The Middle East Institute and Raytheon hosted our conference on "Strengthening U.S.-Arab Cyber Security Policy Cooperation." This panel featured Omar al-Ibrahim (Omprotect LLC), Robert Knake (CFR), Paul Krutz (TruSTAR), and Patrick Turner (DefenseOne)
Patrick: Thanks, everyone, for coming. I’m going to briefly introduce myself. Patrick Tucker, technology editor of Defense One. I cover the effects of emerging technology on national security. There, that’s done. Now, we’re going to – I’m gonna ask each of the panelists to introduce themselves and say a little bit about who they are, why they’re here today, and what this moment in Arab-U.S. cyber policy means for them. Then, we’re gonna kick it off. I’ll ask some questions, and pretty soon, I’ll be asking you to ask some questions, too. So, I’m going to begin with my new friend Omar Al-Ibrahim. Tell us a little bit about you and why you’re here.
Omar: Sure. Thank you for the invitation to this panel. Let me just brief you about myself. My name is Dr. Omar Al-Ibrahim. I am an assistant professor at Kuwait University. I also co-founded a company called Omprotect. We perform cybersecurity testing, penetration testing, security architecture review in the Middle East as well as some clients in the U.S. Previously, I worked as a security consultant with Cigital, which is based in Dulles, Virginia, and then I also worked afterwards with another firm in Boston called Virtual Security Research, recently being acquired by NCC Group.
I studied in the U.S. I got my master’s degree from Rice University. I got my PhD from Southern Methodist University in computer science. When I was in Kuwait, I actually – being a Kuwaiti citizen – had the leverage to work on several government projects, namely the CERT Initiative – the Community Emergency Response Team – as well as conducting some training for the Ministry of the Interior. I gave them security training with cybersecurity.
So, mainly, that is my focus. I also worked with the anti-cybercrime unit at Kuwait University – at the State of Kuwait. So, my perspective of the panel will be from the region. So, I’ll discuss things from their perspective and how they see things in terms of the security.
Patrick: Okay, thank you very much. Mr. Kurtz?
Paul: Hi. I’m Paul Kurtz, cofounder and CEO of a company called TruSTAR. With my background – I spent several years in government, working at the State Department, working at the White House, where I picked up cybersecurity right after 9/11. Since that time, I’ve worked on Capitol Hill in a policy advocacy capacity, advocating for cybersecurity policy changes for a few years, and then went off to the Middle East. Lived in Abu Dhabi for about three years and traveled the region, working on cybersecurity related issues, and then came back and founded TruSTAR. TruSTAR, just by way of background, is a company that helps organizations – largely private sector organizations – exchange cyber incident data anonymously. We correlate that data for all our customers, and they can form enclaves – security communities.
Why today? Why is this important? I think – to give a little tidbit of where we’ll go – we’re fundamentally in a policy-challenged area. All of the normal tools that governments have in order to influence or affect infrastructure bad guys, adversaries – they don’t necessarily work, from law enforcement, to intel, to regulation. There’s a lack of control, and General Hayden probably said it most effectively a couple years ago, maybe a year and a half ago. “Government will be permanently late to the party.”
I think what that means – that’s not just U.S. government. I think that’s any government that looks at this problem. So, we have to kind of – and I can talk a little bit more about why we specifically are policy-challenged – but I think, when we think about any sort of discussion about U.S.-Middle East or the Middle East itself trying to solve these problems, the first point: Your ability to control what’s happening on networks is exceptionally limited.
Patrick: All right, great. Mr. Knake.
Rob: Good afternoon. I’m Rob Knake, I’m a senior fellow at the Council on Foreign Relations, and before that, I spent about four years at the National Security Council in the cyber office, working on all manners of executive orders and such things. I think I’m here to talk mostly about what I think for the prospects of the transition from the Obama administration to the Trump administration. What will that mean for cybersecurity generally, and what will that mean specifically for the Middle East region and for issues like support for internet freedom in that region?
Patrick: This is a great segue. Here’s how I’m thinking we would do it. I’ll start talking and asking questions. They’ll be answering questions, and if something occurs to you, go ahead and raise your hand. We don’t need to spend too much time pushing all the questions to the end. We’ll certainly have room for those at the end, but if something occurs to you, raise your hand and we’ll just try and include you in the conversation, keep it a little bit more dynamic.
So, we’re very fortunate, in a weird way. I’m a journalist, so I think that things are fortunate that aren’t actually fortunate, but we’re fortunate to have a nice news item that we can hook this conversation to. December 1st, multiple news outlets reported a concerted, very successful hacking attempt – believed to be by Iran, there’s not any reason at this point to be very suspicious of that conclusion – targeted at various Saudi Arabian institutions, banking sector, some government institutions.
It was significant. They destroyed data, as opposed to just stealing it. It presents a real challenge for the transition team, because this is something that we now have to talk about – whether or not there’s going to be some sort of reprisal, whether there’s going to be some new foreign policy push against Iran as a result of this, and what can happen as a result of this event that was reported on December 1st, but is a couple weeks old. So, first, I guess you, Mr. Knake: What special challenge do you feel this presents to President-elect Trump as he begins to think about how to reach out to our allies in the region, and also how to craft a cyber policy here at home?
Rob: I think we’ve seen a couple things that come together in the early statements from the President-elect on this. The first is a tendency toward military solutions in cyberspace. He did a very short video the week after he was elected. It was about three minutes long, and it did have a mention of cybersecurity in it, and what he said was he was going to ask the Joint Chiefs of Staff and the Department of Defense to develop a plan to protect our vital infrastructure from cyber- and other attacks.
So, that’s a pretty big departure from what has been a traditional view that cyber is largely in the civilian domain. It’s a market, it’s a place where ideas are exchanged. It’s not a place where everyday Americans want the military involved. How we bring that into this conversation – I would say that probably signals a stepped-up militarization of cyberspace and a willingness to use cyber both as an offensive weapon and to think about the defense of Middle Eastern countries and our allies in that region in terms of stepped-up military support.
I would also say that I think the early signs on Iran are that we’re gonna see a harder line with Iran, and this will be ammunition to try and bring our allies in the region along with that harder line on Iran.
Patrick: What sort of harder line in Iran would Arab partners support? Is this something you feel like they would be anxious to support, or something they might be trepidatious about?
Omar: I don’t truly think that the Arab states are interested in some sort of counterattack by cyberspace. They’re more focused on the defensive measure. At least, they don’t have the capabilities to implement a cyber-offense. The policies for that are not in place. Take, for example, the recent attacks against Saudi. The Civil Aviation headquarters were hacked, and I think even yesterday or today, there’s a Shamoon version 2.0. This is the recent attack on critical infrastructures in Saudi.
There were previous incidents that suggest action for some offensive capabilities, but there were not any responses on that front. Take, for example, the Aramco, or even Stuxnet, which hit Iran. There were no political escalations from their parts, and there’s no political escalation from the Arab states’ part, and there’s no interest to escalate politically, but there may be some interest in developing some offensive capabilities.
Paul: Just as a follow-up – what we’ve seen in many of the attacks that have occurred, not only in the Middle East but elsewhere, the atmosphere is simply one of retooling old stuff. Maybe adding on a new component, new means of command and control, but when we look at what happened – what we know happened – in Saudi Arabia, once again, we should have seen it coming. The Saudis should have seen it coming, other countries should have seen it coming.
The way I unravel that is why? Why did this happen again? Why do we keep on having events happen over and over and over? I keep coming back to the problem of when we are hit, we are exceptionally reluctant to talk about it, for obvious reasons. Until we manage that problem, bad guys, adversaries will have a field day.
As soon as we start thinking more in a connected way, a collective way, about exchanging data about threats – I’m not talking about forming separate internets, I’m talking about creating gated communities where the same regions – the Arab states – could begin to exchange data. I recognize that not all data’s gonna be exchanged about every event, but until we start doing that, adversaries – wherever they may be – are gonna continue to cause a problem.
Patrick: Everything you’re saying totally makes sense to me, and yet, I also see a ton of challenges in the way of Arab states better sharing cybersecurity data with one another. This was a pretty controversial subject in the United States when the Department of Homeland Security was pushing this big cyberinformation-sharing bill, and this is the United States. Everyone gets along just fine, and this was pretty controversial. As a sub-portion of that bill, companies can share information voluntarily with the Department of Homeland Security, which can share it with DOD, which can then share it with Arab partners. There’s a weird thing that resulted from that.
Paul: It doesn’t have to be that way. I think the problem with the calculation we always make is that we’re going back to the old school, that government has to be in the middle of this. It doesn’t. Government doesn’t have to be in the middle. The private sector can take matters into its own hands and begin to form alliances to exchange data. Government can be told along the way, perhaps later, but the front line, in many cases, is a private sector organization.
In the reference to the Cybersecurity Act, which was passed – what, a year ago today? – it does indeed promote exchange with the federal government, but it also enables the exchange of data back and forth across the private sector. So, in that sense, it was good. That data is not flowing between the private sector – when it’s exchanged with the private sector, it’s not flowing into the government, so you don’t have the privacy issues that you highlighted.
Patrick: Yeah. There’s a question, though, of whether or not you can mandate that different companies disclose incidents where they were attacked and then share information about that, which is something that I think a lot of people in the cybersecurity community would like to see happen – companies having to come out and say, “We were attacked. Here’s what happened. We’re going to share this information to improve collective defense.” That can come at a cost to share price, because you’re saying, “We might have lost information. This is an embarrassing black eye for us.”
So, this tradeoff is something that everybody talks about in debates a lot. Where to mandate sharing, where not to. Can we create a private framework for information-sharing that can be as effective as a mandate? That’s a lot to put on you, Mr. Knake. I’m sorry about that.
Rob: I’m happy to take the burden of it. I think we can. I think if you look at the impact that incident after incident, disclosure after disclosure, has had on company stock prices, it has been almost nothing. Stock prices – if they take any hit at all, they always rebound from the disclosure. Target, Home Depot, every health insurance company in the United States, defense companies, Google – I could go on for a while. I’m sure we could probably get a very long list if we did.
So, I think that fear is something that we need to move beyond. I also think that one of the more defensive models – or one of the better models we’ve gotten out of the defense community – is the idea that when I disclose to my partner companies that I have been targeted, I’m not necessarily disclosing the fact that I have been breached. And so, I can share that information without raising questions of, “Does this mean that you lost all your intellectual property, all your payroll information, or does this mean you’re actually that good at what you do, and you’re sharing it in hopes of protecting others that you depend on?”
Patrick: Right. We had a question over here.
Audience Member: Patrick, you asked us to hack the panels.
Patrick: Yes, please hack the panel.
Audience Member: My question is actually to Mr. Knake. The White House – executive branch of the U.S. government – dealt with this sort of cybersecurity threat, tried to develop policy and responses. My question is about allies of the United States, and in this particular case, the Arab world. If we think of cybersecurity as the new frontier of warfare – in some cases, criminal action in others, and so on, learning how to defend itself and so on – to what degree is that being done cooperatively with allies in Europe and Japan, who have the technology? And, to what degree is whatever the U.S. and its allies are learning and developing as countermeasures being shared with allies in the Arab world?
I particularly ask with the White House’s GCC summits that have happened with President Obama and so on. Has cybersecurity been one of the areas of defense cooperation, and does an ally of the U.S. get some protection or ways to protect itself as they do in naval affairs and missile defense and so on? Their toolkit –
Rob: I’ll give a multi-part answer to a multi-part question. First, I think, traditionally, the U.S. has looked first to its Five Eyes allies on issues like this, and so cyber is no different. So, the first round of cooperation has been with the Five Eyes. The second round of cooperation has been with non-Five Eyes European countries and Japan, so it’s kind of followed that traditional model. I think, in the Obama administration, the GCC countries were kind of difficult partners because the issue of cybersecurity gets conflicted with others of what I’ll call information security.
So, at the same time, where the Obama administration wanted to help Saudi Arabia and the UAE after the Iranian attacks on them and did provide assistance to them, at the same time, there was this tension in the relationship pressing them on domestic spying on their citizens, pressing them on having national firewalls that block content. That was a major push in the Obama administration, pushed in large part by Secretary Clinton at the State Department. So, I would predict that we’ll see less of a concern with those areas in the Trump administration, and probably a stepping up of cooperation on the military front and on the cybersecurity front.
Patrick: On that – this is a really important point because, according to the figures that I saw – which are from 2014, so they might not be perfect – there are 160 million Arab internet users around the world. Saudi Arabia, the UAE – these are countries that receive not particularly good ratings in terms of internet freedom from the Open Net Initiative, from other think tanks, and I wonder –
Here’s the thing. Does the United States have some special responsibility on behalf of the citizens of those countries to stand up for their – I don’t know, what we would think of as a First Amendment right – just freedom of expression, freedom to exchange information openly, and in so doing, do we put our relationship with the state of Saudi Arabia, with the state of the UAE, at risk? We’ve tried to strike that balance, and I think Secretary Clinton’s tried really hard to strike that balance, and did – I think – a very good job at a very complicated task. Where do you see that responsibility lying for the United States government for the Trump team, and what are your expectations?
Paul: I’ll start. Once again, I think we’re policy-challenged because of recent events here in the United States. I think it’s exceptionally difficult for us to look outwardly and promote freedom of expression among citizens when, at the same time, we do have debates inside the United States about the use of encryption, and discussions around whether there needs to be some sort of back door. I think, though, we should always strive. I hope that the incoming administration will always strive for an open, free internet. I think that’s paramount, not only for individual rights, but also exceptionally important for commerce.
I don’t want to see the balkanization of that, but our ability to work with our friends in the region and, on one hand, speak in such a way, “Well, they’re violating individual human rights,” at the same that we have such debates, it’s difficult, but we have to continue to push, and I would argue that this is where governments can work together in the region with us to recognize that there are some inherent difficulties here, especially when it comes to handling terrorism and criminal organizations that are involved in not just financial criminal enterprises, but some really nasty stuff.
So, that’s where I come back to that collective approach – or connective approach, rather than collective – of being able to work together, and is there some sort of alliance with the little “a” that comes together? Omar probably –
Patrick: Yeah, Dr. Al-Ibrahim, I wonder – I understand that it’s hard to speak on behalf of an entire region, but the regional perspective on this is probably something different than what the U.S. tech press reports on this. How is the question of internet freedom, encryption, and security handled?
Omar: I’ll give an example and then deduce my comments from that. In 2015 in Kuwait, there was a bombing in the Shia mosque in the heart of Kuwait. The Department of Homeland Security in Kuwait knew about the bombing months before it happened, but they didn’t know how to approach it. In the aftermath, after things happened, they saw recordings from telegrams between the terrorist groups about planning these actions.
Now, from their perspective, if they’d had the capabilities – the visibility – over these connections, these communications, they would have been able to prevent such terrorist attacks. So, from a government perspective, from a political perspective, even the people feel the need for security, and that need can be more valuable than end user privacy. The people are aware of the invasion of privacy issues, but they tend to accept it because of the fear of terrorism.
Patrick: What would be a constructive role for the U.S. to play in that debate? Obviously, we’re not part of the group there. We’re a foreign player that perhaps has an opinion, and burdening other people with that opinion. At the same time, I think there should be a real fear of alienating 160 million people around the world that are going to make up the users of the next generation. Is there a balanced role that we should play in terms of policy and the way we talk about this?
Omar: Countries like Kuwait and Jordan do protect civil liberties. Because of the political landscape, they have a free elected parliament, and the people’s voice is on the table when it comes to freedom of expression, curbing civil liberties, and so forth.
I’ll tell you another example. After these attacks – the Shia bombing – happened, the Kuwaiti government had enforced a law to conduct DNA testing on every citizen in Kuwait, just like a library of genealogy for everyone, and that was approved by the parliament at that time. Now, when people start to think about it, “Hey, it’s invading our privacy,” and the political opinions started to rise, and this law was stopped. So, you see, these debates are ongoing and are sort of like a conversation.
Patrick: I think it’s very difficult to have a conversation about cybersecurity in the Arab world without having a big focus on Iran and the effect that Iran has been having, particularly since 2009, when their entire internal internet posture changed and they created different military apparati to first clamp down on their own internet, essentially turning it into a highly surveilled intranet, and also the creation of different military and paramilitary cyber units that can effect havoc, if you will, around the world.
So, earlier, we were talking about the very famous Aramco hack, which was the second documented cyber-physical attack, the first one being Stuxnet at the nation-state level. Stuxnet remains officially unattributed, I think, but we have pretty high confidence that Aramco was Iran. So, contrasted with that, destroying data from a bunch of banks looks pretty mild. Having said that, there’s been an increase, certainly in incidents, especially since 2014.
So, when you look at the effectiveness of Iranian cyberactivity over the last couple of years, do you see a trend toward escalation, and is there an appropriate response specific to Iran, or does it depend on whether or not we can create a coherent cyber policy first and then project that forward? I feel like I already know your answer – create a coherent one first, and then see if we can deal with Iran.
Paul: Look, I think it’s tough. As Sean said in his remarks before – and I think he was right – let’s understand what a cyberattack is. It is a tool that a party may be using to effect an end, and when I think of Iran, I think of, “Well, how would they seek to use that tool, and is it one of an escalatory nature? Are they seeking to do more?” Perhaps I’m really not that well-schooled on their capabilities, but what I think I can say is that as we think about working with our allies in the region, it’s like, “How do we gain a greater understanding of where they actually are and what they’re doing?”
I think the challenge, once again, that I come back to is that the cyber tactics on the part of an adversary can be so amorphous, so jelly-like, that to attribute something to Iran, which might actually be launched from elsewhere in the world, is really hard problem. Launched in our own backyard, or inside Saudi or Kuwait or wherever it may be. That’s where I come down to – we really haven’t fully gotten our hands around the essential issues or challenges that we have. The velocity of the network is instantaneous. The change in the technology is essentially overnight. Our mousetraps are security fails, and there’s no silver bullet.
Fundamentally, at the end of the day, government can’t do a lot, but they do need to have a level of trust at the senior level to begin to collectively understand whether or not an entity like Iran is really a problem. I suspect they are.
Patrick: Well, I think that there are things that government can do, and in the case of Iran most recently, we had – 2016, in March, the Justice Department indicted a guy named Hamid Firoozi for trying to hack into a dam. He did. He was basically doing what we call port scanning. He was sitting around his office. He works for an Iranian military defense contractor, and he found this one particular port on a website where you can just go and find open ports all around the world, and he figured out how to remotely close a dam in rural New York, and the Justice Department hit him with an indictment.
I remember watching the Senate Armed Services Committee hearing not long after, and John McCain, who has a wonderful and consistent opinion on this sort of thing, brought up, “Well, why can’t we hack them back? Why can’t we retaliate on the level of a nation-state, since this is a nation-state attack on a piece of infrastructure? This could have been very dangerous.” And deputy Defense Secretary Bob Work, who also has a wonderful, consistent point of view on this thing, said, “We’re going to respond in the time and place of our choosing.”
Attribution is really hard. Before you’re going to do any sort of nation-state retaliation, they want – from the Defense Department – to know not only the person who pulled off that particular operation, but also the chain of command that gave him the authority to do that. Absent that clear message from a commander saying, “You get to do this,” the Defense Department’s really reluctant to act, but there’s a lot of political pressure to have a more forceful nation-state retaliatory response when we read about this sort of thing.
Do you see that – you’re someone that lives in this town with the rest of us and watches as the winds of change blow through – do you see that balance changing in the coming administration? You talked about a more robust military posture. Is that something that you see changing?
Paul: My hope – and I think this a reasonable hope – is that cyber will be seen in the context of the overall relationship with Iran and what we want out of that relationship. If you back a few years, while the Aramco attacks were going on, there were also distributed denial of service attacks against U.S. banks. JP Morgan and other banks were hit with attacks that tried to flood their websites with traffic and keep their users from being able to access them.
Very quickly, it got attributed to Iran, and very quickly, the phone calls started to the White House and to the Defense Department, demanding that we do something about this. This is a nation-state attack against the banks. Right, it was. The response of the administration was nothing. The reason the response of the administration was to do nothing was really twofold. 1). It was happening in a way that the feeling was, “Leave this alone and ignore it. It’ll probably antagonize them more than responding.” 2). We didn’t want to get into a cycle of escalation with them. We wanted to avoid that.
Why did we want to avoid that? We were negotiating the Iran deal on the nuclear fuel enrichment. So, I think in that context, you would say that the next administration will hopefully say, “What do we want to get out of our relationship with Iran, and how do we think about how we respond? Do we continue to respond at a time of our choosing and in a manner of our choosing and gaining escalation dominance over the Iranians?”
Patrick: Right. It’s an important point, because the threshold of attribution that’s necessary before there is a nation-state response is somewhat subjective and somewhat in the mind of whoever is in charge of making that decision about an acceptable level of attribution or not. I’ve known Admiral Mike Rogers for a while, and he has a pretty high threshold. I think that that could change pretty quickly, depending on which direction the team decides to go.
Maybe that’s not necessarily a bad thing, because the escalation attack shows that there is something. There are teeth that are missing in our response, but that doesn’t necessarily mean that a reciprocal nation-state counterattack is the best solution for when a guy in an office in Iran finds an empty port and operates a dam. It doesn’t necessarily mean that you want to shut off a dam in Iran, and that’s a really difficult question of what sort of response is appropriate. Let me see – do we have a question? Yes, right here. Shoot.
Audience Member: – your earlier question about sovereign intelligence. We do cybersecurity work in the Middle East region. Two quick questions – one is where is the private sector in this discussion? They’re very vulnerable, as you know. There’s family businesses, there’s very little in the way of government controls and registrations, stock markets, until the very last few years. So, the private sector is far more vulnerable there than anywhere else in the world, perhaps. Could you address that a little bit and see where that goes? Thank you.
Omar: Yeah, the private sector, they follow the standards. Whatever the standards give them, that the level of security they have. For the banks, for example, they follow the ISF standards, generally, to conduct their security practices. For the critical infrastructures, however, it’s a fragile environment. There is no level of decent protection over there. If you follow the Microsoft security intelligence report on the number of Windows machines that are infected in the Arab world, the world infection rate is between five and ten percent, and the GCC alone is about 20 to 30 percent, and in some countries, it reaches up to 40 percent of the machines infected from the population.
So, even the impact of these types of attacks that we hear, a part of it is that a lot of the countries are using legacy systems that just need patching. I don’t believe that the level of sophistication justifies the impact that we see and some of the damages that we have in some of the control infrastructures or some of the banks. So, just following some of that security practice will reduce some of that impact.
Rob: Just to add to that a little bit: I think PWC – earlier this year, maybe March, April, or May – put out a report, a security survey, of where the Middle East was, broadly speaking, on cybersecurity and highlighted lots and lots of problems. But at the same time, one of the things I took away from that survey was there was also a more open acknowledgement of incidents and problems that I expected. When I lived out in the region for a few years – it’s been a few years since I’ve been there – there was a real sense of not necessarily wanting to talk about having a problem.
So, I do think that there is – I found the survey negative in a way of the number of incidents that were occurring, but positive in a way that the willingness of executives to talk about the problems they were having. The other point I would add is – and maybe Dr. Al-Ibrahim can talk about this, too – I sense that the governments knew that this was a growing challenge, and that Saudi Arabia, UAE, Bahrain, several others in the region were ramping up on how they were gonna handle this problem. They were seeking to protect government.
How do you basically get your hands around what’s going on networks to begin with, given the rapid change in technology, and in a country like UAE, it’s ramping up from not a lot; in Saudi, not a lot. In many cases, the government’s gotta get their act together first, and then they can start working more concretely with the private sector. I do think there’s great business opportunities out there to help the private sector, but I do think there’s a bit of lag time. I don’t if others would disagree.
Patrick: So, actually, Omar, if I could, on this – one aspect of cybersecurity that I think gets very short shrift that needs more attention is that of encryption – disk encryption and also end-to-end user encryption. So many of the attacks that you read about in the news are the result of somebody, somewhere, opening up an e-mail and clicking on a link. We call these “highly sophisticated attacks,” and they’re actually pretty rudimentary.
So, both end-to-end user encryption and disk encryption are generally seen as very important to cybersecurity, but they also run up against state policing and surveillance initiative. So, there’s sort of a contrast there. I wonder if you could talk a little bit about how different governments that you’ve worked with and different citizens across the Arab world think about the encryption debate. We’re going to have a big debate about it probably in the next year. It’s something that I think very strongly is gonna come back up on the hill. How do different governments, different companies, and different citizens in the Arab world think about encryption, or do they?
Omar: Encryption – you mean of mobile applications?
Patrick: Mobile, yeah. End-to-end mobile encryption, and also desktop encryption, which is much less controversial, so you probably don’t really think about it.
Omar: Okay. Let me talk about some of the surveillance controls that are in that region. Currently, they follow maybe four or five surveillance controls that I can think of. They’re either blocking service from the network level or from the application level. They’re either throttling the network traffic – when the Arab Spring came and people started to protest, there was throttling in some of the countries to prevent media file exchanges.
There’s also work on interception of encrypted traffic like SSL. If you look back in 2011, the Blackberry ban or the encryption keys, they wanted that encryption keys regardless of the customer base that Blackberry had or the number of users that are using Blackberry. In Saudi alone, during that time, they had about 400,000 or 500,000 users, and the same numbers in the UAE, and they were willing to ban Blackberry for that. This tells you something about the privacy/security debate that’s going on there. Their policy or their value framework is different.
Patrick: Are there any groups – so, today, if there’s gonna be an encryption bill that comes up, I get an e-mail from the Electronic Frontier Foundation, I get one from the ACLU, my Twitter feed explodes, a bunch of people ask me to participate in a boycott, and there’s just a ton of political activity. Are there interest groups or consumer groups or user groups that advocate on behalf of strong mobile encryption in the Arab world? Is that even – pardon my ignorance – is that even a thing? Do people do that?
Omar: It didn’t pick up as much in the media, but people are aware – I saw something in the social network arena. There’s a lot of Twitter abuse in the region in terms of people slandering against each other, extortion, a lot of these type of abuses. These are reported as cases to the anti-cybercrime unit, and they have to deal with them. That is what is overwhelming the government or overwhelming the situation over there, is how to handle these cybercrime cases.
There is anti-bullying that’s going on through cyberspace. The governments there – all they really want in terms of their strategic policy is to have collaboration with the social network companies to gain access to some of the technical information so they can pinpoint to some of the cybercrimes and resolve them.
Patrick: Okay, so it’s sort of safe to say that the availability of end-to-end user encryption is probably gonna flow from whatever compromise the activist community and the government and security community reach in the United States. That would determine, in some small way, the availability of these sorts of things in the Arab world.
Omar: Yeah. End-to-end encryption as a commodity is viewed as a political threat.
Patrick: Yeah, which is key, and I think it’s definitely coming back this year before the hill. So, I wanted to go back briefly to the question of Iran and what sort of policy is appropriate in terms of creating a strong disincentive, what’s practically achievable, and what are the risks of pursuing a stronger deterrence policy, particularly towards Iran? I might start with you.
Rob: Sure. When you look at Iran, you have to look at the context of this relationship. How do you deter Iran, period? If you look at the Obama administration, it took about five years to get to what I think is a semblance of a deterrence strategy in place for China, to convince them that it wasn’t in their interest, that we would make it cost more than they would gain to steal U.S. intellectual property and give it to their national champion companies.
That took a five-year multistep strategy of first showing – to Paul’s point – that we could do attribution, and we could do that down at the level not of a country, not of an organization, not of a building, but down to the level of individuals – name, rank, and serial number. That started last spring with Iran. “You can’t deny this, we know who this was, we know was by name. We’ve gotten that good at attribution.” That lays the groundwork for convincing the rest of the world that Iran was behind those activities, and then trying to build some kind of structure around them to contain their activities in this space.
Patrick: Do you think that sanctions are still an effective deterrent tool, or do you need something more creative?
Rob: The real question with Iran is what more sanctions can the United States put in place against them on anything? Sanctions were a very strong threat to China, and China cared about being labeled as this pariah kleptocracy. Iran, I don’t think cares as much about any label the United States might apply to them, and so I think from that perspective, it’s very hard to look at how we might contain Iran and their activity. I think you have to go back to an earlier era – and Paul can probably talk to this better than I can – but look at what was done after Khobar Towers. How did the United States put that relationship with Iran back in the box and contain their global terrorism?
Patrick: So, what should we do?
Rob: Sorry, Paul.
Patrick: Go ahead. Make our cyber deterrent policy against Iran, please.
Paul: You’re definitely dating me as well.
Rob: I was in high school when that went on. You were in the White House.
Paul: No, I wasn’t quite. Look, I’m sorry Patrick. I’m gonna sound like a broken record. I think a lot of the traditional tools we’ve had to influence in the case of sanctions and law enforcement are not as useful as they used to be in this space, and just in the example you raised about the individuals who had hacked the dam, and if you look at the time it took to put that together and all the adversaries out there – not just whether they’re Iran or a criminal organization – they’re looking at the time it takes to respond.
And so, I really do think we need to keep that in the back of our mind. I think a lot of this is gonna come down to how we work with – as Rob appropriately said – let’s not look at Iran in terms of strictly cyber. There’s huge issues with Iran. So, let’s look at the collective package, and ultimately – like Rob said – what’s the end state? Where do we want Iran to land in the region? There’s gotta be a broader approach to how we look at that, and I’m sure the incoming President will – I would hope – do that.
Patrick: I need a specific, though. I gotta figure something out. Either we can put more naval assets there to frighten them, we can increase arms sales to Saudi Arabia as a retaliatory strike – but that seems like a weird thing to do because some banks saw DDoS attacks. I think we’re all grasping at what concrete steps are available to us in the face of a threat.
Paul: I go back to one of my first conversations I had with somebody in the region about wanting to build out the capabilities to be more offensive in cyberspace, and I said, “The first thing you have to do is figure out how to defend yourself.” So, we can talk all we want about deploying assets, but the first thing people have to figure out is how Arab nations are going to actually collectively defend themselves.
That’s the problem that hasn’t been solved, and I’ll leave it to Rob and those who left the White House more recently to determine what the avenue forward is and the broader applications of deploying military assets, because what I think is challenging about this situation is – okay, let’s see. You move a bunch of military assets – naval forces – in. We’re the one that has extreme vulnerability – dependency, excuse me – on IT networks and many of our allies and friends.
This is not straightforward anymore as to how we respond with cyber, and once again, to Rob’s point, opening up about the President-elect’s short video and talking about the Joint Chiefs of Staff and, if you will, looking after critical infrastructure. That’s clearly an escalation. You might argue we need to shake things up in that sense. We need to send a message that we’re gonna be more forceful in this space, but my concern is – and even with the President’s report that came out yesterday or the day before – we don’t understand what that endpoint is and what that escalation looks like in cyberspace as it relates to all of the other capabilities we might have.
One final point, which is totally off target, but relevant – one of the things that nobody is focusing on now is who’s spending money now to increase communications on the internet. It’s the private sector, and they’re putting satellites in space. If you look at Amazon, Musk, and others, once again you’re faced with the challenge of how much government can do. It’s gonna have a real impact on the ground in places like the Middle East because there’s gonna be private sector options in space, and your ability to traditionally control networks on the ground might be very much challenged in the not-too-distant future. Maybe five years, as satellites start to get deployed in space – private sector ones.
Patrick: Later this month, Defense One is having a viewcast meeting on the contested space environment, so just a little plug, if space war is something that you’re totally into.
So, on this, I think it’s actually a really good point, because you actually did – I don’t think you meant to, but you did lay out a concrete step that we can all take, which is better cooperation to improve the resiliency of important internet assets in general, whether it’s an offensive step or just everybody cooperating to play better defense, and part of that means – as we’ve been talking about – understanding that you’re going to have breaches, and have a mitigation policy practice in place that’s gonna be effective.
This is something that the United States – in May 2015, the White House and the Global Cooperation Council – pledged security assistance, military cybersecurity exercises, with different Arab partner states. I wonder – have you seen anything come from any of those efforts? In your view, have you seen better, more meaningful cooperation between the U.S. and Arab partners since 2015, or even if you want to take a broader view in the last few years, on cybersecurity, and what’s the evidence of that?
Omar: The Arab states have what they call the TRA, the Telecom Regulatory Authority. This acts like the FCC in the United States, and part of the TRA – including the regulation and licensing of the telecom services – they are also responsible for e-commerce and e-government policies and monitoring these projects, as well as devising the national cybersecurity policy. So, that’s under the responsibility of the TRA. The TRA has been established in several countries – the UAE, Oman, Saudi – and you can go online and read about their services.
Part of the TRA’s action is actually to cooperate and develop the policy framework, and I have been cooperating from the Kuwaiti front. They have been working closely with officials from the U.S. government, namely the FBI, NSA, the SS, and to devise that national security policy. So, that’s a role that the U.S. government can play with its Arab partners, is to develop that framework.
The other role I think the panelists mentioned is to devise or build a platform for cyber-threat intelligence. Today, in the U.S., the standards are there – the information-sharing standards by MITRE or other companies, even the government have their own standards for information – sharing cyberattacks, attribution of cyber-incidents, malware, and the technology is there. So, developing and employing that technology in the Arab partners and building the incident response capabilities – not just the risk assessment and penetration testing or the security assessment type of services.
Audience Member: Omar, could you clarify [inaudible] [00:53:08]?
Omar: That’s something that should happen. There some incident response – in the private sector, that is happening, but not at the government level.
Patrick: Go ahead.
Audience Member: [Inaudible] Does the U.S. government provide any cybersecurity training? We do foreign military education and training and foreign military sales in many other areas, and I’m just wondering why we don’t do that, and if we do, who’s doing it and how often and with whom?
Patrick: We do, a little bit. That’s part of the 2015 White House/Cooperation Council announcement. They pledged security assistance, co-military cybersecurity exercises – so that would be run out of Cyber Command – and Tenth Fleet, so the Navy, but the extent of them is – It’s inter-military, so it’s not something that the U.S. extends out to the private sector in the Arab world, for instance. So, it’s not actually something that reaches those targets that are most likely to be hit.
Rob: I would also say that, in general, the funding for State Department assistance for DHS, U.S. CERT assistance, and for the Justice Department to provide law enforcement and legal training assistance is woefully inadequate, and so, it’s very hard to get those kinds of resources outside of the military context anywhere, let alone to the GCC.
Paul: Let me add to that a little bit. I may disagree a little bit with Rob on this in that a lot of the challenge just becomes where to get the training. If you’re sitting somewhere in the Middle East and you’re like, “Okay, where do I go to learn how to defend myself?”, there are a lot of entities here in the U.S. that offer training – UMBC, for one, you can go to private sector organizations as well – and having walked that walk out there, a lot of what the task was is to make those introductions to help countries evaluate what the training opportunities might be, and then to arrange for them in a way.
In some cases, at least in the Arab world, cost isn’t necessarily as much of a challenge as you might find in other parts. So, it’s creating an avenue of trust – I can send people here, or they can come here – and when I was out there, there were several training programs that were launched. And then, the type of questions that come up, like, “What kind of training? Are you starting at the fundamental level of coding, or are you just talking about basically cybersecurity practices and procedures?”
There’s a whole slew of training that can be utilized, it’s just creating that and understanding what the curriculum might be for whatever entity might be in the private sector versus – to the point about the private sector, there’s government needs, but there’s – mil-to-mil may be really appropriate and good, and maybe the resources are a little bit short, but you can also say, “Well, what about the private sector side?” A lot of people I talked to when I was out there did not know where to start, but they might not be able to get the resources to do it if they didn’t know where to go.
Patrick: I would tend to agree. I think that mil-to-mil co-training efforts, when you’re talking about how to fire ballistic weaponry, is hugely important, but when you talk about cybersecurity, I don’t think for a second that the United States military has a better handle on that than a cybersecurity company that’s doing contract work, that’s facing Iranian DDoS attacks on a daily basis. The entire United States government, in many ways, is following the private cybersecurity community in so many ways, so much; and that’s where information sharing comes in, and why it’s so critical.
I think I saw another hand. Did I –okay. So, I wonder if we could talk a little bit about how we’re going to be talking about cybersecurity in the Arab world in ten years. We’ve been talking about a need for better collaboration, and some issues around consumer encryption, and some anxiety about whether or not the incoming President might pursue a deterrence policy that’s more robust than the current administration. Ten years from now, what do you think we’re gonna be talking about when we talk about cybersecurity in the Arab world and opportunities for the U.S. to play a helpful role?
Paul: I’ll throw one idea out there. I think in ten years, we’re gonna be very much cloud-based. The traditional infrastructure we have inside enterprises is gonna be largely dispersed into the clouds, and I think the opportunity it presents is what does that cloud look like? How do we partner on protecting the cloud?
I think that’s gonna open up some really positive opportunities for working together with our allies, a way of defining relationships with allies, and who might have access to what security communities may be established. That is the incentive we have with the cloud, we’re gonna have the IOT. It is exploding, but if you look in the reading I’ve done – Seventh Sense by Joshua Cooper Ramo talks about a lot of the issues that are out there, but it’s gonna be a consolidation of activity in the cloud, and that’s gonna really challenge how private sector and government look at working together.
Patrick: Okay. Go ahead.
Omar: Yeah, I think the area of critical infrastructure protection is key to that relationship. Part of it is the U.S. has its interest to protect the critical infrastructure, not only because it supports its allies, but also to protect its military operations. I had the representative from the U.S. Embassy in Kuwait, and he discussed that point with me. I literally said to him, “Why are you developing the policy and working with the Kuwaiti government on this?”
He said, “Well, the critical infrastructure in Kuwait is very fragile, and their systems are being exploited because of the fragility of the current underlying critical infrastructure.” We’re talking about communications, utilities, the main services. So, in the event of a war or a cyberwar, that is augmented with that. Critical infrastructure protection is key.
Patrick: Have you seen actual infrastructure attacks in Kuwait from outside actors? Is that something that you’ve seen?
Omar: Kuwait is not a specific target. I mean, we saw some examples in Saudi. Saudi’s the larger example here. I’m sure such events could happen in any country in the region. So, that being said, there are project initiatives that are happening. There is the Internet Exchange Project, which is consolidating all the infrastructure from different telecom sectors into one aggregate SOC or NOC, having the resiliency to protect that internet exchanged as opposed to every telecom or every private sector being responsible for protecting their own infrastructure. There is a tendency for the nation having the responsibility to protect the private sector. It’s not just that everyone protects their own infrastructure anymore.
Patrick: Okay, that sounds good.
Rob: I’m gonna try and be optimistic – or, depending on your viewpoint, pessimistic. In ten years in this region, I think we’re gonna see the failure of the national firewall model, the idea that we can wall ourselves off for reasons of politics, for reasons of culture, from the greater internet. I think we’re gonna find that that is two things: Incompatible with business, certainly incompatible with the future of IT that Paul hearkened to with almost totally useless for cybersecurity – the idea that this is for a cybersecurity purpose will be proved absolutely and totally false.
I think where we will end up is a situation in which the proliferation of anti-censorship tools is just going to increasingly mean that these countries realize they have no ability to control what their citizenry have access to on the internet. I think the ability of a country to selectively say, “We want to let in business, we want to let information flow so our economy can thrive, but we want to keep out other kinds of information and we’re gonna try and control that” is actually just a technical impossibility. It’s not compatible with the internet that we have today, and I don’t think it’s gonna be compatible with the internet that we have in ten years.
Patrick: That is very optimistic. All right everybody, I want to thank you for participating in this. Can you join me in giving a round of applause to the panel?