Transcripts For CSPAN3 Discussion On Cybersecurity 20240707



relations hosted this one hour event. [background noises]

>> all right good afternoon everyone. thanks for joining us. i have the pleasure of presiding over this conversation about diplomacy and deterrence. we are going to get started today by having our panelists introduce themselves. my name is camille stewart i am the global head at google at the intersection of our product security team and top social security team i have worked across government and private sector and cybersecurity issues.

>> i am emily harding i am the deputy director of the international security program at the center for strategic and international studies which is a very long title. it just means i get to oversee the work of six scholars doing tremendous work in intelligence, defense and tech policy. two decades working the federal government both in the senate and senate intelligence committee and then in the intelligence community in a couple years at the white house.

>> i am from intelligence and shop. we look at threats all over the world using response and a dozen different ways to collect the data we bring it all back to one centralized hub where we are looking at threats all around the world. for about 12 years before that was with ia and diplomatic security at state looking at the russian threat.

>> max next?

>> i'm a senior researcher for security studies and direct the cyber conflict on research.

>> as you can see we've got a great panel ahead. but actually going to do is have each of them give a two minute overview on their thoughts on diplomacy and deterrence in the states. we set is a conversation for.

>> sure i will get started. so the very broad topic. you need to take it back to basics when you think about operations and cyber domain. there is no common lexicon there is no norms and understanding here my colleague jim lewis does tremendous work in international agreements on cyber security and cyber issues.
those have yet to gel into a broad set of norms that govern work in the cyber domain. there's no agreement on what is cyber crime, what is cyber espionage, what is cyber attack, what is cyber war. your politician to sometimes understanding cyber domain sometimes don't calling things willy-nilly as an act of war what does that really mean if it is? so given that why is it so hard? why is it difficult? it is a combination of things something that the game changing technology, hypersonic weapons, nuclear weapons, those all came with a debate around what norm government and how they should be as what is a proportional response. we have not really gotten there yet in the cyber domain. it's a combination of two things. the speed of attribution is very difficult in this domain john can talk extensively about this. he is not a title work in this field. the ease of deniability they've proven themselves adept at staying at arms length remove from any kind of cyber activity they do not want to claim and claiming it when they do. those combinations of things make it very challenging for policymakers. to respond to a cyber attack to a cyber operation, what does this mean and how do we react to it? it also means it prevents the threat that is at the core of deterrence and that is a quick and decisive response to an activity. if you can't attribute it quickly and you don't have policy options ready to go, it is very difficult to pull something off the shelf, respond immediately and thus send a message or deter future actions. i can talk about this a lot more later. the 2000-point senate intelligence committee resolve this splat and excuse you in detail the obama administration. of all the sympathy of the world for the mini ring but this also total unprecedented situation. they were under attack but they could not say with 100% certainty from who and what that meant. that delay to pull something off the shelf and innately deployed a nearly disastrous consequences.
we cannot do four years, five years, six years later it's time to get that settled and move it forward. i think we will get better. we will get faster people like john who are doing this work are doing tremendous strides in that attribution piece get to a place we can act quickly. there's a solid story to be told right now about ukraine that is just sort of emerging. i have hope for the future. it's just that right now i think we still need to really wrap our heads around this as an issue.

>> thank you, john.

>> i have been asked i think the last four months now. [laughter] since christmas or the beginning of the year what is the likelihood of an incident against nato allies against the united states. these usually turn into good-natured arguments. as a question of whether or not a cyber attack against the united states would be crossing a major redline but i have argued that doesn't a major red line. the one thing for the most important things we have to sort of keep in mind as we talk about cyber attacks. we are talking about disruptive destructive stuff. everything from hitting an industrial control system to a widespread destructive event the word i keep throwing around is limited. those incidents we've seen that they are largely limited. they did not take a society and bring it to its knees they did not bring the economy to a major halt. they are survivable. we will get -- and probably for a society that's art experience covid-19 a lot of the effects may not necessarily register the reason these actors carry out these incidents is not to bring society to their knees. there isn't a major question of the prospects of turning off the power for three hours at a time is going to have that effect. they do it for the psychological effects. they do it to undermine institutions. they do it to undermine your sense of security, your sense of places like ukraine their belief the system is safe. in the united states in 2016 they did it to undermine our elections.
we had actors in systems where they could conceivably make some edits or changes to the system or may be altered some things. but really they were going to change the election. they had no -- but they don't expect to do that. what they expect to do is change our reliance for secure brits undermining our institutions. think their real important watchword is limited, right? it is good news somewhat, but it also means this is a great tool. you could conceivably use it without starting world war iii. don't bring society to its knees and conceivably get away with it. and historically the attacks we have seen these actors kind of got away with it. six years in most cases for us to even accuse them of doing the elements i talk about philip x all the time, the gru who we were talking about earlier attacked the olympics for the track to take the opening ceremonies off-line. this is an attack on the entire international community. took us four years to even bother to blame them for it. there is no hope for deterrence and a scenario where we don't even blame the actors for four years. that is an incident that affected literally everybody in the international community. i think these actors recognize they can get away with this type of activity that makes it a good option for them. they were looking for the psychological effects, that is what they really want they want to undermine a resolve particularly in ukraine redoing to undermine our elections elsewhere for they want to undermine our sense of security.

>> max you want to talk about nato?

>> there's already great points mentioned about the olympics and realized as an obvious connection here. many are not convinced it was russia you will know a lot more about that. i wanted to take a conversation about the nato alliance here's the main take away. what we've seen a convergence on alliance in terms of the need to develop a cyber posture we have a divergence and what this should look like.
in particular offensive cyber and the role of the military let me talk 30 seconds about these kind of key components is what we see is a cyber posture. capability, strategy and a legal understanding grade capability side but we have seen since 2018 is now the majority of nato members have established a military cyber command with some offensive mandate. an operational capacity is enormous. on several others operationalizing this the majority of nato allies still have commands operating on a budget of a couple of million dollars. it is enough to be officially part of the cyber club but certainly not enough for a second one of course all the countries have established a cyber strategy we've seen some significant difference emerging with the u.s. developing the cyber commands of engagement. with the focus of operating globally continues. they could be strategically meaningful they have a role to play and at peace time. that is not something most nato allies are willing to do so and changes the perspective. the third one which connects to this is what we have countries not just saying international law applies how it applies in the one hand sovereignty as a rule with france, and on the other hand the uk sovereignty does not apply. the last point here is it is dangerous to argue the differences between the alliance come from simply differences in maturity. there actually of a different policy part. that requires some real coordination and cooperation to at least bring us closer most start with.

>> you mentioned norms, you mentioned the lack of taxonomy we've got a lot of work to do. where are our nations currently consists succeeding, where are they falling short? where should we focusing our attention on to make progress in this space?

>> i'll pick one from each category. where we really are succeeding is the cooperation at the tactical level. the kind of things that max mentioned different levels of coordination but it is happening.
at the working level people are sharing indicators, people are exercising together. right now the big nato exercise the nato alliance the hunt for this is how we are going to win in this domain. i think that is where things are going well. that level of tactical cooperation really needs to be paired with a strategic discussion. and that is hard for lots of reasons. when i was on the hill we were doing oversight of these government people he succumb in all the time and brief us reading a boiled on every single briefing to to work it's hard and we are working on it. so that's true with this too. it's hard and we are working on it. let me talk a little bit more about why it's hard and why we still need to work on it. the hard piece, people need to have a strategic level discussion are swamped. they are staring at china they are staring at russia and ukraine. a whole host of global issues from supply chain to food shortages. sitting down and have a strategic level broad discussion about what the norm should be in cyberspace is like yes, we should do that. that is about 15th on my list of priorities. we need to create the urgency before the age urgency is created for us and have those discussions. the other piece of that is i think a lot of these are very fuzzy they are wrapped up in domestic values and national values. here in the u.s. we have debates all the time about free speech what can and cannot be regulated in cyberspace given our first amendment rights. our european friends had very strong views on privacy and have implemented that in a whole host of different ways that will eat into this debate as well. it is difficult. but if you can take it up a few levels, my friend sue gordon said if you disagreed down here take it up a couple levels get to a place where you agree. that place where we agree is the norms and values.
this is the place where nato allies, like-minded democratic countries can sit down at the table and say we all agree that spies are going to spy it's the thing that's going to happen. but when you're engaged in operations that affect human life, that affect public safety, that is a different level of threat. that is where we need to be building the norms in the guidelines.

>> i am so, so glad you brought the points about being strategic in the lack of bandwidth they are. we have to prioritize that if we want to make progress because quite frankly there will always be the next ukraine the next ransomware attack the next whatever. we are not making progress on the more strategic initiatives will never come to that consensus. so can we get some norms? can we find consensus in nato? what work should we be doing in nato to do that?

>> max fix this. [laughter] may pick up on the point on the norms and also on the sharing side of things. just to get a potentially annoying different angle. guess we should think about that. i don't how many people are currently sitting in the room but if everyone in the room can come up with a couple of different potential clients to consider no critical infrastructure attacks, financial systems should not be attacked, healthcare off-limits all of those things. but there is a second question there now particularly the u.s. considering its change in depth perception it's argued rightly so i think one gigabyte of data being sold by the chinese is not a big deal but doing it repeatedly is a big deal. the second question is what is not a redline? it's a really hard question to answer. i've answered a couple times in different rooms and rarely get a clear response to what is off limits it verily that isn't strategically argued all strategic activity should not be done. as a strange kind of norms question that has emerged.
the second point is i am sharing the importance of sharing in some ways we are doing this already but equally i think were not doing it enough. we've got a couple of different initiatives, the first one was obviously the notion sovereign cyber effects. they cannot share exploits when we went to achieve an effect and secondly we can conduct these exercises much more can be done cyber ranges and infrastructure. that is where there is a space which is one incredibly costly for many countries to establish and to do it well. and second, where you see potential opportunities for collaboration where the use of one country or one actor, or one training program does not necessarily reduce the effectiveness of another country to use as well. and so the photo make a pollutant recommendation like what should allies do in the coming years, this would have i think even a billion-dollar cyber range for the training of their operator development system who are crucial for the workforce military. and potentially intelligence agency.

>> great recommendation. john, with this intentionally below the line with the need for more collaboration and creating cyber rooms and the dynamic of cyber criminals as a shield to continue to blast the attribution we were talking about earlier, how can we make progress where should be focusing our attention in terms of deterrence?

>> what a good question. we almost need to rank and stack our problems, right? they're going to change constantly. it will always be changing. you look at a lot of different problems in the space and i don't think we have really prioritized. a good example is the ransomware problem there is the elections problem, there is the espionage problem. i personally think the espionage problem is probably spies are going to spy by the least effort issue. the most addressable issue if you look at the vulnerability problem it's fairly large.
they're now getting a lot of critical infrastructure with healthcare with the raging days of covid they are crossing a lot of lines. at the very least we want to push them back were not necessarily pushing those lines. the election problem is another good example. it is not solved. in fact the unfortunate reality is the last election we saw new players when the proud boys thing happened the russians that i couldn't say that i did not have any evidence whatsoever here they are a we have been waiting, and waiting this is it this is the play. i thought even just that the problem is growing. i think we need to have a conversation about what problems we want to stop and start ranking them and going after them. also, i feel like we are running from one fire to the next and that is not going to work. i do think the ransomware problem is largely addressable. it is absolutely out of control. potentially costing us the most money.

>> with the problems i went through that same thing. there is a time around that 2018 election the 2020 election i just did not sleep there is too much to worry about. the proud boys/iranian problem was i think disheartening and we saw this new player burst onto the market in grand fashion. but in a large way it was a success story. the united states government and its allies, that's really key point, had their eyes open for this kind of potential activity. the excellent folks at dhs has done a lot of prep work, so much prep work to say to people this is somewhat normal election problems and this is what more difficult election problems. then, once activity was noted it was located, attributed, downgraded and released, shockingly quickly. it was like 36 hours. this is actually as upset as we all were to see it happen this was a good news story in the way it was handled.
now to max's point about red line, i am not sure who were ready to do something to respond to the iranians and create deterrence for the next time around and that is where we need to do more work.

>> that is a great reminder better point about being strategic. in that prioritization talked about the investment and attribution, getting things there really quickly are signs of that coalescing around being more strategic and focusing there. how can we create actual consequences? especially those hiding behind criminal groups in plausible deniability. are our current tools working he said this was a success story the iranian context to what end? did we deter the behavior were just able to make attribution? how are all of those things actually moving us open at the nav of your.

>> i can start out with that because i brought up the point. the iranian thing was a success story and that we were able to broadcast very quickly to the american people who were in the midst of a very difficult election this is not a thing, this is not real this is not something you need to worry about they are not these bad actors all over the place we can leave aside the question of domestic issues in the 2020 election. on the specific issue was a success mostly diffuse i would not call it a success is a broader strategic policy. you brought up several things the sanction question, the indictment question, sanctions are great until they are not. there's only so much you can do. don't really care, there are ways you can make life painful for a russian oligarch, for a hacker who is working ten levels down from a russian oligarch more difficult to create deterrence pain there. indictments, same thing. they want to visit their kids in college or take them to disney world or the u.s., great. trying to find them and arrest them is much more of a messaging tool than anything else. i think honestly tool of last resort. if you look at the way the d.o.j.
and fbi operate, they are law enforcement officers paired with they want to do is to build evidence, prosecute a crime that's just not the model that works effectively for these actors. it takes too long, it is too slow while the building case for prosecution they cannot take the information shared. that honestly is the most important piece. this is where i'm going to make a pitch for the private/public collaboration on the deep, deep importance of her in the u.s. government, its entities and private sector operations at sea this on the front lines, on a daily basis during all of the collaboration possible to try to go after this problem set. my soapbox.

>> wouldn't you hit on all the points i wanted to make. as we go through, as far as t
