From Semiconductor Supply Chains to Dirty Bombs: Summary of the September 2021 OODA Network Member Meeting
OODA Network members are invited to participate in a monthly video call to discuss items of common interest to our membership. These highly collaborative sessions are always a great way for our members to meet and interact with each other while talking about topics like global risks, emerging technologies, cybersecurity, and current or future events impacting their organizations. We also use these sessions to help better focus our research and respond to member needs.
To encourage openness of discussion, these sessions take place with Chatham House rules, where participants are free to use the information in the meeting but are asked not to directly quote or identify other participants (we also keep privacy in mind when preparing summaries of these sessions, like the one that follows).
Topics for discussion on the September Monthly call were:
- OODA Loop Wargame Exercise
- Small Data vs. Big Data. What is Small Data?
- Apple’s patch of the NSO vulnerability
- Cybersecurity and Infrastructure Security Agency (CISA) and Critical Infrastructure Research
- What about the Terror Threat? An Event in France
OODA Loop Wargame Exercise: Matt reminded the group that we talked last month about the potential for wargaming around the questions or potential issues that might be of interest to the group. Matt went on to share with the group that “the intent of these war games is to keep them simple. We are going to work with members of the network to produce what we consider to be four proposed futures and then get the group convened in a wargaming session to look through what are some of the potential outcomes associated with those scenarios. And what are some of the potential mitigations: ways to manage risk, opportunities that present themselves. Again, the idea is to keep it a very simple format at least to start out and see how it works to bring this group into that type of engagement.”
A network member asked about the timeframe of the scenarios: Are we talking about 5 years? 10 years? 25 years? What timeframe? Matt confirmed a five-year timeframe to make it a little bit more manageable for enabling decisions.
Two potential topics were flagged in our discussions with network members:
Taliban 2.0: What are scenarios for the future of the Taliban including the impact on US business and security interests, and what actions might leaders need to consider based on these scenarios?
Computer Chip Supply Chain: Which scenarios should business and government leaders plan for regarding disruption of chip supply chains? What are the scenarios, what indicators will we have that can help us know which scenario is playing out? What actions can be taken now to improve resiliency in these scenarios?
Bob Gourley then posted a Zoom poll for a vote to select the final topic for the wargame. The result of the poll was:
Final Topic: Computer Chip Supply Chain Disruptions
Matt also informed the group of the length, time, and date of the wargame:
Length: 90 minutes
Time: 1 PM EST – 2:30 PM EST
Date: October 13, 2021
Network members then had a brief discussion about the term “wargame”: one member noted that “we’re all familiar with the term wargames, but both topics illustrate that some of the challenges that we face are not war. This is competition and it is not benign, it can be extremely dangerous. But there is an asymmetry because we know how to do war. But some of these other threats, we are not so good at. I know I’m talking semantics, but you get where I’m coming from.”
Both in the discussion and via chat, members suggested other monikers that might prove compelling: Scenario Modeling, Strategic Decision Game, and Geopolitical Conflict. There was a broad consensus that the war metaphor was overused, while some network members felt that it connoted conflict in a general sense, which was an appropriate use. The group committed to exploring other nomenclature for the exercises in the future.
The open discussion for network members then began:
Small Data vs. Big Data. What is Small Data?: A network member recently expanded on writing by the Georgetown Center for Security and Emerging Technology (CSET) and operationalized it with writing about the real capabilities and real-world use cases of small data. The network member shared his point of view, including a general introduction to the small data approach. Prior to speaking on the topic, the presenter shared his thoughts on the Computer Chip Supply Chain disruption wargame topic, speaking to the potential for an interruption in the supply chain of chips specific to the growth of AI and machine learning. His perspective on the topic will be used in the formulation of the scenario matrices for the wargame.
This feedback on the chip supply chain topic was an informative segue to the topic of small data, as small data technologies allow machines to learn from fewer data points – which cuts down on overall chip demand and power consumption – and may be a strategic opportunity for solving compute power and scarcity issues in the event of a severe chip shortage.
“Small data” means “the ability of machine learning or AI systems to learn from small training data sets.” Small data technologies include transfer learning and one-shot or few-shot learning. In transfer learning, you take a model trained with (lots of) data from one domain and transfer it to a different but related problem. One-shot or few-shot learning aims to learn from one or a few labeled data points; typically, some form of prior knowledge is incorporated into one-shot or few-shot learning models. The presenter made the point that if you are going to fund or seek funding for a small data project, fund the solution to the problem, not the approach. For example: How can you run a clinical trial in four weeks instead of a year?
The presenter and/or the OODA Loop research team will be following up on the topic of small data in expanded posts on the OODA Loop website. After the presentation, a participant asked about the contrast with the role of synthetic data in specific applications, particularly ones around privacy, where you have fixed systems in which you can define expected behaviors 95% of the time. The presenter responded: “I would include that in this label, small data. I think if you do that, it is important to have some idea of what the distribution across your growth is because if you make a mistake there, you are synthesizing data along the way. I think as long as you have some idea of what the distribution looks like, it’s really interesting.”
Apple’s patch of the NSO vulnerability: A member provided a brief overview: NSO is a company that builds exploits for profit. NSO had a vulnerability against the iPhone that was exploited by many NSO client companies. Apple finally came out with a patch that mitigates the vulnerability, but it is not going to fix anything if you were already intruded upon.
The main presenter provided more details: “That’s it, that’s our understanding. What companies we have spoken to are saying is that this resolves the issue for infection and preventing infection as we go forward. But if you are already infected and have this, it is not a mitigant to it. It is a vector to get infected and that vector is closed. So further mitigation efforts include a factory reset of the phone, a new Apple identity, and then do not use the data that you have. I think depending on the kind of environment that you are in, right, if it is a burner phone, no big deal. If you have got your life on it, maybe more of a big deal.”
Follow-on research topics discussed by the members on the call included: What scanning tools, what anti-virus, what malware capabilities are already in place for iCloud, if any? What kind of IDS/IPS is there for the exchange between iCloud and the device it is going to, if any? Are there companies that have been around for a while, or newer startups, doing work on protecting endpoints, certainly for mobile, or looking at a variety of scenarios? We have talked about the offensive side. Where is the defensive side for people to protect themselves?
Another participant underscored “the movement towards zero trust architectures, which would say that in a bring-your-own-device world, if you are going to bring your own device, you need to containerize the data that is put on a person’s device, so that it doesn’t get out and get into places like their iCloud account or replicated across all of their Apple devices, which could have other vulnerabilities. So this just underscores that this is going to be in our future. The same kind of thing is going to happen again and again.”
The main presenter noted that “there is no more inside, outside for the corporate network. Everything now is point to point connections through VPNs and connecting into different clouds and coming back together and peering or policy enforcement points are an interesting dialogue in general.”
Another member turned the conversation to the geopolitical aspect of NSO’s exploits, as it has been proven that activists, dissidents, rival leaders, and journalists have been targeted. Similar activity was also discussed in the context of the recent DoJ charges against three employees of Dark Matter who were also former CIA/NSA people. Questions raised included: How severe are the charges for this activity? Is it treasonous? These activities have taken what should be a technical issue and blown it across the planet.
Another participant broke the issues down further: “I think there are two problems there. One is the accountability over use of the tool. It gets much broader. The fact that we do not have access to the list as to what countries have been able to purchase it or even be able to get access to someone targeting. Regarding the Dark Matter charges, I feel like these three folks are going to get off, but it is clearly a warning shot with regards to the potential legal peril if you follow in their footsteps.”
Finally, based on years of experience, a participant played devil’s advocate and suggested that just maybe these three people who were charged were acting on behalf of a government or government agency – and that the implications of the story are bigger than anything discussed on the call.
To conclude, a member clarified the issue for the group: “In this instance, I believe the original work that they went over for was in cooperation with the United States around joint mission areas. It was the mission creep and the targeting of dissidents, activists, and journalists that became the issue. So, I think, yes, the pretense for them going over originally was a little bit more aligned with US/patriotic interests. But it was the failure to adapt when they saw the capability being used in a way that was not acceptable. So, it is a gray area. And I think that is why we saw charges being brought against the individuals, but then the charges being dropped as well. But now people know there is some accountability there.”
Cybersecurity and Infrastructure Security Agency (CISA) and Critical Infrastructure Research: Bob offered up an open question for discussion by the group: Is there anything that we could research at OODA that would provide some actionable context for CISA as they build action plans to improve the critical infrastructure? Questions discussed included:
- Why the lack of innovation?
- Are we in a Cyber Winter?
- Why only incremental not disruptive innovation?
- Is the solution to focus the nation on innovation and trying to figure out the new models and novel approaches that we can take to solve these problems?
- Do we need new models for thinking about that or do we need the development of innovative technologies that have a 10-to-20-year window knowing that is the most appropriate timeframe in which some of these things might be replaced?
- What does innovation mean for CISA and Critical Infrastructure?
- Do we see advancements and innovations in other technologies like CRISPR and the potential in the medical/biotech space – or some of the machine learning that is happening from a general AI perspective and apply that to cybersecurity?
- The Zero Trust Architecture has been here before. Will it stick around?
- Are there models where people are not running their own security?
- How do you create a community-based investment opportunity at scale for critical infrastructure?
- Other industry verticals have regulatory agencies (SEC, FDA, etc.). They have auditors and regulators that come in and check, validate, verify. Is a set of requirements in place for CISA?
- If not, why can’t these things be addressed? What is preventing a company like Colonial Pipeline from having a “bad phishing day” – root cause aside?
- What are the practical elements of incidents that are reoccurring? Why aren’t these things getting attention?
- Is it a regulatory burden? Is it not enough regulatory burden? Is it not enough tort cases?
What about the Terror Threat? An Event in France: Bob provided some initial context: “On the 26th of August, a 28-year-old French citizen, who had apparently self-radicalized, he was a neo-Nazi and was bragging at his adult education school that he had built several bombs. The school overheard it. They told the police. The police raided his house and they found four bombs. And he had also been bragging to people that he had uranium. The question for discussion was: Are events like this under-reported?”
Subjects related to the core topic that were touched upon during the general discussion were:
- The commercial availability of radioactive isotopes.
- The role of the lone wolf. Reporting by the NYT Berlin office on neo-Nazi groups. What is the connection between this individual and those networks?
- A breakdown of the isotope he had access to and other varieties available on the market.
- Most of the radiological events we see are hoaxes.
- The general public’s knowledge of these threats is low.
- This is an important subject matter. A topic for future OODA Loop wargames or scenario plans?
- Short of the cities officially participating in the DHS’ Cities Initiative, most American cities do not have the capabilities to deal with this threat.
- Why are the people who sold the uranium oxide not required to report that sale (in the EU)?
A member and subject matter expert on the call offered some regulatory perspective on the U.S.: “In the U.S., we monitor most of that stuff and have increasingly so over the years. We’ve similarly tried to do things on some of these precursors for ammonium nitrate, for example, and other stuff. In the California Mass Destruction statute, we actually entered a lot of those types of triggers and updated it with some biological agents. So there is a cursory framework to do some of this work and it is covered under international law statute.”
The conversation returned to the initial incident in France. A participant provided an update: “The report was that it was trace amounts, with eBay as the acquisition platform. So third-party sellers, individual sellers, and my guess is that, given past activities, he was acquiring devices on eBay from which you could derive some minimal radioactive sources, like engineering inspection tools and things of that sort. So it is highly likely this was not a typical commercial type of sale that would result in something being reported, but was happening on online markets like Ubanks.”
The discussion continued:
- The news cycle, if this happened in downtown LA or Santa Monica or Fairfax, would be of a much larger scale; the exposure and amplification would put a real, real hurt on the entire response community.
- These incidents are highly disruptive and can have real economic supply chain issues, on the economy, and synergistic cyber impacts. Most of the people in the public-facing side of law enforcement do not understand the cyber part of the domain because it has not happened to them.
- Various historical case studies of radioactive/dirty bomb threats were broken down. A subject matter expert on the call added: “In none of these cases were there casualties or even an explosion that led to a costly cleanup problem, and absent that – I suspect that we’re not going to see a lot of changes in the rules that govern – again, uranium or any of the things that I think the fellow in France had – at plants across the country.”
- A network member added: “There was no social media back then. And if there is one microcurie, picocurie of radiation anywhere, that will be amplified on every social media channel and fake news, and you will hear the trumpet sounding, and it is the end of the world, and it will be quintillion fold from anything we have ever dealt with before. That is the difference. So, we need to think about those issues.”
- There has been a concerted effort, both in the U.S. and internationally, to improve security. And that means tracking as well as physical security of all radioactive material, not just radioactive material that is considered more dangerous.
- The security concerns have not extended to being able to buy on the internet, e.g., a genuine piece of uranium ore from some mine in Utah. We need to start treating that as we do highly enriched uranium fissile material and the more dangerous materials. So, if there is not enough, there is not enough.
Questions for follow up research and analysis were:
- Are we dealing with the outrage or the incident? Are we dealing with the risk of the incident? Are we doing both? It depends on which lens you are looking through. We could be making inappropriate risk decisions to deal with outrage, and vice versa.
- Does the threat to public safety exceed the threat of the explosion itself? In other words: in most of these cases are you dealing with the psychological reactions or are you dealing with public concerns?
- If people are in a panic situation, are public officials going to be able to assure them that there is nothing to be concerned about? Will any assurance be followed either by a television camera crew with a Geiger counter on your evening news, or a 12-year-old boy who has bought something from eBay, or a lot of 12-year-old boys who are up to no good? What are we going to be dealing with as a public mitigation issue? Is it a panic issue? Is it not a radioactive contamination issue?
- So, as we are working through all these dimensions, how do we assess it from the investigative side? How do we get down to what did occur? How do we do the transition and keep the investigation going, and how do we manage the political fallout?
- If we pull from the previous conversation on CISA and critical infrastructure, what do we need to change about our models and approach to these threats? What role should innovation play? Is part of it cyber and the use of technology in general? How about the risk of the misuse of technology? Technology is embedded into everything we do: does this public safety space have enough of a perspective on it? How do we highlight this type of innovative change, for this threat and for this public safety community?
The following links and resources were shared by network members over the course of the discussion or via a very active chat:
CSET Report, “Small Data’s Big AI Potential”
The Presenter’s recent blog post on small data on Merge flow, “Small data: Machines that learn more from less”
For the Taliban 2.0 scenario and the role of the Taliban’s opium business, see The Taliban and Drugs from the 1990s into Its New Regime
A book about the Total Information Program, which was also mentioned on the call. Those involved in the program may not be fans of the book: The Watchers: The Rise of America’s Surveillance State
Regarding Nazi networks in Germany, this article is recommended: On the Path to Day X: The Return of Germany’s Far Right
Katrin Bennhold on neo-Nazi networks in Germany: Katrin Bennhold is The New York Times’s Berlin bureau chief
Brian Jenkins’s book: Will Terrorists Go Nuclear?
On the governance and regulatory regime of radioactive materials in the U.S., see “Governing Uranium in the United States.” CSIS Proliferation Prevention Program. March 2014