KGOU

Cybersecurity Expert Mark Raymond Debunks Myths, Explores Future Of Internet Security

Oct 7, 2016

Just 10 years ago, only 30 percent of American adults reported owning a laptop computer -- a number that has now doubled, according to the Pew Research Center’s latest data.

Meanwhile, cell phone ownership has also risen, while desktop computer use has dropped. Amidst the global spread of the Internet and the tech industry’s constant flux, news of Russian, Chinese and Iranian hackers has swept headlines around the world. The face of contemporary cybercrime is increasingly tech-savvy, a reality the University of Oklahoma’s Mark Raymond says has far-reaching implications.

Raymond told KGOU’s World Views cybercrime and espionage have adapted to current technology, but are deeply rooted in ongoing international disputes.

Mark Raymond
Credit Jacque Braun / University of Oklahoma College of International Studies

“The hack of DNC and other election-oriented bodies … appears new and shocking, but at another level, BBC World Service and Voice of America have been broadcasting political information into countries to undermine their regimes for decades,” Raymond said. “The U.S. has sponsored coups in Guatemala and Chile and in other countries-- so at one level, you could ask the question: ‘What's new here other than the technology?’”

Along with high-profile leaks and hacks, the internet has also changed the ways that terrorist organizations do business.

“We know that terrorist groups use the internet, but actually, they use it in different ways then we've expected. They use it to raise money, they use it to recruit, and they use it to get their message out. They haven't attacked it as a target much more than they've used it as a tool,” Raymond said.

Terrorism, already a transnational issue, will also require international cooperation in the cyber realm. According to Raymond, some European nations have already taken steps to enhance cooperation on digital issues.

“There's something called the Budapest Convention on Cybercrime, which originated in the EU but now has some signatories beyond the Eurozone,” Raymond said. “One of the major purposes of that treaty: to obligate its parties to adopt a harmonized set of legal instruments on cybercrime to facilitate that kind of police cooperation.”

Despite concerns over the exact capabilities of shadowy foreign hackers, Raymond remains confident that the internet as a whole will be able to withstand most threats.

“You can interfere with it in a local way for temporary time periods, but it's actually built to be resilient,” Raymond said. “That was one of its original design features. Its decentralized nature gives it a kind of resilience.”

KGOU and World Views rely on voluntary contributions from readers and listeners to further its mission of public service with internationally focused reporting for Oklahoma and beyond. To contribute to our efforts, make your donation online, or contact our Membership department.

FULL TRANSCRIPT

SUZETTE GRILLOT, HOST: Mark Raymond, welcome to World Views.

MARK RAYMOND: I appreciate being here.

GRILLOT: So, Mark, you're an expert on cybersecurity issues, and I want to start with some basics here. When we think of cyber issues, we often think of cyber warfare-- things that involve attacking computers and affecting weapons systems, maybe thwarting some sort of armed attack. Those kinds of things come to mind pretty quickly. We've come to think more about major attacks on banking or the stock market, or maybe even utilities -- electric grids, water treatment, things like that. Kind of lay it out for us, the basics.

RAYMOND: One of the big problems in this area is that when people say "cyber security" or "computer security," they don't always necessarily mean the same thing. You'll hear discussion of that from generals, from high military officials, and they usually mean things like safeguarding national assets-- ensuring there aren't big disruptions to national ways of life, economies. On the other hand, you'll hear discussions in these same terms -- cyber security, but especially computer security in the computer science and engineering communities. And what those folks tend to mean is the actual integrity of particular computer networks. So they're focused at a much more micro level, and that can lead to some talking past each other. My own background isn't technological; it's more on the social science side-- understanding the law, the policy, the ethics, and the governance of these issues, especially at the global level. That's where my focus is, more. But in terms of where these issues reside, I think we can sort of understand a couple of major buckets, if you will. So the one bucket would be in the event of a great power war - a war between sophisticated national militaries - it is likely that some of these tools would get used to disrupt electronic networks, disrupt communications, command and control, surveillance and reconnaissance efforts-- there would be pretty strong incentives for militaries to take actions like that. Now, luckily, the probability of that is pretty low. So while we should worry about those issues, and militaries certainly do, at the sort of broader, public level, that's less relevant than the other major bucket of issues, which falls, in terms of international law, below what's called the "threshold of an armed attack" that triggers rights of self-defense. So these issues are a lot more varied. They can run the gamut of a bunch of things you've already talked about: attacks on critical infrastructure, attacks on banking systems, attacks on individuals in terms of cybercrime. It encompasses a lot of things that are sort of referred to by different terms: cybercrime, cyber security, political espionage - there's sort of some overlap with that, talking about the hacking of the DNC and other election oriented groups in the United States in this cycle. There's a bunch of different terms, but that broad bucket of security related challenges is probably the more relevant one. One of the important things for people to know is there should be reasonably little chance of those kinds of events escalating all the way to what we would think of as traditional war. That's really unlikely. So we can, if not take that off the table, at least rest assured that it's not too big of a risk.

GRILLOT: Well we do hear in the news, things like the Chinese infiltrating things, or trying to hack into the Department of Defense, or obviously the Russians that have been involved in recent high-profile cyberattacks-- you mentioned the Democratic National Committee. But I kind of want to focus for a minute on cybercrime. Is most of this activity really being sponsored by states, like we were talking about the Chinese or the Russians, or are there individual computer experts out there - hackers - that are just hacking into things, exposing emails, exposing information, collecting personal information so that they can go and enter your bank account or siphon off funds little by little all around the world. Does that seem to be the bigger concern now? Like you said, it's certainly possible governments and militaries and countries are doing these things, but the bigger issue maybe is just these individual rogue players out there around the world?

RAYMOND: So part of that starts with the definitional question of how you delineate cybercrime from other forms of cyber behavior that we might not like. So one way to do that is to say that cybercrime is distinguished by being financially motivated, and obviously, a huge portion of cybercrime is. So if you define cybercrime that way, then that doesn't look two-state sponsored. If you're talking theft of credit card numbers, theft of personal identifying information like social security numbers and birthdates, for example, to use in identity fraud, to apply for loans and things like that-- that is mainly criminal sector activity. Now, it's pretty hard to study black market networks, but there are economists and social scientists of other kinds that do this. One of the fairly evident conclusions from that work is that this has become far more organized. So this is an organized crime activity. It is found more prevalently in some jurisdictions across the planet. There is a large share of it that originates in the United States. There's a large share of it that originates in Eastern Europe, and certain parts of East Asia. So that's sort of a quick global picture of that kind of activity. The grey zone is the theft of industrial secrets, or intellectual property of other kinds. The United States and China have reached an informal understanding about that about that, but whether or not China really implements that in a way the United States will appreciate and approve of is to be determined. There are some early indications that no, not a lot has changed there. There's some indication that some things have changed. But in any event, that's kind of the grey zone. On the other side, you have a whole bunch of political activity, and whether or not that's illegal is a really interesting question, because the United States takes the position that espionage is not illegal under international law. It absolutely breaks the domestic law of any country in which it's committed. So the United States authorizes American citizens to break the laws of other countries in order to collect intelligence for the United States, and accepts that other countries will do the same thing. But there are sort of unwritten, informal rules about how far you go. The problem is that when you introduce a disruptive new technology, people will use that in unanticipated ways and that will create a lot of uncertainty about the rules of the game and how people want to treat certain kinds of activity. The hack of DNC and other election oriented bodies is just such a case. You know, at one level it appears new and shocking, but at another level, BBC World Service and Voice of America have been broadcasting political information into countries to undermine their regimes for decades. The U.S. has sponsored coups in Guatemala and Chile and in other countries-- so at one level, you could ask the question: "What's new here other than the technology?" Countries have interfered in other countries' elections for decades, at least, and if you open up that can of worms, you might not like what you find. So I think the technology is at least prompting us to ask the question, whether that's something we can continue to tolerate - whether the technology has now made it so easy, potentially, to interfere in elections in really large and meaningful ways that-- maybe now we need to take that off the table. But then we have to recognize everyone's going to have to take that off the table. And that is a bigger international discussion that will take a long period of time.

GRILLOT: Well, I definitely want to get to this - what do we do about those kinds of problems? But given that you've mentioned this sort of activity is so easy to do - there are people entering this world of cybercrime or some sort of cyber activity, and it's hard to stop them. It's hard to stop them. It's hard to identify them. It's easy to do, and it's easy to hide. That being the case, some of these specifics that we've heard about in the news - we've already mentioned the DNC, but the Sony emails - the list goes on and on. What is it that can stop them? The whole profit motive is one thing, and that's going to be very, very hard to stop, right? I mean, in terms of policing that, and holding people accountable. But those that are trying to disrupt and actually-- can we use the word "terrorize?" Is this cyber terror that we're talking about here? How can we possibly address these sorts of things?

RAYMOND: The question of whether or not it's cyber terror is an interesting one. I mean, we know that terrorist groups use the internet, but actually, they use it in different ways then we've expected. They use it to raise money, they use it to recruit, and they use it to get their message out. They haven't attacked it as a target much more than they've used it as a tool. That's been the dominant response of terror groups to internet technology: try and use it as a tool for those purposes. So really, they haven't targeted the internet infrastructure itself. Now, whether that remains true is an interesting question, but I think it's more likely they'll go after more theatrical targets - things that generate a bigger public response. The internet is also, by design, pretty hard to take out in a very general way. You can interfere with it in a local way for temporary time periods, but it's actually built to be resilient. That was one of its original design features. Its decentralized nature gives it a kind of resilience. So luckily, that probably isn't too much of a worry. Whether we can stop this-- like you say, the barriers to entry here are really low. It's hard to identify the players. It's difficult to attribute an attack to a particular perpetrator. And that combination of things means it's really hard to play defense, and it's really easy to play offense. That kind of a combination tends to be, in geopolitical terms, unstable. At an economic level, though, it might work a little bit differently. Companies like Visa and other financial companies-- they have a loss ratio built into their business model, where they say, "A certain percentage of the time, we're going to get taken, and it's going to be fraud, and they're going to get away with it, and we're just not going to worry about it, because the company's built to be profitable." Now, as that loss ratio rises, the kinds of things those companies do is respond by passing on costs to consumers. So that's one thing we may see. The boom of the internet economy may become smaller if the internet turns out to be dramatically insecure and difficult to secure. So that might be one thing that happens. There are also a whole host of insurance issues around this. One of the things that we do when we have risk in society is use insurance as a tool to pool risk and minimize the cost, and ensure that it's not catastrophic for anyone. But the insurance industry has really been struggling to figure out what the upper bounds and liability here are, and it's really hard for an insurance company to write a policy for cyber risk if they can't quantify it at the upper end, if they can't realize "if we write more than this number of policies it could bankrupt us." So that's a really important question for an insurance company, and they can't really answer that well yet. There are starting to be some cyber risk policies. There are also existing policies for things called "business interruption." It's very easy to see that a business can be interrupted by a cyber disruption, but whether or not that would be covered under a business interruption policy-- if anyone's dealt with an insurance company, you quickly find out that they have a very good way of making sure that they're not covering losses they don't want to cover. So there are a huge host of insurance questions here, and the insurance industry could be part of the solution. If we get that policy right, maybe we can keep losses to a manageable level and then basically just not worry about it.

GRILLOT: But this is an interesting perspective you're taking, Mark-- that you're looking at how industry and how consumers, and consumer-oriented companies, are having to react to the reality. I guess we're just going to assume now that this is the reality: that there are just going to be hackers out there that are doing all kinds of things for various reasons, as you noted. So if we're just going to assume that this is something we're going to have to deal with - it's just kind of the new normal, if you want to put it that way - then we adjust, we pass on costs, we insure ourselves, we do all those kinds of things to minimize, hopefully, the damage. Is there any way to make this more costly for the hackers themselves? I ask this question because my background in the arms trade-- people who would run guns would say, "as soon as it's more costly for me to do this - I'm trading in a commodity that I make money on-- and as soon as I can't make money, or make as much money, or I can make money doing something else, then I'll shift. But until then, you have to increase the cost of my doing this kind of business." Is there nothing that's going on, or what we can do, to try and increase the costs of hackers doing their business?

RAYMOND: Global law enforcement cooperation is one of the ways to easily raise costs of engaging in this kind of activity, because right now, a lot of countries don't necessarily have strong laws on cybercrime. Even if they have laws, if those legal regimes aren't harmonized, it becomes difficult to use Mutual Legal Assistance Treaties, or MLATs, which are a common sort of legal agreement that are used across borders to facilitate police cooperation. So one of the provisions of an MLAT is usually dual criminality, because we don't want to be forced under a treaty to provide assistance to a police force in another country, for example, for prosecuting a political dissident, because we wouldn't regard that activity as criminal. So if it's not criminal here, we won't engage in that law enforcement cooperation. What that has meant is that there has to be an international effort to harmonize domestic law and cybercrime. There have been important steps in that regard. There's something called the Budapest Convention on cybercrime, which originated in the EU but now has some signatories beyond the Eurozone. And that is one of the major purposes of that treaty: to obligate its parties to adopt a harmonized set of legal instruments on cybercrime to facilitate that kind of police cooperation. The reason that raises costs is because it reduces the number of available havens. So if you want to live in a place that's going to provide you legal shelter from prosecution, when you target the citizens of other countries, you're going to be forced to go farther and farther down the league table of desirable countries to live in, and you're going to wind up in places you don't want to be. So that is one way to raise the cost. But, if there are major powers that perceive an interest in being havens, like in Russia and in other places in the world, then they're going to continue to allow that for political reasons, and that's an open question.

GRILLOT: Well Mark, clearly this issue isn't going away any time soon. We'll continue to discuss it well into the future, so we'll have you back here again on World Views. Thank you again for being here today.

RAYMOND: Thank you.

Copyright © 2016 KGOU Radio. No quotes from the materials contained herein may be used in any media without attribution to KGOU Radio. This transcript is provided for personal, noncommercial use only. Any other use requires KGOU's prior permission.

KGOU transcripts are created on a rush deadline by our staff, and accuracy and availability may vary. This text may not be in its final form and may be updated or revised in the future. Please be aware that the authoritative record of KGOU's programming is the audio.