My first thoughts on the strategic impact of Solar Winds: this is appears to be a large infiltration of networks that contain important information about US government operations. This could be a huge intelligence loss for the US with long term implications for national security
As of yet, no released evidence that hack led to disruptions, deletions, or manipulations of data (still waiting here). Unclear whether this was restraint by (presumable) Russian actors, lack of opportunity, or a combination of both, i.e. intel benefit outweighed attack benefit.
Lessons learned: 1) there is a proliferation of private & public US actors that have the capability and willingness to attribute. Attribution may become less of a political decision as these private attribution actors become more influential & capable.
Lesson learned: 3) I largely agree w/folks that point to these exploits as evidence that deterrence of intelligence-motivated cyber exploits is a flawed strategy. I still believe that defense, counter-cyber ops, & info sharing is the best response to these kinds of hacks.
@jacklgoldsmith has important ?s about whether US would conduct similar hacks & if so whether the US' current toolbox is appropriate for dissuading (or degrading) adversaries from these hacks. Are we on the losing side of this competition? @lawfareblog lawfareblog.com/quick-thoughts…
The US can better shape rules of the road, but I'm pessimistic we can dissuade adversaries from attempting these cyber hacks. I do believe declaratory restraint can help build norms about not using accesses for cyber attacks that cause civilian violence. tandfonline.com/doi/abs/10.108…
• • •
Missing some Tweet in this thread? You can try to
force a refresh
I've been seeing a bunch of "its the end of an era" in response to this article. This is indeed a technical achievement, but its a distraction from where we really need to focus our AI efforts in the DoD (haters stay for the thread).👇 defenseone.com/technology/202…
On the experiment: y'all it was a pilot w/a VR headset & a fake stick. AI beat a human pilot at a video game. It isn't surprising that AI performs well in a simulated environment & that human advantages (the warm fuzzy) are less important. quantamagazine.org/why-alphazeros…
The transition from this kind of AI to an unmanned platform with integrated sensors, weapons, & combat controls is expensive & vulnerable to both cyber/EM threats. Check out my work w/@jumacdo on the importance of cost in optimizing unmanned strategies.
I'm about to join a panel on wargaming in 2020 with @becca_wasser@elliebartels. I'm discussing developments on wargaming w/in academia and I've decided to tweet my thoughts for those not attending. Thread below . . .
Why wargaming & academia? Academic wargaming was a large part of early nuclear research. Games led by Bloomfield and Schelling at MIT were fundamental to how we think about modern nuclear strategy. Check out @reidpauly's work in @Journal_IS
How is wargaming different in academia? 1) No sponsor (Pro: freedom, Con: money) 2) No logistics tail (Pro: less onerous, Con: hard to run games at scale) 3) Different communities (Pro: less guild/more science, Con: Too positivist?)
Recent firing of Teddy Roosevelt CO highlighted issues that have been simmering for the Navy/DoD: 1) civ-mil relations in Trump administration, 2) Navy leadership/accountability, & 3) should we sacrifice the health of the fleet for presence missions (FONOPS, etc.)?
1) Culture. Microsoft has been a stalwart DoD partner since the the dawn of the Information Age. Almost every DoD mission runs on Microsoft applications. PowerPoint, excel, and outlook are probably the most prolific tech applications in modern combat.
2). Culture (continued). Because of Microsoft’s long history working w/DoD, it also means less potential of employee protests and more vetted personnel than other companies. That’s huge for insider threats- arguably the greatest threat of a cloud strategy this centralized.
I've seen some twitter threads floating around w/ suggestions for "canonical" cyber/international security works. While it might be premature to canonize these, here are some works I recommend for anyone teaching an international security/cyber course (added bonus: w/women too!)
Lots of posts today about how to do policy-relevant work. My list: 1.Do good social science
2.Understand policy timelines
3.Spend time w/those in policy 4.Work in government
5.Go into the weeds when necessary
6.Publish/talk outside academia
1. Do good social science. The proliferation of info means that policy-makers may reach for academic work that supports their own conscious & unconscious biases. That means your work may be ignored or adopted with little evaluation of methodology; the onus for rigor is on us.
2. Understand policy timelines. A recent piece with @jumacdo was just accepted for publication after the project began in 2014. Either ask questions whose relevance can survive that time lag, or be creative about publicizing your work prior to pub (but keep in mind rule #1).