Thank you very much for the kind invitation. Let me also thank the Institute in Katrina in particular for inviting me and arranging my visit. And I thank all of you for coming up for this lunch meeting.

What I'm going to do, and I suspect that many of you have seen the reports of the proliferation of alleged attacks on US interests. Many of them have kind of spy novel, cloak and dagger, code names: Operation Aurora, Visiting Hades, Night Dragon, Shady RAT. And these are a series of attacks on... Do you make those names? I don't make the names. McAfee makes up most of the names. Or the US government makes up many of the names.

But what I'm going to try to do is put those attacks into a larger context, and in particular talk about how I see the competition between the United States and China in cyberspace. And through doing that, illustrate what I think, how US international strategy towards cyberspace is developing, and talk a little bit about what the US is doing domestically and internationally to try to shape this space. I hope to speak for about 25 minutes, half an hour, and then turn over to Q&A.

And what I'm going to do is talk about Chinese and US interests in cyberspace. Talk a little bit more specifically about what I see as the motivations for Chinese attacks. Talk about how the US is responding. Illustrate what I think a possible agreement with China is going to look like, which I think is going to be very, very narrow and very limited. And then I'll talk about why things might get better, but you'll see my heart's not really in it. So I'm going to leave you on a rather pessimistic note.

So let me start off with US interests. And as was mentioned before, the US now has clearly stated its interest in cyberspace in the international cyberspace strategy. It says the US's interest is in a cyberspace that is open, secure, and global. Open, secure, and global. I think the Chinese share maybe one and a half of those. Open, we all clearly know.
The Chinese have a very extensive system of internet filtering and censorship in place, both on the technology side, through what's known as the Great Firewall, but also through intermediary liability. So the Chinese ISP providers are responsible for censoring their users. And you can see that happening now with Weibo, the Chinese Twitter-like platform, where they are now actively engaging in censoring some very heavy users, but also in self-censorship. We have to realize that most Chinese users, like most American and other users, are using the web for social purposes, to look at pictures of funny cats and to talk to their friends. They are not trying to get access to the State Department's most recent Human Rights Report or Amnesty International or any of these other things. So, on open, clearly the US and China have a different focus.

On secure, the Chinese clearly have an interest in protecting their own critical infrastructure, both in communications, but also in electrical grids, SCADA control systems. And just several months ago, a US hacker basically came out and said, well, I've been all throughout the Chinese system. The Chinese systems are completely vulnerable, very easy to hack. And probably a lot of that has to do with the widespread copyright violations and pirating. So most Chinese users pirate software, which means that they're not updating it with the most recent patches.

But the Chinese definition of security is different from the one used in the US and the West more broadly. In the United States, we refer to cybersecurity, which generally means the defense of these networks and hardware. China and Russia refer to information security. Information security means both the hardware and content. So if you look at last week or two weeks ago, Russia, China, Tajikistan, Uzbekistan introduced what they call the international code of conduct for information security.
And it talks about content and the use of information technology to threaten the cultural, domestic stability, regime stability of other countries. This is gonna be a major issue in any discussions, negotiations about cyber norms, this difference between information security and cybersecurity, especially as the United States and Secretary Clinton in particular promote this agenda of internet freedom. If the US is funding what we are now calling an internet in a suitcase, ways to try to get around cyber surveillance or cyber controls, for the Chinese, that's the same as a hacker who gets into a defense ministry network. The two are the same. And it is very unlikely that the US is going to control its, what we would call, digital activists or democracy activists in return for control of what we call Chinese patriotic hackers. We're not gonna trade off the promotion of freedom for somehow better protection on the US side. So this difference on security would be maybe half or a quarter of the points there.

And the final is global. And then here the language is often interoperable, right? We should have standards that are scalable and interoperable and wide open to everyone. And here you can see that again, the Chinese companies could have an interest in this as they scale up and as they become global; they have a reason to want to operate on all of these similar shared technology standards. But the Chinese basically see those standards as being dominated by the West, by the US, Japan, European technology companies. And they're afraid they're gonna be locked out of them. They're already trying to catch up. And so anytime they see the word interoperable, they're afraid that they're gonna be caught out and stuck in a technology trap.

I should also point out that the US and I think most of the West approach to these governance issues is different than the Chinese approach. The Chinese approach is still very state-centric.
The Chinese white paper says that, yes, the internet is global, but it is an area of state sovereignty just like any other. And they are more comfortable dealing in fora where the state is the dominant player. The US, at least rhetorically and more generally, has adopted an approach that we say is like the internet itself: decentralized and distributed, involving state and non-state actors. So the US has been pushing both the state fora but also places like the IETF, the Internet Engineering Task Force, ICANN, other non-state actors. So we have both these different principles and a different process, a policy process approach to how we're gonna work in cyberspace. So broadly, these are the different interests.

Chinese motivation I think can be simply stated as the search for political, economic and military advantage. In all of these realms, the Chinese see themselves vis-a-vis the United States as being the weaker power. And so these all form an asymmetric strategy or a political strategy.

So on political hacking, we see this both on an espionage gathering approach, so attacks on US embassies, Indian embassies, the Dalai Lama, IMF, EU, all these other international institutions, but also as a way of venting nationalistic sentiment within China. So attacks on the Nobel Prize committees, the website change.org, which was a website that was hosting a petition for the release of Ai Weiwei, the dissident poet and artist, excuse me. And so part of this acts as a release valve, right? National sentiment inside China. How do you let it out? And political hacking of these websites is one of the ways.

On the military side, in Chinese open source writing, there is a great deal of discussion about information dominance. The US again is seen as a technologically superior power. How do you degrade that technology? You eliminate US information superiority.
You would do that through attacks on C4ISR nodes, command, control, computers, communications, intelligence, surveillance, reconnaissance nodes, which would be cyber attacks on those networks as well as attacks on space. So anti-satellite tests, other things would be used preemptively in many cases or in the first step, right, the idea that the Chinese have to seize the initiative very early in the conflict. And most of this discussion is in the context of a Taiwan scenario, right? So if a conflict broke out over this, how would China degrade the US technological capability and also slow down logistics? So you could also attack Defense Department networks and slow down, degrade the US response, sailing the ships from Japan to respond with US military strength.

And then finally on the economic side, China is unhappy being the factory to the world, right? We have this conception of China's economic strength as an export model, but long-term that's not where the Chinese wanna be, right? The model now is labor-intensive, energy-intensive and polluting. And they are afraid they're gonna get trapped being factory to the world. The model that the Chinese press likes to use is the DVD player. If you turn your DVD player over, 90% of them are made in China. But the optical reader, which is the most technologically sophisticated part of the DVD player, was probably made by Siemens or Toshiba or some other foreign company. So when that DVD player is sold at Best Buy in the United States for $30, $35, four or five dollars of it goes to the IPR holder and the rest of it goes to the Chinese companies, but there are 100, 200 DVD producers in China, so the margins are incredibly thin, right? So the fear is that the Chinese are gonna get trapped, as I mentioned before. And so how do you break out of that?
Part of that is just through traditional science and technology policy, increasing spending on R&D, focusing money on technology policy, but the other part clearly seems to be industrial espionage, stealing intellectual property rights and then giving them in some way, shape or form to Chinese companies.

Of course, the big question in all of this is the relationship of the Chinese state to all of these hackers, right? I mentioned at least three types of uses of hacking, and you have to imagine that there's a sliding scale, right? And in a conflict, you can imagine that the use of non-state hackers would have some major disadvantages for China, right? It'd be very hard for China to figure out how you're gonna signal that you wanna de-escalate or reduce tensions if patriotic hackers are going off attacking sites on their own. That said, the widespread assumption is, because China controls the internet so tightly, that there are very, very few independent, completely independent hackers. It'd be very hard to operate completely independently. Do hackers sometimes do things that the state doesn't want? Probably. Do they sometimes act illegally without the state knowing? Probably. But is there some type of contact with some state actor at some point? Probably, almost definitely.

We have numerous cases, again in the open source, where Chinese hackers then provide white-hat security services to government agencies, or they are lecturing at universities or providing services to the PLA. The Financial Times just last week had that piece about cyber militias within the private sector. So private companies have groups that are somehow tied to the local PLA unit and are involved in cyber militias. So there is clearly some relationship. Whether that relationship is tolerance, direction, control, I don't think we're exactly sure.
Before I talk about how the US has been responding to this, let me just say that the Chinese probably, in fact, they do see a high degree of hypocrisy in the US's position.

First of all, they basically believe that the United States, many in the United States, are hyping the threat from China. The China threat, in their view, is part of a military industrial build-up. It's clearly driven by the military and Boeing, Raytheon, the other companies that are getting more spending into cyber weapons and cyber defense. They also note that it was the United States that first set up the cyber command and that it was US strategy, although this is no longer the official strategy, but the official strategy two years ago was to maintain dominance and deny the use of cyberspace to our adversaries. So we're the ones that are talking about controlling cyberspace.

Second, the Chinese believe, and I think they're right, that the US has already highly penetrated all of their networks. I have to assume that the US probably can get, if not as much, if not more from the Chinese than the Chinese are getting from us. Partly, as I mentioned, because if 95% of Chinese government offices are using pirated Windows, and we know how good security is on Windows, and you're using 93 Windows or 95 Windows, again, you have to assume that they are extremely, extremely penetrated. And as I mentioned earlier, they believe that they are totally dependent on US technologies. So when I meet with Chinese government officials and they complain, what are we supposed to do? We have to rely on Cisco and Oracle and Microsoft, and we know that those companies all provide backdoors to the NSA, then of course our security is very bad. I always say to them, you don't understand, that's the same problem for us. We have to rely on Oracle, Microsoft, NSA, and they're hiring Chinese officials, they're hiring Chinese nationals all the time, and we're totally worried about the penetration there.
But they are completely worried about that. That's paranoid, yes.

Third, the Chinese themselves are a massive victim of cybercrime. The numbers, again, in the case of China are always hard to say, but the official Chinese numbers last year were 500,000 attacks on Chinese addresses, and 15% of them they traced back to IP addresses in the United States. Again, were US attackers behind that, who knows, but from the Chinese view, they're not getting the response that they want. The Chinese official will point to five or six cases where they went to the FBI and said, we want cooperation on these cases, and they got no response from the US government. That is supposed to improve, but that is the perception that they have there.

And finally, I should just say that the Chinese probably have larger trends and the future on their side, right? Right now, according again to Chinese numbers, there are 500 million Chinese net users. 500 million means there's still 600, 700 million Chinese to get on the web. So the future of the internet is going to be Asian, if not Chinese.

So let me talk a little bit about the US response so far. And it's been mainly in three areas. The first, of course, has been at home, a series of institutional reforms and creations. The most prominent was the appointing of a cyber czar, Howard Schmidt, but the fact that it took at least seven months to finally get someone to accept that job, numerous people turned it down before Howard Schmidt finally accepted it, gives you some insight into the limits of that job. He is the czar, but actually he is a coordinator. He does not have a very large budget. He does not have a very large staff, and all he can really do is bring people together. In public fora, Howard Schmidt always says that's great. That's exactly what he wants to do and he's perfectly happy with that.
But there is some real concern that he does not have the power needed to make sure that the institutional agencies that are active in cyber are working together. And there are several bills now in the Congress that would create a new position that would be Senate appointed, a cyber czar that had a real position. Of course, the White House is not interested in another Senate appointed job, but those bills are working their way through there.

The distribution so far has been that the DOD will defend dot mil networks, so defend military networks. DHS, Department of Homeland Security, will defend dot gov and some critical infrastructure networks. And the commercial, the private sector, dot com, is on its own, basically. That has been the general fallout. From the beginning, there has been real concern about whether the DHS has the expertise to be able to defend the networks, and that the NSA has the expertise but legally should not be involved on domestic networks. The NSA is not supposed to be surveilling U.S. networks, although, of course, we know about the wiretapping during the Bush administration, but the NSA does not always do what it's supposed to be doing. So right now, the most important progress in coordinating between the two sides has been an MOU, a memorandum of understanding between DHS and the NSA, where there are now basically DHS officials sitting in NSA and NSA officials sitting in DHS and manning certain sectors together.

On the private side, the mantra has been information sharing, public-private partnerships and information sharing. Of course, we've been talking about information sharing in public-private partnerships now for at least 25 years. And there are something like 55 public-private partnerships, just in cyber, for specific sectors. So again, the question is coordination. And while everyone always talks about information sharing, the private sector will make two complaints.
The first is that information sharing just means the private sector giving the government information. It does not mean adequate sharing from the government side. And for most of the private sector, that information is a competitive advantage. So if you talk to the ISPs, to AT&T and Verizon and other companies, they'll say, why am I gonna share this information? This is a competitive advantage for me. Security is one of my differentials. So why am I going to share this information with both my competitors and with the government? There are also liability issues that are in play.

There has been some progress on the defense side, protecting defense industries. So there is a pilot program in place that does information sharing. Basically, the US government shares target signatures with the defense base. I hear, quite honestly, I hear a mixed thing. The government seems to say that it is a success. The defense sector, someone just said to me, was completely skeptical that there actually was anything being achieved. But this program is supposed to be expanded. Now I think it involves 20 pilots; it's gonna expand to 40. And there's been some talk about moving it out to other high-tech companies. So that is on the domestic side. That's the main breakdown there.

Of course, the other main push is on the defense side. As I mentioned, the establishment of cyber command. So making this a military issue, making this almost in many ways an existential issue, an attack that is a threat to US national security, clearly signals its importance to the US policy structure. The Defense Department released its national strategy just a few months ago. Notably lacking from that defense strategy is any talk of offensive operations, how the US might conduct them, how the US thinks about them.
There is a very strong deterrent factor both in the Defense Department strategy and in the international cyber strategy, which basically says the US reserves the right to reply to a cyber attack with any means necessary. Kinetic, cyber, diplomatic, economic, whatever other types. Or as someone told the Wall Street Journal, you take down an electric power grid, we put a missile down your smokestack. But how that would actually work is completely unclear. Cross-domain deterrence, as we know from the nuclear field, is always very difficult. How do you make a credible threat? Most of the attacks are espionage, which is not actually against international law. And it's very unlikely that we would put a missile down someone's smokestack for a cyber espionage attack.

On offensive operations, there was a piece in the New York Times today, as Katrina Pick pointed out to me, about the US considering using cyber weapons against Libya in the beginning stages to take out missile and other intelligence gathering systems. Legally, we decided against it. Partly for one reason I don't understand, about hostilities and the use of the War Powers Act, but the other was we didn't want to set the norm of being the first to use it in an offensive operation. So a lot of discussion is still going on about what the US believes is legal and who has the legal right to use these weapons on the offensive side.

And then the third and final area is international engagement. In the State Department there is now a coordinator also on cyber, Chris Painter, who is in charge of international strategy. We have pushed forward in many, many fora. We have basically stated that we don't believe there should be new treaties or new laws in cyberspace, that the existing ones should be applicable. So the Budapest Convention, the European Convention on Cybercrime, we want to expand that. The international laws of war and conflict, we believe cyber already falls under.
There needs to be some discussion to clarify, but we believe that they're there. And the United States is engaging in a whole range of multiple fora about what the laws, the rules of the road, the norms should be in cyberspace for cyber behavior. But I would say the most important pushes have been on the bilateral and multilateral side. So the recent agreement announced in Australia that cyber attacks fall under the ANZUS Treaty, UK-US agreement discussions on cyber, US engagement of NATO, Japan, India, all these other places.

And I would say long-term, the most important thing probably is capacity building. So as Asia, Latin America, Africa come online, security expertise is fairly thin. And those people are gonna have to look for help. If the US, the West, Europe is not there, the Chinese will be there. And Chinese help comes with both a kind of view of how open the web should be domestically, but also these international norms that don't really, I think, push in the same way that we want to go. So those are all the kind of main things.

I should say one part of international engagement is also naming and shaming. So occasionally the US will explicitly say we think the Chinese are behind these attacks. It happens actually much less often than you'd imagine. The prominent cases have been with this change.org, as I mentioned before, IWA, where the State Department actually raised the concern with the Chinese. And then just last week, Mike Rogers of the Senate Intelligence Committee, excuse me, House Intelligence Committee, said the Chinese are behind these attacks. This is the largest transfer of technology, illegal transfer of technology, in history. But there have not been very many public announcements calling them out. I suspect we'll see that moving forward, but part of the problem is that companies don't want to talk about it. Companies don't want to be exposed to the liability issues. They don't want to expose their own vulnerabilities.
They don't want to open themselves up to retribution from the Chinese government if you start claiming the Chinese are behind it. The SEC has just said that there is now a breach law, so companies will have to be more vocal and transparent about it. That I think is going to be a good thing.

What I expect from all these discussions with the Chinese is very little. I don't see any reason why the intensity and number of Chinese attacks will go down. Quite honestly, it's just that the benefits are too high and the costs are way too low. And I don't see that changing dramatically anytime soon. I think there will be, we are already discussing cybersecurity with the Chinese at the Strategic and Economic Dialogue, and Admiral Mullen, the Joint Chiefs, had a discussion with his counterpart in China. We'll have some discussions like we have with the Russians about points of contact, crisis communication. We might get some discussions about red lines in a cyber attack, what we might consider a threshold for an actual armed conflict. But other than that, we're not really going to get very much traction with the Chinese. And you can see that, I think, in the work in the run-up to this conference in London. The last three weeks, between the Chinese introducing this international information code and reading the Chinese newspapers where almost every day there is an article about the US search for hegemony in cyberspace, conflict is almost inevitable in cyberspace. They're really seeing this as an area of conflict and competition. So that's the pessimistic ending.

Let me give you why things might change. But as I said, my heart's not really in it. The first is, right now China clearly sees the United States as being more vulnerable than it is, right? The US military, the US economy are both more dependent on IT than China is. But you could see over time, as both the PLA modernizes and China's economy continues to grow, that they reach a similar level of vulnerability, right?
As I said, it's clear that they are very vulnerable and it's probably very easy for us to hack into it. Once you get some mutual level of vulnerability, then you start having shared interests. You can start talking about protecting critical infrastructure and perhaps the internet itself, right? No side has any incentive to bring the internet itself down, I suppose, there.

Second, I've been using China as a unitary actor, but of course it is not. And so there are competing interests within China. You can see this clearly on the technology and innovation side. So my other work focuses on how China thinks it's gonna move itself up the value chain, and I've talked about that briefly, but the Chinese now have a policy that is called indigenous innovation. How do you move up that value chain? And a lot of that is forced technology transfer: access to the Chinese market for US and foreign companies in return for transferring technology. But there are those in China who don't think that it's a very good strategy, that a more mercantilist, closed view towards technology is not in China's long-term interest, and they have a more open view. I have to imagine that on the cyber side there are similar views, that there are those who think that cyber espionage is not good for the Chinese economy and puts at risk some extremely important relations with the European Union and the United States, and ask whether that is in China's long-term interest. So you can imagine that domestically there are debates going on, and that perhaps US rhetoric, EU rhetoric, Western rhetoric could help shift those debates.

And then third and finally, for status concerns, China does not like being outside global norms. I mean, that has been the trend across a whole range of international issues. Proliferation is probably the best example. It's been incomplete, but look at where China has moved since the 80s and 90s, looking at missile sales and nuclear cooperation with Iran and Pakistan and North Korea.
Again, it's not perfect, but it's certainly much better than it was. So if you could get to some agreed norms, first I think with the US and its friends, then reaching out to Brazil, South Africa, the other major internet powers, it's gonna be very hard for China to be outside of it. But those are all a lot of ifs, and I don't see any of them happening in the short term. So I would say the future is going to be a lot more of the same, or somewhere between more and the same, this kind of constant cyber irritation. Discussion of the norms is important, but unlikely to make any short-term changes. And I'll stop there. Thank you very much indeed. Thank you.