Every month at Publicyte, we interview a star who in our view is under-the-radar, and highlight their work in which they’re using technology for civic good, whether in the private or public sector. This month for our issue on Safety, I reached out to Jeffrey Carr, a cybersecurity consultant and author and former Microsoftie who I've known off-and-on for years through my work at the Department of Defense and now at Microsoft. I recently got to chat with him about the latest on the topics of cybersecurity and "cyberwar" and other things that keep him up at night.
Hi Jeffrey! What's currently keeping you busy?
First, thanks for doing this interview, Mark. My company Taia Global has grown a lot since you moved from National Defense University to Microsoft! We're actively involved in incident response and vulnerability assessment for a very select group of Fortune 100 companies and we will soon be launching a subsidiary company named Taia Mobile, Inc. which will move us into the world of mobile security apps. We've got two such apps on deck for development, one of which has a splash page up at Embassy911.com. By the way, that's an exclusive for you - we've never announced the creation of Taia Mobile Inc. until now.
An accidental exclusive! Who knew Publicyte was so powerful! Let's back up - How did you get your start in the cybersecurity field?
Good question. I just wrote a blog post about that called "My Top 5 Tips for Cyber Startups." Basically, I started trying to solve a hard challenge for the Intelligence Community while I was at Microsoft, which led in turn to Project Grey Goose which led eventually to my own hard challenge - how to convert a passion (solving hard intelligence questions like attribution in cyberspace) into a business. Taia Global and soon, Taia Mobile, is the latest iteration of that journey.
Thinking about Publicyte's public sector-oriented audience, what is the role of governments in cybersecurity, versus the role of private tech companies like Microsoft? Are there international regulatory bodies overseeing these matters?
There are no regulatory bodies that wield any authority, and that includes ICANN [Internet Corporation for Assigned Names and Numbers]. As far as private companies and governments go, I can't really answer this question in a few sentences, Mark. It can easily be the subject of an entire paper, especially based upon my own experience at Microsoft. Suffice to say that private companies must be involved at least as much as government, if not more so. And that much more must be done by both parties.
Turning to the more military/defense side of these issues, how do you know if a cyber act is an "act of war" and how does the U.S. think about that differently or the same as other nations or, say, a group like the UN? Does the military necessarily have to be involved?
I'm not a lawyer, but I did quite a bit of research on this topic for my book "Inside Cyber Warfare," chapter 3. Basically, the Law of Armed Conflict (LOAC) regulates when and how a nation can respond to an attack. The first requirement is that the LOAC applies only once armed conflict has been initiated. So a cyber incident doesn't even qualify unless it follows a military action. If you get past that hurdle, then you must be able to assign attribution to the cyber attack. If you can't, you have no legal standing to launch a counter-attack. Finally, the initial attack must cause significant damage or harm. Most cyber attacks don't come close to meeting one or more of the criteria set out by the LOAC.
The U.S. position as I understand it is that it reserves the right to respond to a cyber attack with military force if such a response is warranted; meaning if sufficient harm has been caused and if attribution can be assigned. That would coincide with the LOAC, in my opinion.
Cyberwar is not quite cyber and not quite war. You don't like the term "cyberwar" nor necessarily using the same understanding of traditional war in the cyber setting. How do you suggest it be alternatively explained?
The convention of "cyberwar" instead of "cyber war" is just weird to me. You don't use it to describe a war on any other terrain (i.e., a land war isn't referred to as "landwar"), so why should war in the cyber terrain all of a sudden become "cyberwar"?
I don't think that we'll ever see a pure cyberwar (sic) but we do see cyber operations between adversary states on a regular basis. We also see a lot of cyber espionage; more so than at any other time in history. I believe that China, Russia and other nations are ramping up their espionage operations in order to accelerate their own military and civilian technology development with the ultimate goal of replacing the U.S. as the world's sole superpower. For China, this would represent the supreme conquest mentioned in Sun Tzu's Art of War - winning over your opponent without ever having to join in battle.
You used to blog for Forbes, and now you don't. What happened with that?
In two words, Yuri Milner happened. I wrote an article that explored Milner's ties to the Kremlin and suggested that his investment in social media benefited the FSB [Russia's Federal Security Service]. After all, DST Global, a Russian company, would have to cooperate with the Russian government if asked. That's the law in the Russian Federation.
Milner read it, then called his lawyer in London who sent the Forbes San Francisco Bureau Chief a demand letter to remove the post. Forbes removed it without discussing it with me and also locked me out of my blog for 24 hours. Once I could get back in and create a new post, I called Forbes on its chickenshit behavior - literally - and stopped blogging for them. Even other journalists were shocked at how quickly Forbes caved in to Milner's attorney.
Interesting. Little known fact - For about a year, I blogged at True/Slant, the startup precursor to what's now Forbes' blog platform. So we both broke up with them 🙂 Anyway...speaking of more general audiences for this material, what's the most important thing about cybersecurity that your average techie probably doesn't understand?
I think it's that Information Security is a monumental failure. Companies spend more money than ever yet experience more breaches than ever as well. The entire strategy of defending the network perimeter is flawed and needs to be turned on its head. The key is not to keep the bad guys out of your network (because they're going to get in no matter what you do) but to keep your critical data from leaving.
Our mutual friend Jack Holt might say that this is akin to not seeing your computers as a fortress to defend, but rather as seeing the Internet as a field to maneuver within. What is the biggest difference between defending government vs. private industry systems, or is there any?
I don't think that there is a fundamental difference. We advise both companies and governments to become data-centric rather than network-centric; to know who is accessing their critical data and when; and to lock it down accordingly.
Jeffrey Carr is the CEO and Founder of Taia Global, Inc. and the author of "Inside Cyber Warfare: Mapping the Cyber Underworld" (O'Reilly Media, 2009). He is a frequent speaker at places that include the U.S. Army War College, the Air Force Institute of Technology, the Chief of Naval Operations Strategic Study Group, and over 60 conferences and seminars. Carr occasionally blogs for the O'Reilly Radar site and he tweets at @jeffreycarr.