Cyberspace Wars and Other Musings - with Bobby Chesney
This week on the podcast Bobby Chesney, James Baker Chair at the University of Texas School of Law, and co-founder of the awesome Lawfare.com blog and co-host of the National Security Law podcast, joins us for a discussion on all things cyber legal policy and regulations - and it is fun! We chat about the recent Viasat satellite hack that served dual-purposes for military application and disruption of industries (for example, impacting wind turbines!).
He also shares his perspective on cyber versus kinetic attacks, cyberspace wars, space law vs maritime law parallels, and the geography of cyber. Want to learn more about cyber law and policy? Check out Chesney's free eCasebook on Cybersecurity Law, Policy, and Institutions here.
Cyberspace Wars and Other Musings - with Bobby Chesney
[01:46] Why Are We Not Seeing the Cyberspace Wars We’re Expecting?
Rachael: We have Bobby Chesney joining us today. He holds the James Baker Chair at the University of Texas School of Law. And I also want to mention he's a co-founder of Lawfare Blog and he co-hosts The National Security Law Podcast. So we are going to have an amazing conversation today. Why don't we start with Ukraine. Because it's everywhere.
I was, I was reading some articles and one of the things that has come up a lot on the podcast is why aren't we seeing more of the kind of cyber space wars that we would've expected? And you had a really great perspective there on terms of kind of the physical elements of conflict versus the cyber conflicts. And I'd love for you to kind of talk a little bit about that.
Bobby: Sure. So a lot of people expected that when the ball dropped over there that we'd see both a visible amount of combat-related cyber activity. Which let me just pause on that and say that it was probably not realistic to think that insofar as a lot of things were going on with direct combat application, that it would be visible to the outside. But more to the point, a lot of people expected there to be a lot of spillover, impacting systems.
Elsewhere, presumably Europe and the United States. And famously, we haven't seen visible outward signs of this and so there's been a whole discourse about why is that? Is this deterrence? Is deterrence working? Was there less capability than we thought? Are we just not seeing it? Some people said, "Well, you don't know what you don't know."
A Complex Game of Back and Forth in Cyberspace Wars
Bobby: I think it's only fair to sort of note that DoD through cyber command has been building and expanding its capabilities to defend forward precisely in order to see possible activity of that kind coming towards systems that we need to protect. And if possible, disrupt them. I'm not saying that it has or hasn't happened. But it's one possible part of the story is that maybe we've been effective at doing these sorts of things we said we were going to try to do.
But I think probably the bigger part of the explanation is that it's a complex game of back and forth with some amount of things the west that we're doing that greatly frustrates the Russians, no doubt. They are trying to calibrate their response back to us, but there's more that we could do. And it clearly would not be cost-free. Therefore it would not necessarily be wise for the Russians to escalate things by seeking practical, disruptive effects on say, one or more sectors of our economy.
There's no question that this would be dramatically escalatory and there's all sorts of things we're not yet doing that could cause them further problems. And so I think probably the best answer is a degree of deterrence and also just a lack of interest on the part of the Russians in taking that further step. It's not obvious what that would get them. It would be unrealistic for them to think that by going after say our financial sector, that somehow that would cause us to back down on sanctions. As opposed to enhancing the extent to which we're aiding the Ukrainians. So I think it's a big part of it as well.
Is There Deterrence in Russia-Ukraine Cyberspace Wars?
Eric: I think that deterrence piece, is the component. I can't understand why they haven't done much of anything other than that, right? That hey, it's already bad enough on the sanctions, we would make it worse. For me, Bobby, it's you would've expected them to do it. It's almost like we're forecasting we expect them to do it with CISA's shields up and all the notifications we've put out there without any kind of threats or promises of retaliation. Specific, anyway. I think you're right on that. I just don't get it.
Bobby: Well, it helps to think about what else might we be doing? So famously we got anxious when the Poles were going to transfer aircraft to the Ukrainians and the idea was we would backfill to them. That seemed to cause us to have a bit of a hesitation, shall we say. There are air defense systems, there are weapons systems. There are forms of support that we've not yet provided. There's a lot of debate up there about, both in the United States and you hear this in France as well, why aren't we taking certain steps?
Sometimes people couch it in legal language, like, if we go one step further with the types of weapons we're providing or the types of intelligence we're providing, does it make us a co-belligerent? Maybe that's causing friction in some places. I think it's more the calculus of escalation.
And you might say, we seem to have reached almost from the beginning, an equilibrium point. There were certain weapons that were being provided and there were certain pressures being provided. If the Russians were to take a disruptive step, it would cause us to be much more generous in what we're doing, I'm sure.
Russia Did Not Expect the Solidarity from the West
Bobby: And conversely, if we were to take a step putting in place, let's say we started just directly providing fighter aircraft to the Ukrainians. Something that the Russians themselves have identified as a red line and presumably conveyed as a red line, then what's the coercion behind that? The coercion is okay at that point, we will start to use disruptive cyber means, and you'll try to fend it off but it's going to cost you.
So again, I think we've reached something of an equilibrium. What's fascinating about all of it. And this goes to the broader question of how is it that the Russians are proving to be so ineffective. What's fascinating is that they're kind of getting their head handed to them. And part of that is the support that's flowing from the west and the Russians seem to have not been prepared for that degree of solidarity, to borrow a phrase, on the part of the west.
Eric: Well, we've seen it in Syria. We've seen it in Serbia, you've seen it in Georgia. Everywhere, right? Where the west did not join together, come together as well as the west did here.
Bobby: That's right. To go back to the cyber piece of it, there's just a vast amount of activity, surely taking place across all the allies, across NATO and others, all directed towards understanding what the Russians might be trying to do or might be positioned to do in cyberspace and to de-fang that and into spot it coming. And I think we're probably seeing a lot of benefit from that.
Eric: Would not argue with that.
Will There Be a Fallout for the Hacking Army That’s Helping Ukraine?
Rachael: So another thing that we haven't talked about in a while, or this aspect of it, and since we have a lawyer on the podcast, Eric, I want to raise it up.
There's been a lot of calls for illegal activity if you will, on the hacking front. A call for the volunteer, the hacking army, and vice versa. Historically we know, right? There's not a lot of repercussions for said activities in certain countries, but is there going to be any fallout from that? I joined the volunteer hacking army to help Ukraine. Am I good to go, or should I be worried later?
Bobby: So look, you see the loose grip, let's back up, right? So the philosophers would say that the whole identity of the government is having monopoly on the course of means, on the means of violence, Weber said. There's all sorts of ways in which the cyber domain challenges the control of states. This is as old as the internet itself. In fact, that was sort of the philosophical attraction for so many people, right?
So now you have a situation of warfare where you would think, of course, the state parties involved control everything. But it's not so easy, it's not so simple. Because one of the features of the cyber domain is its accessibility. So on the Russian side, perhaps with great encouragement, or even more than encouragement from authorities. But perhaps also in a self-generated sense, you've got a lot of talk.
So far, not a lot action, but a lot of talk from especially some of the ransomware crews. Revol in particular, having kind of hosed itself by getting out over its skis without accounting for the views of its Ukrainian crew members, but that's a whole another topic.
Don’t Do Anything Illegal
Bobby: So there's talk about these non-state actor entities perhaps going to bat for the Rodina. And then on the other side, you had Ukrainian authorities urging whoever can get to their keyboard, here's a list of Russian targets, please go take unspecified, disruptive actions against them.
So were giving legal counsel to some American friend who wanted to do a little bit of hacking or other fun stuff, targeting something on that list. The first thing I'd say is the Ukrainian government doesn't give you any authority to violate the computer fraud and abuse act in the United States. So don't do anything illegal from the US perspective.
Does that mean you'd be likely to be prosecuted if you did manage to pull off some sweet hack that went after an appealing Russian target? I don't know, that's prosecutorial discretion. But most people of sound judgment, don't commit illegal acts just trusting that well. Hopefully that won't turn out to be held against me and pursued at some point, that just seems unwise.
So the other interesting legal issue that's raised by that list, there was a lot of civilian stuff on that list that went out when, when it first got attention. We have a situation of armed conflict. The law of armed conflict applies. And that means the principle of distinction between, at the human level combatants and civilians, and at the object level, things that are militarily useful and things that are civilian objects. Now you've got dual-use stuff. One of the most interesting early cyber stories coming out of the war has been the attack on ViaSat, the satellite communications company.
[13:23] A Dual-Use Scenario
Bobby: I am no expert. I have no insight information on any of this, but just from some of the stuff I've read. I gather that there is at least some plausible reason to believe that ViaSat communication links were important for some of the Ukrainian drone capabilities. Which raises the distinct possibility that this is a dual-use scenario where yes, it's a civilian system in some senses, but it has a military application.
We don't need to get into the weeds about how you resolve that. But that makes it at least possible from a principal distinction perspective, a legitimate use of military capabilities. What about all these civilian targets that the Ukrainian authorities encouraged the foreign legion of hackers to go after? Some of them might have that quality? My loose recollection is there were also a lot of just significant business targets.
The sort of things that might be subject to sanctions to create pressure. But to actually carry out destructive actions against them raises more than just computer fraud and abuse act problems. It needs to be thought of very carefully. If you're going to do it, if you're going to do some hacking on behalf of Ukraine, needless to say, I'm not objecting on moral grounds. I'm just flagging your legal exposures because that's what we lawyers do.
Eric: Now, if I were a Ukrainian citizen though, I've got the authorities from my government. Right?
Bobby: Right. So that starts to get interesting. It obviously largely eliminates the practical concerns of what about local law enforcement prosecuting me for whatever the Ukrainian equivalent of the computer fraud and abuse act is. Right, obviously that's not going to be a problem.
The Consequences of Participating in Cyberspace Wars
Bobby: Nothing that any government can do can erase the fundamental line between civilian objects and military targets. And so you still need to be mindful. There's a question there about whether what you're doing would count as an attack in the law of war sense. Not in the lazy way in the media where we talk about a computer network attack or something like that. But specifically, is it an armed attack of the kind it obviously would be if you were blowing something up?
Well, you've just got to be careful there. There's a lot of debate about when computer network activity can count as an attack including in this particular sense. If what you're achieving is the practical equivalent of destructive effects, then you're in the ballpark and you need to be concerned about this. If you're denying service, if you're DDoS-ing something, I think that's less of a concern.
Obviously if you're just engaging in collection of information, if you're gaining access but you're not destroying things or disrupting things, that's less of an issue. Less likely to count as an attack. Again this is all hypothetical. Like Oliver Wendell Holmes Jr. said, the question is not so much what the law is, but what are you likely to be held accountable for? What's the consequence going to be?
So if you're fighting for your life in your homeland in Ukraine right now, these concerns are so far down your list of things you need to be worried about. That I wouldn't suggest to some Ukrainian that they need to back off because of these types of considerations. But again, if you're just asking, what's the academic answer, these are the types of considerations you've got to factor in.
Cyberspace Wars Involving ViaSat
Eric: Yes, no, that's a good point. I want to go back to the ViaSat comment though, because we've been reading a lot about it lately. It's probably the most well-known attack coming out of this conflict or war. ViaSat's an American company, right? So they ruined, I don't know how many thousands of modems in this attack. They definitely took some Ukrainian assets offline or capabilities.
But our buddy JAGs from SentinelOne who put the report it out last week, last week being I think April 1st or so. The 31st of March, maybe. When they analyzed it there were 5,800 wind turbines in Germany impacted, right? People across the world who were using ViaSat's capabilities were impacted by this acid rain wiper.
So it is Bobby, one of the first attacks of the conflict we can attribute back to somebody related to the conflict. I don't think anybody's done any attribution to Russia. I don't know that they ever will, but it's definitely a wiper that impacted Ukraine operations, but through an American company. And I'd love to hear your thoughts on that.
Bobby: Yes. I think you're right that there is a bit of a Rubicon crosser. Or a precedent setter there with respect to the geographic dispersion of what amounts to collateral damage. So let's assume for the sake of argument, let's put the best face on it from the Russian perspective and assume that the motivation for the attack was based in military necessity. It had to do with disrupting command and control links that were militarily relevant. So it was a legitimate object sort of in the abstract. Then there's questions about the impact of the attack on pure civilian uses and on enterprises and other systems located elsewhere.
Spillover Impacts of Cyberspace Wars
Bobby: Like the wind farms you mentioned. Prior to the cyber domain being an operational realm, when you're talking about actions taking place in physical domains with kinetic systems. Sure of course, we've always had spillover impacts, this is why we have the topic of proportionality and attack. Where you have to balance the expected military benefit against the anticipated civilian cost and weigh these imponderables about whether it's all sufficiently justified.
But one thing we never really had was a significant, not just cross borders, but just cross globe sort of spillovers at scales and distances that you wouldn't even consider before. Maybe the closest you could get might be some notion, like, I think about Saddam. This isn't a great example, but Saddam during the Persian Gulf war, I recall set fire to the oil fields.
Eric: Right, as we retreated.
Bobby: Yes, exactly. And there was a huge environmental degradation effect that spread pretty broadly and wasn't confined just to the local region. So you could kind of have scenarios like that in past conflicts. But here you've got presumably a militarily motivated use of a capability for destructive effect in theater. Eric, as you say, that had significant destructive spill of effects on entirely unrelated, purely civilian, incredibly distant systems elsewhere.
So that raises, the law's not designed to speak directly to that unique scenario. We're going to start thinking about that. But to take a first pass at it, the first thing to note is, okay, so there's been a destructive effect in Germany. So this implicates the UN charter and Germany's rights as a sovereign, and it raises questions. For example, should you analyze this as a use of force in international affairs?
Think About the Broader Implications of Cyberspace Wars
Bobby: And as soon as you say that, you've got to pause and say, okay, I don't know what the answer to that question is off the cuff. But what I do know is that if we're going to talk about uses of force and violations of the UN charter, Russia has engaged in the war crime, the mack daddy war crime of aggression against the Ukrainians to start with.
So it's kind of almost only of minor academic interest at first blush to talk about the impacts on Germany as well of this comparatively minor thing. It's got to be said. But again, we have the privilege of sitting at this distance thinking about it more abstractly. And part of what we can do to add value is to think about what are the broader implications?
I think it does matter that some of these tools do in fact prove to have downstream impacts that are way removed from the battlefield. It's problematic. Now the Russians famously, historically have never cared about these collateral impacts. And you look at some of what GRU has reported to have unleashed on this planet, billions of dollars of cost and impact and all.
Eric: Right, like NotPetya, and on and on.
Bobby: Yes, especially NotPetya is just the most, vastly worse than what's happened to the German wind farms here in terms of its scale. But all of it is a reminder of what everybody in the industry knows. Which is that some of these capabilities will not have confined effects. Other ones are going to have exquisitely and purposely confined effects. But you've got actors out there, and the Russians are the leading example even before this. Actors who don't care a lot about the spillovers.
Bobby: If it will get them what they want as their main object, the spillovers are irrelevant. The legal considerations clearly irrelevant to all of their operations, let alone this. This is nothing compared to the actual murders and rapes and other things that are now being reported.
Eric: How would you think about it differently if they used kinetic weapons to take the satellites out of the sky?
Bobby: Yes. That's the intersection.
Eric: Right? Destroyed some modems. We had physical damage.
Bobby: And this is something that the issue of space security is looming so large for us now. It's got a direct cyber dimension as this illustrates, but there is the more permanent way of disrupting these systems. And we know that the Russians have capabilities, we know that Chinese have capabilities. Both of them have endangered all space operations by testing and using these capabilities. Creating clouds of incredibly dangerous space junk to add to our space junk problems.
It is easy to see that the future, when the ball drops in a peer-to-peer competition, if and when we ever get to that point It is not hard to imagine the rapid deployment of kinetic capabilities in space from an anti-satellite perspective. Alongside with attempts to achieve the same effects through cyber means. And, space force is, I believe on task and more aware than anybody that our constellations are incredibly vulnerable.
But it's one thing to recognize the problem, it's another thing to solve it. And when you talk about such incredibly physically fragile mechanisms, I think actually our chances of defending them from a cyber attack seem much more plausible than defending them from a really motivated physical attack.
[24:24] A Different Line to Cross
Bobby: Because at the end of the day, physical contact at a small scale but high velocity is all it takes to take these capabilities out.
Eric: But you think there's a difference, right? So acid rain destroyed modems, which had to be replaced, physical destruction there preventing communications. But a physical attack on a satellite, that's a different line to cross.
Bobby: I think you're putting your finger on something really important. We're talking about whether and when a government, let's say the United States would treat something as either a policy or a legal red line, perhaps both. That would trigger some, if not outright full-scale intervention in the war. Some leveling up to a level of support or engagement in the conflict that's beyond what we're currently doing, which we're already doing quite a bit. But we could do more.
From a legal perspective, we can talk about it. Does it count as an arm attack against the state, a use of force? And in all these settings, whether we're talking about the political slash policy analysis, or if we're talking about the abstract legal analysis, I find that most people have an intuition that something about the kinetic realm makes it easier to say, yes, more likely to say yes.
Eric: I think it's tangible, right? You can feel it.
Bobby: Yes, even if the effects are identical in terms of the functional practicality, it's the visibility, as you say, the tangibility. Maybe it's just human nature, but we tend to weight that more because that's how we've always defined that sort of attack and that sort of trigger. So physical destruction, yes is more likely to lead whoever the relevant decision-maker to say, "Okay, that red line's been crossed."
International Cyber Policy
Bobby: But that doesn't mean that it has to be physical. And if the practical effects achieved through cyber means with no visible physical damage, nonetheless are sufficient. That ought to at least create the possibility. But at the end of the day, it's always a judgment.
You think about the Iranians after Stuxnet. Reportedly the United States and Israel achieved really remarkable physical effects through cyber means. Could they have loudly announced this categorization, that line crossed? Plausibly, sure. But does that mean it would be wise to do so? No, probably not. And that's obviously the judgment they made. They decided to proceed in quieter ways in response to that.
Rachael: Yes. Well, it kind of opens up this whole window though, right? The cyber realm, we're kind of peeling back this onion, right? More and more, day by day, year by year. From a legal standpoint, how do we ever get a handle on this thing?
Eric: Are you talking international cyber policy that people adhere to Rachel?
Rachael: Well, sure. Among other things.
Bobby: Well, the first thing you've got to say about this is you have to be realistic in assessing what the international law and the international norms frameworks. Both now and in the future would really mean for the United States versus what they'd really mean for Moscow and what they'd really mean for Beijing. And I will not be persuaded that they mean the same things across these different capitals. Which does not mean that therefore, the United States and NATO countries, and FVEY's allies, et cetera. It doesn't mean that we should therefore not want there to be rules of the road. We do want there to be rules of the road.
International Normative Principles
Bobby: But we need to be clear-eyed and honest about what those rules of the road are going to mean for us. They will be constraining to some extent for us. They will not be constraining for Beijing and Moscow. So that's a starting point.
Related to that, there's been a generation's worth of debate about trying to create if not international law, at least international normative principles. Not law is the key phrase there. Not law, but things that people say really ought to matter.
There's been a ton of debate and a ton of process trying to get to some precise point that would, for example, perhaps say that you shouldn't put implants into the grid. Or you shouldn't put implants into the financial system. Let alone take these systems down, or the water system. The nations involved in this process got pretty far as long as the level of generality was pretty high.
But as soon as it got down to brass tacks, divergent, national interests emerged, and no agreement was reached. And that wasn't to create a treaty that actually had the force of law, that was just to identify norms people could agree with. So those efforts continue. The United States is leading one effort at the UN. The Russians are leading a very different one with all the authoritarians sort of in their corner on that.
I think it's great to keep that conversation going. We should hope for it, but we should be realistic. I do think it's valuable for rule of law nations of wherever they might be, whether they're military allies or not, those nations that do believe in the rule of law and the growth of space for online commerce and all the good things.
We Don’t Have Peace Time Rules
Bobby: To try to form the agreements that they can. And so that sort of dialogue, the dialogue of the willing, that I think is a more promising space. But just note that all of this stuff is talking about separate from warfare.
With warfare, we've got the laws of war, they're not written in domain-specific ways for the most part. Yes, there's some of that. But the principles of distinction and proportionality and all the rest, they're there for use in this setting. And so I wouldn't want listeners to think that in an armed conflict setting, like we just have no rules and we've got to get some rules.
What we don't have are our peace time rules. And we've got all this gray zone activity, all this below the threshold of armed conflict activity. That's been going on for a generation where nations mess with each other, sometimes in pretty harmful ways. And especially engage in a lot of prepositioning of implants so they can hold each other's vital systems at risk. And that is a scary world to be in.
Eric: Yes, it's interesting last week. I don't know what order the recordings will come out in. But we had Michael Daniel on the show from the Cyber Threat Alliance. We were kind of equating the laws of the sea to how laws of cyber need to mature and form over time. We had hundreds of years on the laws of the sea, though. Bobby, I'm not suggesting you're a maritime expert, but would you agree with that parallel? Or, eh, maybe, maybe not? Because we have to trade openly.
Bobby: A little bit because it's a commons. So space, sea, undersea.
The Law of the Sea
Bobby: And high atmosphere. Yes, you've got all these places where human beings can cause effects that are in some senses, always with caveats especially with cyber, in some senses, not national territory. Now again, that actually is maybe where the cyber analogy breaks down a little bit because the infrastructure is somewhere. Yes, sure, we got pipes under the sea, the wires and such and some of it's bouncing up to the satellites and down again. But the satellites themselves are national vessels, national properties.
The servers are by and large all sitting on someone's territory. So there is a geography to it and people tend to overlook it, but people in industry understand there's geography to this. There is real sovereign concerns all over the map with it.
I guess what I come back to is this, when it comes to developing international law, one lesson from the law of the sea example is you can, with enough effort and enough good will, you can craft rules that help all of us be better off.
But also witness China and its unhelpful approach to the law of the sea rooted in its perception of its national interest. In all things international law, the nation's pursue their national interests. Whatever they are saying, they pursue their national interest.
And that suggests that when the national interests don't seem to align on what the rules of the road ought to be, then you have to have modest expectations about how much the legal framework's going to say otherwise.
Eric: Okay. I think that's very fair. I do think the law has to mature. But I'm with you, each nation will take advantage of it to the extent possible in their self-interest, in their best interest.
One Long-Term Consequence
Eric: Although I don't know that wasn't the case back when we were putting down international law in the sea. If the United Kingdom had the biggest Navy, they probably had a pretty voice compared to the Congo or someone else.
Bobby: I guess it connects up to this question of the best position to influence things, what is it they're trying to accomplish? We have this multipolar world now in which China has these capabilities. A tremendous part of what could happen is not going to happen if they are not seeing the national interest in it. The Russians are sort of a more of a spoiler player. They shouldn't have the voice that they do. But they've always played their hand to an outsized degree and punched above their weight and we're seeing the limits of that now. Thank God, finally.
It could be that one long-term consequence. Who knows what's going to happen with Ukraine. But if you're an optimist, you hope you see the beginnings of real cracks in the edifice. Maybe even the ultimate demise of the Putin crime family. If, and when that demise occurs, is it too much to hope that maybe at some point we see Russia swing back into a constructive participant in world affairs? That would be awfully nice.
It would certainly be meaningful for the ransomware problem were that to happen. That's a lot of ifs between here and there. That's kind of calling for another 1989 through 1991 sort of period of sudden blossoming of good things, but it would really help.
We Need More Cyber Curriculum to Combat Cyberspace Wars
Bobby: And in that world, perhaps that would oblige China to a certain extent to be more cooperative. But China in the past handful of years has been so much more assertive. So much more disregarding of the interest of other nations. That it makes one pessimistic that they're going to come around on this and that we're going to get major cyber powers. Not just agreeing to the articulation of rules of the road, but actually obeying them.
Rachael: Well, and a weird segue maybe or not, but there's such a long road ahead of us. And we talk a lot about the cyber skills shortage here. And I was really, really excited to see the UT school of law, I guess, and your interdisciplinary role here for cyber expert. I would love for you to talk a little bit more about that. Because we need more cyber curriculum if we're going to start tackling these huge problems.
Bobby: A hundred percent. So I think everybody understands, certainly anybody who's listening to this show understands that we have a workforce challenge. Everybody does, this is an old story, you don't need me to repeat it. But we usually talk about that in terms of applied cybersecurity and we need more fingers on the keyboards. All true.
But if we look to a different part of the organizations, all of them, government, non-governmental business, et cetera. One of the most recurring challenges you tend to hear about is the lack of mutual understanding across the relevant disciplines. You've got lawyers who don't understand the technology. You have CISOs who might not understand the political context. And you have political leadership who don't understand the business functions. You have business leaders who don't understand the law. It's all around the horn.
Cyber Security Cross-Disciplinary Training
Bobby: And there are a bunch of other disciplines we could throw into the mix as well. But to simplify things, the business regulatory, technical, and legal frameworks, all of them, the whole system would work so much better if we could level up systematically across society. Mutual understanding of what the other disciplines are bringing to the table with respect to cyber.
So UT Austin, which has long had a world-class computer science department. We've never lacked for advanced research and top-end students graduating that can touch on security issues. But many years ago, when we sat around thinking about how can we here in Austin add to the larger set of things happening in the Austin and San Antonio area with cybersecurity, where this has become quite the hub.
What could we do that might be additional and not unique, but a little bit different? And what we decided was missing was just that, the interdisciplinary or cross-disciplinary training. And we set out to build a program that begins with a sort of a broad survey course that takes the question like, hey, cyber security, great topic. What does that mean again?
Not as a technical matter, but as a field of policy and regulation in business. So we have an introductory survey course and then a whole slew of additional courses. Some are about risk management and how businesses think about these things, how incident response works. We have one of the world's leading experts on the law of war as it plays out in cyberspace. We have a lot of stuff because of my own interest and involvements, we have stuff that's all about CISA. Some of it's all about cyber command.
[38:55] Bobby Chesney’s Cybersecurity Book
Bobby: And the goal ultimately is to ensure that any computer science or engineer or other technical student who wants to have some exposure to this has really bespoke made for this purpose training opportunities. And likewise that the kids graduating from Texas Law or from the LBJ School of Public Affairs, who might be in government at some point working on these issues, have actually had some technical training.
We even have a course, I avoided the temptation to call it Technology For Dummies, because I don't want to insult myself. But it's a course for law students and public affairs students and business students who you can't drop them into a computer science classroom.
These are people who may have no grounding whatsoever in coding. But it's nonetheless a semester long, purely technical introduction to build some not fluency, but some familiarity.
So we think the combination of these things really does help to address the problem. And we actually have a model of trying to put the fruits of all this out there where anyone can use them for free. The case book I wrote, that's a big introduction to law and policy relating to cyber. It's free, rather than having it published and trying to make some money off of it.
It's just a PDF, anybody can download it, you can find it by searching Bobby Chesney Cybersecurity Book. That'll probably find it. Actually I'll run a test here as we're talking to see if that works. But the goal is to try to just put these tools out there where everyone can benefit from them.
Bobby: And I think that now there's a lot of universities around the country that do some similar things, this will help us a lot. It's going to take time for the fruit to be borne. But it'll be useful for the country when it happens.
Eric: Bobby, when you bring students in and I'm assuming you bring them in at both the undergrad and the graduate level, correct?
Bobby: Yes. So these programs I just described right now, we built it out for the grad students.
Eric: Okay, so you bring in students who tend to have at least some work experience in one of the disciplines I'm betting, not across disciplines.
Bobby: You get all kinds. Sometimes you get ones who've done it, but some who have nothing at all by way of background.
Eric: No kidding, okay. And so what kind of feedback do you get then if you bring in somebody with a deep technical experience versus more of a legal perspective. Or somebody who just graduated UT Austin undergrad in whatever, public policy degree or something and then they're like, I'm going to this course.
Bobby: So part of what's going on is that there is a strong message that's penetrated the minds of many students from different backgrounds that this is part of the future. That this is a great employment pathway. And that it's a cool and interesting and worthy sort of place to work. There's this concept, this book was real popular a few years ago, but Hector Garcia and Miralles, these two people wrote a book about the Japanese concept of Ikigai.
Law Matters in Cyberspace Wars
Bobby: So you've got to picture of Venn diagram where one circle is something you can get paid to do. One circle is something you're good at, one circle is something that brings you joy and one circle is something society needs. And you need to try to be at the intersection.
When you get paid to do something you're good at, that you enjoy that actually matters in the world. I think a lot of students sort of look at the challenges of the cyber domain and especially the security aspects and the privacy aspects of it. They think, man, that sounds fun, this is exciting and it actually matters.
At a time when finding stuff that really matters that doesn't have some horrible dark side to it, insert social media. It seems like there's a hunger for this and I think cyber is going to continue to draw people in. And I think it's a great sign that this is moving beyond computer science and engineering, that it's happening with other disciplines now too.
Eric: We don't have as many episodes as you do with your podcast. But one of the things I'm picking up, by the way, that's The National Security Law Podcast. It is a fun show. I loved listening to it in preparation for the show here.
But law matters. One of the things in the hundred and whatever we're at, 70 episodes or so that we've done, that's really rounded my education out through the podcast Rachel, is the interconnectedness of all of these disciplines.
It's not just a technical issue. You can't just have the cyber team or the IT team do their jobs and do them well and everything's going to be okay. And part of it's the lack of headcount.
The Ultimate Vulnerability in Cyberspace Wars Is Us
Eric: The shortage in personnel in the industry, the legacy laws, the financial components, you name it, the advantages all the attackers have. I feel like we've learned a lot. At least I have, I won't speak for you, Rachel. It's more than tech. If I could sum up what we've learned on this show over those episodes, it's a heck of a lot more than tech, Bobby. And it's nice to see a school bring it together.
Bobby: It is more than tech. It's a societal challenge. Like you can say something similar. If we did this whole show, if this whole series was about the information challenges of social media and living in our current times, it's more than tech. These are both kind of related manifestations of the nature of our tech-focused society. We have technical problems, but you can't solve them in purely technical means. Because they're also cultural problems, they're behavioral problems.
We all understand that the ultimate vulnerability that'll never be fully patched is us.
Because we're human beings with our foibles. So as our economy and as our lives have become ever more wired or wireless, it was inevitable that the conversation on security and the reality, the practical reality of security would begin to track around these subjects. And if these were physical activities we were talking about, we would understand that you have to bring all these different disciplines to bear. Cyber's no different.
Rachael: Awesome. All right, everyone, once again, an amazing podcast episode. Thank you so much for joining us this week. And here, let me do my drum roll. And don't forget to hit that subscription button guys. Every Tuesday, fresh episode right to your inbox. Until next time guys, be safe.
About Our Guest
Bobby Chesney holds the James Baker Chair and also serves as the Associate Dean for Academic Affairs at the University of Texas School of Law. In addition, he is the Director of the Robert S. Strauss Center for International Security and Law. A university-wide research unit bridging across disciplines to improve understanding of international security issues.
Professor Chesney is a co-founder and contributor to www.lawfareblog.com. It is the leading source for analysis, commentary, and news relating to law and national security. He also co-hosts the National Security Law Podcast and contributes to the National Security Law Lectures series (which he co-founded with Matt Waxman). In 2021, Professor Chesney was appointed to the Cybersecurity Advisory Committee for the U.S. government's Cybersecurity and Infrastructure Security Agency.
Listen and subscribe on your favorite platform