About the geopolitical vulnerabilities posed by the neck in his book the darkening web. He was part of a panel discussing the risk of cyber attack and the potential for technology to undermine governments around the world. From the atlantic counsel this is an hour and a half. C my name is frank kramer. Im a distinguished fellow in on the border of the atlantic counsel may want to welcome all of you to this session. Delighted that you are here. This event is hosted by the council cyberstatecraft. We are being followed on twitter and i welcome all those folks who are there on line. I encourage you to join the conversation ac cyber abc scowcrofts. The attack in ukraine and multiple sets of questions. The internet raises issues that the originators really never thought about is going to keep it going and how do you really do that and at the individual level theres issues of privacy, privacy from government, privacy from corporations. Theres an approach called a multistakeholder model and questions fo who are the stakeholders and how do they relate to the. All these racing sets of issues and as you think about the questions, it is useful to have at least the framework in your mind at will change over time it certainly changes in mind. But what problem are you trying to solve not the technology but the problems, what are you trying to do, and the problems range vary considerably mentioned privacy already individually give us a. Then you have the whole influence arena if you will some people talk about hybrid and implements and how it is implemented at her from attack on the operational systems you have the meaning of exchange of information and what is the role of government and all o in all d the private sector the eu about a year ago recently established a code of conduct for online hate speech where you can notify the platforms and is illegal in many places in europe and they are required to take it off and they created legislation to that effect so all these issues are front to say the least we have terrific people here for all these questions, alexander has really written a book on this called the darkening web is a senior fellow at the initiative as the Program Directo a prograe hague center for strategic studies at the institute and European Security policy counsel welcome, glad to have you here. Jan is also the board of directors of the council and ceo of north america and former deputy secretary of the department of Homeland Security and was right at the head of the department. The most recent addition to the Cyber Security initiative previously the director of one of the premier Cyber Security firms, welcome very much. And then for the moderation of political reporter for cnn as well as other National Security topics. So i think we have a great group and fundamental questions that span a wide set of issues and with that lets me turn it over to alex who is going to give you a summary and lay out some of the things the panel can get to a. Thank you it is a great pleasure to be here and im very proud of my affiliation. I spent more time at the Atlantic Council then i did there so i cherish this place for its values and i think it is clear that right now the values far more than the governments and they also include an impressive commitment to gender balance. We have a fantastic panel and its not that easy to get the sourcassortmentso congratulatios well. We will be talking quite a bit about values and hope we have a chance to get into the weeds and discussion later on, so i want to give you a rough outline of what i think some of the main points in my book are namely the u. S. In general very often concentrates on cybersecurity and cyber warfare while the countries like russia and china concentrate on cybersecurity as a psychological issue. The consequence of this is that the r. In the middle of the most transformative invention in the field from my point of view and what most people consider to be universal good that advances the freedoms that we might see this universal good transform into something darker that is used to suppress individual freedoms and also potentially to become the medium of control. This is a night nightmare for some individuals pursuing. So they are useful analogies i once conducted an experiment in harvard some of the students to try to figure out what is more common, common nightmares or Common Dreams and he cam we came conclusion that people tend to have different dreams but they have common nightmares they are afraid of and this is one of the reasons there was a good point of departure. There was one single nightmare they were all afraid of anyone cloud that bound us together to make sure we had a proper discussion on the threats we wanted to avoid. We dont have that in cyberspace. We dont have a single nightmare that both sides equally fear so the most common is the cyber war narrative due to inadvertent escalation of the accidental war to spiral out of control that we correctly assess and all those catastrophic infrastructures that can be restored to the 1950s or the iron age depending on who you actually are this isnt the worst possible outcome, this isnt what they fear the most. So the most realistic threat is their own existence. They see it as the means to encourage and undermine the rule to allow the nations including the u. S. To question and interfere in domestic affairs. For them the most realistic is not cyber or any type of attack that effectively the world to be undermined for some type of pricing that would be a threat to them personally so they are concerned with matters of governance and Law Enforcement then fixing the application of International Law. So i call these the cyber serenity faction but the simple goathat has asimple goal they wo fundamentally change the way that its run which is by the linked complex of actors and the Civil Society for the private sector and government and by the way that the order of priority that the private sector builds and maintains it and the government can blow things up but it hasnt really been built or financed in its early stages. They want to move the control as it is among the different acto actors. They want to move it away from the registered nonprofit that is very internationally minded from the Domain Name Service sometimes called the telephone book of internet and the reason they want to do that is ultimately they see the information is in control of different parts of the internet to enact the law and present regime that would effectively enable things to happen such as translated copies of the New York Times were taking down the website or similar things of that nature. The key to accomplish this is to rethink of the way the governmengovernment sees a roleg cybersecurity particularly in the west. So the russians have been encouraging this since the late 19 90s theyve been introducing a bill on the code of conduct and many other different ways they are pursuing this. Primarily its the way the internet works which means it is quite difficult to run the agency to take things over so everything there is a cyber attack or a report. For a talk aso they talk at lent comparing cyber as a disabler to the nuclear period so they are on this issue roughly around the 1960s so we are still figuring things out. But he also cautions putting too much stock in this paradigm because the actors involved are dissimilar in the case of Nuclear Weapons it is pretty clear. So who else is supposed to be in the room and the governments as i said dont play that big of a role in cyberspace and therefore deciding who else should be in the room and the discussion is part of the problem. The biggest part of the discussion itself by having the government is the sole arbitrator and the authoritarian states are furthering the objectives pushing the governments into the controlling rule is a quintessential problem. The more i try to push the issue away, the government stands up and says the more the government is taking up too much in this space and diminishing the role of the otheof theater actors ane the furthering of those that want to see cyberspace controlled by the governmental organization. In fact aiding us in something was behind getting them to do something in cyberspace is very often the objective of man objee Cyber Attacks to give you two examples that are quite pertinent for instance a French Tv Network went through a number of channels, went off the air for two days into the perpetrators are supposed to be on this who claim people straight everywhere. If in fact the intelligence that had been behind the Critical Infrastructure. Now the question was why would they do such a thing and from my point of view they wanted to have cyber terrorism is the narrative. Thwe have the terrorist use of e internet is a big issue in a complicated issue but we dont have cyber terrorism yet. For six months i spent a large portion of my time in europe running after the new discussion the french government put out and at one point it moved away from the cyber attackers and because fundamentally in the west, one of our agreements is that we dont support because ultimately it means control of content. There is another example of where it might be more interesting to basically blow something up rather than to steal data and this is why i keep coming back to how important it is than to just stand what a cyber attack might be in the Information Warfare attack they might not be interested simply in trying to steal the data, it might be simply more interested in pushing the narrative. As we saw the last couple of weeks its been established to be not grandson. Even though it was ukraine and the nonmilitary essentially, in any way what was the purpose . Does like others have a pattern to them and the pattern is simply pushing the government to do something on cyber by effectively grabbing the narrative and the narrative is also construed around Security Issues just to give you another example in the uk after the attacks they wanted a leading role for the data and even to dismiss the comparisons to the way the patriots actually considering the levels of intrusion. Theres many analogies for cyber and they tell a lot about you that you talk about cyber war than you think the government might be the answer. If you talk about Public Health issues then you might think some type of model will be the answer. Climate change could be the answer. I think all of these models are useful but there is one problem we should keep in mind above all else. What is the worst possible outcome we are trying to avoid for ourselves when we engage in the government regulation lacks anything that we do including regulation, treaties, developing the capabilities. What is the worst possible outcome that we are trying to avoid and that is something i think we have to talk about. For me, it is quite simply we need to avoid falling into traps of Information Warfare that amounts to the weaponization of information that means cnn, the washington post, Atlantic Council become pawns of the larger game sanctioned by government. This is a scary vision that is and likely to happen and five, seven or ten years but i think it is a much more likely than the cyber armageddon that kept us on our toes. The only way we can avoid this is by having a full commitment to how the internet is run and in the proper segmentation of these issues that need to be highly silo and separate so they dont contaminate each other and in danger oendanger the free int is today because without the Free Internet there is no free speech and we do not have the free society. With that i would like to move to the panel. [applause] thank you, alex, who you are all familiar with. I am a reporter over at cnn. Our other panelists we have laura and into her life be if jane who youve heard about earlier. We will dive right in. Fascinating stuff and lots to cover. What might be useful is to talk with a particular case that perhaps we are too familiar with at this point, but the russian meddling in the 2016 election. Its interesting because it has become discussed as some sort of cyber event because it involved the hacking of personal emails with a sophisticated spearfishing campaign and then dumping them on the internet and the construction of the figure to disseminate. They were sort of separate spamming incidents of the voter rolls. One actual breach that has been confirmed and possibly one other, although as you mentioned there was no data exfiltrate should or changing perhaps. So, my question for the panel is actually useful to think about what happened as some sort of a cyber event, or do we risk limiting public understanding, conversations of what to do about it by viewing it only through that when . I dont think anyone t anyons onlto useit only as a cyber eve. I think there is a broad sense that ye yes this did happen, and there is broad outrage. Whether that would seep into action is a completely separate story. What do you do do about what we know and this brings us i think to the heart of the book and framed the question very well. They never imagined the evil to which this instrument might be put, and it represents such a Universal Group for so many it is connecting, it is a universal good. The next question who will keep it good to through none of us really thought that it would happen. It was in the realm of the unimaginable but then who will keep the internet a good. To add this point, the 2016 example in fashion interference showed a clash that alex detailed so well in the book which is we have this Information Security layout of how countries, we will use russia and china but particularly russia as the leader in this juicy information in the main currency of cyberspace is about, then weve got this other side of the Free Internet section. So we are thinking about cyber as word of a technical realm and 42016 signified in a huge way is to shapes passing in the night on how to think about the problem. Russia spent a good 16 years or more at that point on how Information Security works, protecting the information, thinking about it as a weapon and something that needs to be used to protect people. Theyve been advocating the sovereignty approach saying cyberspace is a place and you are putting that out there year after year and the u. S. Is doing its best to ignore that or disagree with sovereignty as a principal cyberspace because it goes against these principles. When you have the different views of sovereignty and defend the network gets hacked into the breech the sovereignty in a way that russia sees the sovereignty and cyberspace and youve are at a challenge for how the u. S. Government can start to address this and its putting us right at the center of the debate for what we want to cyberspace policies to look like and how the state should exhibit power in how you define the domain. I love how much the book started to unpack some of those questions and start to deal with those mindsets to deal with those over the next year. I thought it was very apropos for the terminology to become such an essential component and to give you the chance to respond, you talk about Information Warfare and what we are witnessing and sometimes how the response can play directly into the hand of the person orchestrating the event how do you start to think about it if you aryoure on the receiving ef one of his campaigns. Theres the general concepts we need to come back to operation significance might not only be about achieving a total in the system or stealing data or repositioning for the war but also might have a very political objective and this is something more aligned with for instance how the kgb and soviet union conduct at this point experiments rather than how the west psychological warfare has always had a highly constrained issue. Its what can be done about it and they hear the interview is interesting. They will say weve been putting up for this the last four, five, seven years. The level of this ramped up if you look at the countries like sweden, theyve been undergoing and it puts the u. S. To shame. It had everything in it, threats to individuals, military threat, there was every thing there. Everything there. And what happened . Effectively if i get the numbers right, the Approval Rating being neutral went from Something Like 16 to 49 and now they are reintroducing the draft so whatever the objective was, it failed. Why was it so successful in the u. S. When it failed in denmark and sweden and a lot of other countries. This is one thing i address of the tail end of my book because it happens after i finished writing it. Its quite easily summarize the. If you look at the two numbers in the back you can see the level of trust and only 20 of the u. S. Public health at the Mainstream Media was doing a good job in only 6 of the populists think congress is doing a good job then it cannot be a surprise to u. S. As a soft target and the question should be why was there such a low level of trust . You cant find anything like that even in the eastern Eastern European nations and this was from the plat point we have not sufficiently addressed how can you have an Approval Rating. China used to say the Economic Growth dropped and there would be a mass unrest in the position of the Chinese Government and now they word it but fundamentally they dont think they can get by with 20 or 30 or 40 Approval Rating. No democracy can survive that so howd we get that Approval Rating . That is the question that we need to ask. The United States is exceptional but we are not particularly exceptional than the public is angry. Everywhere around the world of the public is angry whether it is in the streets of london, paris or in the United States. The Occupying Movement for many was a manifestation of this unproductive and unguided im not going to take it anymore. But i think its fair to say the public trust in institutions globally have collapsed. We dont trust banks, businesses, the media, the market. In these institutions are they react to. The institutions have to go back to the fundamental principles. With an independent observer seeking out the facts presented by not arguing that the media is perfect. I emarketing, i traveled a lot back and forth to europe and one conversation in berlin was particularly effective to me. My german counterpart had an interesting colloquy. First they were so embarrassed and right under our very noses how could this have happened. Others were criticizing the leadership they were shocked that there was espionage going on but then they turned to me and said why arent more americans outraged and i said it plenty of them are between no fundamentally in our system when we move the system will correct itself. I place a lot of faith in the third and publicly have in the United States we will correct ourselves and they said thats what you dont understand about our political system. When they move to the edge, a pullover. I was struck to hear that. 70 to looso they need to look an this instance. There will be more and it will happen in other places. We need to understand this fundamental question of trust and how the architect trust in public spaces. The fact publics everywhere are angry. People kill each other with this anxiety anger and we are not sure we know how to architect of trust what we know anymore how to architect trusts in institutions in public spaces. That is at the heart of this question. How do we get to the 6 . Maybe the question now is how to get back up to 15 and the congress has done that. But actually in the past few years the Approval Rating certitude pick up a little bit over what john mccain loves to say the media has taken down to that level. One of the things you said in your introduction is the object of is to consolidate power in government. And you mentioned others experienced this on the eve of their election they had a similar episode. Some Campaign Emails were hacked in a figure emerged on the internet purporting to have all these insider details. France actually had the ability to save the 24 hours before you cant cover this and in fact many of the west institutions also operate in france followed these rules because he would sort of follow so you see that sort of what do we do and is there something more to protect ourselves where you seem to be arguing the exact opposite must be true so how do you sort of unpack that almost inherent tension of wanting us to have a National Response but almost fearing that could play into the hands of the objectives . You come from the private sector perspective where they often have as good as intelligence ofe into the highest level of classifications because we see it sort of on the open market but how do you think about what is the rule of government and society in that response . It is a huge question and if there were an easy answer to that [inaudible] at the heart is who do you trust in a space that is abstract and one of the wines i like is if cyberspace is an abstraction just like science you have to have an interlocutor whether its the government or the media, what have you to understand what is going on on some larger level in cyberspace, so im not convinced theres any easy answer that the government holds the cards to all of that and in that kind of obvious statement its life has persevered as long as it has given the ups and downs and changes how its worked over the last 15 years and over all these different elements that have changed in the time that weve been watchinwe havebeen watchin. So, thinking from a more proactive stance where what steps do we need to take or what questions to me to ask of the institutions that exist to govern the internet or translate what is happening to the internet is who holds what role and where do they carry forth that role and in the private sector frequently they are looking at whether they are investigating a fortune 500 network fo500 atwork for the fbe first to call so maybe the private sector has been on it last year or what have you. Where there is insight coming from the industry, what is the right level if kind of oversight for how the findings should be shared. When you are sitting there in a government or private seat on the network and send and now where thats never been used before on Something Like that what is your duty to talk about that to the rest of the world knowing how huge the implications are. A lot of the response to the hack came out and said we know these russian government hackers into the Intelligence Community followed through months later. Even originally backed in the report of this group we lost a lot of sleep and theres people in this room that have lost a lot of sleep deciding whether we should reveal if we had a judgment that the russian Government Group and the tools behind it and that contributed to that in 2016 so these are really waited off questions a lot of people are dealing with and the mechanisms that make them more consistent or predictable with or without government oversight is a huge question. The trust issue that we will keep coming back to starting fec trust from the macro level and we picked up to the level of National Response, theres interesting thing is to learn. Information security and to the quirks of the trusted level. People Exchange Information with each other according to their own pot of gold. A lot of times it shouldnt be shared because of legal reasons or contractual obligations. Trust is the most important thing among the defenders of the internet and it would also build the internet and it cannot work if it were not without its. The operators and other pieces would collapse immediately and it really is built around trust. This trust on the verified elements and by having additional people involved it is based upon trust and its not an immature way of approaching the problem, it is a mature way and at a slightly higher level we are talking about National Responses and endangering trust on a National Level one of the things ive argued before in the book is the only way the government can do something called the whole nation response which is not like the whole of government because it includes nonstate actors if in the western democracies to encourage the cooperation you can of course simply going to say i asked the french government where is the proof with private Partnership Policy in okay you can do it that way but if it is probably not going to cover all the bases you want it to cover and its interesting to note the tv channels designated as Critical Infrastructure before itherefore it wasnt an f war. Its like you missed the tv station so we will knock that one down. So its like going up to the line and putting your finger over it to see what happens. So endangering trust from the Government Point of view is critical if they want state actors involved. We saw for instance in the Obama Administration a big push to go out and encourage both Silicon Valley and other actors to be more supportive of the efforts in this space. That wasnt by accident but they also went out of their way to encourage trust with international partners. President obama gave a famous speech where he announced limitations on the use that had never been done before and during very much the first and they were aware that it may be developed how we communicate Cyber Capabilities per se when we talk about trust so there is no public definition of what exactly Cyber Capabilities are. You can look and find documents and a lot of other acronyms, but you wont find declassified positions of the operations and exactly what they can do its like basically saying heres the Weapon System we cant tell you if it is a plain, tanks, submarines, biological weapon, but thats fair. We might use it and we might not use it so it would be helpful to have transparency on what the cyber is able to do and that would encourage public discussion among the states and would be helpful to understand and then we can also figure out what our common life there is because we do have a common nightmare. Nightmare. They will always be interested in the physical security if we can make it clear this is what we can do to you and were prettwhen yourepretty sure youo us. Lets figure out a way not to let that happen at least by accident and we can make a huge step forward. To bring this to another case study because we could probably talk about this longer than we are allotted today ended in to talk about some of the ransom where attacks are of the things thats interesting is the department of Homeland Security has been saying this is an example of how the model has worked they havent hit the u. S. As hard as they say because we have such a robust encouragement in the private sector to do the basic software update. There are not as many bootleg versions in the u. S. And that type of thing so when we talk about the ransom where attacks on how many best practices emerge and when we talk for those that were not actually ransom where the hell does that affect the model for one of your favorite topics . Theres a couple things that are maybe historically interesting, how the governments have struggled, every single government has struggled with its role in cyberspace. The key question how the architect citizens we can trust from those we cant and how do we ensure the integrity of information and identity in the open internet and what should the role of the government be in every government that has been tackling this problem has had a fight internally between the military intelligence and that community and the rest of the government and you can see who has one. Fofor a long time is that we cannot run cybersecurity as if it is an Intelligence Program for this country. The key role of the government has to tell us how to distribute responsibility for cybersecurity and flesh of my role be as an enterprise or a manufacturer of hardware, so i may be made to cyber hygiene and why isnt the government telling us and every enterprise there are four or five things you should be doing that will reduce your vulnerability by well over 80 . Hardware inventory, do you know what is connected to your inventory, do you know what is running or trying to run. Permission control did you know who is wandering around your network. So people with access to information they have no business having access to and then an Automated System to alert you and are you patching. People would ask at Homeland Security keeps you up at night besides working 20 hours a day. [laughter] but what is the greatest threat you see, unpatched vulnerabilities. Absolutely. The government has been discharging their role. Alex is arguing strongly that they are overplaying their hand and theres a movemen is a movee government to control the internet. Theres a host of governments that believe the government to be at the heart of who sets the rules, who has access to two then and under what conditions. Then theres others like the United States and a number of countries who believe that in this multistakeholder model why is this so important. Because i think in my lifetime there have been four strategic questions the world has had to confront and we can then confront them multilaterally. Governments at the National Level might not have this right but ask any mayor that he would havyou havebeen to see it only t things done the work with the private sector, forprofit or notforprofit, churches, they are the equal opportunity for solving Community Problems but those for strategic questions have been in the wake of world war ii hell do we save the world from this happening again. We have the un, nato, a number of multilateral institutions that were established and theyve gone a long way to answer that question. During the cold war and the potential for the Nuclear Annihilation in the post cold war when we are struggling with these issues and today, we have not presented that answer so alex may be onto something the new multinationalism is multistakeholders. Do you feel like there is a way in anywhere or any lesson that can prepare us . I remember a couple years ago i was watching a panel and he was like i can envision a world where we just consider it the cost of doing business with to pay 20 that claim to open the refrigerator were to get into our cars. Ran somewhere would be so ubiquitous. What happens when it shuts down hospitals like you mentioned. So what are some of the lessons. Did we do something right or did we just get lucky . To come back to the multistakeholder point in how the regulation fits into it because that is the key question and its important to note Government Support government and there are different views they include france and the many seo that is even more liberal thethan things that intellectual property so theres different views among those that support the model and it is different views on how the local regulation should work. The plaintiff of the stakeholder model is that a hands off everything and to use president obamas expression, cyberspace is a wild west but it doesnt have to be that way. There can be a shares an shareds but they are agreed in a framework that accounts for the stakeholders. When you work in the interNational Security, and ive been part of these negotiations now for eight or nine years you have to explain to diplomats and generals its nice that they function like this that really these Information Security responders and researchers, the hackers if you were, they havent already and they solve those problems 50 or 60 of the time and that is the cyber hygiene issue. If we had for this new requirements in import and we wouldve drained the swamp of hope and love for the level at which serious things can inflict damage. So theres two things effectively in cyberspace one of them is 89 of all Cyber Attacks can be taken care of with good resilience measures and protection. They will always use the cheapest tool at their disposal. Why should they use the magic tool. On the other hand, a committed attacker will always get in and that isnt going to change. The easiest cyber attack is if i call you up and ask you to give me your information that is the social engineerinwhatsocial eng. Cyber is a detour. There will always be different ways and we wont be able to technically fix all of them but if we drain the swamp of all of the distractions and the ways we can deal with more significant issues and that can be done with local regulation but its not a contradiction to the local stakeholder model at all. Its to say there is a general body worldwide says all content has to obey this particular criteria and one government or instance is a problem you are obliged to take it down no questions asked. Thats the type of model that i have been for but i think that its also important that this also means private sector and the trust with the government they are able to manage themselves particularly even in the European Union they thought effectively they find them a lot of money but there is however on both sides and awareness into there are these big massive bodies and small bodies like the factors that build you t built d with and give them their due. I think its the question of how we engender trust. I think there are a couple glimmers of light the Information Security committee was the first to figure out by accident and redirect and basically stop over lunch. He was very humble about taking credit for this but its a good example of where the community has been the first to the scene on some of these major situations that have happened. The other kind of glimmer of hope i was in kosovo when this was happening and inc in cosa th everyone couldnt stop talking about it because this was the moment they could use this to wake up decisionmakers on cybersecurity and even though some of these incidents might be looked down on like it was so simple, they had an enormous wakeup call not only on the cyber side but for practices by companies and governments at large so it can have an enormous effect on the mind change so that is what this signifies. Its funny you talk about the cyber wakeup call. Ira member having panels when we talked about the target hacking and it seems the principle we are talking about really have not changed. I want to pull a different thread for the moment one thing that struck me as we continue to talk it seems old and cliche but relevant is the question of attribution and you sort of reference to this but how important is that when you respond to Information Warfare or ransom ware how important is it to establish who was behind it and what their motivations are and when we are also talking about trust and how Many Americans still have doubt fed by people that russia was behind some of what we saw in 2016. This isnt only an interesting question that an important one. Its evolved around identifying threats are posed to you and i think one place we have not gotten it right if they treat every Single Person here as my colleague here would call a special snowflake. You need information about you. Theyre all encountering 90 of the same stuff and that is why this message is powerful. We need widespread adoption. Whats the most important invention in the history of mankind . Soap. [laughter] my colleague said it was retailing soap. But the point we still have this fascination with the upper end of the highend cyber threat to a. I think the United States government was the last so why if hygienists of effective way are we not hearing more from the government to be more authoritative on this . The government is preoccupied with the highend and for a long time we treated these problems ais a matter for the intelligene community and it is treated as a nuisance wanted to go away and if we only knew what the government knew, we can protect ourselves just give that information to us. What we have learned from others is that its going to take a village. Brinkley i tell my daughter the short teeth, wash your hands, dont share food, to successfully get through her day which is what most of us need. Attribution is always going to be a question not just of human nature but the requirement for the response to any of these threats. I think the point on yes, weve been talking about threats and in the defensive standpoint, do you have a sprinkler is more important than what kind of of arsenal arsonists are out there today. So we are talking about the questions like how do the states respond to whatever the incident might become attribution is always going to matter. I think we have come a long way from where it was still a sort of throw your hands up and say its going to be the defining feature impossible to do anything about. There was a desire and we were motivated to figure out how to explain this property that we are seeing in to put a face behind to explain it but the goal wasnt attribution in and of itself, it has to figure out how to do something about it. So attribution as its own sort of the zaire state isnt really a question, it is what are we doing in order to achieve. You well better have your questions ready but im coming to you next. Its a very interesting one. People were furious on this. One of my favorite beams was put out a couple years ago by a gentleman who said he believed in the james bond series of technology that anything that was ever any james bond movie would have been in reality and somehow is a magic black box in a movie that exists now. So what we saw over the years is basically in response to the level of knowledge and we havent necessarily solved that yet. The point they try to communicate is that it doesnt have to be cyber. It can be diplomatic, economic, Something Else but it also means you can time delay can reverse it and do all kinds of things. That also works at other levels. However, would we still have a problem with this communicating even on the u. S. Side but has magic capabilities such as they. When we have a certain country where certain nation, some people including decisionmakers in the u. S. Might think that means high probability means like the radar. I can tell you 99. 9 probabili probability. I dont think its ever going to be possible in cyberspace depending on the attributions you might get six euros 70 . But even if they are sitting on these machines it could still be in operation which is why its so important somebody else is doing it and they are pretending to be that after. They are pretending to launch it. Thats why its so important that we develop a non kinetic response an entity of the race o respond that dont involve cyber thats been a key development. I dont think weve made it clear things can go catastrophically wrong. One thing im concerned about that puts them against tv station i talked about which would be a vehicle to totality and we wouldnt have the ability to see 100 for sure this is what happened and even if we did what we believe the government that has the capability to see this and this would be a problem. When it comes down to it at the end of the day, the community really doesnt want to believe. I saw that after the sony attack. People who knew better were questioning north korea being the highly advanced actor. Its very unlikely they got that wrong but they were still questioning if based purely on the political circumstances and this gets back to the Information Warfare. That is the ultimate man in the Information Warfare, to weaken the trust. And one of these trust elements that we have is between the citizenry into the government ad also between the private sector and the government. That is what we should not allow to happen. It leaves me wondering if there is a play left on the table. I would love to turn it over to folks in the room. Of the working theory as i understand is that the attack was based on the wee weak from e nsa in april. Given the nature of information that it can be copied endlessly and proliferate, do governments have the responsibility to prevent the state level tools . If the folks could introduce themselves. I reai would second that. And the fact that the u. S. Government was apparently involved in the attack by not having effective control would be an International Law matter, so they have to have a sense of control and that would be a very key point. So that is easily answerable. Is thais thats something ths to go in but in terms of how we think of as a government what can we construct. Even in the remote possibility if thats not quit is not quites expected and not just securing what they had. To speak on the example in the higher level eiffel talk of course you do. Theres a number of other areas. Medical doctors told you this. When they are mounting defenses and when we do more damage than good, how do we control what will happen into the public has the right to expect with the government is going through in that kind of calculus for all kinds of things. Even though they are always trying to balance out the competing interest for instance the cyber weapon or the design of something similar, cyber things to do partially g did pag overall. There was just an overall emphasis on offense rather than defense. I think there are many reasons were that and also because it is really expensive not only expensive to do on the level, the political about the financial level, we might have to introduce legislation and do this and that, so it is much easier just to draw up the capabilities of. Theres many other reasons its difficult for instance both countries like sweden and the netherlands can do that. Now that things are increasing with the cost thats what i meant. But i would say that part of those costs are simply should be on themselves to realize how much trouble they can get into. It wouldnt require that much. I take your point that some countries are better at cyber defense. But were larger and dont have the luxury of some of the conditions they do. We also have a larger role noble governments. My concern is this. I like the idea of a multi stakeholder internet which is a global commerce. A place where we express our interest. The might be too selfreferential. Weve glued that to our Critical Infrastructure. Weve glued it to the electoral system. If someone regards this as a battlefield they will regard the internet as part of that battlefield. We might see an evolving concept of operation. We might not have the luxury of referring to the internet is a multi stakeholder Global Common that we admire. But i would like to see is an entirely different concept of operation. Just as germany had an unpleasant concept of warfare but it redefined that in the Second World War and other countries had to adopt that redefined concept, we might be forced to do so as well. We will need to take it into account. Ill be curious to take that from a policy perspective. Other countries might d be defining it as a battlefield. Has the government model already one . I think other countries it differently, i totally agree with it. I agree that many things are attached to it that have not meant to be attached to it. The German Government refused to consider cyber structure because you shouldnt put anything critical on it. While tough luck now. But since that happened and we have jumped into this fully unsecured environment should we now make it more secure by redesigning it . We dont necessarily have to redesign the whole thing but it could be made more secure naturally. Thats whats happening all the time. So when you look at the want to cry outbreak theres many other examples. Things happen every couple of years and it brings us further down the road, but essentially it brings us back to the argument that superCritical Infrastructure and we should be thinking things differently. Theres something to be said about certain systems. They shouldnt be allowed that right now. Thats one argument. The fact that the way these guys are connecting the internet is a bad idea. They have default passwords that are in the hardware and cant be changed. People have just been lax of days ago with their approach. That has to change with time. What i think would be the wrong approach is that this is built by kids but i also try to explain the Chinese Government when they voice their opposition the only government that was responsible for this its an incredible issue for everyone. I said lets play this back, so you lets take this part of the un is not part of that part of the internet. All they have is nonstate volunteers to sit down and write this stuff. You get it take orders from some other agency, no youre going to go off and build another internet. Thats what they did with some other things. Theyre still going to build the internet in different parts of it. If we try to commit and build it theyre going to build it and it will be completely illegal. I think its important that we keep the people who built the internet come forward and that coming in with the government has preferences to a domain that was built is not going to solve the problem but make it worse. Will highlight other Security Issues. Youre basically protecting the power grid but your endangering free speech. In this world you can be first, you can be fast, governments are not first are fast but they are powerful. When they are powerful it doesnt matter when you arrive. To your point, many people believe governments are already militarize. We glued our infrastructure to the internet. Theres no enterprise that delivers value without relying on cyberspace and access to the internet and it. So for the same reason we glued our economy to a functioning roads, rails and bridges system. In warfare when youre posing your adversary takes account of that. The interesting question that you revoke is if we move to more symbolic and less kinetic warfare because we can do such devastation whenever siberian cyberspace. Weve seen preliminary example that may suggest the answer to your question. I mike nelson. I work for an Internet Security firm. Been working for multi stakeholder processes says before was born. Im excited to hear your support and your confidence in elevation. Ive seen a lot of multistate colder processes that go off the rails. At the Internet Task force and some of the efforts i was involved in for y2k, we had deadlines either selfimposed or external. We also had everyone in the room who could veto any solution. The problem with what youre talking about making the internet more secure, putting controls on Cyber Attacks is that we dont have deadlines we dont have everybody in the room that could possibly veto a solution. You dont see the Intelligence Community there and you dont hear the Cyber Warriors often their own classified space. Do you see any global setting either intergovernmental or nongovernmental that could bring enough of the key players together and give them a sense of urgency so we might get a solution on a broad agreement on some approach to answering the questions . To the security of the internet all her overall . Youre talking about the Cyber Attacks and when its appropriate to bring down someones infrastructure, theres a lot of talk about cyber norms and doing something to pull governments back using these tools, encryptions and other areas where it would be nice to global agreement on how encryption would be deployed and if theres backdoors. Theres probably five or six problems and theres no place to get an answer. There many different questions that i want to describe the book as being fellow by blind people which is a favorite metaphor to use. You see looking at a wall or fan, it wont really have a common picture or talking about common things on the panel. And for instance intergovernmental issues, those are dealt with Government Agencies and different priorities. So very different. We need to have cross ventilation between many different silos. People shouldnt be merged together because they do important jobs right now. Quitting arms control people in lawenforcement everybody has on job to do. Theyre not really aware of whats happening nextdoor. That makes it difficult to draft response measures are understand what the dangers of those are. So for instance its with crisis communication, the osce were as part of a working group is the great, we now have a hotline telephone. So well just add that to what the u. S. And russia have, and another one for others. So now we have five different hotline telephones. Which one will you kickoff first . People were just developing or reinventing the wheel. This is what i call norm collision. The fact is that its very complex issues in many different parts of it. No one expects to understand every component of medicine, we do need to be able to understand different components. The way you were referring to the interstate issue, i think you have to be clear that the triad approach to cyberspace. You have International Peace and security issue. So go ahead and talk about International Law and what youre allowed to do and not allowed to do. Its important conversation that governments need to have. The second basket talk about Economic Issues and crime. Then have the discussion about terrorist use of the internet. Then theres the context round for instance the budapest convection its not like we agree that all of this is illegal, we only agree with how to communicate with each other and the third basket would be internet governance thats about running the internet infrastructure itself. That is infrastructure not maintained completely by the private sector. Were talk about small components of it maintained by the community. In my mind the triad approach keeps it separate them from being merged together from the stark web consideration for government exercise controlling interest over all of these domains. Who else would be responsible for were fair. The have a problem to be solved there about which companies to involved in the un discussion that they can figure it out. That discussion should happen there and not all discussions on internet content or infrastructure. Though should be held in internet governance department. This in my book i keep it separate. They cannot be merged together and cannot be compromised. Youve seen how things really slowdown, they also attempt to take over parts of it. Ive seen Engineering Task force by government and companies were standards are set to run the internet. They try to make the new standard their particular topic of interest for their particular code they said this is going to be the thing that runs the future and we own it. And people go someplace else and try to do a quota. People dont understand that its not like an organization, its not an official organization and it belongs to Something Else. If nothing else somebody comes over by the hotel theyre just gonna go someplace else i think its very slow and cumbersome and ugly. One of the things you mentioned within corruption were starting to see these laws now and technology is not country by country so to once again get you into the voice of the private sector and theres a marketplace thats also affected by these things that they may or may not be obliged to respond. Let me pick up on the last point thats a good question of how do you attack this, you can even define this. I get this thrown at me all the time. Says if were talking about the domain like is Something Like you cap broad expertise on these issues. Theres a huge power categorizing a bucketing. So how the un is doing it but Cyber Security is an enormous field and conceptual area that the power to say, this is where the liberal majors of the world gets a plan this land, is this something we havent seen before . Or something that should fall under arms control framework . Are there existing mechanisms formed in the last 60 years . I was challenge, they come up and say whats the right role, theres a huge translation problem that we have in a need for bucketing that the technical side and strategic political and policy community can play together to figure it out. And jane had to step away, but as i may, we have a question from twitter for someone watching in cyberspace. In terms of the loss of Cyber Weapons which i interpret to mean losing control of a weapon thats been developed into your point to have an existing framework, how would that be handled under International Law, how would it be handled today, and ideally what would you like to see in terms of that issue . Im non issue International Lawyer. But with effective control of Cyber Weapons is a dicey use issue that ive been following for a couple of years. Its undermined by the fact that we dont have liability loss. If your sufferer breaks and you get killed by you cant sue anyone. So how could you sue the u. S. Government if they lose control of the cyber. Fundamentally there is a political commitment to be careful how you use your cyber asset. Its not only losing control of your soft where but also when your staff and Cyber Warriors often do something on their own time, especially if they got do a hack with the contractor. This is been the case probably in china and russia, they did that on their own time he wasnt really working for us. International laws very clear on the and if you go out and do something naughty government is still responsible. A little bit more difficult when its about a tangible software. I think theres a political liability. Think has are being scratched to want to cry and people were embarrassed about what happened. I only hope there embarrassed enough because they wanted in the future. Thats a huge question. And how you would even try that is a question in and of itself. I guess youll have to carry that one out to another day. The last question. [inaudible] a question about the concept of forensic Cyber Security is a solution to this problem will be the thread on this . It goes back to cyber forensics and what role that place, can kick us off on the. I hate to say it depends, but, theres so many different elements involved in attribution but more broadly figuring out how to prevent the type of attack or compromise that you see, to prescribe a framework that would give the community that government, other players who were looking at how to handle forensics would be difficult. Think a place for government can play a helpful role in the consistency of reporting around forensics. Everyones a version of cyber attack is completely different. You can take Computer Network attack, you can go under attack and make a cyber version, you can pick whatever your choices. So any level of consistency so that when the British Government comes on says xyz is happened at the hospital or the french government comes out after an incident in 2015, theres some level to report that with fidelity of what happened. I think thats how we are in our ability to talk about network. How big of an issues classification . We talk about trust been able to describe what happened. One of the ways that the remains to be doubt is all this released top level stuff. You might get some specific ip addresses that their proprietary information and from the governments considered non releasable because it reveals some tactics, are we ever going to be able to get to common sense of forensics when theres so much stuff thats consider must keep . On the one level theres forensics which is looking at reversing that piece of code but thats not necessarily the way government will get its attribution. The more they get that then then theyll do it they call the mini haystack approach. You gather a lot of information and use that to give a probability of an behind a certain event. Its a very different approach than looking at who might be programs and what they might do with it. So how would government present that information which is based on highly classified sources and in this proposal in a year to is like an open debate on having attribution organization for cyber thats something microsoft was keen on putting forward. The idea would be there be an organization that says this has been a bad boy and cyber because it did this in this. The big question was how do they deal of classified information from government in that setting . I think nobody has answered that question but its the way its currently dealt with. The nonproliferation treaty, they get classified intel at a high level they dont fully understand whether its credible or not. More importantly its about trying to establish common metrics because that would be enormously helpful. On the diplomatic side we need to define Cyber Operation and have a dictionary of terms. Everybody thinks its impossible just like National Security it would always be what you wanted to be like pornography, you will know it when you see it. Its been hard to define. If we push it and really asked the people who work on the riskmanagement community to be specific in their types of classification and types of attack that might help move the dialogue forward and i hope move it and keep it not necessarily talk about weaponization of information. I believe were out of time for this conversation. There might be some opportunities to continue without microphones. For those of you minus p. M. Thank you to the Atlantic Council, and to all of you for tuning in for your great question. We have many of these and we can look forward to more stimulating conversations. [applause] [inaudible] [inaudible] winston item book to the books about the 2016 election at a decent Hillary Clinton talks about her book, what happened. Then, Jonathan Allen with the book, shatter. An interview with the author of, how trump one. Susan talks about her book, the destruction of Hillary Clinton. Part of a week of book to be in prime time here in cspan2. American history tv on cspan three is in prime time this week starting at 8 00 p. M. Eastern. Wednesday night, the 60th anniversary of Little Rock Central High School integration with former president , bill clinton. Thursday night, a discussion for the lead up in response to the first disaggregation of Little Rock Central High School. Friday night from the oral history series interviews with prominent photojournalist document major events throughout American History. Watch American History tv this week in prime time on cspan three. Theres, live at nashville tennessee for the next stop on the cspan bus 50 capital store. Phil will be our guest on the bus starting at 9 30 a. M. Eastern and join us thursday for the entire washington journal starting at 7 00 a. M. Eastern on cspan. John and jeremy are coautrs