Avril began her career on the National Security Council, and went on to become the first female deputy at the CIA.
DK: How will cyber will play a role in military operations?
AH: We look at it from the perspective of “asymmetric threats”; state actors (those who have high-value assets that they can hold at risk with no threat to them). The US is more technologically advanced and relies on cyber more and more; we are as a consequence more vulnerable to cyber threats. Asymmetric threats thus hold at risk those things that are most important to us.
In the cyber realm we can’t quite define what constitutes a use of force, and saying so can be used against us. So this is an area that is crucial to continue working in; in many respects the US has the most to lose from using a framework that doesn’t work.
“The private sector is utterly critical in creating a framework that is going to work.”
We want to have widely-accepted norms and rules so that we can ask other countries to help us take an appropriate response.
The NSA spent so much time and effort training people in Cybercom that they weren’t spending time on other aspects that they needed to.
DK: Discuss the terrifying possibilities of the murkiness of these terms.
AH: It’s easy to think about cyber as a battlefield; I think of it as part of conflict; a state actor does not perform a cyber attack in a vacuum. This is part of the way we need to think about these issues: comprehensively.
This is one area where there is consistency between the Obama and Trump administrations; we cannot think about responses to cyber solely in cyber.
There is an increasing tension between political structures and the way we organize ourselves as human beings. For instance, we think our political structures are based on geographies. And yet, we are all part of virtual communities with people not in our geographic area. That creates tension between the way we are governed and the way we locate ourselves.
There are also governance challenges: it used to be that people would get their news through a local news network. If you were a politician, you knew where your constituents were getting their news. This is no longer the case.
DK: When you think about the evolution of law and legal standards: traditionally in terms of borders, which don’t exist at all online… as you move to a world without borders, the application of law becomes challenging. Where do you see the challenges around that: enforcing laws and having conversations across nation-states?
AH: I see two sets of issues. Let’s use the law of the seas example. The law of the seas has been developed across time. It’s a great example of how we dealt with a situation of many nebulous issues. The US government has an enormous interest in freedom of navigation across the world. We don’t have the right to create international laws; and yet they’re crucial. There is now an extraordinary amount of detail to it, to what we can and cannot do across the world. This is one reason I have optimism about us being able to get into these issues and think them through.
We have seen how the regulatory structures that we apply are unenforceable in the context of cyber.
DK: How are you seeing people identify their base allegiances in virtual communities?
AH: Two of the mega-trends identified are individual empowerment and diffusion of power. What people are discussing is the role of non-state actors; to my mind this is part of what we’re seeing in terms of the challenge of what it presents to government. As we see governments relying on public institutions less and less, you can see how non-state actors are increasingly having power in this area. And I don’t just mean terrorist groups, but cabals of companies, and so on. Those actors are not subject to the same rules that we subject our institutions to. Are we comfortable with those actors filling the gap of what governments use to do? This is a very interesting space.
DK: Going back to asymmetric threats: do you you have a prediction about when we might cross the line? Within the last four years there are reports that the US government may have listened into conversations of Angela Merkel. Then there are recent allegations about Russia influencing the US election. These things are becoming more tangible; the impacts more real. What do you think could be the first cyber attack that would provoke a military response? You can’t just keep poking at the virtual world and have it not eventually lead to military action, right?
AH: In trying to define what’s a use of force, we’re already taking a position. If you do through cyber what you could have done through dropping a bomb… Russia is a great example of not just using military, but also using cyber. (This might warrant an attack)
DK: What do you see in the next 5–10 years in terms of challenges?
AH: Most of the conversation around cyber and the intelligence community has to do with the amount of information it can collect. There is digital footprint that everybody makes and the near impossibility of keeping things secret. The big crisis is about keeping things secret and how to even do the job of intelligence anymore.
Cyber presents enormous challenges; it is increasingly difficult to keep things secret. On the other hand, there needs to be transparency about the framework in which the intelligence community is operating.
There is great value in being as transparent as possible about what the intelligence community does. And yet the details have to remain secret if they are going to be valuable.
There is a recent article in Wired by Mike Dempsey about this, worth reading: about the importance of the US maintaining an information edge. It’s difficult for the intelligence community to bring something new to the table.
“One of the things I thought I would miss was the daily access to the PDB; but then I started reading the New York Times…”
Q: What will it take to do a Y2K-style investment in security infrastructure to protect old hardware that is vulnerable to security issues?
AH: We spent a lot of time working with Congress on this. I think it’s not just about investing in upgrading, but really thinking through in a comprehensive way how to institute security practices that span the US government. This is an extraordinarily difficult challenge — — it will not happen in the life of any one administration, but over years through continued and consistent investment. I don’t know whether it will happen or not.
Q: Could you talk about the classic tension between privacy and security from a government perspective and how that relates to the eroding faith that people have in government at this point?
AH: I can’t really do this answer justice. 1) I wish that it hadn’t taken Snowden to start this conversation, but we should still keep having it.
2) I worry that the conversation often occurs in the context of a particular attack that has arisen; the discussion requires a level of risk that is not where we should be, meaning that the demand for perfection is extraordinary.
Originally published at blog.cloudflare.com on September 14, 2017.