U.S. Embassy Tokyo: How the Biden Administration is responding to the growing cybersecurity threat

U.S. Embassy Tokyo: How the Biden Administration is responding to the growing cybersecurity threat

Show Video

JOSHUA GONZALEZ: Good evening, everyone. Thank you so much for joining us today. My name is Joshua Gonzalez and I'm the Assistant Cultural Affairs officer at the U.S. Embassy in Tokyo. I'm delighted to be joined this evening by Dr. Adam Segal as

well as economics officer, Tiffany Wu will moderate tonight's discussion. Before we begin, I have a few housekeeping items that I need to take care of. So please bear with me as I go through this list. First and foremost, tonight's session will be recorded and it is on the record. There's also English and Japanese simultaneous interpretation.

So if you look at the bottom of your screen and check out that functionality you can select which language you'd like to listen to tonight's program. And captioning for today's program is also available through the talk app or in your web browser directly. Instructions for connecting were sent prior to tonight's session and they can also be found within the chat box.

I would also like to remind you all that [INAUDIBLE] is not an employee of the U.S. Government. So his remarks and expertise do not represent the official policy of the U.S. Government.

Following opening remarks and presentations, we will open up the session for your questions and answers. We invite you to submit your questions throughout the session within the Q&A box. Please excuse me.

Do not use the chat box to submit your questions. Only the box at the bottom that is labeled Q&A. And you can also submit those questions anonymously.

Additionally during today's program, we will be conducting audience polling and we encourage you to participate. This is also completely anonymous. So now I would like to invite all of you to engage with us in some audience polling.

This helps us to understand who's in the audience and what you may or may not know about this particular topic. The polling questions should pop up on your screen now and your answers are completely anonymous. So once again we encourage you to participate. We'll give you a few moments to answer.

All right thank you all for your answers. We're going to end the polling now. So it seems like what people thought was the greatest obstacle to Japan's ensuring greater cybersecurity is a shortage of human resources. And also that the majority of you are mostly concerned about cybersecurity attacks that disrupt critical infrastructure. All right.

So without further ado, I would like to introduce the moderator for tonight's program. Tiffany Wu, an economic officer in U.S. Embassy Tokyo's environment science technology and health unit. She covers issues such as cybersecurity, economic security, and export controls.

She received her MS from Northwestern University in predictive analytics, NBAs from the University of California in political science and history specializing in U.S., East Asian Affairs. So without further ado, over to you Tiffany. TIFFANY WU: Thank you, Josh. And hello, everyone and welcome to our participants. My name is Tiffany Wu.

Thank you for joining the U.S. Embassy's program for Cybersecurity Awareness month. This is when we raise awareness on cyber threats and learn about ways to secure and protect our internet connected technology and networks. We recognize the importance of these issues because any disruption or dysfunction to our critical infrastructure can put our national security and our everyday safety at risk.

Japan is home to one of the world's most technologically sophisticated societies. As such, we share a commitment to bolster our collaboration and to address increasingly complex cyber issues. To highlight the U.S. Embassies efforts to strengthen

bilateral and multilateral coordination on cybersecurity challenges, we are pleased to present to you this virtual discussion with Dr. Adam Siegel. Dr. Siegel is the Council on Foreign Relations, IRA A Lipman chair in emerging technologies and national security.

And the Director of the digital and cyberspace policy program. During his talk, Dr. Siegel will discuss how the threat of cyber attacks from nation states is evolving and will look at the Biden-harris administration's domestic and international policies to reduce the risk and to build resilience. Dr. Siegel, we are looking forward to your remarks. Please begin. DR. ADAM SIEGEL: Thank you, Tiffany and thank you

all for joining us tonight. I'm looking forward to the conversation. Of course I would rather be there in person but I'm sure we are going to have a good discussion. All right so what I'm going to do today is talk a little bit about how the Biden administration sees the threats from cyber and broadly how I think about cyberspace and what we would call great power competition in cyberspace.

I'll talk a little bit about how we got here and what in particular happened under the Trump administration. And then I'll move into what the Biden administration is thinking on a domestic and international policy front. And then I'll try to end with some thoughts about what might come next and what the most likely developments are in the future. So how do we think about cyberspace and cybersecurity and cyber conflict? And I think we can think of several trends that are happening in this space. And it might be useful to think about cyberspace as having 3 levels.

A hardware level, a software level, and an information level. So the hardware level of course is all of the routers, and networks, cables, that the data travels over. The software is the programs we use to store data, transfer data, and speak to each other. And then the information or the identity is kind of what we learn, how it affects our decision making, how we present ourselves in cyberspace. And all of those levels, all 3 levels are susceptible to hacking or susceptible to attacks. And we've seen them all targeted by criminal and by nation state attackers.

What we're seeing in this space most recently is a merging of the physical, the digital, and the biological. So all these systems are coming together. And so it really doesn't make a lot of sense to speak about cyberspace as something separate from our real lives, our everyday lives.

And in fact, increasingly what happens in the digital world affects us in the physical world. And to some extent moving forward in the biological world as we have internet enabled medical devices and use large computational computers programming to help us solve biological issues. Now the clearest sign of this signal of this is in the internet of things, the growth of billions of devices connected to the internet. Everything from our ovens to garage door opens, to self-driving cars. And what of course, this does is increase our vulnerability immensely.

So now many more targets that can cause much more disruption and destruction. Now one of the other characteristics of cyberspace is that the cutting edge innovation and the agencies and organizations pushing the envelope on technology are not in the U.S. government, are not in any government, they're in the private sector. It's big tech startups, other new firms that are constantly innovating in this space.

And so governments are really both always kind of one step behind on what the technology envelope is. The frontier is. And dependent on the private sector both for access to those technologies and for in many cases, help deploying and applying them. Another thing to think about in cyberspace is that attribution is hard but not impossible. So if we think about attribution, the ability to say who was behind an attack, a cyber attack.

10 years ago a talk like this would have said that attribution was almost impossible. That the attacker could hide where they were coming from. They could route an attack to numerous networks. And it would be very difficult to know who is behind an attack. But that is really no longer the case.

We've seen that countries and companies not only have significant digital forensic capabilities. That is they can look at the code or the infrastructure that the hackers are using to help trace back where the attacks came from. But they also rely on other types of intelligence in particular signals intelligence or human intelligence.

And so governments can put all of that together and increasingly they can say an attack came from country X. It probably came from this unit or this agency. But what governments can't do is say who ordered the attack or who's responsible for that attack or which authority decided to do it. So you can get very close to saying where it came from but perhaps not who is ultimately responsible. The decision though to attribute in many cases is political.

So governments often have a lot of ability to say who was behind an attack but choose not to make it public for political reasons. Either because the attack was too damaging or they have no good policy responses, they have other assets or interests with the country that is behind the attack that they are I think right now are more important. And so not every case gets attributed even if the governments are able to.

And also these capabilities are not evenly distributed. You have to have some significant intelligence collection capabilities. We've seen that the United States and its 5 eye partners.

So the United Kingdom, Canada, Australia, and New Zealand have been the most willing to attribute. Although in April of this year Japan national police commissioner for the first time independently attributed an attack from China. But lots of other countries have a significant drop off in those capabilities. And then finally for the U.S. And for others who promote an idea of a free and open internet, it is much harder to defend their cyber spaces and focus on security than for countries like China and Russia that are promoting the idea of cyber sovereignty. The idea that every nation state has the ability to control and limit what goes on in its cyberspace.

So there's a tension between how the U.S. Describes cyberspace as a kind of global open platform and national interest. And the same goes with supply chain risks. From a globalization perspective, it makes a huge amount of economic success to break down supply chains, move them around to where they are most efficient, and create interdependence between economies. But that of course, raises the risk to those supply chains significantly.

So thee is a tension between global and national interests. What we see in cyberspace and how the great powers or the major cyber powers have been acting in this space. So it's important to think about what type of attacks. So the press and the media often say cyber attacks or cyber war. But I think it's important to think about what we've really seen.

And the vast majority of those attacks are espionage. So the theft of data either for political and military reasons or for industrial espionage. The vast majority, as I said before of attacks are our spying or espionage. We have seen attacks that are disruptive. So knock a website offline or interfere with the operations of other networks.

Ransomware attacks would fall into this category. In that category of courses is of rising. Just those disruptions can spill over into the physical world. So we've seen with ransomware attacks at hospitals they have to send patients to other hospitals because they cannot do schedule surgery.

But for the most part, these really are dealing with data and don't spill over into the physical world. Destructive attacks are attacks that would cause actual physical destruction and perhaps death. And here we've really only seen a handful of these attacks and one very notable attack which was the U.S. and Israeli operation known as Stuxnet or Olympic games against Iran's nuclear program and the centrifuges at Natanz. Those attacks caused the centrifuges to speed up and speed down and eventually destroy themselves.

They caused physical destruction. The only other attack that might fall into that category were Russian attackers turning off the power in Kyiv in December 2015 and 2016. Again no physical destruction but you can imagine that not having power in December in Kyiv is rather uncomfortable and dangerous.

And then finally, what we would call information operations. So a lot of what we see on social media, on Twitter, on Facebook either presenting yourself as someone you're not. So Russian hackers saying that they are the Republican Party of Tennessee or other attacks that try to sow, discord or spread disinformation or misinformation. I mentioned that there is this tension between cybersecurity and information security. So cybersecurity is generally how the U.S., Japan, and other democracies describe this threat.

So as I mentioned attacks on hardware, software, and information. And information security is often the phrase that's used in Russia, in China. And these are countries that are also concerned about how information is going to be used domestically. Will it enable protesters? Will it strengthen social organizations, social movements? And so there's often a kind of 2 sides talk past each other as they try to address different problems. Now what we've seen over the last 3 to 5 years is that state actors are not just trying to target defense industry base or government agencies. They often go after private companies and non-government networks for political purposes.

You may remember that North Korea hacked into Sony because they did not like the movie and its mocking of the Korean leadership. But also attacks in some cases have become increasingly indiscriminate spreading to many, many networks. As what happened with WannaCry which was ransomware that came from North Korea and NotPetya which was a Russian attack on Ukraine that then spread very widely.

An increasingly worrying trend is the reliance on criminal or proxy groups for hacking. This of course, makes the attribution problem more difficult. You can trace it back for example to China or Russia but you can't say if it was the government behind it or the attackers, the hackers were acting out of their own interest.

Russia seems to be the big power that relies most on these groups. It is kind of assumed that in Russia hacking groups as long as they don't target Russian networks and institutions operate fairly freely and in some cases cooperate with Russian intelligence agencies. And the U.S. Government has recently said that China has begun to rely more on criminal groups as they hack and attack other networks. And then finally commenting on the polling that everyone did at the beginning here, we certainly see these groups probing critical infrastructure.

Russian Chinese, North Korean, and Iranian groups have all been seen in critical infrastructure with varying degrees of sophistication and success. They seem to be preparing in case they have to do a destructive attack. So you can imagine for Chinese policymakers, the idea would be if there is a significant escalation of tensions in the South China Sea or in the seas around Japan or in the Taiwan Straits and you have perhaps kinetic event, Japanese Naval vessels colliding with Chinese Naval vessels or the U.S. Navy with the PLA Navy, that the Chinese would want to be able to send a signal to Japan or to the United States.

That the conflict would not just be over the water or not just be near China and might want to for example flicker the lights in a major city. And you have to assume and I do assume that the United States has the same capabilities that it is in the same types of network in China and other potential adversaries. But that clearly creates a situation where both sides have significant vulnerabilities and abilities to threaten each other.

So under the Trump administration, I would say we saw 2 real large significant developments about how we think about cyberspace. And one of them really is that the idea that cyberspace and technology was kind of a force for good. Is a kind of a sense that came out of the Arab revolution, the Arab Spring, and an enthusiasm and optimism about how these technologies would energize activists and strengthen Democratic governments and really threaten authoritarian governments. And that I think has really changed dramatically certainly since the 2016 elections in the United States. I think there's a much more skeptical view about technology and the technology companies in particular. And that kind of view about cyberspace as being a common good I think has really disappeared from U.S. policymaking thinking.

Second, there is a sense that defense is not enough in cyberspace. And in particular the idea that you can deter the attacks has really fallen out of favor. So of course in the conventional world of the nuclear world we rely on deterrence. The idea that if a potential adversary knows that they will be punished or we hold significant things at risk, they are unlikely to attack or follow through on actions that are threatening on U.S. Or others interests.

And you do that by demonstrating your own capabilities, by clearly stating what the red lines are. And what we've seen in cyberspace is that there doesn't seem to be any deterrence. That at least above what we would call the use of force or an armed attack in international law. So there have as I said only been 1 attack that has caused physical destruction. So I think there is a type of deterrence that holds in cyberspace for those types of attacks.

Like China and Russia, the United States, they think about attacks that caused destruction differently. They exercise self-restraint and have not used those attacks because there is a type of deterrence in place. But for everything below that which as I mentioned is the vast majority of attacks. So espionage and disruption, there is no deterrence. The deterrence doesn't work. And so defense doesn't seem to work either because the attacker seems to have the advantage and can always get into the networks.

And so under the Trump administration, you had the view that the best defense was offense. You need to disrupt the attackers before they ever arrive at U.S. Networks. And that became known as defend for it or persistent engagement. So cyber command adopted new guidelines for how it will operate. And it would think about defending forward which means again, disrupting the networks that the attackers use ever before that they reach U.S. Networks. 2 policy changes in particular also helped that the National security policy memo 13 which basically revised an Obama administration decision that the President would have final say over all cyber attacks that could cause significant damage.

So it was very tightly politically controlled and the President had to weigh all the potential costs and benefits. NSPM 13 pushed those responsibilities down to the combatant commanders. So the commanders in the Pacific command, central command and other places that had to make decisions about how to use those weapons. And made them of course, more likely to be used.

And then the 2019 national Defense Authorization Act, also known as the John McCain act explicitly stated that cyber command could conduct operations against China, Russia, DPRK, and Iran when they were conducting operations that threatened U.S. interests. We don't know a lot about what defend forward or persistent engagement looks like. The leaks to the press have suggested operations like taking down the Internet Research Agency in St Petersburg, which is where Russian trolls and other information operations are. For perhaps a day or 2 days so making it hard for them to log into their computers or knocking down their servers. Cyber Command around the election in 2018 sent texts to Russian operators who were involved in these information operators saying we know who you are. Don't do this.

So they don't seem to be at least in the public reporting very significant operations. But we have to suspect that other things are going on. That are probably more disruptive of what Russian Chinese or other operators are trying to do. In 2015, you may remember under a lot of pressure from the U.S. government, the Chinese agreed to a statement

that they would neither support nor tolerate the cyber enabled theft of intellectual property or business secrets. President Xi and President Obama stood in the Rose Garden and both sides agreed to that. And in that first year after 2015, we did see a decline in Chinese cyber attacks.

The Chinese went off and signed similar agreements with the United Kingdom and Australia. They signed a norm against cyber industrial espionage at the G7 and the G20. But after that year the attacks came back.

They started ticking back up. And what we saw was a kind of a change of targeting. The Chinese hackers before 2015 had really been known as of indiscriminate, knocking on every door seeing which ones were unlocked and not being particularly stealthy in their operations. They often seem to care if they were seen or caught. After that, what we saw was that the Chinese became much more selective in their targets. Their tradecraft became better.

They improved. They became much, much less likely to be caught. And they went after targets that gave them greater access to a whole range of targets.

So cloud providers and other IT services that allowed them to begin to see other targets. We're not exactly sure why the decline happened in that 1 year. Some at the time assumed it was U.S. government pressure. The Obama administration made it fairly clear that they were preparing sanctions against high level state owned enterprises and some high level Chinese leaders. And people at the time believed that that's what got the Chinese government's attention.

But it also looks like during that year the Chinese government intended to reorganize their cyber forces anyway. So they essentially created a new cyber force inside the PLA and shifted some espionage responsibilities to the Ministry of State Security the MSS. And so they were probably expecting a year where they had to slow down the pace of operations anyway. But that is kind of an open question. What we also saw under the Trump administration was the growth of joint attribution. So the U.S working with its partners, the 5 eyes, Japan,

Netherlands, others to call out Russian Chinese and North Korean activities. Often these were accompanied by sanctions on either the hackers or the agencies that were said to support them. And finally, we saw private sector, private companies actors and civil society becoming more active in this space. In promoting their own rules of the road or ideas about how cyberspace should be governed and cyber security should be governed.

And in particular this happened because discussions at the UN and in particular at a group known as the group of government experts on information security bogged down. There was a kind of impasse about how to move forward on those discussions. And so governments did not seem to be making progress in this space. And so you saw companies like Microsoft talking about the idea of the need for a digital Geneva Convention. So Microsoft cooperating with the French government on what was known as the Paris call which now includes several of hundreds of companies and tens of governments.

Although not the United States have signed on to some of those norms governing that space. So let's talk a little bit about what the Biden administration has done and what its concerns are. And really the first and most clear is just personnel.

The Trump administration got rid of the cybersecurity position inside the NSC, the National Security Council. And it of course at one point Trump was kind of battling with its own agencies about Russian interference in the elections. He eventually fired Chris Krebs, who was the director of CISA, the cybersecurity Infrastructure and Security Agency.

And so there was a real sense outside of the Trump administration that Trump White House was not taking cybersecurity particularly seriously. And so I think in one way to demonstrate how important it was to the Biden administration, they named 3 individuals with a very, very long history in the space and were highly and are highly respected outside the private sector. So Anne Neuberger who has worked at the NSA for quite a long time was named a new position, the Deputy National Security advisor to the President for cybersecurity and emerging technology. Jen Easterly who had been very involved setting up the U.S. Army's Cyber Command as well as the NSA and spent time with private sector was named to the head of CISA.

And then Chris Inglis who had been at the NSA as Deputy director was named head to a new position, the National Cyber director. Now the National Cyber director as I mentioned is new. It was recommended by what was called the Cyber Solarium Commission which was a congressional commission studying cybersecurity and coming up with 40 plus recommendations for the government. And was created by the 2021 national Defense Authorization Act.

And it's pretty clear that the Biden White house didn't want this position. They didn't really know what it was going to do and what its responsibilities were. And it also because it requires Senate approval meant more congressional oversight.

So they didn't really want the position although they named as I said incredibly qualified and capable person in it. But right now people are still not sure how the responsibilities between the NCD, the National security advisor and the director of CISA are going to be divided. And there is some fear that you have too many people responsible that things will not get done. The NCD in the legislation has no operational responsibilities.

They can't make anyone do anything. Right. The legislation says they can recommend, they can suggest, they can oversee but they don't have the authority to make anyone do anything. And Chris Inglis in his public appearances has talked about how the 3 of them are going to divide the responsibilities and much of that comes down to the personal relationship of them speaking to each other all the time. But he's essentially said that the NCD's responsibilities are primarily inside cyberspace.

And that Anne Neuberger in the National Security Council will concentrate on responses that are outside of cyberspace. So for example with something like SolarWinds which was the alleged attack from Russia on the supply chain, that breached tens of U.S. government agencies and probably hundreds of U.S. Companies, Inglis would take the mobilization of resources inside of cyberspace.

So federal resources inside of cyberspace. And Neuberger would be in charge of things as well as sanctions or discussions with Russia. So it's kind of the diplomatic tools on the cyber side. We're waiting for the full budget.

But this year it was 21 million. Right now the staff I think is below 10 but they're hoping to go up to 75. 2 other institutional innovations are on the table for the Biden administration.

The first is a cyber safety review board which is similar to the National Traffic Safety Board. So the idea that after a major cyber event, you could have investigators come, public discussions, and that would help information sharing and others learn about the attacks and prepare for the next attacks. That is going to be inside of the DHS, the Department of Homeland Security. And then there's the idea of a Bureau of cyber statistics. So one of the big problems with cyber attacks is we just don't have a full picture about how many are victims. For example on ransomware how much ransomware is paid, how often they happen.

And so being able to have a much clearer view of the statistics, to be able to standardize them across types of attacks and different sectors would all be very important. I think people think to creating incentives for industry and others to improve cybersecurity. On the domestic side, the President issued an executive order in May of 2021. That's primarily focused on federal cybersecurity and ensures a lot of kind of basic hygiene including multifactor, authentication, endpoint detection and encryption. It employs a zero trust security model and accelerates the move for government agencies to secure cloud services. It includes a breach notification requirements for contractors.

So they must tell the U.S. government about any incident that happens. It is focused on supply chain security and what's called a software Bill of materials. So the ingredients in some extent of the software, the different components of software should be transparent and purchasers should know what's inside that which will help them make security decisions. And then this, the National Institute of Standards and Technology is beginning to develop a labeling system for the internet of device things.

So consumers know how secure they are which is something that Singapore has begun to do already when you make your buying decisions. In July 2021 there was a national security memorandum on critical infrastructure. And here again the desire is to get more transparency and more reporting from critical infrastructure and to ensure specific cybersecurity performance goals for critical infrastructure.

But already we've seen some pushback. So last week, Secretary Mayorkas announced new guidelines for railways, subways and aviation to the transportation sector. And not 6 or 12 hours after, those companies in those sectors released statements saying they already did everything the DHS was asking for them and they didn't see the need for new guidelines. And then finally there's a task force inside the U.S. government on a ransomware that's trying to coordinate a series of offensive defensive measures for reacting.

On the international side, ransomware has been I think the primary focus. We've begun to see the administration thinking about how they can disrupt the actors. Much of this is focused on the financial side, right.

On the Bitcoin payments. So in June of 2021 after the ransomware attacks on Colonial pipeline, the FBI managed to track those payments and seize more than half of it. The payment that was paid to the hacking group DarkSide. And I suspect we will see that moving forward. More use of tracking and other intelligence abilities to find who are using Bitcoin. And then in September the Treasury Department imposed sanctions on a Russian cryptocurrency exchange and we know your customer requirements for cloud services and others who are sometimes host to hackers.

So again we're going to go after, I think the U.S. government is going to go after the infrastructure of the payments. Just last week there was a virtual summit in the White House on ransomware that involved 30 countries. The focus was on resilience, crypto coins, law enforcement disruption and diplomacy.

And in the summit between President Biden and President Putin in Geneva, the U.S. government gave Russia a list of 16 critical infrastructure sectors that it said should be off limits to ransomware attacks. The process at the UN has kind of been re-energized. There are now 2 groups discussing this.

Some of the norms and the rules of behavior. One of them as I mentioned is the group of government experts and the other is a track that the Russia supported is the open ended working group. These groups have managed to agree that international law applies in cyberspace and have begun defining some of the norms that should guide behavior. Right now those norms I would say don't constrain states very much.

They include the norm of State responsibility. So you should take responsibility for attacks that come from your territory, a norm of assistance. So if your neighbor is attacked you should provide assistance that they ask for it.

A norm against attacking computer emergency response teams, CERTS. So kind of a similar norm to prevent protecting the Red Cross or other medical services. And then a norm of non-interference in critical infrastructure during peacetime. Now those words were all chosen very carefully. Noninterference means that you may be allowed to hack into the critical infrastructure and kind of map it in preparation for a more disruptive attack.

But as long as you cause no disruption while you're doing that, if you don't interfere with the networks that would in some ways not violate that norm. So it allows those operations as long as they don't interfere with the critical infrastructure. But there is hope that those 2 groups actually will be unified and we'll go back to one process as opposed to having 2 competing processes. I think the Biden administration has and will continue to use joint attribution. So again, working with the 5 eyes, Japan, the Dutch and others in calling out Russian Chinese, North Korean, and Iranian actors and hopefully developing more targeted sanctions that might have more effect. And then there will be a large and is a large reliance on the United States' allies and partners and a lot of discussion of technology alliances.

So the quad, the U.S., Japan, India, and Australia has a cybersecurity working group. And so I think we'll focus both on technological exchanges as well as working on these rules of behavior and international forum. And the U.S.-EU trade and technology council also has a cybersecurity discussion that will probably focus on supply chains and other areas.

So let me just conclude with some thoughts. And I'm sad to say that I've never ended a cybersecurity talk on a optimistic note I'm hopeful that things are getting better. Unfortunately things seem to be going much in the same direction that they will continue to pretty much be the same. But right now we've seen no sign for example, that Russia is going to take the ransomware problem very seriously or restrain the operators there. And so U.S. and others may make some progress

on the financial side in disrupting some of that infrastructure but certainly in the short term I think we can expect to see the attacks go up. And the larger issue is that right now the benefits for nation states of using cyber means to pursue interests are just too high. That they manage to pursue their interests with very, very low costs. And so there's really no reason to stop. And that I think will continue for quite a while.

But what we're seeing and what we will continue to see I think is a continued fragmentation of the internet. Or as both the U.S. and China compete over technology stacks, where they're made, where the data is stored, and we see lots of countries thinking about data localization, supply chain security, offshoring and offshoring for national security reasons. So the future is not going to be the internet as a global platform but one that's increasingly fragmented by national security concerns. I will stop there and I look forward to our discussions and questions at the end. TIFFANY WU: Great.

Thank you so much Dr. Siegel for those remarks. We can see that the environment for cybersecurity has been evolving. I would like to now turn to our audience for the question and answer session. Please go ahead if you haven't already, go ahead and write your question in either English or Japanese is fine into the box that's labeled Q&A. So we have about 20 minutes for a question and answers and we would like to address as many of your questions as possible. So let's start off with kind of one of the hot topics of the day cryptocurrency.

Dr. Siegel, so cryptocurrency tends to foster crime more so than normal traditional currency. What do you envision? What kind of rules do you think will be developing as it pertains to cryptocurrency? DR. SIEGEL: So yes. I mean, I think that's right. There's certainly an increasing concern about the use of cryptocurrencies. And ransomware in many ways would not be as lucrative and it's possible without the use of cryptocurrencies.

And what we're seeing is both a development of kind of the technological capabilities to track what is generally thought of as an anonymous currency but with the right capabilities can be tracked back to individuals. But I think on the regulatory side we're seeing greater demands on cryptocurrency trading platforms of know your customers. That they are going to be held increasingly responsible for hosting or allowing ransomware groups to use their platforms to trade in and out of those cryptocurrencies.

And so as I mentioned, the sanctions against the Russian platforms OX I think are a signal of what's coming. And certainly within the U.S. and other liberal democracies that's going to be greater demand on those platforms to know the customers and to ensure that ransomware groups are not exploiting it. TIFFANY WU: Great.

Thank you so much. We also have another question. Are there specific sectors in which you think that the United States and Japan can cooperate more on? For example sectors such as manufacturing, health care, and education have the lowest cybersecurity immaturity. DR. SIEGEL: Yes. I think those are 3 great examples of where the U.S. and Japan can cooperate.

I think certainly coming out of the Olympics where Japan did such a good job of defending and coordinating across agencies. There are certainly probably lots of lessons learned for Los Angeles and other venues in the United States moving forward. I know that there are numerous ISACs, so information sharing and analysis centers on the U.S. and Japan side that are already engaged in sharing information and threat intelligence. So I think those are 3 great examples of as you said kind of sectors that are online, that probably do not have the best cybersecurity but can help each other out as they address the threats. TIFFANY WU: Great.

And earlier, you also spoke about multifactor authentication. So one of our questions is what percentage of companies in the United States with more than 1,000 employees, so we're talking about bigger companies. What percentage of those bigger American companies have adopted multifactor authentication or EDR? DR. SIEGEL: Yeah. I'm sorry I don't have that specific data point. My sense is it's probably most of them.

But I don't have that data. TIFFANY WU: Not quite specific. We know that you're very knowledgeable. [LAUGHTER] Don't worry.

And also, we have a question about how do you ensure transparency in cyberspace owners and companies by using laws and institutions? DR. SIEGEL: Yes. I think that's been a major problem especially for the U.S. where there has been significant pushback against cybersecurity regulations because of concerns about blocking innovation or redundancy or creating a bureaucratic or other regulatory burdens on the companies. But I do think we've kind of reached an inflection point. And as I mentioned, the Biden administration one of the things the executive memo did was require it for government agencies and government contractors which is a big push for it. So anyone who does any government work now has to report a breach within a certain time period.

For the private sector, broadly the requirement has often been fairly vague. So under the SEC, Security Exchange Commission you're supposed to report breaches that have a material impact on your business. But companies with lawyers often describe ways that the breach did not have a material impact and so don't move forward. There are breach notification laws for certain types of hacks. So anything that involves private personal information generally has to be reported depending upon certain state level government laws.

There is a hope that we will get a national breach law fairly soon that's been introduced in congress and seems to have some support. So the short answer is I think we're going to have increasing regulation specifically of critical infrastructure requiring notification of when companies are hacked. TIFFANY WU: And so now turning to kind of a more international perspective, what are your thoughts on the development of international standards covering the area of cyber operations such as ongoing efforts by NATO? And will it help make cyberspace more peaceful in the future? DR. SIEGEL: So before I've been optimistic

and then I've been pessimistic. And now I'm slightly more optimistic. So I was optimistic as I mentioned in the beginning stages from 2015 to about 2017 we saw significant progress in these discussions that were happening in the United Nations that the group of government experts. We saw China, Russia, United States and others agree that international law applied in cyberspace. That the UN charter applied in cyberspace. And we had a discussion of about 11 norms that the signers of these consensus reports agreed on.

But then the progress bogged down and did not reach an agreement. Did not reach consensus on a report in part because the U.S. said, well, we've all agreed on that international law applies in cyberspace. Let's start talking specifically about how it applies.

And in particular, we want to know about the laws of self-defense and non-interference and how we might respond to cyber attacks. And Cuba and China and Russia and others didn't really want to have those discussions. And so that's why we saw the split between what's known as the UN group of government experts and the open ended working group. But the open ended working group this year basically adopted all of the norms and agreements inside the GGE. From what I've heard the U.S. and Russia want to basically get the track together again.

They want to have one process. So I think through UN discussions, we are slowly making some progress on some of the norms. Now part of the problem is that do states follow the norms? So I mentioned that the norm of State responsibility is one in the group of government experts and it seems clear with ransomware at least that the Russian government for example, is not doing as much as it could on that norm. But one of the main problems is that states aren't very transparent in this space. We don't really know what operations states do.

And without them publicly saying we conducted this operation, we think it's justified for these reasons, it's very hard to develop international law further. And so to that extent, I think it's going to be fairly slow. And as I mentioned at my conclusion, right now there's not a lot of reasons why states would restrain themselves in this space. It's mostly espionage. And espionage traditionally hasn't been controlled or restricted by international agreements.

TIFFANY WU: So to those challenges in the international community, what are your thoughts on the international community and what they have already done already to develop international norms on cybersecurity through organizations such as the UN, OEWG? DR. SIEGEL: Yeah. So I think there is a continued interest in using those institutions. I think there's a proliferation of institutions that are involved in this space. We mentioned the UN and the GGE. I talked about the private sector, so Microsoft and others. There are regional discussions.

So for example at ASEAN, at the Asian regional forum. Japan, South Korea, the U.S. and others are discussing regional developments of the norms. The OSCE in Europe is involved in some of these norms discussions.

So I think there are lots of forum and I think there is a hope to kind of clarify what these norms are. As I mentioned again, I just think it is difficult without the major state to conduct these operations. China, Russia, the United States and others being more transparent in clearly stating what the justifications are for those operations. That really I think holds the development of these rules back. TIFFANY WU: Great. So now let's turn the conversation over to a little bit more Japan focused.

What do you think is the role that is expected particularly for Japan in the context of international collaboration? DR. SIEGEL: Well, I will I'll speak about what I think the U.S. government hopes for Japan, not expects. I think certainly in the framing of the free and open indo-pacific, the United States expects to work with Japan on promoting these norms of behavior that we've discussed through the UN, GGE and other places.

The view of cyberspace is global, open, inter operable. I think the U.S. hopes to continue close cooperation on threat intelligence, sharing and information sharing on shared concerns about cyber security chain and technological development.

I think Prime Minister Abe had an effort to promote an idea about free flow of data with trusted partners or free trusted flow of data. I can't remember the exact phrasing of it. But I think those types of initiatives, the U.S. would hope that Japan would play a greater

role promoting its vision about how these technologies should be governed. I mean Tiffany, as you said in your introduction, given the recognition of Japan as being such a technologically and digitally advanced society, the norms and rules that Japan implements and promotes have I think a particular weight on the global discussion. TIFFANY WU: And there are some of those who feel about Japan's cyber capabilities are not to that of the U.S. And that the Japanese government has been reluctant to develop offensive capabilities in cyberspace or in cyber defense.

There has also been the discussion among certain Japanese politicians of Japan joining the 5 eyes to share intelligence in order to counter cyber attacks. Can you speak a little bit to what do you think are the merits, the setbacks, the challenges for Japan to join and the responsibilities required for Japan to join the 5 Eyes. DR. SIEGEL: Well, I think one of the big issues or constraints for Japan, of course, is the constitution and the conception about offensive capabilities. So as the U.S. has shifted to a more offense oriented defense, so the idea that you the best defense is a good offense, that as I said seems to suggest operations outside of U.S. networks.

And it may be third party networks. So some other country where Russian and Chinese operators are sitting on servers or it may be in the networks of Russian and of Russian China. Now under the Japanese constitution, it's unclear to me if that seems to be considered an offensive operation.

And so my understanding is that it would be hard for the self-defense forces to conduct those operations. And so if you believe that theory of cyber defense, then you would seem to have the need a political consensus about is this truly offense and can the Japanese self-defense forces operate in this way. And I don't think that that has been settled inside of Japan. I think something similar with the sharing of intelligence with the 5 eyes.

Again, we know U.S. operators on the cyber side collect intelligence by some offensive operations. So here I once knew about the status of reforms inside the Japanese government on intelligence collection but I'm sorry I'm not up to date. So I think there were some concerns domestically about some of those laws and intelligence sharing between the U.S. and Japan. I think those have been addressed. But I don't know if it'll be an official agreement.

So to expand to a 6 eyes or a 7 eyes but I certainly expect in the future continued and greater intelligence sharing on the cyber side. TIFFANY WU: And let's turn the conversation over to the private sector now. So in the private sector there is oftentimes I hear the notion of surveillance capitalism.

How do you balance cybersecurity with economic and social security? DR. SIEGEL: Yeah, it's a very interesting question because in many ways if we had complete surveillance, we could have complete security. And people for example talked about one of the ways to improve cybersecurity would be to get rid of anonymity online, to have a driver's license for the internet.

Everybody would have to as they do in China or other places go online with their real name, identifications. And also on the private sector side companies like Google and Microsoft have significant cybersecurity capabilities because they see so much of the network. They can track users and have a huge insight into the type of data that's flowing over their networks.

And so they are significant cybersecurity partners there. I think the way in liberal democracies we traditionally balance that is through kind of transparency, accountability, and the rule of law. That we expect the companies to operate under certain restrictions and users to have certain rights in reference to the services that they use. Now of course in the U.S. we are kind

of readjusting that relationship right now. We are trying to pass national privacy laws, issues about data portability and data control. But I think that that certainly that relationship is being reworked even as we speak, as people talk about the influence of big tech.

And I think clearly we are moving towards much more highly regulated sector on a range of kind of these issues both from social concerns, economic concerns and security concerns. TIFFANY WU: Great. So we have time for one more question. Is there any progress with the development of critical software procurement guideline by NEST? DR. SIEGEL: So I think there has been a little progress. My sense is that still the process is rather slow and bureaucratic. And that the kind of options available are fairly restricted.

But I hear this is not an area I spent a lot of time but I hear that the trend lines are the right direction but still fairly, fairly slow. TIFFANY WU: Well I'm actually glad that we ended the Q&A on somewhat of an optimistic note. [LAUGHTER] But I'm sorry that we are out of time but I can certainly see that we are just getting started on this important topic.

Of course I'd like to think Dr. Siegel for his time and also to all of our participants who have joined us here today. And so with that I'd like to turn the floor back to Joshua Gonzalez.

Thank you. Josh, I think you might be muted still. JOSHUA GONZALEZ: Oh, sorry about that. TIFFANY WU: We hear you now.

JOSHUA GONZALEZ: OK, great. So thank you all for joining us this evening. Before we'd like to wrap up we'd like to take a short survey from our audience. You should see the QR code pop up on your screen right about now.

And while you take the time to answer those survey questions I just like to take a moment to thank our keynote speaker, Dr. Adam Siegel for joining us today and for sharing his expertise with us. Also thank you very much Tiffany for your expert moderation in your contributions to tonight's program. Also, I'd like to give a special thanks to our simultaneous interpreters and technicians at NHK and our captions at UD talk.

Lastly, I would like to invite all of you to visit our website or social media for further information on upcoming cybersecurity events and programs. We hope to see you virtually at one of those events. Thank you all for joining us this evening and take care.

2021-11-05 13:48

Show Video

Other news