When weighing his thoughts on cyber policy, the first name that came to Michael Hayden’s mind was Jim Lewis.
During a recent event, Hayden, a former director of both the CIA and the National Security Agency (NSA), was explaining a controversial opinion about possibly allowing companies to conduct defensive cyberattacks. He paused, then acknowledged: “When I say this, really smart people like … Jim Lewis over at CSIS [the Center for Strategic and International Studies] begin to get very forceful in response.”
Lewis, who heads CSIS’s Strategic Technologies Program, is a rare cyber expert with a history that bridges the technical, international relations and warfare components of cybersecurity.
“I did the political military stuff for many years, but I still am sort of geeky,” Lewis said, laughing.
Lewis, who’s been writing computer programs since high school, sat in on White House meetings during the so-called “crypto wars” of the 1990s, helped the NSA roll out its first major public encryption device, travelled extensively to Asia with the U.S. Foreign Service, learned about the private sector at the Commerce Department and met with Chinese delegations and Defense Department (DOD) officials to talk cyberattack attribution.
“I was a bad federal employee,” Lewis joked. “I was more like a tourist.”
But as cybersecurity quickly evolves from an IT issue into a geopolitical concern that cuts across almost every agency, Lewis’s tourism has made his a top opinion sought out by administration officials and lawmakers alike.
“It’s a topic where there aren’t a lot of people who can make useful suggestions,” Lewis told The Hill in a recent interview in his office overlooking Rhode Island Avenue. “If you worked on technology, if you worked on security, if you worked on intelligence and you worked on commerce, that gives you sort of a unique blend.”
The massive cyberattack last November on Sony Pictures “is a good example,” Lewis says.
The high-profile hit crippled the film studio’s networks, exposed troves of internal data and emails and almost caused the company to cancel a big-budget comedy. It also generated ample armchair cyber analysis.
Many security firms have cast doubt on the government’s narrative that North Korea backed the attack in retaliation for the studio’s comedy, “The Interview,” about a plot to assassinate North Korean leader Kim Jong Un.
Lewis has been one of the few to strongly back the government’s explanation. He enjoys adopting a Kermit the Frog voice when imitating the arguments of government doubters.
One in particular stuck out to him, regarding the language of the code that was used to take down Sony’s network. The FBI cited the Korean-language basis of the code when laying out its case against North Korea. Some doubters pointed out the code had more indications of South Korean language than North Korean language.
Or, as Lewis said in semi-Kermit mode: “We know it wasn’t North Korea because North Korea and South Korea have different languages.”
Dropping back to his normal tone, Lewis replied. “Really dude? There’s only one problem with that. I’ve been to Korea four times and no Korean has ever told me that.”
The language that has developed regional and cultural differences as a result of the half-century of minimal contact. But, Lewis said, those differences aren’t substantial enough to use as the basis for a counter-argument.
“Knowing what I know, I think it gives me a little bit of an edge in analyzing problems,” Lewis added.
Policymakers agree. Lewis regularly briefs lawmakers on cyber issues and has advised governments from China to South Korea to Australia on cyber concerns.
In recent years, the tenor of these meetings has changed drastically. Only two or three years ago, when Lewis briefed U.S. lawmakers, their attitude was: “Why are you bothering with this stuff?”
Now they have a whole host of questions for him.
How does the U.S. balance its economic relationship with China while the country bombards America with cyberattacks? How should the U.S. respond when it believes North Korea has destroyed data at a private American company? What are the benefits of sharing cybersecurity information between the public and private sector?
“What I mainly talk to them about is, let’s not lose sight of the big things we’re ultimately going to have to do, but what are the things we can do in the interim that might make things better?” Lewis said.
Many believe Congress has the bipartisan support to move a bill this year that would enable increased information sharing between the government and private companies. Proponents of the bill — namely industry groups and intelligence officials — argue such an information exchange is necessary to better defend the country’s infrastructure from cyberattacks.
Lewis thinks it’s one of the “interim” measures Congress can take.
Administration officials also seek Lewis’s advice.
“They’re more focused on the immediate results,” he said. “They have that sense of urgency that doesn’t really exist on the Hill.”
In May of last year, the administration indicted five members of the Chinese army for hacking the U.S., straining bilateral cyber relations. Following the Sony hit, President Obama decided to impose a round of economic sanctions targeting Pyongyang’s arms dealers. Both moves are helping shape the international norms on cyberattack punishments.
“There’s a strong sense when you talk to State [Department] or DHS [Department of Homeland Security] or DOD or the White House that they need to do something now,” Lewis said.
The administration is also weighing its stance on modern encryption, roughly two decades after the “crypto wars” of the 1990s, during which Lewis helped shape the government’s initial thoughts on the technology.
“There were negotiations underway, which I was involved in back then, on how you make the Internet secure for both users and for law enforcement,” he said. The Clinton administration decided it wanted to have encryption publicly available.
“They would take the hit on law enforcement and intelligence in order to make people more secure,” Lewis said.
He recalled a meeting with then-CIA Director John Deutch and FBI officials to discuss the decision.
“Some FBI people said to them, ‘If we do this it’s going to create major problems,’ ” Lewis said. “And [Deutch] said, ‘Look that’s my problem don’t worry, I’ll take care of it.’ ”
But the decision was decades too early. The public didn’t care about adopting encryption, and it remained a fringe technology.
That has caused the same argument to come roaring back after former NSA contractor Edward Snowden revealed a number of secret spying programs that collected mass quantities of Americans’ data. For the first time, desire for encryption has gone mainstream.
Prominent companies like Apple and Google have built default encryption into their devices that they claim keeps the government permanently locked out. The FBI has responded in the same fashion, publicly and privately criticizing companies for aiding and protecting criminals.
“All the complaints you see about the FBI and Apple and Google, that’s a replay of the crypto wars of the ’90s,” Lewis said.
Pro-encryption and civil liberties advocates were unhappy when Obama seemed to partially side with the FBI a few weeks back.
Following a meeting with British Prime Minister David Cameron, the president endorsed the British leader’s push for “backdoors,” or intentional weaknesses built into technology that give the government permanent access to communications with a warrant.
Lewis believes in strong public encryption. He even thinks the government “should mandate encryption for some activities,” but acknowledges “it’s tricky because you make people’s data safer but that includes jihadis.”
“That’s where you have to think, ‘Is there a balance, is there another solution?’ ” he said. “All that takes time to cook up.”
It’s all part of managing a rapidly developing, and often unpredictable, invention — the Internet.
“I don’t know if the others would say this, but nobody expected the Internet to take off the way it did,” Lewis acknowledged. “Nobody expected the tidal wave.”