That was my First Experience with computers. Since then, with the centrality of computers to my life but all of our lives is almost impossible to fathom. For example, we live in a world where every year over 40 trillion emails are said to. The first read page was made 1991 now there are 30 trillion individual web pages it is no longer about compiling and sharing information but also to have an impact on the world beyond the online domain through the internet to of things. Cisco systems estimates of the next five years there will be more than 40 million internet enabled devices coming on line for refrigerators, cars, the thermostats google just paid a couple billion dollars for a thermostat business all linking together. So that means domains that range from communication, carvers, the infrastructure or conflict 90 percent of military communications run over civilian owned operated internet these are increasingly cyberdepended that we live in the digital age. These networks they are linked to we have reached a defining point just as ever dependence on this world is growing you can see this in a lot of ways. One is the astounding numbers. For example, every single second nine new pieces of smell where now where malware have been discovered. On the military side over 100 different nations have created some kind of cybermilitary command designed to fight and win wars. Theyre very first pole is a survey of americans what they feared most they found they feared cyberattacks were then iranian, north Korean Nuclear weapons, authoritarian russia or climate change. So these years that coalesce throughout the world also on the government side whether the National Level or state level with the bureaucracies. They also mean from all hope and promise we have to it meant we live through the era of cyberin security. At this point i try to do make that point as the challenge that was introduced before how you write on a technical topic to make it interesting . What kind of visuals when you talk about a space of zeros and ones . So i put together what i believe is a collection to make a point. It is my choices for the best and worst examples of cyberward barked. It will play to you for a couple of things to visually drive home the story of cyberinsecurity that is out there. Another is there are studies that found people are 60 more likely to retain if theyre looking at something it doesnt have to link it is just a weird way the human brain works that it goes back to the discussion that we need to recognize the human side with the strange foibles that we bring soulfully that technology will work and we have not been hacked. So to pull back why a book about cybersecurity and cyberwar . And is best encapsulated by two books the first is from president obama who declared cybersecurity risk posed the most serious economic and National Security challenges of the 21st century. The second quote is from the former cia director who said rarely has something been so important and talked about with less and less clarity and less apparent understanding. The cross between something that is incredibly important , but less and less understanding you can see it with different ways. For example, 70 of Business Executives not to see titos but executives in general makes some kind of cybersecurity decision for their Company Despite the fact no Major Program teaches its as part of your normal responsibility. That happens that the schools we teach our journalists, lawyers, diplom ats even those in the military. It is also filled with all sorts of strange, a funny in and sat anecdotes. For example, the former secretary of Homeland Security is in charge of cybersecurity talks about how she had not use email or social media over a decade. Not because she did not think it was secure but not useful. The Supreme Court justice that talked about how they had not gotten around yet to email. They will eventually but in the upcoming years they will decide cases that relates from that neutrality to the constitutionality but in their own world that they have not yet got around to it. This problem is not just an american problem. We see the same things nbd is with officials from china, a great britain, uae britain, uae, the lead civilian officials that is this is our in australia had never even heard of the Critical Technology in this space. That you have a gap is in issue and not as crucial at a personal level from areas that you carry about from your bank account to personal privacy to shaping the future of World Politics itself. In turn those issues connect back at the personal level like privacy with the day Edward Snowden affair. But it is treated as a domain for only one i called the i. T. Crowd they understand the hardware and software but it does not deal well with the human side all the ways it ripples sell beyond. And also looks at these issues through a specific plans and fails to appreciate the Ripple Effect so the dangers of the disconnect is diverse. Each of us would ever will be play with other professionals, business, the organization, citizen, what we think about political topics to how to protect ourselves of mind, online we make cybersecurity decisions that space shape our world and the real world. Met with eastern city essential concepts that define what is possible but what is proper and right and wrong and what is distorted. To obscure what actually happened with three are right now in reality and where we are headed to next. Some threats are overblown and overreacted and real threats that are ignored. For example, i am someone who loves history. Its pains me when i hear from senators to white house officials to prominent news columnist to say things that cyberweapons are just like the w. M. D. It is just like the cold war. It is a cybercold war. You see that terminology of the time. If you know, your history and the cyberhistory you will realize that parallel is not the one that they think they are making. If it is a parallel to the cold war period would we do not understand the technology but even more so the political dynamics it was driving with that period if history when we took the real world version of dr. Strange love seriously. What are some of these manifestations . We too often lulled together simply because they involve the internet. For example, the u. S. General in command of both military cybercommand and simultaneously wearing that hat as director of the nsa which we would not see happen in other fields but somehow it is okay here . She testified to Congress Every day Americas Armed forces face millions of cyberattacks end quote. But to get those numbers we must combine everything from unmotivated probes that never tried to enter the network to attempts to carry out pranks, political protest, economic espionage espionage, the National Security in espionage, altogether. None of those millions of a tax what they thought when he said it of a digital pearl harbor or cyber9 11. For example, digital pearl harbor has steadily been used in major government speeches been reported in the media over half a million times. So essentially when people talk about cyberattacks is a bundle together the various things simply because they involve the internet and related technology. The parallel would be like saying a group of teenagers with firecrackers or protesters with a smoke bomb a terrorist with a roadside bomb, a james bond with his pistol and a russian cruise missile. They all involve the technology and chemistry of gun powder but we would never do that but somehow it is acceptable in this space. Take the organizations. A senior u. S. Military official argued with me that anonymous and al qaeda were the same thing. Where every stand with anonymous i figured out i am probably more empathetic to anybody with the d. C. Security establishment but wherever you stand, they differ from al qaeda from the organization, personnel, a profile, their means the only thing they share is theyre both non state actors that begin with the letter a. That is not supported. These disconnects of policy in reality and technology is not only growing tension but feeding into poisoning the u. S. China relationship but also we are taken advantage of at the individual bubble. By that email you received from your mom saying i am stuck in iceland send me your bank account information. I did not know she was there but i better helper. We smile but it hits the most senior people. Of a group of diplomats theyve received the spear fishing email with the exciting offer if you click this link you will be able to see nude photos of the former french first lady. [laughter] many of them collect instead it down bloated spy wherefrom the Espionage Agency or to be taking advantage of that the business level or organizations level not doing enough to protect ourselves or hiring people who promise 100 Percent Security of the Silver Bullet solution. Frankly were taking advantage of that the National Political level which is behind a number of issues that played out with the nsa and Edward Snowden revelation. Reported the obama showed his frustration at the complexity of the technology with policy makers. Our inability to have a proper discussion about all of this not only can create a distortion of threats but a misapplication of resources. Maybe the best illustration is another number. The number of academic journals and articles focused on the phenomenon of cyberterrorism. Zero. The number of people that have been hurt or killed by a real incident of cyberterrorism. I joke is like shark week where we obsess about the danger of sharks even though you are 15,000 times more likely to be hurt your toilet but while jaws was fictional people have been hurt by sharks. I am not saying that terrorists dont use the internet there are several chapters how they use it to which is like the way the rest of us use it. The am also not saying there is the possibility or likelihood of cyberterrorism in the future with realworld impact. Like the first cyberweapon revealed. But that same story shows it is not how it is depicted whether the die hard scenario then all the power goes down or the way the former u. S. Military offical talkedabout how a couple of teenagers sitting in their parents basement wearing a flipflops carry out the did you md style attack. No. There is danger but it also requires to carry out at that height of a level a wide deep set of expertise. Everything from intelligence analysis and collection to expertise in fields ranging from Nuclear Physics it is not something of a couple of teenagers will get. But my point to put it a different way al qaeda would like to but it can. China could but it doesnt want to. For both of them. Yet. What im trying to say at a larger Level Strategy whether National Political strategy or Business Strategy or individual strategy it is always about choices, priorities. We need to weigh the centrality of of what we obsess about verses what is real and are other threats out there so while squirrels have taken down power grids more times than hackers have a does not mean it will not happen but the fictionalized scenario vs. Their real largest theft of all Human History that is happening right now. A Massive Campaign of intellectual property that involves Economic Security impact by one measure over a trillion dollars worth of value loss to a National Security impact with jewels of the crown may be decades of the future battlefield. So these may not be sexy as cyber9 11 discourse. Even how the military uses it. The military plays in this realm and look at the scenarios. Also from regular terrorism it is not about the direct impact of something but the Ripple Effect in your own action in response to determine the true story out it plays out. Put this critical value to the internet itself truss it is being hollowed out and damaged by the Massive Campaign of cybercrime that is out there but also damaged by other actions and response to threats. For example, the fear over traditional terrorism leading to meditate Debt Collection program that is not only to the National Standing in relationship to our allies but to American Technology companies where they estimated over 180 billion would be lost because of this. To the impact of the growing attempt of certain authoritarian governments around the world to push for a more state control the internet governance model. What does this mean for the future . This value of trust that has allowed the internet to run successfully, i would argue the greatest force for political social and economic change in all of history is being threatened. The internet that i grew to know and love may not be though one that my son inherits. That scares me. These disconnects mean sometimes react on bad assumptions are dont make assumptions in ways that truly matter. Take the discourse over offense and defense with interNational Security circles verses cybersecurity circles. A notion has taken hold that aside for offense is privileged against the defense. The u. S. Military report says it is not just at the advantage but it bluebead so for the foreseeable future as long as we can look out cyberoffense will dominate against cyberdefense. This has led the u. S. Military to spend almost four times as much on research and development as separative defense as cyberdefense but the first problem is cyberoffense is not as easy as depicted. You need more than that can of red bull to do an actual campaign. The defense is not lying fair helpless. There is a series of things they can do. With second, if you go to military history pretty much every Time Military assumes the offense would dominate they would get a break up call at the 100th year anniversary. Look at the european armies every single one thought because of the new technology of the day the offense was dominant they were feared stock on the defense they urge their government if there is any point of crisis we have to be the first to go because we dont want to be stuck on the defense. That is one of the forces to spark world war i. They were wrong. The offense was not so dominant. The third issue in terms of a metaphor the difference of applying a cold war by in every frame work to a more complex cyberworld. If you were in a class house worried about from gangs of teenagers to military attackers the best way to secure yourself is not to say i really need to buy a stone sharpening kitsch. That will solve my problems. What can we do . The last third of the book is everything from the global level to the National Level to the business organizational level to secure ourselves in the internet. I will not summarize 100 pages but identify what i think our key themes that carry through all of this. First Common Knowledge matters. It is vital we demystify the realm to get anything done effective to secure it. Move past the situation which we are in right now where the president of United States received a briefing on cyberissues then asked for repeated this time in english not to knock him but that happened in every major corporation, university and boast households. This is not solely for the i. T. Crowd or the domain for the nerds. No. It is for all of us. Second, people matter. Cybersecurity is the wicked problem because of the tradeoffs in large part not because of the technical side but because of the people side. It makes it useful from writers perspective tutto cool stories from the role of porn and the history of the internet to the episode of pakistan accidentally kicked after all the roles acute cat videos for one day. If you try to set up a response of the global or business level you have to recognize the people behind the machines are part of every thread and every response. Third, incentives matter. If you understand why something is or is not happening with Cipher Security look to the motivation, to the tensions that play. There is a reason finance companies are doing better not only with their own cybersecurity by sharing information with others and Power Companies because they are incentivize to understand the costs and consequences also pointing to the rule that government can and should play in this space. As a trusted information provider cover resource and in other situations with a wide variety of marketplaces to help change the incentive structures out there. Forthcoming history matters. There is a history to how we got here with the internet to understand that is key. If you hear of silly ideas expressed like we need a more secure internet. Just build that instead. My joke in the book is the idea to read through to the internet makes as much sense as to free brooch Beverly Hills nine 02 one no. We should act like it never happened. But also we can learn from other histories if we are wrestling with what do we deal with individual criminal groups with the domain of commerce communication and conflict . Looking for inspiration have they dealt with a different kind of direct if we are thinking about what Government Action is needed needed, lets get the instances of the most successful agencies out there. The case of the cdc which starts with literally members taking a 10 collection echoes on to eradicate malaria off, the small pox campaign or the back or the back channel to the soviets. Fisk on a ben franklin said in an ounce of prevention is worth 1 pound of cure. The cdc did studies that found his idea does hold true when you trust it with public health. Prevention is the best place to put resources and it goes a long way. The same thing with cybersecurity. Despite all of the thames to turn the fear factor up and complex the issue or for a bit where you need someone to save you whether a man in uniform or from a company, very basic steps of cyberhygiene would go an incredibly long way. One study found the simple measures would stop of to 94 percent of all cyberattacks. People respond to that and say i am special. But statistically we all cannot be in the 6 . Talk to your i. T. Department. If they do not have to spend so much time writing down low levels they could focus on the high and. The reality is many of the toughest challenges and advanced threats still issues basic steps. For example, the most important outside Foreign Spy Agency a classified military networks happened when a u. S. Soldier found a memory stacked on the ground in a parking lot and thought it was a good idea to pick it up and take it inside to the base employed into his computer to see what was on it. That is not cyberhygiene but basic hygiene. What is the 52nd rule . [laughter] this idea of hygiene is important to with prevention going a long way but also the ethics to build about our collective responsibility. At the global, national, organizati on, individual level. We teach our kids the basics of hygiene cover your mouth when you cough. Teach not just to protect themselves also to give them the ethics they are responsible to protect everyone else they come in contact with. That same epic we need to build with cyberspace that is the own only way to get to cybersecurity to bring full circle at the beginning of the top guy explained how i was first introduced to computers as a young kid. If you said to my seven year old self one day this machine will allow bad guys to steal money from people become a steal their identity, be a weapon of mass destruction, which begs him plead with my dad dont turn it on. Today we would not have it any other way because this is a machine and the world that has created has given all of us back then would have been thought of superpowers. To run down the answer of the question, to communicate , talk, as sees someone a world away and become friends with someone you literally have not met before would have been viewed as superpowers but we take them for granted today. The same as it was back bin and where i think it should be in the future we have to except and manage the risks of the online world and real world because of what can be achieved to steal a line from the title of the book that is what Everyone Needs to know. Thank you. [applause] we have some time for questions or comments. Please come to the microphone. What about the internet of things to watch out for somebody hijacking my refrigerator . And how does that tie into the idea of conscience . [laughter] this trend of the Internet Users to reshape the internet itself and it offers the incredible possibility in benefits illustrated with the classic example right now if you bought a new car it automatically would communicate to the manufacturer some will even make the appointment for you this is like the history of the internet itself. So your car communicates to your thermostat when you are 10 minutes away it has been connected to this march power grid will shifted but the problem is we are already seeing this. We have already seen carjacking where your car is filled with hundreds of computers it will do things other than what the driver once. Truly looking at this from the cyberwar side this is where removed from thinking about this before it is not disruption but a combination of the new target then gives it a much greater impact so now we were able to design a weapon that the intent is not just to steal or gm information but coopt the system to do something physically different. For example, the centrifuge not just to damage what they were working on but to spin outofcontrol. But now youre talking about the civilian side. With their prior book this is where drugs and robotics connect back because when you dont have a human inside the Weapon System either remotely operating or semi autonomous you move from destruction destroyed enemy tank to persuasion is you could get access and you could cause that tank to do something other than what the owner once. Something we have never seen before in the bore and never have been able to take the arrow to make a go a different direction or to have the bullet fly back. You cannot get into the plane in top gun to save maverick rico does all the f14s. We would laugh but the point is what can we do about it . There is something we can do in terms of individual consumers then let those devices are allowed to access but also connects back to the responsibility of manufacturers and government. One of the things we have to do is make security much more intuitive and cumin friendly and also understand from examples there is a big difference to use the example of states and drivers licenses and organ donor. Is that opt in or opt out . It reinforce his Good Behavior or not. With that security woven in a and the government will have to start to require that person is where we are stuck government does a great job to create optional standards but that is different than enforcement to use the example of the titanic everyone should have this number of life of boats but if you dont this is the fine. As director of the program mentioned in i am also a historian and history matters. We need to think of these problems. I want to ask about considering the life of the internet to is historical phenomenon. 20 years ago it was said this is a space completely different man real space now receives conventional wisdom has come full circle. Do you think this experiment is a triumph that has liberated us or tragic that we had great hopes for . Great question. I could write a whole book just on that. The idea that he famously wrote the declaration of independence for the internet that said you think of the old World Governments you have no role in this space. He was right and wrong. On and one hand it is the space that is incredibly challenged governments because it has no borders and a space and power word by a wide range of factors in collectives of people that want to share cute cat videos and those that want to gauge in cyberattacks that violate Internet Freedom anonymously. We have seen it to empower small states to reach out to in ways they could not be for. Like the iranian linked attempts we could go on and on it empowers that the traditional sovereign is not comfortable except when they say government has no rule or interest or power. Just because government is responsible to the needs of their citizens and we are such a cyberdependent world they have to care and how it to impacts them by the way their own operations depend on it you have no role but you depend on it for 90 90 percent of communication. The government has no power and the story of the activist groups they could do things in the way that was never possible but the government could still go after them but wikileaks is a good example and brings transparency to episodes that government did not want to happen. On the other hand, the founders is stuck in an embassy because if he leaves he is prosecuted. There is a backandforth. Non state actors can talk about the attacks but the states are the big dogs. The second part ultimately is this a triumph for tragedy . It is a revolutionary technology. The reality throat history of game changer, a disruption in the world is different before and after so that they would have a hard time imagining the world after. Every time it is a technology it is used for both good and bad. The first tools on human picked up a stone. Did they use it to build four dash someone in the head . The best parallel for the internet is the printing press. It led to mass literacy, a democracy, the citizenship, Sports Illustrated swimsuit model edition. [laughter] at the same time it led to the reformation if you are a protestant you think is great. The pope . Not so much. Looking at casualty flows approximately onethird of europe is killed in the wars that followed. Of the internet is one of the most if not the most important tool for political and social change in the world but that enables a lot of good and bad things. I dont know if we can plug to a triumph model i think it has created more positive things but there is bad stuff inside but as would be with every other Game Changing technology because the cubans behind it we are filled with a good and bad intent. [inaudible] following up there wasnt article about the internet and interestingly is getting ever Better Things are easier. But then there was that new technology alloys comes we get used to read and golan. What about the space in this partition . That is an interesting way to characterize it. There will be inadequacies but i would probably put myself into the third category except just we have seen these patterns before but the revolutionary technology. Maybe better expressed by mark twain who reportedly said history does not repeat itself but it rhymes. I feel like that here. The challenge of what motivates me is what will determine those first two categories. Will it be much better or much worse . So for we you are less likely to get the best at of it with the best responses if you are stuck in a strange brew that we have right now of fear and ignorance mix together. That is not the best way to govern or develop or run our business or to handle your own personal life. There is no issue that has become more important in recent years that is more understood then sever security and cyberfor. There was an aching need for a primer that tried to hit that sweet spot there has been a lot written but it is either highly technical or has a feeling of the spinal tap to get scared than trust me to give you the solution. But instead turn this into something we understand as long as we use the internet internet, there will be cybersecurity and cyberwar threats. Or how they become more resilient in the hour psychological approach also. As a followup as a journalist i have been daunted by this topic that there is so much hype in the technical issues to understand. I worry the experts that you hear have an incentive to inject that particular point of view. How did you find resources you trusted . With certain categories with professors of Computer Science at the University Like this would be useful . How did you inform yourself about this issue . Great question. The challenge for a journalist actually in two ways, one is the challenge how do i report on this base of cybersecurity . But there is the assumption it is a field put into one little area by yet to if you have the wall street beat to the china beach travis cybersecurity is now bowfin into it to precannot talk about how target will do in the next quarter to u. S. China relations with the understanding these parts. So i get back to the radio greedy to develop knowledge and comfort to constantly deal with it. By the way journalists are increasingly targeted because of what they report on a and the information they have. With the case of the New York Times was packed hacked going to the unit next to a massage parlor. But they went after the New York Times not because it was intellectual property or find out the secret recipe but find out who was talking to the reporters doing a story about corruption in the senior levels of chinese government. So now it is part of my tool kit but no journalism Program Teaches that. So with the methodology who do we trust . It is to any kind of academic endeavor. The methodology past windfalls a diversification of sources. You will notice i referenced different nationalities and agencies. Reaching out to experts and academic journals in different fields. Youll notice i am referencing in numbers weve seen those together because anecdotes are powerful and illustrate something and sometimes when you have an issue with no firm data one example but the other is numbers matter to compare things. In the news stories is challenging because they try to balance both the audience does not understand and rewarded for hype. In the book we talk about a story that was covered by major media a warnings the internet would break. Millions will lose access. That is a great headline but it did not have been. So what was really at play . With the case involving fbi and isp but journalists today are more reworded for the eyeball grabbing headlines over substance. Said you will see these things reported that it is not the case. Everything from 60 minutes reported a story about a cyberattack taking it down their brazilian power grid. It did not happen. It did not happen. A couple of do dash it took a rifle to shoot dash Power Transformers in california. It did not take down the grid but it did become a major news story in the wall street journal. So then i get a series of phone calls from journalists asking for my opinion on this cyberattack. Double layers. At the same time with the last question about hysteria and psychological approaches , at the same time six and a thousand people in pennsylvania without power the wall street journal has a story about an attack by rifles that did not leave anyone without power but then people interpret that as the cyberattack. That is a problem. One more question somebody who has not asked a question yet. Maybe another professor of Computer Science . [inaudible] in that case how should react . Unfortunately i was offduty on saturdays but with the people in your country . So what can we do . [inaudible] great question. It indicates they are watching. So what can we do about the Anonymous Group . One is to better understand the i. T. Particularly because of the iconic use of the way it has been portrayed in the media by government officials to understand the group it is not centralized but also understand the motivation. What can we do . Consistently the group said it has targeted that in some way or shape or form threaten Internet Freedom. As with all good stories it begins with tom cruise and one of the first major incidents was when he had an embarrassing video online then scientology tried to rip off to put them on the radar screen. That anonymous verses scientology. But it goes against everything from authoritarian regimes trying to cut off the internet then like the wikileaks episode governments like the u. S. That are unhappy with transparency. So dont get on their target list is not to threaten Internet Freedom. But then say i have to deal with the response. Nothing is specifically you make about anonymous. What you talk about not sharing information, not having records. It is not just about records for what happened but to establish a baseline to see when the anonymous anomalies are happening. It also applies to the external attack. You had an individual with wideranging access. You had individuals given in some causes passwords and then an anomalous amount of information being gathered. And snowdens case was using a web crawler to do it for him. These are the kind of things that, that should pop up as something to look out for, not just in a military organization but if youre running a bakery, giving an individual wideranging access, and then in the course of a job, of a person in this role, they typically access these files and this kind of information. Why is this person suddenly having 100 times that amount of activity . Maybe because theyve been given a new assignment . Or maybe Something Else is going on. Lets go down and ask them. That should be happening. My broad point is that the basics of cybersecurity would apply in a lot of different situations and would go a very long way to aiding things, whatever the threat that youre talking about, and, by the way, youre never going to get 100 security. Just like in life. And so anyone who is telling you that, if you do this just one thing, or you buy this one product, or you give me and my organization this much more power or budget, well solve this problem for you. Theyre taking advantage of you. Theyre taking advantage of the ignorance. So, thank you all for joining us today. [applause] there are paperbacks over here. [inaudible conversations] wed like to hear from you. Tweet us your feedback. Heres a look at the back fairs and festivals on booktv in the coming months