 Well thank you all for coming very, very much. I really appreciate it. So, I'm on my way back from four years in Estonia, back to NCIS headquarters. I'm a cyber analyst there and so I really haven't been back to Washington really yet. And so I'm without a computer and a cell phone and a lot of things. But before I left I was able to publish this book and it's available as a free download from the Cyber Center site. And if you want a copy of the hard copy, I'm sure I can get a copy to at least your organization. So today in Syria, right, if you're watching the news, there is literally a war going on between the government and the people. And the thing about cyber war being a lot of hype is true in many contexts. But I think that if you think about it from the perspective of so many people around the world, it literally is a matter of life and death every day. And so in Syria, even just in the New York Times, following just the headlines, you can see that when the activity started basically the NGOs were trying to sneak in satellite phones. And then that was a victory but then a week or two later the government had figured out how to turn them off. And so it's a game of cat and mouse but really this stuff shouldn't be taken lightly. I think it's quite serious and for millions of people around the world, it is truly a life and death issue and we're fortunate to be here at such an event where we can do all this stuff in front of the media. So there's also in Aspen, Colorado today, there is a group meeting called the Aspen Group. And these are people, Madeleine Albright, Colin Powell, kings and queens show up at this event as well and they discuss national security issues and they're meeting today. And I'll let you guess what the topic is at this year's meeting. It's not goat herding, it is cyber. And so I had a chance this week to look at their topics of discussion and as you can imagine at this level these are all academics and diplomats. The theme was the piece of Westphalia, right? I don't know how many historians we have here, I don't know a lot about the piece of Westphalia but basically it was the first modern diplomatic conference that sort of ended the 30 and 80 years war and it was sort of the foundation of one of the big pieces founding the modern nation state and so creating discrete blocks that were governed by governments. And so one of the papers they're going to discuss is a recently released paper from MIT, I guess a Mallory perhaps professor there in which he talks about tagging packets on the internet according to their country of origin cryptographically so that you can more quickly tell which countries are responsible for bad behavior online. And I'm just passing this to you. This is today also what the senior foreign policy and national security thinkers in the country are discussing today. So I'm going back to NCIS and they asked me to say that we have at least five open cyber intelligence positions in Washington DC so you can get in contact with me if you're interested in working in Washington. So a little bit about me, I was a signals intelligence guy since 93 for DOD. I did French and Russian language and then I sort of switched over to cyber and then went to NCIS and did a tour four years in Estonia at the NATO cyber center and I strongly believe that NATO and or the EU will play a major role in the future of cyberspace and the reason is because it's a large group of affluent countries that have serious assets, serious expertise and they're on the same political military agenda to a large degree. In fact in Afghanistan, right, they have 50,000 soldiers that part of ISAF that are fighting a war and when you fight a war together obviously you're going to share a lot of secrets and try and mitigate various threats and I strongly believe that well because the cyber sort of security problem at least from a national security perspective is an international problem. I work for NCIS and of course every time you want to do investigation, the first thing you see are tons of foreign IP addresses. So then you're stuck with dealing with the law enforcement or counterintelligence organizations of another country and before you can proceed unless you want to take measures that might be illegal yourself. So all conflicts today have some kind of a cyber dimension and that's because we're all using the internet whether you're sort of a student, a soldier, a spy, a diplomat, a politician or a televangelist, right? You're using the internet and so spies and soldiers are no different. In fact they're ahead of the game. They've got more resources and more engineers and more kinds of attacks because they've got signals intelligence, they have human intelligence and they have, they've got this difference, you know, the APT, the advanced persistent threat, the difference between a lone hacker, even a hacker group and the APT is that these are organizations that have a mission to attack you. So if somebody in that organization gets sick or goes on leave or retires or dies, somebody else sits in their seat, right? And they have a bonus, they have retirement and all this and that's what makes it the APT, right? There's not going to be a time that the intelligence service of country X is not targeting intelligence service or the government of country Y. But nobody knows how big of a threat cyber war and cyber terror are. In fact there's a lot of hype and there's a lot of arcane tools and tactics that politicians don't understand and they're speaking about without sort of connecting the tactics and strategy of cyber. But this talk is going to be about strategic solutions and so I think it's, you know, cyber security has essentially evolved from a tactical, technical discipline to this big strategic concept that politicians can understand. And they, instead of managing one, ten or even a thousand computers, have to think about millions of computers. There's about 400 million computers in the United States that are connected to the internet. So it's a lot like alcoholism or, you know, the drug policy or education or something. You know, you're trying to think about how to come up with national solutions to this and so that's what we'll look at. These are a combination of different mixtures of technical, political and military. But I'm trying to think if you're sitting in the White House or you're sitting in the biggest office at the Pentagon with a window, you know, how you're thinking about cyber security. And I think IPv6 is one of the possible solutions that you're looking at. I think basically updating military doctrine in accordance with the best of our understanding of military doctrine, i.e. Sun Tzu. You're trying to deter cyber attacks. You're trying to threaten either to deny someone the ability to attack you or to punish them for attacking you. And you're trying to articulate that to your adversary, which is deterrence, and then arms control. Is it possible to limit the spread of cyber weapons? And so these are four different strategies. And what I want to do in this research is just look at them individually and then try and prioritize them. If you had $100 to spend on these four strategies, how would you divide that money up? So the book basically has five parts. And in the beginning I talked about the history of computer security. And I started in 1837 when Charles Babbage at Cambridge University first designed the analytical engine that was never built because it was about 100 years ahead of its time. And so moving really past World War II, when you had examples of really powerful computers that demonstrated the UNIVAC basically saying with 1% of the sample of the United States population, you could predict the winner. In fact, it did. So I talk a little bit about my background as a cybersecurity analyst and the challenges there. And in particular, some big events like in Estonia last year we did a seven country. There was over 100 engineers involved. It took us about a year and I got to be the analyst to it. It was called Baltic Cyber Shield. And we did a terrorist scenario against power plants. And so we had seven blue teams from Northern Europe. And then we had a red team of 20 hackers trying to basically turn off the lights. And so in the real world impact, I talk a lot about internal security. And that's where it all starts, I think. And it's never clearer than if you look at Belarus, Zimbabwe, Turkmenistan, China, North Korea, countries where there is a high level of tension between government and civil society on the Internet. There's plenty to look at to understand how on a daily basis cybersecurity really, really matters. And governments like in Belarus, for instance, every time there's an election, basically the opposition supporters and the opposition parties can't speak to each other because they either turn off the Internet or they make it so slow that your packets basically takes 5, 10 minutes to load. So then I look at the strategies, technical, military, and political. And I use this thing, it was developed in Switzerland called the Decision Making Trial and Evaluation Laboratory. It's really, really simple mathematics. You just try and put things on the table and push them around and sort them until you see which are the most influential pieces on the table. And then that's where in part you could place your money. You want to see if your goal is to get from here to there which pieces are more influential or more dominant in the system than others. And in particular, Demetral calculates indirect influence. And they just does that through a simple matrix mathematical calculation. So if A affects B, but B affects C, well how does A affect C? And that's what Demetral does very quickly for you. So IPv6 being a technical solution, Art of War, purely military. And then the other two are sort of hybrid. I think this is interesting. Deterrence, I think, is military, political. And arms control, political, technical. And this has implications, I think, which you'll see later in the presentation. Well, IPv6, right? So this is, you know, after doing this research, I really think that it was never more clear to me that a technical problem needs a technical solution. It sounds intuitive, but if you have a, you know, a cybersecurity problem, but then your first inclination is to sign a political agreement not to attack each other, it really doesn't get you very far, does it? Right? Because you are, you're relying on the, you know, the current events. You're relying on, you know, rationality and diplomacy, et cetera. So just this morning actually on the History Channel, as I woke up, they were talking about the sale of F-14s to Iran in the 70s, and this was a big deal because, you know, these were the most advanced, you know, fancy planes in existence, and we decided to sell, you know, I think 79 of them to Iran, and then they had a revolution, right? And so all of a sudden these planes that we had intended to be sort of, you know, hedging against the Soviet Union, all of a sudden we were trying to figure out how to destroy them. So with IPv6, I think it's, the beauty of it is that it's a technical solution, or it's a proposed solution to a technical problem, and what's the problem, okay? With IPv4, you know, it was chosen because it was simple and easy to manage. It didn't have the fancy, you know, attributes of some of its rivals. IPv1, because it was simple and easy to manage. Well, IPv4, okay, is great, but it has flaws. Nothing is perfect. Neither is IPv6, by the way. But with IPv6, one of the things you have is you have defined within the protocol IPsec. So you have a greater, to a greater degree, with native abilities you can authenticate and encrypt. And that's why the Pentagon and China, you know, are very interested in IPv6. When you, now from the Pentagon's perspective, when you launch a satellite into outer space, you have to think at least eight years in advance, right? And so these have all been IPv6 capable for a long time. And basically, you know, from the American perspective, to quote one of our generals, he said, you know, in the future, with IPv6, anything with an electron will have an address, right? And the thing about IPv6 is, so you always see, I just saw yesterday in the news, it was saying it has a lot more addresses than IPv4. It is, that's not even close to the truth. Each one of us on planet Earth could have our own personal collection of 50 octillion addresses with IPv6. So it's essentially limitless. We can't even, our little minds now can't even imagine what to do with all those addresses. And so China, if you look at China, they're looking at basically the Internet Society Spokeswoman there has said that the future of the Chinese Internet is no anonymity. Currently, China just has one IPv4 address for every four of its citizens. But obviously, they have made enormous efforts with IPv6, and it had been building their intellectual property base here, all of the 2008 Olympics from soup to nuts. So start to finish, it was entirely an IPv6 operation. I do believe that it's a game changer. It's not a silver bullet, and it's not going to solve, there's still software vulnerabilities, user vulnerabilities. And one of the big problems with IPv6 is this long transition phase in which hackers are going to have a greater attack surface because they're going to be able to hit more network interface cards per host and more code stacks per nick, et cetera, et cetera, right? And so it's going to be a real challenge for system administrators to manage all this, and it's auto configuration. And one of the big problems I see is that there's a lot of operating systems and applications that are IPv6 aware, but vice versa, the cyber defense side, something like Snort out of the box today is not IPv6 aware, you have to turn it on, right? This should be an enormous blind spot today in global traffic analysis. Art of War. So Art of War, I'm sure you've read it or heard about it, if you haven't, it's well worth a read. But basically, everyone is using Art of War around the world to find a date, to be successful in business, to win in sports, and it's concise, it's easy to read, and it's very compelling. And so that's one reason it's lasted for so long. And considering it, just say the ideal military doctor, and you really can't read a modern military treaties without 10, 20 quotes of the Art of War, you could say, okay, this is the ideal, and what we're going to do is we're just going to treat cyberspaces domain of warfare, which militaries are going to do, it's a no-brainer, but can you use the Art of War in this way? And what are the differences of cyber? Here in the bottom, those two bottom pictures, by the way, are left and the right. This is in Syria, this is an alleged nuclear reactor. And if you've seen it in the news lately, the IAEA in Vienna is still very upset about this and is trying to get Syria to open to inspectors, and they won't do it. But this is the nuclear reactor before and after an attack that was almost certainly the Israeli Air Force that demolished it. But the key piece here is that it's been widely speculated that a cyber attack essentially turned off the Syrian air defense prior to the jets crossing the border. And so this age-old question now of whether an electronic Pearl Harbor or a digital Pearl Harbor is even theoretically possible has probably been solved long ago. Only we didn't hear it, we didn't see it, because as I saw in the news today, one of the speakers said that in Starbucks no one can hear a laptop scream. So that's pretty clever. But in my paper or in the book, I talk at least about 10, these were maybe the top six, aspects of cyber warfare that really, as I think of Sun Tzu and read through the text, I can't imagine that Sun Tzu wouldn't be quite surprised at these differences between the era when our generals grew up and today, what different things are. So some of these are characteristics of the cyber battlefield and some of them are characteristics of cyber attacks, but just think it's an artificial environment, entirely made by people, that you can in fact tailor to national security requirements. You can in fact, if you don't like it, you can change it. The geography, if you're planning an attack on your adversary and you've been spending months getting ready for the attack, what if they unplug from the net for routine maintenance the day of your planned attacks? The only equivalent would be an earthquake or a snowstorm in the real world. Physical proximity, everyone is a neighbor in cyberspace, and so the beauty, if I'm an American hacker and I want to hit an American bank, I route my attack through Africa, Asia, and Europe, and then I hit the American bank, right? And it might be down the street for me, but my attack has traveled through countries with which my government probably has poor law enforcement or counterintelligence cooperation, and so it's going to be difficult to find me. One of the things I think about too is the blinding development of technology. So even if you're the best intelligence service in the world, I think this is a very scary time for you because you cannot be sure that your adversary, your rival, your peer out there hasn't developed some kind of an attack of a zero-day that you don't know about, that you couldn't even conceive of. You can't imagine because you're coming up with such attacks, but so are they, and perhaps you will never know about it, right? And so this is a real challenge. Lastly, I'll just mention that I think there are a few moral inhibitions to hacking, and I think this is because, you know, in Aspen today, they're going to talk about what can we do as international diplomats to lower the level of essentially computer network operations, right, C&E, around the world. And I don't think there's much they're going to be able to do because I think probably all governments today are very tempted to take advantage of the vulnerabilities in the internet, and at the same time, they're aware that they're probably not going to go away, right? And so this is probably going to limit, you know, the ability of negotiators to come up with solutions. And I think it also reinforces the fact that you need a technical answer to the technical problem. You can't really have a diplomatic solution to it. So next, deterrence. So up on the top left is anybody recognize this guy? Wilkie Collins. Anybody read this guy? He's a contemporary of Charles Dickens. And he sort of, evidently, he's a great writer. But he also, during the Cold War, his name came back into prominence because he said back in 1870, despairing about war in Europe, he said, you know, we're only going to stop killing each other when we develop a weapon that will destroy the whole planet. Right? He said, I can't imagine it's going to happen until then. And so in fact, mutually assured destruction during the Cold War was in fact that, right? We had developed all these nuclear weapons that could destroy the planet. And so that was a major fundamental piece of security during the Cold War, was the fear that, you know, you couldn't attack your opponent and win, right? Because they had a second strike capability that would also, you know, end your civilization. So on the bottom right, this guy's name is Bernard Brody. And he is known as the American Klausovitz. And so in 1946, he wrote a book on nuclear weapons that is still very important in the field, in which he said also something very profound. He said, as soon as we developed the nuclear bomb, he said, the very purpose of armies has changed dramatically. And it's no longer to win wars. It's to prevent them, right? And so this is really powerful because he said, look, you know, all armies around the world, their number one goal now is to prevent us from getting to a nuclear exchange. And so I could talk more about these pictures, but I think I'll move on. It's an analogy with deterrence, but the point is about cyber attacks. I think that cyber attacks are their best thought of as a means to an end, a very powerful means to an end. But they're not an end in itself. But if you look at the New York Times and Department of Energy, what you will see is over the last probably 20 years, China has stolen technology related to our nuclear weapons program to a staggering degree, right? And this is all through C&E, right? And if you consider that it's a cyber attack, you know, but what is a cyber attack? Cyber attack gives me access to your computer. But what if you're a nuclear scientist, you know, at Los Alamos or something, then that makes that cyber attack, you know, a very, very powerful weapon. Now, it's not the end, but it's a means to a powerful end. So deterrence, the theory is quite mature. So it's easy to see if it's helpful in the cyber domain. There are essentially two deterrence options, denial and punishment. I can deny you the ability to gain a nuclear weapon. And this is why international diplomacy has so much trouble today with Iran and North Korea, is because they're trying to gain, you know, nuclear weapons and through the non-proliferation treaty they're not supposed to, right? In fact, not only that, but then those who have nuclear weapons are supposed to get rid of them. So denial of the technology is a fundamental piece with deterrence. However, it's hard to imagine that you can deny access to hacker tools and tactics. And that's a fact, right? I mean, look at us here today. You know, there's been over a thousand presentations given at DEF CON since it began. And we can sit here and talk all day about hacking. So denial is probably unreasonable. So then we're left with punishment. And on the requirement side for either option you have to be capable of enforcing deterrence. You have to be, it has to be communicated to your adversary in compelling terms. I mean, a big part of military doctrine is not only to prepare your soldiers for battle but to communicate to your adversary what will happen to your adversary if they cross a certain threshold, right? So this is really important. So with hacking, you know, not only do you have to be capable of attacking back but you have to communicate that, which we're trying to do. You've seen the Pentagon saying, you know, in response to a cyber attack, drop a bomb down your smokestack. And I think the STRATCOM commander said, you know, retaliation for a cyber attack will not necessarily be limited to cyberspace. So they're communicating. They're trying to communicate. But the fact is, I think, two key aspects of cyber attacks make deterrence unlikely. And that's attribution and asymmetry, right? So those need no, I think, definition for you. But basically, if you're trying to punish an attacker and you don't know who they are, that sort of negates the capability to respond, right? That's the attribution problem. And the asymmetry problem, when with Mafia Boy, you know, you can, at 15 years old, shut off, you know, many of the most prominent companies on the Internet and then head off for school. That's an example of asymmetry. And there's countless examples of asymmetry. And just think of the perspective of a student. If you're a student, instead of, you know, the older people in the room, when we were students, we used to have to go to the library at night and page through books. You know, what are books, right? But today, if you're a student and you think, I want to write about this particular topic, you log into an academic database and then you go into Thompson Reuters or something and you sort, you know, a search on your topic just by citation count. And in minutes, maybe two, three minutes, you've got a list of the top 20 articles ever written on the topic you want to write about. And you can print them off or save them to your desktop. It's a big difference. So attribution and asymmetry, I think really chip away at capability and credibility. So lastly, we have arms control. So arms control. I'm involved from the cyber center. I've gotten into a joint Russian-Chinese group that meets twice a year and we discuss the current state of diplomacy relative to cyber security. So it's been a lot of fun. We meet in the spring and Garmish in the fall in Moscow. And the Russians in particular have suggested that the chemical weapons convention be a model for a cyber weapons convention. So then at one of their big conferences, basically that we've had, I wrote a paper on it and presented it and I had it published in the Computer Law and Security Review as well. And basically, I thought it was quite fascinating, you know, because, you know, the idea that you can define a cyber weapon and then prohibit a cyber weapon and then inspect for a cyber weapon. This is really key because these are fundamental aspects of arms control, which is sort of coming to an agreement saying, I'm not going to, you know, buy this weapon. I'm not going to use this weapon. In fact, the weapons I have, I will destroy. So, you know, I don't want to go into all these, but, you know, a thumb drive today. This is, you know, the 256 gigabyte thumb drive, which a few months ago was about $700. Over two trillion bits of data on that thumb drive. And you can see one of the inspection vehicles at the top right. Bringing these two things together is really going to be a challenge, right? How do you inspect cyberspace? And so, again, with arms control, this is a fairly mature and well-defined domain. And so, what I did was, I looked at the Chemical Weapons Convention, and I came up with these five principles. And I think easy to apply or political will, you can find no end of political leaders saying that, you know, this is a threat to the world and we have to address it. A really funny story, if you missed it a few years ago, was that Angela Merkel from China, sorry, from Germany, whenever she was going to visit China, Spiegel magazine, right before she left on a major diplomatic or head of state visit, ran this expose on the fact that her ministry and many other German ministries had been, in fact, infiltrated by Chinese cyberspies. And so, that became the story of the day. Instead of, you know, regular diplomacy, it was all about cyberattacks. And so, really shortly after her visit, one of the most senior Chinese officials in an armed forces journal published an article basically saying, look, you know, we also are major victims of cyberattacks and we lose vast quantities of data and we need to come up with some kind of a strategy in the future to lower the level of tension. So, I'll skip over to the hard to apply. Basically, I think prohibition and inspection, and these are two fundamental aspects of arms control, very difficult to imagine in cyberspace because how do you define a cyber weapon? It's very, very difficult because, you know, the imagination of a hacker is big, right? And so, in fact, hackers are quite adept at guessing passwords, using default configurations to break into a system, et cetera, et cetera. And there might not be any hacking at all. There might be anything that looks like a cyber weapon. And so, it's very hard to define. Even last year in the month of May, Kaspersky Lab had over 40,000 unique specimens of malware. And there were so many of them that they couldn't really categorize them. So they said, you know, among these 40,000, these are suspicious, potentially unwanted, advertising, unknown, et cetera, et cetera, et cetera. And so, you know, you don't know what this thing does, right? I mean, there's this program. I mean, it's too hard to know for sure. And so, you have to sandbox them. You have to figure out. If you can't quite figure out, you know, you can't quite understand what all these things do, you have to try and figure out how to come up with a strategy for malware, as opposed to being sure that you know what each individual program does. And inspection. So, who is going to begin to inspect cyberspace is a good question. But don't put it past the politicians, though, to try to come up with some solution for this, right? You know, I think there are plenty of borders. We talk about the borderless internet, but I think, in fact, that's quite wrong. I think there are plenty of borders in cyberspace. It's all to our benefit to keep it open and free for sure. But I mean, you look at Berman 2007 and when they have a pro-democracy uprising and the government squashed the protesters, they turned off their connections to the internet for about two weeks, right? And so there was no connectivity between that country and the rest of the world. So anyway, inspection is a real challenge that I think, for arms control, chips away at it. So let's get to this thing called Demetel, the decision-making trial and evaluation laboratory. So the first step here is to try and put your ideas in buckets, like cards on a table or you name it, maybe wine tasting or something. Whatever suits your fancy. The 10 boxes on the left, I presented at Black Hat in 2008, a paper called Cyberspace and the Changing Nature of Warfare. And I looked at those 10 issues. And essentially those are threats, you know, traditional threats to national security. And then I looked at the cyber attack advantages. What is it about a cyber-enabled attack that is different? How is national security different than it used to be? You know, and a national security threat hasn't changed, but essentially the internet has provided a means to either amplify the threat or to make it more specific, to make it quicker. However, I mean, but again, there's all kinds of ways you can look at it. Like an example like WikiLeaks, one, maybe point of information, maybe a classified database, and you're broadcasting it to the world, right? That's an example of, you know, this. But if you're looking at Stuxnet, you know, that's taking advantage of the connected nature of everything today to dive in on a particular point, right? So they're really two different examples, I think, but both of them illustrate the amazing change in terms of national security that has taken place. So then look at the CIA in the middle and a couple of targets, but then on the right, that's what I've spent the last couple years doing is publishing on these four things, particularly, you know, deterrence and arms control, Art of War and IPv6, and basically on, you know, trying to think of them as a national strategy with which to mitigate the threat, right? In Europe, this was funny, mitigate. Everyone was so excited. I mean, you probably know what that word means, but that was really a new term to all the Europeans that I tried to present this material to, and they're all writing it down and looking it up online. So this slide is a blow-up from the book. It's not quite that clear, but essentially you've got this national security threats and the targets, and then you've got those advantages matched with, say, the traditional attack categories brought together to amplify or make more specific or make easier recon, you name it, lose physical distance between adversaries. And then you've got basically the strategies, the four strategies we're looking at, you know, and those can come directly from the national security apparatus that is being affected to try and mitigate the threat or take those advantages and reduce them. And so, again, just to recap the four, each, I think, will be tried. It's not a matter of is either or. All of these things, governments are going to move to IPv6. They're going to try and update military doctrine. They're going to try and deter cyber attacks. Even if it's, you know, even if you can't hit somebody in a military sense, you could still collect data on the intrusion and publish it, right, and embarrass someone and say, look, your hackers are in my network. Get them out or else, you know, there's more that you can do besides military, diplomatic, economic, peer pressure, whatever it is. So each will be tried, but it's really just a partial solution. So the next thing you do is you put these things, and I chose just in specific those things that I presented at 2008 Black Hat, I chose the advantages and the mitigation strategies, put them in a square matrix, and this is real simple. It looks, you know, there's 81 squares, but basically all you do is you sit and you think, right, and you drink coffee or beer or in Estonia, you sit in the sauna and you drink vodka, and you try and come up with a number that is the relative influence between the two concepts. And I wouldn't get it hung up on any one of these because I'm sure there are mistakes and you would have your own, but the cool thing is is the mathematics is really simple and you can tailor a matrix very quickly, actually, to your own needs. But basically you can see here there are rows and columns, and if you look across the rows, this is the influence that the concepts are projecting into the matrix, projecting into the system. And then if you look at the columns, they're the same concepts, but it's how they're being influenced by the other concepts in the system. So it's real easy and I'll show you in a second more clearly, but basically you add the rows and you add the columns and then you can do more creative things. If you add the rows, what you get is the direct influence, and so all you're doing is adding those numbers across. And the clear winner to begin with in the first matrix is anonymity, and I do believe this is quite logical. The most important factor today in strategic cybersecurity is the anonymity of an attacker. The reason is because deterrence, retaliation, prosecution, pressure, you name it. If you don't know who's attacking you, none of those things are going to work or at least work very well. The second thing is the myriad IT vulnerabilities that they have that they can attack. So there's about 100 additions to CVE every month. And so that provides an enormous amount of room of attack space, and there are zero days. And if you're talking about a military or an intelligence organization, they have signals intelligence, they have human intelligence. If they want your password, they're probably going to listen to your phone call. And they're going to get it out of some out-of-bounds channel. And so what does that do? I mean, that's sort of a nation-state threat, again, that really separates nation-state from any other organization, is just the engineering resources, the money, and the time horizon and the mission that they have. So down at the bottom you have deterrence and arms control. And I think that's also quite intuitive because these things rely on politics, rely on diplomacy, trusting an enemy to do something. And so it's not surprising that they're going to be down, I think, at the bottom of the list. Now that was adding the rows. If you add the columns, if you can visualize the matrix again, just add the columns, it's how each concept is being influenced by other concepts in the matrix. And what you see here, what I call, for the purposes of my book, is susceptibility to influence. And so at the top you have cyber-attack deterrence. And I think, again, it's purely political military calculation. It's subject to the human failing, psychology, et cetera. And so there's no surprise that it's at the top of susceptibility to influence. At the bottom, and this is going to be key for the final result, is IPv6. And IPv6, it's not surprising, it's at the bottom because it's just technology. It's not susceptible to influence in the way that politics, diplomacy, et cetera are. Now also, a real challenge here is that the two top factors on the previous slide, anonymity and IT vulnerabilities, these are the two most dominant factors in the system. Also, from the bad guy, on the bad guy's side, these are the two hardest things to influence. So this is going to make not only those two concepts powerful in the system, but this is going to make them even more powerful in the system. And you'll see that in a second once I run the numbers. But not only are they projecting influence into the system, but they're not receiving too much influence from the other concepts in the system today. So another thing you can do with Demetel is draw a nice causal loop diagram. And so this is simple. This is only at the level four. So this is only if it does or if it has the potential to affect the other concepts in the system. And it's colored lighter or darker based on the number of arrows it has leaving it to other concepts in the system. And you can see how anonymity is the darkest color and the two lightest, in fact they are white, is deterrence and arms control. Because they're not affecting anything at a high level, at least yet. So here's what Demetel does well as it figures out how, in this case, C is affecting A. Even if C doesn't really affect A or have a low level, you know, if somebody in the front row has an influence on somebody in the second row and somebody in the second row has an influence on somebody in the third row, if you think about it is absolutely for sure that somebody in the third row is going to be impacted by somebody in the first row. You get the general idea. And that's what Demetel does. Basically it's very simple mathematics that basically, if you look back to the other, you'll see that nothing in the beginning matrix affects itself. Those are all zeros down the big diagonal. But if you jump down after Demetel has done its mathematics, everything affects every other thing in the system with indirect influences. So that means it also impacts itself. So that's how you see the numbers work. And you can see all the numbers change. You can still see, based on the darkness of the color at the top, that the cyber attack advantages are still much stronger than the mitigation strategies. However, things do move a little bit in the system. So this is an index that is a little bit more, takes more time to analyze. But what I'll point out is that the total influence, it's essentially, what it's trying to do is say that whether it's receiving or giving influence, if you add both of those factors together, you get something called total influence, which makes it a critical factor in the system. So anonymity, for instance, is still at the top of the list, but not only does it give a lot of influence, but it has a certain amount that it's receiving. A better example is inadequate cyber defense. Here, it's people, it's training programs, it's salaries, it's processes, you name it, acquisition. And that, I think, is a good example of in this particular index showing you that inadequate cyber defense, that means hiring the right personnel, getting them certified, getting them focused, taking them out so that their morale is high, et cetera, is important, is in fact quite important. Because as soon as you have the ideal computer network defense personnel working for you and they quit or go to start their own company, you can imagine the impact on your enterprise, right? So this is trying to point out critical factors in the system with total influence. But what Dematel does on the next step, basically it takes the first row and then subtracts the second row for a new number. And this is what Dematel is really trying to get at, is which are having a positive influence into the system and which are essentially net receivers of influence. And you can see that anonymity and IT vulnerabilities, those are the clear winners after Dematel has finished its mathematics. And the two losers are arms control and deterrence. So everything else is kind of in the middle, but at least based on my writing and this Dematel analysis, the two top factors in cybersecurity pushing influence into this is the dominant players are anonymity and IT vulnerabilities. And the two weakest are arms control and deterrence because they are just ideas that we're only beginning to articulate now. However, the winner in my research is, you probably already noticed, is IPv6. And you can see that after the Dematel calculations, basically it jumps ahead of some other factors in the system including three of the cyber attack advantages. And so for me, you have to interpret all these results. My interpretation is that the susceptibility to influence index, basically one way you can look at that is reliability, right? If a table is relatively secure from influence because there's not that much you can do with it unlike, say, a person, it has a higher reliability score. And so IPv6 has a fairly high reliability score because it's pure technology. It's something that you can count. Like for scientists, it's something that you can calculate. It's something that you can configure. And so in this case, you see that anonymity is the dominant player in the system, I believe, in strategic cybersecurity today because if you can name your attacker, essentially you can deter, you can prosecute, you can retaliate, you know, capture, kill, right? Your adversary. And the only factor that is potentially affecting anonymity at a high level is changing the technology, right? Is IPv6 in this research? It's because, you know, I believe that in the future, also if you think about it, the level of encryption on the Internet is rising every day. And then with IPv6, you have auto-configuration, you're going to have mobile devices coming in and out of your network. I think that in the future, as scary as it sounds, white listing is going to be much more a part of our lives, not just black listing, trying to stop bad IPs from hitting you. If everything is encrypted, you are going to more than ever want to know who you're communicating with and who the people in your organization are communicating with. And so how are you going to do that? You're going to try and authenticate them, right? You're going to authenticate them with IP, SAC, DNS, SAC, telephone, you know, biometrics, you know, however you're going to do it. But you're going to want to be sure who you're communicating with because everything is going to be encrypted, right? And so that's why you need to affect anonymity. Not only do we need to affect it today, but as everything gets encrypted, it's only going to be more pressing the concern. And so the one factor in my research that I think with a high level of reliability can affect anonymity is a technological solution, not a political solution or a diplomatic solution. So here, these are the cyber attack advantages. They don't change, but the mitigation strategies after the calculation of indirect influence do. The winners were IPv6 and then arms control passes deterrence. Deterrence was essentially what? It was military political, and arms control was political technical, right? Even though it seems very challenging to try and figure out how to inspect malware or to prohibit malware, at least it gives you something to work with, right? And it gives you hopefully something that computer scientists can work on. And so in conclusion, I would say from the tech, military, political technical, military political, $200 to spend, I would suggest that you focus first on fixing a technical problem with a technical solution and then updating your military doctrine and only lastly trying to sign some sort of international diplomatic political agreement. And I'm by nature quite an optimist. So that's against my better judgment. These are the publications that went into the book. And again, it's a free download, so the price is right. And feel free to email me or call if you have any questions or if you'd like a hard copy for your organization. So many thanks for your time and all the best.