Tech Terms
Simplex (sim·plex) — a type of communication in which data can only be transmitted in one direction. It is often used in contrast to duplex communication, in which data can flow bidirectionally (back and forth) between two devices.
Cyber Deterrence Must Be More Than Words
What’s New: Last week’s summit between President Biden and Russian President Putin included “clear” and “productive” talks about cybersecurity and establishing “rules of the road” for online espionage.
Why This Matters: A number of high-profile cyber operations — including the recent SolarWinds supply chain hack and the ransomware attack against the Colonial oil pipeline — have been attributed to the Russian government or actors who enjoy tacit approval by Moscow. The Biden administration says Russia needs to change its cyber ways and has publicly stated that the U.S. is stepping up its deterrence efforts.
Key Points:
- During the talks, Biden shared 16 critical infrastructure sectors that he said were “off limits” for Russian cyber attack.
- This list comes from a pre-existing DHS list of “essential critical infrastructure sectors” and is made up of the following: chemical, commercial facilities, communications, critical manufacturing, dams, defense industrial base, emergency services, energy, financial services, food and agriculture, government facilities, healthcare and public health, information technology, nuclear reactors, transportation systems, and water systems.
- Biden also reportedly warned that the U.S. would leverage “significant” offensive cyber operations if Russia attacks any of these sectors or fails to get Russian hackers under control.
“He knows there are consequences,” Biden told reporters. “He doesn’t know exactly what it is, but he knows it’s significant. If in fact they violate these basic norms, we will respond.”
What I’m Thinking:
- This is the dance. No one should expect this meeting is causing Putin to shake in his Valenki boots. Nevertheless, in the world of geopolitics, meetings like these serve as a type of official notice — where the U.S. intends Moscow to understand that there is a shift in U.S. policy and that things are getting serious. It’s intended to be an ever-so-slight move up the escalation ladder — like saying, “I’m only going to count to three — one …”
- Now comes the hard part. As the old Russian saying goes, “Money talks, ерунда walks!” Putin will test Biden and we’ll see if the White House is really prepared to push back. I say we’ll see, but in reality, this is most likely going to unfold behind the scenes and in the darker corners of the internet. We mere mortals will have to watch the broader relationship and may only have a sense of things if they’re going really well or really poorly.
- Real cyber deterrence is not about “proportionality.” Biden reportedly obliquely threatened cyber attacks on Russia’s oil infrastructure if Moscow doesn’t get its hacker house in order. That’s all well and good, but I hope this kind of “proportional” option isn’t the only consideration on the table. The three classical elements of deterrence are severity (explaining to your enemy how much you’re going to hurt them if they cross your redline), certainty (the enemy must believe that you will follow through on your threats), and celerity (the enemy must believe you will act swiftly). The idea of proportionality — limiting your response to actions that are “proportional” to the attack that has been perpetrated against you — is not at all inherent to deterrence. In fact, it often works against this policy. The goal of deterrence is to DETER your enemy from even thinking about crossing your redline, and if you’re not prepared to exact a terrible price, you ought not draw that line in the first place. That doesn’t mean we should threaten to nuke anyone who crosses us, but it does mean that U.S. policymakers have to embrace the full range of asymmetric response options if they want to meaningfully deter cyber aggression. This is especially true in the case of the U.S. because many of our challengers are not as technologically leveraged as we are and, therefore, may be willing to absorb greater cyber losses than we can.
- This also isn’t MAD 2.0. Some believe that, because the U.S. and several of its rivals are assessed to have similar cyber capabilities, this constitutes a type of digital mutually assured destruction (MAD) scenario. I don’t think that’s true. During the Cold War, MAD was predicated on the fact that both the U.S. and the Soviet Union had survivable second-strike capabilities. That means that, even if one nation preemptively launched a successful nuclear attack, its own destruction would also be certain. When it comes to cyber, this notion of a survivable second strike is unproven. Even more, strategic cyber capabilities are only valuable so long as the enemy doesn’t know you have them or hasn’t patched the vulnerability that makes them work. This, then, actually incentivizes attackers to use their cyber “weapons” first to give them a maximum chance of success. The thing that actually constrains our enemies is a fear of what the U.S. would do in response to crossing one of our redlines — particularly the threat of non-cyber kinetic actions. We need to communicate this aspect of “severity” more clearly.
- Bottom Line: The value of Biden’s meeting last week with Putin will be determined by how U.S. policy develops going forward, not what words were said last week. The meeting in Geneva was neither a triumph nor a tragedy. It was simply the latest move in a game we have to win. But to win this game, we need to tighten up our strategic doctrine and political rhetoric.
New Data Rules in U.S. & China
What’s New: The American Federal Communications Commission (FCC) and China’s legislature have passed significant new data security rules in the last few weeks.
Why This Matters: Washington and Beijing understand the central role digital information now plays in a nation’s economic, social, and political security and are taking action to secure this strategic resource.
Key Points:
- The FCC voted on Thursday to draft rules banning U.S. companies from buying Chinese telecommunications equipment for current and future American networks.
- The Commission is also considering revoking two authorizations allowing limited purchases from Chinese companies who have already been deemed a threat to national security.
- Meanwhile, Beijing has a new data security law requiring all Chinese companies — including their subsidiaries operating globally — and all foreign-owned companies operating in China, to classify and report data to the government according to its relevance to state interests.
- The new law goes into effect on September 1 and is part of a continuing crackdown on private sector data, which is increasingly seen, as one Chinese official said, as “a state-owned asset.”
The law will “clearly implement a more stringent management system for data related to national security, the lifeline of the national economy, people’s livelihood and major public interests,” said a spokesman for the National People’s Congress, the legislature.
What I’m Thinking: I’m going to make two points as simply and as clearly as I can: (1) Any and all data collected by a Chinese company or its subsidiaries should be understood to be controlled and leveraged by the Chinese Communist Party (CCP). (2) Any and all data collected or stored in China by foreign-owned companies should also be understood to be under the control of the CCP. Even more, American companies like Alphabet, Apple, Microsoft, Oracle, and others are undeniably enabling the CCP’s totalitarianism, by directly providing or passively allowing the transfer of their business and research data to China’s insatiable system of technological surveillance and oppression. And these companies should be held accountable.
The Data Deluge
What’s New: Speaking of data, I’ve been doing some research recently and I thought I’d share some of the more striking statistics that I’ve discovered.
Why This Matters: Data is cool and growing exponentially.
Cool Stats:
- The total amount of data in the world was estimated to be 44 zettabytes at the dawn of 2020. (one zettabyte = one trillion gigabytes)
- By 2025, the amount of data generated each day is expected to reach 463 exabytes globally. (one exabyte = one billion gigabytes)
- Google, Facebook, Microsoft, and Amazon store at least 1,200 petabytes of information. (one petabyte = one million gigabytes)
- By 2025, there will be 75 billion Internet-of-Things (IoT) devices in the world.
- By 2030, nine out of every ten people aged six and above are expected to be digitally active.
- Game-maker Electronic Arts processes roughly 50 terabytes of data every day. (one terabyte = one thousand gigabytes)
- By 2022, annual revenue from the global big data and business analytics market is expected to reach $274.3 billion.
- The largest share of big data revenue is believed to stem from services spending, representing 39 percent of the overall market as of 2019.
- The world spends almost $1 million per minute on commodities on the Internet.
What I’m Thinking: I have previously cited the statistic that more than 90% of the world’s data has been created in the last 24 months; this is only the beginning. What we currently call “big data analytics” will look like a child’s refrigerator art compared to what will be common practice in the next ten years. This future holds amazing promise and significant peril. Our nation’s practices and laws, however, are ill-equipped for either outcome and it is time we engaged the challenge seriously.
That’s it for this Monday Brief. Thanks for reading, and if you think someone else would like this newsletter, please share it with your friends and followers. Have a great week!