Archive.fm

CyberWire Daily

The playbook for outpacing China. [Research Saturday]

This week, N2K's very own Brandon Karpf sits down with Kevin Lentz, Team Leader of the Cyber Pacific Project at the Global Disinformation Lab, and they discuss the recent threatcasting report "Cyber Competition in the Indo-Pacific Gray Zone 2035." This report, developed using the Threatcasting Method, examines how the U.S. and Indo-Pacific allies can coordinate their cyber defense efforts in response to future competition with China. It presents findings, trends, and recommendations based on twenty-five scenarios simulated by a cross-functional group of experts to anticipate and address emerging threats over the next decade. The research can be found here: Cyber Competition in the Indo-Pacific Gray Zone 2035


Duration: 27m
Broadcast on: 07 Sep 2024
Audio Format: mp3


You're listening to the CyberWire Network, powered by N2K.

Welcome to Research Saturday, brought to you by N2K CyberWire. I am Brandon Karpf, the Executive Editor and Vice President of N2K Networks, and your host for today's episode.

A naval cryptological officer doing routine duties offshore in the South China Sea, sort of looking at Malaysia, and there's a vulnerability that has been exploited in a Japanese-installed port crane in Malaysia.

Over the last few years, we've seen a rapid increase in tensions and competition in the Indo-Pacific region, specifically pitting the US and China against one another and each other's allies and partners in that region of the world. We've seen increases in cyber activity launched by Volt Typhoon, the advanced persistent threat coming from the Chinese military and government.
We've seen increased tensions caused by island building campaigns in the South China Sea, and we've seen trade relationships rise and fall throughout the entire region. Our discussion today is with Kevin Lentz, a graduate student at UT Austin and the team leader of the Cyber Pacific Project at the Global Disinformation Lab. They recently published a report on cyber competition in the Indo-Pacific Gray Zone 2035, a threatcasting activity that they ran earlier this year, exploring what the private sector, the public sector, military, government, academia and policymakers can do to ensure that the United States and Western nation allies prevail in a world of growing competition and tensions in this region of the world. And this episode is brought to you exclusively by our sponsor and partner, Keeper Security.

So, Kevin, the reason I invited you on, we got this threatcasting report around cyber competition in the Indo-Pacific Gray Zone 2035. I thought it was particularly important for our audience, obviously given the relevance to cyber competition and cyber security, and then ultimately national security. So, before we dive into this report, though, can you give the audience a sense of what is threatcasting?

Sure, it's a great question because it's not a very well-known technique, but I'll go ahead and outline what it is. So, it is a structured analytic technique, a structured analytic foresight technique, I should say, and this is a bit of a complicated process, but it breaks down into identifying a question, assembling a panel of subject matter experts who can answer the question or provide perspectives on it. Brandon, you were one of those, and it was a great contribution.
And then assembling a few dozen relevant participants at a two-day workshop who will crank out and work on scenarios that look about ten years in the future on the question, and the central premise is imagining a person specifically, which is what makes threatcasting unique, is you're imagining a future person experiencing a future threat in a specific place. So, a person in a place experiencing a threat, and then you sort of ask the participants who break into small groups to build these models so each person that they generate as a model with as much detail as possible. And so, by putting the participants in the perspective of a future human, it kind of personifies things and brings it to a level of detail and practicality that is unique, and so then they create a bunch of models, and then we gather all those models, and on the back end a team of analysts, in this case myself, and some others from the University of Texas and some other schools, and we go through the models and sort of cluster significant findings, things that deviate, and we do some further back end research on context, things like that, and then a few months later we produce a report.

Nice, so it seems like it's a way of developing strategy or insights into a future state of the world from numerous perspectives. When it comes to this specific threatcasting event that you hosted and the report that you've recently published, what was that central question that you wanted to answer?

Right, so the central theme was, as you said, cyber competition in the Indo-Pacific Gray Zone 2035, and the question we were trying to answer was, what can and should the U.S. and Indo-Pacific allies and partners do to enhance combined cyber-defensive operations, sort of mitigate the threats that we're seeing in the future, and, you know, essentially prevail in the competition?

Specifically in Western Pacific or any region of the Pacific?

We took Indo-Pacific writ large, it ended up being focused around, you know, current hotspots, East China Sea, South China Sea.

Got it, so, you know, thinking about what you were saying, some of the outcomes or some of the outputs of this threatcasting, what were some of those personas or those stories and the insights that you and the other analysts were able to extract from this event?

Sure, so one interesting story, and it's in the report. The report's not like a normal report, I should say, up front. There is sort of an exsum at the beginning and normal stuff, but then peppered throughout it, there are sort of these fictional narratives of these models, so one of the models that's in there, I think, is interesting, is from a naval cryptological officer, sort of doing routine duties offshore in South China Sea, sort of looking at Malaysia, and there's a vulnerability that has been exploited in a Japanese-installed port crane in Malaysia. So, you know, it's a complex scenario already, but it's, you know, Asia's a complex place, and so this vulnerability is exploited, and there's chaos in Malaysia, and there are simultaneous information operations that are complementing the adversarial exploitation, and the long and short is that it ends up costing U.S. allies and partners, politically, Malaysia goodwill and cooperation.

Us today and other cyber professionals recognize the potential impacts. You know, we take the most recent event with CrowdStrike and Microsoft, a very relevant analogy that had global implications. You know, to what extent were modern or current companies and technologies considered when you and the other analysts and participants were going through this exercise?

Yeah, so they were, I mean, they're sort of bedrock, right? There's a certain amount of suspension of belief in trying to push the boundaries, but in this case, I think what we came down on is that the parameters of cyber are kind of set in a way.
Obviously, things are going to change, LLMs are going to get better. Fake, fake everything will get a lot better. Yeah, and that's going to hit, you know, that'll hit a threshold where things change qualitatively, for sure. But sort of the use that they are being used for, and the companies producing them are kind of similar. So we, yeah, it was based on current companies and capabilities for the most part.

And, you know, thinking about now that the report has been published and, you know, has a series of these vignettes as well as the contributed reports from various industry experts and analysts. How do you envision the industry, the community, using this report? You know, who is the intended audience? How should people read this and why should they read it?

Yeah, thanks. That's a great question. So one of the benefits of the threatcasting model is that the audience is sort of baked into the process because in a large part, the audience is comprised of the participants. So we had over 30 participants. And these are folks we kind of handpicked and invited from across the spectrum. We had, you know, Intel, military, government, public sector, academia, and then folks in the private sector as well. And so these folks come and they bring their institutional knowledge and experience. And then the report goes, well, the network building and the report and the ideas of the report that they sort of come up with inherently go out with them. And they're sort of the first tranche of recipients of the final report. So they're sort of the front lines. And then beyond that, the report is intended to influence policymakers in this area, as well as practitioners, and that's broad. But it is, I think a pro and a con of the report is that we decided not to tailor specifically to a single institutional actor. And so we get, you know, we got a lot of interesting results from that. But I think as well, the report is intended to hit a broad audience.

And, you know, thinking about the audience that we're speaking to right now, you know, probably about 20 to 30% are somehow associated with government defense technology or what have you. But that leaves another 70, 80% of this audience who are primarily private sector. How can private sector use this type of modeling, this type of narrative storytelling, or this exact report in their own efforts, furthering the pursuit of cyber security?

On the one hand, the private sector uses, you know, threatcasting model a lot more frequently than the public sector does as an aside. It was developed in the private sector by a guy at Intel who sort of developed it in-house and used it, and then he spun it out, and sort of where that came from. So the public sector, or rather private sector, this would definitely benefit them in terms of thinking about risk, because that's sort of the big thing nowadays is, you know, where do you make your investments when, you know, we're on this knife edge type situation, and it's going to persist for a decade. So that's on the one hand, and then on the other hand, as you said, is the private sector cyber security industry is huge, and it's only growing, and it's only going to grow most likely, if I had to guess, you know, that's a safe bet. And so I think there exists massive capabilities, and this is one of the findings in the report, is sort of like private sector, end up calling them kingmakers, because they have the scale and the capability and the speed and the efficiency and everything to make, make or break efforts in cyber. But maybe it would help for them to read it, to sort of think about how to approach and tell the narrative of their companies and their interests and tie that into the broader national, strategic national security picture. So that's a bit of a vague answer, but hopefully it gets over-tracking.

Well, to all of the cyber security king and queenmakers out there, we do report them.
It sounds like there's some valuable information in there for you and the way that you can influence. All right, we're going to take a short break, and when we come back, Kevin and I are going to dig into the key findings and his recommendations from the report. We'll be right back.

So, Kevin, I want to give you an opportunity to cover what were the key findings from this report? We really like to understand the major takeaways.

Yeah, I'll hit the key findings and then also the recommendations, which is only three. But findings-wise, we had four. And the first one is that this idea that third-party cyber, we end up calling kingmakers, queenmakers, like we were just talking about. And these are folks and institutions and agencies between the two major contestants right now, US and China, for, you know, unfortunately, as weight is. But there's these two groups of kingmakers, on the one hand, that can sort of make or break these efforts that are going to be central to working with and organizing and balancing to make anything happen. So, on the one hand, you have technological ones.
And these are the companies, the cybersecurity industries, but also the infrastructure providers. The folks actually building the cables, the platforms. They're, you know, de facto sovereigns in terms of making law-adjacent decisions on what stands in the information environment, for example. So, you have all those in one bucket, and then the other one is the political one. So, thinking here of Southeast Asia, you have this constellation of extremely fast-growing, young developing countries with sort of a multi-alignment strategy, because they're reaping benefits from both sides of this competition from our perspective here. And they'll continue to do that, and that's great. You know, it's a win-win situation as long as things don't spill into conflict. Right, yeah, of course. But that being said, you know, a country like Indonesia, for example, Vietnam, making a strong stand, this seriously shapes the strategic environment. And so, that's one thing.

Second finding: fragmented regulatory authority is going to continue to compound regulatory lag. So, that's a slightly convoluted, but a simple idea is that there's a legal and political, legal and policy gray zone, right, in terms of who's in charge in cyberspace. So, because it hits us kind of right in the intersection of all these different authorities. It's a domestic legal problem. It's crime, a lot of cases, like crypto and ransomware and everything. Right. But then it's being launched as part of an international campaign by an adversary. So, who's in charge? We don't really know. And so, you have CISA, for example, but that's a young organization. They don't necessarily have all the capabilities and authorities they need. And so, more established actors are stepping in and the picture is just getting very complicated. And the example we pull out here is cybersecurity incident reporting laws, or lack thereof, there's all these different laws. Every state's got one.
And there are multiple federal agencies that have decided that they have the authority to make a new law about it. And so, they have, and then courts are involved. So, it's a messy situation, will continue to be messy.

Third finding is that irregular strategic competition between the US and Chinese Communist Party is going to set the overall parameters for the use and development of cyber power. And so, this is basically just trying to underscore the idea that conventional deterrence will hold for the most part. Like, we assess that it will. And if it doesn't, you know, we've got other problems. Yeah, we've got a lot of other problems. We're not going to be on a podcast talking, you know, a different situation. Right. So, the, you know, assuming conventional deterrence holds, we're going to be in this situation that's a lot, it resonates with the 50s. And this sort of is another theme of the report. We've kind of been here before. The idea of the gray zone actually first gets coined in the 50s. So, it's an old problem, but we're going to have this sort of irregular warfare type situation without the warfare. So, you know, it's going to be a dirty tricks, sleight of hand and subtlety or lack thereof in this gray zone. And that will persist. So, that's sort of, and it's, you know, the major two contestants are the US and Chinese Communist Party.

Sure, sure. And then how about the, you mentioned there were the key takeaways and then recommendations. So, what were the key recommendations?

Yeah, recommendations. First one, it was unexpected, but very interesting. And that's that the US should develop and operationalize a distinct cyber economic trade and development strategy for the region. Oh, okay. Right. So, you know, we have in the US, we say cyber is a functional thing and the Indo-Pacific is a regional thing. And so, we go at it from these two different perspectives. But if you combine them, you know, cyber and cyber security is a different thing.
Cyber security is a development problem. This is computers, computer networks. These are expensive. They require electrification. They require all these things that we take for granted in the US, but much of the world goes without or is in the process of developing. So, there are efforts underway in the Indo-Pacific economic framework to sort of like tack on cyber security as a sort of afterthought. But they should be more centralized because cyber space is a unique domain in that we're literally building it. And so, who builds it? The rules they set when they build it, you know, configurations, this whole thing make the literal space of cyber space. Yeah. So, we can make we can have a permanent uphill battle or we can have like a level playing field office. We would want the latter.

Second recommendation is to rebuild and re-center political and information warfare capabilities for the cyber competition. Cyber today, we will probably talk about in five ways. The same way we used to talk about digital economy. It's redundant. The whole economy has become digital. There's not like a separate digital economy now. So, our cyber problems are just our regular political problems. And so, in terms of developing, being competitive in the space, it's going to require the government to speak with a single voice consistently and hit on norms we want, behavior we want, this kind of thing. And it's, you know, it's something that we lacked historically. We still lack and so we still need to develop it.

And then the final one is this idea that we should work with allies and partners to develop an Indo-Pacific cyber and conventional open access intelligence clearinghouse. In a permanent save crisis, we're sort of tap dancing on a red line in the South China Sea all the time. That's going to continue that sort of cat and mouse, but it's a situation where if country A doesn't have a clear idea of what happened in event X.
Involving these two countries, you know, country B in country C or whatever country A in country B, that increases the space for miscalculation, misunderstandings, sure. And the intelligence apparatus and the way that it is organized and disseminated, it's hard to get certain data and certain information out there. If it's classified in the US, you know, we have an institutional culture of sort of going alone, not sharing with allies unless we absolutely have to, we've got to get faster at it. And, you know, the sort of takeaway here is like, maybe we should just circumvent this whole thing alone. Or circumvent it altogether, right, and build up a way to share this sort of, you know, imagery, radio frequency, this kind of information from the ground up, because going through institutional reform and change long process, difficult process. So those are three recommendations, Brandon.

Truly the hacker way, break down the problem into its constituent parts. And why don't we just rebuild the whole thing.

There you go. Yeah, exactly.

Well, the report is a threatcasting publication, Cyber Competition in the Indo-Pacific Gray Zone 2035, published by the Army Cyber Institute and the University of Texas. We will have a link to that report in the show notes. And Kevin, so great to have you on. Thank you for filling us in.

Brandon, really appreciate you having me on.

And that's Research Saturday, brought to you by N2K CyberWire. Our thanks to Kevin Lentz, team leader of the Cyber Pacific Project at the Global Disinformation Lab, for joining us. The research is Cyber Competition in the Indo-Pacific Gray Zone 2035. You can find a link and additional resources in the show notes. We would love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. It really does help.
Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. This episode was produced by Liz Stokes. We're mixed by Elliott Peltzman and Tré Hester. Our executive producer is Jennifer Eiben. Simone Petrella is our president. Peter Kilpe is our publisher. And I'm Brandon Karpf. Thanks for listening.