IN THE EVENING of December 23, 2015, the lights went out in parts of Ukraine, plunging more than 225,000 households into darkness. In itself, a blackout in that part of the world might not have attracted much notice. What was unusual: Word came from Kyivoblenergo, a local utility in Ukraine’s Ivano-Frankivsk region, that the outage was due to an illegal entry into its information technology systems. In short, hackers turned out the lights, using their access to the utility’s computer systems to disconnect about 60 substations from the grid.
What followed that startling announcement was a whirlwind of reports, clarifications, ersatz analysis, and hand-wringing that has become familiar. Analysis by the private security software firm ESET, headquartered in Bratislava, Slovakia, connected the attack on the Ukrainian utilities to malicious software with names like BlackEnergy and KillDisk. ESET claimed the tools were discovered on systems operated by the utilities and that the same tools had been used in attacks on media outlets during the contentious 2015 Ukrainian local elections.
Months later, the finger of blame points toward Moscow. But questions linger: Was the blackout the work of hackers? If so, who were they? Where were they trained? What were their motives? If an attack took place, was it a stand-alone operation or part of a larger effort to destabilize the fragile Ukrainian government? What foreign and domestic policy response—if any—should Ukraine and its allies, including the United States and the EU, mount?
Those are some of the thorny questions and controversies that faculty members and students at the Kennedy School’s new Cyber Security Project, part of the Belfer Center for Science and International Affairs, are delving into. They involve issues such as information security, conflict in cyberspace, information warfare, and the prevention of cyber attacks by terrorists. It is all part of a broad new initiative to study and define what one faculty member calls “the big policy questions of the next 40 years.” (See the article “Digital HKS” below for more on this.)
Funded by a $15 million gift announced in January, from Robert and Renée Belfer and their son Laurence, the Cyber Security Project is bringing some of the world’s top minds in information security and policy to Cambridge. (This gift supports a priority area of the Campaign for Harvard Kennedy School.) The goal: creating a “conceptual arsenal” with which strategists and policy makers can confront the growing challenge posed by the potential for conflict in cyberspace.
Within defense and policy circles, the timing is propitious for the launch of the new program, says Michael Sulmeyer, the director of the Cyber Security Project.
“We have this new manmade domain of potential conflict,” Sulmeyer says. “We have to marry knowledge of information security and security studies.” The project aims to provide students with the problem-solving skills they will need to resolve issues they are likely to confront early and often in their jobs in government, where Kennedy School graduates may find themselves helping to shape fast-evolving cyber policies.
Evidence of that need is everywhere, from the Ukraine grid attack to incidents of cyber compromise and probing of U.S. critical infrastructure to the heated legal dispute between the FBI and Apple Computer over access to the data on an iPhone used by one of the individuals responsible for the December 2015 terrorist attack in San Bernardino, California.
“Hacking used to be what pimply kids did in their basement,” says Jim Waldo, a professor of the practice of computer science at Harvard and a faculty affiliate at the Belfer Center. “Now it’s what governments and militaries do in well-appointed conference rooms.” Still, the international implications of cyber are only now becoming apparent to policymakers.
The center has long drawn experts in cyber security and policy to Cambridge, such as Daniel Schrag, director of the Belfer Center’s Science, Technology and Public Policy program and a professor of environmental science and engineering at Harvard. “There are huge benefits to connecting, but our understanding about how to be secure has lagged,” says Schrag. “We need to understand how technology is evolving in the way that we use it.”
Edward Snowden’s disclosure of classified information about CIA and NSA spying, destructive cyber attacks like those against Saudi Aramco and RasGas in 2012, and the theft of millions of records from the U.S. Office of Personnel Management have broadened the discussion to encompass everything from economics to civil liberties and international relations.
The dispute that erupted between the FBI and Apple is a great example of that, says Doug Elmendorf, dean of the Kennedy School. “Devising the best technologies and policies to protect us is very challenging. There may be significant trade-offs between the ability of our government to ensure security and maintaining our privacy.”
That’s just the kind of thicket that the Kennedy School will be preparing future policymakers and leaders to throw themselves into. “I think that hard thinking by smart people will help us find a better path,” Elmendorf says.
Long secretive about their offensive cyber operations, the military and even the intelligence community have begun to talk more openly about cyber as a new domain in which nations operate and about the appropriateness and effectiveness of various offensive and defensive tools. The Cyber Security Project is bringing that conversation into academia, with the goal of demystifying what happens in cyberspace.
In a seminar Sulmeyer teaches, for example, discussion may focus on what constitutes an attack. In kinetic warfare, that’s generally a short conversation, but not so in the theater of cyber conflict. “If a major bank is hit with a DDOS but there is no discernible impact, does that constitute an attack?” Sulmeyer asks, using the acronym for distributed denial of service.
Discussions just as often spring from the headlines. The devastating 2014 hack of Sony Pictures Entertainment was the topic of one recent class discussion, with Sulmeyer and his students delving into the nuances of the incident, which has been attributed to North Korean retaliation for Sony’s planned release of The Interview, a movie that parodied North Korean leader Kim Jong-Un.
“We try to talk more factually about what is going on—to be more descriptive and get to ground truth about what we do and don’t know actually happened before we characterize something as an attack,” he says.
A former senior policy advisor to the deputy assistant secretary of defense for cyber policy and director of the office’s Plans and Operations Group, Sulmeyer worked closely with the Joint Staff and Cyber Command to develop policies to counter malicious cyber activity against the Department of Defense and U.S. interests.
Information security has not been part of the traditional public policy curriculum, but it desperately needs to be. “We’re in the process of building a 21st century conceptual arsenal for cyber operations,” Sulmeyer says.
Conflicts in cyberspace present a unique challenge for students and scholars of government alike, because they can blur the lines between individuals, groups, states and non-state actors, notes Waldo. “There is a continuum from individual actors to criminals to political organizations (like Anonymous) to state-sponsored or state-based actors,” he says. “Further, there is no clear notion of jurisdiction in cyberspace. Notions of borders don’t really make sense.”
“You have to be able to think critically about what you’re reading and what someone is telling you,” Waldo says. “You have to ask the right questions, not just nod.”
Sulmeyer says that security industry luminaries such as Bruce Schneier, an author and authority on cryptography and privacy, will be speaking at the Belfer Center. In addition, students and fellows will have access to outside experts such as Katie Moussouris, an affiliate of the Cyber Security Project, who pioneered the so-called bug bounty programs that help companies improve their cyber security.
Vivek Mohan, a research fellow in the Science, Technology and Public Policy Program from 2011 to 2013 and now an associate in the Privacy, Data Security and Information Law practice group at Sidley Austin LLP in Washington, DC, says there is an urgent need for attorneys and policymakers who understand and are conversant in matters—such as encryption—that have historically been the domain of technologists.
He’s anxious to see the Cyber Security Project become a nationally recognized center for academic thought leadership while also mentoring students toward careers in a field that is desperately in need of talent.
As for answers to some of the tough policy questions? Experts at the Belfer Center advise patience. “The situation is much more like that in the Age of Discovery, when there were pirates, privateers, and nations all trying to figure out what the law of the sea would be,” Waldo observes. “That took a couple of hundred years to figure out. I hope cyber doesn’t take that long.”
Paul Roberts is the editor in chief of The Security Ledger and a contributing writer at The Christian Science Monitor.