Press "Enter" to skip to content

Chris Painter on The Open Mind: Cyber Diplomacy or Mr. Robot Dystopia?

I’m Alexander Heffner, your host on The Open
Mind. When I recorded my first ever program here
in 2014, the subject with digital scholar and educator John Palfrey was the very real
possibility of a digital Pearl Harbor or 9/11 in our lifetimes. It’s clear from our evaluations on The Open
Mind that such a crisis played out during the 2016 campaign, but not as we expected. We lacked the imagination foresight and most
of all political will to respond as governments, citizens, and corporations, which often were
hosts of malignant disinformation and enablers of massive security breaches. Joining me today is Christopher Painter, commissioner
of The Global Commission on the Stability of Cyberspace. For over two decades, painter has been at
the helm of American Internet policy as a prosecutor of high-profile cyber crimes. And then as a senior official at the Department
of Justice, FBI, National Security Council, and finally the State Department. In his most recent role as the nation’s top
cyber diplomat, Painter coordinated and led the diplomatic efforts to advance an open
internet and information infrastructure, establishing the office of the coordinator for cyber issues
dedicated to advancing the diplomatic aspects of cyber issues ranging from national security
to human rights. Welcome, Chris. PAINTER: Happy to be here. Thanks. HEFFNER: Thank you for being here. You were pivotal in brokering an accord, or
at least theoretically an accord between the US and China in 2014. What were you and your colleagues attempting
to accomplish and has it been enduring? PAINTER: So we were faced with a situation
where there was widespread theft of commercial information, trade secrets, other business
and proprietary information by China, not just in the US but around the world. And this was becoming not just a cyber issue,
but really a core economic issue and national security issue. And you know there was a strong feeling that
this really had to stop. This was stealing the life’s blood of our
economy going forward. So what we’re trying to get is that to stop
frankly and, and we were looking at different aspects to do that and one of the aspects
was trying to get China to agree that this is something that should be prohibited and
not done. Now I will say there is a difference between
a theft of intellectual property to benefit your own commercial sector and espionage. Every country gathers information. Every country will for all of time. They have from the beginning you can’t really
prohibit that, but this is a specialized kind that we don’t do and we don’t think any country
should do. So. HEFFNER: Cambridge Analytica was really at
the intersection of the for profit commerce and espionage. PAINTER: Yeah, it was a little different though. I mean there were, it was for-profit espionage
in a sense which is not necessarily all that new. Although the way that was done was I think
a new form of this, but the kind of theft of information that you use. So let’s say you steal the plans is something
or the trade secret for something and then you give it to your own commercial sector
and then they become competitive, and they use that to become competitive and really
displace your own industry. So that’s what we were trying to stop. And it did, it was interesting. It took really from the president on down
strong messaging to China that this was unacceptable that this was just not a cyber thing. It affected the overall relationship and we
eventually got an agreement with them and you asked if it’s been enduring. I think after that agreement was reached,
which didn’t prohibit all hacking because that’s not realistic, but prohibited this
kind of hacking. A lot of people saw that activity drop dramatically
after that. And it did for a while now, right? Recently it’s gone back up again. And that’s a big concern. But I think partly that’s due to the fact
that the reason China wanted to reach this agreement, it was an irritant in the overall
relationship, but with something that China cares about, the way it’s perceived, it was
a big problem, not just in the cyber realm but across the board with the US. It was a problem with Russia or with, I’m
sorry, with Germany, with Japan, with Australia and other countries around the world, the
UK. And so they agreed to do it, but now the relationship
is really frayed, I think they don’t see any real need or benefit to comply with that. And that’s the problem we have now. HEFFNER: Are you referring to the implementation
of the tariffs? PAINTER: I think if you, the overall relationship
between the US and China, I think it’s fair to say it’s not very good right now and there’s
a lot of reasons for that. There’s certainly the trade conflict, war,
whatever you call it going on, which I think is a, is a concern for them and I think their
feeling probably is, and I’m not in the Chinese mind, but I think that, what their thinking
is why do we need to comply with all these agreements we made if the relationship is
so bad already, we’re not improving the relationship. And maybe it’s even a bargaining chip who
knows? HEFFNER: The current President speaks lovingly
of China and at times at least the Premier, the President, and yet has taken actions that
obviously have injured that relationship, so that souring effect has materialized in
the way that the United States and Canada are negotiating a potential resolution with
someone in their technology sector who is accused of breaking the Iran sanctions. 6:37PAINTER: Well, that the person who’s been
accused at Canada is accused of violating the sanctions have of taking actions that
violates them. It’s against the law. There is no, you know I see no issue of when
you see violations of the law as a former prosecutor going after them. I think the larger question is, how can you
address all these issues, how can you make sure this doesn’t happen? And look, the trade imbalance with China is
a big issue and we do have to address it. How we address it and how we message I think
is important. You raised a really interesting point though,
when you say that Trump speaks lovingly, sometimes of President Xi, that messaging is as kind
of a problem. If your messaging doesn’t match your actions,
it undercuts your own negotiating and undercuts your own deterrent value. I think the classic example, certainly with
Russia, where despite all the evidence, despite all the things that even this administration
has done, Trump constantly calls into question whether Russia was responsible. It doesn’t matter what you do in terms of
sanctions or other things if you’re a top leader, is not consistent in messaging, and
Obama was very consistent in messaging with China for almost two years. HEFFNER: Even if he decided not to prosecute
forcefully enough the case against cyber espionage from Russia during the ‘16 campaign, behind
the scenes and in public he was consistently critical of Wikileaks, Assange, and those
criminals. There was a digital Watergate… PAINTER: Do you mean Obama? HEFFNER: Obama, right. That there was a digital Watergate and the
plumbers and dirty tricksters were Russians as a country, and I think this is testified
to in ongoing support for the special counsel’s investigation. This country has not seen accountability in
the area where you prosecuted cyber criminals. When is there going to be accountability/
PAINTER: Well, that’s a great question. I think you have to divide this into two spheres. One is nation-states and the other is individuals
and criminals. Individuals and criminals we need to go after
using our criminal tools. You know, sometimes it’s difficult to reach
them for various reasons, but we need to continue to do that and that’s one aspect when you’re
talking about nation states, we have been just terrible at deterring or punishing nation
states for activity that really violates all the norms, that goes beyond, you know, the
kind of things we, we believe very acceptable conduct. So yeah, a good example certainly is Russia,
when you’re trying to deter someone, there are two aspects. One is timely and the other is something that
actually makes a difference. It’s going to change your calculus in the
future, and punish them for past conduct. Now, the Obama administration did come up
with a series of package of expulsions and sanctions at the end of the administration. That was pretty late. I mean, frankly, I think it was clear we needed
to act as sooner we needed to act more strongly. I don’t think that those things really punished
Putin or changed his calculus could certainly he’s engaged in this again and again after
that and then in this administration there’s been sanctions. There’s been some other targeted events. Russia has not limited their malicious cyber
activity to election interference. They released this big what’s called computer
worm the NotPetya worm that was – several countries attributed to them. Yes, the US and Australia and others have
attributed, this conduct to Russia, but you’re not going to name and shame Russia, you know,
you’re not going to – you might China, but Russia or North Korea, that’s not going to
have an impact. It’s a, it’s a good foundation, but then you
have to follow it up with action. The Ashley will make a difference to them
and then as I said before, you have to couple it with consistent and strong messaging. You can’t say, well, I don’t know if they
really did it, it’s okay. He said he didn’t do it. I mean those, that, those undercut all the
actions you’re trying to do to actually punish that conduct and make sure there’s accountability
and I absolutely agree with you. We have to be far better at imposing those
costs. HEFFNER: The kind of reciprocal action that
could be meaningful is allowing the young people of Russia to have digital freedom and
use the grassroots technologies that infuse our politics here and through the web to bring
about reform. PAINTER: We have always been seen as the leaders
in terms of freedom and democracy and my colleagues at the State Department, and we work closely
with them, champion this idea of Internet freedom, freedom online and helping those
communities who are often oppressed or monitored try to escape that monitoring to express their
views. And, you know, there is something called Freedom
House, which measures the level of freedom in the world online every year and they’ve
seen that level of freedom decline year to year, which is a real concern around the world. And if the US is not championing those causes,
if the US is saying for political or whatever, expediency you know human rights are important,
but they’re not so important that we’re going to take them seriously and factor them into
our larger policy. That gives them carte blanche to these countries,
these dictators, these more repressive regimes around the world. And it’s a good parallel to cyber because,
you know, if you don’t have consequences for your actions, then you’re creating a norm
of it’s okay, we can just do this. And the same is true in this area and you
can’t look at cyber security totally separate than human rights or economic policy. They have to be looked at together. HEFFNER: Where are you hopeful based on your
own prosecutions in the United States? There is not really a criminal court or tribunal
to adjudicate this and that doesn’t even work when there’s genocide to the best of its ability. So what is the best hope based on your own
prosecutions? You started doing this when cyber was just
being born in the 90s. PAINTER: Back when it wasn’t cool? Laughs. HEFFNER: So, so how is it working here in
America in terms of the ongoing pursuit of justice with domestic actors who hack us or
attack our infrastructure? PAINTER: I think we’ve gotten better. I don’t think we’re there yet. I think I’ve seen, there are a couple of trends
that I’ve seen over the 20 some 5 years I’ve been doing this. One is that we have been getting better, not
just catching the criminals here, but also overseas and it’s trivial for a cyber criminal
to route their communications through several different countries to evade detection. So in an unprecedented way you have to have
real international cooperation. We’ve gotten better at that. You know, it’s still not perfect. I think a lot of criminals still see this
as a cost free or risk free enterprise, but we’ve done a lot of big cases where we’ve
wrapped up a lot of criminals around the world and that sends an important deterrent message. So that’s good. We’ve trained more people around the world. More countries have cyber security law, so
they didn’t used to have them back, I don’t even remember years ago when the, I Love You
worm came out; it was traced back to someone in the Philippines. The Philippines didn’t have a law to punish
that, so that’s changed and that’s changed around the world. So I’m hopeful about that and I’m hopeful
about the kind of cooperation I’m seeing. It’s a steep hill to climb still, which is
an issue. I’m also hopeful that, you know, we have done
these joint attributions. So one of the things that may be surprising
is the Trump Administration came out with its strategy, its cyber strategy recently. We did these in the Obama Administration as
well. The Trump cyber strategy is really very much
like the Obama cyber strategy. It’s not really very different and that’s
actually a good thing, you’re building on what you’ve done before. You’re looking at this in a more holistic
way and saying we really don’t have to create a whole new regime. We need to do this. And there was a portion of that that talked
about deterring bad actors including state actors and it talked about and it had language
in there that said we are better acting together than with other countries than we are acting
alone. That doesn’t sound very America First-is,
does it? It sounds actually very collaborative. And that gives me hope too. So you know, I think that those things are
continuing to go on, which is good. You know, there’s lots of things that I’m
worried about as well but I think that there’s some positive aspects. And the other thing I’d say is people care
about this more. I mean, back when I was doing some of the
early parts occasions, people thought, well, that’s really cool. That’s a neat thing. Or you know, it’s a Robin Hood sort of thing. These hackers are cool. Where now, they really care about it. And, and you know, I think we’re at the stage
where, you know, back when I used to go and talk to, if you went to talk to the attorney
general, if you want to talk to, although Janet Reno was exception, she cared about
this deeply. If you went to talk to a cabinet official
in our system or a minister, and in Europe you went to talk to the CEO about this and
their eyes would roll back in the back of their heads and they will run from the room. They didn’t want to deal with these issues. There were technical issues. You technical people deal with them and now
there’s a recognition this is a core issue of our, you know, economic policy our national
security policy or human rights policy. And our foreign policy. That’s a big deal because it takes it out
of that technical realm. Technical aspects are still important, but
it really makes it a core policy issue. Now the problem is people recognize it as
an issue, they just don’t know what to do about it. HEFFNER: Right. They recognize it and it’s heartening to hear
the copying and pasting of the Obama manual, if in fact it’s being implemented, which you
mentioned, PAINTER: Which is a key question, yes. HEFFNER: Right. But at the same time, this lack of concern
was revealed when these folks’ emails were hacked, and that was an impetus, whether it
was State Department officials or business executives, they became aware and concerned
about it after their materials became, PAINTER: Sure. HEFFNER: In effect, declassified stolen, hacked,
publicized, which is, and it’s, there’s a learning curve. So now they’re up to speed potentially,
PACKER: Not sure they’re up to speed, but HEFFNER: Or in the process of..
PACKER: And look, it makes a difference when like the executive that head of Sony pictures
lost their job because of that. HEFFNER: Sure, sure. So here’s my question to you as a fellow viewer
of Mr. Robot, PACKER: Laughs
HEFFNER: So when does this reach the point of a 9/11 or Pearl Harbor? And I’m thinking economic insecurity as a
function of a hacking that is so basic to the necessity of our livelihood as Americans
or as global citizens. You know, of course there are vulnerabilities
that are particular to Bitcoin in new currencies. But, what about that scenario of a hacking
that completely disrupts the economy? PAINTER: Well, we, we’ve talked about this
literally for 20 years. We’ve been worrying about the kind of cyber
attack that would be against critical infrastructure, the financial system, the electrical power
system, the, you know, food distribution, something that would have catastrophic and
really rolling consequences that, you know, blackouts, things like that. And there’s no shortage of movies about this
too. HEFFNER: Right. PAINTER: So I, you know, my, I tried to make
my office unique in the State Department. I had movie posters where hackers or computers
where the main character, so I had like 30 of them up there and they’re all dystopian
movies. There are very few really happy movies there. That said we haven’t seen that kind of crippling
cyber attack. We’ve seen cyber being used and wore a like
in Georgia by Russia. We’ve seen some of the activity obviously
with our election and others. We’ve seen certainly very serious activity,
but not that kind of crippling 9/11 or Pearl Harbor or something like that. I also, I’m not that fond of those terms and
the reason I’m not fond of them is if we keep waiting for that before we do something, we’re
never going to do anything, you know, so we need to, we need to think about what’s happening
every day and the conduct is pretty serious. HEFFNER: Chris, is that because only state
actors would have the bandwidth to do that and the rogue elements like an ISIS in a cyber
unit of an ISIS or a like terrorist organization just doesn’t have the equipment to perform
it. PAINTER: I think there’s a couple of aspects. One, yes, sophisticated actors in Russia,
China, North Korea and Iran are always rated as the most sophisticated state actors, have
more capability, but even there, if you’re talking about taking down like the electrical
power grid, not just taking it down but keeping it down. So that requires a lot. That’s not just an instantaneous conduct. And yes, you know, this is an asymmetric area
where people without much resources can cause kind of large disruptions, but can they really
keep that disruption going in a way that’s going to substantially affect the economy. So I think that that’s a part of the issue
and you know, in terms of terrorists, we had been thinking about terrorists and literally
I remember giving a speech about this maybe 17 years ago where we were worried about terrorists
turning to this and attacking critical infrastructure and there’s two reasons they haven’t. One, they’re not really interested in doing
that. They’re interested in using the Internet to
communicate, to plan to proselytize, to raise money, all those things. And they do that a lot. We’ve certainly seen ISIS do that a lot,
but they’re not interested in really attacking critical infrastructure when what they want
to do is they want to attack physical targets and cause death and destruction that’s going
to have more of an impact. Now, maybe in the future they could do that
in a way that’s going to have a large level of impact. Maybe you’re going to a couple a physical
attack with an attack on say, emergency communications that’s going to magnify it. We just haven’t seen it yet. Now we’re always worried about it, but it’s,
I think interesting that we haven’t seen that so far. HEFFNER: Well, the net effect of closing the
power grid, PAINTER: Oh yeah. HEFFNER: Turning off the lights,
PAINTER: Sure. HEFFNER: Especially when it comes to the market
and being able to produce the necessities of life and companies handicapping their ability
to provide goods and services that are central to our health and wellbeing, that that could
be pretty serious. PAINTER: It could be. They could always borrow capabilities, they
could rent capabilities so you can get other people to come in and bring capabilities. You know, I think we haven’t seen this from
nation states by and large because there’s lots of reasons it doesn’t make sense for
them. I mean,
HEFFNER: Right. Yes Iran and North Korea have been more active
because they don’t have much to, or especially North Korea does. Russia used to be much more stealthy, but
now it’s much more active as we’ve seen because again, it’s positioned after the Ukraine invasion
the world community is very different. So there’s reasons that the nation states
don’t want to deal with or they worry about escalation and reprisal. Terrorists, you know, there is still a chance,
but it’s again, having that widespread effect that they want to have and that long-term
effect, HEFFNER: It’s perhaps more likely to come
from the yellow vest type movement. PAINTER: You don’t want to also shoot yourself
in the foot. You don’t want to take down infrastructure
that’s going to have an effect on your own life too. HEFFNER: No I’m not condoning it whatsoever. I’m just saying that it seems that the dystopian
of some of the fictional PAINTER: Yeah, yeah. HEFFNER: accounts are not so far in our, our
future. I mean there, I think that a lot of the grassroots
protests that have grown up and are now marching in the streets or causing havoc, are a function
of economic discord. PAINTER: True. And we look, we’ve had hacktivists so for
quite some time and they haven’t targeted these kinds of systems. And again, I think it’s harder and we’re getting,
we are getting better at protecting these systems. We’re getting a better at protecting electrical
power grids. We’re getting better at protecting financial
systems. It is not perfect yet and there are scary
times. Like for instance, when Russia shut down,
part of the power grid in the Ukraine, then we saw some, what we call prepositioning,
a malware on some of our power grid systems that looked like it was from Russia as well. Look, there’s real concern about that, but,
you know, I think we also have to look realistically at what, you know, what we’re doing to protect
ourselves, which we absolutely have to do. We have to do a far better job and we are,
I think in protecting those systems and have resilience so if something happens, we can
bounce back from it. So you’re not down for a long period of time
and it’s still not easy. It’s not easy to have that sustained effect. HEFFNER: What about the idea of a generator
in effect, having a generator to turn that on in the event of one of one of these incapacitating
cyber, national cyber terrorist acts, PAINTER: Having a generator that’s. HEFFNER: A kind of a kind of backup plan. PAINTER: Yeah, that’s. Absolutely, that’s the resilience aspect. So you know, you have to assume that sophisticated
actors, particularly state actors, if they really put their mind to it, can get into
a system and can affect systems. Now what that means is you do everything you
can to protect your system. That’s the, that’s the cyber security part
of it. You make sure there are consequences for people
who break in. That’s the deterrence part of it. So they don’t do it in the first place. They don’t see a benefit in doing it. And then the last part is you have to have
resiliency. You have to have backups so that even if they
succeed in doing this, you can get back up and running very quickly. There was a case a few years ago about Saudi
Aramco where a hackers got into their system and basically destroyed all their computers
wiped all the data from all their. And interestingly, they didn’t have that backed
up. Now I think people realize that you have to
have that all backed up. You have to make sure that you have those
things so that you can reconstitute yourself. One of the big worries I have that we haven’t
seen yet is dealing with the integrity of information. So yes, we see all these attacks, we see the
theft of information, but the integrity of information means that if I, for instance,
was able to hack into your medical records and change your blood type, so the next time
you got a transfusion you died. That’s pretty significant. Or if I could somehow get into the stock exchange
and make it unreliable in terms of the settling trades that would have a widespread effect. We haven’t seen that yet. HEFFNER: Is your commission working with these
sectors? PAINTER: What our commission is doing is we’re
looking. So there’s various aspects of this issue,
right? And part of the aspect is what are the long-term
rules of the road. What is the, what is the framework we want
that states will agree to over time. So there’s been work between governments on
this, international law applies, which is important. It’s not a free fire zone, but what are the
rules of the road what are the voluntary, at least in the beginning, rules of the road,
things like don’t attack critical infrastructure absent war time, more time. There’s different rules, but don’t do it in
peacetime. Don’t attack the Cert, the computer emergency
response teams. It’s like going after the ambulances. The commission has come up with things like,
don’t attack the public core of the Internet because we do that. You could take down the Internet for everyone. Don’t, you know, the industry has an obligation
to look at their software to make sure the vulnerabilities are not there to the extent
they can. That states should have vulnerability equities
processes, that election machinery should be off limits too the states should not attack
that. Does that mean that everyone will abide by
those norms or embrace them? No. But what it means is that if they don’t do
that, then you have to have that level of accountability. And, and we don’t have that firm understanding. There’s a lot of uncertainty in cyberspace. You don’t know what the rules are. You don’t know what the consequences are and
we have to change that. HEFFNER: Right, and in the seconds we have
left; you’re really attempting to resurrect the Geneva Accords or something like that
for… PAINTER: Not so much a treaty, because the
Geneva Convention applies to cyber. I mean, I think the worry is when you say
we need a Geneva Convention for cyber, the Geneva Convention applies to cyber, things
like proportionality to say all these things that have brought us safely into the 20th
and 21st century, those are things that apply to cyber. We have to figure out how they apply, but
they apply, HEFFNER: But do we need a new body that is
going to… PAINTER: I don’t think we need a new body. I think what we need to do is get countries
to accept these rules of the road and then we need to start enforcing them. I think if you create a new body, that’s a
lot of overhead, HEFFNER: Right,
PAINTER: And you don’t necessarily get the payoff you’re looking for. HEFFNER: Chris, a pleasure to be with you
today. PAINTER: Happy to be here. Thanks. HEFFNER: Thanks and thanks to you in the audience. I hope you join us again next time for thoughtful
excursion into the world of ideas. Until then, keep an open mind. Please visit The Open Mind website at
to view this program online or to access over 1,500 other interviews and do check us out
on Twitter and Facebook @OpenMindTV for updates on future programming.

Be First to Comment

Leave a Reply

Your email address will not be published. Required fields are marked *