Monday Brief for 10 May 2021
A tough Taiwan question; Big Brother is in Moscow; & DoD expands its bug bounty program
A Tough Taiwan Question
What’s New: While on a panel recently, I was asked, “If you were the US National Security Advisor and China was invading or preparing to invade Taiwan, would you advise the President to use military action to defend the island?”
Why This Matters: This may not be a hypothetical for long. There is growing concern among defense and national security leaders that China could take coercive — possibly even military — action against Taipei in the near- to mid-term.
Key Points:
The question was posed to a panel consisting of myself, two experts who have forgotten more about these issues than I will ever know, and a representative of Taiwan’s government.
The government representative got a pass (obviously) and the other two panelists were decisively in favor of advising military action against China.
I was less sure, saying, “I don’t know … I would want a military and intelligence briefing on our vulnerabilities to Chinese reprisals because I’m working from the presupposition that we are catastrophically vulnerable — particularly when it comes to cyber.”
This answer left some in the audience surprised, others pleased, and still others confused.
What I Was Thinking:
No one was being cavalier. It goes without saying (but I’ll say it anyway) that my two colleagues who advised military action were not being rash and they too would have ordered a vulnerability assessment and planned accordingly. They are both serious scholars and practitioners who have coherent and compelling reasons for their preferred course of action.
Nor am I indifferent or ignorant. Likewise, I have a deep appreciation for the plight of the Taiwanese people and of the nation’s geostrategic importance to American interests. It is also undeniably true that it would do immense damage to American credibility and alliances if the US failed to defend Taiwan. For these reasons, I’m inclined to equip and to defend our friends.
But, there are reasons for caution. First, Beijing is a nuclear power. The US has never squared off against another nuclear power in a direct shooting war — and the prospect of doing so forces you to ask, “Am I willing to risk human civilization over this?” Second, I’m inclined to believe that a military operation to repel a Chinese invasion of Taiwan would likely escalate very quickly, making strategic miscalculation on both sides more likely. It doesn’t help that I just finished reading Elliot Ackerman and ADM(ret.) James Stravidis’ 2034: A Novel of the Next World War. Third, I have questions about our capacity to militarily achieve this objective. And, fourth, we are catastrophically vulnerable to Chinese reprisals — especially in the cyber domain.
Yes, I think we could technically repel a Chinese invasion — but at what cost? I say “think” because there are at least three asymmetries here — of stakes, distance, and time — that really matter. As important as Taiwan is to the US, in the mind of the Chinese government, this is an existential issue of national sovereignty and credibility. Beijing will be all-in. Also, when it comes to proximity to the battlefield and the ability to act quickly, both advantages go to China. This, coupled with China’s formidable anti access/area denial (A2/AD) capabilities, gives me pause.
Our digital threat surface is a known vulnerability. Multiple US Presidents, Secretaries of State, Secretaries of Defense, Directors of National Intelligence, and others have publicly testified and commented on China’s existing capacity to shutdown large swaths of our critical infrastructure. This means more than just a lack of natural gas or water for a few days. It means our “just-in-time” economy comes to a grinding halt which then leads to cascading failures in essential services and operations. It is also true that, if the CCP was so inclined, it could take more aggressive cyber actions that could do even more damage — including wide-scale loss of human life.
I’m arguing for resolve, not resignation. Lest I be misunderstood, I do not believe the US should simply say, “Oh well, it’s too hard and too risky. Sorry Taipei!” I’m saying that, in light of the above thoughts, I’m not sure what course of action I would advise today in the face of an impending Chinese invasion of Taiwan. But, thankfully, this is still a hypothetical and we have time to change many of these variables. Most fundamentally, though, my key message is this: US strength and influence are not inevitable. They are the result of deliberate planning, decision-making, and investment. We have grown lax in these disciplines and the consequences are stacking up. This must change.
Shocker: Big Brother is Watching in Moscow
What’s New: The Russian government is using a facial-recognition camera network to identify and detain political dissidents, reports Bloomberg.
Why This Matters: Originally deployed to “enforce quarantine restrictions, catch criminals and even let [citizens] pay subway fares,” the video system is now being leveraged against anyone opposed to President Vladimir Putin.
Key Points:
More than two dozen people were identified by the system and arrested last week after publicly protesting Moscow’s detention of Kremlin foe Alexei Navalny.
“The authorities are changing their tactics: they’ve become smarter, more repressive and more selective,” said Tatyana Stanovaya, the founder of political consultancy R.Politik. “Participants are tracked through security cameras, facial recognition systems, social media activity, and phone billing.”
More than 1,800 protesters were detained last week, with many of them being arrested at their homes after the city’s facial-recognition cameras tracked them returning from the event.
“They use various techniques but they have one goal: intimidation,” said Mikhail Biryukov, a lawyer who represents several of the detained, including Borzenko. “Creating uncertainty over when they might come for you can be a better deterrent than using violence.”
What I’m Thinking: We’re entering an era of super-empowered authoritarians. I suspect, that for some, this will shorten the distance between peaceful protest and violent opposition. Every action has an equal and opposite reaction (in politics too).
DoD Wants a Bigger Bug Hunt
What’s New: The Department of Defense (DoD) is expanding its Vulnerability Disclosure Program (VDP) to include all public-facing defense websites and applications, according to Bleeping Computer.
Why This Matters: The VDP allows security researchers to look for and to report cyber vulnerabilities in DoD information systems and was previously limited to just a few websites.
Key Points:
Before the VDP, ethical hackers had no formal mechanism for warning DoD about vulnerabilities.
Since its establishment in 2016, however, the program has resulted in more than 30K reports, with more than 70% of them including validated bugs.
Working with the Defense Counterintelligence Security Agency, the Pentagon’s Cyber Crime Center — who manages the VDP — also launched a 12-month Defense Industrial Base Vulnerability Disclosure Program pilot in April.
"The expansion of vulnerability research to participating DoD contractor networks replicates the DoD's success by making participating DoD contractor networks available for vulnerability research," DoD's Cyber Crime Center explains.
What I’m Thinking: This is good progress. It’s yet another validation of the crowd-sourced bug bounty model and DoD continues to effectively modernize its cybersecurity posture. While there’s plenty of work left to do, these improvements deserve recognition.
Quick Clicks
That’s it for this Monday Brief. Thanks for reading, and if you think someone else would like this newsletter, please share it with your friends and followers. Have a great week!