Last week I attended the U.S. Military Academy’s 55th annual senior leader conference at West Point to talk about the future of digital risk and cybersecurity. The conference was focused on the future of security in the Indo-Pacific region and brought together leaders from the across the United States to deliberate about the future. I’d not been to West Point since I was a kid and after serving for seven years in the Defense Department it felt like coming home. I also got in a few runs on the Hudson River by the campus – something I’d recommend any runner do. The fog rolled in over the river, up the parapets, and onto the green riverbeds and fields adjacent to the water. It reminded me of running in England’s Lakes District almost fifteen years ago.
On the substance, our panel included Vice Admiral Timothy "T. J." White, Commander of Navy Cyber Command/the U.S. Navy’s 10th Fleet, Karan Bhatia, Google’s new Global Head of Policy, and Renee DiResta, Director of Research at New Knowledge and a Mozilla Fellow in Media, Misinformation, and Trust. Jason Healey, Senior Research Scholar at Columbia University’s School of International and Public Affairs, moderated. It was one of the best panels that I’ve been on in ages thanks to the participants’ expertise and Jason’s moderating skills. Later that night, Renee and I joined Dr. Jackie Whitt, Associate Professor of Strategy at the U.S. Army War College, to record a podcast on these topics for A Better Peace: The War Room podcast.
The question for the panel was: what are the key things that the U.S. should think about as it plans for the future of digitization in the Indo-Pacific region?
Managing digital risk and cybersecurity is ultimately about human behavior
It’s tricky today because the internet is so new. It’s only 36 years old, which is the same age as Chris Hemsworth and Nicky Minaj and oodles of other young good-looking people – and yet it’s everywhere, and spreading faster and faster. It expanded more quickly than any other technological disruption in history. So the first step for any society is to recognize that national and community leaders have a key role to play in communicating with populations about digital risks and the nexus of digital and hostile actions. Full stop. Leadership and behavior-shaping narrative communications are the most important parts for managing change. (That’s also what our upcoming podcast is about – and we explore it through a range of social, management, and leadership frames. More on that later.)
What should leaders focus on in their rhetoric and communications to populations? These folks need to give regular public addresses about digital risk to help society manage change.
Communications responsibilities should start by focusing on two risks
1. Criminal and nation-state attackers target critical infrastructure, which needs to be defined by each country. Leaders need to urge countries and companies to identify and secure their most valuable assets. The U.S. defines its most cyber-vulnerable critical infrastructure in an annual assessment called the "Section 9 List" after the 2012 executive order that first required this annual assessment. Many countries haven’t done this work yet – and if they are to get ahead of digital risks, they need to.
2. The second risk is more insidious and demands that leaders shape social behaviors over time. Criminal and nation-state attackers will spread disinformation online as the next billion users rise up across Asia. There are plenty of examples for where and how states spread misinformation, from China spreading misinformation online in Cambodia and hacking Cambodia’s election infrastructure to Indian mob behavior spreading fake news in advance of the Indian election.
The primary duty of security institutions is to prevent aggression, offline or online, and to do so justly. If that’s your goal then leaders need to spread and enforce the rule of law and foster inclusive societies. Suppression sets the pre-conditions for violence by stifling freedom. Today a number of states in Asia lack a robust rule of law and trend towards authoritarianism. If in the past insurgent groups took their politics into armed violent struggle, today and tomorrow frustration will spill into cyberattacks. Today China is oppressing the ethnic minority Uighars, one group out of many suffering under the controlling hand of the People’s Republic of China. States need to recognize that suppression will ultimately lead to resistance – including in hacktivism. Fostering the rule of law and building a just society is the best way to prevent internal conflict as any peacebuilder will tell you.
Partner Capacity Building
Doing cybersecurity requires some key ingredients: a talented workforce, knowledge about institution building and team building, and comfort with technology and vendor selection. This is hard in any society. It is especially hard in the developing world where tech is newer and institutions lack a deep bench of talent.
The U.S. can help its allies and partners by passing on best practices.
The U.S. has learned a lot in building cybersecurity institutions over the last decade and in a deliberate manner over time, it can continue to build cybersecurity capacity across the public and private sector in the Indo-Pacific to help partners learn. Last fall I wrote about the recent New America Foundation report on cybersecurity partner capacity building. This report is still one of the best out there and it should continue to find its way into the hands of the State Department and USAID as well as the Pentagon – and U.S. agencies should continue the process of educating key allies about lessons learned from the U.S. experience in critical infrastructure protection, agency roles and missions, and lessons learned from the Russian operation of 2016.
Technology transfer and preventing the spread of malware
The private sector sees immense growth in the Asia-Pacific for cybersecurity technology. Regional forums like RSA Conference Asia-Pacific show that states in the region want to invest. This is good. As technologies enter new markets, however, the U.S. government needs to maintain situational awareness of defensive capability sales and marketing trends as well as the potential for offensive weapons proliferation.
Why? Recent events in the United Arab Emirates indicate the threat posed by the proliferation of malware and hacking knowledge in illiberal regimes. While the story is still developing and I don’t know the full details, even the hypothesis shows how even under an International Transfer of Arms (ITAR) agreement, malware has the potential to make its way into dangerous hands for dangerous reasons. The U.S. government needs to work with partners and allies, and internally, to develop and enforce international norms and rules regarding malware proliferation.
The good news remains: we’re making progress in dealing with digital risks. Six years ago the United States made a big down payment in U.S. Cyber Command and this past fall that investment paid off when the U.S. military knocked the Russian Internet Research Agency offline in advance of the elections. It takes time to plan and build teams to succeed. But progress happens. If human behavior is our most important ingredient for managing digital risk, in the future we know that the world is only going to get more complicated as more people come online and the planet gets more crowded. Managing escalation and controlling aggression will remain paramount in the digital age. Good leadership will be our best guarantor of potential success.