those companies are either
based in countries that are hostile to the
interests of the US or if those companies
are controlled by or substantially influenced
by entities in such hostile countries, then
we run the risk that there will not be one
Kaspersky lab or two, but potentially thousands.
How should we think about this potential threat?
I'm sorry, I know I planned to ... Samantha
says, try not to scare you-
Daniel Benjamin: You are a buzz killer.
Samantha Ravich: I have to think about how
we think about the broad category.
But on the specifics, we knew that Kaspersky
was bad years before we kicked them out of
the government system or told the American
people.
And again, that's kind of unconscionable.
Even before we get to your question, which
is much more expansive, I think that, and
I don't know whether the eyes have been opened.
I mean, what was I reading, Canada is still
embracing [walway 00:46:47], really?
That's worrisome.
But there's another company, a little bit
different called the Speech Technology Center
also grew out of KGB Acoustics.
They do things like audio and recording devices
and lots of things on that front have been
working here in the US for years with US law
enforcement.
Samantha Ravich: Interestingly enough, this
is a company that's also had a lot of presence
in Cuba, which makes you wonder about the
acoustic problems going on with our diplomats.
But again, we in America come from a basis
that the private sector is private.
Yes, we regulate certain industries, but it's
not baked into our DNA that the private sector
is truly just an arm of the government.
I think sometimes it's hard for us really
to kind of take at first basis that a lot
of these companies in hostile nations are
set up by their governments, are owned by
their governments, really don't have the freedom
to make the decisions that our companies do.
Daniel Benjamin: We should open it up, question.
Great.
I'm just going to start right here if I could.
Can you wait for the mic, otherwise your question
will be lost in history.
Speaker 4: A central focus of your speech
was on attacks on private US companies.
I was just curious if you could speak a little
bit to kind of focus on maybe the infrastructure.
What comes to the top of my mind is our energy
networks, telecoms, communications, food,
transportation.
If you take these out, the scale is much greater
in magnitude.
Is it just that they're attacking private
companies because there's an easier backdoor
to get into?
Samantha Ravich: It's both.
We were trying to focus on the broader swath
of the American economy.
But that is certainly not to say that those
other components aren't being held at risk,
we see that they are.
The recent reports of what's going on the
grid, it's in the open press, really worrisome.
Gets back to what I was saying the American
people need to be learning about what happened
in Ukraine.
The grid went down there, it went dark in
winter.
There are a lot of hard questions that we
have to ask ourselves both to protect.
What should be done in terms of making it
harder for people to go after parts of the
grid?
And there are things.
From the Transformative Cyber Innovation Lab,
we recruited the former chief engineer at
DISA, the guys that do all the defense networks.
Samantha Ravich: Our government is a truly
wonderful place.
They have created ways to harden their systems
and harden their own defense on DOD owned
energy grid because they do have some on their
bases and other places.
They created certain protocols that hardened
them.
We post other agencies, specifically DOE,
found they didn't know anything about them.
They didn't know anything about these protocols
that were tried and true and have actually
been in place in DOD for the last decade.
From our little perch, we are now trying to
open the aperture at DOE and saying, "Hey,
just let us go talk to the grid operators
about what we learned at DOD to help harden.
And you too can take advantage of certain
of these protocols.
But it is not to say that we don't have risk
and we aren't being held in harm's way in
those other sectors.
VS Subrahmanian: It's one of those great only
in America stories, right?
Speaker 5: First of all, thank you very much
for everything you've said.
I want to maybe offer a challenge or something
that you said and hear your thoughts on it.
When you were talking about the relationship
between the FBI and private companies, you
mentioned that the FBI is really the entity
that is interested in investigating crimes.
They're going to come after something terrible
has happened and they're not really going
to be the entity warning you that something's
on its way.
In the physical world, if the FBI were to
get a bomb threat, have evidence that a nation
state was planning a physical attack on a
company.
Maybe I'm influenced too much by Hollywood,
but my expectation would be that they would
warn that company, that they actually would
have that responsibility.
Do you think the same does, should apply to
cyber attacks?
Samantha Ravich: Yeah, potentially.
The kind of fly in the ointment on that is
who would hold the data that would warn of
an attack?
Another great thing about the US government
is different agencies own different data.
If it came from certain places and ways, the
national security agency would own that data
as to a risk on a certain place, a certain
type of entity, most likely wouldn't be sharing
with the FBI for lots of reasons about how
big and unwieldy the US government is.
But in theory, yeah, I totally agree with
where you are.
Look, I understand that there's always a tension
between stopping a crime and stopping the
network that operates behind the crime.
There's always a tension.
Samantha Ravich: If I know somebody's going
to come after you, I want to warn you.
But if I warn you, maybe I can get the network
that was going to harm you and everybody else
in this room.
So there's a tension on that.
But again, again, I think that the US government
has to be pressed to do more to protect the
private sector in this environment.
And a great example of this or a great kind
of underscore of this, DHS is there to protect
.gov.
They were given the mandate, thou shall protect
the systems of .gov.
Cyber command was given the mandate, thou
shall protect the systems of .mil.
There is no authorizing legislation that dictates
to an agency, thou shall protect .com.
The US government spends a lot of its efforts
focused on itself and not what really I think
is the basis and background of the power that
is in the US government stems from the private
sector and the citizens not the other way.
Daniel Benjamin: [inaudible 00:54:28] to you.
VS Subrahmanian: Yeah, I was just about to
mention that.
Samantha Ravich: Always first.
Daniel Benjamin: Okay, more questions.
It's you.
Speaker 6: All right.
I'm interested in the tension that you described
in public opinion.
You talk about how people are despondent and
overwhelmed and at the same time, reluctant
to believe that it's actually a thing.
And I was wondering how this played into government
response or under provision of security.
What efforts are there to educate or mobilize
public and even in global public opinion?
It seems like a lot of these attacks are inherently
global with the way the viruses go around.
Samantha Ravich: Yeah.
Again, a couple of different pieces on this.
First of all, there's just the general knowledge
of what is going on.
And people's eyes have to be open so that
then they can take actions.
There's the training for cyber hygiene.
Because again, it's overwhelming.
I'm kind of in this field and oftentimes,
I'm at a loss.
While we were talking, I'm just about to go
on a trip and it says download these patches.
I'll get to it in a minute.
It's too difficult the advice and the guidance
and the education, I think as it stands now
is too confusing, it's too complex.
But then the other piece, and you didn't really
ask about this, but I do want it to bring
it up is what responsibility does or should
the citizens have to hand over their data
if it's going to help solve a problem that
we all face?
Samantha Ravich: And that's a really tricky
one.
I can't say with certainty and maybe VS can
say with a lot of certainty if the US government
had a lot more of the citizens' data, would
they be able to be much better at protecting
the citizenry from these threats?
I don't know the answer to that.
First of all, you need the answer, yes or
no.
If no, then forget it, you shouldn't get my
data.
If yes, what are the costs to it?
Those questions really do need to be answered
and answered really thoughtfully.
Despite what I had said on the nation state
threat and everything, this vector of your
question on what are the responsibilities
of individual US citizens if they are a data
point in a bigger data pool that can help
address some of these problems, I don't know,
that's a tough one.
Samantha Ravich: We may be forced to face
it, I'll give you an example.
I'm running a war game next month, and the
scenario is there's some overseas event that
occurs, a contingency.
We're potentially going to war against somebody
rather, and a bunch of cyber enabled economic
warfare attacks spread across the country,
across the economy.
A bank is taken down, a grid, distribution,
logistics.
Can the US government force those companies
to give over data?
We need your data to be able to do the immediate
forensics to know whether it was the enemy
that we're about to go to war with has done
these things.
I can argue it both ways.
I can argue it from the US government side
while protecting the country.
And I can argue it from the private company,
yeah, give me liability protection.
Under what authority are you coming and grabbing
my data?
We haven't answered those, I don't think we've
answered.
We, the collective have not answered those
questions.
We're kind of [battered 00:58:25].
VS Subrahmanian: I do want to interject something
there, which is I certainly don't know the
answer to your question, which is will the
government do a better job at securing all
of us if they had more access to our private
data?
The answer to that isn't clear.
But one thing has always struck me as a little
odd, which is that a lot of us, perhaps many
people in this room, but certainly a large
number of people in America and the world
over put a ton of their data online.
If you have an Instagram account, a Facebook
account and you're posting stuff about your
lives and who you had dinner with last night,
where you were, what you're attending right
now.
You're giving away a bunch of information
about yourself.
Many private corporations, our adversaries
and others can freely use this data to learn
something about everybody in this room.
VS Subrahmanian: But there are at least great
sensitivities and in some cases, some constraints
that I'm aware of that prevent the US government
from doing the same for US citizens.
What's the thinking on this?
Samantha Ravich: Because we stand on the back
of the US Constitution that except for powers
that are explicitly given to the government,
they reside with the people.
That is one of the things that makes us as
strong as we are.
It's not explicitly written in there that
thou shall give all of your data and have
no privacy to any of it.
But it is weird because Google can have it.
It's not as if no one is having it.
That's where the rub is.
It's out there and others are collecting it.
Speaker 7: Just to respond [inaudible 01:00:19].
Just in response, is it really relevant to
bring up a 250 year old document when talking
about issues that have only existed for 30
years?
Data would not have even been a thought that
would have ever come into the mind of the
writers of the Constitution, why are we not
considering this problem in a new light?
Samantha Ravich: Well, I think we are, but
we're considering it within our core values.
We're considering it within the framework
of what our country is based on, and individual
rights and liberties are kind of at the forefront
of that.
While you can freely give your stuff and Google
can get it, which is a private entity, entering
into a world where the government can demand
it.
And, oh, by the way, Google doesn't yet have
up armored vehicles with rocket propelled
grenade launchers.
Having the government have it raises a whole
host of questions.
They're not satisfactorily answered, and I
think under times of duress or in crisis,
I actually think the answer to my previous
question would be there are certain emergency
communications powers.
The government can and has in the past taken
over telecommunications.
Samantha Ravich: There's very explicit laws
governing during war time that there's the
Emergency Telecommunications Powers Act, they
can take over.
Remember the old dude, this is just a test.
Some of you may know that beeping sound.
That is the US government taking over telecommunications
to be able to put a message out to the American
people in the event of a nuclear attack by
the Soviets.
That power still exists, it exists in telecom,
but it hasn't transferred to, doesn't exist
across data streams.
Those questions need to be absolutely asked
and answered.
Speaker 8: Oh, thank you for coming to talk
to us.
For someone working in a government sector,
your talk is kind of eyeopening to me.
My question is regarding North Korea, as you
pointed out, I also believe that North Korea
is developing a top notch cyber capability.
It is known to build asymmetrical capabilities
to offset its inferiority in conventional
military capabilities, and also economic capability.
And in cyber is especially clearly one of
them on the military and also diplomatic front.
And however, when we talk about cyber enabled
economic warfare sent out on private sectors,
what do you think their true motivations and
objectives given the nature of its regime?
And also, could you describe an advantage
in its economy and also political status vis-à-vis
South Korea or as a country?
Samantha Ravich: Well, there's certainly like,
on the just stealing of the money, the North
Koreans have become very adept at busting
sanctions, whether it's through crypto, theft
of crypto or other ways to get it.
The Bangladesh Bank heist, there is clear
evidence.
And that wasn't a cyber enabled economic warfare,
that was robbing a bank.
They're under economic duress, and they're
looking for ways to fill the coffers.
But attacking Sony was not to create a North
Korean movie industry, how weird?
I just don't think that that's what it was.
And in the strange world of the Kim family
regime, in some ways it ... I don't usually
bring it up because sometimes it elicits laughter,
but think about it, Sony Corporation, American
corporation based in California releases a
movie.
The Kim family doesn't like it, goes after
a private American corporation and costs tens
of millions of dollars to its bottom line
forcing it to pull the movie.
Samantha Ravich: Again, it's kind of a silly-ish
example, and I say ish because it's a movie.
Who cares, whatever.
I didn't actually see it.
I didn't actually see it, I hear it's not
even a great movie.
Is it funny?
Really?
Is it as good as Team America?
Team America is awesome.
I always keep reading, I need to see it.
And I say silly-ish because again, it was
a company, they changed the policy of that
company.
Extrapolate that up.
And so it's both.
Speaker 9: [inaudible 01:05:50].
Samantha Ravich: Sony.
Speaker 9: [inaudible 01:06:05].
I worked for a big bank in international trade
finance and we spent a lot of money hardening
the security, but that's what ... I think
private industry has got to defend the assets
that they're responsible for, and I think
the federal government has got to do something
offensively.
The guy talked about what the Dutch did, they
absolutely did that.
That's a confirmed report, and I think we
ought to be doing it as well.
But last, Samuel Johnson said, if all objections
must be first overcome, then nothing will
be accomplished.
Speaker 10: It's more of an observation than
a question-
Daniel Benjamin: Can you just wait for the
mic?
Speaker 10: More of an observation than a
question, but a follow-up from that.
You had said early on that you thought corporations
didn't know how to calculate an ROI on cybersecurity
defense spending.
And I actually don't agree with that.
What they calculate is an ROI on their overall
IT infrastructure spend.
Their IT infrastructure spend enables their
business, enables new products and services,
enables worker productivity, employee productivity,
all of those things I mentioned.
We're in an environment for the last 10 years
of cost compute, cost of telecommunication
system [inaudible 01:07:28].
But it hasn't made a [inaudible 01:07:36]
as the cost of defense, [inaudible 01:07:41].
It's a cost [inaudible 01:07:44], it's of
providing [inaudible 01:07:46].
Speaker 10: That's the way to look at it.
They don't create a return of investment on
just [inaudible 01:07:49], they look at return
on investment [inaudible 01:07:55], which
is cost of doing businesses they may not have
but they're forced to have it and they have
to build their own capability.
And I don't think they will rely on the government
because they don't think the best talent is
in the government.
Because the government's best talent in this
area is in military and intelligence.
It's not [inaudible 01:08:21] protecting corporations.
So they are responsible for their own defenses.
And they've got to find the government talent.
It turns out that the government also knows
it doesn't have the greatest talent in these
areas as well.
Speaker 10: So there's a venture fund called
In-Q-Tel, which is funded, you know them,
it's funded by national security agencies
starting with the CIA, a bunch of national
security agencies.
And they're trying to find startups, the best
talent to keep developing this technology
[inaudible 01:08:50].
Samantha Ravich: I just think for the majority
of companies who aren't the biggest ones,
those small and medium size enterprise.
Speaker 10: But those aren't going to cause
the economic disruption-
Samantha Ravich: You get a whole bunch of
them.
Where I think there's a really interesting
conversation taking place is the insurance
industry and how this lashes onto changing
behavior and having the insurance industry,
which are really, really at the forefront
of trying to figure out actuarially how to
price this.
And we've been having a number of really kinda
of, I think very cool conversations about
what they're doing and then how does it change
behavior and what kind of behavior do you
want it to change.
I think that's also a very promising path.
Speaker 10: And then to this question here
on the FBI and warning people, the reality
is a government agency could only warn a corporation
of an attack if they had access to their systems,
and no corporation is going to give the government
access to their systems.
Because the only way to detect the attack
is to be in the systems so they can help forensically
deconstruct the attack ex post-
Samantha Ravich: Or if another agency found
that there is-
Speaker 10: Or more similar attack pattern
or whatever.
But no corporation is going to give the government
access to their systems to be a defense shield
or warning system.
Speaker 11: I think something that got a lot
of coverage over the summer in media was the
white paper granting Theresa May more power
in terms of rejecting transactions between
UK companies and foreign companies especially
that had a national security nexus.
Something I'm curious about is more recently,
at least in the United States, at least President
Trump said that even if the Broadcom and Qualcomm
transaction were to close, it would not pass
regulatory approval under his watch.
My question is more so, do you think that
is a trend A, that predates President Trump's
presidency, and B, is something that will
stay within this administration or is it going
to really continue moving forward?
Samantha Ravich: You're talking about CFIUS
and other regulation.
They just strengthened, CFIUS is the committee
for foreign investment in the United States.
And where our national security interest it
comes to play, the purchase of a company,
an American company by a foreign company can
be stopped.
It's gotten much more robust as bipartisan
legislation signed by the President, FIRRMA
was called.
It absolutely strengthened the types of transactions
that can be reviewed.
There's a ton more money going into the agencies
that are reviewing the transactions, but it
doesn't catch everything.
Another piece of our work, we became very
concerned about sensitive technology leaking
on cyber, specifically cyber technology leaking
out of the country through bankruptcy courts.
CFIUS does not cover bankruptcy, oddly enough.
Samantha Ravich: And there's not a lot of
focus on what happens in administrative or
bankruptcy courts.
We have been gathering data on this problem,
we have been working with a small set of judges
on how would you train judges to know whether
there's a company going bankrupt that has
sensitive technology, who would they call
if they found it out so that a hostile nation
doesn't walk into a courtroom and buy a company
with sensitive technology.
And using existing technology, in fact, we
might run some cargo type of competition.
There are datasets that exist in the US government,
ITAR, EAR, Dan is familiar with these things,
been at least some companies, it's not the
whole range.
But certain American companies that have sensitive
technology, you could easily have a system
that does a match between those and Westlaw
or some other database when a company is going
bankrupt and if it pings you know you need
to look closer at it.
Samantha Ravich: Again, a small gap that we
didn't have to think about in the past.
But answer to your question, direct answer
to your question, it's not something that
either started with this administration, and
it's certainly not going to end with this
administration.
It's a trend that is absolutely going to continue.
Speaker 11: Your exact words were that China
has weaponized investments in America-
Samantha Ravich: No, those were Senator Cornyn's
actually.
Speaker 11: Okay, it's a good line.
Something that I'm curious about is with the
VC arm in In-Q-Tel for the IC and a number
of patriots in the private sector that assist
the United States government, is the role
of cooperation with these companies more so
on the defensive front or is it on the offensive
as well?
Samantha Ravich: Building capabilities and
how they're used could be either defensive
or offensive.
VS would know better than I, a lot of these
capabilities are fungible.
But I want him to just broaden out a little
bit out of your question because it's not
all foreign companies.
And this is something that I think is really
important to focus on as we think about this
threat to the Western economic system.
We have to find ways to work closely with
friends and allies and their economies and
their companies to be able to have a bulwark
on this.
And I think we might be getting there.
A British company coming to buy a US company
depending on who owns that British company
is going to get a different type of scrutiny.
In fact, a British company can actually apply
to have security clearances and create something
called a proxy board, whatever, to actually
do classified work.
There's different levels of it.
Did I get that right pretty much?
Daniel Benjamin: You know more than I do.
Samantha Ravich: [inaudible 01:15:30] you
were at state.
You've [inaudible 01:15:35].
Speaker 12: Thank you for your speech.
I have a question here that we just know that
the United States are suffering tons of self
cyber attacks every minute.
Most of them are the national based cyber
attacks from the big countries just like see
Russia, China or North Korea.
I would like to know that whether they are
some kind of analysis reports showing that
those countries are targeting at some specific
parts in common or different countries have
their own different interests on the cyber
attacks.
Samantha Ravich: No, I mean, that's great.
That's a great question.
Nothing comes to mind that overlays, but I
think there is.
Clearly, there's a number of reports that
look at forensically how can you tell code
is from one country and not another.
But when you overlap their attack vectors,
even though you wouldn't be able to say with
causality that they're working together.
I don't know, it's a cool question.
I don't know, I'd like to know.
So find out, let me know.
Speaker 13: Oh, let's see if I can remember
my question now.
Something that we talk about in lab is quite
often, is this notion that you can't wait
until you have a perfect system.
You've have to just been deploying things
as you have.
And that one of the heuristics that we come
up with or, I don't know what the word is.
But basically, you want to simultaneously
be raising the costs of performing an attack
while lowering the benefit you get from doing
that attack.
And that trade-off will help you effectively
just move the target somewhere else, but you
do this domino effect and you make everything
more secure.
Are there other paradigms that you end up
talking about in your work?
Samantha Ravich: Well, persistence was one
of them.
Persistence is while you're doing that, but
forcibly keep forcing them back.
Yes, but I can't think of [inaudible 01:17:58].
VS Subrahmanian: All right.
We'll take this one last question and then
let everyone go home.
Speaker 10: All right.
To bring it back to what I asked about earlier,
since it is known that our government has
been collecting data on US citizens as revealed
in the Snowden papers, this is already an
issue that we need to deal with.
The big companies have been working with the
government to allow them to collect data on
US citizens such as Verizon and the metadata
scandal.
And this is something that should be talked
about.
What are we doing currently to help protect
US citizens and prevent these shady parts
of the government, like the NSA who use classification
as a way to hide their techniques?
What are we doing to increase transparency,
I guess?
Samantha Ravich: I take issue with it at numerous
parts.
Snowden was not a patriot, he was not doing
it for anything other than either himself
and/or hostile foreign intelligence services.
So start there and kind of finish there when
you come to talk about Snowden.
Well, I do agree with what you had said in
your last question about are we properly positioned
given today's set of realities?
What the government should be collecting,
I mean, data and how central it is.
Not just in my privacy but for me to be an
educated person connected to the world that
can feed myself and my family.
It's almost a basic need that needs to be
filled now.
What role the government shouldn't have in
that.
Again, we're right at the beginning of really
addressing those, so the laws as they exist,
many of them I would suspect are outdated.
Samantha Ravich: I mean, it's not too different
than some of the hard things we had to face
after 9/11 in terms of what should we be collecting,
and what should we make people have to suffer
with in the airports, what should we be able
to do in furtherance of a counter terrorism
strategy that protects the United States from
hostile forces.
Samantha Ravich: We had to work our way through
it.
There's no mal-intent on the part of these
government agencies.
It's struggling with how do you reconcile
the new reality to some of these old laws,
especially, and I can't, I can't stress this
enough, especially because everyone is giving
it away to everyone already, and Google is
collecting it all.
I talk to these folks inside the government
who are incredibly frustrated because they
can't even use this stuff to figure out do
they want to hire somebody.
They can go and look at their public social
media profile.
They can't, in most agencies, they can't,
and yet it's out there.
Yeah, there's a disconnect.
Transparency, maybe it's transparency, but
I think it's a public conversation that the
American public has to decide how do they
rank privacy and security.
And then the government should follow suit
based on what the American people decide for
themselves, not the other way around.
VS Subrahmanian: Well, I think with that,
we'll bring this session to a close.
Samantha, thank you very much for this.
Samantha Ravich: Oh, thanks.
