Jeremi and Zachary, with their guest Professor Robert Chesney, discuss the threats, concerns, trepidation, and potential opportunities behind cybersecurity, as well as how the country examines and deals with cyber issues to protect and further our democratic values.
Zachary sets the scene with his poem titled “The Solution”.
Professor Robert “Bobby” Chesney is a leading scholar and policy adviser on issues related to national security, cybersecurity, and law. Professor Chesney holds the James Baker Chair and also serves as the Associate Dean for Academic Affairs at the University of Texas School of Law. He is the Director of the Robert S. Strauss Center for International Security and Law, a university-wide research unit bridging across disciplines to improve understanding of international security issues. Professor Chesney is a co-founder of and contributor to www.lawfareblog.com, the leading source for analysis, commentary, and news relating to law and national security. He co-hosts the National Security Law Podcast with colleague Steve Vladeck: https://podcasts.apple.com/us/podcast/the-national-security-law-podcast/id1201314368.
Guests
- Robert Chesney, Associate Dean for Academic Affairs at the University of Texas School of Law
Hosts
- Jeremi Suri, Professor of History at the University of Texas at Austin
- Zachary Suri, Poet, Co-Host and Co-Producer of This is Democracy
[0:00:04 Speaker 0] Mhm. Yeah, This is Democracy, a podcast about the people of the United States. A podcast about citizenship, about engaging with politics and the world around you. A podcast about educating yourself on today’s important issues and how to have a voice in what happens next. Welcome to our new episode of This is Democracy. This week we’re going to discuss cybersecurity. What is cyber security? What are the threats, concerns and trepidation surrounding cyber issues today? What are the opportunities? And perhaps most knotty of all, how do we examine and deal with cyber issues and also protect and further our democratic values as a society? I don’t think there’s an issue that’s more complex and more important in our society than this, and we are fortunate to have with us one of the foremost scholars of precisely the intersection of these issues, my friend and colleague and distinguished scholar, Robert Chesney. Bobby, thank you for joining us today. Jeremi, thanks for having me on the show. I’m excited to be with you and with democracy. An admirer of the show. I love what you do here and it’s exciting to get the chance to talk with your audience. Well, I’m so grateful that you’ve taken the time. I know how busy you are. The issues you deal with, Bobby, are on the front page of every newspaper every day. So we’re grateful that you’re lending your expertise to us. Bobby Chesney is a leading scholar and policy adviser on issues related to national security, cyber security and law, and there really are very few people who really deal with that nexus, bring those three sets of domains of expertise together. He holds the James Baker Chair and also serves as Associate Dean for Academic Affairs at the University of Texas School of Law.
He’s the director of the Robert Strauss Center for International Security and Law, which is a world-leading research unit that brings together different disciplines, including history, as well as law, political science, various hard and technical sciences, to address security issues and international issues in our society today. He’s also the co-founder of the Lawfare blog, and anyone who hasn’t read Lawfare, I encourage you to. It’s lawfareblog.com. Really, on a day-to-day basis, some of the most interesting analyses of security, law and cyber issues. And Bobby has his own podcast with another friend of ours and frequent guest on our show, Steve Vladeck. Bobby and Steve are kind of Laurel and Hardy of national security laws. Is that fair, Bobby? Totally. It’s like Car Talk. Well, that’s a high bar. Car Talk is about aspirational. Aspirational, period. So speaking of Car Talk, I think the biggest fan of Car Talk I know is Zachary Suri. Zachary, you have a poem for us again this week? Do indeed. What is the title of your poem? Well, it’s a long one. “The Solution,” after Brecht’s “Die Lösung.” Oh wow! After Bertolt Brecht. Okay, well, this is going to be heady stuff. Let’s hear it. What creeps in numbers through the sky? Can censor you while it bakes a pie? What creeps in circuits through your phones? Can wake you up or break your bones. What creeps in numbers through the sky? Can write up home or in order to die. What creeps through objects up in space? Can hold your hand or spit in your face. What creeps in numbers through the sky? Can shut a pipe and swat a fly. What creeps in cables under the sea can watch the toilet as you pee. Would it not in that case be simpler for the computer to dissolve the people and invent another? I love. Exactly. Wow. Uh, what’s your poem about, Zachary? My poem is about the very absurd moment that we’re in as a society, in which, in a sense, computers have begun to define us instead of us defining the computers.
And I think it speaks to the fact that our vulnerabilities today come from the fact that we don’t actually control our own reliance on computers and that so much of our lives are determined by algorithms that the vast majority of us do not understand. Certainly I’m in the group of those who don’t understand many of these. Bobby, is that a fair framing for cybersecurity issues? It’s wonderful. Hats off to Zachary. That’s amazing. Since the computers probably are listening, I for one want to go on record welcoming our new lords and masters, the algorithms, and when you get rid of everyone else, you know, I can be one of your human remnants slaves. Some sort of humanoid quisling for the, uh, Terminator masters. Right. Yeah. That was a really great framework. What I loved about that poem was the little segments touched on so many different aspects, and the, so not everything about AI and cybersecurity, you know, it’s not a perfect overlap, but there is so much to it, and it gets at the larger set of anxieties we should all have about whether we are developing our understandings, our policy architectures and our legal architectures even close to almost fast enough to keep up with the practical implications of the clearly much more rapid technological changes that are happening. And to state that question, of course, is to suggest an answer to it. Which is no, not currently, no. We are not. Bobby, when did we start to worry about these issues? As a historian, I’m often obsessed with origin moments, and it’s kind of artificial. Nothing starts at one moment. But where would you, putting on your historian hat, when would you start this story? Oh, that’s such a, that’s a great. I’m glad we’re gonna start there. I have lots of thoughts about this and I’m going to begin by passing along an anecdote that I’m not the original, uh, purveyor of. I’ll attribute it in a moment. But I’ll start with that.
And then I want to kind of step back and put it into a much longer historical lens, because I so know and appreciate your orientation towards placing things in that deeper context. So the sort of short lens version, one might say the moment came when President Reagan screened the movie WarGames at the White House back in the early eighties, the famous Matthew Broderick thriller in which, apropos Zachary’s poem, the Pentagon decides to hook up the nuclear arsenal, the strategic arsenal, to the WOPR, the, I forget what the acronym stood for, but it’s something like the weapon. It’s a computer that would control for strike capability so that the computers could react rapidly. And would, you know, if all the humans were taken out. And Matthew Broderick’s a young hacker who... Well, I’m not gonna do any spoilers, because if you’re listening to this and you’ve never watched WarGames, then your homework is to watch WarGames. I’ll just say that Matthew Broderick is a teenage hacker, and the idea of hooking up our first strike arsenal to a computer and combining that with cybersecurity issues, well, problems ensue. And so does a classic of hacker film. So the film was screened at the White House. Ronald Reagan and Nancy watched and enjoyed it. And then, as Fred Kaplan writes in the book Dark Territory, which I strongly recommend as a great history of how the United States has struggled to institutionally respond to gradual awareness of cyber security problems, Reagan sees this and he’s absolutely horrified, and he doesn’t know much about the technology that’s being portrayed. But he wonders how much Hollywood fictionalization is going on here and how real might it be? So as soon as maybe the next day, certainly within the week, he asked the Chairman of the Joint Chiefs whether he’d seen the film, and the Chairman says, uh, no. They probably asked him a lot about films, and the Chair probably didn’t think much of the inquiry at first.
Then Reagan starts to relay the plot, including the problems that ensued with cybersecurity, and asked the Chairman to look into it, and the Chairman says, okay, sure, I’ll look into it. And later would reflect that he didn’t think much of the directive at the time, but he comes back, you know, some days later, having actually asked some questions about the vulnerability of strategically significant and other operationally significant military systems. He was horrified by what he was told about the potential vulnerabilities. Now, there were lots of people, to be clear, who understood these vulnerabilities already. But I’m talking about when did people in a position of authority and responsibility really start to focus. That really did set in motion White House machinery, because the President was alarmed. And I think it’s a really cool example of where policy and pop culture can come together in actually meaningful ways. It reminds me, Jeremi, you’ll know this, when Bill Clinton read Stephen Preston’s book. I think it was Hot Zone. Yes, and got really shouldn’t in pandemic. Right. Right, right. I kind of wish more people had maybe read more of the Preston books. But that’s a whole another podcast and topic. So the WarGames episode, I think, is often cited as one plausible starter point for when the U.S. government began to view this as a significant enough problem to warrant that kind of top-level attention. But I promised I was going to put it into a longer lens historical perspective. And I think it’s useful to begin that by being clear about the idea that the military likes to use the idea of domains in which people can operate. The classic operational domains that were with humanity for centuries and centuries and centuries, of course, would be land and the surface of water.
Those have always been traditionally the two most important, and indeed for most of human history, the only available venues for significant power projection, whether you’re talking about something that we call today full-scale armed conflict or instead minor, episodic, low-intensity projections of power: land and surface water. Now, as long as that’s the state of affairs, then there are hard geographic facts that cabin the ability of one polity or another to project power. And there’s a certain stability in those hard facts. You know whether you have neighbors that are threatening, whether they’re neighbors that are peaceful, you know how quickly threats could come upon you. This reminds us, I think, of the classic American idea that we sit safely behind two oceans. And at least in the early part of our country’s history, we were relatively safe from anything that might resemble a peer or superior power’s ability to project serious force on us. Technology progress famously changed, especially in the industrial age, the ability of humanity to project power into other domains. So air, below-surface or submarine use of water, and then eventually space. Those separate domains opened up over time because of what industrialization and other technological changes made possible. And of course, one of the disturbing and unsettling things about that, that shook up the equilibrium, is especially being able to project through air, later space, with ballistic missiles especially, and submarines sneaking right up to your shore. The ability of faraway foes to do relatively threatening things to you changed your risk calculus. Sure, sure. So now new technology has created a domain, the cyber domain. And it, from a certain perspective, not entirely, but from a certain perspective, doesn’t have geographic borders, or at least it’s complicated. And so a similar change to the threat picture has emerged. And so when we think about when did cyber threats emerge?
Well, first you have to have the emergence of that cyber domain, then you have a gradual awakening by a variety of actors, state actors, non-state actors and individuals, figuring out what they might do, how they might pursue their interest. And then for those on the receiving end of it. And by the way, the United States Government, of course, we’re on both the administering and receive the kind of things. You know, the Reagan moment symbolizes a particularly acute realization about just how significant this sort of vulnerability this domain could make us. You know, it’s really wonderful that you made the connection and the parallels to sea and/or underwater, air and space. In each of those areas where we have more established historical scholarship, there’s an emphasis upon the lumpiness, the inconsistency of American activities. Is that also true in the cyber domain? That’s an interesting, it’s a really interesting comparison. And I hope there’s some students hearing you say that and thinking, ah, there’s that paper idea, exactly what I’m looking for. Please get to work and then share it with us. I’ll say this, that there, I like to say that the federal government, which will be my focal point because that’s where most of the action is. It’s a they, not an it. So there’s a plurality of different institutions and people over time in those institutions with really varied equities and capabilities and interest in missions. And so you’ve had, I think, the quickest uptake in the slice of the government that traditionally had been the electronic signals intelligence acquisition operation. And of course, that’s the NSA above all, the National Security Agency. Uh, they made a pretty quick and very effective adaptation to the emergence of this domain, to take proper advantage in executing their espionage mission of the way that information is now newly available there.
So they made that change, you know, throughout their early signs of it, as long as computers, you know, going back to Alan Turing for GCHQ during World War Two. On the British side, that transition began for the Brits, and very quickly for the Americans too. By the seventies, you could really identify it. And by the eighties we were getting good at exploiting this domain. Militarily, outside of the intelligence use of this sort of thing, the Kaplan book I mentioned tells the story of the pretty slow and uncertain progress towards what we would try to do even just defensively. And then the slower, lagging effort to figure out how offensively from support of military operations or indeed, maybe even as a weapon in and of itself, development of military capacities were. Now, if you want, I can say more about sort of how Cyber Command emerges out of this. I’ll just note quickly that on the defensive side. No, it I say to my students sometimes that when environmental pollution concerns became really significant in the popular mind and hence in our politics in the sixties and early seventies, we responded institutionally with the Environmental Protection Agency, a clear new entity designed and scoped to reflect the newly recognized problem set. We didn’t really have not still done that for cybersecurity as a threat. Instead, we’ve got this highly decentralized model in which the military and the intelligence community, through NSA and Cyber Command, they take care of themselves. The private sector largely remains in sort of the free market model, protecting itself, for better or worse. And then, as we learned recently with SolarWinds and other headline stories, the civilian parts of the federal government, that remains very decentralized. But we have spawned a part of the Department of Homeland Security that we call the Cybersecurity and Infrastructure Security Agency, or CISA. C-I-S-A. CISA.
That’s the closest we’ve gotten to having a collective shop. But it’s no EPA. It doesn’t have broad regulatory authority over the private sector at all. What it can do to some extent is direct and have an impact on the civilian parts of the federal government’s executive branch. But even that authority is limited and still having to evolve. So it’s quite a pastiche of different pieces. It sounds like the kind of overlapping and decentralized bureaucratic authority you’d see in many areas. I know Zachary wants to ask you a question about contemporary cyber threats and really dig into that, but quickly, before we go to that, Bobby, could you just say a little bit about Cyber Command? Because I think it’s one of those topics that comes up a lot but isn’t often well explained, and you know more about it than almost anyone. It’s a fascinating institution. Cyber Command, formally speaking, is one of the several combatant commands of the US military, most of which are defined, actually not sure numerically if it’s most, but many of which are defined by their geographic areas of responsibilities, such as famously Central Command, which you hear so much about in connection with Iraq and Syria, etcetera. But we have some that are functionally defined, like Special Operations Command, Transportation Command. There are those, and Cyber Command’s the newest of the bunch, and its job is threefold. First, defense of the dot-mil military networks. Uh, secondly, and most sort of obviously, they are, just as Special Operations Command oversees and ensures the ability to supply special operations capabilities to the geographic commands when our forces are deployed overseas, Cyber Command has a parallel role in pushing out cyber capabilities in uniform to the various operational combatant commanders. But then there’s the third function, where Cyber Command also has its own operational role, sort of a loosely defined national mission category.
And the place that gets most interesting is if you imagine the simple idea that Russian strategic bombers entering North American airspace, we expect the military to be the ones to respond to that. So the idea is that in some way or fashion there should be a similar cyber response to protect the country as a whole when sufficient provocations coming into the country. But how do you define it in the cyber domain? That’s a very vexed question. And you combine with that the idea that you really, especially in cyber conflict or cyber competition, you really don’t want to just sit back inside your own network, being the constant and persistent punching bag of the intrusions of all these other countries and individuals and organizations. You might want to be out there hunting for these threats, uh, in other networks outside your own. And they do a lot of this on a by-invitation basis with allies, especially in Eastern Europe, where you get to, you’re a Cyber Command operator, you get to go over to, say, Montenegro, you’re helping them and getting to see the things that the Russians are testing in the field against that comparatively weak adversary spotted. Yeah, no, it’s really, they consciously try to identify these trial-run type techniques and procedures and then bring that knowledge back and be ready for it when it shows up on an American network or another allied network. And then a few years back, Cyber Command began articulating the defend forward doctrine in another respect, the idea that we might actually be best off if we can live inside, as much as possible, the Russians’ own networks and networks of the most capable foreign adversaries, so that you actually hack their systems and can figure out what they’re planning before they can even bring it to bear on us, or Montenegro. And that’s been controversial in some ways. It’s not well understood because we don’t have a lot of public insight into it.
What actually happens, how effective it is, and it’s hard to judge it, but that’s basically what Cyber Command’s mission set is. And that’s probably the most interesting and an important thing in certain ways that they’re doing. And by the way, since we’re here to talk ultimately about democracy, that threat hunting was certainly reportedly very central to the role that Cyber Command played in trying to help secure the most recent round of elections, 2018 and 2020. So where are we today? We seem to be at a moment when these issues are really coming to the fore of public discourse, at least in a way they haven’t before, but at the same time, we seem to be uniquely vulnerable to cyber security issues today. So how should we understand where we are? That’s a great way to put it. We seem to be trying harder, talking about it more and cognizant of it more than we’ve ever been, yet, it seems, I mean, just look at the headlines in the past week and a half. Maybe someone listening to this is going to be on the East Coast waiting in a gas line. So it seems like we’re getting hammered by it more than ever. I would say this first: as a comparatively digitized and wired economy, not maybe the most digitized and wired in the world, certainly, but certainly along the spectrum, we live in a comparatively big glass house. Now, we’ve got the biggest rocks, or some of the biggest rocks, because we have NSA and Cyber Command, and we also have a variety of individuals in America who do things as well. But we all live in this big giant glass house, and the Colonial Pipeline fiasco of the past week and a half is an example of someone throwing a big old rock right through one of our walls and getting glass all over the place. And we have a problem from that. So we live in a time where every year we’re more and more online, more connected.
And hence the attack surface that we’ve got to defend every moment of every day just grows, both in quantity and in, you might say, strategic relevance, both in practical terms, like the Colonial Pipeline, great example of the sort of a single point of failure, but also in collective terms, in the sense that there’s, you know, almost anything that happens, Jeremi and Zach, to the three of us is not individually strategically significant, even no matter how upset we are, but you multiply that across half the population and it collectively is strategically significant. And so that’s happening too. So even though we are trying harder and operating better, our defenses have never been as good before as they are right now today. But the playing field itself has shifted in a way that’s made us twice as vulnerable at the same time. And I guess it would be interesting. I don’t think you could really quantify it. But if you could reduce those two dimensions, two vectors, into a time series and try to see which one has the steeper slope. Is that the improvement in defense? Or is it the increasing attack surface? And I sometimes worry it’s the latter, and so all our progress, I mean, thank God we’ve been making it, they were actually falling behind in the race despite that. So I think it’s a fascinating and really helpful analogy, thinking about being in a glass house. I also think, Bobby, of the analogy to nuclear offense and defense, right? Where it’s long been said that the offense has the advantage because they only have to get it right once, the defense has to get it right every single time. And I wonder if, as we’re thinking about SolarWinds and Colonial Pipeline, where we learn about the cases where the adversary was successful, not where we thwarted them and stopped them from doing damage. What are we learning about that dynamic?
Are we, uh, in a situation now where as a society we’re doing some of the things we need to do to deal with this inevitably difficult dilemma? Or are we running in circles? I think we’re making some decent strides of late in response to primarily SolarWinds. It’s too soon to say with Colonial Pipeline quite what the response there will be, uh, in terms of systematic improvements. But the SolarWinds fiasco that began unfolding last December and into January and then really filled the headlines and generated sustained anxiety, where you began to see leading national figures, no less than the President, President Biden, talking in really robust terms as if it was an act of war sometimes. That was a sufficient shock to the system. And then, Jeremi, nobody knows better than you that sometimes you have these punctuated moments in history where some event, usually a very unwelcome one, breaks through in a way that changes it, tips the playing field a bit and makes new policy possibilities come open. Absolutely exchange. So it was not a 9/11-level event, but it was on the spectrum. It opened up and ensured that steps would be taken that maybe eventually would have been taken, but almost certainly not quite this quickly, with quite this focal point, by the Biden administration, which about a week and a half ago issued an executive order that contains a whole slew of different things. The sum and substance of it is a bunch of very smart, very responsive to SolarWinds directives to various parts of the executive branch that will have the net effect, within about six months’ time, perhaps, of substantially improving the cybersecurity practices across the civilian parts of the executive branch that significantly got popped by the Russians during the SolarWinds fiasco. So fool us once, shame on you. Fool me twice, shame on us.
I don’t know if this is once, twice or the 74th time, but at least this time we seem to have made a concentrated effort, with the timing of a new administration that was determined anyways to take this topic seriously and bringing in a lot of really talented people like Anne Neuberger, who is the, uh, one tier down from the National Security Advisor with a dedicated cyber portfolio, and she is famous for her long service at NSA, including a stint as the key person interacting with the private sector. And I think led this process, many others contributing to it, that produced a smart set of lessons learned. But remember, earlier I emphasized that the folks at DHS CISA, they’re not the EPA. They can’t promulgate regulations that the private sector has to follow, nor can any other single entity. There are regulators that have purview over key elements of critical infrastructure that can, and to some extent do, promulgate really specific sectors regulations for really specific sectors. And so that may yet be something we see more of. But what we’ve not had is any sort of major change such as, oh, the most dramatic thing, I suppose, would be a statute that empowers CISA to issue cybersecurity compulsory regulations with enforcement authorities encompassing at least some, if not all, of the critical infrastructure categories. I’m not aware of anyone proposing that. You can easily imagine the more market forces that would oppose legislation like that, that have in the past. So that’s exactly where I wanted to go, Bobby. I read really your excellent analysis of the executive order. I think it was on Lawfare, right, that you, and, uh, it helped me to understand the executive order, because I had read it and not being an expert in the area, and I’m sure many of our listeners share this, it reads like gobbledygook. You need someone with your expertise to explain it.
And one of the points you made so clearly there was that this order did about as much as the executive branch could do, and now it’s throwing the ball to Congress. And that’s, I think, where the democratic side of this, democracy part of this, comes in, right? How can we as a democracy create the kinds of dialogue and get our representatives on both sides of the aisle to start thinking about these issues in more productive ways? And I don’t want to be naive and assume that simply putting out information will lead to enlightened policy making. But it does seem we need to at least open that door and start in that direction. Just for example, as you said, having statutory guidelines for private entities like Colonial Pipeline to build in redundancy and protections for the kinds of attacks we know they’re going to get. Redundancies and protections that have cost, of course, cost money that they’ll have to invest in the short run. Uh, they’re not going to do that if there isn’t some kind of statutory obligations. So how do we begin to have that dialogue and move forward in that policy space? You know, one of the things that I know has greatly concerned you and certainly does me as well, and probably everybody listening to the show, is the sense that on so many of our most important policy questions, we can’t seem to just treat it as a policy problem. We seem to want to transform everything into a, it’s almost like we’re picking teams for the two political parties and you get to pick which side of any issue you want. But then the other side has to take the other side of the issue, and you have to politicize it and treat it all as proxy warfare for politics. And what’s so far comforting, I feel, about the cyber security issue is it seems to be somewhat resistant to that. I don’t feel it’s been politicized.
You look at the way a lot of public health policy has been politicized here, and I’m not, by the way, I can almost hear some listeners saying, like, well, you know, it’s not an even thing, one side is doing it more than the other. I’m not trying to I’m trying to come to grips with issues like that here. I’m just trying to make the observation that, for better or worse, some issues do get dragged into that muck. Cyber security seems to have preserved a strong degree of openness towards being treated as a bipartisan, “how do we do good government interventions in this space?” And that’s very comforting. So, one thing I think is incumbent on all of us is, anytime we feel or perceive we have the chance, we should reinforce the hopefully nonpartisan nature of this problem set. Of course, most problems should be nonpartisan in nature, but we should reinforce the tendency to keep it away from politicized framing, and that helps, it creates space for people to reach across the aisle. Um, and we’ve seen a lot of that. You see situations where Mike McCaul and Mark Warner can both be involved very, very happily on a particular intervention. So I think that’s going to be really important going forward because, as you said, the executive branch can only do so much unilaterally. And by the way, as a matter of democratic accountability, we only want it to do so much unilaterally. It’s fine for the president to order around his ultimate employees throughout the executive branch. It’s not fine for the president simply to order around all the rest of us in the private sector without a statute empowering him to do so. So the ball is in Congress’s court. This has become a topic that has enough newspaper relevance, enough perceived significance among average people. I mean, these days, everyone’s pretty focused on what could happen, especially here in Texas, where through natural disaster, the lights went out.
I think all of us here in Texas are increasingly focused on, you know, the vulnerability of the grid to any kind of cyber shenanigans and and then as a result of all of that, I guess I’m kind of talking myself in a circle circle here. I just really want to say that we probably need some things to be done. I think Congress currently feels that it’s in the median member’s interest to be seen to be legislating in this area. And since it hasn’t been made a sharply partisan issue, there seems to be collaborative things taking place. So an example, we, we may over the course of this year see legislation that includes a requirement, at least on entities over a certain size in terms of their revenues perhaps or employee base, however they define it, if they’ve suffered a breach, even if there’s not an exposure of personal data, which might trigger notification laws through, through various state privacy laws, that you nonetheless have to reach out to DHS CISA or perhaps some other entity, like just to notify them that the breach has happened, here’s the indicators of compromise, so that everyone has a duty to reveal that this happened. I read somewhere, I don’t know if that’s true, but I read that there was at least some substantial delay at Colonial before they began sharing information about what had happened to them. That may not be true. So don’t take my word on that. I just had seen that. It’s a good example where it might have been good if it’s true that, let’s say, 36 hours went by. Well, that’s, that’s a long time. Somewhere within that window, it would’ve been good if malware samples could have been conveyed, and maybe they were, but if they weren’t, they should have been. So I think we’ll see legislation like that. And Jeremi, as you know, the one train that always leaves the station in Congress is the National Defense Authorization Act, usually in the winter. And if nowhere else, I think you’ll see in the next NDAA a whole bevy of non-DoD, 
nondefense cyber provisions. That actually happened in the prior one as well. How do we do this democratically? I think it’s important that we address cybersecurity issues. But but how do we do it in a democratic way? And I think that has, that brings up two sub-questions, and I think the first is how do we avoid cybersecurity becoming cyber surveillance? But then on the other hand, how do cybersecurity issues come together with preventing breaches of democratic norms abroad, in, say, a country like China that uses cyber activity to monitor their people? Where do those two intersect? Wow. Those are those are meaty and important questions. I’ll take on the first one, and then if I get myself so far down the road I can’t recall exactly the framing of the second one, I may come back to you, Zachary, but on the first one, you put your finger on one of the challenges that has resulted in the not super narrow but relatively narrow set of statutory and regulatory interventions we’ve seen so far. Well, so here’s a critical concept to explain where I’m going to go. The concept of market failure, which is often used to describe in in in economics, to describe a situation in which there is an actor who, if forced to internalize all the externalities, the harms that are, or costs that come from something they’re doing, might invest in preventing those harms to a certain level, but they’re externalized. They’re they’re they’re not made accountable for, um, they’re they’re not paying that tab. And so it’s not rational for them to invest that much. So they don’t, they meet the market where where it is. 
And I think a lot of people, I think it’s conventional wisdom, frankly, at this point in the economics of cybersecurity that there’s a lot of externalities that society as a whole bears the cost of. If, say, a software company or an app developer is figuring out how much to invest in security, they’re not going to, as things currently stand, they’re not likely, or they’re gonna think they’re not likely, to bear the full cost if a breach later on occurs because they didn’t do more. So they’re under tough economic pressures, they don’t do more because of that. You do traditionally have to address that either by being extremely patient and hoping and waiting that eventually the market corrects that. But by definition it might not. So the typical argument is that, yeah, that’s where you have the most justified cases for carefully calibrated regulatory or statutory intervention. When we in the past have seen Congress begin to dip its toes into these waters, as I mentioned earlier, the pushback tends to be sort of an economic efficiency or commercial viability pushback. You do hear that, like, hey, don’t, don’t impose these burdens on us because these are tough markets, you’re just gonna kill businesses and you’re gonna kill innovation. That’s a real concern. It’s a major stumbling block towards doing more, but it’s not the only concern. You also have serious privacy concerns because not all cybersecurity measures one might undertake implicate the privacy of people’s communications and data about what they’ve done, their location, the sites they visited, uh, scanning the traffic that’s, that’s being distributed, looking for indicators of compromise. But obviously that’s a big part of it. There’s a there’s a lot of what one might try to compel entities to do that could fall under that heading. And so in addition to triggering free market antibodies, there have been privacy protection antibodies that have been triggered by these sorts of proposals in the past. 
And so those sort of loom as the two big forces that help us understand in a big abstract sense why people didn’t just recognize, hey, there’s a problem, let’s, uh, let’s snap our fingers and impose regulations, problem solved. There are costs on both the dimensions, and so, Zachary, your question really highlights the one. Yeah. I think that the answer to how to democratically cut the Gordian knot on the privacy versus security tie there is to recognize that technology is both the source of the problem, but also potentially the solution to that challenge. It’s not as simple as anything we do to improve security is going to erode privacy substantially. There are ways to go about making improvements that can be done in privacy protective ways, privacy respecting ways. And if there is still some notional or marginal impact on privacy, it could be that that’s worth it, if what it means is we have a huge improvement vis-à-vis ransomware. So we’ve got to be, we’ve got to be nuanced in the discussion. Now I say nuanced and immediately we think, okay, that doesn’t sound like something that’s going to happen in Washington. Fair enough. Shows like this, every, every engagement, every conversation we all have on this topic, being alert to the possibility that we may have to trade off some values to a limited extent, but also we could act creatively to come up with technical and other solutions to ameliorate those costs. I think that’s ultimately where we’re going to have to go. The mounting costs suggest we’re going to have to go down this pathway a little bit right? It sounds to me like it’s going to be iterative, as most policy work is, right, that you you start down the road, you try to balance the different equities and look for technological help in moving moving toward more security, but also protecting privacy at the same time while being attentive to both. I think that’s exactly right. Exactly. Your, the second question, can you restate it for me? 
So, I think the second question is really how do we understand cyber security measures in the broader context of the ways in which computers and new technology are being used in both democratic and undemocratic ways? I know that’s a very broad topic, but I think what the core of that question is, how do we understand cyber security in the context of violations of people’s cyber privacy abroad, for instance, Apple making a deal with China to put their material on its, in China, on Chinese government-run servers. Exactly right. So this is this is an area where I really hope students will, will pay a lot of attention, because there’s just an endless series of good topics that need attention, uh, and too few people that are paying close attention to both the technology environment, but also the the the intersection of business, commercial life and international relations. This is this is really right. So one way I think about it is there’s there are several different dimensions that cut in funny ways. One dimension or one way it cuts is that the authorities, comparatively authoritarian governments like Beijing and the Chinese Communist Party, they’re in a position of relative freedom of action to, uh, to not boost cybersecurity in ways that will limit their own collection capabilities, certainly overseas, but also vis-à-vis their own people. And what I mean by this is things as simple as the fact that it used to be that cybersecurity capture the flag competitions, where teams of researchers and academics and companies would show up with their best trackers would show up. There’ll be a particular problem set and they wheel out their incredible exploits and and the newly found 0-day vulnerabilities and, uh, they win a prize, they win renown, and the companies whose products were found to be vulnerable would get the benefit of being able to patch them, et cetera. 
Um, Chinese law now requires that if you if you’ve got this sort of knowledge, you can’t disclose it to Microsoft, you’ve got to give a right of first refusal to the government. It’s it’s the, you know, dead opposite of the American system where of course the private sector and academics and others, if they discover these things, of course they can tell Microsoft so that Windows can be patched. There’s the idea that you’d be obliged to tell the U.S. government first is, it’s very hard to get our minds around that. So, uh, the the things that some governments are doing to enable them to be able to engage in espionage both internationally and in repression of their home populations, uh, nearby populations, it’s a real problem. Um, at the same time the ability of the ability of the U.S. government to call foul on that is limited because we do engage in lots of espionage. We don’t disclose all the vulnerabilities and exploits that are discovered and developed by NSA. Um, they don’t develop and discover them as a purely defensive heads-up mechanism for the companies. They developed them to be used for espionage purposes. And then they do have a process to consider whether or not to disclose them at some point. There, it’s called the, well, I’m not gonna give you the details, but there’s a process for that. Now, different dimension: international norms. Of late, the Russian government in particular has been very active in talking about wanting a new international cybercrime treaty to be developed through a multinational UN-supervised process. Which is really striking because they’ve never even ratified the very mundane existing cybercrime treaty, the Budapest Convention. And and of course we all understand, I think, that Russia is not really actually eager to try to stamp out cyber intrusions globally. 
So what’s going on here, and I would submit to you that what’s going on is a very clear-eyed understanding in Moscow in particular, that international norms, and especially international law, relatively speaking, however much the United States may skirt its way around these sorts of things sometimes, we will be more bound and encounter much more friction than they will, because they’re really, as a practical matter, not, they don’t operate as if they’re bound at all, even if they full-throatedly proclaim that they are. So that creates a real dilemma, especially for those who would like to see effective international norms, if not outright treaties. How do you how do you pursue that, and feel good about it, in a world in which you realize that the binding effect will largely fall on the non-authoritarian governments and will largely be, well, you know, bounce right off the surface in the authoritarian ones? That’s it’s a grave dilemma. Do you give up on it? I don’t know if you give up on it, but I guess you have to proceed with a realistic eye towards what exactly you might be able to accomplish. Well, and it seems to me that, you know, the experience of the Cold War, where the this dilemma comes up time and again, indicates that you want to build a structure of norms that put pressure on the authoritarian regimes. Even if that pressure is not internal, at least external pressure, if they want other goodies from the international system, there are certain expectations that they behave in certain ways. I sort of the Helsinki model that even right, of course, that now you now, Jeremi, you’re you’re so good at drawing my attention back to the historical perspective. So I should add the trust but verify principle, right? And we think about arms control, which nuclear arms control and missile control presented a version of this dilemma, like how do you prevent defection? 
This is a famous game theory type problem very familiar to us from the arms control context, and we haven’t mentioned it but we should. There’s a lot of literature on whether and to what extent we can bring those concepts and experiences to bear on cyber arms control in effect. And the problem that’s usually wheeled out as the reason why it’s at least hard and a not easy transfer is difficulties of that verify step. So I suggested a moment ago you really can’t just trust, you need to trust but verify. But verification with missile technology was comparatively easy, as hard as it was. With the difficulties of attribution that we sometimes see in the cyber domain, not being sure who is responsible for that hack that clearly just occurred. And even if you can trace it back to a particular actor, the actor in in a way that would never be true for nuclear missiles, but certainly could be true for a hack. Well, I know it’s a guy in St. Petersburg, but was it just the guy or was it a guy who’s taking orders ultimately from the Kremlin? Um, so the role of cutouts looms really large here as well. So, Bobby, as you know, we always like to close on a hopeful note on on how this expertise that you’ve shared with us in really brilliant and breathtaking ways and the historical perspective that underlay all of it, how that can give us some energy and optimism going forward. There’s so much doom and gloom, especially around these issues. But as as your tone and as your substance indicates, there’s a lot of possibility there too. And so I thought, I thought maybe we close with a final question about resilience. 
Uh, one of the arguments often made, at least by historians, about democracies is that they proved more resilient in the long term. Authoritarian regimes can move fast, they can make big investments and, as you just described so well, they can close themselves off to certain pressures that democratic societies face, but in the long term they’re pretty brittle, and democracies are are much more rubber-like in being able to adjust, often in suboptimal ways, but yet adjust to different circumstances. What are the things we as citizens can be thinking about to make our cyber worlds and our cyber security, personal and and public, more resilient to what will be inevitable perturbations, attacks, outages, things of that kind? I like, I like to end on a happy note and I think there’s a lot actually to be happy about in this space. Resilience, you couldn’t have chosen a better word to talk about where we need to be heading. Resilience has both practical and, I don’t know, is it moral or spiritual or just personal dimensions? And I want to say something about each of those dimensions. First, um, Colonial Pipeline shows there are a lot of contexts in which we lack the practical resilience that is associated with having fallbacks, having quick mechanisms for recovery, et cetera. We have we have too many single points of failure in the critical infrastructure system. Um, hopefully the existence of that particular episode, which is like somebody’s 1990 forecast come to life. I’m sure somebody at some point has written a report where, like, that’s the Pearl Harbor type example. Um, so hopefully something like that will help us start putting more resources into the entities and individuals, and, and let me add real quick, the insurance companies that are in the best position to push people to make these changes. Hopefully we’ll see some of that. 
But also there’s that moral or almost spiritual dimension of resilience in which, you know, I think here of things like the idea of Boston Strong after the marathon bombing, the idea, uh, stiff upper lip and then the classic, you know, keep, keep calm and carry on model of the Brits. This idea that in some contexts where there are, when there’s novel exotic threats, they’re shocking and scary in part because they’re unfamiliar and they seem scalable. It’s hard to be resilient in that sense. But as you become more familiar with the idea that that threat is there, you acclimate to it in a way that, yes, can be bad because it might reduce the political pressure to do something about it. But there’s a sweet spot where that pressure is still there, but you get away from the panic element and you come to understand that there’s a new, challenging feature of life brought on by technological change. It has its downsides, but you don’t lose sight of the fact that there’s upsides too, and you begin to get into that iterative game of making constant marginal improvements, always having lessons learned, always making it better. There are a lot of signs that despite these big fiascoes like SolarWinds, a Colonial Pipeline, we seem to be getting finally towards more of an “alright, let’s learn the lessons, let’s fix it, let’s not panic.” And so it’s a little duty for all of us not to take our foot off the gas of improving things, but also to keep calm and carry on. And that’s part of the resilience we need as a society because we don’t want to not live in this glass house. This glass house we’re building is beautiful, it drives innovation, it drives the economy, it makes smart cities possible, it’s eventually gonna make autonomous transportation ubiquitous. Lots of scary stuff that comes with that. But this is progress and we can we can we can get there. We just need to be resilient. 
I love that description and the connection again to the beautiful glass houses with wonderful views that we enjoy, Bobby, but we have to know that the glass sometimes will shatter. Zachary, um, as a young person who thinks about these issues a lot, um, do you see, uh, progress on resilience around these issues, both, as Bobby framed it, as practical and as moral, spiritual resilience, and and where is that going? Where, where where are we headed in that space? I certainly think that at least on the awareness front, we’ve made a lot of progress in recent years. My peers and I, I think, are much more aware of issues of privacy and cybersecurity on both a very personal level, but also on an international level. Uh, there’s even a club at my school called CyberPatriot, which I think is a very creepy name, but is indeed, uh, like, I think it’s a government-sponsored effort to to bring issues of cybersecurity to the attention of young people and get people working on that. So I think there’s a lot of a lot of action and a lot of exciting work being done by young people, but I do think there’s a lack of understanding of how complex some of these issues are and a lack of understanding about how important they are among the population as a whole. And I think part of that is that they’re so unique that it’s it’s very hard to fit them into the categories we usually tend to think about national security threats in. Right, right. And I think we all have to work harder to educate ourselves and see that in educating ourselves, it’s not just doom and gloom. It’s actually, again, back to Bobby’s wonderful metaphor, it’s making our glass house more resilient, more durable in the environment we’re in. Uh, Bobby, you have shared so much insight and wisdom with us and, uh, I feel like one could talk about this for hours and hours, we’ll have to have you back on. But thank you at least for now for sharing, sharing so much with us. 
That’s so provocative, thoughtful and and I think we’re all smarter having listened to you, Bobby. Well, I don’t know about that, but I’m grateful to both of you, both for having me on the show and for having the show and and so and thanks to your audience for listening to it. And I know week in and week out, it’s just it’s just an incredible resource. So hats off to all of you. Well, we feel very fortunate to be able to do it. I I’m particularly fortunate to have wonderful guests we can bring on and having a tremendous partner in crime, Zachary Suri. Thank you. And a tremendous technical team. Direct tremendous technical team. That is that is true as well. Shout out to the LAITS technical team. Uh, thank you, Zachary, for your poem as always, and echoing Bobby, thank you most of all to our loyal listeners. We really appreciate you being out there. That is our discussion for this week on This is Democracy. Yeah. Mhm. Yeah. This podcast is produced by the Liberal Arts ITS Development Studio and the College of Liberal Arts at the University of Texas at Austin. Okay. The music in this episode was written and recorded by Harris Komotini. Stay tuned for a new episode every week. You can find This is Democracy on Apple Podcasts, Spotify and Stitcher. See you next time.