Technology Security and Cyber Insecurity

Technology Security and Cyber Insecurity
(Dr. Stephen Bryen, August 5, 2021)

Transcript available below

About

Stephen Bryen is a leading expert in security strategy and technology. He has held senior positions in the Department of Defense, on Capitol Hill and as the President of a large multinational defense and technology company. Currently, Dr. Bryen is a Senior Fellow at the American Center for Democracy, the Center for Security Policy. He has served as a senior staff director of the U.S. Senate Foreign Relations Committee, as the Executive Director of a grassroots political organization, as the head of the Jewish Institute for National Security Affairs, as the Deputy Under Secretary of Defense for Trade Security Policy, and as the founder and first director of the Defense Technology Security Administration. He is the author of Technology Security and National Power: Winners and Losers, and of three volumes of Essays in Technology, Security and Strategy. Dr. Bryen was twice awarded the Defense Department’s highest civilian honor, the Distinguished Service Medal.

United States and United Kingdom intelligence agencies have recently said that Russian military hackers over the last several years have tried to access the computer networks of “hundreds of government and private sector targets worldwide” and warned that those “efforts are almost certainly still ongoing.” The United States, NATO, the European Union, Australia, Britain, Canada, Japan and New Zealand have accused China of a global cyberespionage campaign. U.S. Secretary of State Antony Blinken said it posed “a major threat to our economic and national security”. Dr. Bryen will address Technology Security and Cyber Insecurity.

Transcript

Robert R. Reilly:

Hello, my name is Robert Reilly and I am the Director of the Westminster Institute. Stephen Bryen is a leading expert in security strategy and technology. He has held senior positions in the Department of Defense, on Capitol Hill and as the President of a large multinational defense and technology company. Currently, Dr. Bryen is a Senior Fellow at the American Center for Democracy, the Center for Security Policy. He has served as a senior staff director of the U.S. Senate Foreign Relations Committee, as the Executive Director of a grassroots political organization, as the head of the Jewish Institute for National Security Affairs, as the Deputy Under Secretary of Defense for Trade Security Policy, and as the founder and first director of the Defense Technology Security Administration. He is the author of Technology Security and National Power: Winners and Losers, and of three volumes of Essays in Technology, Security and Strategy. Dr. Bryen was twice awarded the Defense Department’s highest civilian honor, the Distinguished Service Medal.

United States and United Kingdom intelligence agencies have recently said that Russian military hackers over the last several years have tried to access the computer networks of “hundreds of government and private sector targets worldwide” and warned that those “efforts are almost certainly still ongoing.” The United States, NATO, the European Union, Australia, Britain, Canada, Japan and New Zealand have accused China of a global cyberespionage campaign. U.S. Secretary of State Antony Blinken said it posed, “a major threat to our economic and national security.” Dr. Bryen will address Technology Security and Cyber Insecurity.

Dr. Stephen Bryen:

Well, thank you very much for having me today. I appreciate the opportunity to speak to you and your audience. I will give you a little bit of background. My first book is the one you did not mention. It is called The Application of Cybernetic Analysis to the Study of International Politics. When I wrote that book and brought it to my mother she looked at it and said what else do you do that is useful? She was not impressed. The book was published in 1970 but I wrote it in around ‘67 and ‘68 so I have been at this for a long time.

I am not a whiz kid technologist. I would like to be. I can program but my programming goes back to the 1960s and I did FORTRAN IV so that is an obsolete programming language. And I taught it when I was a professor at Lehigh University, so I have a lot of hands-on with computers, electronics, and the implications. To your main point, which we will discuss in more depth, a lot more depth, as we move along today, the situation is pretty grave right now. That is to say that most of our computer networks, public and private in the U.S. and among our allies and friends, all of them are at high risk, not low risk but high risk, and I do not think right now that anyone has a very good answer on what to do about it. And there are some reasons behind that.

So with that said let me put up my presentation to start the first few slides to introduce the subject more precisely. What I want to say first is the U.S. has become vulnerable to unprecedented threats to its information, command and control, and weapon systems security, all of which rest on cyber networks. And despite years of trying and billions in investment, and the billions keep rising, our military forces, our national command structure, indeed the entire critical infrastructure of our country is at severe risk.

President Biden today proposed on a voluntary basis that the critical infrastructure segments of our country, which is things like communications, transportation, banking and finance, water supply, electrical power and so on, what these people should do is to improve their security. The problem is they cannot improve their security and that they try, but it does not really work very well. And I think that is the problem. And beyond that the government is saying voluntary, if you can do it, because 95% of the U.S. critical infrastructure is in private hands. It is not owned by the government. The government has no share in it, which is unusual for most countries because in many other places, the UK or France or Germany or Japan or anywhere you go, many of the key cyber institutions such as the telephone network are owned by the government.

So the president understands there is a big problem. The CIA, NSA, and the FBI have all gotten together and said there is a big problem just last week, and published a report in which they said the problem is China, mainly. Although the problem is also Russia, and the problem is also Iran, and there is a report out today on Iran. The problem is also North Korea, so it does not stop necessarily in one place. But I think of all them China is probably the most dangerous because they have developed a very sophisticated system of stealing information from the U.S. and from our allies and they do it with ferocity and with cleverness, and they are effective.

I am concerned about our warfighting systems and our capabilities militarily because first of all that is how we defend our country and how we help defend our allies and friends. And we send our boys and girls (if I may use it that term, I think that is probably a pejorative term now), but anyway we send our boys and girls like my daughter, who is a lieutenant colonel in the army, we send them off to war and the risks for them are getting greater and greater.

Now, I go back a long way as I said at the beginning, but let me talk a little bit about what happened in the 1980s in the U.S. Defense Department where I was in the Reagan administrations, two of them. And the decision was made to start using what are called commercial off-the-shelf systems, COTS, and before that the government mostly was using custom-built computers and electronics built to government specifications.

But those were expensive. They were not all that advanced. The commercial stuff was evolving very fast. And DOD said, being the Defense Department, ‘You know let’s just buy IBM desktops or other desktops from Dell and other companies’ that were at that time emerging. And what has happened over time is that virtually all the computers, and all the desktop machines, and all the networks all the modems, and all the stuff that is used by our government and by our military is virtually all of it commercial, and I call that a fateful, fateful decision.

Now, in 1986 there was a guy named Clifford Stoll. He is an astronomer – actually, an astrophysicist – and he was at the University of Berkeley and because his grant had fallen through to do some more astrophysical studies he got a temporary job in the computer lab at Berkeley, minding a very early computer system that they had that happened to be connected to the Defense Department among other places.

And as he was trying to learn the system and understand he came across a a 75 cent charge that no one paid, and being curious he started to look into this 75 cent charge to try to figure out who it was. And he finally tracked it down to Hanover, Germany, and there was a guy in Hanover, Germany who was not only not paying his bills but he was using the Berkeley computer as a way to get into the U.S. Defense Department.

And he was taking thousands of documents out through this very old-fashioned network, but through this network using what has disappeared today, which was acoustic modems. You may remember those. You put your telephone into a little cradle, and your computer went with a lot of funny noises, and your computer connected up, and very slowly you could send data back and forth. That is what he was doing. More than that he was working for the KGB.

Cliff went over to the – you know Cliff, he may not look like a patriot but he is a patriot – he went to NSA and he said, ‘Hey, I just discovered this,’ and they were not interested. And he went to the CIA. They were not interested. So it took a lot of time for them to understand what was really going on and what was happening then.

It is still happening except the scale is you know hugely greater. What you can send over a 1200 band modem is very little compared to what you can send over a high-speed internet connection today where you can send gigabytes worth of information, and that is essentially what has been taken out of our system. And much of it is intellectual property and the rest of it is plans and programs. And it is that kind of information and even more of it is personal information.

I do not know, Bob, whether you were caught up in the hack of the security clearance databases that were stolen, presumably by the Chinese or may have been someone else but we are pretty sure it is the Chinese. I got one of these nice notifications that said your information has been stolen. They know everything there is to know about you but do not worry, we will give you a free, one-year subscription to some nonsense that is going to protect me from what they have already ripped me off. So you know this government – we used to have a joke that said ‘I am from the government [and] I am here to help’ and everybody runs away, rightfully. So in any case these are serious things.

I did want to mention one thing which is a huge problem of the information that was stolen, yours and mine and twenty-one and a half million other people, that information was on an unclassified network. In other words all that all you when you filled out that security application the government said that is not classified information, you put it into the unclassified box, which means the level of protection for that kind of information is shall we say low to non-existent, very little if any.

The government has this curious system of classified and unclassified. Virtually all of it is sensitive data. It includes other things you might not think about. The health information is covered by HIPAA, but in fact health information is not, it is not classified and so it is not encrypted. It is not protected. Law enforcement information is not encrypted so FBI files for example can be accessed without needing a security clearance. See if I can move on.

These are some of the guys who access it. I just thought I would put three of the four of them, the pictures. The Chinese have put together a formidable team of individuals, a well-trained, linguistically-capable [group], and they work for the People’s Liberation Army. That is who they work for and what the Chinese tend to do is hand off the acquisition test as the stealing part to third parties, and the Russians do it the same way too, by the way.

Very often they do not steal it themselves. They get people to steal it for them going back to the Clifford Stoll, the discussion, the guy in Hanover was a German citizen. He was not a member of the Communist Party or anything like that. He was just a German citizen who was being paid and you know now we have more sophisticated things going on like ransomware and all that, but these are people who are being paid to do what they are doing by foreign governments.

That is the key point and I think that if you understand that, you can understand why it is so difficult to try and stop it because you may be able to track down an individual or even a group of individuals but it is hard to prove that the foreign government did it, and even if you can prove it, what are you going to do about it?

SCADA

Now, another vulnerability aside from the kind of data that we think of are what are called SCADA systems. Are you familiar with SCADA systems? The term means supervisory control data acquisition systems. These are systems that manage networks, manufacturing, energy networks, oil and natural gas, transportation networks like your trains and aircraft, many critical infrastructure tasks, but they also manage command and control systems and the military. They manage the intelligence, surveillance, and reconnaissance facilities.

They are extremely important and almost all the SCADA systems that are out there today barn first, they are all commercial. There are no proprietary ones. They are all commercial systems. All the information about how they work is published and they all have very significant vulnerabilities.

Now, the companies that make them, some of them, are very prominent companies like Siemens. Try to update them and try to fix them when they know about a vulnerability, but they are usually way behind the power curve and even if they update it, that update has to get back to the users and the users have to put that update into effect and hope that they have not been hacked before. And one of the things that the Chinese specialize in is they learn about a vulnerability because some technical genius says, oh, I found a vulnerability in this Siemens SCADA controller and it is this, and the Chinese immediately jump on that and they go to every SCADA system they can find in the world and see if they can exploit it.

And we are not immune to doing it to people we do not like either, I mean to be honest, so it is a kind of free for all, but it is extraordinarily important when you think about that. Our command control communications computers used by the Defense Department, by the Air Force, especially the Air Force, the Army and the Navy, and all those can be can be hit by malware of one kind or another or intrusions of one kind or another that can either render them inoperative or change the parameters of what they are reporting.

So we have seen cases, for example, where the toxic materials that are used to disinfect water have been released into the water supply by intruders, hackers in a number of countries (including Rome, Italy and including Israel) successfully and once in the U.S., so they take chlorine, which is a disinfectant, and instead of releasing it in small amounts they release a massive amount by fooling the controller to do that. And no one knows it until it is already in the water supply, but that is just one example that just shows you how vulnerable we are.

Now, these are just some of the risks so I think I have given you enough of that, so I am not going to spend a lot of time except to say that not only foreign governments can do it but terrorists can do it. This is a wide open field and it is easy to see how a smart, let’s say ISIS recruit, who is computer-trained maybe at Berkeley or some other august institution, who becomes capable of writing code and writing malware, for example, or carrying out a intrusion into a foreign system, that he can do this on behalf of al-Qaeda or ISIS or whoever he is working for.

Now, in a little type here on the screen I also wrote stuxnet. Stuxnet, if you recall, was a form of let’s call it malware, and it is more than malware, it is really a trojan that was introduced into Iranian centrifuges in a project that was managed by the U.S. government and by the Israeli government that managed to knock off for a while the number of Iranian centrifuges and more than that to spin them up at such a high rate of speed that they failed and to self-destruct. Interesting part about it is that the bug was introduced through a Siemens update of SCADA software. So that is how they do it. It is one of the ways and it is effective.

Now, the other topic that fits into this today more and more is the internet of things or iot. This chart – it is kind of ugly – but nowadays your television, your washing machine, your printer, your lights, your doorbell, your surveillance camera if you have one, your webcam, all these things and much, much more have a connection to the internet. And because they have a connection in the internet it is possible to bug them.

And you say, ‘Well, that does not really affect the national security.’ Well, it does because how many televisions are there in various military bases that have a camera and a microphone in them, and where are they located? Some of them are just in a meeting hall or some place that is not so important but some of them are in command and control facilities, and you do not know when it has been turned on because it has a back door. It is a very serious problem.

A few years ago I blew the whistle on a State Department rfp, which was actually a sole source request for proposal that the State Department put out for cameras for the U.S. Embassy in Kabul, Afghanistan. And they were buying on cell source Chinese cameras and not only Chinese cameras, that is bad enough, but they were buying Chinese cameras with known security vulnerabilities, including what we call the back door, the ability to look behind and turn the camera on at will and watch what is going on or fool the camera because the cameras usually go back to a security control panel where people are watching to see what is going on, whether there has been an intrusion. And one of the tricks is to put up an old picture of a meeting room which is empty when in fact it is not empty, there are people in it, and therefore you can steal things and do things, and the security monitoring team has no idea. So that is a problem.

The other problem that is increasingly challenging are these things, cell phones. These are quite powerful computers. They have five different radios in them. They have gps connections. They have global positioning systems so if they are on, people know where you are. They have microphones. They have cameras, more than one camera most of them. Somehow mine has four. I bought the premium model.

But in any case these are extremely powerful and totally insecure, totally insecure and almost all of them are made in China or if you are lucky, part of them are made in South Korea or Taiwan, but by and large most of them [are made in China]. For example, the Apple iPhone is made entirely in China by a company called Foxconn, and Foxconn is owned by Han Hay Precision. It is actually a Taiwanese-owned company but its main businesses in China has a million employees, so if you have nefarious characters who are trying to slip in some software back doors or other ways for intruders to get in, be above and beyond what we know about, it is a perfect place where it can happen.

There is no security about these things. There is no security about smart watches. There is no security about cell phones. There is no security about webcams. There is no security about surveillance cameras. They are wide open and very few of the manufacturers take security seriously, and yet they are used everywhere in our society, not just in your home or in your school or in your office but it is used by the military [and] by government.

Now, I just want to give you some quick statistics. [The] most important thing I think is that while we are seeing a massive increase in the amount of hacking that is going on today, most of the hacks that occur are just stealing either for financial reasons or for political reasons or military reasons. Some of them are designed for even more serious kinds of attacks.

Let me talk a little bit about that, but before I do there is one other point. The U.S. government says that we should report to the government about any intrusion that we detect. The problem is that most intrusions are not detected until they have been hacking away for quite a long time, sometimes years, often months. It is very rare to catch them in the act on the first try and so what happens is first of all that the system is biased. The system as it is is biased against detection. The second problem is it is very difficult for private business, especially business that is traded on the stock market, to reveal that they have been seriously hacked because if they reveal that they have been seriously hacked, it could affect their stock price. Banks in particular are very reluctant to declare that they have lost maybe a billion dollars. They would rather wait it out and hope that they can cover it somehow and maybe it will go away, and the same thing happens with ransomware.

Ransomware, as you probably know, is a trick. It is a dirty trick where an intruder will encrypt all your data so you cannot access it, it is impossible to access it, and then he will send you a polite note that says for five million dollars I will unencrypt what is encrypted, and if you do not pay me, then too bad, I am not going to ever decrypt it. And today encryption, even commercial encryption, is good enough that it is probably impossible to break it or at least very, very time consuming and expensive. And meanwhile, your operations are disrupted, so whether it is a oil pipeline, which we have seen, the natural gas pipeline, or whether it is a banking system or whatever it is, is extremely troublesome for companies.

And if the fine, the bribe, or whatever you want to call it, the ransom, is within reach financially, they often just decide, ‘Let’s pay it because if we call the FBI and they get in it, it is going to be a long drawn-out mess, and at the end of the day we may not get what we want back the way we want it.’ For example, the colonial pipeline, which was an east coast pipeline that was disrupted by ransomware, never actually was able to fully recover all the data that they lost. It had been corrupted by the encryption method that was used by the hackers and it was not recoverable, so even though they paid I think five million dollars (and may have been plus or minus that, but more or less in that ballpark), even though they paid the bill after consulting with the FBI and consulting with other government agencies and finding out that the U.S. government could not help them, that even then after they paid it did not get fixed. So something to keep in mind, I think it is an important feature of this sort of thing.

And by the way, while we are at it the government also does not like to report that it is been hacked for a lot of reasons. One is national security. For example, if somebody hacks the Navy or let’s say it gets into the command and control system of one of our nuclear submarines, and that is not an impossibility, that is not an impossibility, the Navy does not necessarily want the world to know that they have been crippled in some serious way, so they tend to hide this sort of information internally.

Also they tend to hide it because if they have been hacked, who is responsible who takes the hit and what are the consequences? The commander could lose his job. An assistant secretary could find himself selling oranges in front of the White House, so maybe that is a good thing, but in any case it is a definite. There is not a good incentive for them to report it. There is no incentive to report it and so they don’t [report it].

I want to talk a little bit about what can be done about this because it is pretty clear that if we are going to rely entirely on commercial systems as we are today, the chances of being able to secure commercial systems is pretty small and a lot of reasons for that. First of all, big companies, Microsoft, for example, Google, and all these companies that the Silicon Valley tribe if you want are not primarily interested in security. They are primarily interested in sales, and so a lot of what they are designing into these machines is as my friend, Janjura Ismura in Japan, says is for entertainment, whether it is webcams like we are using now or whether it is music or whether whatever it is or even games. The fact is that they are designed for that purpose more than they are designed for high-level security. In fact, high-level security is an afterthought, so under the circumstances that is one problem.

Another problem is that an operating system like a computer operating system lasts in the market three or four years before it is replaced, and during that time it may receive ten, twenty or even more updates because some vulnerability has been found or some new feature has been added, so it is a constantly evolving system. We have nuclear submarines in the water today that are using Windows XP. Now, if you remember Windows XP, that goes back a while, about fifteen years I think. It is a very old operating system and one of the worst from a security point of view, but it is built into the submarine because the contractor decided to put it in there because it was easy to get and it worked.

But the problem is that it is also a huge vulnerability and you think it is just us – the British new aircraft carrier Queen Elizabeth, which right now is patrolling in the South China Sea, also has Windows XP computers, and that is a brand new ship because in the defense world twelve to fifteen years is not unusual for a weapon system to be developed and built. So if you freeze the design in 1990 and 2005, the thing is finally manufactured and put in the field and tested and all that, and by 2010 it is an accepted part of the system. Its electronics are absolutely ancient.

Back in the ‘80s I asked Bob Noyce – Bob Noyce was the co-founder of Intel, a great guy, very important man in Silicon Valley and a very important man because he was a patriot as well – and I said Bob, I got a problem. They are having difficulty with the Minuteman system, this is our strategic nuclear system, because the components in the Minuteman system are obsolete and they are not manufactured anymore.

I mean they just do not make them anymore. For example, I will try to explain this in a clear way. The kind of microchips that were in there were called single-scale integrated circuits, which had up to ten transistors on the chip. That is all today. We have a billion transistors on a chip. In the 80s we are already up to hundreds of thousands. And I said, Bob, what can we do? How can we get new chips for the Minuteman? And he went out and looked at the Minuteman, at my invitation – I was in the Pentagon then – and came back and he said it is truly a sunset technology. It is really a shame, he said, because the right thing to do would be to rip the system out and replace it, but you are talking about tens and tens of billions of dollars and lots of time to do it.

So you have a phenomena where the government is using either really old stuff, not by choice but because of the system itself, the way the system works and how long it takes. Now, it takes too long but even if it took seven years or five years, [it is] still a long time. In computer terms it is a long time. The computer and your desk probably would be replaced twice in that period and rightfully so because the technology is rapidly evolving. So keeping up with security in this kind of situation is very difficult.

And then we get to one other consideration and the other consideration is what we call embedded systems. Embedded system is when you take a computer, I will make pretend this is a computer, and you build it into it as a system because you need a computer there. But the computer is not standalone, it is just wired in as part of the circuitry. The problem is that when you put it in 2000 in 2020, that thing is obsolete, useless from a commercial point of view, totally useless piece of junk from a military point of view.

They are going to live with it for another twenty years. See what I mean? And if it is vulnerable, if it is full of holes, security holes, it is very hard to fix if it can be fixed at all. So it is clear that we really have to rethink how we do this and especially in the government, and military sector, and in the critical infrastructure because relying on the commercial equipment is very high risk and we have to find a way around it. So I do not pretend to know all the answers on that, I wish I did, but I have proposed that we form a national commission and we do not fill it up with techies, we fill it up with smart people who can think out of the box and come up with an alternative to commercial systems.

There is another reason why this is so important. The same systems that the United States uses today, same computers, the same networks, the same everything is what the Chinese use and the Russians use and everybody else in the world use it, so there are no secrets. Everybody has time to play with us.

Some some years ago there was an explosive found inside of a printer ink cartridge that got through security in Yemen of all places, and was put on an airplane, and it had a timer, and it was supposed to explode over London. The second one, another airplane, was supposed to explode over Chicago. The good news is that the terrorists who did this were were good at getting it stuck in there but they were not good at design so they made some mistakes. The systems were finally discovered. The planes were asked to land in mid flight to certain places and these printer cartridges, which were full of bomb material, were removed.

And happily [nothing] bad [happened], but the point is that how did they do it? Well, they learned how the X-ray machines at the airport worked because in Yemen it was easy to pay some bribes, and work with the local guys, and figure out where the holes were and how to get around it, and so they were able to smuggle the [explosives] because otherwise [they] would have been picked up by the metal detectors. And they were able to get these things in and into the cargo holds of these airplanes.

The same thing is true of computers and all the rest that we all use. If everybody has access to them, they can figure out how to so-called beat the system, how to penetrate the system, and they can practice and practice and practice on their own stuff until they know how to do it. And then, of course, they turn around and we pay the price because they disrupt our communications or our networks or our command and control systems or our ships or our aircraft or whatever or what have you. So that is the dilemma. That is the dilemma and the national commission would be a way at least, in my humble opinion, it would be a way that we could try to find some alternatives to using commercial materials.

[In] my own head I think that we have to come up with a restricted government system that is not based on commercial products, that does not use commercial software, that does not use commercial hardware as such, and that has very high levels of security. And remember I talked about unclassified versus classified. The government as a whole has to work in a classified environment.

This distinction between what is sensitive and not sensitive, and how to figure that out, it is not a workable way to protect vital information because one of the reasons they steal personal information from individuals like you and me and others (engineers, scientists, decision-makers) is to find ways to get in, get passwords and get information on how to penetrate systems, and then to exploit it, and as long as they can do that we are in a lot of trouble.

But if they cannot get that information, and by the way, I think there is pretty strong evidence to suggest that a lot of CIA operatives in China got exposed because of cyber insecurity and paid for it with their lives, so it is not just information but it is lives and it is lives not just in a war because we are not in a war right now, more or less, but it is also the people who keep us safe, who are willing to put their lives on the line to get it, to protect us.

And then CIA is part of that picture. So we want them to be able to operate without being picked up. So bottom line here is that is that we need to come up with a whole new approach and we need our government to take this very seriously indeed. And we need a national commission to propose a design for a system that can quickly be put in place. It is not going to be a cheap, inexpensive task, but on the other hand maintaining the system we have is a terribly expensive task that can cost us billions of dollars in compromised systems.

The F-35 and the F-22, which are vital to to our air force, stealth fighters, have been compromised almost completely. And the Chinese have copied most of the critical components in those aircraft, the ones they could copy. Some of them they could not [copy] because the information that they really wanted, let’s say one on aircraft engines, is not something you get in one place. There is a lot of magic technology there, but for the most part they copied quite a lot, and you can see it now because they are flying the J-20, which is a stealth fighter bomber [that] looks a lot like the F-22. And they have a new one called the J-31, which is a kind of a knock-off of the F-35 except it has two engines. So I think I will stop at this point and invite some dialogue if it is okay with you.

Robert R. Reilly:

Steve, thank you very much for that presentation. Secretary of State Blinken mentioned not simply national security but economic security, and whereas the Chinese have been able to get the information to design their stealth aircraft we know that they have either reverse engineered or gotten the blueprints for a lot of critical equipment in the commercial world from Germany and from the United States so they do not have the capital expenditures that would be required to develop these things in the first place. So then they make them and can undercut Western manufacturers, and therefore take over entire industries. Do you have any comment about that?

Dr. Stephen Bryen

It is a multi-layered approach that the Chinese take. If your intellectual property is accessible to them and they can copy it, they copy it. Copying it may mean actually getting one of these, for example, and just taking it apart and copying it the old-fashioned way of exploiting something or it can mean stealing the designs and all the information you need to make your own. A lot of Silicon Valley companies like to do business in China but are increasingly worried that their good stuff is going to be ripped off by China and they are going to find themselves competing against the Chinese in global markets.

[A] good example of that are microprocessors for computers. The Chinese are now copying some of the best ones in the marketplace. And they are not just copies, I want to be careful here, they are copies plus. In other words they take the U.S. design and then they add their own twists and turns to it so they can say, well, it is not the same as yours, it is different. And then they go out in the marketplace and they sell computers or gadgets internet of things stuff. Almost all internet of things stuff is made in China. I cannot think of anything that is made anywhere else. It is almost all made in China and they make this stuff and they sell this stuff, and people buy it. And by the way, they sell cheap.

And they also do the same thing in military [hardware]. For example, consider the U.S. Predator, which is one of our most famous armed drones. The Reaper version is armed. They copied it. Now, where did they get that? How did they do that? We do not know exactly, but I would be pretty certain that they were able to hack General Atomics. It makes them, makes the Predator, and over time they were able to gather enough information to copy everything that was in that bird, and in fact a lot of that UAV is not that special technology. The genius was putting it together. It was special. That was the smart thing and they have their own version of it, [which] looks just like it called Wing Loong and Wang Loong.

It is not just that the Chinese have it but they are selling it even to some of our allies. The UAE has bought a lot of them. Saudi Arabia has bought a number of them. Egypt has bought them. And Ukraine has bought a number of them. So a number of countries have bought these things because they are a third of the price of Predator on one hand and the U.S. will not sell the Predator that is armed anyway. The Chinese will sell [then] with all the missiles you want and bombs you want on it, so that is commercial but it is also military, isn’t it? It is a little bit of each and they have been used successfully in wars. I mean they use them in Libya. The UAE had provided them to Haftar’s forces in Libya. The Turks provided their own to the Tripoli side. They have sold them to the Ukrainians who used them to watch the Russians, and so they are out there and they have been used in Syria, too, so there they are staying on the commercial side.

Robert R. Reilly:

Staying on the commercial side, for another moment though – of course it is hard to make that distinction, isn’t it, when respect to China because we know Chinese corporations – well, I do not know [if they are] compromised or controlled, have security and intelligence function embedded in them.

Dr. Stephen Bryen:

Yes, usually they do.

Robert R. Reilly:

Yes, so the subject is just reviewing the Huawei 5G issue, about the warnings the United States gave against Huawei with our NATO allies. Some of them chose to ignore it.

Dr. Stephen Bryen:

That is correct.

Robert R. Reilly:

What are the vulnerabilities that presents?

Dr. Stephen Bryen:

Well, the vulnerability is is that the 5G is of course the new telecommunications standard for high-speed cellular communications, but it is much more than that because once you have enabled the network with 5G it is also a backbone system that can be used like the internet, and it involves your whole PTT.

Today, if you have a home telephone, the chances are that that home telephone is is actually running on what they call voice over internet protocol or VOIP. And what that means is that the telephone is not hardwired to your to the old way down to the ptt in the center of town and then goes out to the rest of the world. It it is part of the internet. It is that simple.

So if you are controlling this large slug of the internet in a certain country, let’s say the UK, okay, which is our big partner, right, security-wise, the most important ally the U.S. has security-wise, or Germany where we have our NATO forces, right? I mean it is very dangerous. It is very dangerous because they are on the inside looking out, not on the outside looking in.

It is a very dangerous thing and I think the U.S. government was right and remains right in really being deeply concerned about Huawei and about the problem that poses because Huawei is connected to the People’s Liberation Army. And even if it was not formally, it would be anyway. It is too juicy a target for the Chinese to allow to be just in the private sector. This is big time national security stuff.

Robert R. Reilly:

A good deal of attention is paid to China’s developing military capabilities, hypersonic missiles, that their goal of taking out our aircraft carriers are making them move so far out of the region that they cannot be effective. However, with the vulnerabilities that something like the Colonial Pipeline represents or the attempt against the Southern California District water system, I think in last May a ransomware attack against water treatment facilities in Norway affecting 85 percent of the population, the vulnerability of our energy electricity grid. It could be over before it begins because ransomware affects the population.

Dr. Stephen Bryer:

Well, look, that is all true. It depends how much damage they could cause and how quickly we could recover from the damage, and I have no idea what the answer is to that, but I would say not immediately. It takes time when these things go down. The Colonial Pipeline was out for well over a week and we saw the gas prices jump up, and naturally they did not come down, it just jumped up. But they jumped up because people saw delivery of gasoline and fuel products under assault, and they saw short supply, and they saw danger. And that was only one pipeline, there are a lot of other pipelines, so if they really wanted to push real hard…

I am not sure where that kind of pushing, where the line is where instead of just hacking a pipeline, you are hacking a country and the country decides that is an act of war. There has got to be a line there. I mean there is a point where you cannot tolerate this nonsense and you have to treat it as an attack like any other attack, whether it is a missile attack or a cyber attack if it is devastating enough, it is going to be a national security issue and not just a nuisance.

Robert R. Reilly:

Well, President Biden purportedly said to Mr. Putin something to that effect.

Dr. Stephen Bryen:

Yeah, then he did not do anything about it.

Robert R. Reilly:

But he did not do anything so, yeah, how convincing is that? And the issue of plausible deniability is there in a way.

Dr. Stephen Bryen:

Well, Putin had two arguments. One is I did not do it, it was not me, it was them, these people, but I do not know who they. It is not my problem, it is your problem. That was one argument. But the other point he made is just as interesting. He said, well, you are doing this to us all the time so I mean what are you complaining about? You guys are doing it to us so if some of our guys are doing it to you, I mean you know.

Robert R. Reilly:

Well, but when was their equivalent to the Colonial Pipeline shutdown? I mean we do not hear about these things happening in China or Russia. I mean at least there is Stuxnet hit in Iran from some years ago, but that was really security-related, but not of our hitting-

Dr. Stephen Bryen:

Yeah, but I think our government has to answer that argument.

Robert R. Reilly:

So tit-for-tat?

Dr. Stephen Bryen:

Is it tit-for-tat or some of the things we do for our national security that we do, we are not trying to declare war on Russia for sure. We are not trying to disrupt major Russian networks, television or radio or in information technology or internet. In fact, it is the Russians who were just tested, by the way, whether they could turn off the external internet outside of the Russian territory and just maintain an internal internet, and they proved they could do it. And that is, by the way, a wartime preparation, that is exactly what it is.

Robert R. Reilly:

Yeah, you know and in terms of the years I spent in government broadcasting we had a mantra that the key to success is great… what is the word? Now that is failing my memory, you know that you would have alternatives. You would not just have shortwave or long wave, you would have satellite, you would have a ground broadcast, multi-layered system, more than one way to reach your audience, particularly if you were in a conflict situation, but it has some problems though.

Dr. Stephen Bryen:

I will tell you what, you know the Pentagon keeps HF radios even though it is an old technology, you know pre-World War II technology, but they keep it because it is frequency hopping. It jumps around and you can make it capable of communications even if they are jamming everything else and knocked off the internet, they knocked off the telephone system, all that, but he could still communicate. The trouble is that today the DEF, our defense system, is heavily based on highly coordinated and integrated communications, a very high level of data exchange from satellites, from aircraft, very high level.

And information dominance is what they talk about in the Pentagon, something that is critical to our ability to fight a war. Without it we will not be successful and they just did an interesting simulation of a conflict in Asia, the Pentagon did. They have not told us too much about it but they reported that they were very concerned that information dominance was not necessarily possible because the Chinese had the ability to knock out our ability to use data high-speed data and then to exchange that information successfully.

Now, whether that is true or not I am not sure, but it does suggest that that multi-layer idea, that old idea that the DOA was talking about redundancy, and redundancy is not possible anymore, not possible at least not now. Maybe in future it will be, but right now it is a real headache. If someone could really defeat our capabilities in this area, and again we are relying on a lot of commercial backbone to make that work, satellites to not just spy in the sky, government satellites, but a lot of our communication satellites that are commercial satellites, high-speed internet, this sort of thing which could be knocked out.

Well, I always wanted to tell my kids, wanting you to take your cell phone on your computer and lock it in a closet and see how you get along all day. They probably will not know what to do with themselves. What no games, no this, no that. But it is [the] government [which] cannot get along without it either, and military for sure cannot get along without it. We could not do this program without it, that is for sure.

Robert R. Reilly:

That is right let me ask you, you seemed to indicate earlier when you said the Russians are using the same commercial stuff that we are and purportedly China does, and perhaps Iran and North Korea.

Dr. Stephen Bryen:

I do not know. Yeah, they do that.

Robert R. Reilly:

Well, does that mean they have the same vulnerabilities as we?

Dr. Stephen Bryen:

It does, absolutely, so we could. Well, you are thinking in the right direction. Oh, yes, we do know that the North Koreans have become very adept at this. We know purportedly the building in Beijing in which the PLA people operate, yeah, and the names of various Russian groups that, yeah, they have a name, a day, a name, a day and but we do not seem to have any names.

Robert R. Reilly:

In other words are we adept at this kind of thing to act if we need to do so?

Dr. Stephen Bryen:

Well, I know that there is a thing called the Project X in the Pentagon that is supposed to have teams of capable people that do this sort of thing, but since there is no information about totally classified [projects] I do not know any more about it than anyone else. I mean it is just not out there, not available.

But I want to mention one other thing. The Chinese are trying to develop their own computer operating systems and to make them unhackable by Western countries, which means mostly the U.S. I do not know if they have been any good at it, but that is what they are doing, and you know they think they are vulnerable, and I think they are, too, so I mean we, too, can fight this battle.

This brings up a whole different — well, not different but a related point. If you are just going to be passive defender, if you are just going to say, okay, I am going to build firewalls and all kinds of security layers and that is how I am going to defend myself, you are surely going to lose. You are surely going to lose. You cannot just be a defender, you have to be an aggressor. In other words you have to hand back some of the pain that we are feeling.

I will give you just a simple, stupid thought. They were stealing plans on the F-35. How come we did not give them bad plans? I mean really bad plans so they are getting up with an airplane with one wing here and one wing down here, and you know, I mean it is possible to because I did it myself in the Pentagon. Not the same way but it is possible to take equipment and modify it, change it so it does not work right or it does really funny things. That can be done today with electronics, with software, with plans, with the you know.

If we had it, if we had a group of people in our government that spent their time screwing the Chinese so they stop hacking us because the stuff they are getting is all bad, that would be very useful, that would really help, and the Russians, too, and then the Iranians, too, and the North Koreans, and all the rest. I mean we have to be aggressive, and we have to be smart and aggressive, and I do not see any sign of that, unfortunately.

Robert R. Reilly:

Well, Steve, the other thing the Chinese have as you well know is a whole of government approach.

Dr. Stephen Bryen:

That is true.

Robert R. Reilly:

So if they are going to move, everything is going to move. They will move on the cyber front, the information front, the kinetic front, the psyops front, taking out our infrastructure, whatever they need to do to achieve victory. And from what you just said to me, you seem to indicate that the person who gets the jump on the other one is going to win.

Dr. Stephen Bryen:

That is right. Cyber business, as I said if we are just going to take a defensive posture, we are going to get into increasing trouble and it is more than being ripped off. We are going to end up losing fights and battles and wars big time, so you know we have an obligation to to take a fresh look at this and then to put together a really aggressive strategy that will help us in the future.

And you have to wait twelve years for a new weapon system. This is not weapon systems, this is creative response to what our adversaries are doing. This, I hate to say it, is not rocket science because rocket science is an issue but it is not rocket science in the sense that we have this capability. We used to have very good and aggressive intelligence capabilities. I do not know where they are these days. I mean, yeah, you mentioned we did Stuxnet.

Well, I forgot in 2001 or something, I mean it was a long time ago. What have we been doing since? Not enough I am afraid and you know it has allowed China to essentially leech off us incessantly for a long time, and they are using it to build up their country. It has become strong, a very strong and in my opinion dangerous country.

When I was in the Pentagon I used to talk about Russians copying the U.S. weapons systems, and you know I had pictures of a Russian thing and an American thing, and they look the same. How come they look the same? And they look the same because the Russians copied it, but nowadays the Chinese are beyond that]. They are copying but they are going beyond copying, and they are going beyond copying because they have such tremendous access, not just to the DOD or the Defense Department or the U.S. government but to our universities, to our intellectual stuff that is not even stuff yet, that is still in the scientific level, and they have sent people into our universities who helped become part of teams.

Nanotechnologies is one of those fields which is extremely important for future defense systems and future commercial systems, everything, and the Chinese are deeply involved in our universities, Harvard and other places like that, so if you are gonna do that, you are going to pay a price. It is not going to be very pleasant.

Robert R. Reilly:

Someone like David Goldman thinks that the United States capabilities have already been sufficiently hollowed out by the Chinese, that is the shift of manufacturing and development and so forth to China, that absent a massive national effort we are not going to make it.

Dr. Stephen Bryen:

Well, David has a point. I write — as you probably know — I write for Asia Times in which Dave is one of the principals, so we are dialoguing all the time on this subject. Look, if you give away most of your manufacturing, then you are in trouble. You have to be in trouble because if you have lost your industrial power, and industrial power is part of what makes up national power, I mean if we had to do what we did in World War II and convert our industry into a wartime industry, we cannot do it because we do not have the industry that can do that anymore.

We just cannot do it. We do not have any. The industrial base is not there anymore, the workers and the skill bases. And some time ago people said you cannot get people to make you run machine tools. Now, you cannot get people to run robots. I mean it is very hard to get skilled workers and to have a skilled workforce, and the capability of switching over to the defense program if you need to.

But we have lost almost all of it and our silicon industry is in trouble, too, as you probably know. I believe I saw a figure lately that said the Chinese shipyards today are turning out naval vessels at the rate that the United States did at the height of its production in World War II. I do not know the exact numbers so I do not know, but you know we were building liberty ships in Philadelphia, here in New Jersey near my hometown at a very high rate because we were we had to have convoys carrying stuff to to our allies, and especially the UK, but also to our troops. And so it was a massive, big effort yes, yeah, but our shipyards are dead, right?

That is exactly the point. I think we only have four left that are capable of producing, but not very fast nothing nothing compared to the speed with which the Chinese are building a naval crown yeah because it takes years to get congress to appropriate the money it takes years to get the designs settled down it takes years to get it all validated and goes on you know every stumbling block you can think of we found it well despite these very concerning weaknesses that you have pointed out one strength of the United States is that it is in a system of alliances but that is only as good as what our allies are doing and how much they understand in those terms do you see a comparable level of understanding to which you have just put forward here in Great Britain or in Germany, in other allied countries, and then in Asia, in Japan, New Zealand, Australia.

Well, aside from the British, who I think are are starting to see some light, let’s put it that way, and are willing to try and work with us to some extent, the others are not the Germans. Germans are busy building the pipeline. Well, it is almost finished now with the rush of the Nord Stream 2. I mean they are not interested in defense, that the German Army is a disaster. They have very few tanks that even run. They are not really a world power anymore. As a military power the British Army is smaller than it was in 1776. That is well. We won that war as I recall so that that is probably a good thing.

The Japanese Self-Defense Force is very tiny by design. They spend around one percent of their GDP on defense, which is far from adequate, especially now with the challenges they face. And when we ask them to put Aegis assurance and air defense system in to protect the vital parts of the Japanese mainland, especially the air bases and the naval ports where we have our ships, and our airplanes, and our personnel, they said yes and then they changed their mind and said no, so they have no 24/7 full-time strategic defensive system even in the planning works. They are relying on the Patriot Pac-3 system and some Pac-2s, which are far from adequate and will not defeat a Chinese attack, so you know I am very discouraged. I think right now that trying to whip our allies into shape is not going to happen unless we whip ourselves into shape.

Robert R. Reilly:

Do you think it is an exaggeration to say we are in pre-war conditions?

Dr. Stephen Bryen:

Smells like the 1930s.

Robert R. Reilly:

As you know a number of admirals and generals have said they expect war with China within five years, that they think the Chinese military is itching for a fight.

Dr. Stephen Bryen:

I think that is true. I think they are itching for a fight. In fact, one of the worrisome issues is whether the civilian leadership in China can constrain their military or whether they are going to be whip sold into getting into the conflict, probably Taiwan but not necessarily only Taiwan.

They got their eye on the Senkaku Islands, the Japanese islands, I mean their whole strategy is this first island chain in the Pacific that they want to control it because they figure that way they control Asia. And by the way, they are right. The Japanese seem to think they are right also, which is why the Minister of Defense recently spoke rather forthrightly, as did his deputy minister, about Taiwan being central to the security.

Robert R. Reilly:

That is substantially important to Japan security.

Dr. Stephen Bryen:

Yeah and I think that made the Chinese crazy. They were furious and they put out a video showing that they were going to nuke Japan, not once but consistently, continuously nuke Japan because of what they say, what the Deputy Defense Minister said. Crazy, but I mean that is the sort of thing that did not come out of the blue, right? And that is scary and it was reckless, irresponsible, and they said China has a no first nuclear policy but it no longer applies to Japan.

I mean can you imagine something like that? Do they threaten Japan with nuclear war? Japan has no nuclear weapons. They are not a nuclear threat to China. They just do not have any, but they threaten to obliterate them, which means obliterating us because we have our soldiers, and our sailors, and our armed support personnel, lots of them, in Japan, not counting all our businessmen and everybody else. But this kind of threat is reckless, but it tells you the mentality of these people and why we have to really take this challenge up.

I am worried that that right now we are appeasing China and that is dangerous. It was dangerous when Chamberlain appeased Hitler and it is dangerous when Wendy Sherman, the State Department deputy, goes to China and appeases the Chinese government. It is the same thing. What are we going to give? Are we going to give them Taiwan? We are going to give them the Senkakus?

Robert R. Reilly:

Well, as the Japanese and some of our military folks have said, it is game over at that point.

Robert R. Reilly:

Well, I think the Japanese are feeling the pressure now, which is probably a good thing if they felt it twenty years ago, it would have even been better, but look we are slow. We are very slow and I just wrote a piece for Asia Times about how we pulled our air. We have one aircraft carrier in the Pacific, just one, based in Yokohama. It is the USS Ronald Reagan and we pulled it out ostensibly to cover the Afghanistan withdrawal, but I do not know what purpose it has covering the Afghanistan withdrawal. I think we pulled it out to placate the Chinese.

Oh, yeah, we also pulled our bombers out of Guam. They are no longer stationed in Guam, they are stationed in the United States. ‘Well, they can get there in a hurry.’ Well, how many hurries is that? That is a long way off to fly a B-52, which is a slow-flying airplane, and we have no more B-1s right now because they are all grounded. And the B-2s are a nuclear mission. We are not going to put them into any conventional conflict, so we have essentially abandoned Guam for all practical purposes. Why? What is wrong with us?

Robert Reilly:

Well, I think let’s leave that to be answered in another program with you.

Dr. Stephen Bryen:

I caused enough trouble today.

Robert R. Reilly:

I am extremely grateful to Dr. Stephen Bryan for doing this program with us today on technology, security, and cyber hyper insecurity, it seems. Thank you for joining us at this program. Please go to the Westminster Institute webpage where you will see a number of our other lectures available on video and on our YouTube channel on China, Russia, and a number of other subjects. Thanks for joining us today. I am Robert Reilly.

1 Shares: