The room and are thrilled to have richard as one of those. He is the former scholar in residence at the National Security agency and is currently at the National Defense. Or national war college. National war college. And aaron hughes who sat down as the Deputy Assistant secretary for all things cyber at the office of the secretary of defense brings a lot of policy expertise as well as a wonk at heart, so can marry those up exceedingly well. And last, but certainly not least, rear admiral will metz, former j2 or head of intelligence for u. S. Pacific command, Cyber Commander and has had roles inside the Intelligence Community as well as, obviously, the u. S. Navy. And is also one of our senior fellows. So thank you to the panelists here. I want to go deep with some of the deterrence related questions. And i think, aaron, maybe start with you, to sort of paint the picture. And articulating some of the challenges and opportunities to get to a deterrent approach. But what should we be thinking about . What is missing . I would argue it is greatly one of our big holes in our Cyber Defense strategy but help us think through some of that. Thank you very much. Let me first put a plug in as a 21year member of the national guard. Hoorah. It can help us get involved in the cyber domain. When im often asked the question around cyber deterrence i was always hard pressed because i think deterrence theory nit traditional Nuclear Cold War context doesnt lend itself to how we talk about it in cyber. Theres so many more of the capabilities fed rated across the different adversaries. Its not all nation state capabilities. So you have to ask yourself what are you actually trying to deter . From my state we were trying to just deter destruction actions in cyber. To some degree, whether it was a combination of kind of our broader military, economic legislative activities, we were able to deter actions which caused destruction. Now if the question is, can we deter malicious sieber activity across the broad spkt rectrum f the equifaxes of the world to operations and disruption of Network Traffic that happens day in and day out, i dont think well ever get to that point in time. Until we can agree on what we are trying to to deter there will never be an agreement on what our policy considerations should be. I do think we need to get to the point where weve absolutely been better in declaring certain things, as the congressman mentioned. I think if we talk about where the evolution is, its getting to the point where were more comfortable saying here is a capability and were willing to use it. That messaging aspect. I view this as a very difficult point because well never get to a point where we are able to deter all malicious cyber activity. And i would be curious. I think part of it we dont really deter cyber anyway. We deter actors from engaging in cyber activity, which is really a political will set of issues as well. Not to ask a political question but i think both administrations fell a little short in terms of how they responded to russias activities during the interference in the campaign. Previous administration was on their watch and we were opining about it. The Current Administration didnt really seem to acknowledge it was a significant set of issues. I would be curious what you guys think on that. So something that the department of defense advocated very strongly for a variety of responses around that activity. We raised it, obviously, all the way up to secretary carter, secretary of defense at the time. And i think he was vocal in our agency is it discussions about the nature of the activity that was going on and what potential options the d. O. D. Could bring to the conversation. Ultimately, it was a decision to not act probably in a timely fashion around that. We did get to the point where some sanctions and other actions of messaging was made but, yeah, i would totally agree with your assertion that we were paralyzed to act for the various Political Considerations at the time. Richard, any thoughts on the deterrent approach generally you dont have to touch on the specifics of recent events. But part of it is having the will to respond. I guess its kind of complicated. Deterrence works in cyber space. There are a number of countries that could damage our infrastructure and they dont. They are deterred from doing so. The problem is figuring out what level to start to get the political will. Many times our opponents are stealing intellectual property, they are installing Different Things on critical infrastructu infrastructure. Theyre doing things we dont like. Sony was attacked by north korea, right . The problem is that theres a real cost to deterrence. It is very costly to us. We have to get up the political will to say, okay, we really seriously will be credibly able to do this bad thing to you if you continue to do this bad thing to us. Its that political will. And the way its worked out, our adversaries have gotten very good at finding ways to undermine that political will. To put their attacks at a level where the frog doesnt quite jump out of the pot. They can continue to do this. At the same time, they use numerous techniques to keep our will from getting up to the point where we could retaliate. There are active lobbying campaigns on the part of opponents to influence our political system. So many senior officials, when they leave government, right, there is a i wont give names. There is a senior official a few years ago who used to rail against huawei in office. He immediately got out and went lobbying for them. This isnt unusual. It happens regularly. It makes it very difficult for us to develop the political will to be able to respond. Thank you. Will, anything from your perch . I think, first of all, its important to understand the focus of todays discussion. And relative to a policy on deterrence, as you alluded to, frank, we dont necessarily deter cyber actors, we attempt to deter those who enable them, whether its a nation state or a government or other agency. So it is helpful that, one, the trump administrations executive order, which specifically called out deterrence as a policy objective, which i suspect mr. Bossert will speak about later this morning, but i think as it relates to partnerships specifically between government and private industry to define, one, the type of capabilities that will ultimately raise the cost on the type of behavior that is considered to not be acceptable as a matter of u. S. Policy is an area of interest from a private industry perspective were certainly interested in assisting with. Aaron, because i want to build that i see you i do want you to jump in, but also, where do you see it going . Do you see natural progression in terms of where policies might evolve from the Previous Administration to the current . Or what do you think . Yeah. First i want to make sure its not lost on folks that, when we talk about cyber deterrence, its not always a cyber action that can deter the adversary. We are talking about the ability to publicly its not. Its the full range of what the u. S. Government can bring to the problem. I think areas that would help the public kind of better understand what we are thinking here would be, as i mentioned earlier, having some better declaratory elements of that policy. I dont foresee, if were talking about how we can evolve from the obama to trump administration, i dont foresee kind of any of the red lines. As the congressman mentioned, i think the strategic ambiguity has helped us to be a little bit more flexible in our response. I give the poker analogy. I feel like it always depends, right, depends on the situation, depends on your cards, depends on your opponent. That can help to form the calculus of what the response action should be. If it should be diplomatic discussions, indictments if its criminal, or if it should be military action or otherwise. You brought up the indictments. I was an advocate for the pla indictments as well as some of the recent russia indictments. The likelihood of any of them seeing the courtroom is zero. I get that. But it signals the capability, it limits their ability to travel and demonstrates that we take some of these issues very seriously. So i would be curious, given everyone here has had a bit of a military and intelligence background. Richard, do you see the military tool being the primary predominant tool . How do we get to the orchestration of whole of government and whole of Society Given the private sector roles in all of this . I would say absolutely not. The military is not the main element to use against cyber attacks. Economic sanctions are a by far more realistic and credible threat. Its the threat we could make where the opponents will say, they will actually go through with that if we continue this bad behavior. So thats possible. The flipside of the coin comes from a comment the former director of national intelligence, james clapper, made a while back in senate testimony. He was asked why doesnt the United States respond in some way . Why dont we do Something Back when these guys attack us, his response was we are afraid. We have so much Critical Infrastructure that they could hit and thats a broad topic when we talk about that. That were afraid that their counterretaliation would hurt us worse than our retaliation. You never want to be in that position. Thats really, really bad. So we have to do more to defend ourselves before we can start to think about retaliating or making Credible Threats against our opponents. United states is the most cyber vulnerable nation. Thats also led to our prosperity but in the virtual glass house thats the right point, we are not at this point resilient enough or defended enough in the Critical Infrastructure area to withstand anything, if it were to be escalatory in any manner. If i could its important to look at history. Looking at history, 2007, 2008. The situation with estonia. 2008, the situation with the United States d. O. D. Infrastructure and the ultimate incursion in both cases by a nation state actor. Are the response at that period was we really have to up our defensive game. And from 2008 until about 2013 or 14, at least from a. Go. Gov,. Mil perspective, it would have appeared to address some aspects of the Cyber Security threat. The expectation between 2013 up until now has been a significant escalation in an approach, tradecraft, by both nationstate and non nationstate actors. What might be the solution . The solutions are a boundary of Cyber Security is good but not sufficient. Therefore, building resiliency into networks and critical capabilities is an absolute necessity and one that at least our company is very serious about. Two, the discussion frame regarding active defense and preparing those that would be authorized to perform those functions on behalf of the United States government and or our allies is an absolute necessity. Third, the strategic capabilities that, as congressman hurd alluded to, those things that we must have but we will not discuss publicly. I wont say manhattan project, but i suspect that most of you can identify with those needs. In my opinion, those three capability sets are absolutely necessary to enable the policy on cyber deterrence. Thats an excellent point, and i am glad you brought up the international component, because ultimately cyber space by definition it is its own domain. It also transcends air, sea, land, we get that. The reality is its globally connected. I would be curious what the panel thinks in terms of what whether existing alliances are sufficient. Do we build on nato, the bilats or whether we need something new for cyber. The question is do you make sure that cyber is integrated in all existing policies, organizations and the like, which quite honestly may not be feasible because you have different outcomes of those. Or do we need something new with respect to cyber . Because clearly i think that we have some of the most robust capabilities, but we cant go it alone, nor should we. Quite honestly, not to sound pejorative, but ukraine is sort of they are sort of the canaries in the coal mine right now. What theyre seeing right now i promise you we will see soon. Whereas history may not repeat itself it does tend to rhyme in the words of mark twain. I am curious what we think in terms of alliances here and should it be government to government, industry to industry, bank to bank. Well start with you, richard, and then just go down. Yeah, absolutely. We need more integration. You cant do this alone as a nation. I think that we are doing okay in terms of our diplomacy. We are doing okay. We could do a lot better. I think the businesstobusiness relationships are where we need to go. Banks have started doing this and theyre making real efforts right now. Most of these interests with international. Most of the corporations were most concerned of are probably not even owned by u. S. Citizens, theyre international. We need to get organizations we would hope that organizations like this will Work Together to develop shared knowledge and also agreements so that one organization does not hurt itself by exposing the attacks that its been receiving. Its a competitive disadvantage. As the way things are lined up very often now a corporation that figures out its being hit doesnt want to share that information because it wants its opponents to suffer as much as it did. There have to be agreements made. Its difficult but i think in the long run if you can overcome the collective action problem, our International Businesses can help each other a lot. Aaron . Ill give a defense perspective. You know, we partner and fight with our allies and alliances in air, land, sea and in some instances space. We do the same in cyber space. We deconflict targets when flying fighters side by side with our neighbors, we deconflict cyber targets with our closest partners in cyber space. It was good to see, you know, nato declare cyber kind of an operating domain within the past year and come to agreement on that because it helps us plan and integrate our activities Going Forward as part of that alliance. I dont see us getting to the point that we, at least in the nato context, are sharing cyber capabilities, maybe in the offensive side with the total set of the alliance, but absolutely with our closest fivei partners we have been actively fighting side by side against common adversaries in that for some time. I see that continuing to evolve as other nations build up their capabilities in that area. The only reason i brought that up and of course these are you have close allies like japan that live in a tough neighborhood who are dealing with two big one erratic neighbor and one very big neighbor. You have countries like israel who dont fit into nato, who are also living in a pretty tough neighborhood, dealing with some very tough so the current alliances dont necessarily line up. Washington loves to look at the world through its boxes and org charts. The world doesnt care. And congressman hurd brought that up with criminal enterprises. So do we need to sort of rethink that a little bit. And will not to pick on that. Because i love those alliances, dont get me wrong. The last thing we ought to do is undermine whats working at the expense of any of those. Its that plus, its not that minus in my eyes. Will, what do you think . I would start, frank, by saying, as a consummate optimist, i am delighted to see the countries of australia, as an example, being very forthright and transparent about their policy objectives regarding cyber that tend to align with the u. S. Policy objectives towards cyber. I think it is helpful to see the United Kingdom and the work that they have done that tends to align from a policy perspective with the likeminded approaches of traditional five eyes. But i guess, to specifically answer your question, the question of does existing alliances are they sufficient for that which is necessary in the cyber domain, and i would refer to the comments made by australias cyber ambassador tobias fekin which basically said, perhaps not, the approach perhaps might be regional. A regional approach might be a combination of policy and diplomatic efforts between countries like australia, japan and others. So i say that to focus principally on a regional approach, but underpin with the policy objectives of likeminded countries regarding norms of behavior that are hopefully sufficient. Well said, well said. And what about the industry role . So weve launched a couple of track 1. 5 discussions with close allies here, and the one thing i have noticed is its not necessarily capital to capital, meaning washington to you name the the National Capital in other countries, but its also going to be the banking sector. When we talk about cyber, we tend to lump everything into the same. The reality is not all Critical Infrastructure is equally critical and not all Critical Infrastructure is equally ready. I mean, if you rack and stack its financial services, telecommunications, energy, electric and and telecommunications. So, others that are really critical to Public Safety that maybe arent up to snuff such as water. But where do you see the private sector fitting into all of this . And i am starting to see where there is much more comfort bank to bank than there would be government capital to government capital. Quite honestly cyber will be led by the pvate sector. It kind of goes to what i was saying before about these corporations having to Work Together and starting to do so. But it comes down to a matter of trust. You have to be able to trust the industry that youre working with, industry partners. Thats difficult because youre competing for the most part on most levels, so you have to develop the institutions that can allow trust, whether thats trusted third parties which can arbitrate or others such as bank of america are working to build. Youve got to build trust. I dont know what the