Power Lines Episode 8 Bonus Transcript
[Music playing]
Anastasiia: Hello listeners, welcome to our bonus episode of Power Lines: From Ukraine to the World. I am Anastasiia Lapatina.
Jakub: And I'm Jakub Parusinski. This week we're speaking about cyber warfare with Lauren Zabierek, the Executive Director of the Cyber Project at Harvard Kennedy School, Belfer Center.
Anastasiia: So Jakub, you spoke to the journalist Andy Greenberg about cyber warfare for our last week's main episode, but what did you want to know from Lauren?
Jakub: Well, Andy Greenberg has an amazing sort of ability to recount the different cases of cyber warfare.
I think Lauren is looking at the question more from a policy or an institutional perspective, looking at how governments, institutions, companies should look at cyber war and that cybersecurity, more from a sort of governance perspective as well.
Anastasiia: This is actually really interesting because since cyber warfare is such a new method of warfare, I'm not sure if states have caught on up to instituting actual policies and understanding what to actually do with it and how to govern it.
Jakub: Well, that's actually the big challenge. Whereas most countries will have doctrines and even established ways to respond to various hostile acts, cyber warfare is just a little bit in an unregulated space, a bit like crypto or NFTs. It's something that we haven't really caught up with.
[Music playing]
Anastasiia: Great. So, let's hear from Lauren then.
Jakub: So Lauren, thank you so much for joining Power Lines. Maybe just to sort of start off, what do people mean when they talk about cyber warfare?
Lauren: Yeah, that's a great question and there's sort of a difference here, between the concept of cyber warfare and an act of war in cyberspace. And this is something that I think can be very confusing to a lot of people because we just see the news and we see actions in cyberspace and we hear the word cyber-attack and that sounds very violent.
But the differences here, cyber warfare itself, I think really refers to the certain tactics, techniques and procedures and actions taken in cyberspace to attack and harm computers and networks by one actor against another.
Cyber war or an act of cyber war or an act of war in cyberspace is much different. That's actually a very political determination. So, when we talk about war, there's implications there. It's loaded obviously, and the victim nation is really the one that has to make that determination.
There are thousands of cyber-attacks every day by nation states, by criminals with different intent and different results. But generally, it's thought that an active war in cyberspace is going to result in massive loss of life, massive economic damage, massive injury or harm.
So, there are a couple different sort of distinctions here that hopefully we can make clear to the audience.
Jakub: Let's move back a little bit towards the, let's say, early part of the 21st century. Where does this kind of idea of using cyberspace as a battlefield come from? What's sort of the story of getting to the present day?
Lauren: I would say starting in the 2010s, the use of cyber and sort of different viruses and malwares propagating that of course, was happening well before that, even once the internet was developed.
But I would say, probably the 2010s is when this started to get real attention from policymakers, policymakers and decision makers starting to think this could actually have some real implications as we become more and more and more connected.
And I think we also saw some of the most disruptive, I guess you can say, and even in some cases, again, destructive attacks. So, looking again back to 2015/2016 with the attacks on the energy grid.
And then of course now we're sort of in the midst of the ransomware epidemic as they call it. So, a lot of really sophisticated capabilities are in use by criminals, by cyber criminals. Obviously, last year we had the attack on colonial pipelines, so part of our critical infrastructure, there was also a ransomware attack on an entire government, Costa Rica.
So, we're seeing a lot of sort of blending of capabilities and tactics by different actors. So, this sort of ramping up, I guess, of capabilities and actions over the last decade and a half (we'll see), is I think when it's become the most serious.
Jakub: You mentioned ransomware, so this is presumably by various criminal groups trying to essentially hold a piece of digital infrastructure or sort of take it hostage basically, until they're paid.
What's sort of the other types of attacks and how are they used? Just to give the audience a little bit of a sense of what we're talking about.
Lauren: So, you mentioned ransomware, that is typically used by cyber criminals to extort money from unwitting victims, basically. And it works a lot of times because the economics of cyber-crime are such that it does favour the criminals.
And then of course there are the nation state actors. So, a lot of times we see this as cyber espionage, so spying and gathering information.
Other times it's sabotage. Part of the appeal to it is that you can use it to your particular will and then it offers some plausible deniability as well as some reach. Although more and more, I think that deniability is going away.
Jakub: Talking about the actors involved here, obviously whether it's in the movies or in real life, it seems like the Russians play a very big role in this space.
But we've also seen that Russia does have limited capabilities. It's certainly sourcing a lot of drones from Iran. The Sony hack is believed to be connected to North Korea. Who's the big players here?
Lauren: We always say sort of the big four. The big four adversaries in cyber, and Russia, China, North Korea and Iran.
Jakub: Is there any sort of specialisation or differences in style or do they have some kind of specific areas that they focus on?
Lauren: Well, I think if we look to Russia, they were the ones that we have seen more destructive malware.
In times past, we've really looked at China as saying using cyber operations to perform more intellectual property theft and of course theft of other data.
And then of course with North Korea really sanctions evasion. And trying to mine for cryptocurrencies.
Jakub: A little bit less glamorous than the others.
Lauren: Yeah.
Jakub: So, moving back towards Ukraine, we see in the sort of run up to the full-scale invasion, basically after 2013, there's the revolution, Ukraine changes course geopolitically and we see quite a bit of these various types of cyber-attacks showing up.
As you mentioned, there's the attacks on the power grid. I remember being in Ukraine quite a bit during those years. It seemed like that was quite a lot of activity, testing the state capabilities. Would you say that Ukraine was one of the major battlefields for cyber warfare throughout the 2010s?
Lauren: There's a lot of people who will say that, yeah, Ukraine was sort of this test bed for Russia. And I think with what has happened with their invasion of Ukraine that maybe it wasn't necessarily a test bed. It wasn't like, “Oh we're just going to test out our capabilities on Ukraine.” It was actually for something much more sinister.
And so, yes, certainly honing capabilities and testing out the ability to achieve certain effects in cyberspace? Yes, absolutely. But also, with I think a more strategic goal, trying to break down people's will.
So yeah, I think it has been a key tool for them to use in the lead up to this particular invasion. It probably will remain a tool, although I think there have been a lot of people who have questioned like, “Oh, why didn't we see all these huge destructive cyber-attacks that we expected?” And did they have the intended effect? And are they as good as they thought?
But I think one of the biggest things that we've learned is that cyber really remains a tool in the sort of the whole toolkit and not the sole domain by which you win a war.
Jakub: So, building off on that, because I think this is a very interesting point about cyber being a tool, and there's a question of how effective it is. So, as you mentioned throughout the 2010s, there's a bunch of attacks on Ukrainian infrastructure. There's lots of blackouts or attempts to sort of take down the power grid, various smaller attacks as well.
And then the war starts, nine months ago. Have you been surprised by the significance of cyber warfare as a tool, as part of the war? Is it more or less what you've expected? Like is it underwhelming, overwhelming, feels like after a lot of fear generated around this, it isn't quite as big. Obviously when you have missiles reigning down, it's a much more clear and present danger.
Lauren: Well, I think that's a great point is that that's a key lesson that I think the community has come to observe. In a war, cyber is sort of a compliment, especially if you can do it with very tight coordination across all of your domains of war.
But really there's no (and this sounds so glib of course), substitute for kinetic operations in a war to destroy and have real impact and prosecute the goals of the war.
So, to your question, am I surprised? I don't know if I'm necessarily surprised or not. I think because we are in this new domain, we're witnessing something for really the first time. I don't think it lessens the fact that yes, cyber operations can still be dangerous and still be impactful.
Let's still look back at those particular attacks, not only from Russia, but other nations as well. They can still have real harm against civilian populations. Like people can still be harmed, whether that's from a sort of first degree or second or third order effects. And that I think is again, something that's sort of lost in the debate here.
Jakub: Moving forward a little bit to what we have learned from the war. And it's now been sort of nine months, we've seen sort of cyber-attacks play a big role, perhaps smaller than expected, or at least not as significant as kinetic ones as you mentioned. What are the big lessons that Western powers, let's say, can take from the war?
Lauren: So, I think the biggest lesson, and I'm going to quote here from James Andrew Lewis, from the CSIS, he wrote in a recent paper, “A well-prepared and energetic defense can prevail over offense in cyberspace.”
I think that is huge because the way that Ukraine acted to defend against all these attacks, one of the ministers recently said like, “Look, these attacks are happening, but Ukraine is defending against them. So, we're not necessarily seeing a lot of those impacts in cyberspace.”
I think that has huge implications for other nations. If we can be well prepared and if we can have that sort of energetic defence, that would really change the game.
But for many nations, I don't think we're necessarily prepared at this point to be like that. Ukraine has had years to sort of understand what is happening to them and be prepared.
The work that was done to make data resilient, to pull together the people needed to defend against these attacks and these relationships that were built, not only across with other nations but companies as well. There was a plan, I think that strategic plan came out in 2016 for a way to defend against these particular attacks. So, I think that's one big lesson.
Another thing is there have been a lot of people sort of like, “Well, does this mean Russia doesn't have such capabilities?” No, I don't think that at all. What I do think though is that the training and the sort of use of cyber in a joint construct is really, really crucial to I think have the impacts that planners and operators are seeking. I think that's one of the biggest lessons that we've learned as well.
Jakub: So, looking at sort of the reaction of governments, but I think also turning to the Belfer Center's cyber project, you have the stated aim of deterring non-state actors and terrorist adversaries from conducting attacks in cyberspace. What are the instruments that you can use to deter bad actors? What are the tools that are available?
Lauren: Well, when you're talking about preventing attacks against yourself, there are a couple of things that any person can do. Things like having strong random passwords across your accounts, using multifactor authentication.
But in terms of deterrence, I think for a long time we've really thought about cyber defence, national security and deterrence as kind of more like a military construct or a military function. But I think it's really become clear in the last couple of years, we'll say five years, seven years, et cetera, that it is not just a department of defence or a military function.
It's really on all of us and not just on individuals, but it's also like our domestic structures. It's our states, it's our local governments, it's our federal government. I think one of the biggest aspects of deterrence now especially, is going back to what James Andrew Lewis said, “A well-prepared and energetic defence.”
And then on the other side of it too, is this concept of resilience. And if we sort of accept that, yes, we are experiencing thousands of cyber-attacks a day, but if we can sort of shake those off and not let those impacts really affect us and damage, not only our systems, but our wellbeing, our psyche as well, then we can become more resilient, if we have plans in place to recover from those attacks.
And then also too, you mentioned work at the Belfer Center. While I've been here, I have focused on kind of the whole spectrum of security from international all the way down to how we sort of organize ourselves for defence.
So, I've written a couple of things that look at how we can be better positioned, better postured for that collective defence, how we can sort of come together and share information and basically collaborate. That again, goes towards better defence.
Jakub: So, this might be a painful oversimplification, but do you feel like the war has been a net positive or net negative for cybersecurity of, let's say, Western democracies?
On the one hand, we've had this increased attention, I think there's an increased level of knowledge. Perhaps Russia has shown its hand and its capabilities to a detrimental level for itself or has the sort of the progress because war drives innovation. Have we sort of lost more on that side?
Lauren: Well, to your initial point, I think war is always a net negative.
Jakub: Of course.
Lauren: And I know you're saying, okay, but for cybersecurity (I see what you're saying, I just wanted to make that point), it's been truly horrifying. But in terms of the things that we have witnessed, it's been instructive, basically.
And I think it's sort of ushered in a new reality and a new understanding and a new way of doing things. I think this is probably the first time where we saw conflict where private companies were huge players and it obviously not belligerence, but came to the very quick and decisive aid to Ukraine. Like Microsoft or other tech companies that have helped out and provided information. I think that's been something that we haven't necessarily seen before.
It's shone light on our supply chain security issues. I think given the public sort of a front seat view to understand more of the capabilities and sort of more of the risk. So, in terms of that, I think it's sort of quickly ushered along this sort of new realities for people.
And then taking those lessons learned, I think a lot of people are trying to do that. And then they're sort of pivoting to, “Okay, what can we apply this understanding to what other conflicts are out there? Not only from a defensive standpoint, but also how might warfare look in the future given what we've seen, given what we know now, given the lessons learned.”
So again, always, always a net negative, but definitely very instructive and illuminating things that we've come to understand from the war.
[Music playing]
Jakub: Lauren, thank you so much for that discussion. Truly, really interesting. It's such a fascinating topic to be covering. Thank you so much.
Lauren: Yeah, thanks Jakub for having me on today. Really appreciate it.
Jakub: Thank you so much for listening to Power Lines. We'll see you next week for our regular episode, where we'll be speaking to humanitarian aid worker Fedir Serdiuk about
Anastasiia: It was produced by Bea Duncan, Harry Stott and Talia Augustidis. The executive producer is Sandra Ferrari. The theme music is by Tom Biddle and Alfie Godfrey.