Of course back here in Santa Ana I am pleased to welcome you to our annual Les Callahan lecture lecture is supported by the Cowan family who are very generous and down in the provided the Sam Nunn school where the list of organizations resident and less Callahan senior was a faculty member you're in I asked why you Department left us fun with us. We use various things but I think you're the have an annual lecture at the support major speaking opportunity. Last year I suspect many of you were here when we had General Petraeus and that was also sponsored by this every year and this year I am very pleased to introduce with us. Lynn Herbie is with the computer science and telecommunications board of the National Research Council and the National Research Council which was established the sixteenth is in a sense the operational of the studies arm of the National Academies of Science and Engineering which was established actually by President Lincoln it's not a government organization that was nevertheless it's stablished by President like that way back during the Civil War and eight hundred sixty three where you supposedly was doing studies for the United States related technology. The war effort of which frankly we can find very little evidence although they did do a study on the use of compass as an ironclad ship of all that the find the study that they are all like that if they go they get up for in any case the computer science telecommunications board was established. I believe in one nine hundred eighty seven or at least that when I first had something to do with it and they have been one of the most productive boards of the National Research Council and they have issued a number of major book length study several per year since the late one nine hundred eighty and since one nine hundred ninety one when Herman joined them that he's now their chief scientist Herb has been largely responsible for quite a few of these studies before coming to see S.T.P. was a staffer with the House Armed Services Committee where he worked on all sorts of problems some with him out of the studies that there might be with arms control and nuclear weapons weapons of mass destruction. More generally and then he came very focused on the information technology firm position. I've heard has personally written a little too modest to say this. Most of about a dozen studies that come out of the board in the last twenty years each of these studies and I have the one here that many ways behind on today are arranged in ways that many of your familiar with but I suspect some explanation might be useful for those of you. Why not. Committee is appointed gather from all sorts of supposedly expert people around the country to do the study and the committee is chaired by one or two people and the board itself provides able person and arms going for particular gave birth and the ultimately that the records of these books like records are written by the chair and an R.C. person and I can speak from experience that are number of the case and tell you whatever might say that he was responsible for writing most of the books put in the one that the chairs of the particular committee that were behind this study and offensive cyber attack it belittles and the various issues that are will be talking about the Associated with this I will. William Owens who was the vice chair of the Joint Chiefs of Staff and then the C.E.O. or president of S.A.I.C. after that damn third and various capacities first is deputy secretary of the Treasury that's the number two person Treasury and the deputy secretary of state the number three person in the state and I was senior counsel for I.B.M. afterwards and has throughout all this time since I guess the night. He's been a professor was University of Chicago her educated MIT before joining the House Armed Services Committee hearing there and physics you work for the force and just put a story on Philip Morris and the bar with her loose hair. I mean old person. Now I have a license for the little historical stories whenever I feel like doing it so I will do so. PHILIP. In his younger days was one of the junior high Los Alamos scientist during the Manhattan Project and that among other things enabled him to be a witness for the first Trinity explode but of particular interest he was one of a very small piece of young very very very capable people who are sent to Tinian to oversee the preparation and the loading of the first two nuclear weapons that were used against Japan in August of nineteen forty five. He was joined there by Norman Ramsey. Philip was and was a protege of Oppenheimer Ramsey was a protege of Robbie and Luis Alvarez who was a protege of Lawrence and William Parsons who was a Navy captain and who was the most ordnance explicitly ordnance oriented person and these people had the job basically of assembling and preparing the weapons and loading them and Parsons actually arming the weapon the first weapon to go to hook them up on the plane afterward the boss made the unilateral decision. I've given that to me in was at that time the largest airport in the entire universe it housed something close to six hundred twenty nights and everything that went with it and then an accident on takeoff would give the Japanese a victory of one peril of course that he unilaterally decided this on the web and that meant after the plane was safely like Parsons also by the way just that sort of an oddity was a classmate it was and that was last point there was a. Pardon roof over their current direction. No longer secure. Anybody who works there are nine years old and without further ado. Thank you very much for coming back. Thank you. All right so does how we doing on sound here. OK good. So thank you so I'm I'm here to talk about cyber attack as an instrument of U.S. policy here and now in terms of timing and so on. I have and I have about an hour is that. OK so the source material for this talk is largely these two reports one of which side held up means the other one. Here both of these reports are in fact they'll bill for free and in P.D.F. form and if you do a search for them on the web. You'll find you'll find them and are see a lot on the right and are see deterring cyber attacks brings up the volume for free if you do one on the left side of your attack Technology Policy and MacArthur Foundation. You'll go to the free Web site where you can download the P.D.F. for free if you do it if you do it the other way and if you don't put in Macarthur then you get the Academy website where you have to pay fifty bucks for the for the P.D.F. so don't do that anyway. So here's the one slide version of what cyber security policy is about today we all know that information technology is important for both military and civilian purposes. You've got to protect the IP functionality that you have and cyber security is about protecting is what you do in order to protect them so. No No No big news there are two dimensions to cyber security one is the defensive side the other isn't often so side the defensive side everybody talks about that includes antivirus programs and the things that you should be running on your computer system and so on and good law enforcement where the F.B.I. actually now knows something about the Internet and and the cyber crimes and so on and they are actually good people to talk to if you're the victim of a of a crime fifteen years ago none of this was true but it is it's true now. By the way I'm happy if you give me a business card I'm happy to send you the slides afterwards so patent you know feel free to pass on carts me later on. The other side of cyber security is very rarely discussed in public by government officials. That's the office of side of it and so this is the question of can you take off in some operations against an adversary for defensive purposes for example if you're the victim of a cyber attack. Can you attack the guy who's attacking you. In some sort of counterattack to prevent him from continuing to damage you. It's an interesting question and that's one of the issues that that that comes up in this. And of course once you have often some capabilities. You don't have to use them just for defensive purposes. You might be using them for often some purposes for example most of you. I think I've heard about stocks net which is allegedly a I tacked a computer based attack on the Iranian nuclear weapons production program and it has that allegedly there's a cheat various measures of success allegedly to all of these things because nobody really knows anything about it in the open literature. On defensive measures. I'm told that you can't hear me in the in the back true or if you eat all right I'll try and I'll try to I will try to. Rather Is that better. OK Thank you. On defensive measures. They're passive defenses antivirus software better passwords don't use A B C one two three or the word password for your password those sorts of things software that doesn't break. You know about the those things better law firms and so there's an international treaty on cyber crime that says that the signatories have to do certain things in order to cooperate with each other and to prosecute cyber crime. And so that's that's something that's great. And you're receiving more attention all of the names on here that the names by the way down here these people are people who wrote papers in this book here and there are these the positions that they advocate are one of these people says that you know you can use that modest market in for interventions to promote cyber security in the nation to give people incentives to deploy cyber security measures Cohen believes that you can that site cyber attack many cyber attacks against us are caused by the unwitting cooperation of third party infrastructure providers and you've got to find ways of holding them responsible if you can do that you can help reduce the threat to us. On Cyber hopper on cyber oftens of cyber operations there are two categories of interests. Which I want to talk about. Attack and exploitation. Attack us. When you try to actually damage the other guy's technology or the information that he has you want to alter it. You want to compromise its functionality. So that it doesn't do what it's supposed to do anymore. Destroy disrupt the grade etc The the better the bad guys information technology or information cyber exploitation is spying. That is you want to get information out of him in a way that he thinks is confidential but you've now got it. And so in the best of all possible cases. He's comped his information technology system just looks the. Saying it doesn't look any different at all. Only now you have the information that he doesn't want you to have. Often So operations come into flavors. Sometimes they're mixed there's the technical aspect in the social aspect the technical aspect is you can send in a virus over the Internet for example or you download malware make the guy download malware over a web page close access is when I break into the loading dock and swap out a chip or something or putting some software onto a computer that you reported mail order and you don't know about it. OK probably hasn't happened to anybody here. But if you were the family member in the Chairman of the Joint Chiefs of Staff on me and you ordered a personal computer from some manufacturer that computer would be an interesting one to target. And that you'd be social operations the usual it's often easier to bribe or trick somebody into doing your bidding than it is to hack through any sort of technical safeguards so easier to get a past work by bribing somebody than to you know breaking the encryption is often much easier than technical exploit the technical operation from the victim standpoint cyber attack inside works with patient look very much alike. That is you can't tell when something bad has happened to you you can't tell really what is doing until you know maybe not forever but you can you can take takes a long time to understand what it's doing to you. So it looks very very dangerous to you you don't know what's happening or so I point out that these attack and exploitation look very similar to the news media. We are and everything that bad that happens to us is a cyber attack and in particular the media conflated confuses cyber exploitation. That is a theft of information with cyber attack were able time and you see this in Congress. You see this in in the Washington Post. It's everywhere. Cyber attacks are different than side will exploit patients in the intent. What you're trying to. You and in the U.S. These are governed by very different laws. Of the U.S. different parts of the U.S. Code. Everything You Wanted to Know About office of operations on one slide. This is actually a pretty good slot. This would have been classified if we had done this on the classification. If we had had access to classified information we didn't. The indirect effects of a cyber attack. Almost every US poor and then the direct effect that is you don't care about killing the computer you care about killing plus attached to the computer the generator the the fire control system the radar whatever. And right and so that means you have to judge it. Judge the effect of a cyber attack by the total effects not just the direct effects and indirect here does not mean not primary the indirect effects are almost always the thing you're trying to to achieve. And so cyber attacks are not of lesser consequence just because it's hard it's only a computer and so a lot of people think that way and that's not the way to think about it you can deny cyber attack to cyber operations. No no I didn't do it and it's very hard to prove that you did that doesn't mean it's impossible on doesn't mean that we can't have some idea of who it is but this Take this is a very difficult problem and by using all source intelligence or the signals intelligence and spies and so on. Maybe we can learn about something about who is attacking us or exploiting us who's in the identity of the interest but it's very very hard on the outcomes of a cyber operation of our are highly contingent that means you have to know what your goals. What targets you're going to to attack. What targets you going to try to penetrate. Maybe all you have is an IP address. How do you know what's attached to that IP address. How do you. Limit collateral damage when you don't know what's connected to it. How do you conduct battle damage assessment you're trying to conduct an attack on a on a radar station through cyber means and you can actually attack in the radar station. Shuts down the Saturn you've been successful. Or does that mean you've been caught and the operator of the radar station has turned it off and he can turn it on again at a moment's notice. I assure you that if you're a bomber pilot flying you care which one of those true is true. Now that doesn't mean that you can't be instrument around it. There are ways of finding the equivalent of a smoking of a smoking hole in the ground but they're hard much harder to come by. And the success of a cyber operation really depends on having good a lot of good intelligence about the target. What's connected to it. What security measures are in place where they have don't downloaded latest patch from Microsoft that kind of thing and the preparation of the target system maybe you what you've needed to do is you need to implant the vulnerability in it. Three weeks ago in order to attack it today. And if you haven't done that then it's going to be hard to attack it to today. So all of these things suggest that if you're going to attack something. What you need going to need to do is to attack it when you've had the preparation time available so that means it's harder to do in the middle of a running battle where you don't have time to figure out what's going on. They'll to slide sorry about that. Often So technology is easy to obtain that is you know you can buy the basic technology at Best Buy and you can take courses on hacking over the Internet and in fact you can download cyber attack tools from the Internet and with point and click interfaces. And start lots of people have access to this technology and also often some technology in the space is very easy it is connected very closely to to commercial capabilities in infrastructure. It may be true. It's often true that a cyber attack can be. Can be launched. But maybe you can only use it once because what happens is that once you use it the other guy fixes it. You fixes the vulnerability that gave you access that this doesn't happen all the time it may not happen all the time but it's a it's a big danger so maybe you can. Only user cyberattack tool once when you really really need it. And so it could be limited in scope. Because let's say you want to go after one single I want to go after you computer I get the serial If I have the serial number of it I can program it to attack only one with that serial number and to ignore everything else or people who say stocks not work like that. It only affected certain specific configurations only going to affect many many computers. So. Cyber attack can be what I say it is people talk about you can attack at the speed of light with a cyber attack. Yeah that's true. That means when you push the button the effects are manifested you can be manifested quickly on the other hand most scenarios of using cyber that you have to think through a lot. You have got a plan to do a lot of planning. So it's big and so it's really not so much the speed of light the way I talk about it. The speed of light all it operates at the speed of law the speed of policy and how fast that operates and anybody who's operated in the building knows about how fast policy gets made. OK So couple of other people in this volume here talk about basically say that you know Greg. Trey who is a former director of the National Security Council for cyber security affairs says we haven't seen anything yet about what could be hacked what could be happening in cyberspace don't think about it but just think about Stone media and Georgia as models of cyber attack of one nation against another don't think about cyber nine eleven just I mean there are possibilities but there could be many other possibilities. We have appointed in all this is underscored in a paper by Rose McDermott who points out that operations in cyberspace are conducted with a rather amount of uncertainty especially about the environment in which you're operating and you can really get yourself wrapped around the axle with uncertainty in this and you've got to figure out ways of dealing with that a lot of people what people do when they're faced with uncertainty is they just say. I know for sure. I don't give me any other information and overconfidence is a big problem in in this space a little bit about national security policy today. We say we see as part of US official deal D. policy joint doctrine. We seek superiority in the in the cyber domain the state in which US and friendly forces have complete freedom of action the bad guys can't do anything we can do everything they can't do anything. And that's what we want nice if you can have it but the U.S. is starting the senior military leaders are starting to back off of this now for example the deputy commander of the US Naval U.S. Navy Cyber Command recently said I She even thought about bombing it sometimes takes maybe impossible. And the head of cyber command has also said that too so we're starting to back off from that but it's still not reflected in U.S. D.O.D. in doctrine. The implied the current Tory policy on cyber attack is that it's just like any other weapon. We just use it. Just like any other weapon except for operational considerations that is just like a cruise missile or team of Special Forces or what have you. It never is the most effective way of getting it done and they also say it's better. It's most suited for early use. Now you might wonder about this this interesting term and imply declaratory policy what the hell is a pilot declaratory policy if you if it has to be implied that is these aren't written these words aren't written down anywhere. That's an interesting question. This is what we've been able to figure out from various written statements but there is no official declaratory policy regarding oftens of capabilities. Except to say that we have them. Now that's a problem. How much you use Office of operations to defund to defend yourself so if you prefer an adversary attack maybe what you want to do is you want to live in the other guy's network and preempt his attack and attack him before the attack. US That means you need Office of capabilities. During the attack. Maybe you want to disrupt the attack in progress. This is that we've talked about this publicly that the U.S. That is the United States after an adversary attack maybe you need to conduct some sort of forensics that will choir hack back in order to figure out who was attacking you and maybe you want to conduct retaliation to discourage further attacks. And of course once you have these capabilities how much you use them for non defensive purposes. It was widely reported. And whether it's true or not I don't know I can speculate talk to me offline afterwards that the Israeli attack on Syria in two thousand and seven was the result and it was at least preceded by a cyber attack that this able to Syrian air defenses that allowed its missile to get through as if we can talk about that later. You can think about covert action it's a matter of public record that the United States has sought to influence elections abroad in a variety of situations. Imagine the possibility of using of hacking electronic voting machine of another nation in order to tilt the election one way or the other possibility. I'm not advocating this right. I'm not and I'm not I'm not an advocate for this are going on saying this is a possibility. These are the sorts of things that when you think about cyber attack these are the sorts of things that you want to think about as possible things to concern policymakers and disable exploitation you could figure out you could figure out ways of getting out find out their diplomatic negotiating position is there are there political plans you could steal commercial information from them to split for your own purposes as a matter of record the United States does not do this. OK the policy of the United States is explicitly we do not steal commercial information to benefit U.S. companies. By contrast there are countries in the world whose intelligence services are specifically designed to do this for example France they have said so publicly. So I can tell you about that. There's the. I want action dimensions of this right. So if you think covert action is a is a particular term of art in the in the U.S. the intelligence community has responsibilities for explore for exploitation for conducting intelligence by the way are there no laws regulating that within outside the United States the U.S. can do anything it wants to get information. No. U.S. domestic laws and turns out. No international laws against getting information about about espionage either. And there's covered action covert action means something that the United States wants to do that it can plausibly deny. If you just make the observation that if you were going to try to create an instrument that was ideally suited for cite for a court action. You'd come up with cyber attack something that have that has that completely deny I am. If you do it right and can have a ride ranging effects. And you can just be completely silent but you would. You would have a hard time coming up with something better than cyber attack. On this question of cyber deterrence. OK deterrence. Let's deterrence about deterrence is about keeping the other guy from launching attacks on you conducting hostile operations against you and how do you. So the question is how do you persuade them to not do this. And it seems like the obvious choice persuading that you say defenses aren't going to be good enough. Right. Your defenses. You can deploy more antivirus software and then and so on and it's all going to be ultimately a losing battle. What do you do. And law enforcement takes months to operate not minutes. OK So what do you do in that situation. What do you do when you've got a you've got to get the other guy to choose not to attack you and so we say we're porous worked in the past. Well the current more. Deterrence of nuclear threats. It's based on a threat to either do not to deny the benefits of an attack on the benefits of an attack to an attack. That is he won't succeed were to threaten them with punishment that is. If you do something bad to us try to do something best and we're going to really make you pay for it. So in practice we find that any sort of cyber security person will tell you that we haven't done a very good job on denial. That is our cyber security efforts really haven't done very much to stem the flow on hostile operations into us the effect of hostile operations. So you're saying well that means you have to think about punishment you can't do a denial thing about punishment. OK but the threat of punishment requires attribution to a specific adversary. Knowing that an attack is happening and credibility of the other guy have to believe that you're going to go after him. So here's an interesting question. We conduct a lot of military exercises all over the world with our forces. To show at least in part that we can do it that we can project power. We do a joint military exercise with Turkey and with Egypt and with South Korea and so we do these things to show that we can actually project power in those areas to as a show the other guys who are in the area. Hey we're here. OK we have significant capabilities. How do you do this in cyber space when you don't talk about your office of capabilities at all. That's an interesting question. I don't know how to answer that but it's an interesting question. The bottom line on cyber deterrence is that there's a lot of uncertainty about how to achieve how to apply the traditional concepts of dots of deterrence to cyberspace and so our deputy secretary of defense now says we have to depend more on denial. OK So notice the circle we've come the nihilist too hard. So we have to think about the turns not the turns is too hard. I have to think about denial. I don't know how to make sense out of that but that's the situation that's the policy space and the that is what we're operating in now. I started this by talking about nuclear as an analogy for cyber superficially obvious but on deeper analysis. Really does bad fit. OK the private sector for example doesn't have nuclear weapons. It's true that many of the same questions arise in the nuclear domain as they do here but the answers are completely different and so that's that's maybe a way of thinking that if you if you have some experience with a nuclear site. Asked the same questions but don't expect any of the answers to be the same and it may be that biological weapons are better metaphor for a strategic point of view. When you saw other people have interesting facts about the term about deterrence. Things that you know the cyber threat is still young. By comparison is true and we went overboard we went crazy in responding to the alleged Soviet threat. So we have a chance now to make mistakes and not to do with all frantic overreaction. That's that's his point of view. Clacking Landau there's a certain that point you can the number of cases where you actually need to actually be sent to a specific person very limited You don't need that very much. And babytalk makes the argument that even if you have perfect forensic attribution. That is if you could trace back to a specific site who was attacking you. It wouldn't have a significant deterrent effect. And that's an engine. It's a very interesting claim. You also want to think about escalation and terminations right when you're in a conflict. You don't want to grow out of control a smell you don't want to smell conflict turn into a big conflict. And so deterring escalation preventing it from growing is really a big deal. And so on and you get unintended escalation the experience shows that you get on the tennis collation into situations. We're in this where the guys at the top don't know what the guys at the bottom are doing very well. And the second is when the outcomes are. Actually the more uncertain. Let's talk about the the guys the top not knowing what the guys at the bottom are doing this is the armed forces or the you know MIL is this the number of banks who is a million people right civilian million people. So. If you want to move a division that would have significant effect the people would have to issue orders to move a division but they are the people in this room just the you know fifty people in this room but armed with the right side where technologies and with a good internet connection. Maybe could do significant damage that could cause an international serious international incident and if it were done in the middle of a crisis that could be really bad news because a bunch of people here in this room. You know military you're all you know sworn to uphold the chain of command and so on. You might go off and do something. Not because you're bad. Not because you're wrong but because in the normal course of operations. You do things that the bad guy that the other adversaries could interpret as being provocative and if it's happening in a crisis. They might see and how do you make sure that our national command authority is trying to negotiate an end of this crisis trying to tamp tensions down. How do you how do they know what you're going to do that means they have to understand what you do in a very very detailed way and that's a very rare thing and then there's the interesting question of how do you terminate a cyber conflict we're in a strutting rule in cyberspace with me OK and now I'm going to say no no we're going to stop. We're not going to stop shooting at each other inside cyberspace. How do you know of that the other guy is stop shooting at you in cyberspace. How do they know that we've stopped shooting because one of their cyber attack that's a tarring by lots of other people players. It doesn't mean for example we have to tell them where we have implanted Trojan horses into their software systems into where we have taken advantage of their vulnerabilities. We have to tell them all of that. I mean it's an interesting question how would you know goshi them and what are the. Missions that you would look for to know that each side had stopped big problems. International law has a has not caught up. That's basically the the argument that Michael Schmidt makes who is a former Air Force judge advocate general. What counts is the use of force for example is unclear. There are two legal paradigms sort of what happened in the UN Charter which governs when you when are you in a shooting war and and the Geneva Conventions what happens when you are actually at at war and key terms in the UN Charter are not the fine use of force armed attack self-defense. Nobody knows what these things mean I mean the UN charter was written in one thousand nine hundred forty five. I promise you. Nobody was thinking about cyber attack then. And whether that was mean those terms mean. Now in this company in and in in the cyber era. Why do you care when it's a cyber attack a use of force or a war an armed attack. It matters if you're the attack party if you're the victim because you want to if it crosses some threshold. Then you know you have certain rights. For example if you're the victim of an armed attack you have the right to to to invoke you can invoke your right of self-defense and we've done this on a variety of occasions. But it also matters if you want to be the one to attack someone else because why would be better because you might want to stay Fabray from any law and that would give them the right to attack you in return is an interesting question as to what could you do what could we do. That's the end of the line that we could do presumably more freely. Here some hard cases. But if you cause economic damage without causing physical damage let's kill it. So you bankrupt the country you can bankrupt the country. Money from its accounts. Does that count as us as an armed attack or as a. When I say use of force. But if you go through. If used if you hack an electronic voting machines and you with. Trying to overthrow a country. Overturn a government. OK Does that count as i mean that doesn't sound like a friendly action but doesn't meet the threshold for armed attack don't know where if you just destroy data. The computer system is just as good. You just destroyed the data where that sort of fuzzy to write and what if you just interfere with the computer system and then you stop interfering with it is just as good as new Does that count is reversible. And that if you put it into the other guy's computer system a Trojan horse that is meant for exploitation. That is for spying who steals information back. But you give it a capability for being remotely operated so that today it's an exploitation agent and tomorrow can be turned into an attack agent. How are you supposed to treat the initial introduction of this of this agent. Don't know don't know the answer to those who are this particularly interesting to the meeting. What's the meaning of neutrality. OK If country A wants to bomb country B. and wants to and has to fly through country C. to do it. They have to A has to request clearance permission from country C. in order to to fly it through its airspace. That means country see if it says yes is not no longer neutral. But if I want to route an Internet attack against a wants to conduct an Internet attack. Internet based attack on B. and routes and uses and goes through C.. Turns out that is not a violation of neutrality. So which one of those is the right model. For thinking about neutrality. So there are lots of questions that arise in the conduct of war and so there are principles underlying the laws of war for example you can't pretend to be in a protected entity you have to care. You can't impose too much collateral damage. You have to attack only military targets and not civilian targets so let me give you an example of how this might be some weird space that this might get into OK. We now fly airplanes with U.S. stars and stripes on the insignia. Our cruise missiles have the insignia on it. Our senators want distinctive uniforms so that they can be shot out in war and we don't I mean that's part of why we. That's part of why we give soldiers uniforms that makes them they are legitimate targets during war where civilians are not. OK. Thank you for your willingness to wear a uniform. It's OK so think about this does that mean that if we introduce a Trojan horse into some adversary system. There has to be a label on it that says this Trojan horse is the property of the U.S. government. I mean it's consistent with the spirit of putting the Stars and Stripes on. That's an interesting question and that anybody can do this right. So now we need to have a way of verifying that the string was in fact done by the US code I need a public key infrastructure to verify that attack was coming from the United States. No I mean this is I'm not I can't and I don't want to be quoted as saying this is a serious proposal that this is not a serious proposal but it illustrates some of the mental space that you might be might be in if you want to separate targets in cyberspace. Does that mean you have every military target has to have a label on it that says I'm a deity computer I'm a legitimate target. What about hospitals do they get free passes. They say we are and we're not a legitimate target. You know we're protected. Now there's a Red Cross have to go. It. The International Red Cross have to get into the business of issuing certifications that says this is a legitimate. This is not a valid target. And I don't know the answer to these I'm actually going to talk to the Red Cross in the next three days or so I'll let you know what they say. Cyber attacks and non-state actors that the non-state actors are very very problematic in the matters of radar and the UN Charter all based on nation states but there are lots of actors that can exercise power and reach comparable to nation state but are not national actors and especially in cyberspace and how you deal with them. That's a big problem. Private sector private sector is also I mean some private sector jobs most of cyberspace. How are they supposed to respond should they conduct oftens of operations and response. Well it turns out there. RAZ against that right now but are those laws appropriate now. Not sure what should there. What they can do right now is they can put up a bigger fire better fire walls and they can have the cops but they can't. At this point we don't know they're not allowed to shoot back to retaliate. Can they conduct investigations. Can they conduct hack back and want to get back their compromised data can they try to figure out who is attacking them if they have to hack some of those are much more unclear. Nobody knows what the limits of that are. Those If you give them the legal right to do this. Does it increase the threat or decrease threat to them. I don't know the answer. Could their operations interfere with U.S. government operations that's a real possibility. And if the US government responsible for private sector actions. So you have one choice where the US government says no no these are laws against it and if you do it you're on your own. That's one set of affairs and the other is that we do it with the we do it. We establish a set of regulations that govern straw. Back in the private sector. Now we can't say we don't have anything to do with that anymore. Now maybe the rest of the world sees that we're responsible and would see us as responsible how that place don't know. Some facts on that you know again from out of this book on the private sector Nexus Paul Rosenzweig asserts that U.S. government responses. I don't quite properly are not just limited to cyber That is somebody does a cyber attack against you you can do a lot of things to them and you could do economic You could do the planning law enforcement and so on. You could even launch a Tomahawk cruise missile against them on there in the right circumstances. You don't have to be it's not doesn't have to be cyber for cyber He further advocates that if you do see deal with the cyber with the private sector that has to be some sort of collective response and he does advocate a U.S. government chartered organization to conduct responsive operations. Caisson and has also think that a government that the government should have some active defense measures against people who are conducting denial of service attacks. Talk about international regimes. OK arms control agreements in the classical term but it's not necessarily meeting arms here. These are ways of reducing cyber security or threats and risks right of reasons for why you might want to some sort of agreement international regime. We are very dependent on on information technology and the bad guys or other other parties in the world are less so that means we're in big trouble. If we have no trouble if information technology gets compromised so there are a variety of reasons why we would right to do this. Lots of reasons for skepticism. For example ever countries may see our information technology vulnerabilities as an ideal way of waging conflict against us. And you know it's also true. Limiting capabilities in this space is pretty much impossible. Because the technology is everywhere. The knowledge can be built any intent can be developed anywhere. You can't restrict the colon and the infrastructure needed to conduct attacks is you know to smack easily could it no satellites that are looking in on you. Maybe you could come up with restrictions on the use for example we agree or you know Nations could agree to not attack. Power grids in our financial systems because we're all interconnected could be the argument the sort of like the argument that says we're not going to attack hospitals. We're not going to use lasers to blind soldiers and so on. By the way we have signed that convention of lot of other players have and maybe will sign it some day. This might require these kinds of of use restrictions might require some sort of cooperative measures but you know maybe that maybe that can be worked out. Sure that attacker can violate those things but you know we could too and maybe that kind of reciprocal threat keeps them in line. It has might maybe has some it's has some perhaps has some value in the in the conflict. OK. But it's a complicated business to get into and how you go how you pursue it is is is is problematic. We have to live with any regime we what we say we want. So it will not fly to say the U.S. can do anything wrong and other guys can. That will not fly. So if we say we know for then no attacks on US critical and no attacks on power grids. We have to be willing to say we want to attack somebody else's power grid and are we willing to do that. Are we willing to give up as a Vashon that as a national option. That's an interesting question. I don't know the answer that one of these questions by the way are being debated in the five sided building in Washington and. You might say for example you know you want to do what you need to be able to conduct. Televisions hate to understand what's going on in the adversary during a crisis and this is a good thing we want to understand their thinking is this important to do. But if that starts to affect if they see our exploitation this is an attack during a crisis that can be really problematic. So how how you power that plays out is not clear. Some of your observations. Again from from from this book. So fair who is a former general counsel to the State Department makes the argument that no single state is going to be able to deal with cyber security issues on its own therefore you have some sort of agreement. So it's pretty simple argument. What kind of agreement that's an interesting question. But at least you he says it could be international cooperation this is a necessity if you're going ever going to get a handle on this. Are Luke a sick makes it goes further he says that nations should agree that they should be responsible for what comes out of their countries. That's an interesting thing to do that would be an interesting thing the interesting thing to think about especially given the fact that most of the bad so a large fraction of the stuff bad stuff in the world comes out of our country. What are we willing to do to take responsibility for bad stuff coming out of our country. That asserts that the Council of Europe convention on cybercrime is a an effective tool that's the treaty that binds Nations to cooperate in matters of cyber crime but it's got too few participants in it. There are some interesting questions from research I'm at Georgia Tech a prominent research organization who cares and that cares about international relations and science. Let me give you some interesting questions that come out of this OK. Talk about I'm going to go through these quickly and then you elaborate on on the first example. To be interesting to establish a common vocabulary about cyberspace. Our satellites and with our adversaries. That's first. Second how would you conduct a cyber operation an office of operation to convey your intent to the adversary. You're not going to say you're going to send in an agent say this agent is only for exploitation don't worry it's not going to be used for attack. So when they disassemble the code they see the text ring in it that says not an attack agent OK we don't have to worry about that. That's not going to read right. But what are you going to do you want to be able to say things that will help to reassure the other guy so that they know what you're trying to do. How do you assess adversary intent in peace time and in your in crisis. You know we're the worst case analysis syndrome is rampant everywhere and especially when you have no idea what the other guy is doing right. The other guy is is is ten feet. If you don't know what he's doing that he's going to be ten feet tall and since you know all of your problems you're going to be two feet tall. And this happens in peacetime happens in wartime. What are their intentions in a crisis there and they could do X. they could do Y. they could do Z. and X. Y. and Z. are always the worst possible things so that means we have to we have to prepare. We saw that a lot in the cold war. How do you go up and down the escalation paths are the the escalation ladder. How do you prevent a. And I tak. From getting out of hand. A conflict I'm getting out of hand. How do you often see capabilities actually in the Hansard to detract from your defensive posture. I think nobody understands that all and if you don't understand some threshold conflict what I mean here is that most of the bad things that happen to us in cyberspace are happening to us. In we belong to any level of war. MALLETTE of the armed attack threshold below or the use of force threshold and how should we engage in that conflict and we just give everybody a free pass. Well up until now more or less that's what we've done. Is this a good thing to do you know. It's an interesting question. Let me read through this example this particular example OK of possible ways where the U.S. in particular in China might get confused. There is a great story in the in the two thousand and five Wall Street Journal article in which the US was talking with China about engagement between the two countries they want to promote engagement and the Chinese there were scratching their heads and said engagement that's either a marriage proposal or an exchange of fire. And they didn't understand. OK didn't understand what we meant by engagement. OK So there are a lot of there and there are a lot of stories like that. You know what is the matter deterrence mean does it necessarily doesn't necessarily mean by punishment could it be deterrence but if it's some people some translations of deterrence come across it. The translation is intimidation. That's sort of not the connotation that we want and we want to deter other people but if somebody's trying to deter us they're trying to intimidate us. That's an interesting you know what are we trying to do here. The rim of the private sector. We can't believe that the private sector and the Chinese government act separately. They can't believe. OK. They think that we're Kalat our private sector and our government our own collaborating all the time. There are reports of that the National Command Authority is in China and you know with the civilian military are not necessarily in full alignment on various things. As are true that are in a cyber context it's harder to come in to exercise command control than in traditional military operations because you've got these big things moving around in the traditional military operation space and it's just a few strokes on a keyboard with with cyber. Other contested issues U.S. is very loud in public about its interest in cyber security China is a lot more quiet about it they have different views on you know what might be a little a cyber target. OK. It could be in for it could be the hardware the software. The information there. It could be the artifacts controlling the body the computers. It could even be the confidence of the adversary and other things that you're trying to do what constitutes a good ultimate target. And then there's this question of what counts as political as it is hostile information. OK. Does it matter where it is sending malware or a hostile communication. Is sending random bits in a part of a denial of service attack hostile. How about you know sending in pictures of him in square. Does that count as hostile. Well I guarantee you the Chinese think that is. So those bunch of interesting questions in in in in this space cyber crime. What counts of cyber crime is it the use of technology to commit a traditional crime where is it a crime against technology. Same thing with terrorism rocks of issues related to the law here is less a barrier to government action or is it just a guideline. It's an interesting question there whose I'm out to conduct cyber attacks. Is it just members of the uniform on behalf of the on the avenue that is just a uniformed military or is it just the uniform military where can reserve forces do it or random people picked up in the street U.S. has a very different view of this than other nations around the world. And then does this question of you know this hard business of cyber conflict that's based on deception which is it's not it's there deception is somehow an antithetical to many arguments about warfare it's about. Bottom line. OK serious studies have needed here. I hope I've been tending to raise questions out but I haven't given you any answers and hopefully we'll raise some interesting questions. You've got to have you've got to figure out what we want to do before we can come make any serious progress. We're going cybersecurity and it's been terribly introduced in. Right. Disciplinary project and I believe that tech is a great place to do it. You've got the interests here you've got the experts here in a variety of disciplines all relevant to the subject many interesting questions in the policy space here. This is you can read this here I understand that for example just in the technical side there are very interesting questions related to cyber warfare on the technical side that have to do with more than just engines preventing malware from getting you. For example you might want to be able to keep track of where your Trojan horses propagate not be an interesting thing to do. Let's the side require launch of a lethal radius if you have a nuclear weapon you blows up you know you can calculate the five P. S. icon to his word and everything within that with no harm to five B.S.I. gets destroyed there what's the what's the sequence of a cyber lethal radius and what would that be. It's not measured in meters. But what would it be a variety of that it just seems. And I don't know but the weather report that we're talking about there. That's in this valley in here. They're fifty interesting questions. So. I think I promise. Forty minutes or so and I'm happy to entertain discussion and argument than commentary. So. We're here. OK good night. Yes that's right. Our way already. Right but that is yes. The point the point this mean made is that you're advocating our speaker here is advocating the cross over the point at which cyber across a little bit of physical that's when you have to start worrying about it because right but before that the fear crosses over then it's just in cyberspace right and we're undergoing cyber attacks all the time. That's the and and well that's why I assume that what you mean by that is and therefore to end it at a lower level of seriousness than it is in the in the physical space in physical world is that the implication I mean that I think that's why why the question is right that is why we're talking about cyberspace as a as a new domain and that's in fact the lawyers say that it isn't. Many of the international lawyers on this say that you have to figure out how the existing international laws that govern conflict apply in cyberspace. OK So they they have to figure out what it means to say a use of force. OK what is what is the use of force in cyberspace is a you know a lot of the say if you if I drain an a national treasury of a trillion dollars Is that a is that a use of force and I mean there's no consensus on that at this point. So it's that's exactly the sort of question that you would have to answer any other over here. Our news was more about stars whose. That was the claim. Right Larry. OK So the question was that Russia was disturbed by stocks not because of the claim that it could have led to a meltdown and that to the best of my knowledge reactors. Don't you centrifuges. And so while it's true it's it's absolutely true that stocks now spread to a variety of different installation infected many many many computers tens of thousands of computers but by most reports that I've heard from people of the ME I've only known what I've read in in in the open literature about this mostly if it found that it wasn't in a computer that was associated with a particular configuration of hardware on it it shut itself down it infected lots of computers it didn't harm very many and only the harmed a few namely the ones with the specific configuration of a skate a systems attached to it and so on. So unless the Russians have a particular nuclear reactor that uses the control systems that they talked about. I'm actually pretty skeptical about the claim that other thought. Back up there. Sorry. Can't you. So that is right. The question is is there on are is there serious research I'm going to like that's in fact one of the questions that we've done that we outlined in our in our report. It's a serious question and a fact of the sort of the example that our our speaker just used is this question of what would the Chinese conduct a serious attack against our national financial system given. That they own us now. And that's I mean it's an interesting question and you know I personally am actually not particularly worried about that might be more worried about a Chinese attack if we were going to go to war with the Chinese which I hope we're not going to that was a more very much more targeted thing where the effects of blowback would be minimized and the interesting question about blowback is how do you publicize blowback in such a way that your potential adversaries know that it's just they should be worried about it and that's a very interesting question and I don't know the answer to that either but there is there is research that should be done here we have one here. Continually frustrated by what I have read captured parts of this product captured in Iraq. Rocky from any front in recent years and they have all been there has been to my knowledge no retaliation nothing said to Tehran. You are taking life and limb of our troops. If you continue will make you and my frustration. We've had all these good men and women who have lost arms and legs or worse who come home damaged for life or come home in a casket and Tehran has had home free up to was why do we not have as a matter diplomatic policy or why you hurt our people you will lose your national command center. We will close down the bank of to run it cetera et cetera. For me. Ethically is acceptable because Iran has been at war with us. Modern heiresses ninety seven and they've gotten away with everything up till now and I don't see why we don't you correct to hurt them in that way because we have a legitimate real. Three reasons and you are morons understood and there is an interesting question here as to whether I mean I don't know what back channel messages have gone to the you know to terror and government. So this is what I'm about to say is complete speculation just pull out of the air complete speculation. So there's been a back channel message that says to the year Iranians that we were responsible for stocks that will deny it if we're ever confronted his we are responsible for stocks. Net and part of the reason they were sending us against you is because of you know we want you to suppress the people that are sending off these two to war rock and Afghanistan on and if you don't cut it out. We're going to do something worse. Maybe that has happened. I mean I don't know why you say it hasn't stopped OK but it. We I.E. you these things don't stop you. No clue Turkey. That it's hard to control a bunch of loosely affiliated groups and may not get the message and going to take time to suppress them and so on but I don't know this is that I'm just this is just pure speculation on on on my part to the in response to your question is that. What it is. So the question is would that be a valid use of our of our side but often some capabilities and that's an interesting question. I'm not on I'm saying whether it's valid or not would put me into the position of trying to act as a policymaker and I'm not OK so I don't why I don't want to comment on on that I may have an opinion about that as a citizen but I you know I don't have any expertise on that. So I'm going to I'm going to dodge that question over here free. How the question is how difficult little is the craze hackers The answer is on if you just limit yourself to technical means it can be very if he doesn't make a mistake. It can be very difficult. I mean virtually impossible. On the other hand there are people may. Mistakes. OK So for example. Let me just as this is a just to speculate you know speculate get a speculative thing. Some people like to put signatures in you know the signatures they use they used made up names you know somebody is you know the Ghost Rider or something like that. Well you know maybe this guy school who calls himself the Ghost Rider also uses Ghost Rider on his Match dot com dating profile and you know I mean you know and you know people. It's hard for people to come up with completely random names. And so if you know you if you've now identified a this guy is ghost writer on Match dot com I mean you have another way of learning more about him and we have to make sure that that binding is is correct but you know that that could happen. OK so if you use non technical means and signals that maybe monitor a phone call that says you know bragging about this you know about it. Somebody maybe you'll catch him that way but the point and there was a recent New York Times article about this point in the make basically made this point you know for a reason I know you're very good friends. Right right right right. Yeah OK so there are and so the question is one who's been responsible for most of the attacks and the cyber attacks on the United States and the answers. I don't know. Nobody and the United States has not made public statements about it. I'm sure there are classified assessments of that but I haven't been privy to them so I can't tell you anything if I could even if I had the clearances to see that I you know I couldn't tell you. Is there a way of knowing what attacks happened on some central listing Well there are people who the the Computer Emergency Response Team based at Carnegie Mellon does keep is as good a database as as any one of the interesting things in this is that we thought. You know in our report that site held up there. The cyber attack important to the one we have there ought to be a central listing of all the cyber attacks that we've conducted. OK I don't know highly classified absolutely sure absolutely. Classified you know them with lots of a lot lots of words and say you know don't release. OK But you know I have I don't want to go right now for policy why would you have it for policymakers to know what we're doing the people at the National Security Council are to know what we've done in the past and we've also said that there ought to be a centralized listing of you know a centralized budget number system which tells us how much we're spending on developing cyber attack capabilities very turns out that both of those things are very hard to find anyway so when there are other questions or comments or thoughts are no yes no yes are you coming out or give me your opinion on it and the reason I'm here. Militarily if we're roles that I'm having problems with this we're being asked. We're you know you're OK If you say it. We're all tied together back on our our you know water production type thing and I'm questioning why the military is all in there. I'm curious you're you're dealing with the fives I believe in you know your thoughts on military and what I think is corporate responsibility. So the question is why is the military being called upon to defend essentially private sector assets. Essentially that's the question right. And you know at least part of there are two reasons for that one is that the military depend on commercial assets. Right. So ninety percent of. Communications flows over the all over public networks and so that's a big deal and how lab would. You know you're in a military base survive without external power without the power grid in locally I mean they have backup power sure but backup power lasts just so long and then at some point they're going to go dark too. So there. So there's certainly a military dimension to it there's another dimension to it which is far less talked about. OK which is the fact that the military has most of the capability and knowledge in this area. Whatever else you may think of N.S.A. from a civil liberties point of view or whatever a lot of people are you know and N.S.A. from a civil liberties point of even the people who are anti N.S.A. from a civil liberties point of view say that they have the technical expertise. OK And so the D.O.T. has enormous expertise to bring to bear on this problem that policymakers say why don't we use this. Why don't we use this expertise to help protect the private sector. Now that gets into all kinds of interesting questions about you know you have certain people saying no no the N.S.A. can't be trusted. Other people saying but they're part of the U.S. government and you you know basically are saying don't trust the government you know you have all those kinds of all the arguments which you know I don't participate in those arguments. I just observe them. Other people are there. I want to question is are there a law school teaching side law yes there are some there are a few were there and there are not as many as you would like but for example Jack Goldsmith who was on our committee and a former senior legal counsel in the Justice Department is teaching a course in cyber law at Harvard. And the national security dimension of the stuff are very very interesting and it's untested unplowed ground. All their thoughts are. Up there. The question right. The question is is cyberspace. The question is are learners thinking about a new legal structure to govern cyberspace essentially right. And this is one of the things that legal people and technology people come to blows with all. And with each other a little time on. OK the technologists like me say cyberspace is really really new and really new and innovative and different. OK And the lawyers don't care about precedent. Right. They don't really care about precedent and they they extend their thinking by going into new domains by citing precedent. OK And it's a frustration for me as a technologist I know it's a frustration to the lawyers. I mean economists are like this through. They always say No no there's nothing different about information technology. I have to say as a technologist I don't like what they say but as an analyst. I'm in I'm afraid that I'm not as Pro technology is difference as I used to be OK. I mean I've come to believe that the lawyers and the economists actually have some very useful things to say about it. It's not different in certain ways and I you know with the good policy person to pay attention to that. So what you described is an interesting you know it is interesting. You will find many lawyers who say let's throw it all out and start all over again much as the technologist would like that. Other you would. That's right. OK I understand other thoughts or comments or. You know up there. I run right back there. A fascinating question what counts as peace. Right. In cyberspace want to count this piece. And have we ever seen it. I think the answer to that it has been is largely you know we haven't seen it. I think the finally you know defining pieces of this is a very interesting. It is a very interesting question and I don't think you know I have not seen any serious legal analysis of whether we're at war in the sense that people understand the term. Now I mean there are people holler about cyber war or which I think is all overblown rhetoric on but I haven't seen any serious side any serious legal scholars argue that we're at war and cyber war now so that means not must mean we're at cyber peace. Now does that mean there are not bad things happening. No but you know if they're criminals in the street does that mean that we. I mean Peace is not a or trump peace and tranquillity domestic tranquility does not mean the absence of crime. OK means that it's kept that manageable levels. Well it's an interesting question as to whether the cyber attacks that were being subjected to. Now all of management level a lot of people say yes no doubt people say you know people like Sally and me we make our living off of saying no it's not manageable now it's only getting worse. OK I've spent a lot of time sitting you know say making that claim. OK So you spent more time making that claim. But there are a lot of people who by their actions say how and so bad because they're not doing anything about it. I mean one of the interesting things that Patrick Morgan in his paper here points out is that if you're trying to do it you're trying to deter somebody. This is a big deal. You have to take lots of actions to demonstrate credibility demonstrate results you do lots of things you build missiles and you know you launch crash projects and so on. We haven't done anything in cyber space. It's all been rhetoric. According to that argument. OK So that mean this mean we don't take the certain very seriously. No we're not doing any much of any deterring at all. Nobody's taking nobody's suffering any consequences for having attacked us. What kind of deterrence posture is that. And so that you so you get into the you know so far by their actions say Well Nancy not a big deal. That drives us crazy but that. I think that's what they were talking about. Yeah there was no problem right there. I'm going on about it right. At last report there were roughly fifty different bills which drip reported to address some part of cybersecurity and every committee on the earth in Congress wants to have a piece of the action here. So the problem is not that there is no interest. It's that everybody is interested in it and so when you have lots of competing legislation. OK And you know you have every committee wants has its own cybersecurity bill. So I'm not sure that's what you get is OK so. So the comment was that there are all. Mostly I talked about nation states and that there are lots of non-state actors like the criminal organizations and you're absolutely right. But we don't even know how to deal with the nation states. OK everybody understand who who is a serious scholar in this understands that the non this or that the that the non national actor the sub the sub national actor is a big deal in this and may even be dominant. OK everyone understands it. No one has any idea what to do about it because nobody understands how to deal in an environment in which got Nate governments are organized around Nations and you know this is the Westphalian system right. Nobody's proposed any significant alternative to the know what. And if we regret it. What if we're going to if solving the cybersecurity problem involves overthrowing the Australian system of nations. A lot of time. So you know and I think nobody nobody really understands how to deal with the non-state actor in this that people you know who who try to think about it and we agree that that is a we. That is a big problem but how you deal with it. Know when the nations aren't really willing to step up to the plate. It's a real problem and about the right. Well that's a good question. The question was if we want to know how to do it in the physical dome how to deal with non-state actors in the physical domain. How do we do it. How can we do it in the cyber domain and that's a great question and I think that a lot of the lessons apply but we haven't done it. We haven't done a very good job of combating terrorism in the physical world either. So you have something here is where a lot would be where is our problem being drawn out of the process of the Russia the Russian. I have been trying to get the U.N. to focus on this for a long time and there are in the end the U.N. does care about the problem with the going through the U.N. for a lot of people is that when you start talking about matters of cyberspace you start talking about matters of governance of Governor how do you govern cyberspace and the U.S. is very strongly opposed to any attempt to quote govern cyberspace in the way in which most of the international community wants to do it because what they interpreted the as is government control of what happened what transpires on the Internet and so with it. Say you know if it requires the U.S. cooperation on this. It's the it's not going to go anywhere because the U.S. So they say says that you know all these attempts to govern the Internet after do with content regulation. And we don't want that at all so. It's very very visible. If you use those issues. There's a physical Yes it is for a physical attack. Yes yes there is precedent because cyber is different then and no nobody has nobody has yet cling to to a cyber attack that's caused the deaths of three thousand people in a you know an hour if and when that happens maybe maybe we will but so far we haven't we haven't crossed the we haven't you know come to that limit gun yet. Yeah commitment wise receives the news. You know we Russians have been engaged in this subject for trying to get some sort of international agreement to ban information attacks since nine T. ninety six or so and there you can speculate on Russian motivations the prevailing belief within the United States is that the Russians want to do this to cut off a U.S. a strong U.S. advantage. That's that that's the claim.