My name is John Hamre, and again, thank you all for coming. Delighted you're here. When we were putting together this conference, the structure of the conference, we knew we wanted to do something on cyberspace. And I must say I agonized over this topic, because it isn't something that we normally talk about. But then all of a sudden, yesterday in the Washington Post, "Cyber weapons on Pentagon's fast track." You know, I thought, well, I guess that's going to. Ellen's here. Pardon me? Ellen's here, so. OK, Ellen's here. So this is all off the record. That's obviously not going to work. This will be a very interesting conversation, and it is a conversation. These are three individuals who have done more creative and collective thinking about cybersecurity than anybody I know. But we are going to take them into somewhat of a different space. Most public discourse tends to be about cyber terrorism, or espionage, or things of that nature. We thought we are at a stage where we need to talk about this as a war fighting domain. It isn't a happy topic, but it's an important topic. It's an important topic for us to think through and to understand. And so that's what we're going to try to explore in the next hour or so. We're going to try to get much of this to come out in the richness of their interaction with each other. And of course, I'm going to be turning to all of you, because I'm going to be looking for your help to make this interesting. One of the real questions, and I'm going to start with General Cartwright, it was a year ago when he stated, and I'll quote this, "if it's OK to attack me, and I'm not going to do anything other than improve my defenses every time you attack me, it's very difficult to come up with a deterrent strategy." So let, and of course, deterrence, by definition, means the other guy knows what's going to happen to him. That's a core. And yet we don't tend to talk about this.
So General Cartwright, I'm going to give you a chance to talk about this. Why don't you amplify on how do you think about deterrence and involving cyber?
Yeah, I'm glad you asked that. Yeah. My concern is, one, a strategy that is pure defense from a military construct is, as you said, very difficult to then plug into some sort of a deterrent strategy to somehow convey to an adversary that doing this comes at a price. Right now, the price is all on us, because we just keep being attacked. And for the most part, we're probably losing intellectual capital. If you're in the business world, you're probably losing other things. But most of it is associated with intellectual capital and secrets that you want to keep for competitive advantage. The question from our perspective, at least if you think about it in military terms, is how do you turn that equation around? Today, and Bill, I know you've got the numbers you've been quoted, but it's a couple hundred lines of code to write a virus to go sneak something out of somebody's network. And then companies like McAfee and others and Microsoft spend a lot of money on at least a million lines of code to patch it. And if you think about it, it's a surface, and you're going to put a band-aid on it. So what you've basically done is you've made the surface larger. So now I have more area to attack with every patch. So it's called the divergent strategy. Everything is in the favor of the attacker. And as long as you stay that way, it's a cost-imposing strategy on you. And in order to turn that around, you have to think of a way to convince the adversary not that you're going to build the perfect shield, but there is, number one, there's a price. Number two, that you have a means by which you can impose some sort of discipline on the activity and change the calculus of cost to more to your advantage as you defend.
And then number two, you have to have a credible means by which to do it, and you have to demonstrate you're going to do it. And I use the airlines as an example. We over the years have had first, you know, back in the 70s with the hijackings and now with the problems that we've had. We have used a fair number of, say, air marshals, but nowhere near the number of flights there are in a day. But it was enough that people who thought about hijacking said, what's my likelihood of being successful? And I may not be successful. And so they were deterred. And it was credible. And if every once in a while you caught one, that was all it took. But there was a conversation that we're doing this, i.e., an acknowledgement, a demonstration of will, and therefore it was credible. The question in cyber is not to go out and say, gee, I have this tool and that tool. I'm going to attack you this way and that way. The question is, are we willing, as a nation, one, to set a level of tolerance for this activity, two, to say that we're going to do something about it, and then to demonstrate, one, that we exercise and show governance over it. And then we apply it, like we would in law, when we feel it's necessary. And that basically then has the opportunity to convince an adversary that it may not be worth as well. It's not a shield. It'll never be a shield. But it changes the calculus and the cost to play. And that's what I think you need to do. People have said, well, gee, let's talk about the specific weapons. We don't need to do that. You just need to demonstrate, one, the will, two, the ability. And then once you've done that, that changes the game substantially. Now, the question here is, and we get into this with the lawyers, oftentimes, is gee, what's the difference between being attacked and stealing something and espionage and all of those things? I'll leave that to the lawyers. The idea here is you want to affect your adversary's belief of their likelihood of success.
And that's what we've got to start to change in the discipline here.
You've got a lawyer sitting right to your right.
I knew what I said.
You set him up beautifully. Bill, why don't you jump in here and then Jim, huh?
Actually, I initially committed not as a lawyer, but I think here the experience we've had in nuclear strategy is helpful. When you look at deterrent theory, there are two classic types of deterrence. There's deterrence by imposing costs, and there's deterrence by denying benefit. And I think we're going to want to use both. The initial nuclear world was heavily the imposing cost. That's mutually assured destruction, essentially the ultimate cost. And that gave us stability for a while. And I think that we want to pursue both models depending on the circumstances and the actors. For major nation states, that conventional model of deterrence by imposing costs, which is a lot of what Hoss was talking about, works, I think, quite well. Because they have assets that you can hold at risk. And if you show, as Hoss is saying, you show that you have the political will and the technological capability to hold those assets at risk, you're going to inhibit their actions against you. And I think that there are some in cyber who suggest that attribution becomes more of a problem. I think it does. I mean, missiles come with a return address. Cyber attacks don't. But I think we've gotten to the point where particularly when you're talking about major nation states, our ability to get pretty close on attribution pretty fast is quite high right now. Moreover, if you're a major nation state, you really want to bet the farm that we can't do it. I think it's a little bit your air marshal analogy. So I think that model applies pretty well in that world. I think it applies much less well if you're dealing with rogue states who do have assets that can be held at risk.
But if you're in this kind of cyber war in the title cyber, some sort of cyber hostile world, you've probably done something to them which may cause them to think that they have nothing left to lose. And so then it's going to be harder to deter them. And then terrorist groups, it's even worse that you can't find, I think. It's very, very hard to find assets in terrorist groups you can hold at risk. So it's really hard to pursue a policy of deterrence by imposing costs with that kind of group. And there I think you have to turn more heavily to deterrence by denying benefit. What you want to do is make it so much harder for them to do this that they frankly turn to other avenues. There's always going to be a door open. But what you're trying to do is close as many of the doors as you can and raise the cost of the attack such that it's not seen as a worthwhile activity for them to pursue. I think these two concepts start to merge a bit as you get to what we've called active defense. I mean, active defense, I think there are concepts of active defense, which are hunting on your own network, diverting attacks into a safe zone. But there's also concepts of active defense that look more like preemption. That you use the intelligence capabilities of the United States to anticipate the attacks and try and stop them either before they occur or as they're occurring. Now you're starting a little bit more to get into a deterrence by imposing costs. But again, I think what you want as a matter of national policy is both flavors of deterrence. And you need to shape them based on who it is you're trying to deter.
Jim, do you want to jump in here?
Sure. In the Cold War, we have this belief that deterrence worked. So it might be true. But one of the things that deterrence didn't do is it didn't deter the other side from engaging in espionage. And so one of the things we have to realize is there are limits to what can be deterred.
And unless we want to change the definition, the implicit rules that govern this and include espionage, which would not be in our national interest, unless we make that change, deterrence can only be just one card in the deck. We need more than one card to play this game.
Bill, you raise the point that we use nuclear warfare doctrine, a good deal in our thinking about this. And I want to just dig in a little bit on that. You said that there were two dimensions to deterrence. There was imposing costs and then denying benefits. We went through that a little bit in the nuclear world when we said that city busting wasn't going to be a legitimate doctrine for the US. We would not simply destroy cities because we considered that to be, I guess, an immoral use of nuclear weapons. And it was the ultimate denying or imposing penalty. And instead, we went to counter force. We were going to target the other guy's weapons. So much more of, as you were, denying capacities, in this case. So let me take that, port this over now to cyber. Cyber, of course, is so different, at least for us, because the infrastructure is in the private sector. So are there concepts of legitimate and illegitimate targeting in cyberspace when the infrastructure is in the private sector? Let's say you want to go after a, you want to shut the power out on an installation and it's right next door to a hospital. How do we think about that? Are there doctrinal guidelines that help us thinking about cyber on a target that you guys are thinking about? You were thinking about, how is this starting to be formulated? Let's start if you would, please.
I think cyber is different, but I think some of the same principles apply. I mean, you want, to the extent possible, to limit collateral damage. You need to be proportional in your response. You need to respect the rights of neutral states. And I think all of those concepts apply.
So in your hospital example, I think you would do what you would do if you had a target near a hospital is what's the risk to that hospital? What can you do to minimize that risk? How important is the target? And it's that concept of collateral damage proportionality. I think you go through the same steps in the analysis. I think there are things in cyber that make it more difficult, in particular the speed at which you have to act. You will have less planning time unless you've done it beforehand, which puts an emphasis on doing that. But if you're responding at network speed, your ability to understand collateral damage from getting this or that server, this or that installation, may be more limited than you'd like. But again, I think it's going to require decision makers to make that judgment. Is the risk just too high? And I need to forego, or I need to wait?
My sense is, and we get into this discussion quite frequently, the difference between cultural norms, what's acceptable, policies, and then law. The law of armed conflict is very clear. You don't attack a hospital. You don't attack infrastructure that would hold at risk innocent civilians. That's pretty straightforward. It has to be in your doctrine. It has to be in your policy. But it's law. The concepts that are not there in law, like city busting and things like that, then become cultural issues that are somewhat situational in that we as a nation change them from time to time based on whatever external stimulus and internal stimulus comes to us to do that. But they're not necessarily consistent across the world, or they may be consistent against by a set of nation states, but not by another set of nation states or by terrorists, et cetera. And so it becomes difficult. And there isn't a lot of body yet, although it's developing very quickly about the cultural norms. What's acceptable here? What's not going to be acceptable?
Are we going to say that it's OK to go after infrastructure or banks or whatever? And that's the area that is really ripe for discussion. It ought to be discussed. It shouldn't be decided in a closed room. And I think that discussion is starting. The issues of collateral damage against those things that are generally in the law of armed conflict, like hospitals, et cetera, is pretty straightforward. So that tends to take for the military, you in a direction that says, treat this as if it is fires. Treat it as if it is any offensive weapon. What can I do with it and what is inappropriate to use it for? The areas that are different here are, in fact, the network speeds at which they occur. But that's not in the planning process. That's in the execution process. Understanding that what you may think occurs may not actually occur because you can't forecast as well in cyber. We just haven't got the background. So what you think you went after and then you end up with collateral damage you didn't forecast are things that are going to happen. They just are logically going to happen. But they'll be refined over time. And people will be held accountable. Where it gets more difficult is in the proportionality side, which is really under the law of self-defense. What can you do in self-defense? What is proportional? What is proximate? What is hot pursuit? All of those questions, how do they apply in cyber? And how are we going to use them in cyber? And how would you use them if what you're worried about is somebody stealing your intellectual capital or secrets versus somebody is disabling your ship, airplane, tank, whatever? And how is that going to happen? And how do you say to a commander in the field, here's what you can do in self-defense? How do we do that today? And that's the discussion that's starting to emerge about rules of engagement. How do we handle that? How do we say to the commander of a ship, here's what you can do if you're attacked? 
Let me just dig down a little bit deeper here and then I'll come to you, Jeff. Of course, in Kosovo, the air war, and of course these last wars in Iraq and Afghanistan, the opponent learns pretty quickly what we consider to be lawful and unlawful use of force. And what happens is pretty soon, missiles show up inside churches and mosques because they know we don't attack them. So this is the quintessential dimension of that. How do we think about this reactive opponent that's going to, especially because they can mask themselves so easily in cyberspace?
It's a new domain. It's not different. And so what we see most often, probably, or at least in my past experiences, what you see most often is countries will come to the United States because our laws are very protective of people's rights. And so if you want to have a website that is advocating things that maybe are out of the norm, let's say, a good place to do that is host that in the United States because you're well protected. Or you can find other countries that have laws that way. The question then becomes, where do they cross the boundary conditions? But that is more of a law enforcement issue, more of a diplomatic issue than it is a warfare issue. And so this idea that, and this is where we're having a lot of discussion, I think, in this country and globally, is the difference between law enforcement, how you defend the homeland, when is that appropriate, when do you apply diplomacy, and how long do you apply diplomacy when you're dealing with network speed, when can you use it? And then when is it an act of aggression, which is in the eye of the beholder, and how do you behave once you've determined it is an act of aggression?
Jim?
Couple points, and I think that Bill and Hoss have raised the key issues, which is in a lot of ways this is just another weapon, and that's a good entry point. There are areas where it's different, and that's maybe something we can tease out, but a couple of quick points.
We all know that in, I think it was 1940, President Roosevelt wrote to Churchill and Hitler and said, please don't bomb cities because that would be bad, and they agreed. Okay, we won't bomb cities, and the agreement lasted, I don't know, maybe a month. Context will determine a lot of this. If we're in a conflict, people will change what their notion of a legitimate target is, right? And we've had the luxury of fighting conflicts. This sounds terrible, but it's true. Where we haven't had a lot of the problems we would have against a near peer competitor. We aren't gonna have to think about air superiority, we aren't gonna have to think about some of the things we will have to think about in a bigger conflict, and when you get in that different context, the notion, I think, that will drive this is overriding military necessity. So under the laws of war, you can shoot a hospital if you need to. If the commander decides and his judgment is subject to review by at least four million lawyers. But if the commander decides there's overriding military necessity, he can shoot that hospital. Another thing to think about, and I think this was Bill's point, different actors, different values. We know that some of the guys that we might someday face in cyberspace don't have any hesitation about attacking civilian targets. And presumably when they acquire the cyber capability, they'll use it the same way they use IEDs or truck bombs.
John, I think the new part of cyber here is what Hoss alluded to. The conventional collateral damage is your hospital. Geez, if you come too close to the hospital, don't have to be careful, and of course you do. The precision there in cyber is probably pretty good, and we're in a position, I think, to make those kinds of judgments and balances, and I think that where cyber is somewhat different, and where, as Hoss indicated, the adversaries already are adapting, is to use our laws against us.
Is to use neutral countries to launch attacks, to come into this country and play on the difference between national security and law enforcement. And now we have different organizations and different rules and different sets of protections. And so I think that rather than the collateral damage it's not the collateral damages and an issue, but I think that legal and policy entanglement in cyber is far, far more difficult than it is in some of the other domains.
Let me ask, Bill, let me ask you, Keith Alexander testified, I guess about a month ago, I think it was, every month, it doesn't, but about a month ago he testified, and he basically said cyber weapons are gonna be presidential released. Again, it's back to this nuclear analogy. It's pretty hard to see how there's a, the president is going to do that unless it's a reactive posture. Do you, I know that this is, I'm bordering on what you guys can talk about from your previous experience, but do you think it's possible that cyber can only be a presidential release weapon in the long run?
Well, I mean, I think there's a couple of dimensions you need to take that on. One is, what are the circumstances you're talking about? If you're talking about an actual conflict, I think it's much less of a challenge, frankly. If we're at, frankly, at war with some other nation, using cyber weapons isn't gonna be the decision process I don't think is gonna be that much different than any other set of weapons. I think when people talk about that problem, they're not really talking about a conflict situation. What you're talking about is one of two other things, either a pre-conflict situation where you're walking towards a conflict and tensions are escalating, and I don't think I'm gonna use any examples for a diplomatic reason, but you can imagine circumstances where it's escalating and there it does somewhat become a presidential decision because you don't want to take actions that lead to a conflict you're trying to avoid.
So it's not so much inherent in the cyber as it is in the context in you're trying to walk a, I know it was Cuban Missile Crisis or whatever, you're trying to walk a line here that defends your interests without provoking an outcome that you don't want. The third situation is you might think about it's sort of the covert action world. You're not really in a conventional conflict at all, but we have bad guys we're worrying about and we're doing things about it. And without getting very far down that road, generally covert action things are presidential decisions and I don't think in that context cyber will be any different. So I think you have to kind of look at what the context is. The thrust of your question was going at a different dimension which was again the network speed issue, is can you really have time to call the president up and have a deputies meeting, then an NSC meeting and by that point the power grid's down or whatever it is you're worried about. I think there that puts a high premium on rules of engagement. I think that what you want to give essentially cyber command to Homeland Security is here's the kinds of steps that you can take in response to these actions and here's the things that you can't take and you have to check. We recognize that in fact that there's a cost to that, there may be a time lag, but we're gonna live with that. If you can make those policy judgments to the extent possible in advance and I think you can do a lot of this is to just give cyber command here are the rules and what you're gonna tend to do is you're gonna be able to take defensive actions, even aggressive defensive actions based on your own authority. If you start to get something that really looks like an offensive action, you're probably gonna have to check with the White House. Is that a perfect world in terms of defending the cyber or cyber assets? No, but is it the world we live in as a democracy? I think it is.
Either of you guys want to?
My sense is that the real question and I think Bill's hitting on it here is President just by the law is determines what weapons in what theaters and where all the time for every weapon, not just for cyber weapons. If it's an area of hostility where something's going on, the delegation is more broadly given and more capabilities are provided to the regional combat commander to employ. If it's not an area of hostility that's been declared, then covert that type of activity, it still requires presidential approval. I think the key issue that Keith is touching on and that you're hinting at here a little bit is the issue of the speed, the network speed activity. What's going to be appropriate in the defense for, again, I take it back on the military side to a captain on the ship, a pilot that's in command of an aircraft, et cetera. What are they going to be allowed to do once they determine they've been attacked in cyber? And if they can even make that judgment, but we just carried far enough to say that all their systems don't work and they can't figure out why. Is it gonna be just to isolate themselves? Are they going to be allowed to respond? Can they respond in kind? How do they determine proportionality? Those are the questions that we're trying to, that I listen to the debate right now on standing rules of engagement. What do they look like? How do you know? And what is proportionality and Keith's worry about? If all you can do is defend yourself and move away from the problem, which is a good start, before you can take an offensive action against it to stop the attack and you need to come back to Washington and get a blessing and all those types of things. That could be long enough. It wouldn't, this is my sense and there are a thousand situations, but for a ship or a tank, okay, you just park, okay? For an airplane it's a whole different story. I mean, they're not able to park, so to speak and wait it out, wait for somebody to decide. 
It may be the same for critical infrastructure. And in those cases, how are we gonna handle those activities and what authorities are gonna be delegated from the president? They're still his decision, but what are gonna be delegated for quicker response capabilities? And that will be tailored, my estimate, based on what we think the lethality of the attack could be. An airplane obviously or a hospital would be much different than talking about a truck, a vehicle, something like that.
Jim, do you want to jump in?
Leads us right to a topic I think we'll come back to later, which is active defense and how do you use offensive capabilities to shape the environment in a positive way?
Okay, so you led us, sir, why don't you take us there?
Oh, okay, because what we've learned the hard way, I guess that's traditional for democracies too, is there aren't really good defensive solutions yet. So if you're going to think, and part of the reason there aren't good defensive solutions is you have a set of opponents, our most active and our most skilled, who are protected by sovereignty, and I think this is some of the points Bill is getting at. So when you look at the people who are engaged in reconnaissance or espionage or crime right now, using that as a way to prepare for potential military conflict, what do we do back to them, right? And you raise a whole set of issues. When is it appropriate for the US to take action in another country's territory? Who makes that decision? Can we define the space for conflict in a way that keeps us in some ambiguous area where it's not American territory, where you trigger all kinds of annoying laws, and it's not their territory where you raise a much greater risk of conflict? Can we do that? What do you want to say about offensive operations? A lot of this depends on the target. If you can be very precise on the target, you know, maybe then you would be willing to delegate some authority.
If you can be precise on the target and precise on the collateral effect. And all of these things are things we haven't tested. So I'm gonna say country X, there's the server, they're bad. I'm gonna shoot the server. Well, do you know what will happen? Do you know how they will react? And we haven't worked through those issues.
Okay, I think it's really interesting. Let me, obviously the first thing that comes to mind is the analog here is electronic warfare. You know, you're going to send airplanes over the border next time. You're gonna send jammers up in advance. You're gonna scream. You're gonna blind out the radars, you know, so that you can carry on the attack. That, of course, is great when you're in control of executing the pre-planned play. It gets a little bit harder when you get into the more dynamic nature on day two, day three, day eight, you know, kind of thing. Have you guys been thinking about this? I mean, huh, where are you in this? Because I understand that preemptively and proactively using the tool, and I can understand that in the outset of a war plan. How about when we get into combat?
Again, this is my own bias, so take it as such, but, you know, there are generally three levels of control areas that we work. There's the combatant control, which is theater and regional, operational control and tactical. The tactical things occur on the battlefield day in and day out, and they may be a denial of service, they may be used to mislead your adversary as you try to position yourself in an advantageous way. Any number of things, operation, or tactically, that you can do that things like radio battalions and signal corps and whatnot do on a day-to-day basis that are delegated down, they must be contained inside the theater, they must be tactical in their use, but they're blessed, and you use them in how you plan out your activities and react to the unforeseen.
At the operational level, you're usually talking about inside of a single nation state or an area of hostility, and as long as your activities are applied in that area, the tools can be used multiple times and are used multiple times to go out and affect the adversary and an adversary's calculus of their perception of the world. At the strategic level, that's much more difficult, and I think those questions become hard for us to use. And when you talk strategic, is it something that's launched from here in the United States and goes to country X and did it pass through somebody else en route? All of those questions become more difficult. Do we treat it like air and water? Are there commons where it's okay to pass? I mean, those are the questions now that are being debated. They're somewhat, I would say, esoteric when you debate them in the abstract. When you have a real concrete example, then it gets a little more, it becomes easier for us to apply the law and say this works or it doesn't work. If recent examples that have been out there of organizations that have put out information on the internet, how to build a bomb, how to rob a store, whatever it is you're trying to do, if they do that in one country, move it to another country, the fact that you can go after a single server probably doesn't do anything other than temporal shorting from one server. They can spew it from a whole bunch of other places. What's the law look like? What's our ability to go to that country intermediary and say, stop that. For me, in the Standing Rules of Engagement, the first thing you wanna do is a diplomatic action. You wanna turn around and say, okay, I'm gonna protect myself, I'm gonna isolate my network and then let the State Department talk nation to nation, stop that. And if you don't, then we reserve the right to defend ourselves. That's pretty straightforward.
The more approximate is if what they're doing is so damaging and so evil or whatever you wanna say here, then do you wanna take that time? And that's when it becomes hard at network speeds. The diplomacy, stopping for diplomacy may not save the lives of innocent people. And do you wanna do something about that? And that's a judgment. But it's hard to argue that in the abstract. So tactically, it goes on. It's generally handled day in, day out. Operationally, as long as it's an area of hostility, it's day in, day out. It has to be constrained inside that area of hostility. It's the strategic level that starts to become a problem for us.
I wanna just add one thing to that. I agree with Hoss. I think our institutions are best able to deal with the circumstance you started with, which is a conflict situation with military forces. We're working our way through, Keith Alexander, Cyber Command are working their way through, kind of how do we act in those? Applying some electronic warfare or other concepts. But I think my sense is that we have a path forward there. What worries me much more as it goes to more hostage and I think it's a problem we need to solve is what happens with critical infrastructure and if it's not in a conflict situation? So you're seeing an attack, a major attack now coming at critical infrastructure. How do you respond? How do you respond at network speed? What actions are you gonna allow? Who's in charge? I think those are the questions. Because as you noted at the outset, this is all almost entirely in private sector hands. It is not a conventional military problem like air defense where you kind of hand it to the military and ask them to do it. But it's not, at least I feel strongly, as I'm very into the Chamber of Commerce, that this is not just a private sector problem and you can just ask them to do good and figure it'll work out.
This is the, and so I think in my sense to take it, rather than just throw out a problem, offer some sense of where I would take it, I think we need a structure that still has homeland security as the, in charge of protecting critical infrastructure, but behind homeland security, you have to have the cyber command and the NSA expertise to be able to deal with these issues and you have to be able to be organized structurally so what you're seeing is not a day-to-day threat but becomes a national security threat. You need to be able to pivot so that essentially at network speed or close to it, probably requires a presidential authorization so not quite at network speed. You're able to pivot cyber command now into the floor because you're now dealing not with a law enforcement problem, not with a few incursions, you're dealing with a national security problem and that's a different set of agencies, a different set of constructs. Let me, I've got a couple more lines in query and then I'm gonna open up to you guys. Let me ask you about how we're organized here. I mean, right now at the same time we're having this seminar we got another one across the hall that's about how to organize the use of special forces and of course when we created the special forces, the Klinger Cohen, not Klinger Cohen, I think it was, forever it was, when we created program 11 with the special forces, the great debate was how much authority were you gonna give special forces to operate autonomously on a global basis? Were you going to require that they be used exclusively through regional combatant commanders, back then we called them Sinks? Or were we going to give them the capacity to operate completely independently under positive control by the White House, of course, but under positive control? And we came up with a compromise back then, which was very narrowly defined, but it's still with us. Now let's take that over to cyber. We're trying to figure out how to organize for this. 
We put it under Keith Alexander, but it's not, it's still under STRATCOM. It's not clear to me, when we're thinking about offensive cyber activity, not defense, offensive cyber activity, how do we structure this vis-a-vis the task force commander that's running an operation or the regional combatant commander or the cyber, what should be the organizational structure for offensive operation? Are you comfortable with where we are? Do you seek this, is this a long-term solution? Is this just the only thing we can do right now because it's what we got right now? How do you see this playing out? I mean, you've worked on some UCPs. I mean, it's a good debate and we ought to have the debate, but we've had this same issue over the years with multiple different venues, space. You couldn't quite figure out how to do space. We're still struggling with missile defense because in missile defense you may have the weapons in one country and the sensors in another country or another AOR or however you wanna look at it. Multiple AORs just to guide one missile or intercept another. Cyber is yet another venue in which this occurs. It's very straightforward at the tactical level that it needs to be under the regional combatant commander and he needs to be able to or she needs to be able to use it in that situation the way they see it. It's same at operational level. It's when it becomes strategic and you're moving across AORs and what we have done thus far with the functional combatant commanders which are SOCOM and STRATCOM in particular in this venue is to use them to synchronize the activity for the most part reserve the right that if the president or someone else sees it to our advantage in the particular situation to use either SOCOM or STRATCOM to actually be supported rather than be the supporting guy but the default is always to the regional combatant commander who's generally in charge of the local fight to make sure that all fires are coordinated to come into that AOR. 
I think that's a starting place. Do we wanna modify it because of the character of cyber, the speed of cyber, et cetera? I mean these are things that are age old arguments. And I don't think we should solve them with one answer because we give the adversary then a stationary target. Our ambiguity is sometimes our best, the best ally. Internally it causes kerfuffles back and forth but the reality is it gives us a greater flexibility to adapt to the unforeseen. And so I wouldn't lock it down. I think we're starting to find our way. I would caution rushing to have cybercom be a unified command which means that basically they're in charge of it globally. And the reason is just like space is that they don't have the context of the regional activity. And you really need that context to apply the art of war and the weapons to affect the adversary's mindset. And so my sense is we're not ready for that. What happened to us in space when we went off and made a command associated purely with space was that nobody knew how to use it because it was a big secret that only space command knew how to use. What you really want here is that you want it to be fires. You want it to be something that Lance Corporal Cartwright understands how to ask for and where it's gonna come from and how much he's gonna rely on it or not rely on it. Keep it out of the annex here. Yeah. Either Jim do you want to? One thing to bear in mind is we're in a, this is a new military capability. And so we're in a period of experimentation where everybody's trying to figure out what organization, what doctrine best gives me advantage. So when you look at other countries, a lot of times the US is a precedent, right? So we set up a cyber command and everybody else has a cyber command too, you know, next year. But when they do that, they're focusing on the defensive side. 
And when you look at how countries like Russia, China or Israel are organizing their offensive capabilities, they're trying different models than we are. And in some ways it's because they have different strategies. But we should bear in mind that folks are gonna try different models. And in some ways we won't resolve this till we get a little more experience. Just briefly, I mean, I think we did the right thing with creating cyber command. I think we've got about 80% of the value with that. The last 20% is where does it fit? Should it continue to be under STRATCOM? Should it be a standalone command? I can argue it either way. I mean, I can tell you just, history, I think we would have actually done a standalone command, but for two things. One was what Hoss mentioned, that the cautionary experience with SPACECOM kind of caused people to say, oh, that didn't work out very well. Maybe we should do this, if we're gonna do it, do it two steps rather than one. And then the other was, frankly, the politics. Congress was skeptical of a cyber command. By doing it in this two step, you bought more support. Could you ultimately go to a standalone command? Yes. Do you have to? No. I mean, but as I said, I think we've got the 80%. We want to continue to refine it, but it's a secondary. Okay, let me take my last one. Forgive me, I apologize, I'm having too much fun. And Jim, I'm gonna start with you and I'd like to get reactions from colleagues here. I know that you've been engaged for a couple of years now in a quiet track two, track one and a half thing with counterparts in China over cyber. And obviously from a national capability standpoint, we're gonna have one point of view. But it's also, we share some things that are not immediately obvious. Neither of us wants to let a third country get us into war with each other. You know, obviously we're gonna want to find some way to not let somebody else spoof us into a war with each other in cyberspace. 
We both have an interest to make sure that problems in other countries don't spill over into our space with each other. We both have an interest in not letting criminal gangs act as government entities. You know, we want to be positive. If we want to go to war with each other, let's make sure we're doing it intentionally. Let's not let it happen by somebody else. So it seems to me there's a space. Now we've kind of explored this in kind of the traditional world of combat by, and it resulted in things like the Geneva Conventions and certain things. We all agreed had dimensions where it was in our shared interest to find rules together. Do you think we can get there in cyber? And where do you think would be the most promising way to think about that? Hey, this wasn't in the script. You were supposed to ask me that. It was not in the script. That's an outrage. Threw you a curveball, okay. Now I have to think. I think the short answer is no, right? And so what do we have now? Very high levels of common concerns. But in some ways, and this is true for other countries as well, it's mirror-imaging concerns, right? It's not that we have shared concerns. It's we have sort of the same concerns pointing at each other. There's big differences on political values. This whole debate over is information, a weapon, seems to be receding a little bit, but receding, whatever. Recreating a bit, yeah. But it's still there, debate over political values. You have a high level of distrust for the, we have a high level of distrust when we think of the Chinese. They have an even higher level of distrust when it comes to us. Same's probably true for the Russians, although they're a little more malleable. Lack of experience in negotiations. You know, like when you say law of the sea or INCSEA, you know, that's a new thing to these guys. I would put this in the larger context, particularly with the Chinese of our relations with them. I think you can't pull it out of that. 
And so if you ask the same question for any level, whether it's the LOC or what, I know we had a session. The final thing I'll say on this is that one of the things that's affecting our ability to get a deal, and maybe the most important thing is the Chinese assessment of the trajectory that the United States is on. And their assessment is that we are a weakening power. So, you know, if you're in that, if you're a negotiator and you say that, it's like, I'll wait a year and they'll be in worse shape. It'll be easier for me to get a favorable deal. Sorry, I can't bring happier news. Well, either you want to comment on this? Yeah, I mean, cyber's not the only domain that we're having trouble with right now. I mean, look at the sea. Where are the mineral resources? Where are the energy resources? Where are boundaries in the sea? Where aren't boundaries in the sea? Which ones do you go by? I mean, these are all things that in every domain, we question whether, you know, what is the norm and the norm changes as the situation changes to a large extent. But I think you have to think about cyber and whatever it is you're going to do in cyber, not about how you're going to fix it internally, but how it's globally going to be applied. Because this is the commerce highway. It is the commerce highway of today and for as long into the future as we're gonna see right now. And so on that highway, are we gonna go right to right or left to left? How's it gonna work out there? And I think people are starting nation states, I'll put it that way, are starting to come to a set of norms and they're starting to adjust. I mean, we have had multiple interactions with our allied partners about how to move forward in cyber. We have started on the intelligence side with what was called the Five Eyes construct because we had a security arrangement between the five countries about how to share information at a classified level. That's wonderful. 
That allowed us to work in cyber at a level of detail that we could not have done in the past without compromising each other's capabilities. If we could apply that also at the NATO level, then quite frankly in the physical real world, that's 95% of the wires and circuits in the world, the Five Eyes and NATO. That's a big coalition. And we're starting to have that dialogue in NATO now, but that thinking about cyber out, not cyber in, is critical to how you approach the problem both in theory and in action because of its reach and because of its so-called strategic depth, its ability to go any place at light speed. But it's gonna be a coalition activity where we set norms. They may not be laws, but there'll be norms. We'll tell each other, something's coming your way. Or I'm going from here to there, everybody else is going in the same direction. We're all gonna pass left to left. Here's how we're going to move. Here's how we're going to treat the rules of the road in cyber. And when we deviate from them, what are the penalties depending on how bad the activity is? Yeah. Bill, I'll let you... I think it had a different dimension. I think the biggest challenge that we have in the cyber ring with China strays away, not so much on the military side, it's theft. It's the theft of intellectual property. The transfer of wealth that's going on, the stealing of technology is just enormous. This is an old problem in the sense that nations have been stealing each other's intellectual property for centuries. And if you go back to the beginning of industrial age, the British were complaining about the Germans and us stealing their manufacturing processes. And then they were right. The difference, I think, is there was a buffer before in how quickly you could make use of technology. There was a lag and basically the leading nation could generally just outpace its competitors in terms of how it introduced technology and you'd never catch up. Cyber, I think, may have changed that. 
The volume and the speed with which you can steal technology is, I think it's a paradigm shift. And I think that requires us as well to shift how we deal with that issue. So the usual kind of trade sanctions and diplomatic approaches probably are not enough because I think it is now a class A problem where it wasn't before. And so in my mind, that's the biggest challenge that we have dealing with China at this point. Okay, thank you. Let me open up here. We've got 15, 20 minutes where we can take some questions before we break up. So anybody want to get started right over here? Or John, we've got a microphone coming to you. Please use it because our friends in cyberspace want to hear you too. This is a cyber discussion. Colin Clark, AOL Defense. Let me try to drill down a little here because there's been a lot of big thoughts offered. We have very clear, well, moderately clear, laws of piracy on the sea. The right of a police officer who is threatened with deadly force is to respond proportionally to that force. Why can't we form some sort of civil cyber-conflict for police to engage in direct proportional retaliatory attacks on those who come after us? It'll be fun. Start with you, what does it work right down the line? One, I'm not sure you need a separate force. I don't disagree with you though that the FBI should be able to prosecute in the article three courts and hold people accountable for all of the things for which there are rules against, so to speak, and those rules can be augmented as we learn over time, but I don't disagree with you in that concept at all, and I don't know that anybody in the government really disagrees with that. The question becomes, as you keep up with the technology and the scale of the technology, how much decision time do you have? How quickly do you have to react? And are the certs, as an example in law enforcement, how should that relationship be manifested within inside DHS and the law justice system inside the United States? 
And then how should it be applied external to the United States? That's where the little bit of the debate is. If somebody is attacking us and we establish who it is, and we usually, as my understanding, can do a pretty good job of that, why can't we go straight back to the offending computer and do justice that way? It's kind of a stand your ground law? Well, no, but this is- Sorry, I'm teasing, I'm gonna give you a hard time. But in law enforcement and in war, this is the concept of hot pursuit. So in other words, the person who's offending is someplace where you're not supposed to go, but they're still shooting at you. And how far can you chase them? Under what conditions do you break it off, et cetera? Thus far, limited experience, we generally go the first hop back, the first server. And we don't shoot the server, we figure out who owns it, and we say stop it. If they don't stop it, FBI goes in, law legal venues or at the war level or at the combatant level, you either get out of the area, we talked about this a little bit earlier in the comments, and remove yourself and turn it over to diplomacy. Up until now, the regret factor for doing that has not been enough that you have to take immediate action other than to defend yourself by isolating your networks. The question is when does that, when that barrier is broken, which it likely will be broken and somebody does an attack for which the regret factor is too significant to wait, what are we going to do? Most of what we've seen to date doesn't require that kind of, most of what we've seen today doesn't qualify as an attack, it's really exploitation. It's either theft of commercial intellectual property or the theft of military secrets, espionage. We generally don't react that way to those kinds of things. 
I think what both Hoss and I are saying, and I think maybe what you're saying, Colin, is you can see not too far out in the future a world where you would truly call it an attack and you need a different set of tools to be able to deal with that and one of the tools that you would want, although you have to be careful about how you'd use it is, could you go out and just stop it at the server that it's coming from? And I think with the appropriate protections, that's a capability that you'd like to have for a certain class of things that you wanna protect. Generally, I would put those in the category of critical infrastructure. Couple quick points. Only dopes commit cyber crime in the US because the FBI will get you. So Darwin will drive cyber criminals to live in sanctuaries, right? But then you've got a problem and that's what you're not dealing with here is that you're saying we're going to take an action in another country's sovereign territory without asking their permission. That usually doesn't go over too well, okay? So you can't do what you wanna do without some agreement on cooperation and that leads us to problem two, which is back in the olden days in the Clinton administration when we did the commercialized the internet thing, we had two working groups. We had the commercial working group, that was Ira Magaziner. We had the security working group, that was John Deutch. The two of them rarely talked, right? We never talked and so we have a whole governance structure that grew out of that process that's incredibly feeble and you can just make up letters and put them together, WSIS, IGF, whatever you want, I can. We have a feeble governance structure that makes it really hard for us to agree on rules for cooperation and security and that's what we're probably gonna need to revisit. Right down here, question? And then I'll come right over here. Kevin Gunnerson from the House Homeland Security Committee. I had a question about Iran. 
To what extent do you see Iran having an intent or capability to conduct a cyber attack against the U.S. homeland? You mentioned critical infrastructure. In a conflict situation like a U.S. or Israeli military action against Iran or in a non-conflict situation such as the sanctions become so bad that they feel the need to lash out and don't wanna do it by mining the Strait of Hormuz or some type of kinetic military action? I think it'd probably be better to do it in the abstract rather than to a specific country but I take your example. The likelihood that the venue would not be the destruction, let's just pick the power grid, the destruction of the power grid. We couldn't destroy the power grid. It's, there's no blueprint for it. Nobody knows exactly what it looks like. It would be pure luck shooting at it. The weapon of choice here actually is the confidence of the people. If you can take out one area of electric power or one bank, the question that that puts in people's mind about the security of others is what you're really worried about. It's not the physical damage to it right now. I mean, I think that's the state of the art today. Maybe in the future people could take large areas of the grid or your financial structure down. It's pretty hard to do. I mean, it works in the movies but it's pretty hard to do in reality. So it's really, I think the biggest target of a cyber attack today is the confidence of the population. And that's where, if you can isolate it quickly and tell people you've got it under control and then demonstrate that by having, in the case of the electrical grid, the lights on other places, I think you're okay but then you start working your way back. That's why today the issue isn't one of, I gotta shoot back right now. I mean, that's my belief right now. Just to work the room to get enough questions in. If you guys have crucial things you wanna put in to comment on that. 
One thing to that, which is, I think that without staying with us without getting terribly specific, I think right now you can look out over the threat and say most of the, almost all of the sophisticated cyber capabilities are in the hands of major nation states. There's no reason to think that's going to continue to the indefinite future. So in my mind we have a window of opportunity where the threat hasn't developed along the lines it's probably going to develop and we need to get ahead of that cycle and act to put in better protections against critical infrastructure and other things that we care about before those capabilities migrate to rogue states and ultimately terrorist groups. The Iranians feel like they owe us one in cyberspace. They feel like we were responsible for Stuxnet. They're mistaken of course but they're gonna look to get the capabilities they're gonna calculate whether it's safe to do something in the US. When have they ever made the right calculation when it comes to launching some kind of attack? So far it's only been regional but that's because their capabilities have only been regional so stay tuned. Okay we've got a question right down here. We'll put your arm up so she can see you. Right down here at the front table. Thank you. Carlo Musso from Finmeccanica. Hold it close. Carlo Musso from Finmeccanica. The point, one question is who in your view could be the next major actor of this kind of cyber attack? During the Cold War there was the Soviet Union then we had the terrorist groups international terrorist groups but in the future, in the next future should be some state or other group or even private or some, who could be the most probable actor or some. Jim, start with you. Oh I, you know we hit a lot of them here. I mean the Iranians and North Koreans want the capabilities. We did a study last year that found 35 countries are trying to acquire military capabilities. The non-state actors are really interesting. 
I mean, so far terrorists haven't been that interested but there's politically active hacker groups and hard to get data on them but they're a good group to watch, good set of groups to watch. Let me just say God help us if a criminal gang ever got the code to Stuxnet. I mean that's a far bigger risk. To hold a company hostage at any time. I mean this is a non-trivial issue. The real point is the number of potential opponents is growing more rapidly than we're thinking about how to control them. But I think you're asking a question that's almost impossible to answer but heretofore, you know the rules of the game today a nation state has armies. They had those armies go against the armies of another nation state. Now when you're dealing in something that doesn't require the raising of armies, et cetera, is more of an intellectual capital enterprise, still takes scale in a lot of people. We've seen other countries use surrogates. We've seen them hand out capabilities to others. We've seen people steal weapons. So those tend to be activities that can last for maybe 20, 30 days and then it's too easy to figure out what they're doing and you can stop it. And that's the downside mostly of the non-nation state. They don't have the capital and the scale to continue an activity and hold it in place. That may change in the future. That may change when you look at these groups that are starting to band together that have really no structure. They're just aligned, find like minds and they come together independent of national entities, et cetera. That could change. John, I'm gonna give you the benediction here. Well, put your arm up so she can find you because we're coming to the hour here. I need to let people go. Well, thank you. The question I had is you talked about some of the activities that are underway and how we might feel either our legal authorities applied or how we might respond either organizationally or the substantive effect we wanna put on another country. 
The thing that I struggle with the most in cyber though is that kind of activities that have occurred so far, it's hard for me to categorize quickly. So as an example, in the physical world, if another country had attacked a large firm of the United States, such as say Google, and taken their intellectual property or in another case, there had been an intrusion, interruption in the Defense Department's operations or perhaps what I read about in the papers regarding exploitation of things like our largest weapon system, the JSF, we would know how to act. We would understand what that meant for us in the United States and then we would have either invent some declaratory policy or it would fit within some declaratory policy about how we might respond. In cyber, it's not clear to me also if these individual acts occur, when do you regard it as an attack? When do these things blur together? Are we sending some signals? Do we have to first get in touch with ourselves in the United States or in another country? What you regard as a serious activity, how do you communicate that in advance and plan for it? Because in cyber, the advantages are all to the offense, it seems to me, and in real time, deciding when does something equate to an attack? Is it a mild attack? Is it a major attack? What equals proportionality when you're not sure of the totality of what's occurring to you? So anyways, I know what the problem is in my own head. I don't know what the solution is, that's why I ask you. Each of you can respond then we will, as you want. Any final comments on this and reaction to John? Sure, let me take it just a little bit. I mean, I think the fundamental thing, what you said, John, is that we've got a system now where there's enormous advantages to the attacker. I mean, Hoss mentioned the lines of code, which I've used before, just to give you that a little bit more. Right now, the most sophisticated defensive system is probably about 10 million lines of code. 
Five years ago, it was a million lines of code. So it's moving up exponentially. Not the most sophisticated attack, but a malware that can be successful even against that 10 million line of code is 120, 200 lines of code, and that hasn't changed in a decade. So that gives you kind of a feel for the leverage the attacker has. I think one of the long-term things that we need to do, and Reggie, Hoss and I tried to jumpstart it in the Pentagon, is there's no reason that has to hold. Over five or 10 years, you can rebalance. I mean, this is a product of how the internet was developed in terms of the focus wasn't on security, it was originally a closed community. You can, I think, put means of much, much stronger security in the internet itself and rebalance that without giving up the openness and the ability to expand and develop. And I think that it's a role for government to leverage that kind of research much the way DOD did with high-performance computing. Like, there are reasons for national security for DOD to do that, but the benefits would redound on a much greater degree. So I think, in my mind, that's a significant investment that the nation ought to be making. I don't think I would go just a little different direction. I absolutely agree, and I think that's probably close to what you're asking, but there's another venue here. I mean, you look around at what's happening globally today, but in the United States in competition between industry corporations. And we are trying to manage and govern that with patent law and 20-year cycles in a Moore's law world that works at 18-month cycles. So the idea that Company X can come up with a new idea and that somebody won't immediately be doing it 18 to 20 months later is crazy, and yet we're trying to manage that. And you can see it in all the lawsuits that are going on. We can't make the two match. 
And so R&D and who pays for R&D, and how long do you get for what you invent, and all of those questions are now getting so tangled up in this rapidly turning. So it's not just purely a cyber issue. I mean, this is more at the basic governance of how do you get advantage? How do you protect advantage? What should you get for the advantage you invent? How long should you get it? Because it doesn't work anymore in an industrial construct. It's way out of whack. And so look at all the lawsuits between the IT companies for what they... And so we've got to figure out how to give the person who invents and creates competitive advantage a reasonable expectation of gain and then allow that to proliferate out. And we haven't figured out how to do that, not just in the United States, but globally. And so you have that tension in addition to the question you're asking. And the two are in conflict. We're in an IT world using basically industrial law and industrial constructs to try to manage it. And we're trying to adapt them. And in some cases it works. In other cases, it's just not working. Companies are going under because they're losing intellectual capital looking for a 20-year advantage and it's just not there anymore. Jim, your last word here. Chalking. John, I like the idea of getting in touch with my inner cyber warrior. I can say it doesn't feel like an attack. I actually was doing that on last Friday and I keep worrying the FBI will come. But what we have is we have the most complex machine ever built in history. It has billions of parts and they're all connected. And it's global. And it challenges us in ways that we're not accustomed to thinking about. How do you get all these countries to work together? And what we've done is try and map cyber to precedents from earlier eras, whether it's the UN, international cooperation. And the map is okay. I think you heard, you know, and these guys did a lot of work at the Pentagon. 
They actually did something good, which I rarely say about people, you know. High praise. Yeah, really. And we are discovering the limits of mapping precedent to the new field. And that means we're just gonna have to work through it. It's a research agenda. And the near term question is, how do we work through these issues in a way where we can still keep the US safe while we try and figure out what the heck we're doing? You know, we could go all afternoon. It's such a fascinating conversation. I wanna thank each of the three of you. It's been really an exciting afternoon to listen to you. We'll wanna follow up on this. So would you all please share your thanks to them? I really appreciate it. Thank you. Thank you all for coming. We appreciate having you here and we hope that you'll see us next year. Thanks.