 Good morning. My name is George Perkovich, I'm a Vice President for Studies here at the Carnegie Endowment. Also a co-editor of the book that we're here to launch, Understanding Cyber Conflict, published by Georgetown University Press. And thanks to the generosity of the Hewlett Foundation, the book is also available online to be downloaded for free on a chapter by chapter basis or in its entirety. If you're interested in doing that as opposed to buying a hard copy outside or through your favorite bookseller, you could just Google Understanding Cyber Conflict and you'll see the link or go to the Carnegie website. I just want to say very briefly, the impetus for the book were a number of discussions that we had over the last few years with senior policy makers in about 10 countries trying to get their sense of how they were understanding the cyber challenge that they faced. And many of them spoke about both the natural tendency of themselves and their colleagues or their seniors to use analogies to think about cyber, because that's the way human beings tend to think. And these people that we were talking with, many of whom were professionals in the cyber domain, were saying a lot of time the analogies are misleading and it would be great if somebody would help us unpack those. And one of the people who really encouraged us to do that is on a panel later, Emily Goldman, and she and John or Kia had done an earlier version of book of cyber analogies, but thought it could be built upon in advance. So that's what we've done here with 14 chapters by different authors looking at key analogies relating to what are cyber weapons like and what might cyber conflict be like. And then the third section is on what might managing cyber conflict be like. So that explores policy options. And like I say, if there's a particular analogy that interests you or a particular challenge, you can kind of download it separately or read it separately, but the book hangs together quite well. What we're going to do now is we're going to begin by having a discussion with my colleague Elie Levita and Mike Morrell, who is graciously joining us. Mike is the former acting director of the CIA. He's with Beacon Global Strategies. He's also the author of a fine book, The Great War of Our Time, which I have read and profited from and urge you to read too. It's a memoir, but also a history, a recent contemporary history, particularly regarding the war on terror. So Elie and Mike, we're going to talk for a while and then we'll bring the panel. Thank you. And good morning to you all. We are fortunate to have Michael here because he's been thinking about these issues long before we started working on the book or even on the original cyber analysis. So with that perspective, Michael, what do you see merely all dynamics playing out in a new technological realm? And what do you see as something that is novel in its aspects, its implications, its consequences, and so on. So first of all, it's great to be here. Thank you all for coming. It's an honor to be up here with my friend. I think it's the question you ask is a fundamental one. It's really critical to how we think about this going forward. I'm part of that group who thinks that cyber is a new domain. Air, ground, sea, space, cyber. I really think about it that way. And I think that's true. And I think it's also true that we feel that we're struggling with this a little bit. And the very fact that you wrote the book and the very fact that you looked for a methodology to try to understand these issues is a reflection that we feel we're struggling with this. People feel that the United States government is struggling with this. Other governments are struggling with this. The private sector is struggling with this. Everybody's struggling with this. And I think when you put those two things together that this is a new domain and that we're struggling with it, I think there's a tendency for people to leap to the conclusion that this is fundamentally different somehow. And I don't think it is. I really don't. I think that a lot of the tools and policies that we use to manage security in the other domains can be used to think about and manage security in this domain. I think deterrence is a great example of that. One of the most interesting questions is why haven't we had a significant cyber attack on critical infrastructure? Why haven't we had the cyber version of 9-11? Why hasn't that happened? And I think the answer to that, despite that was the warning we heard from the intelligence community over and over and over again, is the thing that Secretary Panetta talks about all the time. Why hasn't that happened? The answer is because I think deterrence works. A significant attack on critical infrastructure would not be under the radar, would require a significant response from the nation state that was attacked. And I think the adversary knows that and they won't go there because deterrence works. I also think it's very similar in another interesting respect. And that is that covert operations are much more difficult to respond to than overt operations and therefore more difficult to deter. And that's true in the four domains that we've lived with for quite some time. And this new domain, in the physical world, one of the things that always struck me, and I've thought about this for a long time and I've never really figured it out and I think it would be a great PhD dissertation, is that the Iranians dating way back to the first Beirut bombing, the bombing of the U.S. Embassy in Beirut, have killed Americans. Beirut Embassy bombing, Marine barracks, cobar towers, providing EFPs to Iranian Shia militia, to Iraqi Shia militia. And the United States never responded. Any of those. We never responded. And the key reason, I think, is because they were covert. And it's very difficult when something is covert to have the degree of confidence that you need, that somebody actually carried it out. And it's very, very difficult to put a predicate on the table for your public to say, here's what they did and here's how I'm going to respond. I'm going to respond by bombing the Quds Force headquarters in Tehran. The exact same is true of cyber. Cyber by its very nature tends to be covert. And therefore it becomes difficult to respond to. And that's why you don't see a lot of response to the type of cyber activities that we see today. So I don't think this is fundamentally different. If you think about the other domains, Ellie, the ground domain has been around since the history of the first human. The sea domain has been around probably just as long. The first time somebody put a boat in the water. The air domain has been around for only about 100 years. And the space domain for 50, 60 years. This domain for 10, 15, 20. 10 in a significant way. So we're just at the beginning of working through how to think about it. How to think about what the, how we want to use it to our national security advantage. How our allies want to use it to their national security advantage. How our adversaries want to use it. What they're learning. You know we were just, we were just talking for example about, I don't, I don't believe the intelligence community provided strategic warning on the Russian weaponization of social media. I certainly can't find it in any worldwide threat testimony going back any length of time. There's a lot of talk about 9-11 style attack on critical infrastructure. There is no language in any of those documents about one of our adversaries using social, weaponizing social media against us. So our adversaries are coming up with creative ways of using this domain against us. And we're trying to figure out how to protect ourselves. We're trying to figure out how to think about it. I think one of the really valuable things about your book is I think it's a major advance in helping us think about it. I think the other thing I'd say, and then go to the next question, I think the other thing I'd say is the objectives of the adversary are exactly the same. They haven't changed. So it's been Russian policy for a long time to undermine the United States of America wherever it can in the world. To weaken us, to undermine what we're trying to accomplish in different parts of the world. That's been Russian policy. And now they've got a new tool to do that, social media. But the fundamental objective hasn't changed. So that's kind of, I don't think it's fundamentally different. So let me then try and summarize in my own mind what I think I take away from you but also what question I'm left with. The domain, the technical operational domain is different. The motivations are not. Tradecraft is not. But maybe the policy dilemmas are somewhat different. So I think, yes, I think so. So there are differences of degree here. So I can't think of a single policy dilemma that is only true of cyber that isn't true in one of the other domains. For example, one of the big, one of the big policy issues in cyber is the tradeoff between security and price. It is possible for our government to do a much better job of protecting us from cyber threats. It is possible. Close the internet off to the rest of the world. Nobody wants that. Nobody wanted, not a single person in this room would advocate for that. But that's possible. That's what other countries do. And if you think about it in another way, right, the security of your home and your neighborhood, right, police drive around all the time. They might even flash a flashlight on your bushes. But that doesn't bother you. That doesn't get at your sense of privacy and civil liberties. But to really understand what somebody's doing in cyberspace against you, they got to get inside that cyberspace. And that starts bothering you. But that security, privacy, tradeoff is true in some of the other domains. Absolutely it is. It's just more true in this one. You know, another example of where this is more significant in cyber is the use of offensive cyber for defensive purposes. So when you see, when the government sees an adversary about ready to conduct an attack, does the government reach out and destroy that server? Or is it about ready to attack a U.S. company or the U.S. government? Oh, that's a huge question. That's a huge question because that server is not in Iran or North Korea. It's in Switzerland or France because they've hopped multiple servers, right? So that would be the physical destruction of a server. In Switzerland, that would be conducting war against Switzerland, right? So it's a big, big deal to do that. That's a particular problem in cyber, but it also exists in physical space, right? IRGC officers in Syria or in Yemen, right? What do you do about that? Well, it makes it much more complicated, right? Even in physical space. So I think there are some issues that are of heightened importance, policy issues that are of heightened importance here, but I don't think they're completely... And the number of players and the type of players in this business. You think, does fundamentally change the policy debate? So to me, the fundamental adversary is the nation-state. Nation-states have most of the capability. Organized crime is absolutely an adversary, but there's a relationship, significant relationship between, as you all know, between nation-states and cyber-crime organizations. In some cases, the nation-states are hiring the cyber-crime organizations to do their work for them. In some cases, it's the same people doing the work, one during the day for Russian intelligence and the other at night for Russian-organized crime. In most places on the planet where cyber-organized crime is a significant problem, the state abets it. After that, I don't particularly worry about terrorists in cyber. In the narrow sense of cyber attacks, in the use of social media to get their message out, that's a whole different issue. But I haven't seen terrorist interests in using it to do damage. Terrorists like things to blow up. They like blood and death. Cyber does not cause that. In fact, I can't think of a single death caused by a cyber attack today. Maybe I'm wrong. Hacktivists, right? People who just have some social movement they're supporting. It's a pretty small problem. The insider threat is significant because of the access that an individual has, but in totality... It's not cyber-specific. It's not cyber-specific either, right? So I think the nation-state is the fundamental actor here. Going forward, we need time. But what is kind of a policy recommendation would you make about the things that need to evolve as we get better to deal with the confrontation in this new space? So the reason I like the book so much and I'm on the back saying nice things about the book, you should all buy the book. You should all buy multiple copies of the book. Thank you, Michael. You're welcome. The reason I like the book so much is because it's a serious effort to start thinking about your very question. And you and I, when we first talked about this, we were at the Four Seasons, not too far from here, having breakfast and we were kicking around ideas. I think that we have the capacity to be creative and innovative to think about how we deal with this problem. For example, the three big uses of cyber at the moment, before I think I'd say now, post-election, cyber espionage, cyber crime, and cyber coercion. Cyber coercion is what the Iranians do when they attack U.S. financial institutions, when they attack Aramco, et cetera. Those are the three fundamental cyber issues and I think the fourth is now the weaponization of social media, which by the way did not end with the election. It is happening to this very day. Russians continue to use social media to try to divide Americans, to try to deepen social, racial, ethnic, gender divisions in the United States trying to weaken us. It's happening this very day and it's happening in other countries in the world and other countries are starting to use the tool themselves. There's some evidence, for example, we were just talking about this upstairs, there's some evidence that the Chinese are now using this same tool in Australia. This is going to spread. That's the fourth. What do we do about these? If you're in a sit room and you're having a conversation about what do we do about them? Let's take cyber espionage for a second. Part of cyber espionage I don't want to do anything about because I want to be able to do it and you want me to be able to do it. I think cyber espionage for the purpose of collecting national defense information, perfectly acceptable. When the Chinese got inside of OPM, my thought as an intelligence officer was, good for them, good for them. If I had the opportunity, if I were the director of NSA, if I were the director of CIA and I had the opportunity to steal that same exact information from them, I wouldn't have had to ask anybody permission and I would have done it. Bad on us for not protecting it. Certain aspects of cyber espionage should be acceptable. I certainly don't want to stop doing it because it's a valuable tool to protecting the United States of America. The part of cyber espionage that is not cool, is that we have to do something about, is the stealing of intellectual property for the purpose of enhancing the competitiveness of your own companies. Which the Chinese continue to do, despite Xi Jinping's commitment to President Obama to stop. How do we do that? How do we do that? Well, one way, you and I talked about this a year ago, or a year and a half ago now, and there's some indication that there's some movement in this direction, is to treat it as an unfair trade practice. So if the Chinese steal intellectual property from U.S. steel companies, which they did, it's actually indictments, and that should be a WTO case, or that should be an FTC case that requires a remedy. That requires a financial remedy. So that's an example of a creative way of thinking about this. On cyber crime, I think there's two possible creative ways of thinking about it. If you were sitting in the sit room talking about this. One is, there was a time when Chinese industries were selling dual-use products, dual use for civilian use and military use without a lot of controls. And many of these dual-use items could be used for WMD programs around the world. And the West put a tremendous amount of pressure on the Chinese government over a considerable period of time to get these dual-use items under control, and guess what the Chinese mentioned? And they're doing a pretty good job of it. So in terms of cyber crime, we should be putting a tremendous amount of pressure on governments who are either abetting and assisting or turning a blind eye to cyber crime. Naming and shaming, diplomatic pressure, sanctions if necessary. It should be on the front page of the New York Times, David, Washington Post. That's the way you get people detention. Another aspect of the cyber crime is some sort of international organization that focuses on it. That is able to follow up pretty much instantaneously to try to find out who the perpetrator was and then go to that government and try to get action. If you can't get law enforcement action, then you turn back to the diplomatic approach. And this is not rocket science. I think the tools that we use in physical space can be applied in cyberspace. We just got to think about them. I think there's a danger, and I saw this around the sit room, and I see it in debates about how we should respond to what the Russians are doing to us, that if we get attacked in cyberspace, somehow we have to respond in cyberspace. And we don't at all. If we get attacked on the ground somewhere, somebody blows up an embassy, we don't just respond on the ground. We respond using all of the physical domains. And we should think about cyber that way. Coercion is probably the hardest to deal with because people like the Iranians and the North Koreans who are using coercion are smart enough to stay under the red line. They're smart enough not to go far enough that requires a significant response. And so that's probably the hardest to deal with. I don't have an answer here, but there's a lot of smart people thinking about this issue and there's a lot of smart people in government that there's got to be answers to all of these things and we just got to work on them. I would just add that there is a premise there that we didn't discuss but maybe put up at worth just noting that in the military space the application of cyber is like applying any other type of tool of warfare and therefore lends itself to the same rules of the game, logic of employment and so on, right? So therefore we kind of singled out where we think the creativity is required. The reason I didn't talk about cyber war is because I don't think it would be used absent a hot war, right? All right, perfect. Question from the audience? Just lift your hand. Don't be shy. There will be a microphone rotating there if you have any questions about the book. So how do you determine the intent between stealing secrets for national defense information versus stealing those very same secrets for the purposes of intellectual property, right? So for instance, if a hostile nation steals information on stealth technology, are they using that to... It can go two ways. Use it to build counter-detection measures or apply that to their own aircraft, right? It's still the same act, but there's two different outcomes. Right, so the question is, do they share it with their own industry, right? For the purpose of a competitive advantage. That's the difference, right? The United States of America has never done that. Most of our allies, not all of them, have ever done that. It's not like we did it once and stopped. We've never done that. That's not how we think about who we are as an economy and how we operate. So it's whether you share it with your companies for the intent of a competitive advantage. Question here, please. Never mind, then we'll go to the first one. Thank you. I'm Peter Shetley, retired Foreign Service Officer, and I was on the U.S. Start Delegation in the early 80s in Geneva, and my question is the prospects of some kind of an international accord or treaty or something to control cyber in some way. Where I'm coming from, and this is sort of an initial thinking, is we could talk to the Soviets about nuclear weapons by saying things like, what you're doing here, we consider a threat, explain what you're doing and why you're doing it. I'm not sure that analogy works in cyber. If you tell the other side what you're worried about, you're revealing your weaknesses. So my question to you is, what are the prospects of some kind of an agreement that restrains cyber warfare potentially among key countries? Thanks. You've thought about this more than I have, actually. Well, there are inherent challenges in applying it, and yet we firmly believe there is room for trying to develop rules of the game in that space. At the moment, the biggest challenge with cases like Russia would be that they won't let themselves engage in that kind of a sincere dialogue of the nature that is necessary, and clearly verification is much more difficult of a challenge in this space. Having said, I think what Mr. Morell has referred to in terms of the U.S.-Chinese dialogue and the ability to then follow up on it through diplomatic channels and so on is just one example. And I would add that one would start with an effort to try and codify some expectations. As a first building block, and those expectations could be conveyed privately, could be conveyed publicly, could be the building blocks of some broader understanding. So I don't think we are likely to see treaties and conventions emerge anytime soon, but I think the mere calibration of expectations and the gradual evolution of rules of the game is both necessary and within the realm of the possible. We have to think very hard about the question Mr. Morell has referred to, which is where do we really want those rules and where we don't because we believe that, for example, spying in cyber and national security purposes is perfectly legitimate, leave it to its own kind of rules of the game that are unspoken? You know, maybe a very specific example, I mean, I agree with all of that, maybe a very specific example is we started a conversation within the WTO about industrial espionage, right? And boy, that's a tough place for the Chinese to be in that discussion, right? Because most of the players are going to have a pretty firm view here of what's right and what's wrong. And so it's a good place to start thinking and start a conversation where you might be able to get to some norms. I'm John Quinn, a lawyer in private practice. You're in Washington. We were comforted by your statement that there are plenty of smart people in the government and many of those have had the opportunity to sit in the situation room that you referred to dealing with these issues. We've also seen, particularly this year, examples of senior government people disregarding science, having a completely different idea of the techniques that are, the judgments that are relevant to national security, et cetera. Do you have reason to believe that the same level of judgment and science is being applied by our government under the current administration that you've referred to? Yeah, so I'll say two things. The first is this too will pass. Guaranteed. The second thing I'll say is that Rob Joyce, who's doing cybersecurity for President Trump, former national security agency officer, a very, very talented person, ran the offensive program at NSA, I think is thinking about a lot of the things that we just talked about and is pushing forward pretty aggressively and he seems to have the running room that he needs from the administration. So I'm actually heartened by what I see Rob doing and certainly not ready to solve the big question of what is the government's role in all of this and exactly how is the government going to play with the private sector. But I think Rob's made a lot of progress and I feel pretty good about that. Thank you. One last question from the audience. Yeah, go ahead. Bobby Pastron, repurposed public health official. This discussion has been about international affairs and international relationships. Can you talk briefly about the application of these same ideas within a nation, for example, domestically within the United States, where companies or other actors might be using these cyber tools in relation to other national organizations, businesses? I think, I mean, I hope, if somebody's here from the FBI, maybe they can correct me. I hope that most of the illegal cyber activities aimed at U.S. entities, whether they be persons or companies, are coming from outside the United States of America, not from entities inside. There's probably some of that, but I would think it was pretty small. We have not talked about the importance of security here. It's absolutely critical. There was a great article in, I thought a great article in the Cypher brief last week or two weeks ago that really posed two really interesting questions. One was the first one I raised earlier, which is, why hasn't there been a major cyber attack on critical infrastructure? And the second is, despite all of the warnings and all of the risks associated with cyber, how come we're still so bad at cybersecurity? Why do people pay so little attention to cybersecurity? When these big companies test their employees on phishing attacks, why do 25% of the employees still click on the link? What's going on here? And so security is really, really important here, both to defend ourselves and for the sake of deterrence. Because as you all know, basic deterrence theory is denying the adversary his or her objective and then imposing costs. Well, the denying the objective here is security. And as I said earlier, the problem with the OPM hack was OPM. And so security is extraordinarily important here. I think part of the problem, I think part of the problem, and time will sort this out too, I think part of the problem is that there are too many cybersecurity companies. And there are literally thousands and thousands and thousands. And the way I think about cybersecurity is sort of a tree with a bunch of branches. And each branch is something that you need to do to protect yourself. And the vast majority of cybersecurity companies only deal with one little branch. They don't deal with a whole tree. So there's a bunch of people showing up at your company all the time who say, I'm here to protect, I'm here to solve your cybersecurity problem. And CEOs and COOs and CIOs and CISOs don't know what to do. There's just too many. And what they really need is somebody who can deal with all those branches. And so I do think that eventually there's going to be a significant consolidation of the cybersecurity business, right? If I were a PE firm, I would think about finding the best in class for every one of those branches and start buying them up and building that one company. So I think eventually we're going to have four or five companies that do the whole tree. And that consolidation is going to have taken place, but it's going to take years. There's a lot of money to be made there, I think. But I think that's one of the reasons why our security is not as good as it needs to be is because people are scratching their heads about what do I do here. There's just too much out there. I would just compliment the answer and then hand it over to George with two very quick remarks. One is this is a very international issue. The book is basically US-centric, but we definitely want to encourage a follow-up that brings international perspectives on this issue and so on. So hopefully that will be a next stage. But the second one, one of the unique challenges of cyberspace in trying to think through about policy solutions is that the dividing lines between domestic and international are more blurred than they are in the physical space. That big corporations are becoming a global player in this domain and so on, which is another complication. But just as to try and wrap up on the point that Michael had made earlier, the question is how do we use the instruments that are currently available for policing the domestic space. And I'm not talking just about government things like insurance companies. That would be the one that would set the standards of what is expected of you. Or litigation, or other things that would then ultimately drive the creation of order in that space and so on. And clearly also government interventions that would say if this has international implications, you are likely to face extradition. You should understand that and so on. So we need to create kind of a hybrid of instruments, and that's one of the other issues we're working on. So thank you, Michael. He will remain in the front seat for a little while longer. In cases, part of the follow-up discourse, you may have another question that just came to mind. So George, over to you. Great to be with you. Thank you. Well, thanks. That was a great start. I want to pick up just briefly on the point that Michael was making at the end there about the importance of security and how inadequate it's been only to say that there's a great chapter in the book written by John Arquia called Harbor Lights that goes back to World War II to explore why the east coast of the United States, the cities left their lights on for months which enabled the U-boats to destroy shipping coming out of the east coast early in World War II and what it took finally to get those lights turned off. And it's an apt analogy because the short answer is basically the mayors and businesses didn't want to undermine business in the evenings in their towns and cities. And it's a private sector issue and what the limits of government were in order to foster that kind of security. And so there is this kind of, especially in this country, when so much is left to or where government is excluded from so many functions and it's private actors and there are millions of them, how do you motivate the kind of security behavior that you need? So I would commend that chapter to you. I want to try to draw out some of the other themes that run through the book and I want to start by asking Emily Goldman who is a senior advisor to the commander of Cyber Command who's also the director of the National Security Agency and Emily wrote the chapter on Pearl Harbor in the book. But I want to ask a little bit broader question of Emily and this draws on the discussion we just had about Russia where there's another chapter in the book by Stephen Blank that looks at Russia's behavior. And that chapter isn't really an analogy but rather it looks to the beginning of the Soviet Union and through the 20s, 30s, 40s, 50s how then Soviet intelligence services used information warfare and believed in information warfare as part of the general political struggle against largely the western world. And the chapter was written before the revelations of the 2016 election came out but it's remarkable to read it and I urge you to read it because you're just going to nod and go, uh-huh, uh-huh, seeing that it's very consistent. And so the question to Emily to start is in your thinking broadly about let's say the last 20 years with cyber experience is it most often the case that a country assimilates cyber technology to its normal operating procedures and it's kind of the similar institutions command it and conduct the operation so they're assimilating technology or do we see the technology actually changing fundamentally the behavior, operation, strategic culture of a country? First of all, thank you and I'm going to thank Carnegie and also you George and Ellie for taking the idea that we had in 2012 to explore cyber analogies as a way to help people think through some of these complex problems and then taking it to the next level. Also for truth in advertising the paper or the article in the book was actually co-authored with Dr. Michael Warner back there who is the command historian for US Cyber Command so anybody who's got any question about the history of where we've been, this man is writing the history. He actually has a great chapter that he's so authored on intelligence and kind of how cyber changes intelligence or draws from kind of the history of intelligence. And I would just say that I'm kind of echoing what Michael was talking about in terms of thinking about cyber not as something different. I mean there are aspects that are different but I think we've come to believe that many of the things that you do with cyberspace operations you do them with operations in the physical domains as well whether it's intelligence and reconnaissance, targeting fires, et cetera and I think that it also follows the pattern of a diffusion of past military innovations. That we're at a point, I would say it's almost equivalent to the 1920s with air power where you have the emergence of a capability and you've got different countries that are experimenting with how to do it, how to use it, how to fit it into their existing doctrine and organizations and they're experimenting with that and they're learning from each other as well and I think that's where we are in cyber in terms of just the beginning of this journey. I think it's also a reason why it's going to be difficult to get international agreements on limiting it because if I go back to my favorite period in the 1920s once again you did have arms control agreements but they were on battleships which was a mature technology. You had no agreement on submarines which was a new technology. Countries are not willing to limit and constrain themselves on things that maybe they think they can leverage in unanticipated ways. It doesn't mean it can't happen, it just makes it more challenging. So that would be my kind of overall take on what we're seeing. Let me ask another broad question for... I'll start with David but for either of you. And again it draws a bit on the discussion with Michael earlier and it has to do with deterrence and Michael was talking about how we haven't had a major attack on critical infrastructure in part because deterrence works and at the same time when something does happen whether it's the manipulation of social media or want to cry or other ransomware people say what's the failure of deterrence and we're not succeeding. So I guess the question is... I'll start with David... is deterrence which basically became a dominant concept from the nuclear age. Is it important and helpful or is it misleading that so much of our discourse and the expectation is about deterrence? Do we need a different way of thinking about that? Well it's a fascinating question. Let me just start by saying this is a great project to work on and for a news correspondent who spends their time looking at the individual incidents and so forth the opportunity that you George Gaven and Ellie and everybody else involved in this project to sort of step back, write a chapter of the book I did the drones and cyber comparison but mostly to hear the discussions about this I found just enormously helpful not only intellectually but also just in thinking about how we formulate coverage of these issues so I urge people to read it just because it will change the way you are thinking about these. Deterrence is a fascinating question because as the nuclear chapter makes clear and other work you've done almost every question that comes up in nuclear deterrence also comes up in cyber deterrence and almost every answer is different. So for example, mad doesn't work out here because there is no assured destruction in cyber. In fact, as Mike pointed out rightly if somebody isn't even willing to go take out the power grid from say Boston to Washington which would be hugely devastating but not devastating on the scale of a nuclear attack from Boston to Washington what does that tell you about what works? And I think the answer lies a little bit in what Mike was saying before about covert versus overt. It would be hard to do a covert attack on the power grid. I just sat through two weeks ago grid X which is a once every two year exercise that the power industry goes through and in this case we're simulating a combination terror attack and cyber attack against a whole host of different critical elements of the grid. And two things struck me out of this. One was the government players weren't thinking very much in terms of deterrence. And secondly it was going to become pretty clear pretty quickly where the attacker came from even if you didn't know exactly who the attacker would be. So if we think of this in the broad level of something that is so large that it's likely to bring about a perhaps a military response but certainly a severe response then I agree deterrence is already working. The problem is that for most cyber attacks that we have seen they are all at the short of war level. So the Russians could have been doing an awful lot more with social media nobody was going to sit around the situation room and suggest that we take out a Russian city or conduct a military operation in response to a social media attack even when it came to the suspicion of the manipulation of voting machines. Something that's a little more physical doesn't really just get to the information people are getting but actual manipulation of data nobody would have suggested that although there would be a range of things you could do and a range of things that President Obama attempted in the last days of his campaign and we've all been reading about those lately because they get right to the charges about General Flynn. I would argue that if you looked across the breadth of the Obama years and maybe the Bush years before that but certainly the Obama years and the range of cyber activity that took place there was almost no deterrence created. So think about our categories here. There was the threat of coming back after the Chinese for the theft of intellectual property it did result in an agreement that had I think some good effects and that threat was basically going to be sanctions. In the North Korea case of Sony there were a few sanctions thrown against North Korea for its activities against Sony and that was sort of the purest case of a destructive cyber attack it took out about 70% of Sony Pictures entertainment's computing system so there was a physical effect and yet a tiny response. In the case of Russia prior to the election hack there were hacks on the White House on the State Department on the Joint Chiefs of Staff and the government of the United States would not even name the Russians as the suspected offender here even though everybody knew they were and I would sit in these lengthy interviews with State Department officials or whatever and they were told never to go and mention the word Russia in the course of the interviews. So I think one of the things that we've got to figure out how to do is come up with regular expected penalties for sub-conflict level cyber attacks if we are going to have any significant hope of creating some level of deterrence. Just briefly to jump in to make two very quick points. The first is I would actually start building on the terminology that Michael had laid out. Namely, I'm not sure we should talk about deterrence as much as we should talk about coercion and persuasion and I would say in the category we haven't talked about but which we, the two of us have discussed a lot in the last chapter is restraint. There are a lot of restraint out there that has nothing to do with deterrence as such or even with persuasion and everything to do with the fact that there is some specific aspects of cyber that hold you back from going all out. So that's one point. The second thing is that I think one of the conceptual challenges we have in trying to think about coercion, persuasion and restraint in this space is that we're not neatly talking about again as a point that Michael had made about things happening exclusively in the cyberspace or being responded to exclusively in the cyberspace. There is often a combination of the two both in the challenge and in the response and that ought to be the case. We shouldn't hold ourselves back to try and do or look off all these it could be sanctions that are the response it could be some cyber activity it could be some other types of diplomacy and agreements and so on and so forth. So I think the challenge for us is to actually think of how does the marriage of this with the physical space as distinguished from it separating it from the physical space is what we need to look at. Emily, yeah. So let me try to take a little, let's take a little bit of a look at the implications on this. First of all I think it's important when we talk about deterrence that we separate deterrence as an effect from deterrence as a strategy. I think we can all agree that we want deterrence as an effect. The question we're asking here is whether a strategy of deterrence which implies a prospective reaction to an activity is the best way to get deterrence as an effect. We look at it in the 1950s when with the advent of nuclear capabilities there were strategic thinkers who realized that there was something unique about this technology but essentially you could not defend. Therefore how do you create security when you cannot defend? And they came up with the idea of deterrence and they theorized on that and we have concepts of crisis stability and escalation control and all of these concepts are part of a framework that worked really really well for a very long period of time and still works today. But I would argue that what we should be asking is not how do we deter, but how do we secure in cyberspace and is deterrence an effective strategy to get us to security? I think we're really locked into a framework that maybe doesn't map to the cyber reality because in cyberspace you can defend it's just you only defend in the moment because the terrain is constantly changing and it's not what we call an offensive dominant environment where the offense always prevails because you can defend. So we've been talking, we've been thinking a lot about in the cyberspace as well in a domain of constant contact where you're constantly coming up against adversaries, allies, private sector in this domain because it's so interconnected you cannot get away from that. But how does a strategy that says don't do anything until you get attacked makes sense, right? So what we're seeing, I think, and it kind of goes in part to what David was saying is that, you know, I would argue that deterrence works for cyber attacks that have physical consequences like destruction and warfare, death and destruction. I think that that's why we haven't seen that, but what we are seeing are persistent intrusions and attacks across political, military, social, economic sphere below the level of armed conflict, below the level that would trigger an armed response and we're not responding to that. We're not responding to that. We have to argue that our restraint actually emboldens the adversaries. So we have to think about how do we contest that type of activity and over time our adversaries may come to realize that these sorts of activities are futile. But right now what we're seeing is these are going on continually and I would argue that the cumulation of those is having a strategic impact on our national power, political, military. So I guess my point is is just to say let's step back and let's ask the question as opposed to presuming the answer. The answer is deterrence, the best strategy of deterrence. Let's ask what is the best strategy to get security to turn to David on this and then we'll open up but I just want to add on many of these issues or dynamics a number of states would say that the U.S. has been doing this to them historically and in many other ways. If not through cyber through television, western culture, west toxification subverting their societies, trying to manipulate their elections and so forth and so it is an even more front dynamic the idea that we haven't responded they would laugh and say you started. That's a big problem. You don't have to go to adversaries for this. Go to Canada and hear them complain about American TV and its influence on them. I just wanted to pick up on something that Emily said on deterrence by denial here. The concept is if your security is good enough, if your denial is good enough, people aren't going to bother and say this isn't going to work so they'll go away. The best way that we can do that is by anticipating attacks and the best way we can anticipate attacks by putting implants in foreign systems and foreign networks or one of the best ways that we can and we do a huge amount of that. We don't talk very much about it but we do a huge amount of that and it's interesting when you go back over some of these cases including the Reichstag case go take a look at how we first saw evidence that they were messing around in the DNC. It was not necessarily from what we saw at the DNC. It's where this stuff was all ending up. That then gets to Mike's interesting distinction before where he said he doesn't want any rules about espionage because we want to be able to go do that and the difficulty in the cyber realm for this I agree with him that that's the natural instinct is that the same implant that you put in a foreign system to do the espionage that Mike made the good point we don't want to be able to limit ourselves from is the exact same implant that your friends at Cyber Command could come in and make use of if they wanted to go do an attack. We see implants in our systems let's say in the power grid and we say oh my god at any point black energy the Russian based malware that was sitting there could be used to go shut down our power grid it hasn't been but it could be or some other element of this and so when somebody detects this implant they don't know whether it's actually for espionage or they go to the next conclusion which is they're actually preparing the battlefield for doing an attack and that makes this distinction that we were discussing in the first panel all the more complicated and I'm not entirely sure how we work our way around that because we could never convince the Chinese or the Russians or the Iranians or the North Koreans that that implant that they've just discovered don't worry about it it's espionage we do it you do it you know all that just as we are not convinced of that when we see it in our own systems. Again I would commend Michael Warner's chapter on intelligence for bringing out some of these dilemmas as well I want to open it up but with also a plug for another chapter that I'm reminded of through this discussion Nicholas Lambert as a British historian has a chapter that's quite fascinating on Great Britain's use of economic warfare at the beginning of World War I which was because they had the strongest navy they had the world's leading economy they basically controlled the financial sector they struck in a sense early in the war against Germany to shock the German economy and it worked so well within four or five weeks that the blowback in the British economy and the financial sector was so severe that domestic organizations in Britain went to the governments and you have to stop this you're ruining us and so I'm mindful of the US vulnerability as the state that depends perhaps more on cyber commerce, cyber tools that's also the biggest exporter of these capabilities that if you start throwing rocks at others we're perhaps the most vulnerable and susceptible to rocks coming back at us and so I urge people to look at you know just to add George but I think that's where sets apart China and Russia because the Chinese have such a stake in the system they mean amenable to the type of norms that Michael was talking about and the problem we have now with Russia is they don't feel they have a stake in the system and that doesn't hold them back let's open it up for questions, discussion this gentleman here hi Ronald Marx I've owned or run a number of IT firms or software firms over the years the concept that we often use was risk management in the sense of I'm not going to be able to invest I mean I could invest my entire firms revenue and security and it's not going to work if not I'll have some angry 25 year old IT guy inside you know mucking me up the question I have for you on the government level is what kind of thoughts have we had in terms of reaching any form of risk management always seems to me that every time you're trying to protect everything yet you're actually not protecting all that much I think that we're very much adopting that risk management approach I mean I think you see that let's look at the defense department first of all I mean the primary mission of the command is to defend US military systems to defend those platforms and it is a challenge to identify where the critical kind of centers of gravity are what is critical terrain in essence that we have to we have conversations like that all the time in many cases because you know the defense department rides on the critical infrastructure of the private sector and it's really hard to see where things start or where things end you try to be mindful of the fact that the better you get at security your adversaries are going to go after the soft underbelly and they're going to look at ways to get in through contractors for example or so but I think that there is a recognition that it is about managing risk it's not being risk-averse but it's being risk management so I see that clearly in the defense arena let me compliment the answer because I think that one of our major errors of our recent research that isn't public yet is precisely on the question of you friends I would be very wary about the government's ability to actually manage that space for the private sector for reasons that part of which already been articulated by Emily namely the government is primarily preoccupied with protecting its own networks and then with critical infrastructure and there are also inhibitions about moral hazard that if you actually try to protect the private sector you get into all kinds of issues that are not where you don't really belong we have looked at these physical analogies of what it is that you're actually telling private citizens after your home or your corporation and so on and so the way we are ending up increasing is a very different balance between government and private sector mechanisms I already mentioned insurance where you for example I would see the SEC requiring reporting requirements but the reporting requirements would merely be designed to get consistent and comprehensive risk management practices within corporations because I don't think the government is the most capable institution to actually think about risk management and cyber for private companies including with a consideration of where do we put the money in and whether the strategy should be self-insurance resiliency operations contracting out or actually saying this is a risk that we can withstand and that's why we are now increasingly looking at what can one do and there are institutional aspects not just in terms of the kind of tools that you deploy for example if you begin to think about it the CISO is in one side of the operation the risk management resides with the CFO it's in a different side of the corporations and they rarely talk to each other so what this requires is a very fundamental shift in outlook and that's where we are now trying to look at private sector mechanisms of an existing nature that would be harnessed to deal with the cyber security can I just add one so we talked about government, private sector let's talk about the individual so how many of you have bought a major appliance recently like a refrigerator so if you went into the store and you're going to buy this appliance and they say to you it's going to break down it's going to be bugs with it it's probably going to break down every week but don't worry about that just leave your door open and we'll come on in and we'll fix it would you buy that refrigerator probably not but that's what we tolerate in software and so there's a question of the power of people to say this is what we demand in terms of more secure products which will incentivize but we realize nothing is going to be 100% secure you have to be able to operate in a degraded environment whether it's individually or it's not going to be 100% it certainly could be a lot better and we should be better back right there hi my name is Alex Lawson I work for Freedom House and my question is going a little bit off of the private industry and government and that is especially given talking about weaponizing social media and things like this and the other issues brought up in the private industry to kind of like what is the relationship do you think that it's going to change or what is it going to look like in the future to kind of tackle these cyber issues given the immense power that we now see these social media and other cyber platforms having well a partial answer you're asking a very complicated and a much different answer than the focus of the book just be very brief and say the following because the book is absolutely talked about cyber conflicts you know there are a lot of social issues that come up and cultural issues that come up as we're trying to think of what the private sector ought to do what not to do and so on and they vary from one country to the other some want a more centralized answers big by tradition I mean we're talking to the French for example they have a much more eustentric approach than they do have in the United States where the private sector is so and so we don't know that we can get the global answer because there are cultural differences across countries and so on there is also a different concept about what you actually want to do what you see as part of a competition right if it's a competition you have five big corporations emerging in a space okay and you do not you decide for reasons that are cultural or political and so on not to apply antitrust against it right I mean do we want to see a similar process of consolidation also in the cyber security domain or we don't and how would they actually work with each other so we're getting into a very complicated question here all I would say is therefore that we need to adjust to find some way of creating a level playing field and at the same time adjusted culturally to you know the kind of different systems and different system will come out with different answers on this issue and so we as Carnegie what we're trying to do is to find some common elements that one can actually think about where you can forge international collaboration but still have a lot of leeway for different entities to actually run it the way they see is more defeating their political and cultural system I mean also just briefly that the extent to you were talking about kind of the use and abuse of social media and things like that you're already experienced this whatever happy days or delusional days we had in the 90s about kind of our model kind of taking over the world or being celebrated around the world and adopted around the world you know that's been gone for a while but in China you know they look at what happened in the election and all of that here and you see you know this is why we don't do it that way and other cultures too you know you keep the creeps off you block things you protect people from this kind of abusive discourse misinformation and so on is how they will perceive it so I would expect that you're going to see kind of more variety in the expectation that we had and that Facebook and others kind of propagated of like this is the way of the world that's going to be undone you know over time would be one very quick thought on this just from sort of a more news media kind of perspective a year ago Facebook would not have considered itself in any way a journalistic operation they thought of themselves as a big pipe into which people put all of their personal information and their pictures and their friends and all that and they found ways to sell advertising around that and that was the business model then a few things came along in the past few years as George alluded to so we all came to an agreement child pornography's got no place inside that pipe so we took it out ISIL beheadings had no place inside that pipe so we put out an algorithm very quickly all that well those were the easy cases because it's fairly easy to design an algorithm or train some people to figure out what's child pornography and what a beheading video looks like it's a lot harder when you get to the kind of political messages that we saw taking place in the election and harder still because if anybody up here in the stage or anyone out here in this audience posted those behind their real name for secession and taxes or something like that you'd be completely within your first amendment rights you'd say we might agree with you we might disagree with you but you certainly have the right to go put that up on Facebook when we have a foreign power doing it with the exact same content we have a very different thought and that requires then an editing function in the social media organizations that they have always been allergic to and I was with some Facebook friends recently and I said to them these are friends at Facebook these are friends at Facebook I should say and I said to them I think five years from now you could end up being the largest employer of journalists in America mostly editors you're now calling this content reviewers or something like that all that editing since Gutenberg you know and that's sort of where they're headed yes, the lady in the middle and then the gentleman two rows behind if we have time we'll come back to you cyber technology has gotten to the point where it boggles my mind and I've heard even that the chips and phones are cyber and go obviously into cyberspace is there any point where individuals are not safe because of the access the cyber world has to the goings on of individual lives well there's one thing you can do to completely protect yourself which is that you can destroy your cell phone you can get rid of your Alexa you can take away your smart TV you can move to the woods of Montana in a small cabin and get rid of basically anything that transmits that's 100% protection but that's the only one I can think of I guess the only thing that I would say is that we as a society have to decide how how much of that information that we want out there I think that it's even though people would think this is counterintuitive but there's far more restraints and oversight on government and what it can look at than there is on the private sector and so I don't think people realize when they download an app and they agree yes yes yes and then they're releasing a tremendous amount of information so I think we have to become smarter about that and you know look at sort of realistically the way the private sector has access to a lot of different information and with artificial intelligence and with big data I mean the ability to to mine that information and you know that makes data itself is a target now for countries to try to steal like OPM because now they can actually process it and use it and figure out something so I think you know there are some big changes that are coming down the line that we're going through now but we need to look you know we as a society to have that conversation about what we're willing to put out there and what we feel is sort of off limits and every society may have and may strike a different balance and it's fascinating that people in this room who are perfectly happy to let Facebook and Google have that data would be protesting outside your offices if the NSA had access to that data or the metadata right yes sir in the back there you go Patrick Roberts I teach for students who want to go into cyber security what are the most important skills beyond the technical ones for students seeking a career in cyber security you're probably more of a be happy to talk with you about having some of your students come work for us but I think that you're right in the sense that the technical piece is very important but there's also a really important human piece and a cognitive piece so I think having an interdisciplinary training is going to help those students become more competitive I think that so there's a huge private market for that they're going to get paid a lot more than they would if they were to go into government but going into government you're working on a really profound mission I think we should sort of come out here today these challenges about how do we as a society protect ourselves and yet also allow ourselves to have access to the benefits of this free and open cyberspace so that would be my major suggestion is interdisciplinary don't forget the human piece and be able to be a really good writer that's also important just to add to what Emily had said maybe George would also want to come in I think that if we talk about the analogy of nuclear weapons or biological weapons it became clear sort of where the biologists and if the nuclear physicists and so on gradually became to understand that what the technology they were developing or what science they were developing and then the technology they were developing did have strategic social, cultural implications and so on and so over time they understood that there was a responsibility that came from with innovation we are now trying to do two things we're trying to do it for cyber that is already hugely out there and we're trying to anticipate what's coming up next in terms of artificial intelligence and synthetic biology and so on which are the next kind of technologies and so on our technology and international affairs program here at Carnegie so what I would say is what one thing you want to sensitize your students is to the sum of the broader implications of the development of that technology and the choices they make in what to develop and how to develop and what to consult and what issues to think about and so on the only one I would add to this is that I discover as I do some teaching and also engaging with our readers that you get a group of people who think that the solutions out here are technological and then you get a group of people who think that the solutions out here are political and it comes more out of what they've been trained in where they've come up and what was fascinating about the nuclear age was you got to a point by sort of the late fifties where at places from the Belfer Center, what is now the Belfer Center at Harvard but also out at MIT and projects here at Carnegie certainly at RAND you began to get the technologists the political types together some sociologists together and that's what began to give rise to the deterrence theories that we were discussing before you know Henry Kissinger's book Nuclear Weapons and Foreign Policy which was probably the first popular book on nuclear deterrence issues came out in 57 or 58 was the product of exactly that kind of combination and yet when I go around to many of the programs where you've got students working on cyber security issues and I begin talking to them about the possible political solutions like what we discussed before are there treaties for this are there norms we can discuss it's usually the first time that they've actually thought about those issues I mean just I would wrap up on that again that's one of the motivations for the book but you know having a sense of history learning some history of technology as well as then as Emily said because can't overestimate the importance of being able to write which is a rare and rare skill and yet in organizations is absolutely vital I think we've run out of time so I apologize to the gentleman in the back but I want to thank you all for coming I want to thank David and Emily and Michael for writing and Ellie for writing and being here again this is a product of the Cyber Policy Initiative here at Carnegie and stay tuned we're doing a lot more policy relevant work that we're going to be publicizing in the coming years so thank you very much again for thank you