Strategist Six: Chris Painter
29 Mar 2018|

Welcome to The Strategist Six, a feature providing a glimpse into the thinking of prominent academics, government officials, military officers, reporters and interesting individuals from around the world.

As a top US cyber specialist, you’ve seen the internet shrink the world by allowing people to communicate over vast distances. It’s given us access to massive amounts of information and allowed oppressed people to unite and force change. But it’s also used by terrorists to encourage attacks and by nations to steal commercial and military secrets. Overall, has the net made the world a better or a more dangerous place?

Every new technology from the beginning of mankind has been seized upon by criminals and others who have tried to exploit it. For better or worse, the internet was never conceived as a secure platform. Instead it was designed to ensure communication, survive and be resilient. On balance, it’s been a tremendous force for good in terms of social interaction, global communication and economic growth. So even with the mounting threats, I would definitely say it has made the world a better place.

However, there’s a wide range of threats and threat actors in cyberspace, including criminals, terrorists who predominantly use the internet to communicate and plan and some nation states who cause disruption and steal sensitive commercial and other information. Cyberspace is also a new domain of warfare where over 100 countries are developing offensive capability. We’ll certainly see these capabilities employed as part of a traditional physical conflict but, as recent cases like the destructive NotPetya worm attributed to Russia illustrate, we’ll also see them outside traditional conflicts. Yet, we don’t have a good idea of what escalation is in cyberspace, what are the bounds of acceptable state behaviour and what the consequences might be if those bounds are breached. We need to work all of those things out.

The US and Australia have been in the vanguard of advancing an international stability framework for cyberspace. That framework includes applying existing international law to cyberspace, getting consensus on certain voluntary norms (or rules of the road) for responsible state action, and transparency and confidence-building measures such as hotlines to help dial down the chances of misperceptions and avert escalation. There has been good progress in promoting this framework but we also need to be better at deterring bad conduct in cyberspace. There have to be timely and credible consequences for bad actors. That means enhancing our law enforcement capabilities and going after more criminals and locking them up to make clear there’s a cost for their actions.

It also means we need to be much better at imposing consequences on disruptive nation states. We must act collectively with like-minded countries, see what tools we have to deter a potential adversary’s behaviour, and be willing to use them. There’s a lot left to do in this area. For example, we still need to explore how existing international law maps to cyberspace, further articulate and gain wider acceptance of voluntary norms and improve collective response.

This work will involve governments, the private sector and civil society. Recently, for example, the Global Commission for the Stability of Cyberspace put forth a proposed norm that stated that state and non-state actors shouldn’t take actions that substantially disrupt the general availability of the global core of the internet.

If we hope to make real progress combatting the threats we face and seizing on the opportunities that cyberspace provides, we need to get away from thinking that cyber is this boutique, technical policy area and ingrain it in how we think about national security, economic security and foreign policy.

Where are we going with the internet?

We’re not going to go backwards. It’s not a genie you can put back into the bottle. The web is intertwined with everything we do and it’ll continue to evolve and become more useful. You’ll also have more sophisticated attacks and attackers because of that dependency. We’ll be in a cat-and-mouse game to an extent. There’ll be lots of innovation.

Those who are intent on doing evil or using it for their own purposes will find more sophisticated ways to do that. We’ll do what we can to contain the threats because, ultimately, we have the platform to do good things.

The technology that’s allowed us to communicate worldwide and enabled all this social interaction can also be used by more repressive countries to monitor and control their citizens. There’s a range of challenges that extend to cybersecurity, human rights and how the internet itself is governed in the future. Now that it’s become such a big deal, the natural instinct of many states is to want to control it. We need to be vigilant in ensuring wide participation by all stakeholders to ensure that this technology continues to evolve and thrive.

Can it ever be completely controlled by anyone or any state?

I don’t think so. You can imagine scenarios where states try to control their piece of the internet. That obviously undermines its global nature and its value to commerce and other things it enables. There’ll be challenges to the architecture of the internet itself but it would be very hard for any one government to control it. But that doesn’t mean there won’t be governments that try.

Have we reached a plateau or will we continue to see the same technological leaps in the cyber area as in the past, and what are your main concerns about the internet and computing generally?

In terms of sheer computing speed, people have often said it’ll slow down because it’s reached its practical limits with the size of circuits. But circuits keep getting smaller—down to the atomic level—and faster and more capable. Every time we think it has reached its limits, someone thinks of new things like stacking chips on top of each other. It hasn’t slowed yet. I think innovation and advancement will continue to accelerate.

Quantum computing could bring a vast increase in capability. In addition, there will continue to be great innovation in terms of the architecture of the internet and the applications that run on top of it. I don’t know what the next big leap will be but I’m confident something will happen.

There are a lot of tensions built into the internet. Obviously it would be useful to have easy attribution of internet traffic to go after bad actors, but that’s bad for human rights and privacy so you have to find middle ground. You have a lot of new things coming on line, including the internet of things and the promise of everything from self-driving cars to autonomous health systems. That’s great and can lead to amazing innovation, but if security isn’t built in as we’re doing this, they could be vulnerable to attack and the results will be physical as well. You won’t just lose your information but something bad may happen in the physical world—including critical infrastructure disruption. I worry about that.

The other thing I really worry about, and this doesn’t get a lot of discussion, is how we preserve the integrity of information. We worry about data being stolen or deleted but we don’t talk enough about what happens when data is made unreliable by a bad actor. For example, if someone gets into your health records and changes your blood type so that the next time you get a transfusion you die, that’s certainly more serious than not being able to access a webpage because of a distributed denial of service attack.

Much military equipment relies on satellites. Could a cyber attack render that inoperable?

Anything that relies on computers and computer networks is potentially vulnerable if the right precautions aren’t taken and protections implemented. Militaries need to be cognizant of how dependent they are on systems that ride on the back of networks—secure networks but also just networks. What would they do if they were unavailable? Some militaries try to train for that—a day or a week without cyber.

We need to be keenly aware of how dependent we are. What’s our resilience? What’s our bounce back? Attacks on critical infrastructure may be low in their probability but high in their impact if they happen.

Many people haven’t done the basic hygiene they need to in order to protect themselves and that’s a problem. You can do basic things to protect yourself from most intrusions and attacks. Even when you do that, there are still the dedicated, usually state, actors who can use tools to try to get into your system. But that allows those protecting systems to focus on that smaller set of actors and their tools.

How concerned should we be about advances in artificial intelligence? Are machines going to take over?

There are different camps on this. I think AI, as it’s now constituted, is very helpful. Machine learning and the like can lead to great advances. The dystopian movie view has AI with human characteristics and taking over everything. I suppose that’s a possibility but I don’t think we’re anywhere close to that and we can take precautions. I tend to take a more optimistic view. I don’t think we should shy away from exploring AI because it has so many benefits. Who knows what the future will bring but I don’t think it’ll be a binary thing where suddenly, one day they’re running us.