Hello, everyone. Welcome to DiscroundUp. Along with geospace, aqua space, and space, cyberspace is a contested common, and its use as a battleground to wage war is rapidly intensifying. This changing landscape of warfare, where emerging cyber weapons have become more lethal than real battlefield weapons, is becoming a cause of great concern.
Keeping up with the rapidly growing complexity of the raging war in cyberspace is a challenge facing not only nations' military, but also individuals and entities across nations as government, industry, organizations, and academia. So as we evaluate the ongoing cyber warfare getting integrated with artificial intelligence and its scope of overall entanglement with geospace, aqua space, and space, the anonymity of enemy soldiers in the cyber domain, and the leveling of attack capabilities, we are entering an era where it seems a new paradigm of cyber conflict and warfare management seems essential. To discuss cyber warfare further, I'm delighted to welcome retired colonel Dr. Don Welch to DiscroundUp.
Dr. Welch is the Chief Information Security Officer and has just been taken over the role of Acting CIO and Acting VP. I'm not sure if that is still current for Penn State. Also an affiliate professor in the College of Information Science and Technology, as well as the Department of Electrical Engineering and Computer Science.
Welcome, Dr. Welch. We are so honored to have you, DiscroundUp. Yeah, thank you.
It's my pleasure to be here. Wonderful, Dr. Welch. So it seems cyber space is the only domain which is entirely human-made, and it seems to have been created, maintained, owned, and operated both by public as well as private stakeholders across nations.
It is changing continuously in response to technology transformation and is not being subject to geopolitical or natural boundaries. So information and electronic payloads are deployed instantaneously between any point of origin and any destination connected through the electromagnetic spectrum, and data and information have traveled in the form of multiple digitalized fragmented through uncreditable routings before being reconstituted at their destination. So as we evaluate this man-made contested common, how is cyber warfare evolving as compared to warfare in geospace, aqua space, and space, which, you know, commonly known as land, sea, and space? Yeah, so I think you're right in that the lines between the battlefield and non-battlefield have really blurred.
So as we, we've always had terrorism, but terrorism has gotten more popular as time has gone on, and who is a combatant and who is not have gotten a little bit more difficult to understand, and I think that what's going on in cyberspace is an extension of that trend. So, for example, in the United States, the Constitution precludes the federal government from taking action inside U.S. borders, especially the military aspects of the NSA, the CIA, and of course, the armed services. So most of the attacks that go on in cyberspace are going on within U.S.
borders, and so it leaves people like the security teams and the IT teams at institutions like Penn State to actually be combatants, and we really, I think, have to go back to the colonial days when there was not a strong federal government in the U.S., and defending settlements and colonies fell on the colonists themselves. So this is really a little different way for us to act. There's certainly a lot of constitutional issues about when we can invite the federal government in, how much it can do, how much it should do, and to be able to defend our nation's critical infrastructure. As you pointed out, it's more than just stealing intellectual property.
It can be a life safety issue now, and then to continue to go on on this introductory first question, as you pointed out, the combatants are more and more wired. The soldiers themselves are carrying many computers. All our vehicles are many computers. Back when I was in the Army, we talked about the next infantry rifle was going to have 20 million lines of code in it.
The project managers for major weapon systems, they'd show you a picture of a mobile artillery piece and say, what is this? And people would say, oh, that's artillery. It's a cannon. It's like, no, it is a container for software.
That software is what makes this weapon effective. And so that also is having that effect that traditionally non-combatants can have an impact on the battlefield conducting cyber operations against the uniformed military. So that border has really changed and it's blurred, and it's really difficult to draw lines when we like to draw those lines. Yes, that is very true.
And there's complexity of the technology transformation because there is so much progress in development in technologies and everyday technology changes. And this, you know, the hacking industry itself is now an industry. It's a full-blown industry. So that creates so much complex challenges.
And there is this vicious progress for the rating on the cyberspace and this new cyber battleground. It's full of unknowns because there are so many significant players and minor players and rules of war and reasons for war are not understood clearly. And in these cyber battlegrounds, the war casualties have been quietly piling up. And it's just everyone that is, you know, individuals and entities across nations, government industries, organizations, and academia are being hit and are at risk of being hit.
Nobody is being spared, including common citizens. So that brings us a question that how can, you know, anyone be prepared for this new warfare reality? Because we, not everyone has understanding of, you know, the computers or the security technologies or processes. And, you know, most of the common citizens, they are not prepared with this kind of vulnerabilities.
And if they are not prepared, everything is interconnected because now we are connecting not only just the, you know, major corporations, but even the homes and enterprises and everything is getting connected. So how can any nation or how should any nation prepare for this new warfare reality? So I think that, you know, like any complex problem, there are complex answers to it. So it's many faceted on how we'll have to do that.
And I think the same kinds of things that are necessary to combat cybercrime are the things that are necessary to combat cyber war. Obviously, nation states and, you know, non-governmental bad actors and terrorist organizations and so forth can bring a lot of technology and expertise to bear. But still, your basic citizens have got to learn how to operate in this more adversarial internet that continues to grow. Things like keeping your systems patch.
I'm having some basic awareness of security and so forth. We, when we started driving cars, it was a new technology and we needed to figure out basic things like which side of the road we would drive on, what are the rules for intersections and so forth. And people had to become aware of that. And right now, those kinds of things are second nature to us.
And I think in using technology, guarding our security, our privacy, that's going to have to be second nature. And it's certainly not yet. Obviously, I work at a university and around students. I have young children of my own who know a lot about technology, but are not as concerned about their privacy as possible as I think they should be.
And the question is whether it even matters that all of our privacy is already compromised anyway, and you will never get that information back. But regardless of all that, we need this awareness overall. And of course, one of my concerns is small businesses. So if a country is going to attack and try to either combine a traditional kinetic type of attack with cyber operations, then they can go after big companies.
Big companies have resources. Most of them do a fairly good job of securing their critical infrastructure. But if you want to disrupt, say, the food supply for a region, yes, you could go after the big distribution companies, but you can make a big impact by hitting a number of smaller companies that are probably not well-prepared. Cybersecurity people are expensive.
Running your infrastructure well so that it's not vulnerable, is expensive, and a lot of small companies have difficulty coming up with the resources to do IT well. And also just the practical sense of it, if your IT shop is three people, you can't afford a full-time security person. So if someone is doing it part-time, they're not going to be as good at understanding what the threats and what the countermeasures are and so forth. So I think one of the challenges, how are we going to defend those small companies that, if attacked and aggregate, can have the same impact as taking down a major company that's a major infrastructure provider like transportation or food distribution or whatever it may be that supports that operation?
And then, of course, different than cyber operations, there's information operations. And of course, we see that in social media right now. And of course, they're not the same thing, but they complement each other. And we have to understand, as a people, what those informations are, who's trying to manipulate our perceptions and our actions, and be able to live in a world where we can understand that.
I'm sorry, go ahead. No, you're absolutely right. We do need to understand how the misinformation, disinformation campaign is going on. And like you said, the nature of privacy by the young children, a young generation, is not concerned about it.
And it seems that the nature of privacy is self-changing nature and definition. But you're absolutely right about individuals and small enterprises, that they do not have enough resources. So what can be done? Not everyone has resources at large corporations.
So probably, we need to start to focus on how we can have the manufacturers and telecom companies to incorporate the first layer of security in them. Because right now, if you buy any computer or any phone, it doesn't come with any security. So we have to install all the antivirus and all those kind of softwares. And not everyone is knowledgeable.
So why not just make manufacturers install all that and have regular updates? So that will take away some vulnerability. And the second thing is telecommunication. That also can be the first layer, because everything comes to wireline and wireless networks.
So why not have them incorporate a layer of security? So we have to change our approach. And that certainly is possible if everyone works together and understand that these risks that are emerging and coming over there are very, very complex. And we cannot have just one security solution.
We need to have a layer of security solution. So I mean, the rapidly transforming cyber background is bringing all of us, the good, the bad, and the unknown. And with the world getting immersed in these rapid advances in artificial intelligence and machine learning, it's making, you know, cyberspace and cyber security challenges very complex. So by the fundamental reason and goals of warfare have not changed.
The way wars are fought indeed have. And is it fair to say that cyber crime and warfare activities through cyberspace is now the most critical national security threat and perhaps ahead of terrorism, espionaging weapons of mass destruction? Well, so yeah, interesting question. You know, still, obviously, even though cyber weapons can kill and arguably may have caused some death, still, it's fairly minor.
A nuclear weapon, obviously, would be much more devastating. So I think, you know, in reality, we're much more concerned about nuclear warfare, a large scale kinetic warfare where, you know, we're very good at blowing each other up at large scale. And we haven't seen that yet. So I wouldn't say that it is the major national security threat that we've got going on right now.
But it's certainly one that we have to pay attention to. So if you look at, you know, the impact of the number of people who, for example, in the US that have died due to terrorist attacks is still fairly minor compared to the number of people who have died in automobile accidents. But the impact is much greater. You know, I like the example of, you know, about 10 times as many people worldwide are killed by cows as are killed by sharks.
But nobody sees a cow and goes running away screaming, cow, cow. And so it's the psychological impact is there. And I think the cyber warfare has that capability right now that we depend on it. If somebody cuts off the power, like I was working with the National Guard in the state of Michigan as we were developing cyber defenses for the state and the National Guard commander, his number one worry was the power gets shut off in Michigan in January.
And, you know, and how is he going to keep all those people warm, you know, get them to a shelter where they would where they could be protected from the cold. Those those fears, I think, are real. And I think right now, the thing that's holding that back is deterrence. So will what would what would a country do if they were attacked through cyber, a cyber attack that harms people?
And there's been threats back and forth. You know, we think we've seen a case where the Israelis bombed a Hamas center that was conducting cyber operations against them. You know, the there's been news reports of the US penetrating the Russian utility system, power system to detour the Russians who have allegedly penetrated the US utility system. The there have been reports that the Iranians tried to penetrate the US utility systems and have been so so that they could deter another such net like attack.
So once again, like nuclear warfare right now, it's all the deterrent stage. And that may or may not work. It certainly worked for nuclear weapons. But how long will that work for cyber weapons?
And I think we see our adversaries getting bolder. So it's it's a complicated problem. It's difficult for our our leaders to to figure out how to operate. When I was in the army back around 2000, a cyber attack had the same release level as a nuclear weapon.
If the army was going to do a cyber attack, it had to have the presidential approval to do so. Now, that's not the case. That's probably a good decision. But still, I think breaking that deterrence is something that should not be done lightly.
And I don't think we'll be done lightly on anybody's heart right now. Yes, I agree with you. And you're right that, you know, we still don't see widespread attack on humans to kill them. You know, so that that is still a relief that, you know, all these hackers and, you know, criminals are still having little conscience not to go after, you know, the humans to try to distort that.
But we are not just, you know, facing challenges with the cyber weapons. We are also looking at these rapidly evolving EFP weapons because electromagnetic weapons are also emerging. So and there are many nations who would like to harm nations that are economically more successful. And that's why the United States, you know, becomes very vulnerable because billions of dollars are invested in developing cyber capabilities to attack financially successful nations like the United States.
So if bad actors succeed in attacking economically prosperous nations like the United States, if you're doing a collapse of global economy, you have a dependence on the, you know, on the other economies. So how to prevent damage to these, you know, global economy and how to contain the cyber warfare ambitions of these bad actors and especially the thousands and probably, you know, hundreds of thousands of young, brilliant people who are getting attracted to, you know, move towards this, the dark side and try to, you know, create damage because it's a thrill for them. So how to prevent that? Because that is where the biggest challenge is.
If they don't have the bigger brain power, then, you know, it will be much easier for us to control the situation. But it looks like that a lot of young people are, you know, moving towards that. Yeah. So, and vice versa, there's a lot of people who start out penetrating systems who become professionals in the security field and want to stop those malicious actions.
So I think we're always going to have people who, you know, who have bad motivations. I mean, I think that's just human nature. You know, just like we're not going to stop terrorists from being recruited. But what we want to do is mitigate their impact.
act so one of the things I think you brought up earlier in that the devices that we buy those are not necessarily secure well how do we make them that way do we regulate that and say it must be secure well regulation can be effective but certainly not the most effective the most effective would be if the marketplace said we want secure devices and people are willing to pay for it because for software to be secure you don't just write it so it works you have to read it so it doesn't fail and we write try write software that controls aircraft so it doesn't fail or control spacecraft so it doesn't fail and that is much more expensive than it is to write consumer software that is just supposed to you know supposed to work and so if we were willing to pay that you know for example the baby monitor that we use to watch or to keep an eye on our child we'd be willing to pay 10 or 20 times as much for it but it would be secure because that company that did it would have put the effort into to do thorough testing so design security in from the beginning to pay those security professionals and to keep that software updated when flaws are noticed you know there right now there's a market for that you go out of business even in the medical device field we know that is a big problem and I had been a consultant to a company that was a startup to create secure medical device the devices and they were gonna build their own operating system from the ground up that would just handle those medical devices but would be secure because it wasn't built to do other things therefore not as complex and not as many flaws but it didn't work the market wasn't there even in that which is a life-safety device so that's what we really have to do is we need this widespread understanding so that people are willing to pay for it and I'll give the example of an automobile so the automobiles when I was a child are much more expensive now than they were then even when you account for inflation but they are much safer you know not only have seat belts but they have airbags they're they're built better and so forth and we have a combination of regulation and market we have automobiles that are much safer now than they were 40 or 50 years ago we need to get there faster with software but consumers have to be educated too that this why is necessary and unfortunately that education probably involves a lot of pain and loss along the way that's just human nature that's the way we are yes that is an excellent point because education and awareness is the key and that's what we are trying to do it one step at a time that we educate the global cities and not just you know in the United States but everybody across nations to understand the risk so then they can take an informed decision about what needs to be there and they can support the right initiatives now it's not just the cyber weapons we are talking about we see AI and machine learning capabilities beginning to be incorporated and integrated into cyber warfare so how will the malicious code that includes AI and machine learning capabilities change the cyber warfare landscape what trends do you see well so you're right we're starting to see malicious software that is controlled by artificial intelligence I'm not sure we really see in the wild yet machine learning but I'm sure that's coming but also we need artificial intelligence and defense right so people are going to be they have to focus on the things that they're good at which is you know really difficult problems and thinking through those solutions but they aren't good at reacting quickly and properly so whenever we can automate a process and if we happen to use artificial intelligence as part of that automation then we will have a better response but the important thing is machines can do processes that we can define much faster than people can and so including that is going to be absolutely key so we see the speed you know when we talked about the advanced persistent threat years ago and the idea that an adversary especially a nation-state would come in penetration penetrated network take their time move around and be in that network for a long time stealing what they what they can that still is a threat but we also see these attacks that are automated you smash and grab if you will where they go and they're not worried about being discovered they want to quickly hit the payload exfiltrate the data do whatever malicious things that they want to do but do it faster than the defensive team can react and that's where we need automation to be able to do and AI is certainly one of that I am AI of course is important buzzword as a machine learning machine learning is actually a little different but AI to me is a programming technique how do we put the process and logic in there and artificial intelligence is a way a different way of doing it that we can capture more complex processes but it's it's very effective not necessarily are we at Skynet and the Terminator yet but but still effective program programming techniques especially in attack and defense absolutely and you know we are almost seeing an algorithmic warfare and these algorithms are transparent and who develops algorithm where it is developed there's no way to know that so there's no way to control that's what you know we just addressed that you know we need to create some sort of algorithm naming and identification system so that once it becomes a security threat then we do need to know what that algorithm is so we can track it and we can contain it but there needs to be some sort of naming and identification system of algorithms because right now we have no idea who is you know developing algorithms where they are developed and for what purpose so that is where the bigger challenge is because they're all transparent and we will never know you know what is included in the hardware that we are buying or software we are buying because we have no capability to see that what algorithmic core is you know embedded in that and what is the purpose and goal of that now the blurring boundaries of cyberspace and all these different spaces across this pure space and space and growing threads from cyberspace means that the current and emerging warfare challenges will need to be fought using more tools than those furnished by the conventional military and you recently proposed to create a cyber militia would that meet the needs of individuals and entities across nations so I think the idea of a cyber militia is one way that we can do it and the idea being that these people are trained are well trained and right now we've got some government programs in the US that are supporting that I was involved in the state of Michigan they they had a National Guard unit and they had what they call the cyber cyber core the civilian cyber core anyways so the state would provide training and provided then an organization to share best practices the they got because they were trusted and had been checked their backgrounds checked and so forth for their button the system they would have access to more threat intelligence through the fusion center and that I think was a really far-reaching and a good start towards towards the kinds of things that we need but the idea that individual organizations will fight this alone I think is a losing proposition that we have to be able to share threat intelligence quickly we have to share best practices we have to work together and there are a lot of different things organizations and people who are working towards that end the ones that work will be the ones we put more resources into but you probably heard the cyber threat alliance security vendors who are sharing information with each other so that they can protect their customers faster I think is a great idea so that militia won't look like people in with muskets and tricolor hats as it was back in our colonial days but it will look like a whole a very different thing that is vendors and security people higher education is a nice environment that we don't don't really compete with each other we don't you know yes we compete for students at research rants but the collaboration is really high you know I can talk to CISOs from especially other big 10 universities we meet three times a year we talk on the phone every month and we trust each other and keep each other up to date and those kind of relationships are going to be really important the in the US the FBI's InfraGuard tries to foster those relationships regionally and we're gonna we're gonna need more of that to work together one of the things that you mentioned and you mentioned earlier is the idea of not knowing what's in our software and the idea of supply chain security and that really isn't a big deal and you see the world wrestling with that now with Huawei so you know 5g is coming and it's gonna be critical and we are gonna the idea that just cell phones are on it is gonna be gone we're gonna have cars and we're gonna have devices and so we have all these life safety systems on this network and the five eyes intelligence agencies have questioned whether we can trust that supply chain and code is so complex you've seen some arguments of some people trying to figure out whether or not code has back doors in it or it just has a lot of security flaws so forth but the way we currently operate we can't we can't say that it is and it might not even be the company that is necessarily being malicious but if people infiltrate the company they can put malicious code inside of a product and we find cases of malicious software being found on consumer devices and phones and so forth we find it in the Play Store and all those different kinds of ways that malicious software finds itself into the supply chain so much software now is built from open source coming from github and so forth that people depend on it they don't it's expensive to go and examine all that code and understand security implications of it generally speaking people aren't incentivized to do that and so therefore they're not doing that and we can't trust that supply chain so it is it's gonna require a huge effort across many areas where we can operate safely in cyberspace the Russians and the Chinese are doing their best to be able to disconnect themselves from the internet maybe the idea of one internet for the entire world was a quaint idea that historians will look back at and say yeah it worked for 50 years but after that there will be closely monitored entrance and exit points and you know the idea of free and open internet will go away I don't know but certainly the way it's designed right now it's very difficult to secure it and I think we will see other developments of other types of networks that can be secured yes very true no there are conversations there are you know trans-emerging which tells us that you know maybe China will you know cut off and you know have their own internet but the challenge is that even if nations cut off their internet and have the internal you know network but the companies are you're not just in one location they have you know their presence in so many different locations they're all transnational so how do we you know contain the security that emerges and the point that you made about sharing that intelligence it's absolutely essential but because of legal liability corporations are not doing that so what we at risk you know proposed is that we need to develop a framework that is security centered security management framework that would make every organization accountable for the security risk that emerges now because security risks are something of a nature that you know just causes independent risk to their corporation and it falls within the corporation boundaries then they are supposed to manage that and if they if there is a chance that those security risks are going to cross their corporate boundaries and impact other corporations or in their industry or other industries then they become interconnected interdependent and they are accountable to share that information because without sharing the information of interconnected risk we are just making the risk bigger and bigger and you know we are facing huge complex challenges because of that so we need to bring accountability in the security infrastructure and we need to create that framework which gives an ability to everyone to share the information that they need to share now there's other framework that we have you know proposed is that you know if we are going to remain in one internet then we don't need to come up with a global framework in which we need to identify risk similarly independent risk and interdependent risk and if the risk falls within a country let's say you know china then they if that if it impacts only china then it will remain within their walls and you know they they will have responsibility and opportunity to manage those but if it's going to impact other countries then they need to notify that they need to share that information so we have to make everyone accountable and unless we develop a framework that is not going to be possible just telling everyone that you should share information they're not going to do that and then legal liability because we have to incorporate the accountability and legal liability into the framework and that is something we all have to think about it because without doing all those things it is not going to be possible to manage the complex interconnected security risk that are coming over any organization they have a right to manage their independent risk the way they want to but as you know as soon as it becomes interconnected and they have the accountability and responsibility and legal you know responsibility that they have to share that information but unless you know that is a topic you know a huge topic to be discussed in a separate this roundup but let's talk about the law of armed conflict under the law of armed conflict cyber warfare must be distinguished from phenomena such as cyber criminality is that distinction clear when does a security breach or attack becomes a warfare event and how are cyber conflicts evaluated currently and who is evaluating them because we need some markers that tells us that this is not just a cyber terrorism or this is not just a cyber uh criminal event or cyber kidnapping or cyber you know all kinds of uh different momentary but that it has become a warfare event so what are the markers that tells us that this has become a warfare event now yeah so that's a really great question and the difficulty of attribution in cyber attacks complicates that even more whether it's a criminal or a nation state um you know determining in which nation state so when does it cross the border into uh into warfare so you can look at the intellectual property loss um to china over the last decade or so and can you say well if they had a bunch of spies that were over in the u.s and they stole all these paper this paper and brought it back would that be would that cross the threshold of war would we be justified to respond by sending warships over to china to do that that's a question i don't know if you look at the uh russian interference in the u.s election and european elections over the last few years did that cross the threshold uh you can look at and say well how much you know how effective was uh were the russians in uh either promoting brexit or the election of president trump and you look at the amount of ads they bought or whatever and say boy um our campaign uh teams really have to get with it if they could influence an election with only spending that much money um when ours spent you know hundreds of millions of dollars more and uh were ineffective so it's a really good question uh i think you know like with elections if we saw uh an attack where a foreign nation actually manipulated the voting results i think most people would agree they'd probably cross the threshold uh in the information operations clearly you know we've made a lot of threats but we haven't uh attacked uh russia you know we've put sanctions on but we haven't um technically attacked them we don't think that that necessarily crossed uh the threshold and i think at this point you can't draw bright lines you have to take the whole thing in complex if you cross the threshold from a cyber war to kinetic war there are real um uh the implications from that are huge right when we're talking um armed conflict and we never want to go into armed conflict uh lightly uh because the uh you know those sides are going to going to lose even the winning side is going to suffer uh from doing that so i think it's good of our world leaders to be restrained before you go there you you you you you But we've got basically four elements of national power, diplomatic, information, military, economic and military should always be the last resort. And I think what we really need to do is you talk about a framework so that we understand this. And I know most nations have got people, policy people who are trying to determine this and make recommendations. But what's the appropriate response?
Is it diplomatic? Is it information, a counter information operation? Is it sanctions? What can we do?
And can we affect change or deter them from taking that action in ways that are short of kinetic warfare? And certainly we want to we want to do that. But I think when we don't take appropriate action, then people are inspired to be bolder. And so we have to hope that we've got the right the right leaders who are making the right decisions and they've got the right advice so that they can deter that activity, but not not make the consequences so so light that it encourages other nations to continue their attacks.
And so really hard, I think, to draw a bright line. You know, it took us a long time to come up with the various conventions on land warfare. Even those, you know, are not always followed. But generally, OK, it worked pretty well.
But we but but that those are hard frameworks to come up with. And I think it's far more complicated than our current battlefields are to develop those frameworks. So right now, I think we have to depend on all the leaders of the world to exercise the right judgment and how to respond and how to deter. Yes, very true.
I mean, I've been talking about that integrated as a security center, this framework for the last three years. And so now it's not going anywhere. So you're right. It's not an easy solution.
You know, you need to make sure that right people come on board and, you know, decision makers understand the criticality of developing that. I'm proposing that I'm discussing that with so many decision makers, but let's see where it goes. But other question I have is that do nations have sovereignty in cyberspace for judging the lawfulness of cyber activity? Is there a legal framework regulating these water attacks?
So I think most countries will say that they have sovereignty, that they they can control. So if you are a visitor in China and you do something that's illegal online, you know, they have no problem arresting you and you suffering the consequences. The practicality of it is, you know, we have indicted Chinese nationals for cyber attacks in the U.S. and Iranian nationals, Russians, and sometimes we catch them.
But usually they if they don't travel to a country that has an extradition treaty with the U.S., they are never going to face any punishment. So in a practical sense, that sovereignty is is pretty thin. But the idea that that you control your aspect of cyberspace, I think there's some good ideas behind that. Right.
So a lot of activity that happens in cyberspace, countries want to enforce their own values there. And is that OK? Well, you know, we might not agree that we think you should have freedom of information or whatever. But, you know, I think that's a issue to handle in the in totality and not just in cyberspace, whether North Korea should have access to information to the network or whatever.
If our countries decide that they should deal with it, that's something to be taken in totality. Totality. But in cyberspace, we came up with this idea that the Internet would be free and open and we're finding that, well, there's problems with that. Do we want jihadists to be able to recruit over the Internet?
Well, we prefer to not. Well, OK, you know, do we want child pornographers to be able to apply their trade? No, we don't. Well, you know, where do we draw the line?
And nations need, I think, to be able to do that because enforcement is essentially going to take place in the real world and not necessarily online. So I think that idea of sovereignty is is there to stay for a while. And really, like what we see with China, basically trying to really control their Internet and control access to information inside their country. That's a trend that we might have that continues.
And we may see that even in liberal democracies where we don't like what's going on the rest of the Internet and we try to control it. Realistically, it's not going to happen anytime soon. It's far too complex. Too much infrastructure is built out.
And I don't think we put the effort towards it. But, you know, maybe 20 years in the future, that's where we'll be going. It seems so. You know, I agree with you on that.
Now, when we consider, for example, any crippling or, you know, any effect of cyber operation that can disable entire systems, for example, electrical power grids or telecommunication infrastructure, any other critical infrastructure, the entire or, you know, air defense system for any nation's military, then the magnitude of the impact falls within the realm of warfare. I mean, that is warfare. The critical infrastructure is attacked. So what are the legal framework guidelines for such scenarios if there is a system wide attack?
You know, financial system, telecommunication system, you know, military, air system or, you know, electrical power grids. How do nations, you know, go forward, you know, with water on that? Is there any legal framework guidelines for such scenarios? Yes.
So theoretically, in warfare, you are not supposed to target civilian only use. Right. So but I think the way the interpretation of the laws of land warfare have evolved, if you attack the power grid that is supplying a factory that is making weapons, well, that's OK. The strategic bombing programs of World War Two and so forth.
And as long as you try and minimize collateral damage to noncombatants. But the idea that you can attack the entire industry, industrial base that supports the war effort is in the concept of proportionality is critical there. In terms of responses that we have proportional response or we use whatever to minimize the collateral damage to noncombatants. So I think once again, it's it's nice to have a framework.
And I think the current laws of land warfare are the best we have right now as we evolve that. But we've got all those four aspects of national power. And I think the principles that we want to deter further aggression or aggression in the first place using those instruments of national power, I think is critical and keeping it at a minimum is minimum levels possible and proportional level is possible. If a country can only respond with nuclear weapons and so it's either nothing or everything, then that's a bad situation.
So being able to impose sanctions, being able to have countries work together to impose sanctions so that they can be even more effective. That's the kind of thing that I think we need to continue to be able to do. It's the things that we've already been trying to do to deter aggression in our kinetic space. So I think there's more of that.
But I am reluctant right now for us to draw, try and draw bright lines. I think the reality is that most of our policymakers have a thin grasp of the technology. They have been working in it. They haven't necessarily grown up with an understanding of it.
I spent a lot of time working with military leaders and politicians and trying to explain this. And they want to take what they understand about the kinetic world, use it as an analogy for cyberspace. And it's not quite the same thing. And so I think until we get leaders and advisors who have a better grounding in the technology, and can keep up with the rapid changes, that it's going to be difficult to come up with an effective policy.
I don't pretend that I can come up with them. You know, the point where I will throw my opinion in. But it takes a lot of smart people working really hard, I think, to work together to figure this out and try to come up with a framework where we can continue to thrive as a world. And, of course, you know, the easy solution is if we all got along better, it wouldn't be such a threat.
But, you know, probably not going to happen in my lifetime. But it is, I think, important that we keep those diplomatic relationships open, trying to keep those economic ties, try and understand each other and basically reduce those reasons for conducting cyber war. Very true, very true. I mean, the bottom of all these problems is that we all are still working in silos.
There is a need for collective approach, like you said. You know, we all need to not one single person or organization. Can you come up with an effective approach to policy or recommendations? But we have to work together and understand, you know, bits and pieces that we can take from everyone and make it a very secure framework or, you know, very effective regulations, which is becoming very difficult day by day because the technology transformation is so rapid.
So to come up with an effective regulation in a timely manner is looking, you know, very complex. But it is possible to work together, like you said, and come up with effective ways so that we can, if we all work together across nations, then we can work on the real challenges facing the future of humanity because there are a lot more complex challenges coming our way where we need to focus our attention. And we don't need to waste our energy on this useless and unnecessary warfare that is happening in cyberspace because at the end of the day, if we cannot secure the future of humanity, then none of these matters. So having said that, how would you like to conclude the state of cyber warfare today?
And what would you like to tell our global viewers and listeners, especially the young brilliant minds who are getting so, you know, caught up into getting into the cyber hacking and, you know, doing all the crimes? What would you like to tell them? Well, I think, so warfare, we used to say, you know, in the infantry is, you know, seconds of sheer terror, you know, punctuated by hours of boredom. And being on the defense can seem very boring, very tedious.
You know, unlike on TV, you know, it doesn't look that exciting. But the real hard, productive work, security work is rewarding in that we are protecting our digital way of life and our way of life. So we value our liberal societies where we respect human rights, respect the rights of all sexes, ethnicities, and so forth. And that's something that is worth protecting as well as our economic well-being.
And so for people to go into that field, work hard, put their talent and their intellect towards defending this and making it a safe way where we can do the great things that the internet has opened up for us and make the world a better place. That may not be as rewarding minute by minute, but in the long term, I think it's something to be very proud of. Yes, very true. Very true.
I mean, it has given us a lot of benefits and the tools necessary to connect with everyone across nations and do collaborative work, you know, and come up with sharing, you know, frameworks and infrastructure. So that is a great blessing. Only thing is, you know, we have also given tools to these, you know, one-on-one criminals who want to destroy society. I mean, if they can focus their efforts and energy into managing the complex security that's coming towards the future of humanity, that would be more, you know, an effective and efficient way of using their brilliance and their energy levels.
But having said that, thank you so much, Dr. Welch, for participating in this roundup today. We appreciate your thoughtful insight on cyber warfare and our global viewers and listeners who benefit tremendously from the information you provided today and helping raise awareness of this critical topic. We thank you for that.
Thank you for having me on, Jayshri. Wonderful, Dr. Welch. Let's roundup.
A global initiative launched by this group is a security risk reporting for risk emerging from existing and emerging technologies, technology convergence, and transformation happening across cyberspace, equispace, geospace, and space. We have also believed that risk management, security, and peace, they walk together hand-in-hand. Though security is related to management of threats and peace to the management of conflict, risk management is related to management of security vulnerabilities as well as management of conflict, and it is not possible to conceive any one of the three without the existence of the other two. All three concepts fit into each other.
We believe that the security we build for ourselves is precarious and uncertain until it is secure for everyone across nations. Tradition becomes our security, so if we build a culture of managing risk effectively, it will lead us to security and security will lead us to peace. Let's manage existing and emerging risk together. For more information on the listeners, do other listeners on the video or the podcast, please go to risplopilacy.com and do not forget to subscribe and share.
Until next time, I'm Jay Shree, host of listeners signing off. See you next time. Thank you.