 My name's Jim Lewis. Thanks for coming to CSIS. This is the first of the inaugural event in a series of cyber leader speakers where we thought we would invite the people who really shape policy here in DC to come and talk about their perspectives on what the, what they think the issues are, where they think we are in terms of the administration's policies and the situation we face. The other speakers will be people you all know. We will have a website, but I wanted Eric to be the first in part because I haven't seen him in a while. And in part, you know, I just don't know what it is. Come on, man, you can do it. You can, like, kill time for me for a long time. I didn't tell any of my jokes, so they're grateful. You're unlucky because Jim's jokes tend to be on the border of appropriate. What are we doing? How are you? I should introduce you. No, you don't have to. That's like, I'm late. I should, you know, you are late. It's embarrassing. Eric? So I've known Eric for a while and I was going to kid him about being in the army in October Fest, but maybe we'll skip that. My annual October Fest is this weekend, so that tradition continues on. Good. He was confirmed, so his title is now, and I had to write it down, the Assistant Secretary of Defense for Homeland Defense and Global Security. So let me introduce the honorable Eric Rosenbach. Yeah, now honorable. Thank you all very much. I was recently confirmed, which was great because I've been waiting for quite a long time. It's 10 months. And now the thing that really puts a lot of pressure on me is that Paul Stockton is the person who has previously confirmed for a part of that job. And as you all know, he's pretty good, so I don't know if I can ever measure up to that, right, Paul? It's gonna be like jumping over, Paul. He's already pressing me. Here I am, public event. He's sitting in the front row, grading my every word, right? So thank you all very much. I am sorry that I'm late. And depending on this morning, we were haggling about budget issues because it's program review season, so we had to have one of those fun talks about where to allocate our money right now. I today would like to talk about the idea of cyber deterrence. And the reason that I wanted to do that is because I find pretty often nowadays, both in academia and then in the press and in the chattering class, that a lot of people will say they're very disappointed in how little policymakers and political leaders are talking about cyber deterrence, thinking about cyber deterrence, that it's just not something we ever get around to. One of those people is Jim Lewis, who I even looked on his webpage said, policymakers aren't thinking about cyber deterrence. And there's something to that, although he, as you will see from what I'm gonna say, I think is very sophisticated in the way he talks about it. But I also am gonna do this in a way that it maybe is a little bit different than what's traditional for CSIS. And I hope you're all okay with that. At one point in my schizophrenic career, I taught at the Kennedy School, where you teach by the case method. And when you do that, you do a little Socratic method. So I hope you all are ready, because most of the talking is gonna be done by you. I'm gonna talk you through some questions and see what you think about this. And I will give you some of my thoughts as well. But I'd like to proceed that way if y'all are okay with it. So by tradition, I always start doing this by picking on the person in the back left corner. Because when you teach that person is usually the person who least wants to talk, right? They didn't do the reading. They're gonna try to hide behind their laptop. Unfortunately, I don't know everyone's names, but that's you, right? Yes, ma'am, you can stand up. She's looking, she's looking shocked and hoping that, please do stand up. It won't be a super hard question. That was good, all right. She looks, that's even better. I doubt that, I doubt that. But you know, we can learn a lot from non-Americans, so it's a good place to start. My wife is European, so she tells me that all the time. Okay, if we're talking about cyber deterrence, you know when you do this, you always have to start with what one's perception of deterrence is. So tell me that. What is deterrence to you and why? Yeah, oh yeah. Go ahead, please. Don't worry, you're not the last. You'll seem far more poised than almost anyone else I call on, I trust you. We also have microphones, so if you could wait one minute for that. Okay, all right, go ahead. I know you're stalling to try to think the answer, but keeping us on task here. Really, okay. Stalling, stalling, trying to flatter me. Okay, answer the question, ma'am, please. Deterrence, what is it? It doesn't have to be cyber deterrence. Just start with a more general elucidation. That's pretty good, right? Okay, good, right. Supportive audience, good, thank you. All right, after that then, I always go to the back right corner. This is even better, because it's a guy in uniform. Go ahead, stand up. That's you, yeah. Guy in the uniform, right, all right. He told me he was gonna do this, and I didn't believe him. Yeah, tell us real quick who you are. Okay, so there are two things in both of those answers that we're gonna pull out and talk about later. The first is that you're actually going to, in some way, communicate something, right? And the second is that there's an action, reciprocal action associated with it, all right? Very basic stuff. Who in here is one of the deep thinking, nuclear deterrent theorists who has their PhD from probably some Ivy League institution? I know who I'm gonna call on if I don't get an answer. Anyone who's like a nuke expert in here? No, there's no one? Okay, that's actually probably a good thing. But then, you know what I'm gonna do, is I know Paul Stockton has a PhD from Harvard, so of course, I'm gonna pick on him. Okay, Paul, when we think about the classic aspect of deterrence, nuclear deterrence, what is it? You know all these fancy theorists, right? Little schnelling. Help us think about that, just the nuclear part. And the reason I say that is, you know most often when people are talking about cyber and deterrence, they'll say, why don't we have a generation of new thinkers who are as smart as the guys in the 50 who came up with all these great theories about nuclear deterrent deherts, right? And it annoys me a little bit. Paul's not one of those people, because you know he was very young back then, but help us understand that, Professor Stockton. Sure, give up on trying to split as Richard Danzig has pointed out in the article. And then secondly, I believe there's an opportunity for deterrence by denial. And that is, we might be able to harden our networks and our infrastructure so effectively, they'll create uncertainty in the minds of adversaries. Okay, don't still not punch the line too much, right? That's okay, no, that was very good, but you know he is a PhD from Harvard, so it's sometimes hard to get them to be concise and then not give the extra part. But thank you, he has some of my talking points and I didn't even give them to him. Nuclear deterrence in a lot of ways, from my humble perspective, is way more simple to understand that it is with cyber, right? Because it's known adversaries with capabilities that are on the extreme trying to do known things that are also very extreme. That just makes the logic of it all a lot more pure and easy to dissect. So I'm gonna show you something that is also deterrence but is more complicated and that's in the legal world. So who here is a lawyer or has a law degree and is feigning to be an academic? Yes ma'am, okay, great, even the volunteers, stand up please and then tell everyone who you are. Oh, even better, this is not staged by the way, right? And see, you definitely weren't the only foreigner, right? Okay, so this is what I'd like you to help us understand. For deterrence when we talk about it from a legal perspective, how is that different than nuclear deterrence? Stand by. Sorry, go ahead. Under the law, say for example in the criminal code, what are we trying to do in criminal law to deter criminals from doing bad things? Okay, that's good. Thank you very much. You passed the test for that one. Who now can tell me if that's the philosophical idea behind legal deterrence, what makes it an open question both in reality and in research, whether deterrence from a legal perspective actually works, right? Because you all know there is the death penalty in the US in some states, but it's pretty unclear whether having the death penalty actually has any impact on whether people commit first degree murder, right? So that's the question then. What in aspects of legal deterrence makes it more complicated and maybe less effective, a little softer? Anyone? Maybe I'll pick on someone in the front row. You know who I also always pick on? People who are on their laptop. So this gentleman, very distinguished looking, he's got a great looking bow tie, but he made the mistake of being on his iPad. What from your perspective, sir, would be the things that complicate legal deterrence from a criminal law perspective or in the criminal perspective? On the side of the legal side, it determines. There you go. All right. Well, there's one side and that's the issue of how it's applied. So one of the problems in the legal system is if people feel that it's not going to affect them, then it doesn't become deterrence. Right, exactly. So it might not affect them. You may not be sure you're ever gonna get caught, right? Right, but on the other side, it also, deterrence has to do with will, values, culture, and motivation. So it's what you're trying to accomplish. So if you're in the middle of something, if we're having an argument, I may not think about the philosophical issues of deterrence before I take care of you. There was a, there was a sentence announced this morning on NPR of a guy who had murdered, shot someone because the music was too loud. And he's getting a live sentence and I don't think you probably thought about that. So it's also what you think about because it has to do with what your real motivations are in values. Right. And that's how it affects. Or the communication part or someone has to internalize it. Are you an actual lawyer? No. Oh, okay. Almost sounded like it. But you can dress like a law firm partner. Yeah, people ask for it. Only a compliment, okay. I just started with it a bunch of years ago and just kept working. Very classy. Okay, so in legal theory, it's actually much more like cyber than it is like nuclear, right? Because there are these things, a lot of what you've been mentioned is there's a lack of certainty as to whether you're going to get caught or punished. That's a lot like cyber depending on the cyber we're talking about and we'll talk about that in a second. There's a whole range of cyber in terms of the actions just like crimes that is much different than in nuclear deterrence. Nuclear deterrence, it's the act of a nuclear weapon raining down on you that you're trying to deter. Whereas in criminal law, there's a whole range of things, also very important, a whole range of actors, right? And nuclear deterrence, primarily the Soviet Union and the United States, but now a couple others. Much easier to think about deterrence when it's from that perspective. So in other words, these are two very different ideas and they help inform the way we think about cyber deterrence, but neither is really definitive, I think, in it. And so the rest of the talk now, we're going to try to investigate that. So my next question in this little Socratic dialogue here is when we talk about cyber deterrence, what is it that we're actually talking about? And you know, another reason that I like to do a talk like this is because I can ask people questions who are used to almost always being the person who asks questions. And you know who that is this time? Siobhan Gorman. She's right there. She's big time reporter for the Wall Street Journal, right? So one of those people who normally strikes fear in my heart when I see her in the audience, because I know if I make the slightest misstep, it's gonna be front page Wall Street Journal, Rosenbach said, and I won't even say what I would say in Jess because I could be quoted. So Siobhan, what is cyber deterrence? What are we trying to deter and cyber from your perspective? Or what are ways we could think about it? Okay, two things, right? Stealing data, that's a more specific thing. What kind of attack are you talking about? Right, exactly. Okay, that was pretty good. Are there other things in that range? Siobhan, you can think of that, you know, help us understand the wide range of, Yeah, cyber actions, yeah. She's really smart on this too. So it's not as if she's, you know, being cold called completely. Okay, thank you, that was very good. I should keep you standing and talking the whole time because then you can't take notes and write the article, right? And I'm sure Ellen Nakashima has to be here somewhere, right? No, her husband is having a medical procedure. Oh, okay, let's do that. Who's the other Washington Post reporter that I get to pick on? They won't even raise their hand. Okay. Dude, some chairs in the front though if I can make an administrative note if people wanna move up and sit down. Yeah, come sit down. They're scared, right? They say, oh no, I'm gonna be called on. You know, I definitely could call on the NIO, which is the smartest intel person in the government for cyber if I wanted to press him a little bit too, but I'll keep him safe. Okay, so we were back to Siobhan's point that there are a range of actions in cyber that quite frankly in the press and academia will all be called a cyber attack. If there's someone stealing your intellectual property, they say they suffered a cyber attack. If there's someone who steals your credit card information, they'll say it's a cyber attack. If there's someone who's stealing your personal information as a cyber attack, there's someone who's trying to hack an industrial control system to do something more physically destructive, that's a cyber attack. And so that's another thing that puts a lot of intellectual muddle into this conversation about cyber deterrence and what it is, is because too many people use the word attack to mean what most people think is the high-end attack, like a nuclear attack, something physically destructive. So if we want to get to a better understanding about nuclear deterrence, or excuse me, cyber deterrence, then we have to be more precise about what that, that it is. And here's the question I have for you all then. This is kind of philosophic too. I'll take a volunteer so you can start thinking. Do we actually as a country, and then the second question is, as the Department of Defense, want to try to deter all of those cyber actions? And then of course there's a follow-on question. Who has a thought on that? Yes sir, tell everyone who you are too. Really? Okay, all right, here's the thought. Stand up, you gotta face the studio audience, tell them who you are. Remember, you're on the record, Siobhan will put you in the article. Okay, all right, who else has a thought? Yes sir, stand up, face the audience, tell them who you are. Inside cybersecurity, he definitely should know what he's talking about, right? This is another guy I've always wanted to ask harder questions. So I gotta think of some really hard ones. Okay, go ahead, Chris. It is, because there is so much, thank you, it is very, very important that you try to prioritize what you're going to try to deter. And especially from my perspective, from the Department of Defense perspective, we have to think really hard about what it is we want to deter. And some of that has to do with what our role is in the government, right? We're not primarily responsible for law enforcement, cyber crime. We'll often provide support to the FBI or the DHS, if it's the Secret Service as the lead. But that's not our primary mission. And who has a thought about, on a scale of deterrence, so if you're trying to come up with a soft intellectual model right now, where you say least deterrable of all these cyber-actions is X, and most deterrable of cyber-actions is Y, who has some ideas that they would place in that spectrum, and then you have to give your idea of Y. So let's start with least, and then we'll work up to most deterrable. Anyone? Okay, I'm not gonna let you sit. Okay, you just got called on. Next, I'm gonna pick on someone else in uniform. And here, go here, this gentleman right here. Two yellow stripes, looks like you're from? Switzerland. Switzerland, all right. Interesting, we'll get the Swiss military perspective on cyber-deterrence. Okay, so on the left end of the spectrum being things are least deterrable. This is his personal perspective, right? I should have said the outset. He's not representing the Swiss government, nor the Swiss military. It's just his personal perspective, safe intellectual environment. You're kind of on the record, but because I said that, the press will treat you kindly. For me, the least deterrable- Can you guys stand up please? The least deterrable actors are probably criminal organizations. Yeah. And not states. Yeah, why is that? Because they don't care about your actions on the nation-state level. They're operating in a different environment. Okay, that's a good point. Who has other thoughts on that? Least deterrable, start, and we're working our way up. No? Yes, sir, go ahead. I think in crime- Tell them who you are, too. Hans Homer, intelligent decisions. Some of you might know me, if not, you're lucky. It's, when you're doing cross-border crime, it's really hard to get police forces to work together. There are different rules about evidence. There's all kinds of things that slow you down, and the amount of money at risk is often trivial in terms of how banks deal with it. Yeah. They can get the money back just by charging us more money. And they're fine that way. I'm not sure if they're fine that way, in my personal perspective. They think a lot about their business case, but you're right in that they may be able to absorb those costs or put it into the business model in a way. Really important point that he brought up is that if you're worried about cyber crime, enforceability, just like this gentleman mentioned earlier, is a really hard thing. What if one of the most powerful cyber-organized crime groups is in Moldova? Just for example, I'm not saying it is. And there's not an extradition treaty or any of the legal framework that you need to do the enforcement action. That's pretty hard, right? You can have a fair degree of confidence if you're that person in that country that you're gonna get away with it. Here's a story that I just thought of that shows this, but it's a good news story in the end. So a couple of years ago, I was teaching an exec ed class at the Kennedy School, and it was full of senior military people from other countries. And it was a senior Romanian military intelligence official, and he said, we had a big problem with cyber crime about five years ago. There was one village where, it's not a village, it was like 40,000 people. These three guys got very, very smart on how to steal money from credit card transactions. They were so successful that they made a lot of money, and soon a BMW dealership opened in this town of 40,000. And they taught a whole bunch of other guys in this town how to do it, and pretty soon, three years later, there were three BMW dealerships and two Mercedes dealerships just in this town of 40,000. The problem was at the time, there was no extradition treaty, the government had decided as long as there was nothing, this is at the time, that was being perpetrated against an EU for political legal reasons or Romanian person, it was gonna be basically too hard to worry about, and so they kind of were hands off. Good for them though, they figured this out, brought down the wholesale, and I'm sure all the car dealerships now are all closed down, but it can just go to show how, if you're in a certain environment where legal frameworks keep you from enforcing it, and you see that there's a good business case for it that can make it pretty hard. Okay, not to emphasize that too much because we're gonna get to the core thing of DOD. Okay, so we talked about cyber crime, what are other things on this deterrent spectrum that may be maybe even less deterrable than cyber crime? There's something set up, yes sir. Hi, Richard Parris from Interseed. So it seems to me the model we had with deterring homicide is very similar to cyber, so why do people commit homicide? The mad, the bad, the passionate. So I think if we look at cyber attackers, the gentleman who closed down air traffic control in Chicago by setting himself on fire is a great example of somebody who maybe is outside normal social norms, is the inside attacker, how do you predict when somebody on the inside goes mad? I think that's very difficult. That could be in the Pentagon, it could be in the White House, could be in Secret Service, wherever. I have to admit, I had not thought of cyber crimes as a crime of passion, but that's... Well, I'll come to that. So then if we look at bad actors, that could be the Russian gang that stole more than a billion usernames and passwords. Clearly bad. They're not going to be deterred by normal laws that we put in place to keep out for good guys. Just to make sure we focus on the question at hand here, on this spectrum of deterrence for cyber things, which specific one are you talking about and where is it on this? This is the horizontal spectrum. So then I think we get onto the passionate. So we may have different views to the Chinese and the Russians on how we behave internationally, but I don't believe, having been to China, having been to Russia, that the guys there in government are actually bad people. I think they're very passionate though about their social norms. And I think whatever we put in place, unless you have the equivalent to mutually assured destruction, they'll keep coming whatever rules we try to put in place from the West because they are passionate about their value system, at least at governmental level. Okay, we could dig into that even more, but I will agree on one thing. The Russians and the Chinese definitely are not bad people. One of the things I do in my job is to negotiate with them on cyber issues. And it's not that, but it is clear that they have different values in terms of how they think about cyber actions and what's appropriate under international law if international law even applies. So that is definitely clear. Who on this horizontal spectrum we're talking about will give me their perspective on where the theft of intellectual property is. That's something you hear a lot about. We spend a lot of time thinking about that too. Where is this on that horizontal spectrum? Anyone? Okay, yes sir, go ahead. Hello, my name is Charles Cox. I work for SOP North America. So on the spectrum, from individual hackers getting on your laptop or stealing your identity, that kind of individual stuff, I think there's something even lower than that. That's just not destroying anything, but putting bad data out there. Putting that bad data out there for malicious purposes. That can't be controlled or deterred. Deterrence is keeping someone from doing something, which I think it is. On the other end of that spectrum is not necessarily destroying any of our systems, but just getting, especially in the Department of Defense, our systems to do things that were unintended. That's a horrible threat that I think I hope is deterrable, and I hope that's a big focus of the people who are experts in this arena. That's really interesting. What do you mean by that? Well, you asked me to put something on the spectrum, so I was trying to identify for you what I saw as the spectrum and then tell you where I thought that question. You asked what was it, which was somewhere to the right of center near the uncontrollable, as opposed to the things that ought to be controlled, whether or not they can be. Okay, thank you. Who on intellectual property has an idea about how deterrable that is? Theft of intellectual property. Anyone? Okay, then I'll call someone. Oh, this is Joanna. I used to work with her at one point. Go ahead, Joanna. I would just venture, I guess. I mean, I feel like it's probably pretty difficult to deter somebody from stealing intellectual property because... Why do you say that? Because it's innovative and innovation drives the economy, and I think a lot of countries, especially emerging markets, I mean, they're all trying to get ahead in terms of increasing the GDP and so forth, so having that innovation is very, very important. Okay, so we're gonna come back to her and ask her then. I agree with that. So it's still on the left pretty hard to deter. We're gonna think about what could we do to make it more deterrable, more susceptible to deterrence. Okay, thanks, Joanna. Okay, who then, this is the grand finale for this part, what are the things that are the most deterrable and who's gonna give the perspective on that? Anyone? Yes, this is very thoughtful person, very well-educated and used to, in some ways, a little while ago, have some of the job that I have. Linwells, I'd say state-sponsored attacks against critical infrastructures that really have a destructive impact on the national and national. And so you also think, probably among the most deterrable. Most deterrable. Yeah, why is that, Lin? If you can trace it back, which is a big F. All right, we're gonna talk about that. Then you've actually got a, I know where there's an article five, or it causes ballet, but you've got something that really is a serious marshaling point for public opinion or for behind-the-scenes diplomas here, counter-failing actions. Right, exactly. We're gonna talk more about this, but essentially when you do something that is the equivalent under law of an armed attack, then it opens up a whole bunch of options that you have available to yourself as the Secretary of Defense, the White House, whatever the case may be. It's much easier because you have more tangible type of options. Okay, so we've basically traced the horizontal and if I were really teaching it, I would have the PowerPoint slide and it would go up there and you would see it and we'd have those on there, but you all have the vision in your mind. Now what I want you to think about is a vertical axis that is the who. So we've talked about the what. Now the who also matters a lot to deterrence and cyber. A lot like criminal law matters quite a bit too. Who has an idea about who the most deterrable actors are in cyberspace and who are the least deterrable. And then if you want to be super clever in this bipolar model there, you can say someone who's in one of the quadrants. All right, Air Force guy, I've got to pick on my fellow DOD citizens here. Sir, you can tell everyone who you are. Again, this is not DOD perspective, just his personal opinion. He's in uniform, so we got to protect him, right? Thank you. Got you back. Joe Harald, I reserve advisor to the CIO A6 for the Air Force. Good, all right. The easiest to identify would be other military because they're in uniform if they're affiliated with the military structure, specifically. I'm going to give you a break and I'll ask you this. Who can I ask, why is that? I agree with what he said, but why is that the case? This guy right here, he's also very smart. Come on, I know, you even took the class, right? That was great. Of course, stand up, tell him who you are. How much you're hating this? You're only having PTSD, right? Yes, Jason Tomah, former student. And I'm at Brookings right now. He had one whole J-term week of this intensively nine hours a day. Can you imagine that? Exhausting, okay, go ahead. It's nice to see you again, by the way. Good to see you as well. So, I listened better back then. What was the question again? I don't know, I'm sorry. Yeah, you're supposed to be well-trained. Why is it that on the deterrable actors, as our good Air Force colonel from the Air Force CIO shop said, that another nation's military may be among the most deterrable, that they as an actor. I think it comes back to the gentleman's point in the front row, which is if you make the assumption that the military is working for the nation state and they're under control of whatever that nation state's government is, I think there'll be some oversight and control over the military forces. And so the decision to use them deliberately for some type of aggressive attack would come back to the same points that the gentleman here made. That's exactly it. And why, or let me ask you this, are there, of nation states, are there certain nation states that you think are more deterrable in cyber than others? And why? I would assume just pause at a couple theories. I mean, some, the nation states that are on the border of being nation states, the border of potential state failure or where the lines between military, civilian control or blurred, they may be somewhat less deterrable. States that may be more deterrable would be the opposite end of that. Also perhaps more economically developed states that are more connected with the global economy and may have more to lose on that front. This is a really important point. Thank you very much. That was great. You can hand the mic to Melvin here. Melvin used to be my boss, so I have a special spot in my heart for him. So think about this for a second. What he just said is really important. Nation states are definitely more deterrable than say terrorist organizations or individuals. So just like in normal foreign policy, national security policy, that's something that's kind of self-evident. That's why fighting terrorist groups, al-Qaeda, ISIS, what have it, deterrence is a harder thing with those. But in nation states there's also a mini-spectrum within that that are more difficult. So take for example what he said, a country that has less internet infrastructure, almost no internet of things like North Korea. In my mind and in the way we think about this, that is something that's very worrisome to me. For cyber and where cyber occupies the spectrum of potential military foreign policy tools, there's a reason I worry a lot more about North Korea than for example Russia when it comes to deterrence. And you all can think through that. Okay, Melvin, this is Melvin Duby. Back when I used to work on the hill, Melvin always used to be down there, giving me the business, making every day a tough day. But now he's moved on, he's been in the private sector. So Melvin, you've got the whole model, right? So you have the advantage of all the thinking that everyone has done for you. You've got the horizontal, you've got the vertical. What do you draw from this? What are your new hypotheses? Knowing this that we've just set out for you, what are your hypothesis and the things you think about cyber deterrence? I told you, I had a special question for you. It's the hard one, right? It is the hard one. It's not factual at all. It's just your personal perspective on this. Don't worry, we're gonna ask a couple of people. So you all, you better be right in your talking points down furiously because I'm gonna go after you. So I guess I would say that we have a couple of problems that we have to deal with and one is attribution, which I think we've gotten better at over the years. Okay. If you want to deter. Important point, I'll give you a couple of minutes to think a little bit more because that was next on my outline here. Attribution is one of these things where I also think there's a little bit of difference between people who are in the government and high-end private sector and those who are in academia because five years ago you'd say, well, attribution is impossible and that wrecks the whole theory of deterrence because you're never gonna figure out who it is who destroyed your grid or stole your data. That's just not true. It's just not true. We're much, much better at that. And one of the things that is important for us to communicate publicly is that we are much better at that because if people think they can get away with it because they're gonna be anonymous or they think through seven different hot points we're never gonna figure out who it was, they're mostly wrong. I completely agree with that, particularly on the high end of the thread that we're much better at that, less so with the criminal attacks. Just as a footnote, I was in the room with Eric once where he said that we were with a group of Chinese officials and they said, can you tell us exactly how you do that? You want to know us even better? He told him, Eric has a magic black box that we've been doing R&D on for 15 years and they're like, magic black box? Second thing I would take away from the conversation is that we need to have a better risk reward model. So what is it we need to protect? Because as someone said, we can't protect everything. So where we need to put our resources because we need to balance that out. And then the third thing is I think that we have to have a much better developed sense of what our response will be and when something in one of these attacks crosses a line that requires some sort of response whether it's a cyber response or in the case of nation state or other bad actors that we actually go to a kinetic response for a cyber attack. Okay, that's pretty good. Okay, who's next? And this is the question I ask. Who in here is younger than 27 years old? You have to raise your hand if you fit that. Okay, this is perfect. I can ask our very helpful, what we call you, kind of like moderator, right? You can hold the mic up for yourself. You've been listening. I just do the logistics, that's it. No, no, no. Right. What do you think about this? Tell us your name too and who you are. I'm Brianna Thompson and I'm Jim's program coordinator. Oh, so you actually study this. It's a perfect opportunity. Something like that. All right, so we mapped out this model. It's pretty simple, highly imperfect, but... Aren't you glad I made you proofread all those papers on deterrence now? Yeah. And it couldn't actually be a better entree to something I'm gonna say next. Give us your thoughts, please. On deterrence as a whole or deterrence or cyber? Deterrence and cyber and in this, you know, kind of referencing this beautiful model we just constructed. In terms of the model, I think we see that the nation states with the higher levels of cyber capabilities are a little bit, in my opinion, easier to deter because you can predict that a little bit better. Whereas you have non-state actors or individuals on the complete opposite end, you don't necessarily have that sort of static relationship where you're working with an international law and that can in turn be a lot more difficult to deter. Okay, pretty smart. She could actually write a PhD probably just on that because you could get the data set, run the correlation between advanced military and deterrability, right? I can see it, okay. Who, below 28 and has an idea about cyber deterrence? I don't wanna, okay, there's good. Stand up, tell us who you are. Otherwise, I'm gonna have to pick on someone and it'll be like, you know, when you get ID'd at the bar and you'll say, I'm not below 28 and that'll be a compliment or, go ahead. I'm Josh Marsana with International Technology and Trade Associates. Okay. So based on the framework that we just built, I would say that there needs to be more concentration on international frameworks for two reasons. One, if we can get some of those in-between states to join those frameworks, that creates more accountability for them. So there's more reason for them to behave properly. And then also, it'll make the criminal aspect of it easier. If there's cooperation amongst these nations, it'll be easier for the US, for example, to prosecute in some random country that might not be very easy to deal with. Great point, this is a great point. So one of the things that we'll mention again later is that if what you're trying to do for deterrence is also make it less acceptable for a country, probably, when you talk about international public law and norms, essentially, what he's talking about is building the norms environment where it's less acceptable for someone to do something. And that's a pretty significant part of what I do in my job and what we're trying to do even more. So the White House has led an effort on that recently that's pretty interesting and try to do that. That's why we try to work with like-minded countries, more of the European countries or others who are worried about their intellectual property being stolen, for example, or the risk and repercussions of a kinetic-type cyber attack. So that's a great point. Okay, another person, 28 or below, who has ideas about this. All right, I'll profile. Oh, she's trying to look away. Go ahead, stand up, it was just too obvious. She's literally looking away and staring off into space. My name is Yana Florenda and I'm here with the Netherlands Embassy. This is not the official Dutch perspective. No, it's not. She's only speaking. So one of the things I've been thinking about, so we've talked a lot about countries and the denorms in countries, but I feel like a lot of the cyber attacks are also, they're not bound by borders. They're not one criminal organization from a village in Romania, that's one example, but there's a lot of criminal organizations that cross borders, terrorist organizations that cross borders, and we have to also think about how are we gonna target those that do not fit in our framework of nations and nation states. Yeah, that's hard. So if we have this simple deterrence model and we know that the people who are least deterrable are individuals or non-state groups, and that it's not unimaginable that you could see them doing the most destructive-type things, then that's something you would worry about. So I think that's a good point. All right, my point on trying to call on folks who are actually younger is a little bit going back to, no offense to Paul Stockton, the generations of PhDs from Harvard and the Ivy Leagues who have done traditional deterrence-type thinking, I more often than not find, they're kind of like stuck in a traditional mindset. So in prepping for this, I asked some of the folks who helped me, I said, try to find the best things on cyber deterrence that you can, and I want to try to highlight those. So lo and behold, and this is something Jim also didn't know I was gonna do and is not staged. Okay, I guess I have it right here. When I read through these- There's that door when you need it. When I read through these, it wasn't Jim. He is actually very smart on this, although he says senior policy makers don't do any thinking about cyber deterrence. We'll give him a buy on that. This is from a person named Sarah Weiner, right? Sarah Weiner was at one point a research intern at CSIS. I guess working for you under your mentorship and tutelage. Now I guess she's a student at Yale Law. So obviously she's way smarter than I am if she's there. But she said some things that were very interesting, right? That goes a lot long what we've been talking about and that I think are worth keeping in mind. Is that, let's see, where's the most important point? Okay, exactly. If defense strategists develop an understanding of cyber security that differentiates between cyber nuisances and cyber high level attacks then countries can begin to more credibly establish deterrence doctrines and red lines. That's pretty good, right? That's exactly what we've been talking about. And a lot of people have said things like that, but it's good to see, and it's part of my call to y'all too, especially the younger folks, that you can do good thinking on this and you don't have to come from kind of the traditional sets where you would normally find all this high level of deterrence thinking. Because, and remember, I'm kind of picking on myself. So don't think it's anything like that. I used to work at the Kennedy School with all the big brains up at Harvard. Used to teach there. But I'm finding more and more that I get the most value of people thinking about this from folks who are younger and they haven't been exposed to kind of like what the traditional mindset of deterrence is. And I think that's where we're gonna keep making progress. Okay, so now I know that if I only dwelled in theory for this talk, it would be disappointing to y'all. So I do want to talk a little bit about how we think more about deterrence at the Department of Defense. And then I'll be quiet for a while and let Jim ask me questions and y'all can ask questions too about this or something else. So the first thing is I'm gonna go through kind of following my model, talking about three different areas that we consciously think about deterrence for. The first, which I think is the most important is what we call the defend the nation mission. The defend the nation mission is the role the Department of Defense has in cyber just like we do in other domains to protect the homeland against a major high end cyber attack that would either have severe economic consequences or lead to loss of life. And when we think about that there essentially are four main components to our deterrence thinking in this that I'll explain to you. So the first is that we believe pretty strongly that if you want to try to leverage deterrence that you have to think about your declaratory policy. That means how often do we publicly speak about our thinking on deterrence our thinking on cyber and cyber attacks? Why is that? Because if you don't articulate this either publicly or in some of the engagements you have with foreign audiences in a more private setting then they never know what you're thinking. And remember deterrence when it comes down to it and it's very, very core is an issue of perception. It's what an adversary or an individual, a bad guy, a nation state. It's what they think they'll be able to accomplish in this cost benefit calculus. If they think the costs are going to be very low and the benefit is going to be very high and that's their perception then they're more likely to do it, right? Very basic type stuff. And because it's based in perception you need to make sure that there's some way that you communicate the way you're thinking about this. So that's the first thing that is very important to us. We think about how to articulate our thoughts on this. And we do this very carefully because it's pretty tricky especially when you do it publicly. There are a couple of examples that I would like to point out to you where we very consciously thought, we said, okay, we want to help the world and Americans understand how we're thinking about deterrence and how we're thinking about cyber actions. And the first was in 2011. So again, just to point back to the fact that this is still pretty new, literally the first time I can find an official kind of government DOD history that we consciously made a decision to make a statement about cyber deterrence was in a report to Congress in the fall of 2011. And in there, it was the first time also, by the way, that we'd ever publicly said that we conduct offensive cyber operations, believe it or not. That was only three years ago. So the two things were combined together. We wanted to do that because we believe very strongly in transparency. More often than not, when we're not transparent, especially about things like offensive cyber, they believe the worst and that we're trying to reign destruction on the world when the reality is it's very, very small and very, very, very, very carefully considered. It was in a report to Congress where we said, if directed by the president, the Department of Defense will conduct offensive operations in a manner consistent with the policy principles and legal regimes that the department follows for kinetic capabilities, including the law of armed conflict. Okay, so it seems like a very small thing, but when the whole world and most of your nation state adversaries are watching you very closely, then they pick up on things like that. And the reason I know is then when I was meeting with people from other countries, possibly adversary countries and then allies as well, without any prompting, they asked about just this one statement that was in a congressional report that otherwise would generate no attention. So it made us realize that we do need to do this. It's important and we should keep thinking about it. The other great place to communicate things publicly of course is when the secretary is giving a major speech on cyber. So in 2012, Secretary Panetta was giving the first big speech ever, I think I'm pretty sure about this, by a secretary just on cyber. He was up in New York and we had worked on the speech very, very long and intensively. And the headline, it made front page news, so that's always good, secretaries like that. On the New York Times, he said this, which we consciously were crafting as a deterrent statement, we defend, we deter. And if called upon, we take decisive action. In this new century, the United States military must help defend the nation in cyberspace as well. So again, we're saying we deter, we defend, we will take action. Just in case anyone wasn't sure about that. Secretary Hagel, also very interested in cyber, reiterated that earlier this spring. In a way, there was even a little more crisp. The Department of Defense signed its way to building modern cyber force. I'm gonna tell you about that because it's a core aspect of our deterrence theory. Building modern cyber force, and this force is enhancing our ability to deter aggression in cyberspace, deny adversaries their objectives, and defend the nation from cyber attacks that threaten our national security. Okay, another statement, again, just us trying to clarify this. And I know this sounds very simple to you all, but you know how it works in the international arena when you say things that seem very general, they then end up getting kind of amplified in ways that you wanna be careful about, especially the U.S. right now when we talk about taking action in cyberspace, especially against the backdrop of all of the Snowden stuff, which are two different things. Snowden is about espionage and things that the government may do to conduct espionage. Cyber operations are something different, different organizations, cyber command. We're not talking about the same thing, but people, they often mush them together, and we have to be very careful about that. So anyway, examples of the first aspect of the way we think about deterrence is that you need to think about how to articulate it. And the other thing that I hope you caught from that is that the second core aspect of deterrence from our perspective is that there has to be some type of response, right? The response could be something back in cyber, right? You could cyber them back if it were on the high end of that scale, but the response could be something that doesn't have anything at all to do with the Department of Defense. It could be a dimarsh. It could be sanctions. It could be an indictment. It could be a public statement that this is unacceptable, something that we've done a lot more of publicly in the last year in particular. Okay, so you need to communicate it. You need to actually have a response. Then another core aspect of this, the third thing is denial. And I promise we didn't script this, and it's not because Paul Stockton knew my talk or anything or even had this scoped out, but he said, you need to do this by denial. This is very simple again, like pretty straightforward math. If it's a cost-benefit type relationship that you're talking about, you want to deny the benefits of what the bad guy adversary is trying to do, right? So if you deny that, it can be in a lot of different ways. Or you're talking about defending the nation if there were a country who wanted to conduct a major cyber attack against critical infrastructure, take down electric power, but they knew either because we told them or they perceived it in our force posture, the amount of security, either in the private sector or in the government, they perceived that they were not going to be successful in that attack, that their objectives would be denied, that the benefits that they perceived from that were going to be denied, they're much less likely to carry it out, right? Again, it's about perception. It's about their objectives, cost-benefit and whether or not you can actually do that. So here's where this is really tricky for us and to defend the nation mission. We have capability. We're in the process of building the cyber mission force. I'll tell you a little bit more about that in a second. But the biggest problem is that we don't own the nation's critical infrastructure. The private sector does for the most part. Some are quasi-government and public. And generally there's been large under-investment in the cybersecurity of critical infrastructure. So it doesn't take a rocket scientist for someone to figure out that it is impossible, nearly impossible to think the Department of Defense, even with everything we have going on to intercept every single cyber attack against the United States' critical infrastructure. Why? Because the way people do this is they plant the bad stuff first and then with a single command, they let off the bomb. That's pretty hard to defend against. Very simplified, but very hard to defend against. So denial is important. It's more important for the other two things that I'll touch on briefly after this that we think about for our mission, but it's pretty hard. So the next thing that we talk about is resilience. So if you communicate it, they know there's a response, they know there's some aspect of denial of their objectives and they may or may not be able to do that. The other way you can bolster your deterrence is in the idea of resilience. This means that if they do attack, so we were not successful in the denial. They do attack. It is successful, but that attack actually leads to not very much because the network comes right back up or the lights don't go out or they only go out for 15 minutes or whatever the objective was is not successful because we built our networks, the technology, the human infrastructure in a way that it bounced right back that alters again that cost-benefit relationship, right? Because there's more cost. You did it, it came right back up. Now the other person, the bad guys, they're in a pretty bad position. Why? They launched something that's like an attack on the nation. They kind of did it, so we know what they were trying to do. It was very serious, but they weren't successful because we bounced right back and we were resilient. Then what do you fear? If you're the leader of bad guy country X, you're like, right, game on, someone's coming after you now, right? And it's probably not just gonna be cyber if you went after us in a major way, just as we said in that report and as Secretary Panetta and Secretary Hagel said. Okay, those are the four core aspects of deterrence from our perspective. There are a lot of sub-components that we think of for the defend the nation mission, as I described it to you. The reason that, as I mentioned, I would tell you more about that we've invested so consciously in the cyber mission force. The cyber mission force is Cyber Command. About 6,000 people went fully built out. The idea is it's gonna be a lot like the elite JSOC special operators who do counter-terrorism operations, right? We're starting with 6,000, which quite frankly isn't a lot in DOD. Highly trained, they go through a training pipeline that's 18 to 24 months depending on what their job will be. The services, so Army, Air Force, Navy, Marines, they're the ones building all the elite services. We do this because it comes down to human capability, right? You can invest a lot in technology for resilience in some part and denying it, but it comes down to having smart people who can defend and they know how to look at this stuff because the technology changes so much, you need the people to adjust on the fly. So we want these high-end operators of Cyber Command to be the core of that. Okay, I now just spoke continuously for more than five minutes, which is usually when people start to fall asleep and it's a good place for a little pause. Who has questions about that segment that you got right there? Yes, sir, go ahead. What the Department of Defense thinks of deterrence? The three areas that you started speaking about, which I was trying to figure out if those areas were the actual four components of the first one, which is we believe that leveraging deterrence is about declaratory policy and the transparency. So when you started speaking about denial and resilience, are those components of that first area or are those the other two areas? There are four specific areas, right? The first is that you have to understand that you need to be able to communicate this in some way, perception. The things that you might communicate, but they're separate, more operational-type considerations, are the three that were after that. Okay, watch, the pupil's gonna launch back on me. Okay, go ahead, Jason. And when I think of the spectrums we were talking about earlier, we have the spectrum of military conflict, which is high-intensity conflict on this end, low-intensity conflict. Then where's that line between defense and homeland in the cyber world? And how do you view sort of the role of defense and cyber command relative to, say, Department of Homeland Security and some of these things that you're talking about? Thank you. That's a great question. We, in defending the homeland, we have a very, very narrow mission. Ours is defending the country against this big catastrophic attack, right? And the language I used is significant economic consequences or potential loss of life. Only when we think that's what the action will result in is a DoD's job. That's defend the nation. Otherwise, it's DHS and FBI who have the lead on all things for domestic cybersecurity and defending the homeland. So I'm really glad that you said that because this is a very small portion of everything that's going on. Think about, remember the spectrum that we traced of actions that were deterrable? The most deterrable was the high-end one, but the things that are most frequent are all of the things that are much more difficult to deter. And also, quite frankly, a large part are not the primary mission of the Department of Defense to worry about. It's not that I don't care. I care a lot, but that's why there's DHS. They have the lead on domestic cybersecurity for critical infrastructure, FBI for ops. They'll ask us for help quite often, and we do that, but it's with them in charge under their authorities, kind of like a defense support for civil authorities and a request for assistance type model. So those are very good. Now, there's one other thing that is a good point. I don't think I taught this in my class. I don't know if I had done enough thinking about back then, but cyber, when it comes down to my perspective, is least often going to be used as a foreign policy to when you really want to foment mass destruction on a country. The place where I think it'll be most helpful to senior policy makers is what I call in the space between. What's the space between? The space between is you have blunt foreign policy instruments, right? You have diplomacy, economic sanctions, all the things that you all studied and have heard about, and then you have military action. In between, there's this space, right? There are very few options for senior policy makers, which is always really uncomfortable because you usually exhaust those blunt, softer ones relatively quickly, and then you're very hesitant, or at least you should be very, very hesitant, to move on to something that is outright kinetic military action, right? In cyber, there are a lot of things you can do in that space between that can help us accomplish the national interest without doing anything that would be against the norms that we feel strongly about, against international law, law of armed conflict. Yes, in the back there. Thank you. You mentioned the report in 2011. I'm curious, do you recall when Congress and DOD started using the term cyber as policy language? Oh, you know, I don't. And if I can be honest with you, it's still not exactly clear to every person in the Department of Defense what's cyber and what's IT or computer network attack or any of those things. And the reason it matters a lot now, this won't be shocking to you, but Secretary Hagel said cyber is one of the highest priorities, which means in a budget constrained environment, it's still a priority. That means a lot of people, they'll try to label something that doesn't have anything to do with TCP IP, cyber, because then it's protected, it can't get cut, it's really important, even will be audacious enough to ask for more resources for their cyber tank, for example. That's just, I'm not picking on the Army, that was made up, but an example. Yes ma'am, and then just very quickly, I'll talk about the other two things we think about for deterrence. Yes, thank you, I was wondering if you could speak a little bit about, on the scale of deterrability, we talked about established governments being the most deterrable. What about outsourcing cyber attacks when an established government decides to sort of try to find a way to make an attack non attributable by asking a non official group to carry out attacks? That's a great question, that definitely makes it more difficult. So, the reason it's an even better question is, just like certain countries will do with terrorist operations, they use surrogates, or they will use surrogates, and they'll try to hide the hand of who's really behind that. And it does make it a lot more difficult, but also, it's not impossible to figure out, usually just the size of the footprint of a nation state working on things like this is a little bit easier for Intel than if it were the, this is a little more unrealistic. The lone wolf who sits in his basement for four years by himself and then tries to take down the grid, but that's a good question. Okay, real quick, I just wanted to say, our thing about deterrence is not only for big attacks on the nation, also for two other things, attacks on our networks are really what we spend more than 90% of our time thinking about and working on, right? DoD has the largest networks in the world. We depend on our networks for everything we do. It's the core part of the way DoD fights wars, takes actions, operates. And because it's so large, the biggest network in the world, the cyber command I told you about is almost entirely devoted to defending that network, and there are ways in deterrence that you think about this as well. It's not as much offense, right? Because that's not as realistic that we're going to take kinetic action against someone who tries to intrude our network, steal information. But what we do is, on the denial, work very, very hard on that. A lot of investment in making sure people don't get into the network. If they get into the network, they don't know where they are, they're confused. It's denial by deception in some ways. Or that if they get in, and in the case of a warfight, it's not inconceivable another country would try to take down our network so that we're not able to do all the things we do that were resilient, and it pops back up, and then we can still fight in a contested environment, that's what we call the cyber contested environment. And so we spend a lot of time on mission assurance. That's the fancy DOD word for making sure your networks are still up and operable and you can accomplish your mission. Paul Stockton worked on mission assurance a lot when he was there, and Laura Cooper, who is a superstar at the Pentagon here, she's in charge of mission assurance. So if you have questions about that, we'll put Laura on the spot. So DOD networks, we also think about deterrence, right? That consciously, it is a very conscious type thing. The other thing that we care a lot about because it relates to us but is much more difficult is the theft of intellectual property, in particular from defense contractors. And defense contractors, they build our weapon systems, they help us move, they do our logistics. You saw recently a report that the Senate did after an investigation where they said, transcoms contractors who are doing most of the logistics for the entire department had had lots of intrusions and that's something that was very worrisome. We have been working very, very hard for the last several months to try to address as many of those things as we can. And in there you just have to think again, denial. There are some things that we have done in the past in the public to publicly highlight countries we're concerned about who are stealing intellectual property. We've done that much more openly the last year in particular. You may again in denial, you may do something with deception. This is I'm speaking theoretically but if someone is, I'm speaking theoretically, right? If someone's not sure the information they got is actually good information, then in the cost benefit analysis the value has gone down, right? If I'm not sure that's the real info, that's something to consider. So because those are the two things very near and dear to DOD, I just wanted to touch on those very briefly. Okay, Jim, I gave you only like a couple of minutes to sit me in the chair here if you want. And ask about things not deterrence or otherwise. Well, I'm just gonna say two things which is first, I hate it when people talk and then you have to go back and think. I'm not used to that at most cyber events. So it's like really, I'm gonna have to go back and think a little bit, which is hard for me. The second thing is this was the inaugural event and darn it, we may have to retire the title. This was hard to beat. I don't really have any questions. You hit a lot of them. I was gonna ask about the relationship between budget. You know, when we did deterrence in the olden days, people tied acquisitions very closely to deterrence and you touched on that. I was gonna ask about the status of the Panetta threshold that you touched on that, which it still appears to be valid. I'm not sure that the axis is perfectly right because if it's state, non-state, that doesn't capture the differences among states. So China and Iran are different. Russia and North Korea are different. So we might need a third axis and I couldn't do that in my head. That makes the modeling a lot harder. But remember on mine, when you're doing deterrability, it's most deterrable, least deterrable. So on that, you can have states ranked. Right, but not ranked by capability. So Iran capable, perhaps less deterrable. What else? What are we trying to deter you to get that? Go ahead, sorry. Yeah. You know, people ask and also, I would say, criticize fairly frequently that we don't have cyber red lines and they say, well, the problem is we haven't declared cyber red lines. And if we did that, then it would be much clearer to our adversaries that if I steal our intellectual property, commit cyber war, that this consequence will happen. After you leave this, try to sit down and figure out what your red line actually would be that you would tell the world and what you would promise the world you were going to do to them if they crossed that. And then keep in mind, when you draw a red line, everyone in the world says, good, I'm gonna see how thick that red line is. I'm gonna go as close to it as I possibly can because they're not gonna do anything to me because they said that. So it's understandable that people say that. I hope you all understand also, we can very consciously decide that we don't want to put a bright line on certain things when you're thinking about cyber in particular. We just have a little time, so I'm just gonna push back a little bit on that. There are two- Wouldn't be Jim if you didn't push back on that. True. There are two red lines that exist and you identified one of them, which was the loss of life or a significant economic harm that is in US declaratory policy. The other red line is in the UN Charter, which is that it has to threaten, it could be either violence or coercion, the territorial integrity or political independence of the state. So those are the two red lines that exist that justify the use of force. How does that fit into your deterrent strategy? It, when I mentioned that explicitly, it's because that's kind of the easiest threshold to think about because it's the one that is most widely understood in the international community is what is an armed attack, right? Armed attack in international public law, just like Jim mentioned with the UN Charter is something more widely understood. And it's true, as was mentioned by the gentleman in the back, that the norms environment in cyber is not well developed, but remember how norms develop. It's over decades, centuries, where people finally come to accept the way things are. Only in 2011 did we officially say that we had offensive capability, so you can see it takes time. These things develop. We want to do that. We're working with both allies and people who are maybe friendly competitors to try to keep that going and build it out. I do think there's a gray area, though, where it's not clear. Yeah, sure. But again, it's just like any other domain. What is an attack on the nation is a political decision, not big PDR. It's a decision that is made by the commander-in-chief, the president, as a determination, right? It's because it's not exactly clear in fact of law if you kill this many people, it's an attack on the country or not. Final question, and we'll let you get the heck out of dodge. It's an easy one. How do you think our most likely opponents, Russia, China, Iran, North Korea, how do they perceive deterrence? What do you think about their deterrence policies if they have them? I thought you said that was an easy question. I did, yeah. You know, we spend a lot of time looking for clues on that and I'm not sure that here anyway, that there are a lot of examples I can give where I understand exactly what their deterrence type theory is, so I'll just be honest about it. I'm not sure that it's very clear to me what those are. Okay, but that's a great area for other folks to do research on too. And so again, it's a really interesting area. Y'all are here so you're kind of like self-selected to be pre-deposed and wanna be studying it, thinking about it, but it's an area where just like in the 45s, 50s, everyone's thinking about nuclear policy. You can make a difference in cyber either as a policymaker, a thinker, a doer if you wanna join the cyber mission force, so I think y'all should go for it. On that note, let me say that you so far exceeded my expectations, I'm not sure what the heck to do next. They were very low. Please join me in thanking Eric. He's a good friend, but he's also really important and thinking about all these questions has a really important role in the way we interact with other countries a lot of ways. Definitely one in the leading thinker, so I appreciate a lot also what you're doing, hosting a session like this, and appreciate also Dr. Hammering, you know, giving us a lot of attention and thoughts too. Who was lurking in the back. I noticed he was laughing. Too bad, I wish I could have called on him. I'd have been calling on the former DevSecDev is always fun, right? Okay, thank you very much.