A recent Lawfare blogpost by Mailyn Fidler (Class of 2014) featured research findings on zero-day vulnerabilities, the topic of both her CISAC honors thesis and a forthcoming law review paper. Fidler graduated from Stanford a year ago, having successfully completed the CISAC Honors Program in International Security Studies. Martha Crenshaw, who co-directs the Honors Program with Chip Blacker, and was a mentor to Fidler, comments: “We are enormously proud of and gratified by Mailyn’s accomplishment.  The publication of her research findings about zero-day exploits is exactly what we aspire to for our honors students.  We will cite her as a model and inspiration for years to come.  But of course first and foremost the credit is Mailyn’s, for her command of the subject and her determination and professionalism – qualities that have long been evident.”

Fidler, who is currently a Marshall Scholar at Oxford University, studying for a master’s degree in International Relations, is eventually planning to head to law school, as an aspiring legal academic.  In the short term, Fidler is looking forward to the publication in summer 2015 of a paper titled  “Regulating The Zero-Day Vulnerability Trade: A Preliminary Analysis.” The paper, a revised version of her honors thesis, will appear in I/S: A Journal of Law and Policy for the Information Society, a law review focused on the intersection of technology and law.

Image

She took away lasting lessons from the Honors College, a two-week program that takes place in Washington DC, providing students with exposure to policy-makers who are prominent in the students’ fields of research. “Something that stood out to me was meeting role models at the tops of their fields with such integrity and kindness,” she reflects. “Colleen Hanabusa [US Rep, Hawaii, 2011-2015], Jane Harman [Director of the Woodrow Wilson Center], and our own Karl Eikenberry and Tom Fingar particularly left a lasting impact for this reason exactly.”

Another teaching moment took place during a visit to the National Security Agency: “There was a picture of the Twin Towers front and center on the speakers’ table, and they had us pass it around and hold the picture. For me, this was indicative of how deeply this event has influenced government policy, that even a group of student visitors was asked to engage with surveillance very clearly through the lens of 9/11.”

To Fidler, the ability to have access to experts in the field of international security studies during her year at CISAC has been a great benefit to her work: “With the support of CISAC, I was able to interview and otherwise engage with a range of high-level contacts in policy, industry, and academia, and I still connect with them now, when relevant.”

In Fidler’s eyes, one of the highlights of the CISAC program was the opportunity to engage with fellow honors students as scholars and as friends and the resulting broadening of her interests: “One of my CISAC cohort just Facebook messaged me because she saw something in the news about zero-days, which she now cares about, and I, similarly, care a lot more about topics beyond my own field, such as the Indian Civil Nuclear deal and Arctic cooperation, than I did before.”

In addition to Crenshaw, Fidler was also mentored by Jennifer Granick. Granick, an expert on privacy in cyber, is the Director of Civil Liberties at the Stanford Law School Center for Internet and Society's (CIS) and a CISAC affiliate. 

Image

“Having Crenshaw and Granick as my mentors was a great pairing. Crenshaw helped me with the more academic side of my research, and Granick was invaluable in connecting me with policy movers and shakers. I ended up writing a blog post with her on Just Security, and have reached out to her numerous times for advice on how to best engage in public debate on my research topic.”

“Mailyn is a great thinker. Her thesis was smart and well-researched, and as it turns out, incredibly timely,” observes Granick. She is a real public asset as both a scholar and a voice in important policy debates.”

Fidler’s research is a work in progress. As different opportunities arise, she is constantly refocusing the lens through which she is looking at the zero-day issue: “As I have continued this work, I have had the opportunity to engage with a much wider range of actors, so I have had to rethink and reanalyze my research from multiple angles. For instance, I had the opportunity to give a presentation on zero-days to Amnesty International’s Technology & Human Rights group, which meant I rethought the issue from a human rights perspective.” Fidler researched specific instances of abuse or potential abuse of human rights using zero-days, she said, and presented the Technology & Human Rights group with several possible normative stances, a change from the more cost/benefit-oriented analysis originally laid out in her thesis.

In Crenshaw’s view, students like Fidler exemplify what the Honors program hopes to accomplish once those students go out into the real world. "We want our students to make a substantive contribution to our understanding of international security,” she notes, “and Mailyn has done just that."

When it comes to contributing to research in international security issues, Fidler is hardly alone among CISAC Honors alums. A partial listing of publications and presentations based on CISAC Honors Theses can be found here.

As a new class of incoming Honors students prepares to join CISAC, Fidler has this advice for her successors: “Don’t be afraid to ask for help or advice“ even if you think it is unlikely or intimidating, “Asking never hurts and often has a good upside.”

CISAC's Honors Program in International Studies recently awarded three prizes to some of its students, instead of the traditional two. “At the end of the year we award prizes to three of the thesis writers. It’s always a hard decision to make because they are all really good,” said FSI Senior Fellow and Honors Co-director Martha Crenshaw.

Taylor Grossman, Patrick Cirenza, and Teo Lamiot were awarded the Firestone Medal for Excellence in Undergraduate Research, the William J. Perry Prize, and the John Holland Slusser World Peace Prize, respectively. They presented their work in front of faculty, advisors, and friends at a packed seminar in early June.

The Perry Prize, named after former Defense Secretary and current FSI Senior Fellow William Perry, is awarded to a student for excellence in policy-relevant research in international security studies. Cirenza’s thesis, “An Evaluation of the Analogy between Nuclear and Cyber Deterrence,” examined whether cyber weapons can be accurately understood by comparing them to nuclear weapons.

Image

“My thesis topic definitely evolved over time,” Cirenza said. “I really did not know that much about cyber weapons. I initially wanted to look at non-state actors in cyber space and I asked Professor Scott Sagan about that and he asked what I knew about cyber and the reality was I really did not know anything. But I still really wanted to study it and at the time I was in Condoleezza Rice’s seminar and she suggested examining the analogy between nuclear and cyber weapons, which was being used a lot at the time. I went through several different topics and ultimately landed on deterrence.”

Cirenza was advised by FSI Senior Fellow Coit Blacker, who co-directs the honors program with Crenshaw, and by consulting professor Phil Taubman. Next fall he will attend Cambridge for a one year M.Phil program in international relations. After that he hopes to join the Marine Corps infantry.

“I never wanted a desk job in my twenties and I think it’s the best way to serve my country at this time,” he said.

The newly created Slusser Prize goes to the thesis that best contributes to the development of “permanent world peace.” Lamiot’s thesis, “When Blue Helmets Do Battle: Civilian Protection in the Democratic Republic of the Congo” examined whether the use of force against rebel groups in the DRC by UN peacekeepers had any effect on atrocities committed against civilians. He was advised by FSI Senior Fellow Stephen Stedman, who formerly served as Assistant Secretary-General and Special Advisor to the Secretary-General of the United Nations.

Lamiot started formulating his thesis topic when he was working in the U.S. embassy in the DRC. “I worked in the unit that is tasked with monitoring the conflict in the eastern part of the country. Part of my work was investigating a massacre that had taken place in that region about a month before I arrived in country. The massacre was of interest to the U.S. government because the Congolese and U.N. peacekeeping forces stationed nearby did not respond to the massacre despite knowing that it was going on,” he recounted.

Image

“This sparked my interest and, at first, I wanted to answer the question why do peacekeepers use force in some cases but not in others, but I ultimately decided on answering what happens when they do use force. I’m hoping that my argument that in some cases using force has positive effects and decreases rebel violence against civilians informs these decision-makers on the ground when they are choosing what to do.”

After graduation Lamiot will be on a Center for Democracy, Development, and Rule of Law fellowship in Uganda doing development work. “I’ll likely be working on democratic and political development. I’m trying to learn something about how outside actors can try to bring about these development outcomes in foreign countries.”

The Firestone Medal is a Stanford-wide prize awarded to the top ten percent of all honors theses in social science, science, and engineering. Grossman, who will also graduate with a B.A. Political Science, wrote hers on homeland security and the evolution of terrorism advisory systems. She was advised by CISAC Co-Director Amy Zegart.

“I really wanted to look at effectiveness of communication and intelligence sharing, but in a way that I could actually see government information. That led me to public warning systems for terrorism where there is a lot of public information available. Not a lot has been written on how effective they are, how they operate, or how they have evolved,” Grossman said.

Image

After graduation she plans on joining the Hoover Institution as a research assistant.

“I feel like I majored in CISAC. Ever since I took the class ‘The Face of Battle’ with Professor Scott Sagan and Colonel Joe Felter, I’ve been hooked on international security and the issues CISAC focuses on. I think the honors program has been the defining part of my undergraduate career. It was really rewarding and challenging and I’m glad I did it.”

Grossman and Cirenza were also elected to the Phi Beta Kappa Society in May 2015, as was Geo Saba, a political science major. Phi Beta Kappa is a nationwide society honoring students for the excellence and breadth of their undergraduate scholarly accomplishments.

Additionally, the Stanford Alumni Association (SAA) selected Cirenza, Grossman, and Akshai Baskaran, who majored in chemical engineering, to receive an Award of Excellence. 

Congratulations to all graduates of the Class of 2015: Akshai Baskaran, Patrick Cirenza, Kelsey Dayton, Taylor Grossman, Sean Hiroshima, Annie Kapnick, Sarah Kunis, Teo Lamiot, Austin Lewis, Sam Rebo, Geo Saba, Eliza Thompson, and Adrienne von Schulthess.

Secretary of Defense Ashton B. Carter unveiled the Pentagon’s new cybersecurity strategy before a Stanford audience Thursday, saying the United States would defend the nation using cyber warfare and calling for a renewed partnership with Silicon Valley.

Carter, the first sitting secretary of defense to speak on the Stanford campus in two decades, warned cyber criminals that Washington considers a cyber attack against the homeland or American businesses and citizens like any other threat to national security.

“Adversaries should know that our preference for deterrence and our defensive posture don’t diminish our willingness to use cyber options if necessary,” he told the audience at CEMEX Auditorium. “And when we do take action – defensive or otherwise, conventionally or in cyberspace – we operate under rules of engagement that comply with domestic and international law.”

Carter, who has a doctorate in theoretical physics, has strong ties to technology. He knows that as he takes the helm at the Pentagon, digital innovators and cyber criminals are trying to outpace one another at breakneck speeds. A strong partnership between military strategist and technologists would establish an unbeatable pact, he said.

The secretary was a senior partner at Global Technology Partners, where he advised major investment firms on technology and defense. He acknowledges the boundless transformation of technology and the opportunities and prosperity that it has brought to all sectors of American society.

But, he added: “The same Internet that enables Wikipedia also allows terrorists to learn how to build a bomb. And the same technologies we use to target cruise missiles and jam enemy air defenses can be used against our own forces – and they’re now available to the highest bidder.”

This is why, he said, the Pentagon must rebuild the bridge between Washington and Silicon Valley. “Renewing our partnership is the only way we can do this right.” Carter was building on President Barack Obama’s cybersecurity policies outlined by the president at the White House Summit on Cybersecurity and Consumer Protection at Stanford earlier this year. 

Carter was the Payne distinguished visitor at the Freeman Spogli Institute for International Studies and a distinguished visiting fellow at the Hoover Institution until he was sworn in as the 25th secretary of defense in February.

Carter’s speech was delivered as the annual Drell Lecture for Stanford’s Center for International Security and Cooperation (CISAC).

The lecture is named for theoretical physicist and arms control expert Sidney Drell, the center’s co-founder, a senior fellow at Hoover and former director of the SLAC National Accelerator Laboratory. Drell and former Secretary of Defense William J. Perry – a FSI senior fellow and consulting professor at CISAC – were both mentors to Carter and he thanked them at length before his formal policy speech. (Read here.)

"Secretary Carter is the first sitting secretary of defense to speak in Silicon Valley in 20 years," said CISAC Co-Director and Hoover senior fellow Amy Zegart, who led a Q&A session with Carter at the end of his talk. "This was an historic day, with the unveiling of DoD's new cyber strategy, and we are honored that Stanford could play a part. Cybersecurity is one of the toughest international security challenges of our time, and we are dedicated to playing a leading role in bringing together policymakers, scholars, and industry leaders to develop the new technologies, talent, and ideas that our nation requires."

Image

As Carter was speaking, the Department of Defense released online its new cyber strategy based on three primary missions: To defend the Pentagon’s networks; to defend the United States and its interests against cyber attacks of “significant consequences”; and to provide integrated cyber capabilities to support military operations and contingency plans.

“The cyber threat against U.S. interests is increasing in severity and sophistication,” Carter said. “While the North Korean cyber attack on Sony was the most destructive on a U.S. entity so far, this threat affects us all. Just as Russia and China have advanced cyber capabilities and strategies ranging from stealthy network penetration to intellectual property theft, criminal and terrorist networks are also increasing their cyber operations. Low-cost and global proliferation of malware have lowered barriers to entry and made it easier for smaller malicious actors to strike in cyberspace.”

The cyber strategy calls for a 6,200-strong Cyber Mission Force of military, civilian and defense contractors, with 133 cyber protection and combat teams in action by 2018.

“These are the talented individuals who hunt down intruders, red-team our networks and perform the forensics that help keep our systems secure,” Carter said.

And the Pentagon is creating a new “point of partnership” in the Silicon Valley called the Defense Innovation Unit X.

“The first-of-its-kind unit will be staffed by an elite team of active-duty and civilian personnel, plus key people from the Reserves, where some of our best technical talent resides,” he said, adding the unit would scout for breakthrough and emerging technologies and potentially help startups find new ways to work with the military.

The Pentagon will establish a branch of the U.S. Digital Service, the outgrowth of the technical team that helped rescue the beleaguered healthcare.gov site, which collapsed when the Affordable Care Act was implemented.

Herb Lin, a senior research scholar for cyber policy and security at CISAC and a research fellow at Hoover, said the concept was particularly noteworthy. “He’s asking technologists to take a tour of duty helping the DoD by working on some important technical problems. I heartily endorse this vision.”

Lin said the new DoD cyber strategy that was released online is also notable for its openness about the role of the Pentagon’s offensive cyber capabilities.

“It’s been an open secret for a long time that DoD has these capabilities, but by discussing them more forthrightly than any defense secretary has done before, Dr. Carter has done a real public service,” Lin said. “And the announcement of the new strategy will spark much needed conversations among policymakers and researchers about what should be done with these capabilities.”

Lin – chief scientist for the Computer Science and Telecommunications Board, National Research Council of the National Academies before coming to Stanford earlier this year – was also impressed by how open Carter was about wanting to repair relations with Silicon Valley. Those have been frosty at best since the Edward Snowden revelations.

“That will be a hard task, but you have to start somewhere, and Carter is quite tech-savvy, so if anyone can make headway, he can,” Lin said.

The secretary was slated to visit Facebook after his speech and meet with tech leaders on Friday. Not only does he hope to make amends, but to enlist their support in countering the threat of cyber attacks and ensuring the military has the technology it needs.

Carter revealed that earlier this year, sensors that guard the Pentagon’s unclassified networks detected what they believed were Russian hackers. After investigating, they discovered an old vulnerability in one of the DoD’s legacy networks that hadn’t been patched. But they caught it and kicked off the hackers within 24 hours.

He said the incident had not been made public until now.

“Shining a bright light on such intrusions can eventually benefit us all, government and business alike,” he said. “As secretary of defense, I believe that we at the Pentagon must be open, and think, as I like to say, outside our five-sided box.”

After his speech, the secretary took questions from the Stanford and Twitter audiences in a session moderated by Zegart.

One of those questions from Twitter asked why young Stanford computer scientists or technologists from the valley would want to join the cyber teams at the Pentagon.

“Because we have the most exciting problems you can have in technology,” he said. “And they’re consequential – they matter.”

Image

All Photos by Rod Searcey.

U.S. Navy Adm. Cecil D. Haney, the U.S. Strategic Command commander, hosted CISAC Co-Directors David Relman and Amy Zegart as well as CISAC faculty and fellows at Offutt Air Force Base in Nebraska on March 30-31, 2015, to promote military-to-university cooperation and innovation, and provide a better understanding of USSTRATCOM’s global missions.

The visit follows Haney’s trip to Stanford last year, during which he held seminars and private meetings with faculty, scholars and students to discuss strategic deterrence in the 21st century. Those discussions focused on reducing the U.S. nuclear weapons stockpile while maintaining an effective deterrent, the integration of space and cyberspace in nuclear platforms and the congested, contested and competitive operating environment in space.

“Developing and maintaining partnerships with security experts from the private sector and academic institutions like CISAC enables USSTRATCOM to view the strategic environment from a different perspective and adjust our decision calculous accordingly,” Haney said. “We are excited about this unique opportunity to exchange ideas and share information with this prestigious organization.” 

Haney opened the discussions by presenting a command mission brief, in which he described USSTRATCOM’s nine Unified Command Plan-assigned missions, his priorities as commander and his ongoing effort to build enduring relationships with partner organizations to exchange ideas and confront the broad range of global strategic challenges.

Zegart, who is also a senior fellow at Stanford’s Hoover Institution, said getting to see and experience how USSTRATCOM operates first-hand was “an eye opener.”

“It’s one thing to think about deterrence, it’s another to live it,” she said. “When you go to each other’s neighborhoods, you gain a better understanding of where each side is coming from … and that’s enormously important to us in how we think about deterrence and what we can do to help USSTRATCOM and its mission.”

“These kinds of exchanges have cascade effects on young people; how they think about civil-military relations [and] how they understand what our military is doing,” she added.

Image

The delegation also received a tour of USSTRATCOM’s global operations center and held discussions with subject matter experts on strategic deterrence, cyber responsibility and nuclear modernization.

“As a cybersecurity fellow, it was fascinating to visit the global operations center and the battle deck to see the role that cybersecurity and information technology plays in the strategic deterrence mission,” said Andreas Kuehn, a CISAC pre-doctoral cybersecurity fellow from Switzerland. “At CISAC, we often discuss deterrence from a theoretical perspective, so it was very insightful to hear from people who work in [this field] and see how they deal with deterrence in an operational manner.”

The two-day visit concluded with an open discussion, during which CISAC and USSTRATCOM members discussed the most effective means to share information, plan future engagements and continue working to build on the mutually beneficial relationship between the two organizations.

“Sometimes people talk [about strategic issues] in the abstract and it becomes difficult to understand what is happening on the ground and in the real world,” Kuehn said. “I think [USSTRATCOM] took extra steps to keep the conversations open and concrete.”

USSTRATCOM is one of nine Department of Defense unified combatant commands charged with strategic deterrence, space operations, cyberspace operations, joint electronic warfare, global strike, missile defense, intelligence, surveillance and reconnaissance, combating weapons of mass destruction, and analysis and targeting.

Former U.S. Sen. Mark Udall gained notoriety for his vocal opposition to National Security Agency surveillance programs in the wake of the Edward Snowden disclosures of June 2013.

Before losing his seat in the mid-term elections last year, the senior senator from Colorado had become one of the staunchest critics of the U.S. spy agency for conducting massive, warrantless data grabs on millions of Americans without their knowledge.

Even before the Snowden leaks, Udall had warned on the Senate floor in 2011 that the Patriot Act was being interpreted in a way to allow domestic surveillance activities that many members of Congress and the American public do not understand.

"Americans would be alarmed if they knew how this law is being carried out," he told fellow senators before he introduced amendments to the Patriot Act that would have secured tougher privacy mechanisms. The act was renewed without the amendments.

Udall – who served on the Senate's Intelligence and Armed Services committees – will be in conversation with Center for International Security and Cooperation Co-Director Amy Zegart Thursday, April 2, at 7:30 p.m. in CEMEX Auditorium as part of Stanford's Security Conundrum lecture series. The event is open to the public but an RSVP is required by 5 p.m. April 1.

The special series has brought together nationally prominent experts this academic year to explore the critical issues raised by the NSA's activities, including their impact on security, privacy and civil liberties. The series ends April 10 with a public conversation with Judge Reggie Barnett Walton, former presiding judge of the Foreign Intelligence Surveillance Court, known as the FISA court.

The Foreign Intelligence Surveillance Act of 1978 empowered the FISA court to oversee government requests for surveillance of foreign intelligence agencies. During its existence, the court has granted more than 30,000 warrants; it has denied only 11.

Walton, in conversation with Stanford Law School Professor Jenny Martinez, will explain the role that the secretive institution attempts to play in maintaining the balance between civil liberties and national security.

"We're delighted to end the Security Conundrum series with a view from Congress and the courts," said Zegart, who is also a senior fellow at the Hoover Institution. "Holding serious campus-wide conversations about issues of national importance is an essential part of the Stanford experience."

Zegart said CISAC and Hoover would conduct a similar series on international cybersecurity challenges in the coming academic year.

Udall, the third speaker in the series, also advocated for the declassification of the Senate Intelligence Committee's study on the CIA's enhanced interrogation program. The post-9/11 program allowed the government to ship suspected terrorists to secret overseas prisons and subject them to waterboarding and other torture techniques.

Gen. Michael Hayden, the former director of the NSA and CIA who has defended the government surveillance programs, kicked off the Security Conundrum series in October. In that talk, he said the metadata collection "is something we would never have done on Sept. 9 or Sept. 10. But it seemed reasonable after Sept. 11. No one is doing this out of prurient interests. No – it as a logical response to the needs of the moment."

The second speaker in the series, journalist Barton Gellman, gave a detailed account of his relationship with former NSA contractor Snowden and how he worked with him to reveal the details of the NSA's global and domestic surveillance programs.

One of the first Snowden revelations, Gellman said, was the top-secret PRISM surveillance program, in which the NSA tapped into the servers of nine large U.S. Internet companies, including Google, Microsoft, Yahoo and Facebook. Snowden said he believed the extent of mass data collection on American citizens was far greater than what the public knew.

The PRISM program allows the U.S. intelligence community to gain access from the tech companies to a wide range of digital information, including audio, video chats, photographs, emails and stored data, that enables analysts to track foreign targets. The program does not require individual warrants, but instead operates under the broad authorization of the FISA court.

"I asked him very bluntly, 'Why are you doing this?'" Gellman said of Snowden.

"He gave me very persuasive and consistent answers about his motives. Whatever you think of what he did or whether or not I should have published these stories, I would claim to you that all the evidence supports his claim that he had come across a dangerous accumulation of state power that the people needed to know about."