DefCon Cyber: A ‘War’ that's Underway Online.
‘Would you ban TikTok in the US?’ ‘Absolutely. Absolutely.’ A new book argues that Americans are unknowingly ‘on the battlefield’ every time they sit down at a computer or pick up a smart phone.
Taking cyber threats seriously.
Last month William Holstein and Michael McLaughlin published a book called Battlefield Cyber: How China and Russia are Undermining Our Democracy and National Security.
Holstein is a veteran journalist, with extended tours living in and reporting from Asia. We have been friends since the mid 1980s, when we both were working in Japan. Michael McLaughlin, now a cybersecurity lawyer, was a career Naval Intelligence Officer and a senior counterintelligence advisor for the US Cyber Command.
Their book argues, as you’ll have gathered from its subtitle, that state-sponsored forces in both Russia and China are more aggressively waging online campaigns against US interests than most Americans recognize.
Those endangered American interests, according to the authors, have a nearly all-inclusive range. Corporations may lose their trade secrets. The plans and strategies of military and intelligence organizations may be compromised. The networks upon which daily life depends, from the electric grid to financial exchanges to internet connections as a whole, could be disabled by malware or ransomware. (The most recent such real-world example was when hackers disabled Colonial Pipeline, which connects refineries along the East Coast, two years ago.) The operating machinery of democracy, from information sources to voting systems, is all too vulnerable.
The authors use the word war to depict this situation. Last week I asked them about that terminology, about the rest of their argument (including their emphasis on the difference between Chinese and Russian strategies), and about what they’d like American institutions and individuals to do.
You can hear the resulting 53-minute podcast on the audio player immediately below this paragraph. The first voice you’ll hear is me asking a question, and the first response is from Bill Holstein. Then Mike McLaughlin answers. (I address them as Bill and Mike.) At several points you’ll also hear a dog that decided to join the conversation.
Let’s go to the transcript.
Our entire discussion is available in the podcast player above. Below is a curated set of highlights and quotes that amount to about half of the total conversation. In many places I’ve boiled down or compressed the answers, or added context or explanation in brackets, [like this]. The time stamp by each answer gives a rough idea of where you can listen to those lines in the original version. Tech note: this transcription comes from Otter.ai, which got it closer-to-right than I’ve seen from other systems so far.
With thanks to William Holstein and Michael McLaughlin, let’s get to the discussion:
For those who, unlike me, have not read your interesting and provocative new book, tell us the precis of the argument you're making.
William Holstein 00:37
As someone who lived in China and studied Chinese culture, the Chinese have a very sophisticated understanding of conflict and struggle.
We in the West are black/white, yes/no people. We think: We're at war--or we're not at war, in the kinetic physical sense.
But Chinese [leaders] believe that they can prevail in a confrontation with the United States through non-military, non directly-kinetic means. This is a different kind of struggle. This is the kind of struggle that we have never witnessed as Americans.
They are seeking to penetrate our IT systems and our organizations to steal technology on a massive basis. We think that it is their goal to be able to monitor and surveil key decision-making apparatuses in the United States so that they can anticipate what we might do.
A final piece of the strategy is to place malware in critical infrastructure. So that if there is a moment where we contemplate some sort of military action over Taiwan or some place in the Pacific Ocean, our critical infrastructure could suffer disastrous outages. So that we would be distracted or outright incapable.
When we talk about “war,” we're not advocating kinetic full scale war against China. That would be absolutely insane. We're trying to educate Americans about the nature of a confrontation that we're deeply engaged in, and that has largely escaped American attention.
‘If you connect to the internet, you are on the battlefield.’
Michael McLaughlin 02:57
Bill and I disagree on very little, which is surprising, because in experience and background we are vastly different.
But we came to the same conclusion. The same thesis. And the crux of our book is that if you connect to the internet, you are on the battlefield.
It's no longer just a military problem. It's no longer just a law enforcement problem. It is an everyone problem.
What China and Russia view as warfare, we in the United States view as just commonplace activities. They view it as economic warfare. They view it as commercial warfare. They certainly view it as kinetic warfare. They view it as espionage.
And they view it on a continuum. In the United States, it's very black and white, as Bill pointed out. It's either a problem for Cyber Command, or it's a problem for the FBI. Or it’s not a problem. And it's not necessarily a problem for individuals.
China exploits that. Russia exploits that. They target individuals, and they do it in such a way that it turns our entire ecosystem, our entire environment, into a battlefield.
What people need to recognize very clearly is that they are there on the battlefield. Social media is part of this battlefield. Their personal networks are part of this battlefield. Their corporate networks are part of this battlefield. They need to embrace the fact that everything they do feeds into national security.
About the broader effects of social media and connectivity, there has been an important shift of general opinion in the US. A generation ago, people thought: Oh, being connected, what a breakthrough! Now there is a sense of the yin and yang, the benefits and curses of this kind of connectivity.
Are you suggesting that even as people have become aware of the cultural effects of social media, they’re still blind to the national security implications?
I think it's an extension of the same thing.
But in the United States, I think people don't view it in the context of national security…
American companies are using data for commercial gain. Whereas the Russians and particularly the Chinese are using data to draw profiles of prominent Americans for possible influence purposes…
Mike was part of the hack of the Office of Personnel Management. They stole massive amounts of health information, massive amounts of information from Equifax, massive amounts of information from United Airlines, and Marriott hotels. Why? From that they can draw portraits of prominent Americans, and even what their children are doing on TikTok. [TikTok’s parent company is ByteDance, which is a Chinese firm subject to Chinese laws.]
They can create rich portraits of these individuals--who may have access to technology, who may be in crucial decision-making roles. They can monitor them in some ways. They can keep track of their physical movements, their patterns of life.
The Chinese are using the data for elements of subversion. For example, on LinkedIn, intelligence officers in Shanghai and Beijing can send messages to people who have profiles on LinkedIn saying they’re available for work, and draw them in.
Twitter, Facebook, all these others are seeking to make money. They’re not principally seeking to shape decision-making on a national scale.
‘The reason TikTok exists…’
The prime example of this is TikTok. In the United States it is the number one or the number two app that's downloaded across every app store. The Apple App Store, the Google Play Store, Microsoft, etc.
We look at this as being entertainment. But it's well documented that they collect a wide swath of data from the mobile devices, everything down to your precise geolocation at any given time.
What does that mean for national security? For everyday users of TikTok, you get that dopamine rush that somebody likes your video. Or you’re using it for advertising purposes. That's all well and good.
But the reason that TikTok is free, the reason it exists, is that they're collecting a wide swath of data they're then able to monetize. The advertiser can then take the data and make a very, very clear portrait of you, and very, very precisely target you for products and for merchandise. All well and good.
When I say “well and good,” I mean, it's terrible. But it happens. And it’s commercial. When Google, Meta, and X do it, they're doing it for commercial gain. Is it a good system? No, it's a terrible system. But we don't have any laws that really restrict it in any meaningful way at the federal level.
The Chinese are different. They do have laws. But those laws don't restrict the collection of data. Those laws actually say that if you are a Chinese company, or a company operating in China, you are required to share that data-- data collected anywhere in the world--with Chinese intelligence and security services.
So all of those 140 million Americans that are regular users of TikTok, all of that data from their mobile devices, all of that is going into a Chinese database. Where the Chinese intelligence and security services can then utilize that to train their AI models. Train them to individually target the US for propaganda purposes, for information warfare, or for more malicious means.
One example: the Chinese are capable of creating profiles of top military people and top intelligence people, to create a sense of their life patterns and their travel preferences. Suppose these Americans go to China to try to meet with Chinese people to understand what's happening in China. To recruit agents or just to make friends.
The Chinese are capable of tracking them, their movements to hotels, and then triangulating on which Chinese they might be meeting with.
It extends beyond China. What the Chinese are doing with their Belt and Road initiative, they're expanding well beyond the borders of China, into Africa, into East Asia, into Europe. They're trying to put in these “smart cities” and implement all of the Chinese technology and to export it. The reason they're doing that is because it gives them the opportunity to collect more data. It gives them the opportunity to siphon all of that data back to Beijing, to funnel it in and apply their resources to further train their AI. [And identify, for instance, US intelligence officers or Special Operations personnel in other countries.]
‘Know where the funding is coming from.’
Bill, in your role as longtime reporter, and Mike, from having worked in the cyber intel field, how do US assets and sophistication match up with what you're describing about China and Russia?
We’re at a disadvantage, because of the gap between our private sector and our public sector… [Among other things] our critical infrastructure is owned by the private sector. Electricity, communications, water, food, nearly all that is owned by private sector companies who have to make a profit and increase their profits every quarter, hopefully.
So when government knocks on their door and says, Can you add capacity? Can you add protections? Can you add resiliency to your systems? The private sector says to government: that’s not our responsibility. If this is a national security interest, why shouldn't the government be paying for it?
There is a full blitz on our research and development in our technology. Because we have so many Chinese students, researchers throughout academia are taking the technology, they're doing the research on it, and then they go back to China. That's not necessarily classified information, but it's the precursors to what goes into classified programs.
We're a country that's built on immigrants, and we should continue to benefit from that. But we are running head on into a country that utilizes everything at their disposal that information to our detriment.
To be clear on this point: One of my personal beliefs is that the strength of US universities, in specific, and US society, in general is that people from around the world want to come here and be part of it. Are you questioning that when it comes to Chinese people at US universities or in the US?
No, in no way are we challenging that.
The important thing is we don't want to close our doors on innovation, because how many of those Chinese students end up staying in the US and directly benefiting us in a lot of different ways. We don't want to close the door because there are some bad apples, which is inevitable.
But it's important for our universities to make sure that they know where their funding is coming from. We've seen many universities receiving money from Chinese donors that benefits Chinese students taking information and going back to China. Universities are effectively turning a blind eye to that.
But we very, very much are in favor of that remaining inclusive, as it relates to inviting students in to study and do research, because it adds to our innovation and our innovative edge.
There are three or four million Chinese Americans. Some of them have been here for five generations or more. They have no connections with the mainland, no family, no business interests. They want nothing to do with the Communist Party. They may even be rabidly anti-Communist.
But in the spectrum of all the Chinese and Chinese Americans here, some got their green cards very recently. They have families still in China, whom the Chinese government can exploit. The Chinese government will come and say: Oh, you have access to certain technologies. We'll help you make some money, we'll help your family do well in China, if you just share a few little things with us. And if you don't, then your family is going to suffer.
‘What does Russia want?’
This leads me to another of my hypotheses. I know very little about Russia or its predecessor, the Soviet Union. I know something more about China, where I lived for a number of years. My contention from this imbalanced experience is that China is not principally interested in harming the United States. They're mainly interested in helping China. If some policy harms the United States along the way, that's fine. But helping China is the main goal. My view of Russia is that the order seems reversed. The principal aim is to hurt the United States. If it also helps Russia, that's good—and if it hurts Russia, that’s too bad. But it’s OK as long as it hurts the US.
You’ve written about both Russia and China. Does this comparison sound naive?
I don’t think it’s naive. I think it's accurate. And for the way in which the two countries engage in cyber operations, it gives a very good view into the distinction between the two.
We’ve seen that Russia is very willing to go right up to the line, in some cases go over the line, and do things that are very clearly violations of international law, or international standards and norms.
Russia has an economy that's roughly the size of Texas. For all intents and purposes they are a third world country with nuclear weapons. They were once the number two world power. They're trying to show by saber rattling that they are still on the world stage. This is what's going on in Ukraine right now.
Russia is trying to utilize cyberspace and trying to utilize its capabilities to show its strength and to show that it is still a world power.
China, by contrast, is trying to use its cyber operations and its capabilities to destabilize the US. And to collect as much information as possible through espionage and through other means, ultimately to surpass the US on the world stage. … We're seeing that in their very large expansion across the continents of Africa, Asia and Europe, through their Belt and Road initiative.
But China has been very strategic about it, they're not stepping over the line, they're doing things in that gray space of warfare in that gray space of cyber operations, that doesn't warrant a forceful response.
The Russians are leaders in the ransomware attacks. They need the money. They've created a whole industry in the dark web, where people provide tech tools that attack systems.
The Russians don't mind doing things, like the Colonial Pipeline [ransomware attack] that rattled Americans, that are shocking. It’s almost like they prefer that. The Chinese believe in subtlety. They believe in penetrating systems, and lurking within those systems for years.
What the two powers share in common is their desire to undermine American democracy, because democracy is a challenge to them. This is where they have common ground. They want us to lose confidence in our institutions, and they want us to fight each other. They want us to be atomized, to be polarized. They're pouring oil on fires that we've lit ourselves.
For example, in the social media space, one Russian institution can create a website that says in polished English “all teachers should carry guns in schools.” And that website infiltrates into the right wing social media network. Then the same Russian institution can create a website that says “Oh, no teacher should never carry guns in schools! That's against everything Americans stand for”. That infiltrates into the American ecosystem, so they can keep the argument going.
They're really better at that than the Chinese. The Russians understand these wedge issues better than the Chinese do. After the Supreme Court judgment overruling Roe v. Wade, the Russians knew how to manipulate that from both sides.
To follow up on Russia and China: 99% of the coverage about foreign involvement in the 2016 US election was about Russia, and whether it had been involved or not. Very little about China. Is that a realistic assessment of how much of the two countries were actually involved?
I think that goes to the difference in the way that they conduct their operations. What Russia did was to use their information operations in conjunction with their cyber operations. Remember that John Podesta's email was attacked and compromised by a Russian intelligence service, which then turned it over to WikiLeaks. And WikiLeaks leaked it right as the President Trump and Billy Bush video came out, to push away the focus.
The whole goal was to destabilize us. We knew that it was Russia, because we had CrowdStrike do the analysis of the logs and the networks for the DNC and come out and say this was a Russian cyber operation.
The Chinese, by contrast, are using much more subtle methods. They’re using lobbying firms, or media firms. [Holstein adds: They’re trying to get American companies to do their lobbying for them.]
Right ahead of the Beijing Winter Olympics, the Chinese government hired the [American] firm Vippi to get social media influencers to push these touching moments on their accounts. There was a “Real Housewives of New Jersey” star, there was a Paralympic athlete, there were others pushing these touching moments about how wonderful the Winter Olympics are, and to downplay anything negative about the Uyghurs.
If you do that as a foreign power, you have to register as a foreign agent. If you're doing it as an influencer, it comes off as authentic. You don't have to register as a foreign agent. These “authentic” moments are clearly the product of Chinese influence. But they are under the radar, whereas Russia was much more overt.
We don’t have the large scale charm offensives, like when Deng Xiaoping came to Texas and put on a cowboy hat. Instead they can do it as targeted advertising, and targeted propaganda.
‘Ban TikTok? Absolutely.’
To be clear here, if you all were in charge, would you ban TikTok? Ban it completely in the US?
It is an evil… it is a very sophisticated set of algorithms that can even monitor your biometric indicators. They can see your face [through a smart phone’s camera], they can devise a flow of video images to you that excites you, that lead you down the rabbit hole.
It’s a form of cognitive warfare. You'll notice that the Chinese government doesn't allow TikTok to operate in China. It is one of the most sophisticated forms of cognitive warfare and intelligence gathering that I think we've ever seen.
The reason no one can ban TikTok is what Gina Raimondo articulated very well. She said, Whoever bans TikTok loses all the votes of everybody under the age of 35.
I guess an American president could invoke national security and say, Tomorrow, TikTok is gone, it’s banned, we’ll shut down all the servers. But the blowback would be ferocious.
If you were in charge, what would you want a president or the leaders of Congress to do about the kinds of cyber threats you are mentioning?
The top one is that in the government, there is not a cohesive cyber strategy… We have a Space Force. We don't have a cyber force. We have a Department of Homeland Security. We don't have a Department of Cybersecurity. It is big enough that we need to have a cabinet level secretary who is coordinating it. It's big enough that we need to have a separate military service that's imbued with sufficient authorities that they can go out and actually respond to cyber issues, both abroad and domestically…
If you could make me king for a day. That would be my one recommendation.
The private sector is part of the problem as well. In the corporate boardrooms, CEOs and boards of directors are making decisions about how much money they're going to spend defending their systems. Very few of them are saying we want to have truly secure systems. What they're trying to do is prevent themselves from becoming liable and getting sued.
The government has to figure out how to change the set of incentives, the set of motivations that exist in the corporate world.
‘From time to time, wear a tinfoil hat.’
As a final question, what should individuals do, in response to the analysis you're presenting?
First and foremost, individuals should be aware of what data they are just giving away freely. Because data in every system is inherently vulnerable. Whether it's Google's network and their servers, whether it's your corporate network or servers, whether it's the post office, anything is vulnerable. The more information you give out freely, the more likely that the data is going to get into the wrong hands and is going to be used against you.
You don't need 85 apps on your phone running at all times. If you're not using the app, delete the app. Be aware of the type of data that you're giving away freely. So that's the first thing.
Second, if everyone can just, at least, from time to time, wear a tinfoil hat and ask the question of “Is this normal? Is this something that I should be doing?” Phishing comprises about 90%? of all data breaches. They start with a phishing email, if we have people who are looking through and actually asking the question, who is sending me this email? Basic things, like not opening attachments from people you don’t know, and a questioning mentality about opening things online, can make you much more secure.
I think we need a major push in our educational sector. We should be focused on teaching about misinformation and disinformation, how to protect your systems. We should be coping with the societal and psychological impacts of one of the most rapid periods of technological change in human history. So that our citizens can take advantage of the internet, without being manipulated. So that we can exploit the inherent goodness that it offers, while minimizing the negative societal and educational consequences.
That’s the end of the transcript; as noted, it’s about half of what we discussed, and of course is only an overview of the full argument in their book. I’ll welcome responses, critiques, and rejoinders in the comments section.