Cyberspectives: Exploring Cybersecurity And Geopolitics With Chris Bronk

interview with Chris Bronk
Wednesday, January 16, 2019

In this episode, Chris Bronk discusses the geopolitical implications of cybersecurity, including how control of information—and misinformation—impacts international relations.

About the guest: Chris Bronk is an assistant professor of computer and information systems and associate director for the Center for Information Security Research and Education at the University of Houston. His research is focused on the area of cyber geopolitics, with additional work in organizational innovation, knowledge management, and intelligence studies. Prior to joining the University of Houston, he was with Rice University's Baker Institute. Previously he worked as a foreign service officer.


(the text below has been condensed and edited for clarity).

John Villasenor:          Welcome to Cyberspectives, a podcast that provides insights and analysis on the technology, policy, and legal issues associated with ensuring cybersecurity in an increasingly complex technology environment. Our guest today is Chris Bronk, who's an Assistant Professor of Computer and Information Systems, and Associate Director for the Center for Information Security Research and Education at the University of Houston.

His research is focused on the area of cyber geopolitics, with additional work in organizational innovation, knowledge management, and intelligence studies. Prior to joining the University of Houston Chris was an information technology policy fellow at Rice University's Baker Institute. Previously he was a software developer in a technology startup, and then worked as a foreign service officer.

Chris, welcome to Cyberspectives.

Chris Bronk:               Thank you for having me.

John Villasenor:          The first question is, a lot of your work has looked at what you call cyber geopolitics. What are some of the specific ways you see cyber shaping geopolitics in the coming years?

Chris Bronk:               Well, I think there are narrow and broader interpretations of what cyber is, for starters. So that's something we need to think about. But essentially the question is, how is the internet being employed to change political outcomes? To change international relations? To make movements among peoples and publics around the world?

John Villasenor:          In terms of US national security, do you think we face more of a threat from the potential for overt cyberattacks on critical infrastructure—someone throws a switch somewhere and a big chunk of the United States loses power or something? Or from the use of cybermethods by non-US actors to exert covert influence on things like US policies and elections? Which one of those worries you more?

Chris Bronk:               Anything that keeps much of America eating canned goods in the dark is of course frightening. Looking at the cyber kinetic energy problem is a lot of what I do today. Living in Houston, Texas, energy issues are of course paramount. And the projects that we've worked on in the last year or two have been on energy systems, and the types of computers that touch them. I'm going to say that the infrastructure issue is a discrete issue that we can address.

                                    It's not easy, there's a lot that can go wrong, but we have a good understanding of the systems that are in play and how they can be impacted. And we're learning very quickly, I think, when you look at corporations that do petrochemical work, or do pipeline work, or refining. They understand pretty quickly what the public risk issues are for them, and they understand how cyber can amplify those risks. And I think they're doing a lot of work to mitigate it.

John Villasenor:          You're essentially saying that there is a pretty good ability to get a hand on the problem, you're talking specific to the energy sector, not to all 16 or whatever DHS critical infrastructures. Is that right?

Chris Bronk:               Yes. I would say that. And even ... There are differences. Electricity where there's rate paying regulation, government is involved, it's difficult for those companies, necessarily, to scrape together the funds to do a lot. Whereas oil companies, when prices are high ... And you have to look at oil and gas companies, I think, at this point as large distributed energy supply chain firms.

                                    When times are good they can do a lot in cybersecurity. They have the resources to do so. When things get lean it gets harder. But if you look at all the other infrastructure areas, and the point I wanted to come to is this: The question I think we have to ask on infrastructure at this point is, to what degree does the US government need to get involved?

                                    And then even more difficult is, to what degree does the United States Department of Defense and the agencies that comprise the intelligence community, that are military in nature, and even the armed services themselves, what are they going to do about these issues?

John Villasenor:          And what should they do, and what can they do, and how does that work?

Chris Bronk:               Yeah, and the simple answer is they, the Department of Defense, has much more capability, probably, than any other organization on the planet in many regards. And the hard sell now is, we've built this edifice of cybersecurity in the Department of Homeland Security that is the lead agency for so much in this infrastructure work, but does not necessarily have the resources that a United States Cyber Command or a National Security Agency has.

                                    And how do you address that disconnect? And it's not an easy question when you start looking, this is when the policy and legal gets complicated when you start looking at, is this a law enforcement issue or not? Can the Department of Defense be involved? Is posse comitatus going to come into play via problems like this? And, generally, I think most of the military folks I talk to, when you start talking about those fundamentals of should the military be involved? They generally seem pretty reluctant to engage.

John Villasenor:          And how concerned are you about the second part of the question, that is: non-US actors exerting covert influence on elections and policies? These would be different, of course, from overt attacks on critical infrastructure.

Chris Bronk:               Well, I knew I was going to come to Edward Hallett Carr, who is a theoretician of international relations, who wrote a great little book before World War II talking about power. And we generally look at power on three legs when you're talking about a country. Military power, we understand that really well. And then you have an economic power issue. We understand that pretty well, we're seeing a lot of talk about tariffs lately.

                                    And then the final piece is information power, which if we're having this conversation 70 years ago we'd be talking about propaganda. What I think will happen in this space is that national propaganda and counter propaganda organizations are going to evolve fairly quickly. What I'm not seeing in the United States is that process. During the Cold War we built a propaganda organ in the United States government that was independent of other agencies, the United States Information Agency.

                                    And its sole function was to inform the world about US perspective, values, policy, all these soft things. And we don't have that capability anymore. And the aggressor states, I'm primarily looking at Russia but China is also a concern, and now we have issues in other states as well. We're seeing emerging online influence capabilities in a number of developing nations. I mean, Turkey is one in particular.

                                    And then the flip side of it, censorship, which is also going on. My personal litmus test on this lately has been Hungary, I think Hungary went from a pretty typical post-Cold War emerging democracy, to becoming an incredibly autocratic state. It is still a member of the EU and NATO nonetheless. And to large degree that has been done by the successful manipulation of public perspective. Increasingly demonizing the other, outsiders, immigrants, refugees, and creating a strong isolationist reactionary populace.

John Villasenor:          I'm going to move on to a policy legislation question. Politicians on both sides of the aisle agree that cybersecurity is of critical importance, and it's really one of the relatively few areas in which there's a real possibility of bipartisan legislation before the 2020 election, or for that matter afterwards.

                                    Are there any specific cybersecurity challenges that you think should be best addressed legislatively? And if so, what are they? What crosses your mind?

Chris Bronk:               Well, there have been a number of efforts to improve information sharing. Those are hard. I think, really from an end-user, if I'm running a security team in a large corporation one of the things that I've gotten very well educated on is government to corporate sharing of cybersecurity information. I've spent a lot of time looking at the NCCIC [National Cybersecurity and Communications Integration Center], the Department of Homeland Security's Cyber Information Center, or the body that pushes out information to corporations.

                                    And talking to the corporate folks who take in that information, they're generally glad to get it. But there's this whole secondary economy of companies that are doing the same job that they write big checks to. So no, I do get this feed from DHS, but I still want to pay FireEye a substantial chunk of money to send me different information that I might need.

                                    And I think this is a real problem, where you have these private intelligence services in the cyber domain, as well as government. I think that if I could wave a magic wand, and I know this is going to sound incredibly impractical. One of the biggest things I think we need to solve legislatively in this country is the over-classification of information regarding cybersecurity.

                                    And that's not an easy thing to fix, it's not something that's necessarily easy to do with a stroke of a pen, but because everything is classified at such a high level government cannot have a meaningful conversation many times with public entities, private entities. Whether you're talking about a city government or a large corporation, the federal government can't come and talk to my city very effectively.

                                    They can't roll in to Houston and say, "Here's our problem." When it's classified at the top secret level and in some compartment. That's on my personal wishlist. I don't think that's necessarily what would be a high priority for everybody, but for me over-classification remains an enormous issue.

John Villasenor:          [Regarding] cybersecurity as an arms race, what kind of grade do you give us? How are we doing? Are we staying on top of the threats? Are we falling behind? Anything we can do better? Any sort of top-line takeaways on that issue?

Chris Bronk:               My big picture sentiment remains this. I think that most of the technical problems that lead to cybersecurity negative outcomes can be solved. And can be solved in our lifetime. We will build better AI informed software that patches systems, we will build better machine learning algorithms for recognizing malicious binaries as they come across a network boundary.

John Villasenor:          But don't the attackers get better as well? In the sense that that's the challenge, right?

Chris Bronk:               Right. Yeah, it's this measure, countermeasure, counter-countermeasure struggle, which ends up being really expensive. But I think a lot of the technical features can be fixed, that we deal with today. Now, the two problems are this. Yes, the attackers get better, and the other problem is if you look at the biggest picture, Silicon Valley still wants to evolve all these new things that you're going to want.

                                    Venture capital is not chasing after cybersecurity companies the same way as chasing after the next unicorn, not yet publicly traded corporation. I don't hear a lot about cybersecurity companies that are unicorns. I hear a lot about companies that are involved in delivering me food that are unicorns, or delivering me food and syncing up my Netflix to it or something. I don't know.

John Villasenor:          Not all of them are going to stay unicorns.

Chris Bronk:               Right, right. So really I think that because the bad guys are effective and keep getting better, that is a problem, but the evolving infrastructure is, I would say, probably the hardest thing to make sure bets about the future on security. Because it used to be that corporations would say, "Oh, that social media thing, we're just going to block that at the firewall. No one uses that." And then 10 years later it's like, well how do you do business and marketing without using Facebook?

I think those are the issues that we're going to have to wrap our heads around. And then the final piece, I would argue, is the value of true and correct information. I got to meet Daniel Patrick Moynihan when I was a graduate student, and he was riffing on his book on secrecy and truth. And he has this famous quote that I'm paraphrasing, that we are entitled to our opinions but they should be based on the same set of facts.

                                    And I guess when you talk about deepfakes and influence operations, the proliferation of information - we have much more information than we've ever had before, and everyone likes to make these comparisons about X zettabytes of information are created every period of time. And the flip side is a lot of the information being created is wrong, it's maybe just outright untruth. Yet people believe it, because they look at a screen and they read a story, and it's well organized, and they say, "Wow, that must be true."

                                    Whereas the bar for, is this true, when I was a college student was, "Well, I read the Wall Street Journal and the New York Times, and they both say this happened. Seems like it happened." And when I get my Economist on Monday, if it says so I'm just going to assume it's true. Now it's the complete disaggregation of news media has made us very vulnerable, I think, to misinformation.