Cyberspace is the New Battlespace

by Jeh Charles Johnson

[Following personal reflections on his return to private life from public service, former U.S. Secretary of Homeland Security Jeh Charles Johnson delivered the following keynote address at the Global Cyber Threats: Corporate and Governmental Challenges to Protecting Private Data cybersecurity conference held by the Program on Corporate Compliance and Enforcement at New York University School of Law on April 6, 2018.]

Like millions of other Americans, my world was rocked by the terrorist attack that occurred a few blocks from here on September 11, 2001.  Like many of you, I am a New Yorker, and was in Manhattan that day.  September 11 also happens to be my birthday.  I have a vivid recollection of the day, both before and after 8:46 a.m., when the first plane hit the World Trade Center.  At 9:59 a.m., when the first tower collapsed, it was perhaps the only time in my life when my mind could not believe what my eyes were seeing.  Neither would I have been able to comprehend then that 15 years later, there would be something called the Department of Homeland Security, that I would lead it, and that the Secretary’s New York office would occupy the 50th floor of a taller, stronger World Trade Center tower standing in the same place.

Out of 9/11 came the Department of Homeland Security, and my personal dedication to its mission.

Given my prior experiences at the Department of Defense, I confess that I came to the Department of Homeland Security in 2013 with a counterterrorism orientation.  I had said many times that counterterrorism is the reason DHS was created, and that it had to remain the cornerstone of the Department’s mission.  I quickly came to realize that a building can have more than one cornerstone, and that cybersecurity must constitute another.

Cyberattacks on and within our nation occur daily, hourly and by the minute.  Scores of them have occurred since we started this conference today.  The cyber threat to our Nation is going to get worse before it gets better.  And, unless you can find a way to live entirely off the grid, no one is immune.  Bad cyber actors, ranging from nation-states, cybercriminals, hacktivists and those who engage in the growing ransomware industry – are increasingly aggressive, ingenious and tenacious.  Those of us on defense struggle to keep up. 

Cyberspace is the new battlespace.

To understand the cybersecurity threats to our homeland, and the solutions, one must divide them in to three buckets. 

First, there is the hacking and unwanted exfiltration and theft of data and intellectual property.  Many of these attacks are conducted by nation-states.  Here it is important to know that all nation-states have certain behavior traits in common.  Whether a democracy, a monarchy, a dictatorship, or a communist regime, all nation-states respond to deterrents, and will abstain from behavior they know is cost-prohibitive.  The Chinese and Russian governments specifically, like any other nation-state, respond to sufficient deterrents.  

On the prevention side, there are the standard cybersecurity measures I suspect this audience knows, and we must all pursue to limit cyber theft.  Investments in better technology, public/private information sharing, and greater awareness by those who use our systems about the evils of phishing and spear phishing, are the basic answers.   

Second, the problem that is also a focus of this conference – the widespread use and misuse, but not necessarily theft, of data on the internet that we consider private.  This must be viewed not just as a privacy issue.  It too is a cybersecurity issue.  To a very large degree, this is a problem of our own making.  In some cases deliberately but, in most cases through naive indifference, we have surrendered and entrusted much of our private lives (and, by extension, that of our family and friends) to the internet.  We have come to rely on social platforms and the internet for our shopping, our travel, our news, our study habits, our research, our friendships, our dating preferences.  We have surrendered our names, addresses, social security numbers, date and place of birth, place of employment, email, location, contacts, search queries, the websites we visit, financial data, and in many cases the content of messages, to the internet.  

Technically with your consent, but often times not, much of this private data is shared for marketing and commercial purposes, and there is now a growing industry of data mining companies, data brokers, and data intelligence companies dedicated to further exploiting this target-rich environment. 

All this information is also available for political purposes.  There is the new phenomenon called micro-targeting – appeals tailored to you and only you. Even before Cambridge Analytica became common knowledge the head of digital ads for the Trump campaign freely admitted that he could micro-target voters, based on data available about you and your personality traits.  Through psychographics, campaigns can formulate 100,000 different ads with the same basic appeal.

Rather than appeal to you based on their stance on the issues, candidates for elected office can now literally get inside your head, to learn the most effective way to win your vote.

Because of its prevalence on the internet, our private information is now discoverable and exploitable not only by conventional actors, but by criminal hackers and nation-states.  This is why I say this is not just an issue of privacy; it is an issue of security.

And there is little regulation of this environment.  Law and policy simply have not kept pace with rapidly expanding capabilities. 

The third and final bucket: the problem that can be considered a form of cyberattack, but not exclusively so – it is the problem of fake news and hateful, extreme views published and republished on the internet, used as a weapon by foreign and domestic forces to seek to alter elections, sow discord, or alter public opinion generally. 

The recent indictment of 13 Russians individuals by the Special Counsel highlights that this, too, was part of the Russian cyberattack against our Nation in 2016.  And, it may be years before we understand the full extent this aspect of the Russian attack had on our democracy in 2016.  

Of the three buckets of cyber threat I mention here today, I believe this problem is the most pervasive, and the hardest to solve. 

Like many of you, when I grew up we had gatekeepers for news, whether it was the local newspaper, or on the national level, Cronkite, Huntley or Brinkley.  Even as late as law school, I did not fully accept that something happened until I heard Walter Cronkite tell me it happened on the CBS Evening News.  

With the internet, the information marketplace has no gateways through which to send or receive so-called news.  It’s an open platform, with no journalistic standards to limit entry.  Any individual with a keyboard and access to the internet can capture the American public’s attention with real or fake news, which is then just as accessible by Google search as the New York Times.

This is how an increasing number of Americans receive their news and form their opinions and political views.  

Our strength as an open and free society has become our vulnerability – a vulnerability that is being exploited by a range of domestic and foreign actors.   

What is the solution? 

For starters, we should not forget who we are as a Nation.

Addressing the problem of fake news and extremist views is not a matter for the security agencies of our government.  Foreign influence in federal elections is a matter for the federal election laws, and activities that violate criminal laws are a matter for law enforcement. Beyond that, we must be extremely careful not to go down the road of empowering security agencies to regulate or restrict speech, particularly political speech, on the suspicion that it might have a foreign or extremist origin. Imagine the dangers we would be tempting if we gave our political leaders the power to do this.  This is something they do in certain other countries; not here.

Inevitably, self-regulation by private internet access providers (like today’s announcement as I walked in here that Facebook will insist on verified IDs for political ads) is the best solution to this particular problem. 

And increased public skepticism about what they read and see.  Last month a pioneering journalist named Steven Brill, founder of the American Lawyer magazine and Court TV, announced that he’s formed a new company called NewsGuard.  Its mission: reliability ratings for sources of on-line news, as determined by an independent team of journalists: green for trustworthy, yellow for consistently biased or inaccurate, or red for deliberately deceptive.  Those that provide the platform for on-line news could incorporate NewsGuard’s ratings into search results.

Make no mistake: the proliferation of fake news and online hate is a threat to our very democracy.  For, if voters cannot make informed and rationale choices about their leaders or their views on the issues, free of covert foreign influence, there is no true democracy. 

There is one final thing I’d like to say to this particular audience.  I’m going off-topic.  I’m speaking as a concerned private citizen. These remarks should not be construed as political.  I have delivered this message to audiences of lawyers, law enforcement, educators and ROTC members. 

The Administration in which I served was hardly perfect; we made our share of mistakes and had our share of setbacks.

But, like many Americans, I watch with growing alarm and despair as segments of our government in Washington degenerate into a reality TV show.  Policymaking appears to resemble day-trading, without regard for yesterday’s representations or tomorrow’s consequences.  Standards of behavior of our nation’s political leaders spiral downward.  This may be good for ratings, but it is bad for the welfare of the country. 

Equally as depressing, this may be what the American people have come to expect of their political leadership.

We watch as these standards of behavior trickle down in American politics.  A candidate for the U.S. House of Representatives can now criminally assault a reporter one day and get elected the next.  A candidate for the U.S. Senate who has been credibly and publicly accused of molesting a teenage girl was almost elected.         

What do we do?  What can we in this room do?

In the face of this national spectacle, those of us who are the leaders of other professions of American life – the legal profession, education, law enforcement, business, the military – must take care that a similar downward spiral in standards does not happen to us. 

Young people in all these walks of life are watching.

In today’s environment, we must rededicate ourselves to the following principles, for those we educate, train and mentor:

First, our word is our bond.  We must not give our word unless we know we can deliver on that which we have promised.  Adherence to a promise breeds trust and respect, and trust and respect are everything. 

Second, there should be no compromise in our demands for truth and accuracy.  There are no “alternative facts.”  The phrase is a non sequitur, and cannot be allowed to settle into our vocabulary. 

Third, and at all times, we must rededicate ourselves to treating others with respect.  Treat others, superiors and subordinates, teachers, students, the deputy director of the FBI, or even a Cabinet officer, as you would be treated. 

Never forget what it was like to be the new associate in the office, the first-year law student, and how you were treated. Recall those who took the time to mentor you and treat you with courtesy and patience, and, on the other hand, those others who took the opportunity to put you down to build themselves up. 

Remind others to respect those who are different, learn from those differences, and celebrate the diversity of this Nation.  Intolerance of those who are different reflects a narrow mind and a small heart.

Finally, as I said many times in public life, those who know history learn from it; those who don’t know the mistakes of history are bound to repeat them.  Those who know history know that our country is great and never stopped being great. 

Two nights ago I had the solemn privilege and responsibility to speak at an event to mark the moment 50 years ago that my Morehouse brother Martin Luther King Jr. was assassinated. 

For a lot of reasons, that year, 1968, was a terrible year.  We lost Martin Luther King and Bobby Kennedy to gun violence, but 1968 was also the year that, for the first time in the history of all humanity, we sent men beyond Earth’s orbit to encircle the Moon.  1968 was the year my family got a color TV; now with the advent of the internet and laptops, my college-age daughter doesn’t even want a color TV.  1968 was the year that Bobby Kennedy accurately predicted what was then unimaginable for our democracy: that there would be a black president in 40 years.

Our country is great and never stopped being great — for its capacity to accept monumental change, unimaginable progress, and a more perfect union. 

Thank you and have a good weekend. 

Jeh Charles Johnson is a partner at Paul, Weiss, Rifkind, Wharton & Garrison, LLP; Secretary of Homeland Security (2013-2107); General Counsel of the Department of Defense (2009-2012); General Counsel of the Department of the Air Force (1998-2001); Assistant U.S. Attorney, Southern District of New York (1989-1991).

Disclaimer

The views, opinions and positions expressed within all posts are those of the author alone and do not represent those of the Program on Corporate Compliance and Enforcement (PCCE) or of New York University School of Law.  PCCE makes no representations as to the accuracy, completeness and validity of any statements made on this site and will not be liable for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with the author.