Cybersecurity

Seminar Recording: https://youtu.be/X_0mm8UkVOc

 

Abstract:  In the movie WarGames, a 1980s teenager hacks into a U.S. nuclear control program, almost starting a nuclear war.  This movie has become a common illustration for the dangers of increasingly digitized nuclear arsenals and reflects what many scholars and practitioners see as the most perilous implication of the rise of cyberattacks--instability to states' nuclear command, control, and communications (NC3).  Research conducted during the Cold War suggested that even the threat of serious vulnerabilities to states' NC3 could incentivize preemptive launches of nuclear weapons.  Despite this widespread concern about the destabilizing effects of NC3 vulnerabilities, there is almost no empirical research to support these conclusions.  In order to test these theories, this paper uses an experimentally-designed war game to explore the role that vulnerabilities and exploits within a hypothetical NC3 architecture play in decisions to use nuclear weapons.  The game, which uses 4-6 players to simulate a national security cabinet, includes three treatment scenarios and one control scenario with no vulnerabilities or exploits.  Players are randomized into the scenario groups and games are played over the course of a year in seven different locations with a sample of elite players from the U.S. and other nations. Together, a longitudinal analysis of these games examines the role that culture, cognitive biases, and expertise play in the likelihood of thermonuclear cyber war with significant implications for both cyber strategy and nuclear modernization.


Speaker's Biography:

Dr. Schneider is a Hoover Fellow at the Hoover Institution and a non-resident fellow at the Naval War College’s Cyber and Innovation Policy Institute. She researches the intersection of technology, national security, and political psychology with a special interest in cyber, unmanned technologies, and wargaming. Her work has appeared in a variety of outlets including Security Studies, Journal of Conflict Resolution, Journal of Strategic Studies, Foreign Affairs, Lawfare, War on the Rocks, Washington Post, and Bulletin of the Atomic Scientists. She has a BA from Columbia University, an MA from Arizona State University, and a PhD from George Washington University.

Jacquelyn Schneider, Non-resident Fellow, Naval War College’s Cyber and Innovation Policy Institute

Corruption of the information ecosystem is not just a multiplier of two long-acknowledged existential threats to the future of humanity—climate change and nuclear weapons. Cyber-enabled information warfare has also become an existential threat in its own right, its increased use posing the realistic possibility of a global information dystopia, in which the pillars of modern democratic self-government—logic, truth, and reality—are shattered, and anti-Enlightenment values undermine civilization around the world. 

 

Publication Type: Journal Articles
Journal Publisher: Bulletin of the Atomic Scientists
Authors: Herbert Lin
Number: 4

Authors: Amy Zegart
News Type: Commentary

Thirty years ago this week, I watched the news from Beijing and started shredding my bedding. It was the night before my college graduation, I had been studying Chinese politics, and news had broken that college students just like us had been gunned down in Tiananmen Square after weeks of peaceful and exhilarating democracy protests—carried on international TV. In the iconic square where Mao Zedong had proclaimed the People’s Republic decades before, bespectacled students from China’s best universities had camped out, putting up posters with slogans of freedom in Chinese and English. A “goddess of democracy” figure modeled after the Statue of Liberty embodied their hopes—and ours—for political liberation in China.

On my campus back then were just a handful of students majoring in East Asian studies. Learning of the brutal crackdown in Beijing, we somehow found one another, gathered our friends, and stayed up making hundreds of white armbands for classmates to wear at commencement the next day. Grappling with the cold realities of the “real world” we were about to enter, we didn’t know what else to do. So we tore sheets and cried for what might have been.

The June 4, 1989, massacre was a horrifying spectacle that the Chinese government has sought to erase from national memory ever since. But, 30 years later, contemplating what might have been is more important than ever. In hindsight, Tiananmen Square serves as a continuing reminder about just how much China has defied, and continues to defy, the odds and predictions of experts. The fact is that generations of American policy makers, political scientists, and economists have gotten China wrong more often than they’ve gotten China right. In domestic politics, economic development, and foreign policy, China has charted a surprising path that flies in the face of professional prognostications, general theories about anything, and the experience of other nations.

Read the rest at The Atlantic

Authors: Amy Zegart
News Type: Commentary

Congress’s annual worldwide-threat hearings are usually scary affairs, during which intelligence-agency leaders run down all the dangers confronting the United States. This year’s January assessment was especially worrisome, because the minds of American citizens were listed as key battlegrounds for geopolitical conflict for the first time. “China, Russia, Iran, and North Korea increasingly use cyber operations to threaten both minds and machines in an expanding number of ways,” wrote Director of National Intelligence Dan Coats. Coats went on to suggest that Russia’s 2016 election interference is only the beginning, with new tactics and deep fakes probably coming soon, and the bad guys learning from experience.

Deception, of course, has a long history in statecraft and warfare. The Greeks used it to win at the Battle of Salamis in the fifth century b.c. The Allies won the Second World War in Europe with a surprise landing at Normandy—which hinged on an elaborate plan to convince Hitler that the invasion would be elsewhere. Throughout the Cold War, the Soviets engaged in extensive “active measure” operations, using front organizations, propaganda, and forged American documents to peddle half-truths, distortions, and outright lies in the hope of swaying opinion abroad.

But what makes people susceptible to deception? A colleague and I recently launched the two-year Information Warfare Working Group at Stanford. Our first assignment was to read up on psychology research, which drove home how vulnerable we all are to wishful thinking and manipulation.

Read the rest at The Atlantic


Abstract: Technical tools dominate the cyber risk management market. Social cybersecurity tools are severely underutilised in helping organisations defend themselves against cyberattacks. We investigate a class of non-technical risk mitigation strategies and tools that might be particularly effective in managing and mitigating the effects of certain cyberattacks. We call these social-science-grounded methods Defensive Social Engineering (DSE) tools. Through interviews with urban critical infrastructure operators and cross-case analysis, we devise a pre, mid and post cyber negotiation framework that could help organisations manage their cyber risks and bolster organisational cyber resilience, especially in the case of ransomware attacks. The cyber negotiation framework is grounded in both negotiation theory and practice. We apply our ideas, ex post, to past ransomware attacks that have wreaked havoc on urban critical infrastructure. By evaluating how to use negotiation strategies effectively (even if no negotiations ever take place), we hope to show how non-technical DSE tools can give defenders some leverage as they engage with cyber adversaries who often have little to lose.

Publication Type: Journal Articles

Authors: Amy Zegart
News Type: Commentary

The Trump administration’s National Cyber Strategy rests on a pair of convenient fictions.

 

I used to think we didn’t have enough strategic documents guiding U.S. cyber policy. Now I think we have at least one too many. In September, the Trump administration published a National Cyber Strategy—proudly declaring that it was the first fully articulated cyber strategy in 15 years. This week, the annual intelligence threat hearing laid bare the fantasy world of that four-month-old document and the cold hard reality of, well, reality.

The National Cyber Strategy paints an aspirational view of how the U.S. is doing in cyberspace and what we should do in the future. To be fair, aspirational isn’t all bad. Strategy documents need to inspire, not depress. And the strategy’s four pillars seem as unobjectionable as motherhood and apple pie: defending the homeland and America’s way of life; promoting American prosperity; preserving peace through strength; and advancing American interests. Who could argue with that? The best strategies articulate a future world, lay out a pathway to get there, generate new ideas, and align the disparate elements of government on a common path to succeed. Given how hard it is to keep the government lights on these days, getting on the same page about anything is a big deal.

Read the rest at The Atlantic.

News Type: News

War is changing, and the U.S. military can now use cyber weapons as digital combat power.

When and how that’s done is the subject of a new book, Bytes, Bombs and Spies: The Strategic Dimensions of Offensive Cyber Capabilities, edited by Herb Lin and Amy Zegart at the Center for International Security and Cooperation and the Hoover Institution.

US military doctrine defines offensive cyber operations as operations intended to project power by the application of force in and through cyberspace. This is defined as actions that disrupt or destroy intended targets.

At a time when US cyber policy is taking a new direction, Bytes, Bombs and Spies is one of the first books to examine strategic dimensions of using offensive cyber operations. With chapters by leading scholars, topics include US cyber policy, deterrence and escalation dynamics, among other issues. Many of the experts conclude that research, scholarship, and more open discussion need to take place on the topics and concerns involved.

Lin and Zegart are senior research scholar and senior fellow, respectively, at Stanford’s Center for International Security and Cooperation. Max Smeets, a CISAC cybersecurity postdoctoral fellow, is also a contributor to the book.

Offensive cyber rising

Examples in recent years of offensive cyber usage include the Stuxnet computer virus that destroyed centrifuges in Iran and slowed that country’s attempt to build a nuclear weapon; cyber weapons employed against ISIS and its network-based command and control systems; and reported cyber incursions against North Korea’s ballistic missile system that caused launch failures.

“If recent history is any guide, the interest in using offensive cyber operations is likely to grow,” wrote Lin and Zegart.

One key issue is how to best respond to cyberattacks from abroad, such as the 2015 theft of millions of records from the Office of Personnel Management, the 2016 U.S. election hacking, and the 2017 WannaCry ransomware attack that affected computers worldwide, to name but a few. Those incidents have “provided strong signals to policymakers that offensive cyber operations are powerful instruments of statecraft for adversaries as well as for the United States,” Zegart and Lin wrote.

In September 2018, the White House reportedly issued a directive taking a more aggressive posture toward cyber deterrence. This measure allows the military to engage, without a lengthy approval process, in actions that fall below the “use of force” or a level that would cause death, destruction or significant economic effects. Also, US Cyber Command was elevated to an independent unified command, giving it more independence in conducting offensive cyber operations.

These new policy directions make it all the more imperative that offensive cyber weapons be researched, analyzed and better understood, wrote Lin and Zegart.

Conceptual thinking lags

The 438-page Bytes, Bombs and Spies includes 16 chapters by different authors. Topics include the role and nature of military intelligence, surveillance, and reconnaissance in cyberspace; how the United States should respond if an adversary employs cyberattacks to damage the U.S. homeland or weaken its military capabilities; a strategic assessment of the U.S. Cyber Command vision; and operational considerations for strategic offensive cyber planning, among others.

“Conceptual thinking,” Lin and Zegart noted, lags behind the technical development of cyber weapons. Some issues examined include:

• How might offensive cyber operations be used in coercion or conflict?

• What strategic considerations should guide their development and use?

• What intelligence capabilities are required for cyber weapons to be effective?

• How do escalation dynamics and deterrence work in cyberspace?

• What role does the private sector play?

Scholars at universities and think tanks need to conduct research on such topics, Zegart said. “Independent perspectives contribute to the overall body of useful knowledge on which policymakers can draw.”

In the chapter Lin wrote on “hacking a nation’s missile development program,” he noted that cyber sabotage relies on electronic access to various points in the life cycle of a missile, from its construction to ultimate use.

“For some points, access is really hard to obtain; in other points, it is easier.  Access can be technical (what might be obtained by hacking into a network) or human (what might be obtained by bribing or blackmailing a technician into inserting a USB thumb drive),” he said. 

One key, Lin said, is the availability of intelligence on the missile and the required infrastructure needed to fabricate, assemble, and launch the missile. 

“Precisely targeted offensive cyber operations generally require a great deal of detailed technical information, and such information is usually hard to obtain, especially if the missile program is operated by a closed authoritarian government that does not make available much information on anything,” he said.

Origins in cyber workshop

The idea for Bytes, Bombs and Spies originated from a 2016 research workshop led by Lin and Zegart through the Stanford Cyber Policy Program. That event brought together researchers from academia and think tanks as well as current and former policymakers in the Department of Defense (DoD) and U.S. Cyber Command.

“We organized the workshop for two reasons,” wrote Lin and Zegart. “First, it was already evident then—and is even more so now—that offensive cyber operations were becoming increasingly prominent in U.S. policy and international security more broadly. Second, despite the rising importance of offensive cyber operations, academics and analysts were paying much greater attention to cyber defense than to cyber offense.”

Herb Lin is the Hank J. Holland Fellow in Cyber Policy and Security at the Hoover Institution and senior research scholar for cyber policy and security at the Center for International Security and Cooperation, a center of the Freeman Spogli Institute for International Studies.

Amy Zegart is the Davies Family Senior Fellow at the Hoover Institution, where she directs the Robert and Marion Oster National Security Affairs Fellows program. She is founder and co-director of the Stanford Cyber Policy Program, and senior fellow at the Center for International Security and Cooperation, a center of the Freeman Spogli Institute for International Studies.

Media Contacts

Clifton B. Parker, Hoover Institution: 650-498-5205, cbparker@stanford.edu

Authors: Herbert Lin
News Type: Commentary

In the cybersecurity field, the term “active defense” is often used in a variety of ways, referring to any activity undertaken outside the legitimate span of control of an organization being attacked; any non-cooperative, harmful or damaging activity undertaken outside such scope; or any proactive step taken inside or outside that span of control. As most Lawfare readers know, activities outside the legitimate span of control are quite controversial from a policy standpoint, as they can implicate the Computer Fraud and Abuse Act, or CFAA, which criminalizes both gaining access to computers without authorization as well as exceeding authorized access.

This logic suggests to many that “hacking back”—which might well be defined as a counter-cyberattack on an attacker’s computer—would violate the CFAA. That is, even if A gains unauthorized access to B’s computer, any action taken by B on A’s computer would violate the CFAA since A would not have given B authorization for access. This article will offer some technical commentary on the implications of interpreting the CFAA that way.

Read the rest at Lawfare

Offensive cyber operations have become increasingly important elements of U.S. national security policy. From the deployment of Stuxnet to disrupt Iranian centrifuges to the possible use of cyber methods against North Korean ballistic missile launches, the prominence of offensive cyber capabilities as instruments of national power continues to grow. Yet conceptual thinking lags behind the technical development of these new weapons. How might offensive cyber operations be used in coercion or conflict? What strategic considerations should guide their development and use? What intelligence capabilities are required for cyber weapons to be effective? How do escalation dynamics and deterrence work in cyberspace? What role does the private sector play?

In this volume, edited by Herbert Lin and Amy Zegart—co-directors of the Stanford Cyber Policy Program—leading scholars and practitioners explore these and other vital questions about the strategic uses of offensive cyber operations. The contributions to this groundbreaking volume address the key technical, political, psychological, and legal dimensions of the fast-changing strategic landscape.

 

ABOUT THE EDITORS

Dr. Herb Lin is senior research scholar for cyber policy and security at the Center for International Security and Cooperation and Hank J. Holland Fellow in Cyber Policy and Security at the Hoover Institution, both at Stanford University. He is chief scientist emeritus for the Computer Science and Telecommunications Board at the National Academies. He served on President Barack Obama’s Commission on Enhancing National Cybersecurity.

 

Dr. Amy Zegart is the Davies Family Senior Fellow at the Hoover Institution, senior fellow at the Center for International Security and Cooperation, and professor of political science, by courtesy, at Stanford University. Her previous books include Political Risk: How Businesses and Organizations Can Anticipate Global Insecurity, with Condoleezza Rice; and Spying Blind: The CIA, the FBI, and the Origins of 9/11.

 

ABOUT THE EDITORS

Dr. Sameer Bhalotra is the Co-founder & Executive Chairman of StackRox, and is a CISAC affiliate. He is also affiliated with the Center for Strategic and International Studies (CSIS), UC Berkeley’s Center for Long-Term Cybersecurity (CLTC), and Harvard University’s Kennedy School of Government. He previously worked in cybersecurity at Google and as COO at Impermium (acquired by Google). In government, he served as Senior Director for Cybersecurity on the National Security Council staff at the White House, Cybersecurity & Technology Lead for the Senate Select Committee on Intelligence, and in various roles in the Intelligence Community.

 

Herb Lin & Amy Zegart, Stanford University

Authors: Amy Zegart
News Type: Commentary

Closing the gap between technology leaders and policy makers will require a radically different approach from the defense establishment.

A silent divide is weakening America’s national security, and it has nothing to do with President Donald Trump or party polarization. It’s the growing gulf between the tech community in Silicon Valley and the policy-making community in Washington.

Beyond all the acrimonious headlines, Democrats and Republicans share a growing alarm over the return of great-power conflict. China and Russia are challenging American interests, alliances, and values—through territorial aggression; strong-arm tactics and unfair practices in global trade; cyber theft and information warfare; and massive military buildups in new weapons systems such as Russia’s “Satan 2” nuclear long-range missile, China’s autonomous weapons, and satellite-killing capabilities to destroy our communications and imagery systems in space. Since Trump took office, huge bipartisan majorities in Congress have passed tough sanctions against Russia, sweeping reforms to scrutinize and block Chinese investments in sensitive American technology industries, and record defense-budget increases. You know something’s big when senators like the liberal Ron Wyden and the

In Washington, alarm bells are ringing. Here in Silicon Valley, not so much. “Ask people to finish the sentence, ‘China is a ____ of the United States,’” said the former National Economic Council chairman Keith Hennessey. “Policy makers from both parties are likely to answer with ‘competitor,’ ‘strategic rival,’ or even ‘adversary,’ while Silicon Valley leaders will probably tell you China is a ‘supplier,’ ‘investor,’ and especially ‘potential market.’”

Read the rest at The Atlantic.