23 July 2017

Nations, Even Adversaries, Must Work Out Cyber Issues – Carefully

MICHAEL DANIEL

How should nations collaborate in cyberspace? Can a nation like the U.S. and one like Russia bridge their views on data collection? What’s the future of artificial intelligence? The Cipher Brief’s Kaitlin Lavinder talked with Michael Daniel, former special assistant to President Barack Obama and cybersecurity coordinator at the White House, to get his take. Michael is now president of the Cyber Threat Alliance, a group of cybersecurity practitioners who work together to share threat information.

The Cipher Brief: At The Cipher Brief’s annual threat conference this June in Sea Island, Georgia, NSA Research Director Deborah Frincke talked about the necessity of collaborating with international partners on cybersecurity issues. What’s your take on that? Did you implement that during the Obama Administration – how?

Michael Daniel: It’s absolutely critical to have international collaboration on cybersecurity issues for a whole bunch of reasons. The obvious one is that cyber issues just don’t respect international boundaries. Most cyber crime actually crosses international boundaries; nation state activity crosses international boundaries. So if you want to have any sort of hope of addressing the issue, you have to do it in an international context.

In the Obama Administration, we tried to do this in multiple different ways – encouraging participation in things like the international launch and warning networks; things like the FIRST organization, which is the Forum of Incident Response and Security Teams; the collaboration among like-minded countries; the development of cyber norms, of acceptable state behavior. We really had a very robust, international strategy.

TCB: You mentioned collaboration around like-minded countries. How should the United States work with non-like-minded countries, such as Russia and China, for example?

Daniel: Even there, you search for areas of common ground, things that both sides can agree on. A good example of that is the agreement that we worked out with the Chinese in the fall of 2015, where the Chinese agreed to limit the theft of intellectual property through cyber means for economic benefit. That was something that took a long time to develop, but it was one that we were able to negotiate with them. So even with non-like-minded countries, you can find areas of agreement and pursue those.

TCB: The Western concepts of how cyber should be used and how data should be stored for national security purposes often diverge from more authoritarian regimes that may collect data for spying on their own citizens. Can you describe some of those philosophical divides that you see between countries and how those may be able to be bridged?

Daniel: The philosophical differences are really at a more macro level. For example, the Chinese government puts a very high priority on stability, and that shows up in a whole bunch of different ways, including how they approach cyberspace. That’s really not unique to how they think about cyberspace, it just shows up there; they want to exert more control there than we in the West want. Same thing with Russia.

But what we are going to have to come to grips with is the fact that all states are going to try to figure out ways to pursue their interests through cyberspace, whatever those interests are. So cyberspace is going to become – or already is and will continue to be – an area in which states will pursue their interests, and we will have cooperation and frankly conflict.

TCB: Do you think that certain data collection practices by America, by Germany, by other liberal democracies have pushed other countries toward more data localization laws, especially post-Snowden?

Daniel: It’s actually driven by something other than data collection. Data localization is driven by another issue, which is that in the past, crime was local, meaning you had to actually be some place to commit a crime and the physical evidence was there as well. But now, in the digital age, you can commit crime remotely. And so now you can be in the untenable position of, if you are a French investigator, trying to investigate a crime between two French people in some purely domestic French issue, and yet they communicated through Yahoo or Gmail or Outlook, you may have to go to an American IT company to get your evidence and go through the international legal data exchange process to get evidence of a purely domestic crime.

That process was never built to handle the kind of volume and speed that you need to move at in the digital age. So my belief is that data localization efforts are focused more on the fact that local law enforcement and others are frustrated that they can’t get the kind of data they want to deal with criminal activity, than they really are about data collection practices on the part of the U.S. That’s obviously going to be part of the equation for some people, but what I was just describing is a much greater driving force for data localization. It’s an issue that we’re going to have to come up with some solutions for that work at the speed of the digital environment.

TCB: What are some of those solutions that could be implemented?

Daniel: One of the things that we will have to look at is, are there some other regimes for thinking about data that don’t rely on where the ones and zeros happen to reside in a given moment in time? For example, a lot of the cloud service companies would say, we can’t even tell you where that data is physically located in any given second. Trying to say, well that data is located in the U.S. or Germany or Brazil or India is almost a meaningless statement. Instead, we may need to be looking at dealing with issues of data ownership – who owns the data? – looking at it more from a data ownership perspective and establishing rules like that. Maybe even pursuing, on a broader scale, some of the agreements that we were trying to reach with the United Kingdom, where we would grant certain countries that met certain criteria the ability to query U.S. information technology companies and internet service providers directly about their national.

There’s a lot more thought that needs to go into this; there’s a lot more thinking from a conceptual level that needs to occur before we’re really ready to answer this question.

TCB: At The Cipher Brief annual threat conference, we’ve been talking a lot about the future of artificial intelligence and the fact that even though people place a lot of value on it, it’s still not at that level where it can make quick decisions based on a minimal amount of data – you have to program a lot of data and experience and context into these systems before they are able to make decisions at all like a human being. It seems like what’s still missing with AI is this notion of the adaptive unconscious, an intuitive way of reasoning – Malcolm Gladwell talks about it in his book Blink. Is that in development? Do you think that can be developed in the coming decade?

Daniel: This really gets at the issue of general versus specific AI. The specific AI is artificial intelligence designed to do very specific tasks. You already see this when Amazon serves you up [and says] you like x, therefore we think you would like y. Or even the kind of specific AI that we’re trying to develop to do our driverless cars.

But what you’re referring to there and what Malcolm Gladwell is talking about and what other folks that are in this area talk about is something that can truly be considered conscious and has the general capabilities that the human brain has. That I think is a much more difficult problem, and I’m not sure that we actually have a good handle on what it will take to achieve that. In fact, I’m not even sure that all the theorists agree that that will even develop out of the work that we’re doing on specific AI. So I tend to be of the school that that is still a little bit further down the road than people think. That’s probably more like 30 to 40 years in the future.
