 OK, I'd like us to get started. Welcome, everybody, to the panel on Cyber Weapons and Strategic Stability. My name is Michelle Flournoy. I am the CEO and co-founder of the Center for New American Security and former undersecretary of Defense for Policy and a very frequent collaborator with George and Ellie and others from Carnegie. I'm just very, very pleased to be here. So let me just spend a few minutes to introduce this topic. Cyber operations, as you know, particularly against critical civilian infrastructure, military forces, strategic command and control systems, are widely assumed to be fraught with escalatory risk, which may in extreme situations even include leading to the use of nuclear weapons. So this panel, we wanted to try to grapple with a number of questions. First, how might the proliferation of offensive cyber capabilities affect strategic stability? How might these escalation risks be mitigated? What are the implications of cyber threats to strategic command and control systems? What are the best ways to prevent and deter such threats? And how relevant are the theories that we derived in the nuclear age of deterrence and compelence and so forth? How relevant are those to dealing with cyber challenges in terms of how we try to influence an adversary's conduct? So we have a wonderful panel with us here today. Let me just give you a brief summary of their bios. Their full bios are on the conference app, I'm told. So first, Sir David Ormont, who is professor in the Department of War Studies at King's College, London, and a former UK Security and Intelligence Coordinator for the British Prime Minister. Then we have Dr. Emily Goldman, who's director of the US Cyber Command NSA Combined Action Group. And then we have Senior Captain Xu Menchu, who is a Chinese military expert on Chinese crisis management and international military cooperation, particularly on non-traditional security issues. And she's currently at the University of Nottingham. So we are going to start with a panel discussion. I'm going to ask each of the panelists an opening question. Then we'll have discussion amongst the panel. And the last half hour or so, we will turn to you all for your questions. You can see there are two microphones on either side of the auditorium. When we get to the Q&A portion, I'll ask you to step to the mics, identify yourself and your organization, and most importantly, ask a question. So with that as a frame for the discussion, I want to start with you, Sir David. Lots of theorists and writers, experts have speculated about the potentially escalatory nature of cyber attacks, including in peacetime. And yet, despite our experience of many such attacks, whether it's been the state-sponsored electoral interference or attacks against some aspects of critical infrastructure, that escalation has not occurred. And so I wanted to start by saying, why is that? Have we just been lucky, or are the theorists wrong? Well, thank you for the question. And good afternoon, everyone, and thanks to Carnegie for the invitation to be here. I think we are right to be very concerned about the future potential for cyber attacks to cause crisis instability. I pick my words there carefully, and I say future potential, because we haven't seen anything yet. This problem has really yet to manifest itself in a way that I believe it will. I say that for two reasons. One is technical, and the other is political. On the technicalities, we're only at the foothills of the digital age. To build an effective cyber weapon, and I'm a former director of GCHQ, we have quite publicly said we are dipping our toes into this water as a nation. But to build an effective cyber weapon takes advanced intelligence, detailed intelligence. Attacks have to be tailored to specific targets. It's very much what I would describe as a craft industry. And certainty of effect is, at the moment, quite hard to predict. Even a small updating of a target system can invalidate months and months of work. But the trend is clear towards application of artificial intelligence techniques, a code that enables the malware to adapt to changes in its host, that finds vulnerabilities by itself, that assembles itself from components of lines of code used by the system itself, and that can hide effectively until it's called for interaction. And so we will also, of course, in the future begin to see more attacks, attack potential using components with malware that has been covertly hardwired into it. So that makes me, excuse me, not just the British broadcasting service desperate to get an interview about this morning's hearings in there. So technically, this is a space to watch. There are some developments coming which will make these weapons more formidable. The politics of it, at the moment, when we do find malware, which we do, it's framed by a prevailing sense of, this is peacetime. So we call these things acts of sabotage or terrorism, not acts of war, acts preliminary to war. And we tend to find, of course, attacks which are intelligence gathering. And we excel at intelligence gathering, too, of course. And this is simply regarded as part of the Westphalian world. Everybody does it. We do it. We use digital means. So our responses when we catch adversaries attacking us tend to be those you expect in peacetime, ranging from indictments, expulsions of diplomats, economic sanctions. But our concerns should really be looking to the future, what might happen in conditions of some serious future military confrontation. The stuff of nightmares would be an eyeball to eyeball military confrontation, perhaps in the South China Sea. And then imagine your president is summoned to the situation room to be told by his defense secretary that destructive malware has been found in key command and control systems. And the possibility of more systems cannot be ruled out. We have the military edge. Today, the Joint Chiefs would say, but we can't guarantee it. We could lose it at any moment through the activation of this similar malware. Be a bit like Curtis LeMay's plea during the Cuban Missile Crisis. The argument would be, Mr. President, we've got to go now before it's too late. I can recall major NATO exercises during the heart of the Cold War that I took part in. And the scenario always portrayed rising military tension. NATO's nations reviewed their transition to war. At some point, the Supreme Commander Atlantic would ask the Atlantic Council, please, you must change the rule of engagement. Rule 316 sticks in my memory that I may have been misremembering to allow US naval forces to fire first if they are illuminated by an active fire control radar. And the NATO Council would then spend an hour or so deliberating, conclude that they didn't want to be the first to start World War III, but recognizing that a situation was facing us in which the advantage goes to those who fire first. And that led to norms of good behavior in exercises, Cold War, live exercises. It led to military confidence-building measures. Important safeguards against crisis instability. But my fears are that in the cyber domain we could wake up and discover that such a situation has actually arrived. So I'm sure we'll discuss this in this panel. I'm quite attracted to the idea of getting P5, to start with the P5, permanent nuclear powers, comparing their thinking, deepening their thinking, and perhaps coming to a common recognition that it's simply too dangerous in terms of crisis stability to start placing that kind of attack in nuclear command and control and space systems. Takes a long time for norms to emerge. Verification would be impossible. So a level of trust would have to be, and that would take obviously time. And I would be the first to recognize the difference between a destructive attack and one for intelligence gathering is only a few lines of code. But if we want to avoid the future that I've rather graphically cartooned for you, then I think now is the time the one we've really got to start thinking about discussions. Great, you've given us lots of things to come back to and dive into deeper, but I wanted to turn now to Dr. Emily Goldman and ask to talk a little bit about the use of cyberweapons in the context of a major conventional conflict between the United States and another major power. How would the use of cyberweapons potentially increase the risks of escalation, whether it's certainly to additional levels of violence or even all the way potentially up to nuclear use? Thank you, and it's a real pleasure to be here today. I think the short answer to your question is it depends. Not surprisingly, and I'll kind of give you some thoughts on the longer answer. I wanna echo the comments that were made just now that we're still at the beginning of this journey of cyber, and what we're trying to understand in different nation-states and military organizations around the world is how do you integrate cyber into other forms of military operations, warfare, how do you integrate it into conventional conflict? And I think that we should be careful about assuming it's only gonna be one way that based on the doctor and the strategy, propensity for risk, the culture, it will be used differently, and we're already seeing that in the way that states organize their cyber capabilities and their propensity to use them. I think there's something, we should be cautionary in this area because history shows us that when a new technology is introduced into a conflict, it can escalate. If you think back to the use of submarines in World War I, it wasn't long before hostilities emerged that you saw the unrestricted warfare on maritime commerce. So there is this propensity similarly in World War II, air power rapidly escalated to bombing of civilian targets. So I think we have to be mindful of the fact that in a conflict, we have to expect that the different entities that are engaged in that will possibly escalate in the ways that they use those tools. But to echo a point that was made earlier, I think we need to reframe the question a little bit and ask how will an adversary interpret the discovery of an opponent's malicious code in their networks? And will they do that differently in peacetime and differently in conflict? And I think it's important because there is no cyber button. Okay, you can't just say, give me some of that cyber stuff and it happens. And I think there is this sense that just like there is a nuclear button, there is a cyber button. And certainly political and military leaders ask for, I want this cyber effect. I wanna be able to create the effect at the time and place of my choosing. I wanna be able to hold a target at risk. But in cyberspace, the terrain constantly shifts with upgrades, with updates, configuration changes. So the terrain is constantly fluid and operators will tell you that persistent access is virtually impossible to maintain. And moreover, the tools have to be tailored to the target and tailored to the terrain. So your windows of opportunity come and go. And so arguably, this could create a first use imperative where a state would say, we have an opportunity now, we have the target, we have the appropriate capability. So there is that one potentially escalatory impulse in this domain. But we should ask ourselves, if that is discovered during a crisis, will that be viewed differently if it was discovered pre-crisis? I would argue that discovering it in a crisis could be viewed as very escalatory. In a pre-crisis, maybe not so much, in part because you cannot determine intent from code. So you don't know if this is just espionage or if it's possible that there is something that could be trigger a more dangerous attack. Paradoxically, during a crisis one might think that actually it could have a de-escalatory effect. If the entity that had emplaced it chose to pull it back and chose to say as a demonstration that we do not want to escalate, we are going to actually pull this malware back. Or if the target that discovered it could not assure that they could use their military forces in the way they intended to, would they have mission command, would that be assured? So there's a variety of questions here that it's not so straightforward. And I think another point to realize is that cyber capabilities have certain qualities inherent in them that might make them less escalatory than conventional weapons. So the damage is reversible. The damage can be short of armed conflict. Another thing about cyber weapons is that you could create an effect that the opponent could see, but not necessarily that the rest of the world would see. So you don't make it public. You're signaling to the opponent. And so you're not engaging their reputation. And you're allowing them to back down in a way that won't engage their public reputation. So there are some interesting qualities that we have to look at that cyber might offer that paradoxically might be less escalatory. I think that the key point is that context matters. So we have to kind of walk our way through a variety of the possibilities. I pointed out the fact that cyber, the user lose inherently creates an escalatory impulse. But it could also, cyber could also be viewed as escalatory if it's perceived that the party that is using it has limited resolve. They're not committed enough to actually do something conventionally. They're gonna do it cyber. So maybe they're really not as resolved about that particular outcome. And that may lead an adversary or an opponent to escalate. It could be de-escalatory if it significantly weakens the capabilities and therefore you lose confidence in your ability to continue to execute your military operations. There is also a case going back to the Kosovo war where cyber was used to signal to Serbian elites that they were going to face costs if they did not put pressure on their leadership to back down. Okay, so cyber in that way can be used if it's very targeted for example to influential members of a regime to get them to exercise some kind of control over the course of the conflict. And then another one which I'll just close on is that cyber could also be viewed as de-escalatory if it signals that you're more committed than the opponent thought. So there are countries that are very reluctant to use cyber and they've been very restrained in that. Should they decide now to use that? That may be a signal that in fact they're more committed than the opponent thought that they were. So I think that the questions you asked when you begin to unpack them, I think the bottom line is we have to look at the nature of the cyber strategic environment, the nature of the capabilities and we have to work our way through what's the appropriate strategic framework and whether the strategies that produce stability in the nuclear era are gonna also give us stability and security in the cyber domain. Great, thank you. So Captain Xu, I wanted to turn to the specific issue of the use of cyber attacks against command and control systems that play a role in nuclear operations. Several analysts in the US and China elsewhere have identified cyber attacks on strategic command and control as a potential trigger for nuclear use. How serious do you see those risks, both in terms of the likelihood and also the consequences? Yes, I agree with you, the cyber attack against command and control system could be a trigger for the nuclear use. In terms of the likelihood of such attacks, I should say the likelihood of such attacks is increasing. I give you the reasons, the four reasons. The first one is ending computer networks as well as the command and control system. They have the same working rationale. So the damage rationale is the same. So whenever your network is connected to internet or isolated, physical isolated with internet, the working rationale is the same. So the second one is the application of the advanced technology raise the sort of the risks. The internet, computer technology, information technology give you your efficiencies, give you your modernization. But in other hand, it can, they add the approach to make a damage to you. And the third one is, I should say, more countries make endeavor to develop the offensive cyber tools and as well as back doors. But we know it is difficult to penetrate to an internet, but we should say so far we got several means to penetrate intrusion internet. For example, the remote control, supply chain operation and air gap technology, even with the insiders. So we can get into the internet. The last one is, I should say, these sort of the offensive tools, offensive hacking tools, vulnerabilities, back doors is kept undiscovered by the long state actors. For example, last August, the hacking tools created by national security agency was leaked by hacker groups and sold online. And recently, the Wikileaks discovered a sort of the tools developed by CIA. And I should say these tools is focused on the intrude, the industry key control systems and they exploit the vulnerabilities to control the smart devices. So in conclusion, I should say the likelihood of such attacks is increasing. In terms of the potential consequences, I should say I'm focused on the likelihood of the worst scenarios. So if this sort of attacks was successful, it could create the accident connection on this strategic command control system. A second one, it could change the data and procedure of the strategic system. And then it could disable or disorder the strategic weapon platforms and then it can create the technical incident and disaster. So afterwards, if they were following the worst scenarios, they should be, they could be the reactors with cyber strike, with a kinetic strike as well as the nuclear strikes. So I should say the consequence is dangerous, very dangerous. Okay. Thank you, thank you. So I wanna open up to a more general discussion and Sir David, you put a very interesting idea on the table and that is whether there would be a possibility of creating some norms, taking certain types of attacks such as cyber attacks on strategic command and control, taking them off the table by some kind of cooperative agreement or understood norms. Could you unpack that idea a little bit, whether you believe that's possible from where you sit, whether we have any relevant historical experience about how we've come to other norms in the past that might be useful to draw? It's one of those areas where I think it's, you can't just look to other areas, that this is a nuclear conference, they're all the evolution of agreements and then finally treaties, because in the cyber domain verification really is, I think impossible and therefore it would have to come about through a process of deep discussion between those responsible say at the P5 level to understand the specifics of crisis stability and this cyber dimension. Now is that going to be possible when at the same time we have continuous experience of what I would describe as low intensity warfare? So cyber means are used, the Ukrainian electricity supply for example, part of that conflict where you have reconnaissance of United States utilities going on all the time. I think my own hunch is that the crisis stability problem is specific, is sufficiently narrow and specific that you could actually hold substantive discussions on it, but you're not going to stop countries using cyber weapons as part of asymmetric warfare, whatever you want to call it, in conditions of low intensity activity that is going to go on. But I have a hunch that it will be worth trying, it will be worth trying to put together some discussions which would then have to build trust between the experts and the senior military involved. Perhaps I'm just an optimist. Captain Xu, do you think is there any interest in China or in the expert community on exploring the possibility of norms and how do you think about that? Absolutely, I think it is quite necessary to establish the international norms, cyber norms. It could be a very useful way between China and United States were experienced very tensive cyber conflict two or three years ago, but by the two state summits, we reached the agreement, reached six corporation items, one of the items to push, joint push forward to set up the international cyber norms. I think international cyber norms, it is good, but it's not enough. It is difficult and the main problem is how to make it, how to implement of these norms. So we need to create the legitimate. We need the technical support. So Emily, I'd like to turn to you. Not to have you be put on the spot and speak for the entire US military or cyber command, but what's the thinking inside US cyber circles on the utility of norms and particularly how do we get to shared norms when countries may approach cyber doctrine and the use of utility of cyber operations in very different perspectives? So I mean, I think it's clearly the desire for a convergence of expectations about what is appropriate behavior is something that is broadly desired. I think the question is how do you get there, right? I mean, so, and I don't think that there is a clear answer yet. I think diplomacy is important. I think getting people around the table to talk about that, I'm a little skeptical in the short run that that's gonna be the most productive avenue because I see this space is one of intense norm competition, not only with states, but with criminal groups, terrorist groups, individuals, companies that are all acting and operating in the space and by virtue of what they're doing, they are creating de facto norms. If they're not contested and they're getting away with it, essentially that's what, if they're establishing or trying to establish normal practices. So I think that there are several ways that we could go about thinking or that people have thought about this. One is very much in the US side, I think conditioned by our history and the history of having emerged from World War II in such a powerful position that we could essentially dictate expectations of behavior to others in the international community and say if you follow these rules, you can benefit from being a part of the political, security, economic system that we're setting up in the West. And if not, then you can go on your own way and the Soviet Union, you're not part of that system. And so what, that's been sort of defined as like a Bretton Woods moment. And I don't think we're there in cyberspace. I just don't think the fact that we declare or we try that these are the norms that it carries that same kind of influence because it's such a contested space. A second way, which I think the US has tried is to model good behavior. So the idea is, and I think we do this with our military in general, in general trying to be restrained and not make it the first, the military tool is the first to use. But adversaries or opponents can interpret that as a lack of will and basically say, well, they're not responding and therefore there's no cost on the part of the other party to go ahead and to use that type of engaging bad behavior. A third way, which is probably one that we all would agree is not the avenue is to wait for some terrible, horrific event which everyone comes out of and says, boy, we need to have norms. So you think about after World War II and the Holocaust, norms of human rights became widely accepted and I don't think that anybody wants to count on that. I think the final way is that we have to interact in the space and so I think of it more in terms of the evolution of norms of naval warfare and what was developed over time in terms of Navy's understanding, where there would be contests and where there wouldn't, where there would be free commercial trade and those norms developed over time. So I think it's really a question of interacting in the space, contesting these low level interactions when one side or when an entity has no costs imposed because of their behavior and they get away with it, they're gonna continue to do it and I think that's the level of where we are now. So I'm a little more skeptical but hopeful. Okay, so David, you wanted to jump in. I just want to, it may be a false parallel but this is where wearing my old intelligence hat. I would say intelligence is a stabilizing force as national technical means were in the early days of strategic arms control because although agreements are not in this domain are not going to be verifiable in a traditional sense. If the potential adversaries all know that what they are maybe planning to do may well be exposed and they have actually engaged in these norms, these discussions, then it raises the political price. So I think having an intelligence capability that can actually deliver as we saw with the Sony affair, deliver an answer is very important. The other slightly more controversial thing I might say is that such discussions probably wouldn't get very far if it wasn't for the fact that the United States and indeed I may say the United Kingdom has declared that they will develop cyber weapons so that you actually have discussions from a common basis that this is something we really know about. Right, I mean it also seems to me that another way to approach the norms question is for areas where you talked about modeling restrained behavior. For areas where no cyber power has chosen to go in terms of an active attack on strategic command and control or critical infrastructure attacks that actually results in massive loss of life. There are certain parts of the chessboard where no one has gone. Could you start the norms discussion by trying to keep those off the table, at least in peacetime if not well into any other kind of conflict? Is that worth exploring? One very small area of that is the applicability of international humanitarian law. So the Tallinn manual for example and it was a very good attempt to try and get established the norm that international humanitarian law applies in cyberspace as it does in the normal three dimensions. You're not allowed to bomb hospitals as part of a military conflict. You're not allowed to cyber attack hospitals should be the norm. It's very difficult as indeed with kinetic means to distinguish when a civilian target may be critical to the military effort. So I'm not saying it's easy to do but there are some areas where you could I think say and I think certainly the British government has said we do believe that international law does apply. Humanitarian law does apply and therefore breaching the control systems of a dam to flood a whole area and kill a lot of civilians which is something which was done with kinetic means during the Second World War would now today be regarded as a war crime and whether it's done by cyber means or by high explosive doesn't seem to me to be of the essence of the distinction. I wanted to come to a slightly different topic with one that's very relevant and this is a question of analogous thinking about the use of cyber tools and we were having a little side conversation cyber analogies. We were having a conversation on the side of the stage earlier. You know in the nuclear age we had tremendous intellectual effort but be put into developing theories of deterrence theories of compelence strategies to influence an adversary's behavior but those were developed really focused on the nuclear domain and so the question is to what extent can these concepts be aptly applied in the cyber domain? How should we think about deterrence and compelence and sort of inherited concepts from the nuclear age when we're thinking about cyber? Do they help us or can they lead us astray? I wanna start with you Emily since you've just been working on this book on cyber analogies that will soon come out and then maybe turn to Captain Shue for some of her thoughts as well. Yeah, you can't today go anywhere to talk about cyber strategy without having it be about cyber deterrence and I think that that reflects a very successful history that we've had with nuclear deterrence and I think as well that people kind of forget how paradoxical it was with the concept of deterrence, the concept that your safety and your security did not reside within your own power but within the mind of your adversary and the goal was actually not to operate or not to attack or get into conflict versus to prevail over one should you. So I think deterrence was a very successful answer to the nuclear question and we have to ask ourselves what is the answer to the cyber question as opposed to presuming that deterrence and the intellectual baggage that the intellectual arsenal that it brings is really the way to get security in the cyber domain. So one of my colleagues, Professor Richard Hartnett, the University of Cincinnati is doing some tremendous work in this area and he makes the point that the nuclear world was, nuclear weapons were offensive dominant. You could not defend and that was the nature of the technology. Cyber is not offensive dominant because you can defend but you could only defend in the moment because the terrain is constantly changing and because the terrain is constantly changing and creating vulnerabilities, there's always an opportunity for an offensive capability. So he calls this an offensive persistent environment which means that you can defend but you cannot expect that there's not gonna be a tremendous momentum to exploit potential capabilities that can go after the vulnerabilities of your adversary and vice versa. So that's the first thing that we need to say what does the technology portray about the environment and then think our way through what does that mean? I think another point about the cyber strategic environment is that cyber is a domain of constant contact. Everybody is living on the borders of everybody else all the time. The private sector industries, individuals, adversaries, allies, friends, that's just the nature of the network and it's not about imminent contact as possible, it's constant contact, it is always occurring and when you think about deterrence, deterrence is about not doing something, it's about restrained action. So you have to ask yourselves, deterrence is saying I'm going to restrain and not operate in an environment where constant contact is inherent in the nature of the technology. It's why I think the compelence though will give you a lot more purchase because compelence is about operating, it's about actually going out there and contesting and doing something to communicate to the opponent that what they're doing is not acceptable. So in deterrence we're trying to apply this sort of doctrine of restraint into an environment where it really doesn't fit. Another question we need to think about is the absence of sovereignty in cyberspace. So we don't have borders the way we do in the physical domains that are agreed upon certainly and by having territorial borders that gave you a very convenient threshold, a trip wire, if you cross this border this is what will happen but where are the borders in cyberspace? So if you operate on your own system but it's located across the globe how do you establish trip wires? And that becomes very problematic for deterrence. And I think that as well the questions of attribution which people have looked at quite extensively. So I think that the bottom line is we have to ask ourselves what kind of strategy is gonna produce security in the cyber age? And it may be, what did it in the nuclear age it may not be but instead of presuming the answer we should ask the question and then follow it from there. I have a question, what are your thoughts on this? Personally, I should say it is difficult to borrow something from the nuclear strategy. But we can learn from the nuclear strategy because the cyber domain is quite different to nuclear domain. We have to follow its characteristics of the cyber because the architecture of the cyber is connectivity and anonymous. So we cannot emulate this essence of the cyber. And second, the cyber is with a huge application. So it's a huge dependence of the modern society towards the cyber. You cannot find any sections which without connection with the cyber. A second low threshold to carry out the cyber attack. So I think in my mind, the effective cyber strategy could be focused on the resilience. I agree with, a second it should be focused on the development. So you have to catch up with the development of the technology, use the new technology to safeguard your security. A second is the cooperating. Did you wanna jump in today? I think there are some very useful concepts from the nuclear era that can be used. I say concepts rather than kind of rules. One is the idea of deterrence by denial. In other words, can you raise the cost to the adversary? Of actually securing their game. We have a critical infrastructure which is not properly protected for historical reasons. You have a political process that turned out not to be properly protected. That can be fixed. It can be fixed relatively easily. We can make our societies very, very much harder targets. It won't stop the most advanced, but at least the effort of those doing the defending can be focused on that smaller group. There's some very interesting things about signaling. And there's a whole literature of signaling in the Cold War era and about the strategic ambiguity. So on the one hand, you have to convince the potential adversary that certain actions crossing the boundary of the NATO area with an armed attack, for example, will certainly be responded to. So there has to be a certainty about that. There has to be certainty about the capability that the United States and the other nuclear powers have in terms of their certainty of effect of their nuclear weapons. But then you need ambiguity about the exactly when and how the response will come so that you can't be gained by the other side. Now, some of those characteristics also apply, I think, in the cyber domain. There has to be that certainty that some kinds of activity will be responded to. There has to be a certainty that the response will hurt sufficiently to give pause for thought as to whether the adversary really wants to continue down this line because they know you have certain aces in your hand as well. So it's worth, I think, exploring. But what you're not gonna have, I think, is the dread that nuclear weapons bring, that people will literally be torn to pieces in the explosion. The decision to go to cross the nuclear threshold will be such a fundamental one. You can't recreate that, I think, in the cyber world. What your comments have made me think about declaratory policy and how evolved that became over the nuclear age, where we tried to, in word and deed, but in this case in the word, to very clearly signal where are those boundaries, where are those red lines that, where there would be clear consequences not always spelled out, but a clear statement of will that a response would be had. It seems right now that for most countries, we're dealing with how to respond to cyber attacks and intrusions on a case-by-case basis. We're kind of feeling our way into this new world, and we haven't really developed a playbook or a notion. I'm not sure you can ever get to doctrine, that probably sounds too rigid, but even a sense of are there some declaratory policies that need to be more clearly stated to start bounding the problem? Do you wanna? No, I think it's, I mean, senior officials have publicly stated that we treated on a case-by-case basis to this point, and that certainly with the Sony incident, there were people that thought that that was gonna be some sort of a tipping point in the sense that you had a state attacking a private company, but that hasn't happened, so I think you're correct to characterize it as we're feeling our way around. I think the other thing, though, is that we tend, well, it's common to sort of talk about these things in terms of intrusions or in terms of a hack or incident, and in many cases, they're parts of a broader strategic campaign. So you've got nation states that are incorporating cyber very holistically into the way they operate. I mean, in the United States, we have very, very defined rules and roles about what we do based on law and policy, and that's not, every state and every political system is different, so I think if we also step back and say we can't just view these in isolation, but is there a broader strategic campaign here that we need to be thinking about? I mean, I just threw in an example, which is it's a very small part of the picture, commercial espionage by cyber means where President Obama reached an agreement with the Chinese president that for the purely commercial benefit of companies on either side, they would ensure that that did not happen. Didn't stop and still doesn't stop espionage on companies where it's, as it were, a national security advantage that's being sought, but the purely commercial rip-off stuff, both countries said that's territory, we don't need to go into it, we don't want to, and President Obama sent out his directive accordingly. A tax on democracy, the democratic process, seemed to me one of those areas, we have to say this is so fundamental and central to who we are that any potential adversary must know, if you tamper there, if you mess around, that is simply not acceptable and there will be quite a significant response. So those are both rather small areas, but there are ways in which over time you can begin to signal these are the areas, on the other hand, adding to Klaus Witz's friction of war by a bit of attrition of logistic systems using cyber means, you're not gonna stop countries, lots of countries wanting to try and do that kind of thing. Captain Scher, I wanted to, before we turn to Q and A from the audience, so start thinking of your questions. You have done a lot of research on confidence-building measures, and I wondered if you could talk a little bit about how we should think about confidence-building measures in the cyber domain. Confidence. Confidence-building measures. Yeah, yeah, yeah. I should say it's a bit different from a nuclear domain, but we could follow the three principles. The first, this confidence-building measures in cyberspace, absolutely, based on voluntary. So, and each country has this right to choose its way to be transparent, to use sort of the measures to set up the confidence. The second is keep on sending the goodwill. I think it's very important. I believe you will receive what you sent. A second principle is a gradual process. So maybe we could find out the common sense among the powers, among the different countries. And second, we could think about to provide what sort of the public goods to support the implement of the confidence-building measures. Okay. I mean, you'll remember the controversies over the very first hotlines. Yes. But in the cyber domain, who do you ring? In the UK, we've just set up a national cyber security center that is part of GCHQ, the Signals Intelligence Agency, but it's also the National SIRD. So there is one place where, as it were, you would ring up to say, we have discovered something serious is going on. It's part of a confidence-building that you would know who to ring and it wouldn't be a call to somebody you'd never spoken to before. That's an excellent point. Interesting idea. I know there are people lining up. Actually, I'll save another. If we run out of questions, I will come back to one I wanted to ask you. Okay, sir, please introduce yourself and ask a question. I'm Michael Crapon at the Stimson Center. I'd like each of the members on the stage to suggest for us what an appropriate and proportionate response might be to an attack by cyber means on our democratic process. So who would like to take that first? I don't think you should ask a non-American first. I think the Americans should answer that first. No, let me help. Yes. Yeah, actually, I was asked the same question several times when we do the Sino and US track two dialogue on cyber security. If personally, I think the response to cyber tank on DNC is quite weak to the reaction to the Sony attacks so you can say this reaction depends on the depends on the capability of the adversaries. And I know United States experienced a very difficult time. When I was asked the same question, I answered China experienced, I have the same experience. We have the same very difficult times. But what we do, we believe internal actors, outside actors could be effected through or by the internal actors. So what we could do is to try to do our best domestic things. So try to improve our defense level, try to develop in advance. So that's our way to rope this sort of tech. In the early 1970s, the Soviet Union's intelligence effort in London had got completely out of control and far more spies of every conceivable kind than the security service could actually manage. British prime minister threw them all out. I think 112 people were just out and it completely destroyed their capacity to conduct intelligence in London for decades. The interesting thing is the response was the routine expulsion of a handful of British diplomats from Moscow because they realized they'd overstepped the mark. And so I think there has to be something that is sufficiently robust to make in this case, the Russian hierarchy, realize, well, we did that, but that's not a move we want to do again. A very small response, in fact, encourages repeat performance. And the only thing I would say is that everything, in essence, should be on the table in terms of those responses. I think that if you look at, I mean, the United States is not the first place that this has happened. I mean, this has been going on in many, many countries. And so to the extent that the international community where you can have some, you know, a little more sort of power in numbers, but I think it goes to this point that states will use this tool if it's not contested, if there is no cost. And right now, there has not been any. And so once again, this is another one of those, this is gonna be treated like a unique incident, not a unique incident, but it's different. How is this different than Sony? We haven't figured out how to think about that yet. The response is part of setting the boundary right for the future. Okay, over here. Go ahead and answer your question, I can repeat it. Ask your question, I can repeat it. No? So if you speak up, I will repeat it. Yeah, okay. Bomb damage assessment is pretty straightforward. Maybe we have something here, yeah. Okay, good, thank you. The bomb damage assessment is in some ways preferable. We also have a question about, at the small tactical level, it's not a problem, but at a larger strategic level, it's very difficult to predict with any certainty what the effects might be, which leads to the problem of unanticipated or unexpected cascading effects that your opponent might think you intended, but you said, oh my God, I didn't think it would be that bad, which could lead to further escalation. My question is, what impact might that have on the whole question of cyber deterrence that might you have a situation? My hunch is that could actually have a stabilizing effect because if you intend to shoot at somebody, but it could end up being a nuclear bullet, you'd be less likely to want to shoot. But that's just a hunch on my part. I wanted to ask our esteemed colleagues up here, what do they think about the role of uncertainty of effects and how that might affect the decision to use or not use, not tactical cyber weapons, but sort of strategic level cyber weapons? I will just say, well, I give my panelists time to think. Personally, being in the situation room, I have witnessed exactly that, a case where the effects were so uncertain that decision makers said, you know, we just can't go there because the second, third, fourth order effects were so unpredictable and potentially so large, but I can't tell you much more about the case. Sorry. Emily or Sir David? Yeah, just a thought. I mean, your line of arguments are a very good one. You might say that in some circumstances, the very design of the weapon, the fact that you need to design the weapons so specifically to do the required damage. I mean, the Stuxnet code, for example, the positioning of the dynamic link libraries meant that it could only do damage in one place. It did escape and it didn't do any damage after it had escaped. You could, I think, mount an argument, though, that the real effect of uncertainty is to make the aggressor pause as to whether the aggressor can be really certain of the effect, particularly if this is the first opening shot in some preemptive military act. You would have to know that it works. You have to know, be very confident that the air defense system will be knocked out as the bombers go flying in. And with cyber weapons, I don't think at the moment that's the kind of certainty you would have. But I also know that if there were any thought of a British use of one of our cyber, offensive cyber capabilities, the British Attorney General would be all over it in a condition of peacetime to say, you have to demonstrate to me that this will only do what it says on the tin. Yeah, I think that, so another problem with using this term cyber deterrence is people use it differently. So are you talking about deterring using cyber to deter some sort of unwanted behavior or trying to deter unwanted cyber behavior? So I mean, it's used both ways, but I think that the idea of using cyber capabilities is part of a broader deterrence strategy, threatening to do something. We will do this if you do that, because that's the key point about deterrence. It's the threat to do something. I think it's kind of a weaker form of deterrence. I mean, we have robust deterrence in conventional and nuclear. I mean, I'm not sure how much cyber gives you value added to that. And in terms of deterring unwanted cyber activity, once again, it's really hard to say I wanna do this now and be able to count on it because of the fluidity of the space. So I think that the uncertainty does complicate, does complicate it a lot. And I certainly recognize as well that there's a lack of understanding about, I mean, in some cases, there's a sense that the whole power grid's gonna go down. Well, it's segmented in a lot of ways, right? I mean, I think that people who study the technology haven't communicated really effectively about what the effects might be and what's the likelihood that you may have unintended consequences or whether, as you were saying, that you can be more precise. You can do things that might be reversible. You can do things that might signal but not be public, which actually will have a positive impact on the calculus of the opponent. I think it's also worth making the point that there's a difference to in the type of target that we're talking about because if you're going after the SCADA control system of a specific piece of industrial plant, that's one thing. But if you were going to do something which could have a knock-on effect on the internet itself, on which your own systems may well depend, then you would, that's a very different class of target. So I wouldn't generalize too much, I suppose. That's true, yes. My answer to your question, it is true uncertainty. It's the biggest characters of the cyber domain. So the best way is to learn to how to get along with the uncertainty and then embrace uncertainty. That's very self-explanatory. And secondly, we did, China, China's governor didn't make the distinguish between a tactic level and strategic level of the cyber attacks because the tactical operation could achieve the strategical objectives. As for the cyber deterrence, personally, I don't like the cyber deterrence strategy because it is difficult to make a credible punishment in cyber domain. So my suggestion, I prefer resilience. Okay, okay. So we're gonna, in the interest of getting more questions and we're gonna take a couple of questions, collect them and let the panelists choose what they wanna respond to. So go ahead, sir. Thank you, Mark Fitzpatrick, International Institute for Strategic Studies. A question about norm building or actually maybe norm breaking. When Stuxnet was introduced, there was some criticism that it was a double-edged sword because it gave Iran then the permission to attack a Ramco computer systems in Saudi Arabia. Two weeks ago, there was an article that the United States was investigating use of cyberspace to try to get at North Korean ballistic missile systems. And again, some questions raised about whether this might then give North Korea the right to also enter cyberspace in that way. Is there a sense that United States or some other country entering a new domain then opens the way for others? Or would they do it anyway? Okay, so question about presidents. Yes, ma'am. Andrea Howard, I'm an ensign and submariner in the United States Navy. You guys have spoken about the different approaches required in the cyber realm and the deterrence realm, nuclear deterrence realm. But since this is Nukefest 2017, I was wondering if you could speak more to the vulnerabilities at the intersection of cyber capabilities and nuclear technologies. Okay, who would like to go first? Question? Intersection of cyber capabilities and nuclear vulnerabilities. Yeah. Do you want to do that? Just through whilst others are thinking. I think we've already seen that Mark, we're in a realm where cyber attacks are being developed, are being used. Unilateral restraint on our part isn't, I think, gonna make any difference to the behavior of others. We do have to be careful, though, about one aspect, which is you release, I mean, the Stuxnet attack, if that genuinely slowed down the Iranian program, sufficient to allow the time for the JCPOA to be negotiated, then I think that was a thoroughly worthwhile thing the United States, if it was the United States and Israel, to have done. But I can perfectly well see that since that code has been exposed and reverse engineered and used in part on weapons that are now directed back at us, you probably want to be very careful when you do deploy these, and if you have capabilities, save them up for when you really, really need them. Yeah, I just would add that as long as the cost is low, the cost of entry are low, and there's no repercussion. My expectation was entities, and it's not necessarily just states, it's also non-state actors who will be looking to use these capabilities. I'm a nuclear one. I follow the first question about cyber norm building and cyber norm breaking. I should say, so far, you can say that the progress about cyber norm building are all long restriction norms. So it is important for the countries to keep a self-restraint. And second I would like to add is it is important to set rules on how to reward, how to rewarding, rewarding the rules obeying, yeah. So if I could just put a finer point on the nuclear and cyber intersection. We talked earlier about it's very difficult to distinguish sometimes in a sort of, I don't wanna say harmless, but a typical or traditional intelligence effort from something, a piece of malware or some access that might become kind of a Trojan horse for an attack. Is the fact that we can't necessarily or we can't expect our adversaries to tell the difference reliably? Should that create some restraints on even what we do intelligence wise against something like strategic nuclear systems or strategic command and control? Should we try to really limit that intersection in some way? I mean, obviously there are certain areas that are extremely difficult to even if you wanted to do things. I mean, there are certain systems that are entirely separated from others. I mean, the U.S. does that because it's so very important. So I think that you have to be cognizant of the consequences that if that is discovered, but then I would also go back to, if it were possible, it was discovered when would it be discovered, right? So if we discover malware and it's during peace time. And you're right in terms of the difficulty of telling what is intelligence versus what is some sort of an offensive capability. But I think the context is really important, but we need to be mindful. And then hypothetically, if things are heating up, maybe you pull stuff back. Okay, we're gonna have last two questions, one on each side. I'm sorry, I apologize to anybody that we didn't get to. Rachel Webb with SAIC. Earlier this month, General Hayton testified and called the American NC3 capability resilient, robust and ancient. So how would you balance the technological imperative with trying to limit the connectivity to that cyber threat, okay? And then on this side, last question. Hi, Raymond Wang from the BIP Monitor Institute. So I have a question about establishing norms in clear thresholds in the cyber realm. So one of the fundamental differences between the connecting methods of war and the cyber methods of war is that it is hard to recognize a good cyber attack. And the advanced persistent threat, APT is one of the most threatening vectors within the cyberspace. So given, and one of the industry recommendations in civilian nuclear industry is to assume that your systems have already been compromised. So given this fundamental difference between these two methods of waging war, if you will, how do you think our traditional ways of thinking of norm formation in terms of verification and establishing a thresholds can or should adapt? And on a broader level, how do you think, we've been talking about these issues for the last hour and we've been using sort of traditional and kinetic metaphors of shooting a bullet and stuff like that, but that doesn't really capture what sort of the core of the issue that we want to talk about. So how do you think our traditional methods of thinking should sort of adapt to the cyber challenges? Michelle, can I just squeeze in a short one? Very. Really short. Hi, Jeff Smith, I'm a managing editor at the Center for Public Integrity. A key difference between cyber and nuclear may be the following. In nuclear, we've each created weapon systems that we're naked to, that we know about on the other side that we're vulnerable to, that cannot be defended against. So that's why deterrence works. So the question is for Mr. Goldman, can you imagine creating a cyber weapon that you can tell the other side about that they will know about, but they cannot defend against and that you're sure they cannot defend against? So with all of those questions in mind, I'm gonna give each of our panelists one or two minutes to choose something to respond to. I gave up. To wrap up. I gave up because they speak so fast, I'm lost. Well, we'll give you one or two minutes to make a final point then. Okay, so, David. Okay, the British Chiefs of Staff met in 1954 and solemnly discussed what would they do if the Soviet Union put a nuclear, one of their new nuclear weapons on a freighter, sailed it up the Thames and anchored it in London. And they concluded, there is no defense against such. Nova, we have to rely on deterrence and everything then flowed from that. I don't think we can reach that conclusion in the cyber area because I don't think we'll ever have that certainty of deterrence. But we can certainly improve matters very considerably by improving our defenses and by making it clear to a potential adversary that they have assets too that can be held at risk. I wouldn't go so far as to try and publicize that in advance because it's too easy to produce countermeasures. The other thing I'd say is I do agree, we're just at the foothills, we're just beginning to think our way through it. This is the biggest revolution in human affairs since movable type. And that led to the Hundred Years War and lots of other things in Europe. So, the digital world is transformational. And it's gonna be transformational. Warfare just has been transformational in business and finance and our social lives and everything else. So, having made that point, I think the big takeaway for me is we've got to learn to live with what we've now got in the digital world. Not wish it away, not negotiate it away, but just learn to live safely with it. How I learned to love the cyber bomb or something. Yeah, absolutely. Just a couple of the last question. I think the question about, is there a cyber capability that would be so powerful that we can let our adversary know? There's, I mean, with nuclear weapons, you have a nuclear arsenal. If you use one, it doesn't necessarily invalidate the rest of your arsenal. Cyber, it does. I mean, you use that particular tool and then it's out in the wild and others can begin to mitigate against it. So I'm not sure that we're gonna ever really get to that place where you can say, here it is, here's a demonstration and we have this. But I would say that we have to think in terms of resilience is important. I think defense is important, active defense is important and offense is important also, that all of those. And it's really about, it's a very dynamic domain and it's about seizing and retaining the initiative and being able to do that, being able to defend yourself and exploit the vulnerabilities of the other because it's constantly changing. And I think until we kind of get our heads around that and begin to think about that and to really sort of do what they did after like in the 1940s and 1950s when the wizards of Armageddon, they got together and they said, look, this is this technology. What does this really mean for how we think about keeping ourselves safe and secure? And that is where we are and that is what I think we collectively need to do. Captain Chu, any final words? Yeah, I grew up with you. Okay. Well, thank you all and please join me in thanking our panelists. They've given us a lot of time to talk. Thank you. Thank you.