Wow, these are cushy. Excellent. Thanks, Laura. As Laura mentioned, my name is Rob Morgus. I'm a policy analyst with the Cyber Security Initiative at New America. I'm joined today by an excellent group of folks. We're going to talk about a few things, Russia, China, amongst them, but then also some allied strategies. And what all of that really means for the US as they potentially look to devise a new international strategy for cyberspace. Directly next to me here is Graham Webster. He is the author of the US-China Weekly Newsletter. If you're even remotely interested in US-China issues, you should be on that newsletter, so catch them after the show and make sure that you jump on that. He's a senior fellow for US-China Relations at Yale Law School, where he focuses on all aspects of the US-China relationship, not just cyber, but they do a lot of Track II stuff with China as well. Next to him is Jackie Kerr. She's a post-doc research fellow at the Center for Global Security Research at Lawrence Livermore Laboratory in California. And next to her is Elaine Korzak, who is a cybersecurity fellow at the Middlebury Institute of International Studies at Monterey, formerly known as the Monterey Institute. We're going to start with Jackie. So we've seen Russian actors become more and more assertive via cyberspace in the last couple of decades. How has that practice evolved and how does it comport with strategic doctrine and what you've been seeing coming out of Russia lately?

Sure, thanks, Rob. So Russia over the last decade and a half has dramatically changed their approach to cyberspace both domestically and internationally. We've witnessed something of a learning curve and evolution of strategy. And since the second half of the 2000s, you've especially seen a lot of very dramatic changes both internationally and domestically.
On the domestic side, Russia in the 2000s stood out as a regime that, despite cracking down on independent media and freedom of expression, seemed to be allowing the internet to flourish and develop without as much censorship as in countries like China, for example. But that has started to change, especially since the 2011-2012 protest movement. But even before that, in the late 2000s, you saw increased aggressive behavior against neighboring countries in cyberspace by Russia. The hacking attacks and DDoS attacks against Estonia, Lithuania, Georgia, Kyrgyzstan, Kazakhstan, and most recently a number of different cyber attacks towards Ukraine and the DNC hack with which we're also familiar. Things to note about these activities are that they vary in type. You don't just see what are thought of as conventional hacking attacks or cyber attacks that are focused on data or networks or computers on physical damage. You also see attacks which are focused more on control and manipulation of information and public discourse. And you see these mixed and matched in a variety of ways. And so you have everything from DDoS attacks on particular groups at particular moments to block access to important information, both domestically and internationally, to spread of viral media, propaganda videos, and things like propagandistic media internationally targeted at particular audiences. This fits with several lines of Russian strategic thought both about domestic policy and political stability and about international security and military doctrine.
So on the one hand, you've had since 2000 Russia's information security doctrine, which has continued to evolve and the most recent version of which was published this past fall, this past December, which has always been seen as a counterpoint to the American and allies position on cybersecurity internationally because it is defined as part of security, concern and security risk, things which are on the content layer of the internet, including media and it flows of information and in the most recent iteration of the doctrine much more explicitly than previously. And this doctrine is in line with the recent crackdown and redefinition of legal categories to legitimize the blocking of certain categories of information online, the development of a block list and various takedown orders and mechanisms domestically. But it also is in line with the attitude towards internet sovereignty and domestic control over the internet that Russia has espoused abroad. And at the same time, the recent turn to aggression in cyberspace internationally has built on traditions in Russian military doctrine going back to the Cold War era, attitudes towards reflexive control and maskirovka that depend on psychological manipulation and deception. But it's taken to a new level and the 2013 Gerasimov doctrine, an article that was written by the chief of the general staff of the Russian Armed Forces, Valery Gerasimov, develops this and has then been built upon in recent years by other theoreticians.
It conceives of cybersecurity in a way where it is part of a broader military doctrine where, in order to respond towards fears and concerns of Western encirclement and potential destabilization of the domestic political regime that was exemplified by the Arab Spring and colored revolutions in neighboring states, the idea is to use new means of achieving political and strategic goals that mix non-military and military measures and exploit the vulnerabilities of opponents, sometimes opponents which in terms of traditional military forces are more powerful, finding their societal vulnerabilities, not just their military vulnerabilities, using the information spaces and using cognitive psychological forms of influence. This includes both media and information and it also includes cyber attacks, all at the same time sometimes as kinetic attacks, and it relies, as I said, on deception and manipulation of opinion as well as actual use of force, and one of the goals being to actually minimize the use of force necessary in order to achieve strategic ends by changing the attitudes and political situation in opponent countries. So we've seen several trends happening at once both domestically and internationally in Russia's posture towards cybersecurity and the internet, and it's important to realize to what extent they're intertwined with each other even though we sometimes think of these as separate spheres of activity.

Thanks, Jackie, that's great and provides a lot of insight into the way that the Russian state in particular is sort of thinking about the evolving nature of information security, cyber security and sort of the mesh of the two. Graham, you're a China guy and we just heard from Jackie about how Russia is thinking about things. We know that China just released a new strategy. What are some of the things that stick out to you in that, both sort of internationally and domestically?

Yeah, well thanks.
Looking at China's cyberspace strategy, both in cyber security and other areas, I think it's important to start with a focus on what are the interests that the Chinese government is after here. It's classic, you'll hear it in any domain, but there's a concern for domestic stability. There's a concern for national defense and there's a concern for development and the economy, which feeds into both of these. I think the first day of this month the Chinese government released a new international strategy for cooperation in cyberspace. I wanna note a couple of interesting things there. It's a long document and very rich, but in the military strategic area there's this interesting tension. Without naming any particular state, the document seems to call out the United States by saying that the tendency of militarization and deterrence build up in cyberspace is not conducive to international security and strategic mutual trust. We've all seen a focus on deterrence and trying to find workable models of deterrence in the United States. Here you have the Chinese report hoping that we wouldn't do that. But at the same time, while saying that militarization and deterrence are not a good idea, the document announces that there will be an expedited development of a cyber force, quote, "to prevent major cyber crisis, safeguard cyberspace security and maintain national security and social stability." So there's a desire to both de-securitize and also build up forces. That's part of a long transition. Various cyberspace capabilities have existed in the Chinese military for a long time. At the very end of 2015 there was a reorganization in the PLA that integrated some capabilities under the strategic support force, but we don't really know exactly how that's gonna turn out.
I wanna emphasize, and some of this is common with Russia, but there's an element of the conversation that is where cyber security is really a domestic focus, and here is gonna be some of the bigger challenges for the United States and other countries internationally in coming years. And this is the focus on secure and controllable internet infrastructure, IT products that would be purchased by different parts of the government and the party apparatus. And we've had a progression of different laws and regulations, the 2015 national security law, the 2015 counter-terrorism law and the 2016 cyber security law, all passed after drafts were out there, comment periods were had, some disagreements and lobbying on the part of the international community was there. But out of that progression there's something that's a live ball right now, which is that the cyber security law and the national security law both give the Chinese government the responsibility to review certain IT products for security and controllability when it comes to purchases by key entities. And the rules to review these things and setting up the organization that'll do the reviews came out for review, for public comment, I mean, earlier this year. The comment period has ended and we haven't seen the next draft yet, but these are going to cause serious challenges for international firms who want to sell their products. This is a major concern for US industry and for IT companies around the world. And you might hear from Chinese sources that these reviews are really targeted on a very narrow set of clients, it would really only be the most, the highest security consciousness elements of the government. But this isn't quite so clear because the definitions always have an et cetera: this type of core thing, that type of core thing and other security priorities. These are just some of the things that are out there, integrated pursuit of the interests across the domestic and international, and I think there's going to be a role
for US government and industry and engaging and pushing back on some of these things and adapting to others.

It's great, Graham, thanks. Elaine, let's pivot quickly to talk about the ally, some allies, and what they're doing. I'm thinking specifically UK and Germany, how they're organizing both to meet these threats and then also to sort of build up their cyber defenses more generally. Quickly, if we can go through that at a high level. And I'm curious to hear from all of you, starting with Elaine, what all of this sort of means for the way that the US sort of forges forward internationally and their engagements with both allies and with potential adversaries.

Sure, Rob. So just a quick note first on the UK and the German strategies. So we've seen that most of them, most of the European countries, are going into their second or third iteration of their national strategy. So in the case of the United Kingdom, for example, they had a strategy out 2009, 2011, and now in the late half of 2016 they have the third iteration. Very similar in Germany: 2011 they had their first strategy out and now November 2016 they announced the next iteration of that. Unfortunately that's not out in English yet, so it's the German language document that I've been working with. And there it's interesting to see the evolution of the thinking. So the strategies before were more broad, a little bit more vague, but now we see it's sort of, it's a very more concrete and discrete set of catalogs or set of issues that these national cybersecurity strategies target. So with that, to dive into the issues: in contrast to what my colleagues on Russia and China said, there are a lot of issues that are very similar to the debates in the US. So the main questions or topics that are covered in the cybersecurity strategies are about the securing of government networks, it's about securing critical infrastructure, it's about economic espionage. So it's a lot about, there's a big emphasis on the driver of ICTs for economic development and for
countries to keep their economic competitiveness overall but also in the IT security sector. So for example, according to some statistics, Germany has the fourth largest IT security sector, so they're very keen on preserving that competitive edge and evolving that. There are also the sort of good old quandaries of government-industry cooperation and information sharing that also play very prominently in allied strategies. We also see cybercrime as a major issue that needs to be addressed, and also workforce development, how to build the skill set and the number of employees that these economies and countries will need in the future. Now, that having said that, so there's a lot of similarities, but there's also a couple of quirky things or new things that have come out in the latest two iterations. And that is, on the one hand, there is more openness about talking about offensive capabilities. So this goes back to the militarization issue that has been mentioned by both my colleagues, that countries such as Germany, which may be surprising to most, are much more comfortable and just putting it out there in their strategy. But it comes with a caveat: both countries, the UK and Germany, very much emphasize that their use will be in conformity with national and international norms. So this goes back to, for those of you who've been in the conversation with Marina Kaljurand and Sean Kanuck about the international norms debate, so they're very adamant, they specifically and explicitly put this in their national strategies, that they find international law to be applicable. Now two more quick things. One is encryption is mentioned in both, and I'd be happy to talk more about this later. There is a very interesting German approach for encryption, security through encryption and security despite encryption. Now the UK, same way, has mentioned cryptographic capabilities, a sovereign cryptographic capabilities, in their national strategy. So it's gonna be interesting for the US to see when that back door debate
or the going dark debate is no longer just in the US, held predominantly in the US, but other countries are actually pushing forward with their own national solutions on this, how this will affect the debate in the US. And the last point is that there is a more general liking towards regulation. So I was surprised the British strategy from 2016 was quite blunt in saying, in 2011 we very much trusted in market forces and some light government incentives to get this thing going, and now five years later we look at it and it just plainly didn't work, so be prepared, if required, there's gonna be regulation. I mean, same thing in Germany, there's much more awareness or awareness for regulation, the possibilities just to enact regulation. So there's gonna be also a thing that's gonna impact US policymaking in this area, that European countries are much less allergic to the word regulation and to the activity of regulation, which might put some US companies in a tight spot.

Great. Jackie and Graham, I think we'll go Jackie and then Graham. What do you make of the US's approach, and Elaine, feel free to chime in from the German and the UK perspective, what do you make of the approaches when it comes to dealing with your country of expertise? So in, Jackie, the case of Russia, how has US strategy and how has US diplomatic relationships and diplomatic efforts gone vis-a-vis Russia, and are we on the right track, are there things that we should change? Same to you, Graham.

Badly. Well, so one thing that's important to note is that there's been this long-standing debate or contest on the international stage over what the discussion should be about norms and legal frameworks, and Russia along with China has supported the position of framework of information security and internet sovereignty, and the US and allies have pushed back against this. And conceptually the idea of information security has stood at odds with the US approach and that of our allies, which has focused more on critical infrastructure
protection, protection against vulnerabilities, protection from economic espionage and attacks on networks and data and computers, but not so much on the content of the internet or information manipulation in ways that could affect media or public sphere development. And the DNC hack, and there are other incidents too, but that's the particularly noticeable one, it would appear the public reaction and the government reaction to it was driven particularly by the political ramifications of the spread of information online and through the media, not by the actual hack itself. And so in some ways this would seem to justify the point of countries that have supported an idea of information security, and that it's seen as aggressive if a country does something that spreads information we don't want spread on in the content of our media and internet. And of course the correct reaction to that could vary. Is the correct reaction to concede defeat in the conceptual battle between whether we should be talking about norms of information security versus cyber security, or is the correct reaction to that one of going back to the basics and thinking about other possible alternatives for how to think about that? Things that have come out of that discussion and that set of issues include the discussion of fake news and of online viral propaganda and terrorist recruiting and various other forms of online extremism. And it's very important to be careful how we talk about these things, realizing that these topics of discussion, the notion of online extremism as a concept, has been used as a justification for censorship in a number of countries including both Russia and China. And how do we discuss this in a way which is nuanced and takes into account both sides of this issue? And one thing that seems really important for that is to take into account the positions of various stakeholders, and while we have many multi-stakeholder forums and events that occur domestically and internationally, there is a risk
of tech companies as platforms taking a go-it-yourself approach of developing technological solutions to things like fake news without consulting or involving other actors and representatives of civil society and the media that should be involved in that kind of discussion about those categories.

So quickly I'm just gonna jump in just so we get Graham and Elaine a chance to talk. Do we meet them halfway? Do we have to restructure the way that we approach these adversaries? What's the best way to approach China at this point, Graham?

Well, I'd say there was some limited success in the Obama administration. There was a lot of effort put into addressing the very real concerns that many companies and policymakers had in this country about state-sponsored cyber espionage and stealing of commercial secrets. So much effort was put into that that, and this resulted in a parallel statement by both presidents, renouncing this stuff, something that went on and was endorsed more widely. But that meant that the cybersecurity and cyberspace policy agenda between the two governments, at least at the highest level, was fairly limited. So I would sort of suggest that what needs to be done is to continue on to engagement on further issues. I think there's a tendency of some people to believe that discussing cyber norms, international cyber norms between the US and China, with the US and Russia is not productive. Well, it may be very tough, but I think it's important to continue and keep that open. And the last thing I'll say is that there are challenges that in the US-China context will face both countries and where these two countries have unusual leverage in addressing them. And those include new cybersecurity challenges worldwide based on issues like Internet of Things security.
As new technologies come online that are being developed and manufactured heavily in the United States and China, there's reason that at the industry level, there could be cooperation on addressing these challenges. And then both countries face non-state actor cybersecurity threats. It's not one versus the other. There are a lot of other things to worry about collectively.

So we're gonna go to questions from the audience here just in just a second. So if you could stick your hand up and get the mic runners poised and ready to field those questions. But before we do that, I wanna go to Elaine. You're an international lawyer. You've been involved in the international norms processes. Do you feel like they're working? Do you feel like it's the right track? Do we need to restructure the way that we're thinking about it? Or do we, same question basically, do we continue to stay the course?

The million dollar question. I would echo what Graham said that fundamentally I think the UN has a value in just providing a venue for discussion. And that discussion must be had somewhere. Although I understand that a lot of people and a lot of actors and stakeholders are frustrated with the very slow movement in that debate. But I'm always reminded of just generally the UN only gets so far as the member states want it to go. So in the end of the day, if it's the irreconcilable differences and interests and opinions of the member states, and of course the discussion is not gonna have a major breakthrough anytime soon. But I think there's still, to echo Graham, there's still value in continuing that. At least having the channels open for debate. But I think ultimately we're sort of stuck in the here now and the next two years, three years, maybe you know what's happening after the GGE. But I think the more interesting question is far more long term. Because right now it's still a very isolated, it's a very elite, if I may use the word, discussion.
It's only very few countries that it can afford to talk about cybersecurity in the first place, but then talk about norms in cybersecurity and how international law applies. And if we think about the World Bank report that's half the world's population, so four billion plus are still to come online, then 20 years, 30 years down the road, that's where international law and the norms are gonna be shaped. So then for me it's rather to be more proactive down the road to try to shape the discussion that's gonna come after and to try to shape the opinions and the viewpoints and interests of all those countries in the middle that right now don't have a voice in that very small UN process to sort of swing them to our way to view things. And if you buy into-

The swing states one might say.

Pardon?

The swing states one might say.

Yes, the swing states one might say.

So I'm gonna do something a little different. I'm gonna take two or three questions all at once here. Should we have them out there? So let's go to Ted over there. And then I think I saw a hand in the back middle as well. Or not.

Ted Johnson here, a fellow at New America. So my question is the future of cyberspace. I'm curious if you think it's going to become more of a Westphalian model where it's carved up and the nations sort of have established borders in cyberspace or if it'll be more like the open ocean where it's sort of a global commons, anyone with a boat can sail as long as you sort of adhere to an understood set of norms that the international community agrees to.

Okay, so let's take the two right here then as well and then we'll answer all of them together.

So I'm interested in part whether or not there is an appropriate conversation to be had about who are we and who are they. I hear a lot of policy makers who are basically saying we're under attack by them. And because we're under attack by them, we have to respond.
But like 90% of critical infrastructure is owned by the private sector, which governs a very interesting outcome. And who are we? And I wonder whether or not different countries have ways of thinking about that and how that governs the American response in return.

Yeah, on that note, what kind of international pressure do you see to share cybersecurity vulnerabilities? Like, you know, commercial software, intelligence agent, you know, recent documents indicate the CIA has been keeping some of the secrets. I assume other nations do the same. What kind of pressure has there been to, that you've seen to share more of those vulnerabilities?

Okay, so we'll answer those three. Are we gonna see fragmentation? Are we gonna see a Westphalian system? Are we already seeing that? Who is the we versus they? Critical infrastructure, providers in particular. And has there been any movement on vulnerability sharing and coordinating that? Let's start with Graham, because I know you have thoughts especially on the first one.

Okay, yeah, thanks. You know, my view is that in a sense, we're already in a hybrid situation. The sovereignty that states enjoy by virtue of international law and norms does exist when it comes to the network infrastructure and the way people interact with networks domestically. And I think the disagreement really comes not with whether sovereignty exists. It's whether it's how it gets exercised and the sort of the general US view, although there's quite a lot of diversity among different interests in this country, would be that cyberspace should be kept as a more borderless, more commons based thing. And both China and Russia have national priorities to exercise sovereignty more extremely. I think that the debate is not whether there's sovereignty, it's about how to use it. I don't know anything about vulnerability sharing in the Chinese context. It's possible that this is a discussion and I just don't know it, but I will confess to not knowing.
And on we and they, I agree with the point that I feel I try to be very careful to say the Chinese government, not China and the United States, not we. But I don't have a real great insight on that other than that I think Chinese internet companies sometimes have a different interest from their regulators and they'll tell you about it in private.

Jackie.

Right, so on the Westphalian versus global commons I think to some extent we're already in more of a Westphalian internet than we were 10 years or 15 years ago. And it's not, but it's not perfect. It's not equally Westphalian everywhere you go. So some states have created more Westphalian style control over the internet within their territory than others. Russia and China being examples of this versus to some extent the US and Europe are more towards the global commons model into the spectrum. But then it's also important to distinguish between layers of the internet involved. And a lot of the sovereignty exertion we've seen up until this point has been especially on the content layer of the internet. But increasingly those things get tied together with some of the protocol layers and technical layers and there's a real risk of that leading to more fragmentation in coming years. Especially with things like the going dark debate, which we've seen play out in other countries already to a certain extent. Russia and China both have recent laws that put more constrictions on the use of encryption, in Russia's case require the sharing of keys. And so as we see more involvement of the technical layer of the internet in these efforts to control the political use and media use of the internet domestically, this could have more of a fragmenting effect.
I think probably the most important thing in the context of the multi-stakeholder aspects of internet governance is to do the best we can to, and I'll come back to the use of we in a second, to continue to build resilience to the technical layers of the internet globally so that it can withstand those efforts to exert sovereignty over the content. And that will be a challenge. In terms of the we and they, I completely agree with your point. I think probably it's very difficult to be in the space and not occasionally lapse into usage of it in a way which you yourself be critical of, and it's very important to be cognizant of who you're talking about. I've myself made it a habit of bouncing back and forth between locations that in Silicon Valley and closer to Washington and also have talked to people in the private sector in places like Russia, and you see often quite a bit of tension between the private sector and the government, and it's important to understand that they're not always coming from the same page and that there are many different stakeholders involved besides national governments. And in terms of the vulnerabilities, I know more about that domestically in the US than I do in Russia. It's an interesting question and I think there's certainly something going on on that side but it's not something that the information about which is readily available in the Russian case.

Yeah. Elaine.

So to the first question, Westphalian, ocean, I'd agree with Graham and Jackie that sovereignty in the Westphalian system is already to a certain extent here and we live in it now, but I would also say that's nothing new.
I think it's playing out in cyberspace, but it's the same debate that we have in the good old physical world with different, with countries exercising sovereignty to different degrees, and there's international debates around humanitarian intervention, where does sovereignty start and where does it end, or the good old debate about human rights and cultural diversity and local differences. So that's something I think that we have lived with for decades and that pops up in all other kinds of contexts, so now we see it popping up in the cybersecurity context. But one aspect I wanted to point out is we talk about governments asserting sovereignty and trying to assert sovereignty in cyberspace, but I think a key player in this is also companies, the big multinational companies and platform providers. So we see this in Germany, for example, where the government is trying to exert sovereignty and through their free speech sort of limits, online harassment, libel, all those things, and they're having a hard time because the main providers such as Facebook are playing in a different playing field, so to speak. So we have this state perspective that we always pivot back to when we talk about sovereignty and the Westphalian system, but one of the complicating factors, perhaps sometimes even more important for certain countries, are private companies in this context.
Third question on cybersecurity vulnerabilities: an interesting aspect in the GGE 2015 report that I was very curious about, there was this sentence on the governments across the world should responsibly disclose vulnerabilities. Now that didn't get any attention whatsoever, and I was always curious how that got in there because that seemed like a very quirky thing to agree on. So, long answer to short-winded: no, I don't have much insight into it, but there's been, it's been picked up internationally. Signal intent. Yeah, there's been intent signal, yeah. So I'm curious where that's gonna go or if it's not gonna go anywhere. And then to the, as to who are we, I agree with everything that's been said before, that there's a lot of nuance out there, but for the sake of things or making arguments we usually just tend to put things in binaries and black or white or not. But even in the like-minded camp, if you want to take that, the West, I mean there's a question of what is the West and who is the West, but even if you look at the national strategies there's actually, there's, there are a lot of nuances and differences that matter.

Well, I think we're out of time, and I know I learned a lot, I hope you all did as well. Join me in thanking these three.