Are hackers really a constant threat, or is hacking just another tool for media manipulation and fearmongering? To get definitive answers, the Curiosity Podcast sat down with the deputy chief of research at the Army Cyber Institute at West Point, Dr. Natalie Vanatta. She explains what government and corporate entities are doing to keep the average person safe online – and how people can protect themselves. Plus: learn where the international community draws the line between warfare and cyber-warfare. A lieutenant colonel in the U.S. Army and instructor of mathematics at the United States Military Academy, Dr. Vanatta's work at the Army Cyber Institute focuses on bringing private industry, academia, and government agencies together to explore and solve cyber challenges facing the U.S. Army in the next 3 to 10 years. Additional resources discussed: Army Cyber Institute at West Point Arizona State University Threatcasting Lab Shmoocon 2017 | A Widening Attack Plain - Natalie Vanatta, Brian David Johnson (YouTube) United Nations Definition of Aggression Defining War in an Ill-Defined World (New York Times) DOD needs cyberwarriors so badly it may let skilled recruits skip boot camp (Ars Technica) CyberCorps: Scholarship For Service (SFS) COACH: Crash Override's Automated Cybersecurity Helper Follow Curiosity Daily on your favorite podcast app to get smarter withCody Gough andAshley Hamer — for free! Still curious? Get exclusive science shows, nature documentaries, and more real-life entertainment on discovery+! Go to https://discoveryplus.com/curiosity to start your 7-day free trial. discovery+ is currently only available for US subscribers.
Are hackers really a constant threat, or is hacking just another tool for media manipulation and fearmongering? To get definitive answers, the Curiosity Podcast sat down with the deputy chief of research at the Army Cyber Institute at West Point, Dr. Natalie Vanatta. She explains what government and corporate entities are doing to keep the average person safe online – and how people can protect themselves. Plus: learn where the international community draws the line between warfare and cyber-warfare.
A lieutenant colonel in the U.S. Army and instructor of mathematics at the United States Military Academy, Dr. Vanatta's work at the Army Cyber Institute focuses on bringing private industry, academia, and government agencies together to explore and solve cyber challenges facing the U.S. Army in the next 3 to 10 years.
Additional resources discussed:
Follow Curiosity Daily on your favorite podcast app to get smarter with Cody Gough and Ashley Hamer — for free! Still curious? Get exclusive science shows, nature documentaries, and more real-life entertainment on discovery+! Go to https://discoveryplus.com/curiosity to start your 7-day free trial. discovery+ is currently only available for US subscribers.
Full episode transcript here: https://curiosity-daily-4e53644e.simplecast.com/episodes/fighting-in-the-fourth-dimension-the-u-s-army-on-cyber-warfare
CODY GOUGH: Hi, I'm Cody Gough. And I have a story about getting hacked.
ASHLEY HAMER: And I'm Ashley Hamer. And I really want to hear that story.
CODY GOUGH: Yes, it's pretty crazy. So, Ashley, did you know that I got hacked one time?
ASHLEY HAMER: You told me that once. But I don't really remember exactly what happened.
CODY GOUGH: Yeah, this happened in 2014, I think. I realized that all of the files on my computer were encrypted. And that--
ASHLEY HAMER: Like, you couldn't get into them?
CODY GOUGH: No, I could not open them. They were encrypted. They were--
ASHLEY HAMER: That's not good.
CODY GOUGH: --turned into a thing that you couldn't access. And a bunch of Notepad files were in the folders on my computer. And they all had the URL for a website. So online, I could barely go to any website. They just weren't loading except for this one website. And it turned out it went to this website that basically said, hey, you need to pay us $500 in Bitcoin--
ASHLEY HAMER: Whoa.
CODY GOUGH: --if you want us to give you your decryption key to get your files back.
ASHLEY HAMER: Oh, my gosh.
CODY GOUGH: Yeah, so I played a saxophone in college. And all of my recordings of all my performances were on there. And I had some files backed up. But my backup software hadn't been running properly for a while. So there was a lot of stuff that it was just like there's no way I'm ever getting this back unless I pay the $500. So I ended up paying the $500. And it comes with a happy ending. Actually, two happy endings.
So here's how I worked it out. I decided, all right, I will take $500 out of my savings account. I will buy Bitcoin with it. And I would go to the website and pay off the hackers. So between the time I bought the Bitcoin and the time I went back to my computer to pay the ransom, the Bitcoin exchange rate had changed because it's such a volatile currency.
And I suddenly needed more Bitcoin. Like, I needed an extra 0.2 Bitcoin or something. So I go back to the bank-- and I didn't know how it worked. So I was just like, I'm just going to buy another $500 in Bitcoin. So I end up with $1,000 in Bitcoin. I paid off the $500 in Bitcoin. And they gave me the decryption keys, which is crazy.
ASHLEY HAMER: Yeah, you wouldn't expect the-- they could just take that money and run.
CODY GOUGH: Right, of course. So I don't recommend this. This had a happy ending. I'm sure there are a lot of hacking cases where this doesn't have a happy ending. But in my case, it worked out. So it turns out that when I got the decryption key, I ran it on my computer. It decrypted all my files. I was good to go. I then realized what really happened was they had encrypted about half of my files before I deleted the worm or the virus or whatever I had. And then a second worm hit me and encrypted the other half of my files with a second encryption key.
ASHLEY HAMER: What?
CODY GOUGH: So I went back to this website. And there was actually a customer service form. I'm not kidding.
ASHLEY HAMER: Oh, my gosh.
CODY GOUGH: And this site is translated into 18 different languages. And I just typed in. And I said, hey, look, I just paid you the money. But I need another key. Here are the other files. Here's the code that I have. Could you please provide me the other decryption key? And they did.
ASHLEY HAMER: Oh, my gosh.
CODY GOUGH: They just gave me the other key. I was like, this is better customer service than some companies I've dealt with in the US. But these hackers-- thank goodness-- gave me the keys. The other happy ending to this story other than me getting my files back is that even though it cost me $500 at the time, I had this other $500 in Bitcoin. And I was like, well, I took this out of savings. So it was just sitting there anyways. And--
ASHLEY HAMER: Yeah, what are you going to do with Bitcoin in 2014?
CODY GOUGH: Right, and I was like, I've heard this is a volatile currency. So I'll just hang on to it. Maybe it'll make some money. Two years later, it was worth a lot more money. So I--
ASHLEY HAMER: It would.
CODY GOUGH: --actually made a significant profit in the long run. But I got really lucky. And a lot of people didn't get really lucky. So that's my brush with cyber warfare--
ASHLEY HAMER: That is an amazing story.
CODY GOUGH: --cybersecurity, cyber hacking. I called the FBI at the time. I actually got on the phone with the FBI--
ASHLEY HAMER: Oh, my gosh.
CODY GOUGH: --Cyber Crime Division. And I'm like, hey, can, you help me? And they're like, no, this happens a lot. And we cannot track all these guys down. So I think today, we should talk about cybersecurity.
ASHLEY HAMER: Yeah, that story makes me want to change my passwords right now.
CODY GOUGH: Yeah, back up your files. Always back up your files. And I think for cybersecurity, we need to call in the big guns.
ASHLEY HAMER: Oh, yeah?
CODY GOUGH: When I say the big guns, I'm in the United States Army.
ASHLEY HAMER: Yes.
[MUSIC PLAYING]
CODY GOUGH: It's easy to get freaked out about cyber attacks and cyber warfare. But how scared should we really be about getting hacked? We wanted definitive answers. So we went to the best place to find them-- the Army Cyber Institute, an army think tank. Their deputy chief of research is Dr. Natalie Vanatta. She recently spoke on a cybersecurity panel at Chicago Ideas Week. And while she was in town, we had a conversation you will not want to miss if you're curious about the future of your online safety.
ASHLEY HAMER: You can follow along with an interactive transcript of this episode on gretta.com. That's G-R-E-T-T-A. Visit gretta.com/curiosity to share your favorite clips with your friends while you listen.
CODY GOUGH: I'm here with Dr. Natalie Vanatta, assistant professor at the Army Cyber institute at West Point. And congratulations on the recent promotion. You were just promoted--
NATALIE VANATTA: Thank you.
CODY GOUGH: --to lieutenant colonel and cybersecurity expert, right?
NATALIE VANATTA: I try to be every day. I mean, it is interesting from it is a dynamic field that's always changing. And the adversary out there is always finding some new idea. And so definitely keeps you on your toes every day.
CODY GOUGH: What's the main reason you traveled to this city to talk about cybersecurity? What's the main message you're focused on right now?
NATALIE VANATTA: Great question. It's always super exciting to get asked to speak at a convention or a conference. And a lot of times, I speak at cybersecurity conferences. So the target audience are other cybersecurity professionals. But I was really excited when I heard about Chicago Ideas Week. Because my audience is not going to be cybersecurity professionals.
It's going to be the average citizen, and the average citizen that probably doesn't know a lot about cyber except what the media tells them. And at times, it can be really scary. You see all these nefarious people in black hoodies out there to steal every part of your daily life and information. And they're going to steal your credit. And they're going to steal your information and your baby pictures. And the world is ending. But it's not really like that.
And so I came as part to sit on part of a panel to tell that average citizen that there are things they can do. The world is not ending. There are people that work every day, hundreds of people that remain nameless, both in industry and in the government, to try to protect and secure their safety in the cyber domain. And so the panel is all about giving them ideas of things that they can do, things that they need to know about, where they can learn more information, and just beating back the mass hysteria that sometimes is really easy to fall into.
CODY GOUGH: So you're saying that the media blows the fear out of proportion?
NATALIE VANATTA: I'm just saying if it bleeds, it leads, you know? But yes, at times, I would say the media does.
CODY GOUGH: Well, don't worry. I am not the media. I am nothing if not the average citizen. So I am also not an expert in cybersecurity. And that's why I'm curious about what you've just mentioned. Because you mentioned there are things that I can do right now to secure myself. But I don't know if I want to get off Facebook or not tell Google certain things.
NATALIE VANATTA: I know. And that's what becomes real hard. But just like anything you are doing in a daily life, you have to make a risk assessment and decide to weigh your security or safety versus efficiency. All the time, you choose to buy a sports car instead of a sedan. And you choose to want to drive that sports car like a sports car in downtown Chicago. I think you're going to run into some issues. But it's a choice that you make.
Absolutely, go out enjoy Facebook. Go out and enjoy social media. Just be a little smarter about how you use it. Double check on whether, ooh, I'm going on vacation. I'm going to Aruba for a week. This is amazing. I want to tell the whole world about it. Well, maybe wait till you come back so you don't tell the whole world and robbers that have figured out what your home address is know you're going to be gone for the week in Aruba. Little things like that.
Passwords-- oh, my. When you actually look at most of the large security breaches that have ever occurred in the cyber domain, a lot of times it comes down to passwords. The media will talk about these zero days and these hackers that are writing all this malicious code. And they're going to steal your information. But a lot of times, how these attacks start is just poor passwords.
Someone, whether they're a user or an administrator, just from a laziness perspective, which we all like, don't you hate having to make 16-character passwords with numbers and letters and special characters? And you couldn't have done it in the last 10 times. And they all have to be different and separate. That becomes really difficult.
And so it's really easy to maybe reuse your passwords between your banking app and your Facebook app, maybe between other aspects in your life. Or maybe you're like, not at all. I can do 16-character passwords. I'm just going to write them all down and put them next to my computer so I can find them quickly, right, when you need them. So it's thinking about some of these decisions that we make, the little things we can do when it comes to our risk assessments for our behavior that we have online.
CODY GOUGH: So that's what an individual should probably do. But you're working with the military on cyber threats. So how is what you're doing different? What are you focused on then?
NATALIE VANATTA: Well, all of it. We have this humongous mandate. We're a think tank for the army. We are only five years old. So fairly brand new in the whole scheme of things. And our whole mission in life is to think 3 to 10 years in the future and help the army prevent strategic surprise.
CODY GOUGH: In 3 to 10 because you can't possibly go out further than 10, maybe?
NATALIE VANATTA: Well, we could. But there are already organizations within the military that look 15, 20, 35 years out. And that's really hard because you really get into the realm of science fiction, almost. And it's really difficult to do that. And the folks that are in the fight today, operators that are securing the nation and defending its people in cyberspace, they're focused on today and maybe the next six months.
So we're in that gap of things that we need to look at what's happening today. How we think those things are going to evolve, how technology is going to evolve, how society and culture is going to evolve, what people are going to want to be able to do in the future, what our adversaries might be doing in the future and how that's going to be translated into the battle space in the future.
So we can think about what's the equipment that we're going to need, what's the changes in the way that we fight, what's the changes in education or training soldiers need, what do our formations look like, how do we incorporate all these things in a holistic package to ensure that we can help set the army up for success in the future? So we're just this innovative little think tank that are told to go out and think great things. And that's what we do.
CODY GOUGH: And I saw you gave a talk at a convention in early 2017 about threat casting. And that's on YouTube. And we'll put that in the show notes as well, if people want to watch that. But is that what you're talking about-- threat casting?
NATALIE VANATTA: Yeah, that's a-- well, we stood up as a think tank first. And then we partnered with Arizona State University and a professor there Brian David Johnson, who was doing threat casting, as a way to help us focus our efforts. Because when you're just given a broad mandate of, think in the future, prevent strategic surprise, ensure we can continue to fight and win our nation's wars, that's really big. And that's a scary mission to be responsible for.
And so we were thinking, how do we nudge this down and the things that we can really be successful on when it comes to cyber domain? And so a lot of what Brian was talking about and doing really made a lot of sense for us. So we've partnered with him and Arizona State University to help us guide in our efforts as we're thinking about the future to make sure that we get some good wins.
CODY GOUGH: You've talked about wins and battles a couple of times. And cyber warfare, a term people throw around. But the word warfare, right, you're thinking one nation versus another nation. But that line is so blurry now. And I'm thinking about, let's say, you've got incidents like the Equifax breach, where millions of social security numbers are pulled from somewhere. The person responsible for that, let's say that person was a group of hackers in Russia or in Poland or in Australia, some other country. Those are individual citizens attacking individual citizens. But that's not war, right?
NATALIE VANATTA: That's a question we've been struggling with for the last decade and I think we will be struggling with for the next decade still-- at what point do you draw the line in what becomes actual war or armed conflict? And up until this point, we have been really lucky in life, I would say. Our domains when it came to war fighting were the lands, the air, the sea, or space. And the United Nations has a charter. And it tells us in the United Nations documents what is armed conflict and what is war between nation states.
ASHLEY HAMER: United Nations charters are pretty lengthy. But I can give you the CliffsNotes of how the UN defines these things. UN Resolution 3314 from 1974 defines an act of aggression as the bombing, blockading, invasion, attack, or any other use of armed forces by one country against another country.
A war of aggression is different and requires a series of these acts to be committed with sustained intent. The big difference is that the UN always considers a war of aggression to be a crime against international peace. To lawfully declare war, chapter 7 of the United Nations charter from 1945 lays out steps that must be taken before the Security Council will authorize the use of armed force.
If this all sounds like a lot of red tape to get through before you can attack another country, yeah, that's the point. But that's also why you never seem to hear about countries declaring war anymore. To sneak around the UN's laws, countries just call their actions self-defense, interventions, or police actions. Cyber warfare might be muddying the definitions of war. But modern military actions were doing a great job at that already.
NATALIE VANATTA: And you could do the calculus. And you know what it is. And we all agree what it is. But when it comes to the digital domain or the cyber domain, we're all struggling with what actually does armed conflict look like there. Because it's not just a kinetic fight. You can't just count the bodies lying around and decide, yeah, that's war. You can't see the nationalities of folks over a sovereign line drawn on a map and be like, yep, they're invading. They're not supposed to be there. It's a lot more difficult. And that's something that we're going to continue to struggle with for a while.
CODY GOUGH: Yeah, I mean, I think about it all the time with all the allegations of another particular country, perhaps interfering in the 2016 presidential election.
ASHLEY HAMER: If you didn't catch this in the news or if you're just listening in some distant future where we still have podcasts, what Cody's referring to is that around the 2016 US presidential election, Russian agents had created thousands of Facebook groups, YouTube videos, Instagram posts, tweets, and targeted Facebook ads about polarizing topics like gun rights, LGBT issues, and religious freedom in order to cause divisions among American citizens and interfere with the US presidential election.
CODY GOUGH: But let's say they bought ads on Facebook. OK, great. Well, Facebook's a private organization. It's not like they were hacking into-- I mean, if they were hacking into the CIA as database or something, that's certainly different. But if you're purchasing ads, let's say, on an independently run corporation or something, and it's not violating its terms of service, then it's like, well, where is the line? I mean, I don't know who you can blame. Can you really be like, well, what they did was illegal, kind of, but not exactly because of the channels they perused. It's very confusing to me.
NATALIE VANATTA: It's almost like we get upset at companies and our way of life that something that we've hold true for hundreds and hundreds of years of why this country was founded, the freedom of speech, the freedom of press, the freedom to be able to say your ideas, the democracy, the idea that you can go out and start your business and run your business how you see fit within the laws of the land, and now all of a sudden, potentially, someone else or some other groups are using that against us in our open and free society, potentially coming from societies that are not as open and welcoming of ideas, and now, all of a sudden, we want to get upset?
Well, I mean, this is what we signed up for a couple hundred years ago. And I don't think we're going to change it any time soon. So the problem is now we've got to change our mental model the idea of what's acceptable and what's not and what we're willing to continue to fight for and keep as a freedom and what we decide is not worth it anymore.
CODY GOUGH: Yeah, I feel like-- and a couple hundred years ago, of course, there was no internet. There was no social media. A lot have changed. But at the same time, technology has definitely outpaced our ability to process its effects and its consequences before it's out there. I mean, I don't think when Facebook was released, anybody sat back and thought, wow, this is going to completely change the way everyone in our country consumes information and hack a fifth of the planet. I don't think anybody sat back and said that.
So your institute or in any of the research you're doing, are you also looking at the current effects of how things like social media and the way information is being exchanged how that's affecting and impacting things?
NATALIE VANATTA: Yes, by propelling what it's going to look like in the future. And it's also the cop-out answer, right, is we're not responsible for what's going on right now. That's someone else's problem. We're supposed to be thinking about what's the next evolutional crank of this look like. And so that's a lot of what we do is picture, OK, this seems to be a problem. But what's it going to look like in 10 years? And what's the latest emerging technology? And more importantly, how is someone going to be able to use it against us in a way that we never guessed?
That was an unintended consequences, that it was the best intentions of everyone that crafted this technology or how we were going to use it. Best intentions-- but some nefarious actor decided to use it against us. And therefore, if we can picture how that horrible use case might be, what can we start doing today as we're engineering that technology either in the technology itself or in policies or law or guidance to help ensure that that either can't happen or at least mitigate the effects of that happening?
CODY GOUGH: Yeah, so once in a while, you'll come across a piece of technology. And you'll think, we should probably talk to Congress about this. And you'll be responsible for-- not responsible for, but you participate in maybe helping form some of those policies and proposals?
NATALIE VANATTA: We do. And we do it in lots of different ways. We write white papers. We speak places. One of our researchers, she is an awesome sauce ethicist and lawyer. And she's actually done a lot of work and helped written position papers for the Department of Justice to change what their policy is on some of these emerging technologies.
So we're a unique entity in that our whole purpose in life is to think about the future for the army. But what we find is the challenges the army is going to face on the battlefield or at home back in garrison on base are the exact same challenges the rest of the military services are going to face and, in fact, all of society is going to face in the future. And so there's not like this boundary we can draw around ourselves.
And so what we find is we're doing this research and coming up with these ideas. We share them across industry and academia and government. And some of them just get nugged on. And those are our success stories. And the rest of them, we're like, well, at some point, that idea might be important. So we'll keep pushing it along. And you know what? If it's not, because it doesn't come true, then that's a success story in itself because we help to prevent that thing from happening, so.
CODY GOUGH: Now, I know that for our military, we've got the Navy-- commands the seas. And the Air Force commands the air. And then you've got the Army and the Marines and all the other branches. When you talk about all this cyber stuff, are we going to create a new branch? Or is it the Army that's spearheading it? Or is this a cross class effort?
NATALIE VANATTA: So as an army officer, I have to say the Army rocks at cyber because we do. But we're still growing. And that's the thing when it comes to this effort. The other domains-- and we'll call them warfare domains-- are natural domains-- the water, the land, the air, space. We can draw a boundary. And we understand that.
We're like, land, that's a war fighting domain. Army and the Marines, you're responsible for land combat. Air Force, you have the air. And now, we can argue where that boundary is. Does the Air Force control a foot above the ground or person height above the ground or the top of the tallest tower in the city?
We can argue where the boundary is. But we generally know we're fighting on the land. It's the Army and the Marines. We're fighting in the air. It's probably the Air Force. And if we're out at sea, it's probably the Navy that we can argue with lateral waters, where exactly does that start? But generally, we all can understand who is supposed to be leading the effort.
But when it comes to cyberspace, I mean, this is the first man-made domain. It's everywhere. And so what we have done is every service has crafted its own cyber effort within the service. And we have lots of joint cyber teams that focus on defending the nation together as a joint entity. And so that's where we are right now is everyone has their own teams. We have some joint teams across the service.
The Army itself has crafted a branch. So now, there is a career path from a talent management perspective. For someone to join the Army, walk into your recruiter's office today and tell them you want to be a cyber soldier, and we'll train you up all the way through the end of your career when you retire as sergeant major of the Army or general of the Army, whatever it's going to be.
Eventually, Congress may decide that it's time to create a new service. But I think that would be a very emotional decision. And that would take, I'm sure, a lot of law and a lot of bickering. So who knows?
ASHLEY HAMER: Here's a question. So you do want to be a cyber soldier. And you do walk into your recruiter's office and sign up. If your job is going to be spent entirely in front of a computer, do you still have to do basic training otherwise known as boot camp? The answer is yes, the military trains everyone in armed combat, regardless of their specialization. Because they want every single service member to be ready, if the need arises. If you wear the uniform, you're a soldier. And if you're a soldier, you've gone through basic training. It's as simple as that.
That said, there is such an urgent need for cyber soldiers right now that the US Department of Defense has considered nixing that requirement for cyber operations. If you're a student with an interest in computers, you might want to check out the scholarship programs available in the cybersecurity field because there are a lot of them.
CODY GOUGH: Ashley, I feel like I'm learning a lot about cybersecurity. But offline, I still have one weakness.
ASHLEY HAMER: Judging from the empty boxes around the podcast studio, I'm guessing you're talking about interior design.
CODY GOUGH: Yeah, about that, I really need to check out our sponsor-- Havenly.
ASHLEY HAMER: You really do. We've been over this. Visit havenly.com/curiosity and enter promo code curiosity for $50 off their full design package. Havenly is the best online interior design solution. And it makes interior design accessible to normal people.
CODY GOUGH: But on average, traditional interior designers charge something like thousands of dollars for a room, don't they.
ASHLEY HAMER: Yeah, but Havenly's packages start at $79. I said normal people, didn't I? They've also got a Design Quickie feature that allows anyone to chat with a designer for free to get advice on any design-related questions.
CODY GOUGH: And if you go to havenly.com/curiosity, you can get $50 off a full design package with the code curiosity?
ASHLEY HAMER: Right, that's havenly.com/curiosity. Enter promo code curiosity and boom, $50 off the full design package.
CODY GOUGH: Cool. Any suggestions in the meantime?
ASHLEY HAMER: When's the last time you took out the trash?
CODY GOUGH: So describe to me like a day in your research.
NATALIE VANATTA: A lot of times it's spending time with current military folks that are actually operating in the space today to understand what their challenges are today to then take a step back and then meet up with industry partners or academic partners to theorize, well, where could this go, what would be the next thing? A lot of what I do is I read articles that people are writing, both in the academic realm and not in the academic realm. I see what people are talking about, thinking about, worried about.
And then to be honest, a lot of senior leaders in the army come to visit us at the Army Cyber Institute. Potentially, one could argue it's because we sit on the grounds of West Point, the United States Military Academy. And for home football game weekends, there's always a ton of visitors. But people come by. Go Army! And they visit.
And one of the questions I asked these senior leaders that are very gracious to give us 30 or 45 minutes of their time, I ask them, what's the thing that keeps you up at night? What's the thing that is niggling away at the back of your head? Because maybe you heard about it somewhere or something caught your attention. And you just wish you had the resources to put some people and some thinking on it because you think it's going to be important in the future. But you just don't have time to think about it today.
And I will tell you, from asking those senior leaders-- these are general officers that have been in the Army or another branch of service for 30 to 35 years and have seen a lot-- that idea niggling in the back of their head tends to actually bear a lot of fruit to get us started down a path that will lead us in a direction that's really important.
CODY GOUGH: Do you think this is happening in a lot of countries? A lot of different nations are also doing research and all this cyber stuff to try and keep everybody just protected from the ne'er-do-wells?
NATALIE VANATTA: I would hope so. I would really hope so. I would imagine that you probably have three different options. Either countries are looking into this to protect their citizens because they want to protect their citizens; countries are looking into this because they want to empower their citizens to be criminals, which could be; or maybe they're just standing back and watching to see what happens first and then just stealing everybody's good ideas so they don't have to waste the capital in doing research.
I don't know. I think it's probably one of the three, which is probably exactly what businesses are doing too. You're doing one of the three things to figure out where your competitive advantage comes from.
CODY GOUGH: Speaking of current technologies, I feel compelled to ask about blockchain technology. That seems to be popping up everywhere. Banks are investing in it. I think certain government agencies are probably doing some work with it. It seems to be a relatively difficult to hack or disrupt technology that is verified by lots of different computers and lots of different places-- my understanding.
ASHLEY HAMER: Blockchain technology might be popping up everywhere. But that doesn't mean it's common knowledge. If you've never heard of blockchain, you may have heard of Bitcoin. Bitcoin is a cryptocurrency that was created to bypass government regulations and financial middlemen and make transactions super secure and simple.
The way Bitcoin's creators did that was through blockchain technology. The blockchain works on a distributed ledger, kind of like a Google Sheets spreadsheet that shared among thousands and thousands of computers. The difference is that even though every record in that ledger, known as a block in this case, is visible to every computer, it's kept safe with a math called cryptography.
When someone requests a transaction, it's sent to all of the computers on the network, which run a series of algorithms to vote on the authenticity of the transaction. Once it's confirmed, that transaction is combined with other transactions to create a new block for the ledger, making it permanent and unalterable. The fact that it's visible to everyone makes it virtually impossible to cheat too. That's the simple explanation. Blockchain gets really complicated.
But the important things to remember are that blockchain is distributed. So there's no central authority you can hack into. It's visible to everyone. So it's really hard to cheat. And most important, it can be used for much, much more than just finances. You could potentially use blockchain to sign contracts, vote in elections, or do anything else that requires the utmost security and transparency. You can read more about blockchain in Bitcoin on curiosity.com.
CODY GOUGH: How do you feel about blockchain technology?
NATALIE VANATTA: So as a mathematician, I think it's absolutely fascinating. I really do. I think it has a lot of benefits for using it in different things-- to verify transactions and the things that actually have occurred because you have this decentralized system that would actually verify it. So even if you didn't trust-- you're not relying on one person that you have to trust, but lots of different people that don't potentially know who you are or know what this is.
I think it's going to be very interesting to see how it evolves in the next decade. I mean, it started as, hey, this is for only financial reasons. And it's very interesting to see how lots of different people now in different sectors are realizing that this could have bearing also on their business model also.
CODY GOUGH: Yeah, I also have a friend that works in quantum computing. And he's not allowed to tell me anything he does because he does work for the government. [LAUGHS] So--
ASHLEY HAMER: Quantum computers, how do they work? To answer that, let's back up and talk for a second about how a traditional computer works. Every computer you've ever used works by manipulating little particles of information called bits. A bit exists as either a 0 or a 1, two choices, which is why that system is called binary. A logic gate in a circuit thinks only in terms of 0 and 1. But from that simple choice, we've created things as amazing as Facebook and virtual reality and that little smartphone app that looks like a lighter.
Now, imagine if you had magical bits that could exist as 0, 1, and every point in between. Quantum bits can do that. A quantum phenomenon called superposition makes it so very, very small particles can exist in many states at once. It's only once you measure them that they decide on one state. That gives quantum computers the potential to be millions of times faster than our fastest traditional computers.
Quantum computers are in their infancy right now. But once they become mainstream, they're going to turn the technological world upside down. If you'd like a deeper dive, search quantum computing on curiosity.com.
CODY GOUGH: Do you see that radically changing everything in the next x number of years? Or is that beyond the 10 years of your forecast?
NATALIE VANATTA: That's awesome. And we struggle with that question. Because quantum computing, it's so awesome sauce. And what I think is the coolest thing about it right now is that you can argue in academics that are much smarter than me-- because I'm not a physicist. Mathematician only-- will argue that the theory is there. The theory, the physics, the math is there to explain how a quantum computer would work and how a quantum computer will absolutely revolutionize everything we currently do today. It's there.
What's not there is the engineering. And that is there have to be a couple of different breakthroughs when it comes to actually the engineering piece to construct a supercomputer that can actually maintain its state long enough to do the calculations we would want it to actually be done. So that's what we're waiting on. It's not the theory. The theory is there. And it's been there for a while.
And so when people ask, well, when's a quantum computer going to be here? Do I need to start worrying about ensuring that the next space I build can house a quantum computer to do our computation? My answer is, well, I don't know. Like, we need one or two absolutely radical fundamental breakthroughs when it comes to the engineering, and then a quantum computer is here. A quantum computer is here. It's large enough to do what we need to do. But there's no way to guess when those fundamental breakthroughs are going to happen.
And so what I think is really interesting is there's a handful of theoretical computer scientists out there that are trying to figure out, well, what can we do while we wait for that engineering breakthrough to occur? So how would we program this thing? If we take the theoretical physics and the math and go with it, that's what the construct of how it's going to work. Well, let's start figuring out what does this programming language look like. Because it'll be fundamentally different than anything we've crafted to work on a bit computer today.
So let's start crafting it. And let's start discussing it and maybe educating individuals on it so that when we reach that point that we're actually able to engineer and design a supercomputer that can maintain its state and is bigger than 8 qubits or 13 qubits or whatever academic organization or government wants to claim they have functioning for more than a millisecond to make a calculation, then we'll be ready to actually use it then instead of then waiting for everybody to catch back up.
CODY GOUGH: And then there will be a whole new set of problems and challenges for everybody, right?
NATALIE VANATTA: Yeah, and so we're trying to get ahead of that, knowing that that's what we're waiting on is this engineering breakthrough. And so that's why NIST has the callout for the post quantum cryptography algorithm. Like, what's the next thing that we need to use to encrypt our data that's going to be resistant to when this quantum computer finally gets here? Because whether it's 10 years from now or 35 years from now, the problem is that as soon as it hits the mainstream, you can go back and see anything that you've captured from today that was encrypted with the most difficult and strenuous algorithm out there. And you can tear it apart like it was nothing.
So if we spend some time focused on what is the next algorithm, it's going to be resistant to that. Then we can encapsulate all the data we have now with that so we don't have to worry. When that computer comes online, you're still not going to be able to break the secrets that we think are really important that no one knows about today like the route I took to work or whether I decided to wear brown boots or black boots to work today, you know?
CODY GOUGH: Right, where does that fall in your spectrum of serious potential issues in the future?
NATALIE VANATTA: Something to play with in my free time but not something actually is worth looking at for work.
CODY GOUGH: What is the biggest question mark that you're allowed to tell me about in terms of the next 3 to 10 years where you look at it and you say, this could be a problem; we've got to figure out how to handle this?
NATALIE VANATTA: So I'd say if you ask that question from any of the researchers, they'd all give you a different answer. Because the group of researchers that work at the Army Cyber institute were across multiple different domains. So we have computer engineers. We have electrical engineers. I'm one of four mathematicians that are there.
We have systems engineers. But we have historians and ethicists and lawyers and cognitive scientists and behavioral scientists and folks that do information operations. And we have folks that have been in the Army, that have worked for NGOs, that have been federal prosecutors, that have worked on the Hill. So it's a whole wide gamut of folks.
And the reason we bring this very diverse group of people together is because together, I think, we can come up with the best solutions for the problems. Because what history has shown, even the nascent history of this working and the cyber domain, is that there's not one right answer.
There's not a technical answer necessarily. There's lots of different ways to look at the problem to tackle it. So by bringing us all together with very different experiences and backgrounds, we come up with some really cool and interesting different ways to tackle a problem together that we wouldn't often are silos of our specific disciplines by ourselves.
So I would say everyone thinks it's slightly different. I think one of the challenges that are really interesting right now we're looking at is, what's the evolution of internet of things to internet of everything? And how does that affect us in a battle space? So the internet of things, lots of devices connected to the internet.
And so what happens within the next decade where the cost for computational power is so small that there are sensors everywhere? Ubiquitous everywhere, machine learning takes an even bigger play into the cell. And maybe we're seeing the start of some artificial intelligence in the background.
And so now, I'm a soldier going on a drill or working in a training area. But I have an immense RF signature to what I'm doing. Because I probably have my cell phone and a Fitbit and whatever the next greatest gadgets are. So not only the stuff that the military has issued me as part of my combat gear but also just my personal stuff because, heaven forbid, I not be connected to 23 things all at once at the same time. So I know what everybody's doing at every moment of the day.
CODY GOUGH: I'm a millennial. I can relate.
NATALIE VANATTA: Yeah, yeah, so that's the idea is, so I've got all this. So how does that interact with what I'm trying to do on the battlefield? And in the environment that I'm training in, how do you protect our own soldiers and our own forces while being able to detect and work against the adversary that we're going to be fighting with? So one might just say, as perhaps many of the older generation might say in the military, well, just tell those young whippersnappers they need to leave their phones at home! They can't bring that into the battle space!
And that would be great. But that's not going to happen. We're not going to be able to do that behavioral change, where all of a sudden, oh, no, now we're serious. Leave all that back at home. Because it will be even more a part of ourself that you're just not going to be able to get rid of it.
So we have to change our mental model to figure out, well, how can we protect our own, and how can we use everybody else's against them? Because we're not going to be able to say authoritatively, don't bring that over here, turn that off when you come to work. Because that doesn't work, so.
CODY GOUGH: But if you're in the military, you can do that.
NATALIE VANATTA: Yeah, it still doesn't work.
CODY GOUGH: Really? [LAUGHS]
NATALIE VANATTA: Well, I mean-- because mistakes are accidents happen. Like, you're going out, let's say-- I don't know. You're going out to the range. Leave all your phones at home. And you forget that it's in your pocket. Or you have your Apple Watch on your phone, on your wrist, on your thing, you know?
CODY GOUGH: There's no foolproof way to prevent that.
NATALIE VANATTA: Yeah, what are you going to do? Pat everybody down and send them through a metal detector before you go out to the range? That seems a little excessive, you know? Things just happen. And so what we've got to be able to figure out is, how do we operate in this environment, where we just have to assume that there are sensors everywhere collecting on us and seeing what we're doing? And so how do we protect our own troops, and then how do we turn around and use that against the enemy?
CODY GOUGH: Have you seen the reboot of Battlestar Galactica?
NATALIE VANATTA: No, I haven't.
CODY GOUGH: OK, because it just reminded me of an analogy-- I'm a bit of a sci-fi geek-- of the premise of, basically, the whole show is the Cylons, the evil robots, get a hold of some code that is linked to the network of every battleship and everything on the Earth. And then they basically destroy Earth. But Battlestar Galactica, this one Battlestar is a big spaceship. And it's old. It's like 100 years old.
And it doesn't have all this state-of-the-art equipment. And it's not all connected. So Battlestar Galactica is sitting there in orbit. They look around. And they say, well, everybody's dead. We got to get out of here. And they're the only ones not affected, but they're a 100-year-old ship.
That reminds me of some of this analogy with what may be some people who have been around a while just saying, let's go with the old technology and things like that. But you're just saying you don't think that's really a good route to go.
NATALIE VANATTA: No, because the problem is that I think nobody in the world would argue that the United States military is the premier fighting force across the globe. There is no one that does it better than we do. And so most I would argue, nation states and definitely small offshoot groups with their idealism. No, they can't go toe to toe to us in a kinetic fight against the best trained, the best led, and the best courageous soldiers, airmen, Marines, the whole kit and caboodle, sailors, that the world has ever seen.
And so they've got to do something differently. And cyber is a way that they can do it. Cyber is a way that levels the playing field potentially. And so we can't just assume that we can bury our heads back in the sand, and it will be OK, and we'll just use all this old stuff because our adversaries are increasing in number. Our adversaries are going to use this emerging technology. And we have to be able to counter them while defending our forces.
And so we don't have that luxury of just hopping in the old ship and just waiting for everybody else to self-implode. We've got to be there at that same time. And then that's that risk calculation of how connected can we get and ensuring that we can secure that and the benefits it brings from all this emerging technology that would make us more efficient. But understanding that as we push towards efficiency, efficiency becomes easier to hack.
And so we really have to be as worried as efficiency as security and safety at the exact same time. And that's something that we have never done well. And not just us, but government industry. Those two competing ideals have never played well together. And I think in the future, they have to.
CODY GOUGH: Yeah, so a lot of what you're doing is for military applications. But you're also looking at things on corporate levels and consumer levels and all over the place, just trying to make sure we don't get hacked.
NATALIE VANATTA: Exactly, because something that affects the military directly can potentially affect everybody else also. Because the military is not just the men and women that put on the uniform, but the civilians that work with us, their family, their friends, their communities. And so if we took this idea of we draw the boundary around the active duty forces and ignore everything else, we're not actually securing ourselves very well because you have all these tangent vectors that maliciousness or attacks could come in from.
And so we have to take a wider approach. And, in fact, we have to look at more of whole of society approaches, where we all start working together, both military, government, industry, communities, and academia to come up with solutions for the future.
CODY GOUGH: Cool. I think my final question then before we wrap up is, what can you tell people to make them feel better and not buy any of the media hype that everyone's trying to get your social security number and steal your identity today?
NATALIE VANATTA: It's the little things. If you just do the little things, you will protect yourself. And you also need to think about, do people really care? Do people really care about you and what you do? And maybe that should have some bearing in the decisions you make. But also know that people might be after you because you're a cog in the wheel to the next step and the next step.
And it all goes down to passwords. If you would just do that, that solves-- and I'm making numbers up, because I can, because I'm a mathematician. My PhD is in math. So by law, I'm allowed to make numbers up. So I'm going to say it's like 90% of most cyber attacks today can be drawn back to the fact of poor password management.
That's the key-- pick strong passwords, replace the passwords as often as you're told to, don't reuse passwords between important application. Just doing that and having a plan and ensuring that your family members do that too, that solves a lot of the problem right there and leave the higher end stuff. The nation, states were worried about hacking us. Leave that to the professionals. Because if you'll just shore up that easy stuff on the boundary conditions, that gets them to focus on everything inside that they can apply their know-how to.
CODY GOUGH: And we've written about this on curiosity.com before. But the number one way to improve your password strength is by lengthening it. It's not the special characters you use and things like that. It's just the shear length. You think 16 is a good starting point?
NATALIE VANATTA: I will say most of mine are between 16 and 20. It just depends on the application. Because some applications put an end cap on it too, just the way that the software is designed because that goes back to the whole efficiency is easier to hack. It's really easy to put end conditions on, not understanding that if you allowed it out a little longer, for those that are really worried about their safety and security, you would develop a better solution. But I tend to go 16 to 20.
CODY GOUGH: I actually specifically use weaker or weirder passwords for the applications that aren't important because I think, well, here's my bank account password. That one's really complicated and secure. Oh, I could reuse that one for this little tiny start-up website that I'm registering for that's a year old, and who knows who programmed them, and who knows how big their team is, and who knows how secure that actually is?
So it's not like these hackers are going to go into my bank account and hack it. But they could go into some weaker account, see that password, and then run it on 300 different web pages. And then lo and behold, it's the same one as my bank account.
NATALIE VANATTA: Exactly.
ASHLEY HAMER: Does that sound like you? I know. Having a different 20-character password for every single account sounds really daunting. But there are ways to make it easier. You can get a password manager like 1Password or LastPass, which keeps a library of all of your passwords under one hard-to-crack master password.
Most password manager programs have mobile apps and browser extensions that make it really easy to enter your credentials into sites when you need them and even come with password generators that help you create super secure and unique passwords for every one of your accounts. While you're changing your passwords, it's a good idea to go ahead and protect your accounts on the most commonly hacked sites by using two-step verification.
There's a great organization called the Crash Override Network that's full of resources on how to protect yourself from everything from online harassment and doxing to garden variety hacking. They've got a tool called Coach that leads you step by step through the process of securing your most important accounts like your bank, Gmail, Facebook, Twitter, even Skype. It's really easy. And I seriously recommend trying it. You can find the link in the show notes.
NATALIE VANATTA: I'll totally admit, on some of my messaging apps to friends as we're collaborating on research, I have a 10-digit password. It's a pretty crappy password. But I'm like, really, someone can get that? Who cares? It has no bearing and no way-- if you saw how I designed that password would it give you any bearing on how I designed any of my passwords for my banking or my email applications at all. So I'm like, that's fine. Take that password. I guess you could see what I've been chatting with everybody about on the Slack channel. Sure. But not going to do you much.
CODY GOUGH: You use Slack too?
NATALIE VANATTA: Totally use Slack.
CODY GOUGH: Really?
NATALIE VANATTA: I love Slack. Yes.
CODY GOUGH: They're using it in the military?
NATALIE VANATTA: Well, we use it-- we use it at the ACI to pass interesting news stories around. Because otherwise, your email box just gets so flooded with stuff, and you'd miss something. So we post interesting stories, notes, podcasts that are going on so that everyone can read them.
CODY GOUGH: Oh, my gosh, this podcast might end up in the Slack.
NATALIE VANATTA: It totally will.
CODY GOUGH: For West Point, that's incredible.
NATALIE VANATTA: Woo-hoo.
CODY GOUGH: That's a genuine accomplishment. I'm very excited about it. I'm also a little bummed that Slack's not a sponsor on this podcast because that would have been worth a zillion bucks right there.
NATALIE VANATTA: That totally would have been.
CODY GOUGH: Well, someone in sales needs to give them a call. Well, I'm just going to pull up my final question for you. This is the last part of that podcast where we do the Curiosity Challenge. And I'm going to hopefully teach you something perhaps or stump you with a little piece of trivia that you didn't know. I have a question for you that hearkens back to what we were talking about earlier. What is the best way to cool a quantum computer?
NATALIE VANATTA: Deep in the Arctic?
CODY GOUGH: [LAUGHS] Great guess. It does have to do, well, with cooling. But the Arctic, yeah. Not the Arctic. No, so this is actually a relatively new research and hopefully interesting for you. But it is a nanoscale refrigerator. And it was developed by a group of researchers from Aalto-- I think I'm saying that right-- A-A-L-T-O, Aalto University in Finland.
Basically, it's just a very small computer that cools the processor because, of course, the quantum computer is doing millions of calculations per second. Again, you'd mention the engineering as the most difficult part of it. In May 2017, the team takes advantage of a phenomenon known as quantum tunneling. It lets a quantum particle pass through a barrier due to the fact that it functions as both a particle and a wave. And if there's an inducement for an electron to be on the other side of the barrier such as more energy, it can blink through the material to reach it.
So the device is comprised of a superconducting channel and a non superconducting channel, divided by an energy gap. And there's a way that it manipulates the way electrons move around. You can read all about it at curiosity.com. But this is the challenge that quantum computing engineers are facing, where they have to come up with basically magic tiny refrigerators that are able to alter electrons and things at such a level that they're actually able to cool. I mean, it's pretty advanced stuff.
NATALIE VANATTA: I'm glad I'm not a materials engineer right now.
CODY GOUGH: [LAUGHS] And now, you've got a question for me.
NATALIE VANATTA: Actually, I've got two.
CODY GOUGH: All right.
NATALIE VANATTA: Just because I have faith that you'll get one of them. But I'm confident you won't get the second one.
CODY GOUGH: All right.
NATALIE VANATTA: OK, What is the only one state that you can type along one row of your QWERTY keyboard? Don't look. What is it?
CODY GOUGH: I'm not looking.
NATALIE VANATTA: Those of you listening in, don't cheat either.
CODY GOUGH: I'm just going through all the states. It's not Washington. It's not California. It's not Texas. It's not-- Alaska.
NATALIE VANATTA: Alaska it is.
CODY GOUGH: There we go.
NATALIE VANATTA: Good job. OK, so here's my second question, which I know you're not going to get. I worried about the first one. Here we go. OK, coming from the fact that I currently am stationed at the United States Military Academy, 1890 was the very first Army versus Navy football game. In fact, it is the longest running college football rivalry in the nation-- 1890. During that time, only once has this game been played in the Midwest. And, in fact, it was played in Chicago one year. What was the year, and what was the score?
CODY GOUGH: Oh, boy. You knew this off the top of your head?
NATALIE VANATTA: No, my office mate is an Army football player. And he texted me the answer.
CODY GOUGH: Oh, nice. But you're a big Army fan. That sounds right.
NATALIE VANATTA: Total Army fan.
CODY GOUGH: Wonderful. OK, so it was played in Chicago. You want to know the year. All right, let's just throw it out there. Let's go with 1925. And the score was 7 to 21.
NATALIE VANATTA: Who won?
CODY GOUGH: Army.
NATALIE VANATTA: Great guess. Totally wrong. The year was 1926, so very close.
CODY GOUGH: Oh, I was in the right decade. Wow.
NATALIE VANATTA: And the game was tied. Because back then, NCAA rules allowed for a tie game. There have been only six tied games between Army-Navy and the whole history of the series, which, of course, that number will stay where it is because the NCAA doesn't allow ties anymore.
CODY GOUGH: Wow. That was a great question.
NATALIE VANATTA: Thank you.
CODY GOUGH: It really shows off you're definitely a fan.
NATALIE VANATTA: Total fan. Go Army, beat Navy!
CODY GOUGH: And if people want to learn more about a place where people can-- I know they can watch the talk on YouTube.
NATALIE VANATTA: Absolutely, they can watch the talk on YouTube. If they want to know about some specifically the work I'm doing with regards to threat casting that we're doing with Arizona State University to think about the future, our threat casting lab that we established has a web page-- www.threatcasting.com. Really super easy.
CODY GOUGH: Nice.
NATALIE VANATTA: And then also, you can go to the United States Military Academy home page. That's usma.edu and dig down to the Army Cyber Institute. And we showcase some of the work that we're doing.
CODY GOUGH: Thanks again for joining me. I really appreciate it.
NATALIE VANATTA: Thanks so much for having me.
[MUSIC PLAYING]
ASHLEY HAMER: You can learn something new every day on curiosity.com. Earn yourself some extra credit with some trivia we recently wrote about. US President Dwight D. Eisenhower famously used a decision-making tool to help him prioritize his responsibilities. This method placed every task in two of four categories. Here's your extra credit question. What were the four categories utilized in the Eisenhower box? The answer after this.
[MUSIC PLAYING]
CODY GOUGH: Do you like surveys? Well, I've got some really good news for you, if you do. We want to hear your thoughts on the Curiosity podcast. So we created a super quick and easy survey. Please visit curiosity.com/survey and answer a few questions so we can make our podcast better. Again, that's curiosity.com/survey. It's quick and easy and will really help us bring you better content every week. There's a link in the show notes too. But one more time, that URL is curiosity.com/survey. We really appreciate the help.
ASHLEY HAMER: Explore history's surprising connections with a new podcast, The Thread With OZY. It's like a cross between Revisionist History and Six Degrees of Separation. You'll discover how various historical strands are woven together to create a historic figure, a big idea, or an unthinkable tragedy like how John Lennon's murder was actually 63 years in the making. Witness how their stories hinge on the past and influence the future. The show is already a chart topper. Get The Thread with OZY-- that's O-Z-Y-- on Apple Podcasts or wherever you listen.
Here's your extra credit answer. The Eisenhower box method is a matrix with just two columns and two rows. The columns represent tasks that are either urgent or not urgent. And the rows represent tasks that are either important or unimportant. So the four categories in the Eisenhower box are important and urgent, important and not urgent, unimportant but urgent, and unimportant and not urgent.
The box is nice and versatile since you can apply it to long-term tasks or just for the stuff you're trying to get through in a single day. To read more, click the link in the show notes or search for the word Eisenhower on curiosity.com. That's all for today. For the Curiosity podcast, I'm Ashley Hamer. And I'm going to go change my passwords.
CODY GOUGH: And I'm Cody Gough. And I'm going to go buy some Bitcoin.
[MUSIC PLAYING]