Welcome everybody. Thank you very much for joining the second panel of the Brave New Cyberworld Conference here at Carnegie. The prior discussion is a good setup, I think, for our panel on active cyber defense. As much as the conversation tends naturally to orient itself towards state-level challenges, much of the strategic action, it seems to me, is happening in the private sector. There are big unanswered questions out there in this regard. What effect will years and years of massive intellectual property theft have on America's economy? What are the costs of the erosion of public faith in the government that results from extremely low rates of successful prosecution of hacking? The answers to those strategic questions depend, it seems to me, more and more on how active cyber defense is deployed and developed by private companies, and that is indeed the subject of our panel. We're fortunate to have with us today an esteemed group to lay out the problem, explain why it matters and, most important, suggest some ways forward. Stewart Baker, to my left, is of Steptoe and Johnson, very well known in this area and formerly of DHS and NSA. Shane Huntley joins us from Google's Threat Analysis Group, formerly with the Australian government, and George Perkovich, at the far end, from Carnegie, formerly a policy advisor to Joe Biden. So let's just dive right in. Why don't we level-set a little bit by establishing what the problem is here that active cyber defense is trying to solve. How big a problem is it? I've seen dollar estimates of hundreds of billions of dollars a year. What is the size of the problem? Who wants to take a first crack at it? Shane, maybe?
So the cyber problem is becoming one of the critical problems to our business. As more and more business goes online, as more and more of the economy is tied up here, the faith in the systems, the kind of damage that can be caused, we really see this as, you know, existential threats to the company and to companies in general, but also just the faith in our institutions. And in terms of companies, actually, it's a competitive advantage, or part of our economy going ahead of overseas: how does Europe see the security of their data if they're entrusting it to an Amazon or a Facebook or Google, and how do consumers feel about doing business going forward, and how much of our resources needs to be spent to actually defend this data and to defend their users? I think at the moment we've seen, like what we just talked about in the last panel, Sony, a CEO being fired, we've seen the Yahoo hack, and what's been going on in government. These really are issues that are getting to the top of organizations; they're getting to, you know, existential threats to the company. So it's pretty hard to put a dollar value on it, but it's the reason why we are taking it very seriously.

And all the trends are down. The attack surface keeps getting bigger, the consequences of successful attacks are worse. Now you can kill people if they have defibrillators that have been implanted. So all of the security trends, with maybe a couple of exceptions, are in the wrong direction, and we need to do something pretty dramatic to turn things around.

OK, so the answer in large part will get to the absence of government response. Well, no, let's do that right now. So isn't this a problem for government to solve, and why isn't it getting solved? We have the Computer Fraud and Abuse Act, but that's not getting the job done. You want to explain what the problem is?
Yeah, I think the short answer is the Computer Fraud and Abuse Act, which says you should stay inside your network and cower there, is sort of a 1980s solution. That's when the CFAA was first adopted, and it rests on the principle that the government can solve this problem, that if you leave it to the professionals, the professionals will find a way to deter criminal behavior. The architecture of it is: anything you do outside your network, on somebody else's network, is potentially a crime. It is presumptively a felony.

Got it. OK, and so that leaves companies with limited opportunities to defend themselves, because they basically have to wait for someone to come in, break in, do something, and then even then it's difficult for them to strike back. So why don't we tackle, then, the range of things that companies are doing with that constraint and how they're sort of pushing the boundaries. George?

I want to just pick up on and elaborate a little bit on this question, and Shane is probably in a better position to talk about the range of things that companies can do, but I think, first of all, we're talking about the U.S.
here, and the problem is global, so whatever we kind of get right or don't get right here, then you have to see how it relates to what others are doing. But I think what Stewart said is very important: government can solve this problem, but from the standpoint of companies and customers and the system at large it's even, in a sense, worse than that, because in a way the government can't defend everything. They have to prioritize, and they do reasonably, and so they're going to prioritize systemic government systems, infrastructure, military. So they're not going to do everything, and they clearly have their hands full with that. But then they also can't say, we'll tell you if we think you're going to be attacked, company. So not only can't they defend you, but they may not notify you if you are attacked. They can't promise that they will prosecute or go after the bad guys; the rates of successful prosecution are infinitesimal, as we talked about in the last panel. The government hasn't set standards for security and hygiene, so if you're a company and you're willing to spend money to have the highest standards but your competitors don't, they may get a cost advantage. And so the state hasn't kind of stepped in, at least the U.S.
hasn't stepped in and done that, and they won't indemnify you or kind of work on the insurance problem. So in that sense, and I've talked to French and other officials who say no, the state absolutely must have a monopoly here, which reflects cultural differences, and they say this is the function of statehood, it's kind of the legitimate monopoly on the use of force or its analogs. And I think the response to that is in part right, but that idea was based on a social contract where the state provided security, and so you let the state do that because it was better than anarchy and the state could do it. But what we've been describing in the last panel and here is when the social contract has kind of broken down, or never really fully extended to this new domain, and so the state doesn't do that, and so what is the individual or the entity left to do? I think that's the space we're in. And the last thing I would say is, if you can understand the problem that way and then start thinking of it, it also could be very, very dangerous to have lots of people out running into other people's networks, and so you've got to find some way to do it right, to compensate for the breakdown that we've experienced.

So let's talk a little bit about exactly how the companies are responding to that very crippling set of problems. On the one hand they're vulnerable; on the other hand there are extraordinary limits placed on what they can do. That erodes trust and, as Shane said at the beginning, presents existential threats for the companies. But there is in fact, as a result of that, a very robust set of measures that companies are taking, ranging from more aggressive measures inside their own networks but also offshoring of even more aggressive things that could be illegal here in the U.S.
Shane, can you describe a little bit of what's the spectrum of active cyber defense?

So this active cyber defense term has kind of been thrown around; it's appearing in a lot of marketing brochures at the moment, and it's used to cover everything, in some definitions, from running a simple honeypot inside your organization, or just having something to catch an attacker, something where you're basically trying to draw attackers away from the stuff you actually care about, all the way through to the far extreme of, you know, gloves off, the kind of commercial entities that have an active hacking campaign and are going at it with the adversary, trying to steal data. And the reality is that I'm not proposing that everybody be kind of given gloves off, everybody at it, because there's enough hacking in this world without unleashing the forces of hell of every well-meaning security researcher. But at the moment we're in the worst possible world with the CFAA. As you pointed out, it's incredibly broad, so almost any activity can be covered under it, even not obeying the terms of service that you haven't read on a website; you can be potentially breaching the CFAA, as we saw with Aaron Swartz.

Even more fun, you may have seen that Burger King has a commercial that begins "OK Google, what is a Whopper burger," which leads your phone to start reading the first sentence of the Wikipedia entry for the Whopper burger. And there was this hacking and counter-hacking campaign in which Burger King tried to make sure that its ad actually did turn on your phone, and then Google tried to make sure that it didn't. But the most interesting question was, did Burger King violate the Computer Fraud and Abuse Act by engaging in unauthorized access to all of our phones? And there's a very good argument that they did, which tells us something very bad about the Computer Fraud and Abuse Act.
I'll just jump in one second here to make sure that the other side of the argument is represented, to say that just as there is a danger, a real strategic long-term danger, of lack of faith from businesses and citizens in government if the government is no longer fulfilling its side of the bargain and providing security in exchange for its monopoly on force, there is equally the potential for lack of faith in society, in the social compact with our fellow citizens, if companies get to run around and do whatever they want to whomever they want in the absence of consensus on how we should behave. So establishing norms for how to do all of this is critically important, and I think we're going to get to that a little later in the conversation. So I think we've got basically the range; there's a lot of stuff in between honeypots and destroying hackers' computers, and we can get to some of that.

But that does get to sort of the possibility of some flexibility and some gray area where things can be, and I can give an example of a very specific gray area. If an attacker has a website which is delivering exploits and then is sort of storing the results in an open way, you don't even need to log into this website, they are not a particularly good attacker, they're leaving the data there in the open. If a security researcher then goes and visits that website to actually pull the log or pull the data or pull details of the exploit, this seems like pretty normal research; it's the open internet or whatever. But that nominally is a violation, or it could be, depending on what law you ask. We are in a situation now that a company, or a good actor that really wants to stick by the law, really wants to understand and do the right thing, is in a situation where all normal actions could potentially be a breach if some
prosecutor wanted to. I'm not a lawyer, but this is a fun little area, because, as I suppose we pointed out, even as we're at this advanced edge of technology, somehow it's bringing us back to some very early common law concepts like hot pursuit. Is that a valid justification for going and chasing and collecting the kind of... or there's some other ones. But anyway, it's sort of an odd quirk of this that we're going back to root basic common law ideas in search of some grounding on this.

Just where you were, and to add on to it: however we were to sort it out, and so we're talking about law now, we're talking about Congress, it becomes a little hard to imagine actually sorting this out in a coherent way. The rest of the world has an absolute stake in it, because you're talking about companies which are totally global companies, so it adds to the complication. So it's not just, can I chase the kid who breaks into my house and steals my TV down the street? People in India are watching and paying attention to this, and they have a certain view of U.S. culture and what the predilection is going to be. For example, I'm talking to an official: well, I've served in your country, I know what your gun control laws are, I know about all the mass murders with these automatic weapons and stuff, and that's what you're gonna unleash in the cyber world, and we're the ones that are going to get killed in the process. So however we do it, you have to think of it as actually a global response as well.

To build on your point, fascinating, and terribly complicated reaching consensus. Now, I will say we unfortunately have exported the Computer Fraud and Abuse Act to most of Europe and a large part of the developed world with the Budapest Convention. It is slightly more flexible, because it prohibits you from taking action "without right," and there's a lot of room in whether your action
is without right. I think you could say, if I'm chasing my stuff onto a public website, I'm doing it with right, because it's my stuff; but under the Computer Fraud and Abuse Act that would not be with authorization.

So in the absence of government solutions, there's, you know, amendments to the CFAA proposed every now and then. I've never gone to an event with someone who does cyber in government without them saying how important public-private cooperation is, but absent some leadership or movement on the government side, it's sort of surprising to me, in looking at it, that there hasn't been more private sector organization to try and solve the problem. I mean, other problems that business has faced and the government has failed to face have been resolved through collaborative action. What's the impediment to the private sector? Are they just lost, or is there a profit reason? That's clearly a question for Shane.

Yeah, I'll tell you, we have so many problems in cyber security at the moment as an industry. There's this critical shortage of talent; the government has even more of a shortage of talent, but even within industry, I mean, I do pretty well at Google in terms of who I can hire, but there's just not enough people to do the basic defenses. So I do want to put on the record that I don't think that the lack of active cyber defense is the biggest challenge. It probably doesn't even possibly make the top 10 challenges we face in securing our systems today. We have to get back to the basics of building secure systems, being able to defend our systems, being able to detect attackers, being able to recover from attack, and the active cyber defense part is a small part of this puzzle. So I think that's one of the public policy sides of the puzzle, but as you say, right, there's lots of private industry...

I challenge that, because I think continuing to build our defenses, better defenses,
doesn't feel like a strategic response to the problem we're in, as the attack surface continues to expand. We're just never going to be able to defend our doorbells the way we defend our servers, and we're not defending our servers that well. The one area where the technology is moving in a direction that is productive of peace in cyberspace is the ability to attribute attacks more effectively. We're getting much better at that, and we're getting better at it for the same reason that attackers are better: it's harder and harder to hide in cyberspace. It's harder and harder to keep people out of your systems, and we can get into their systems and figure out who they are, and then cause them to suffer consequences for their acts. That's how we police the world, so it shouldn't be a surprise that that might work in cyberspace. And if that's the approach, rather than just building our defenses, then we want as many people tracking the attackers as possible, and to say to our private sector, you can only track them based on what they do inside your network, is, I think, a strategic limitation that we'll regret.

But can I... yeah, no, I mean, I think it really matters how you do it, and we have to, something we're working on at this point, develop the principles of conduct for that action, because I'm thinking about, just over the last few months, and also the San Bernardino shooting, how the online world figures out who did the crime, and almost always it's wrong, shortly. But I mean, that's why we have entities that get legitimacy, whether it's the IAEA or the others, in the new prototype. So the question, to put a constructive twist on your points, is: attribution's growing, so one of the questions is how does the U.S.
and the international community develop kind of internationally legitimated ways to mobilize that attribution, including by private actors, to be able to do this so you don't get the wrong guy and create a really destabilizing...

That's obviously a very, very complicated thing, and given how the government has not led, are there ways that private industry can begin to lead on this?

So I challenge the idea that the government has not led. They haven't monopolized this, but the attribution of the Sony attack to North Korea was based on some pretty good intelligence collection which has never been fully disclosed, but there have been stories about GCHQ attributing certain Russian attacks because they turned on the cameras in the Russian operating center so that they could watch the Russians as they were coming and going and launching particular attacks. So those are things that I don't think the private sector is going to be doing soon. On the other hand, Mandiant: what we know about the Chinese attack infrastructure we know not because the government told us, because they were afraid to reveal their sources and methods, but because Mandiant caught them and ended up exposing their blogs and their girlfriends' pictures and a whole host of information about them that they were able to get acting more or less within the law. So there's room for both to operate here. I do think we ought to try to have it, because I think this is the hard question, and at the end of the day the question we probably all want to get to, which is: how do you control what the private sector does? Are you going to say, yeah, whatever, or are you going to try to regulate that in some fashion? And I think it's obvious that you have to regulate it in some fashion, and then the question becomes, what's your model? Do you want to use the private investigator model? Do you want to use the repo men model? Do you want to do
letters of marque, for people who are attracted to that? I think this can be regulated in a wide variety of ways that are familiar to people who follow private supplementation of law enforcement, and that's where I would start.

Also, are you suggesting that the government should impose penalties for not participating in those, or are they incentivizing insurance schemes, or how do you get this set up?

I would say the way to start, and this is something that the Justice Department in the last administration actually was surprisingly soft on (they're not going to propose it, but they were not prepared to oppose it either), which is you ought to be able to go to the Justice Department and say, you've got this big statute that could mean anything, and because you wrote it that way so you could prosecute bad people doing bad things with computers, and now we don't think we're bad people, what we want to do isn't bad, will you tell us you won't prosecute us if we do the things that we say? This is called a no-action letter. The SEC, which has an enormously big statute saying don't do bad things on stock exchanges, has exactly this. You go in and you say, I don't think this is bad, will you prosecute me if I do this, and they say, as long as you do exactly what you said, we won't prosecute you. Well, that gives certainty to people and allows them to experiment with things that are obvious and useful without just blowing the doors off.

Let me ask: a lot of the motivation in adopting some of these norms of behavior, some of it comes from government encouragement, some of it comes from financial motivation. What is the state of the insurance industry with regard to cybersecurity? Are companies able to buy insurance to protect their assets? Is that a functioning market?

I'd say not yet. I think there's this amazing interest in it; we've spoken with these insurance companies, tried to educate them in some cases,
but at the moment nobody's really tested, as far as I know, this sort of liability, what the liability would be in these cases, and if so what is an appropriate premium and who's willing to underwrite it, right? And then there's also the other risks. An insurance company might be able to protect against these financial risks, but especially for the larger companies it's not actually being sued for a couple of million dollars which is the real risk here; it's the reputation risk and the other risks that insurance doesn't really cover.

In the work that we're doing, my colleagues Eli Levite and Wyatt Hoffman (Eli's in Israel, Wyatt's in the UK), we're putting out a paper in the next month or so; it's a couple of years of work on this. We're working a lot with some innovators in the insurance industry, and as Shane said, although they're making progress and they're motivated, so lots of insurers are writing policies on kind of protecting companies against cyber loss, it's, as Jay made a kind of a joke about, yes, with very little data, or data that they're not that comfortable about. So when you talk to some of them, they say, you know, that company's just throwing darts at a wall, they're guessing and writing policies. But the good news from the insurance company is the holder of the policy doesn't have any idea whether they're actually going to get paid either, because how you characterize the threat and the actor that did the theft within a policy will be an open issue. So from the standpoint of insurers and the people we're working with, they have multiple interests in this issue. On the one hand, if companies are engaging in stronger self-defense in addition to all of the other modes of defense, will that reduce exposure to loss because they're actually harder to target? And so there's a real interest in insurers to do that. The related
issue is, in the act of defending itself, will it create new exposure to risk if they're taking the gloves off and go, right? And so the insurance companies are looking at it. There can be a real positive side to this, and we want to figure out how to understand what kinds of defense would be the least likely to cause risk that would be a problem for insurance, and so they've been working with us in developing kind of the principles of conduct that we're talking about. And one of the analogies is to what happened with shipping off the coast of Somalia when all the piracy was going on. We sent task forces of navies out there and they couldn't stop it; it was too big an area and too complicated. And finally what happened, after a lot of resistance, was companies began putting private contractors, in many cases with guns, on ships, and that caused a lot of countries to be very nervous and apprehensive about it. But then the insurance industry got into it and said, actually, we're noticing that the hijackings are going down, our losses are going down, but we've got other exposure if we kill the wrong people. So the insurance company started driving kind of self-regulation by the industry and norms of behavior for these private contractors and so on.

So are there natural international bodies or international commerce groups where one would look for guidance on setting norms of behavior in ACD? You know, we should do attribution but we shouldn't do flaming other people's servers. What are the potential business consortiums that could start a discussion about solutions?

This is easier than that. I wouldn't search for an international solution. I think at the start the U.S.
government, if they're gonna let people do this, if they're gonna give them leeway under the Computer Fraud and Abuse Act, ought to say, and if you harm someone, you pay for it. You're just strictly liable, because we want to discourage, especially at the outset, people doing crazy cowboy things, and knowing that they're going to pay for any damage they do is going to make them very cautious, which is exactly how we want this kind of thing to begin. You don't need a lot of rules on that; you just say, you pay.

Is that right, though? I mean, in the process of hunting someone down, can't you cause damage?

You can, and then you pay for it. I mean, we're not going to turn off... everyone wants to say, oh, you're going to end up turning off computers in the intensive care unit in some hospital, but it's highly unlikely that you're going to turn off any computers in an effort to find out who's attacking you or what's happened to your data. You're going to be tracking, you're going to be reading logs, you're going to be pulling data that has already been encrypted. Those are things that are highly unlikely to cause damage, and you want people to only...

Let me ask the person on stage who knows exactly what's being done what he thinks about it. Shane, how much do you think that this can be solved simply by one or two clarifying edicts from government, and are you worried about what companies are already doing?

Yeah, I'm a little worried about the cowboys out there at the moment. As someone who, you know, we run so much of the infrastructure now, infrastructure that can be implicated falsely in attacks or whatever, suddenly having every security researcher believing they can break into Gmail or into our servers is something which is of great concern to us, and we see security researchers already stepping outside the bounds in terms of trying to meet their goals.

Can I just, hold on, hold on, can I ask,
you're worried about people coming in, and your business is based on trust to some degree. Are you doing anything that would cause you to be concerned in the other direction, when you need to chase someone down? Are you doing some of that?

To a certain degree, as I said, with the CFAA, almost any action we do, and I run Google's threat intelligence team, almost any action, it is very hard to read exactly what the situation is, and it involves many, many meetings with lawyers all the time, and even with very good lawyers, very unclear answers. So I think some clarification could go a long way.

Just to Stewart's point about collaboration, and that it should be easy, just to take as an example attribution: are you actively working with governments in the U.S. and around the world in helping them to do this?

Where appropriate, yes, and we do refer things to the FBI, especially with regards to crime and other cases. And I think that's actually a point: we could go very gung-ho, but we do actually have governments that do have mandates, and we have mandates that are actually working, right? We actually have Title 41, so the FBI is involved in botnet takedowns, and there actually are mechanisms that are working. In recent weeks, partnerships with organizations such as CrowdStrike or Shadowserver, where a combination between government and legal authorities and private industry with the technical know-how are able to redirect these botnets of many, many compromised machines, to cause them to be redirected and shut down.

I did see the new senior director for homeland security say publicly that Google could, I'm not sure he named Google, but it clearly was talking about you, could if it wanted to just shut down botnets. Is that accurate?

It's a very big simplification. A powerful man, I would not...

And called on you to do it, I think he did.

Yeah, well, I think we are involved in many things
and, to say, look, private industry has led the way, right? Like nobody really called out Chinese government hacking until 2010 when Google stepped up and did the first attribution really, which everybody in the know knew, everybody in government knew that there was Chinese government hacking, but Google stepped up and did it. We did it again in 2011 when we pointed out that people's Gmail accounts were being broken into from Jinan, China. Mandiant stepped up. It's been very late with the recent naming of the Russian GRU, very late in many ways. The problem at the moment isn't the fact that this attribution doesn't exist, so we don't have the powers to learn the attribution, both in government; it's that there's not the bravery to actually step forward and make the attribution. The government institutions especially, they have all these attributions, they know what is going on, and they're not sharing this data, even behind closed doors with people like me, or openly, about what's going on. And that's something we need to get beyond. We need to get beyond this classified world where the fact that China does hacking is considered top secret or whatever; it's a joke. So we need to work into a way that actually allows collaboration.

Could I just ask: the kinds of cowboy activity you see, are these people who are subject to the CFAA and are ignoring it, or are these people whose business model is, I'm not subject to the CFAA so I can get away with it?

That's a good question. I think it's a range. I think the security companies have worked out that the chances of them being prosecuted doing legitimate security research is close to minimal, and so the risk for them is actually pretty well, even if they produce reports that, if you read the security report, it's pretty obvious that they broke into the server to get this data.
You can read the security report they're writing on the actor, and they know they're not going to be prosecuted for that. And then you've also got everything down to the individual security researchers, or just gung-ho employees, like that new security hire I have who just turned 22, a graduate or whatever. Are we expecting them all to be experts in exactly where the line is?

All of which gets to the original point, which is none of this is building faith in the sustainability of the compact between the government and the governed, that we have a viable trade going on over their monopoly of power and our willingness to give it to them. But let's open it up for questions from the room. Just to remind you, you're familiar because you were here before: there are microphones, wait, identify yourself. Yes, right here in the check shirt.

Hi, good morning. My name is Chris Jaikaran, and I'm with the Congressional Research Service. We spent a lot of time talking about the Computer Fraud and Abuse Act. To change it a little bit to another law: during the 114th Congress, the Congress passed the Cybersecurity Act of 2015, which authorized some defensive measures. I was wondering what your take is on the application of any form of active defense through the authorization of that law. Are you risk-averse to it? Has it just not been tried? Do people even know about it? So particularly for Mr. Baker, but also to the rest of the panelists as well.

So by and large the Cybersecurity Act doesn't open up much room. There's a little bit of room for ISPs to do a little bit of active defense with respect to things crossing their network, and beyond that the law is very clear in saying we're not authorizing action outside of your network. And I guess I should devote one minute to the really pernicious role that privacy groups have played in this debate, because they have finally found someone they trust less than government, which is you, and so
they have taken it on themselves to say this is all vigilantism it cannot stand they are principal defenders of the computer fraud and abuse act which they are happy to criticize in almost every other context i and i don't quite understand why they took that position but they lobbied very heavily to make sure that the cyber security act did nothing to authorize and arguably to a little bit restrain this kind of action outside of your network i'll just speak up in defense of the privacy organizations who aren't here and say that that that there is i think a legitimate ongoing concern that somebody speak in favor of personal privacy not just from government but given the kind of shocking information that we've seen come out of the fdc about the extent of surveillance of individuals by corporations you know they the fdc estimated that every family in america has a file on it with some amount of data that is used in advertising and so on so privacy concerns also with regard to corporations are not entirely frivolous um uh yes here uh the glass is in there uh so collin anderson i see that there's almost uh two different separate conversations that are going on one is stewart your argument is is to a certain extent punitive that these letters of mark exist for the purpose of retaliation that might deter further aggression whereas shane's argument is is in certain respect responsive it's defensive in the interest of tracking remediation i think that we've seen especially towards the the former argument that doxing chinese and iranian actors is not really created a deterrence and sustained campaigns i'm interested specifically shane your thoughts as a sort of a practitioner within a private sector that you know supposed to beneficiary i can anticipate these sort of offensive actions can lead to short term ends such as aggressive takedowns or disruptions of botnets do you think in the long term that punitive actions disclosure of identities for example can meaningfully 
impact operations conducted against google or is it really just sort of uh continued rap remediation mechanisms that you're arguing for rather than being able to for example say that you can disrupt these actors entirely i think that's an excellent question in the fact that we do need to get beyond it's like the biggest question i have as you know a threat intelligence person is so what if you know exactly who's doing the attacker what do you do with that information and i think that is one of the points where you know this sort of community and both government and and you know the private sector needs to think about is like what mechanisms do we actually have to change behavior and people have been experimenting with this right like going back to naming china with regards to the google hack that was an experiment and it actually changed you know certain cyber norms so did the mantient report but we have to like draw these lines about what we actually expect as an outcome what pressure we're willing to place like and we have this debate about what are we willing to actually take against Russia with regards to the election interference what actions will we willing to take against china or cyber criminals stealing our intellectual property if there's no consequence to the actions then we can't expect to be any behavior changes with regards to naming and shaming like there's you know there's different thoughts on this that you know should we be you know calling out the individual you know chinese private which is actually undertaking intelligence operations and you know arresting them exposing them and along those lines i've always thought that we do have to be very careful with this because like we have you know young you know american privates also which are operating for our national intelligence services and other places part of our personnel retention policy and you know someone worked in government too right do i want to do we want all of our anyone who ends up 
working for the nsa or the fbi is no longer able to leave the country because they're going to be arrested on site when they step outside the united states so we need to draw this boundary between you know when do we start going after individuals when do we start going after the organizations and when do we start going off the real people you know sponsoring this sponsoring this activity and again there has to be some consequence whether it's diplomatic whether it's financial otherwise if there's me you know no cost and all benefit then the activity is just going to continue and if i could just clarify it is true i believe that in the long run punitive action is what human society is based on how we enforce our our norms we have a reward center in our our brain that leads people men in particular to harm themselves in pursuit of enforcement of a social norm we actually get a reward out of that kind of altruistic punitive behavior that didn't happen by accident it's because it's good for the species in some way so we do have to do that but i am not arguing that that is something that we should be asking companies to do that's what the role of government is and the idea that it is not effective i think runs a counter to what we've seen with respect to PLA behavior since the US government indicted in a very embarrassing disclosure of those PLA members was profoundly embarrassing and it seems to have changed all right just to offer a brief alternative to that dark view of humanity i would i would say that i would say that what has produced results in the chinese case is establishment of norms agreement that it's a collective benefit that there are shared interests and so in support of george's ideas proposed earlier there may be some less you know nasty british and short alternatives to process just real briefly and picking up on what the chain was i mean there's a process issue because this is again where one of the things we're trying to contribute is you know how do 
you have the opportunity for different companies, given their antitrust issues and so on, and different players in government to have this kind of conversation, to figure out what is reasonable, what would be stabilizing behavior, and to have it in a way where you're not held accountable for what you're about to say, but also to do it internationally, which is even more difficult, in order to then build confidence, especially when the companies that are going to be the most capable to really defend, and to defend the cloud, for example, have global brands. They're everywhere, so they really don't want to be exposed to a backlash that comes from, you know, the Indian government and media, or Brazil, and so on. So you really have a process problem in addressing this issue.

Perfect. Yes, right there.

I'm Mike Nelson at Cloudflare; I do public policy for them here and globally. I was very glad to hear the very broad discussion of all the aspects of cyber security; this wasn't just about hacking to get that data, it's all about integrity of data, it's about DDoS attacks. But I'm a little concerned that we've really been focused on attacks on corporations, which is normally where we focus, along with attacks on governments. But more and more we're seeing individuals attacking each other. Just a few hours ago Vice published a report based on documents they'd gotten from hackers who had gotten information on 130,000 different customers of FlexiSPY and Retina-X, which are tools you can use to hack your spouse's cell phone, and people on this list were clearly buying these tools to go after business partners, romantic partners; it's all individuals on individuals. Where do we draw the line? If companies can hack back, can I hack back if my partner hacks us?

A question, sorry. I mean, this leads to a wild, wild west.

No one is suggesting that you ought to be able to hack anybody you think has done you wrong in the country, in a Western sense of it. This is a question of what you can do in defending your network against attack. And, you know, I hesitate to say this because it will only increase my reputation in this room, to quote the NRA, but, whichever way you're going to cross, they say, you know, when seconds count, the police are only minutes away. This is a real problem in this area, where the only people who are patrolling for wrong action on the network are your private people, and you want it that way. And so the only people who can respond immediately to an intrusion, who can engage in hot pursuit, are the people on your network who work for you, and you want it that way, but they can't. And so the model of policing that we have from the physical world, where you get a 911 call or a squad car is patrolling the neighborhood and can respond promptly, does not work in cyberspace. But that's a far cry from saying, yeah, what the hell, just hack everybody. You know, if I had one rule that I would offer for this, it is that under no circumstances should anybody be allowed to engage in hacking to protect their intellectual property, trademark, copyrighted products, because we have seen what Hollywood and the recording industry have done with that kind of encouragement, and it wasn't pretty, and it cost them their industry, and, you know, couldn't have happened to a nicer bunch of people. And the same is true for hacking people that you think are acting badly against you; no one is arguing for that.

That's right here, blue tie.

Thank you for the great presentation. Simon Lemage, former State Department. I had a question about a third part of the leg, which is the public and the consumer, and I was interested, perhaps coming from Google and others, in how you see the relationship and any interest in educating and informing a public that is somewhat overwhelmed but very high-tech and can potentially be involved in making a situation worse. For example, Facebook sent an update a couple days ago with better rules of the road for policing your own behavior. I
have to admit that, like a lot of other people, I spent two seconds on it, said I'd come back to it, never did. Have you seen initiatives to better partner with a perhaps less than literate public that can also present a seam or a gap as you think about longer-term solutions?

I think everyone wants to have a more educated and informed user base in this space. Like, it's like a long-running sort of catchphrase that, you know, the user is the biggest challenge in security, and, you know, we have lots of efforts: we have security checkups, we have, you know, policies, we participate in, you know, cyber security awareness weeks, and we just try and get that information out there to allow people to make these, like, basic hygiene protections. And as was pointed out in the last panel, that's actually where we're going to have a lot of our protections: like, if our users were actually, you know, using security keys, two-step verification, strong passwords, updating their computers, then huge amounts of these attacks would be going away, and the same at the corporation level. And I suppose we really just need to work on the messaging and adjusting the messaging, and, like, one of the messaging things that we've been doing is actually pointing out to the users that are specifically the target of state-sponsored threats, to actually let them know that they're actually the target of, you know, government-backed attackers, and providing them some more specific advice. And I think that's one of the things we're experimenting with, to try and make things real to them and provide something that's much more targeted than, you know, generic advice for giving to all users, because all users are not created equal in regards to the threats they actually face. But on the other side, though, I think the security industry can't just put all the blame on these kinds of users. One, we have to defend all our systems; we need to get better on countering abuse, countering spam, countering, like, you know, fake login systems. You know, it would be a total cop-out if we started to say that all security problems are because our users aren't smart enough. It's like, we have the expertise, there is a lot more we can do, and we can't just expect people to solve the problem themselves.

Yeah, it's like saying we would solve the problem of venereal disease if people would just listen to our abstinence message. You know, yes, it's a great idea, but it's not a solution.

That's right here. Oh no, wait, in the way back, sorry, there we go. Oh, anybody there? Well, okay.

Hi, my name is Hidong Yang from Radio Free Asia. I would like to hear your opinion about... there was actually a report by former foreign secretary of the UK Mr. Robert Rifkind that North Korea's missile test was sabotaged by U.S. intelligence. What do you think about that idea, and do you think it's plausible?

So I'll just jump in on that one. The previous panel might have been a better one for that, since this is focused on private sector and active cyber defense. I think that David Sanger, who is on that panel, addressed it, and some of the other former and current government officials said it was plausible, though not necessarily...

I'll jump in on this, but just because it relates somewhat to what we're talking about. In that instance, what North Korea has been doing is in violation of existing U.N. Security Council resolutions, so it's not like hacking your spouse's phone or any of the other things we're talking about. It's a very special circumstance where there already is in fact an international kind of obligation on North Korea not to do the thing that was being acted against. Whether or not it was hacked, I have no idea, but there are fairly well established norms, international legal norms, for that.

So, yes, sweater vest, or no vest.

Hi, Rich Bell, I'm with the State Department's Foreign Service. So you mentioned earlier a lack of consequences, there's no incentive to change behaviors. With that in mind, I guess, with the recent disclosures of government hacking, governments' inventory of zero-day exploits, and the need for public-private partnerships to be effective in these areas, I mean, how do you see this affecting the industry and those public-private partnerships, given the claim that they were sharing information but clearly also keeping stockpiles?

So the question is, how do we manage the government's use of zero-day exploits, and do you feel a lack of faith in the government because they have zero-days that can take Google down?

Well, one was approved... I'm not, I wouldn't say that necessarily they have zero-days that can take Google down. I would not. I'm doing my best, by rotation. You know, I think obviously we want more defense; like, we're on the defense side of this problem, but we recognize, or I recognize, that, you know, US spy agencies are going to spy, they're going to have these capabilities. But that actually puts us in a position where, you know, our incentives are not aligned with the US government at all times, especially as a global company, especially as a company trying to build trust. We have, you know, especially, you know, post-Snowden, post all these leaks, you know, the US government brand is, you know, massively toxic in this space, and, you know, as somebody who's, like, fighting, you know, government threat actors, many of our users believe that the US government is probably the biggest government threat actor they need to worry about. So all these things are in the background when any sort of proposals come forward with regards to, like, public-private partnerships. In terms of, also, there's also, like, a, you know, power asymmetry between, you know, the government and the private sector, in terms of the government has these, like, methods to, like, impel kind of data disclosure, which also leads to a lack of trust. So I think all these factors add up that working with government is very difficult, and none of these things help. And specifically on the Vulnerability Equities Process: yes, of course, I think it is, you know, worrying, the amount of exploits that are out there that are being kept, and that there is this equities process but we're not seeing a lot of disclosure, and the fact that we're seeing that obviously the, you know, US government is unable to keep control of the exploits it has over long periods of time and they're being leaked. And how long were they out there? Like the Shadow Brokers leak, which is the recent leak of exploits, obviously was leaked a long time ago, but, you know, it seems they're happy to let it be out in the wild.

Getting back to the original point about how corrosive all of this can be strategically in the long term when you lose faith in the government. So thank you very much to the panel, and thank you all, and welcome Jared to the stage.

Thank you very much to this panel and the last one. You guys hang out or sit down, doesn't matter. But my name is Jared Cohen, I'm the CEO of Jigsaw at Alphabet Inc., and thanks to Bill and Carnegie and all of you for being so patient to join us today for what I think is a really important discussion, and one that I hope we'll have many more of.
You know, as we sort of wrap up, I thought I would just say a few things, or make a few points, about where all of this is going. And I think before you do that it's kind of interesting to ask a very obvious but important question, which is: why are we talking about this now, as opposed to, you know, at this level three years ago? And I think it's pretty clear that if you look at the last decade and a half, it's really been a story about the advent of technology, right? That is sort of an access revolution, which has brought us to this moment where you have about four and a half billion people around the world connected to the internet. You know, of those, about 2.6 billion smartphones are in circulation, but by 2020 you're going to have north of seven billion smartphones and essentially connectivity in every corner of the globe. It's already happening in really surprising places. I was in the tribal areas of Pakistan in December and I had better 4G access than I do in East Hampton, so, you know, kind of go figure. But we're basically closing the book on this chapter of history, right, where we were talking about, you know, what happens when technology and access arise. So you asked the question, what will the next decade look like? And I think it's why we're sort of at this moment where we're trying to make sense of all this, which is: the next decade is going to really be defined by the ubiquity of technology and all of the implications that come with that. So, you know, Bill and I have written about this and, you know, have had ongoing conversations about it for a long time, but just a few observations about some of the things that happen in a world where technology is ubiquitous.

I mean, first, power dynamics shift in all sorts of interesting directions, right? So one of the things touched on today is that, you know, there does seem to be this consensus there's no such thing as cyberspace, right? In a world where technology is ubiquitous you have one international system and it has a physical front and it has a digital front. So the powerful countries are the ones that can project their economic, political and military influence in a way that's sort of sufficiently hybrid to reflect the new realities of the world. And you have certain countries like the US and China, you know, that are incumbents that just get even more powerful, right? You have some friendly countries like Israel and Singapore that gain disproportionately. You know, you have countries like Estonia that are able to punch way above their physical weight. You have very adversarial countries like Iran and North Korea which, in a world where technology was not ubiquitous, you know, were declining in influence every single day, and now they've managed to resurrect a significant portion of that influence because of the asymmetric things they're willing to do in the cyber domain. And of course Russia, being the obvious example, is a country that's, you know, been able to take analog motivations and use new tools to resurrect a lot of Cold War tactics that people are quite familiar with.

But it's hard to talk about the ubiquity of technology without talking about data, and ultimately, you know, data is going to be a huge determinant of which countries are up and which countries are down. And it's not just the volume of data; it's the ability for a country to make use of that data, it's the ability of that country to protect the data that they have. And to me data is basically the digital equivalent of oil, right? It's the largest man-made resource the world will ever know. You know, it has a lot of parallels, right? It fuels economies, it, you know, shapes geopolitics and influences societies for better and for worse, and if you look at its, you know, collection, refinement and distribution, it involves many of the most expensive and complex man-made systems that the world has ever known. But of course there's two huge distinctions, you know, that I think will make countries pursue access to data with an even more voracious appetite. The first is you have no geographic barriers of entry, right? 196 countries on earth can mass-produce this, and every single individual in this room or any country is their own kind of metaphorical digital oil well. Second, you don't have the same economic barriers of entry, which kind of speaks for itself. So in a world where you have a bunch of countries pursuing data with a voracious appetite, you also have some of the same negative trends that follow as well. So if we look at the story of oil and natural resources, there's countries like Norway that got it right and there's a very long list of countries that got it terribly wrong, and we'll see some of this normative asymmetry in terms of what countries do with their data, how they're willing to make use of it, and, you know, also how they're willing to weaponize it.

And I think one of the most sort of, you know, complicated trends that we're gonna see, you know, in a world where technology is ubiquitous is, you know, we're just living in an era where every war is going to begin as a cyber war, and more often than not they're not going to spill over into the physical domain. And when I talk about sort of all wars, you know, beginning as cyber wars, you're really talking about wars unfolding silently, invisibly and relatively inexpensively. And you have to be careful: people talk a lot about taxonomy, we throw these very broad terms around, and these broad terms have very serious implications. And if you think about the asymmetry of which countries have an indigenous or an organic capability to conduct, you know, widespread nefarious cyber activity, there's no reason to believe that the less capable countries, terrorist organizations or criminal enterprises won't just procure it on the black market, or procure it or trade it, you know, in sort of the equivalent of a cyber arms deal for natural resources from some of the more powerful countries. But I think that we need to study what it means to sort of go to war or engage in combat in the cyber domain, because what's unique in this moment is the marriage between the traditional, more kinetic attacks, you know, which are the hacks on the systems and infrastructure, with some of the disinformation campaigns, which is really more about hacking the conversation. And there's sort of three categories of these. You know, the first is what happens when cyber bullying becomes better organized, better funded and state-sponsored. You know, we call this patriotic trolling, right? It's the sort of, you know, it's the equivalent of going after the influencers on the battlefield and removing them from the battlefield, right? This is, you know, Erdogan's government, you know, trolling, you know, female journalists with dozens of rape threats every single minute, and so forth. You also have, you know, fake news, which is a story that I think gets, you know, often hyperbolized, and everything sort of gets lumped into it, but, you know, to me fake news is, you know, the digital equivalent of, you know, sort of information operations that, you know, we've known for some time. I think what doesn't get talked enough about is how autocratic regimes use fake news to digitally wag the dog, right? And that's something that we see, you know, quite commonly. But the most important one that doesn't get talked about enough is really these, you know, attempts at networked propaganda campaigns, which are really the digital equivalent of insurgencies. And this is really a sort of manufacturing of digital identities and digital soldiers that look quite real, and their deployment as sort of key influencers in conversations, where they blend in and look and feel like the rest of us, and the goal is to influence the conversation online so it changes things offline. So, you know, those are some of the trends that I think we have to be cognizant of as the world sort of enters this ubiquitous technological moment.

And then I'll just leave you with, you know, a couple of questions to ponder, which is always a nice way to wrap up. You know, the first is, we talked throughout the day a lot about deterrence and, you know, proportional response and so forth, and I think there really has to be a doctrinal recalibration that isn't sort of a perfect carryover of how we thought about deterrence and proportional response in the physical domain to the digital side of things. But I think we really need to talk about what will incentivize a change in behavior, and in particular, when we're talking about, you know, proportional response, we have to accept a reality where the retaliatory moment, oftentimes because of attribution difficulties, will come many years after the attack happened, at which point the context has changed, the relationships have changed, sometimes even the governments have changed. The second question we have to sort of ponder as we leave here is, how should government organize to meet some of these challenges? And this covers everything from, you know, how you recruit top talent to how you make sure that you're not orphaning everything cyber, right? You know, to me there's a real question about, you know, how we integrate cyber into every single thing that we do, so that we're tackling these challenges in ways that reflect their hybrid attributes. And then the last question to ponder is, you know, what does this mean for all of you as individuals in this room? You know, as I sort of listen to this panel, you know, it makes no sense to me that we're not more cyber security conscious as individuals, right? If I was to stand here and take a sort of, you know, a plastic bag of white powder and just sort of throw it on all of you, and you asked me what it was and I said, I don't know, but Bill gave it to me outside and said there was a five percent chance that it was a contagious virus, you know, all of you would sort of take turns, you know, punching me in the face, and then you'd all go to the doctor to figure out if I infected you with some kind of virus. And you think about the inconvenience associated with taking care of your physical health, and the fact that we all sort of, you know, we blow up our schedules, we, you know, spend time finding the doctor, we get stuck waiting in the waiting room for the doctor, all these different things. And yet it's so convenient and easy, and it should be seamless, to take care of our digital health, and yet none of us do it. I mean, even at companies it's just annoying to, you know, wait for your sort of software to upgrade and so forth. So there has to be a paradigm shift where we start to think about our health as an aggregate of our physical and our digital well-being, and I think that actually is something that has to be an investment at the youngest ages of the people living in our society. So with that, just, you know, I'd really again like to thank you, Bill, and Carnegie, and our panels, and all of you for being so patient. You know, let this be the first of many conversations like this. So thank you.