 My name is Nate Smith, I'm a Master of Public Policy candidate here at the Ford School. As a student with an interest in multilateral security issues and privileged to serve as a moderator for today's debate on the effectiveness of multilateral agreements regarding cyber security. Before policy union debates are intended to bring an informed discussion of international policy issues of importance and interest to the students of the Ford Policy School, the University of Michigan community and the wider policy world, as a part of the Ford School's mission to educate policymakers of the future. The International Policy Center plans to host one more event in the remainder of this academic year and continue this series in subsequent years as to reach the educational experience of students bringing leading voices on key policy issues to the Ford School and contribute to a wider, more informed discussion. Our debate today will be conducted in a fashion similar to a competitive forensic debate but with the difference that there will be participation by the audience. I'd like to welcome and introduce our participants. Dr. John Steinburner, Director of the Center for International Security Studies of Maryland at the University of Maryland School of Public Policy. His work is focused on issues of international security and related problems of international policy. And Dr. Steven Bucci, Director of the Allison Center for Foreign Policy Studies at the Heritage Foundation. Former Army Special Forces Officer and Pentagon official Dr. Bucci's work is focused on cyber security, special operations and defense support to civil authorities. This debate will be over the following resolution. This House resolves that the U.S. should begin multilateral negotiations regarding cyber security to establish international standards and guidelines on the use of cyber means in conflict for resolving and for resolving international disputes regarding cyber security issues to prevent escalation of the use. Professor Steinburner will argue in favor of the resolution while Dr. Bucci will argue that only after the U.S. establishes how to address U.S. cyber security issues from the standpoint of purely American interests should we pursue a multilateral agreement. The audience can submit questions for our Q&A period. As you came into the auditorium, you received cards on which you may submit your questions for this event. We'll start collecting these cards after the opening statements conclude and we'll collect them until 6.30. A panel of professors and students will then collate and prioritize these questions. You're welcome to submit as many questions as time allows. Following the questions, our speakers will make their closing statements. After that, we'll evaluate the results of the debate taking a second vote of the audience. And this is again using the iClickers that you received when you walked in as to whether or not the resolution has passed. So once again, welcome to our debaters and welcome to our ongoing series of debates. And before we churn it over to our debaters, I'm going to take a quick poll. On the screen you'll see the resolution and I'm going to display the results here. So click on A for affirmative, B for negative, and C for undecided. Looks like we have a pretty even split. Ten more seconds or so. Looks like we have our results. So after the event, we're going to take another poll in the same manner and we're going to look at how many minds have been changed. Now before we hand it over to the debaters, I'd like to welcome Dr. Bob Axelrod who's going to give a few opening remarks on cyber security issues. Thanks. So I just wanted to give a little background and context. You may have seen yesterday's story in the New York Times that the United States has established that the cyber espionage that has been going on for several years at a large scale has been traced to a unit of the Chinese Army and therefore the attribution seems pretty clear. And the question that the article raised was, is the Obama administration ready to call the Chinese out on this and insist that they scale it back or else and then what would be the or else? So the cyber security issues are with us daily but the espionage issue is one that has been on the forefront of the news media but there's others that can come. Now espionage has traditionally been dealt with by everybody denying they do it and everybody doing it and then everybody when they find somebody committing espionage they typically will deport as Prasada Nagrada and the officials of the other government and then arrest and prosecute anybody else and then the government whose officials were declared Prasada Nagrada typically takes exactly the same number of officials on the other side and expels them. This tit for tat has been going on all throughout the Cold War and the numbers are always precise but with cyber it's not so easy because there's nobody in particular to expel or to arrest or to prosecute and nevertheless the espionage goes on and for the Chinese side it's clear at least that they are after three different kinds of things one is industrial secrets for example they went after Coca-Cola you may wonder why well it's when they were negotiating to purchase an agreement with Chinese soft drink companies so there were billions at stake in that they've also gone after military secrets of course and they've gone after sources that would help them identify dissidents well the reason they, apparently the reason they they've gone after Google and New York Times and Wall Street journals are to find out in the newspaper case when they published stories about Chinese dissidents who was it that provided those names and what were they they wanted to get inside the reporters things but of course cyber issues could become very much larger than espionage they could become part of a major conflict either independently with cyber activities being in the fore or combined with what the Pentagon likes to call kinetic attacks kinetic attacks are things that go boom so those are physical attacks and of course cyber activity could be part of those as well and in the past we've seen them used by the Russians for example in two cases one against Estonia where they were denial of service attacks and it's still ambiguous as to whether the Russian government was directly supportive of that or whether it was sort of cyber patriots within Russia who were mad at Estonia but it was also done against Georgia when the Soviets, I mean when the Russians attacked Georgia there was also attacks on their government and industrial system that caused some damage the Iranians have also used cyber techniques for example to hijack an American drone and have it land in Iran where they could display it and of course the United States and Israel apparently have used what's called Stuxnet to interfere with the Iranian nuclear program and it was a crossing of the thresholds in terms of actually sabotaging an industrial system whereas other things have been strictly within the cyber domain a major question is can we prevent cyber conflict from getting out of hand by anticipating what some of the problems are and acting in advance to head those off by some kind of mutual understanding or agreements and that's exactly what the debate resolution gets to how can we go about in a cooperative manner reducing the risk of major cyber conflict and if so what has to be done to make that even possible to start down that road and with that I'll turn it over to our debaters and maybe moderate that Do you want me to go I noticed that Stephen has more minds to change than I do so I feel the pressure but my answer to the question is yes definitely we should begin negotiations but I want to specify with whom and for what purpose and set a little bit of a context the internet is clearly one of the most remarkable phenomenon that we've ever seen it began in the early 1970s with four people who imagined a network of 100,000 mainframe computers worldwide and did not fathom what was going to happen they didn't understand the power of PCs and the consequence of what was going to occur and as a result we have basically what's become a spontaneous public utility that's ingrained itself into virtually all aspects of life and so we are in very very serious ways dependent upon the proper functioning of the internet and anything that threaten is a serious question I do not think that we can negotiate protective rules about just everything but I do think that we need very urgently to begin discussions about those things that we have reasonable aspiration to be able to protect so what I would exclude from is sort of long sense out of bounds if you will the entire business of espionage which it's been a bonanza for intelligence agencies and marketing organizations and busy bodies of all sorts and it's the protection against espionage is up to the users basically and there's not much we can do about that that said though, however, I think that we do have good reason to worry about destructive actions against social assets that really could potentially harm our society and all others in very major ways and my candidates for this are power grids financial service clearinghouses navigation services healthcare services, emergency reaction services that sort of thing social functions that everybody more or less believes should be taken off the board for legitimate targets of hostile attack and so you can base at least instinctive principle that we should not be fighting about these things we should be protecting these things and I think personally I think power grids are the most challenging and important topic they are in principle subject to intrusion and destructive actions but it's technically conceivable to have massive disruption of the power grid so my argument is that we should begin immediately to talk to the critical players in this regard Chinese and the Russians in particular about fundamentally prohibiting attacks on critical infrastructure targets power grids in particular to set the principle and then discuss how we proceed to implement that principle by mutually supportive actions the main purpose of this is to prevent these major countries ourselves including for preparing attacks on power grids which we are currently doing and suspecting each other of doing we don't want that to happen it shouldn't happen but if it's not going to happen we're going to have to work out mutually protective arrangements and establish the principle much more thoroughly than it's currently established and I will sort of stop early with that point Thank you Dr. Sanbrother Hello Dr. Rucci give his open words Good evening it's great to be here and as mentioned I'm trying to convince you that I'm not opposed as in no we shouldn't ever do negotiations on the international scale regarding cyber but that not yet and the reason I say that is this right now in the United States we have huge differences of opinion between men and women of good will from all over the political spectrum not broken down along partisan lines that disagree about issues of security versus privacy is security and privacy really are they really the opposite ends of the spectrum of these issues should we use regulatory frameworks to try and increase cyber security or should we use market measures to do that who should be the lead in this area should it be the public sector or should it be the private sector or should it be some combination of the two and again this is not a republican versus democrat kind of deal if you look at the bills that have been tried to gotten through and have failed every one of them has had bipartisan support by the people who wrote the bills and every one of them has had very strong bipartisan opposition against them because there are actually some honest disagreements with this before we go into an international forum to try and negotiate with other countries who have in some cases very different visions of the internet than we do we need to figure out where the heck we think we should be I realize there might be some value with starting those discussions to help us come to those conclusions of where we should be and I think we should have a conversation but I think it should be a national conversation first then followed by the international conversation because if you go into a negotiation not knowing what is important to you not knowing what is critical not knowing what's negotiable and what isn't you're not necessarily going to come out with an outcome that is helpful or positive for the nation I just want to point out that there has been growing internationally a particular divergence between the United States the western democracies that stand with us and other democracies of the world and the vision that we have of the internet which is generally looked at as freedom free speech access to all the information that's out there this is countries like Russia and China and Iran and some other more repressive regimes in the world who look at that and say that's wrong we've got to control this stuff the people should only have access to certain types of information we should be able to close off our part of the internet from the rest of the world and they use it as a method of population control you must remember that technology like this is amoral you can use it for very very positive things or you can use it for very very negative things depending on the motivation of the people who are executing those policies I realize that some people particularly when they get into the privacy versus security debate many people are more concerned about protecting their information from our government than they are from anyone else and I understand that you know I don't want big brother looking over my shoulder either even though I make a point of trying not to do anything that might interest them but I got to tell you if you don't have some degree of security there's going to be a lot of people looking over your shoulder and a lot of them are not going to be from this country so we do need to come you know this is America we're never going to work out all the details but we got at least getting a ballpark before we step out into the international forum and start trying to negotiate with the other folks out there who I can tell you when they come into the negotiations we'll have very very firm very specific agendas that they're trying to push forward so again I'm not in no like I would never do this ever in the world but we need to go a little slow and I would rather see us not achieve an international agreement if in achieving that agreement it's going to circumscribe the freedoms and the benefits of the internet not just for our citizens but for many other citizens in the world thanks Dr. Steinbrenner if you'd like to respond to Dr. Bucci's opening comments yeah I'm not proposing that we negotiate about everything we try to regulate comprehensively all internet activities I say that we should focus on those things where we have very good reason to believe we have very very strong mutual interest even if it is not well articulated or realized I think we do know already we don't have to have a big debate that we have a huge interest in preventing deliberately destructive attacks on power grids for example and that I would be happy if negotiations focused exclusively on that or I would add other things to this category critical infrastructure financial clearing house transactions in particular to which the international economy is extremely vulnerable so the proposal is that we don't try comprehensive regulation of everything the internet does but we try to block off extremely dangerous destructive actions that are technically feasible and for which there is no single technical solution we need secondly I would say that we do know we have an interest in that we do know that any meaningful action would have to be global in scope so you've got to negotiate in order to do that and I don't think we could wait a long time before the US political system gets internal agreement on anything really but there is pretty good understanding I think I would argue that that particular piece of it we do not want to have destructive attacks on critical infrastructure targets we have reasonable agreement on that and we can begin negotiation and let me point out the way in which we form internal consensus is in part by discussing with potential partners or adversaries what it is that we mutually ought to do so that's a way of driving our internal consensus until you have global protection and we don't have protection so unless we can bring the Chinese and the Russians particularly on board with this principle don't attack critical infrastructure targets anything we do is going to be ineffective thank you Dr. Steinberg can I sit here is that a mess up cameraman okay yes we should participate in international discussions I'm making a somewhat narrow distinction here between talking to allies even talking to adversaries which is fine goes on all the time and a formalized negotiating process that's out in the international arena the reason I think we should participate in sort of more informal discussions of that nature is frankly we do need to keep track of what others are trying to do to be able to see what these this other block of nations that kind of has a different vision for the internet than we do and to protect our own reputation if you don't come to the table sometimes you get kind of beat up by everybody else and the United States does have to guard against that one of my main concerns with this is while in my heart of hearts I agree with John about the importance of trying to keep these very destructive acts from becoming the norm the problem I have with it is it's awfully darned hard to tell a difference between espionage probing and someone rummaging around inside your network just to steal your intellectual property or your data you use exactly the same procedures to get in to do everything that you would use if you were going to go in there and do destruction so it's very very difficult I agree we need to exempt espionage because you're never going to control that it's too ubiquitous it's against the law anyway and everybody still does it but the problem is while they're in there doing that espionage how the heck are you going to tell a difference between that and when they leave something behind at the time they get in there they decide to metaphorically pull the trigger and do something destructive just getting the United States, China and Russia to say okay we won't do that unfortunately in this world is not enough they are the biggest players they do have the most capability of any country out there but I got to tell you China can't control North Korea from doing nuclear tests Russia doesn't seem to be inclined to try and keep Iran from supporting international terrorism and the United States doesn't seem to be able to stop Israel when Israel thinks it's in their interest to do something and you know these are three countries that are very closely related to those three big ones and there's a whole bunch of other folks out there that also have cyber capabilities so a laudable goal but I just don't think it's achievable and that's why I'm in no particular hurry to get out there and negotiate I do want to say one thing real quickly if you have not read John's paper I don't agree with every single thing and it's really really well written and very comprehensive on this issue so I would recommend it he's probably too modest to say that it's really good thank you Dr. Steinbrenner, I wonder if you could respond to this this notion of informal versus formal talks and discerning between internet freedom versus what you describe power grid security things like that what I'd like to do is try to get some sense of the texture of your different approaches to this issue with respect to those two dimensions formal, informal, allies, not allies what I would like to see happen is formal negotiations about a specific prohibition on destructive attacks on critical infrastructure targets and so the agenda would be restricted to that I would concede however as Stephen is implying it may be very difficult to pull that off because the partners in particular are not going to want to talk about the internet without also talking about political intrusion in their system and we're not likely to agree on that we're certainly not agree on that nor are they going to want to talk about cybersecurity without other security topics coming onto the agenda so I would concede that it is not a trivial matter to get negotiations focused as narrowly as I've suggested and it may or may not be possible all I'm saying is it's worth trying because in fact I would say in reality there is a mutual interest that we can play upon here the three countries that are primarily involved in this US, Russia and China are preparing destructive attacks on critical infrastructure targets we have to assume that that's going on they haven't done it Harvard and all of them I think have some qualms about the wisdom of doing that that seems to me to create a situation where we have to talk right away before they have done it and try to establish the principle thou shalt not do what you could do we are not going to be able to eliminate the possibility the capacity is going to be there we're not going to be able to negotiate that away what we have to try to do is set a rule of behavior that says this is out of bounds you don't do it even though you can and you provide mutual reassurance that you're not attempting to do it and you collaborate to sort of enhance the protection of our respective systems in this regard I will concede however that that's you can question whether it's practical to set up negotiations as specifically focused at that without dragging in other issues about which we are not destined to agree anytime soon and maybe it's not all I'm saying let's try Dr. Bucci would you agree that he's narrowed down your point of disagreement here which is that it's not practical to get them to talk about a specific as narrowly as the topic in a multilateral setting yeah it's going to be very very difficult because again I think a lot of these countries have a set agenda they've settled on it and you know as soon as we say okay we want to sit down but we only want to talk about this they're going to come in and they might even say yes to that but when they get to the table there's going to be a lot of other issues that come up you know the thought struck me that you know cyber is difficult it's kind of like the dual use chemicals that you know have perfectly legitimate you know civilian applications but they could also be used for something nefarious building weapons something like that it's very very difficult to monitor those things you know well are they getting too much are they you know can we see that they're actually putting all those chemicals on their farm fields into their munitions plants it's very very difficult cyber you can do a lot of good things with it but you can also turn around and do a lot of damage and cause a lot of mischief both to your own population into the world at large and it's really really hard to monitor which one you're doing and particularly if you've already stipulated we're going to let you do espionage or at least you know we're going to try and stop you but we're not going to go bomb you if you do that when you know you don't know that it's destructive until it destroys something and and that's tough you know it's not the same as we saw the launch and there's something coming over the polar cap so we now have you know an ability to respond and really stuff that frankly the humans are definitely the weak link in this chain because we can't respond fast enough to do some of these things it's a scary field and to be honest with you all of you are the worst part of the security me too it isn't the machines it isn't even the software though we could get better with that it's the humans that play the role that we should and it gives adversaries a way to come in and exploit it and they tend to take advantage of that Dr. Steinbrenner Dr. Bucci brought up a different argument here he's pointing out that there's kind of a slippery slope between what we've tacitly allowed espionage these initial intrusions between that and disabling the power grid versus stealing for example IP could you address that point well just let me note that there is a European convention on cyber crime that declares as illegal virtually all the things you do either for espionage or for destruction so it's already been declared illegal and we are parties in some sense of that convention I think the Russians have in some sense exceeded to it as well so already there's a beginning of a discussion and what I would emphasize is that Steven is correct that this looks like it's going to be difficult but that is not a reason to say a priori it's impossible therefore don't try and I do think that if we initiated a process trying to focus specifically on what I talked to it's not clear we couldn't pull this off we would have to fend off issues we don't want to talk about and that would be a problem it's not clear to me though it would be such an intractable problem that we couldn't come to terms on what we most have the greatest interest in and we believe all of us do not want to see destructive attacks on power grids or financial clearing houses particularly the latter really does threaten the world economy and so it looks like there are deep enough interest overcome if you will all the things he was rightly pointing to and at least we ought to try to see if we could get agreement along those lines and you don't know until you've tried the United States has a lot of leverage here if we initiated because we are the big player after all and that and it's important for us even if we don't succeed to send the signal that this is the way we want the world to work we do not want people preparing attacks or even conducting on critical infrastructure we want to set these norms because we need these norms and formal negotiations is a way of setting the norms even if you don't get final agreement Dr. Bucci I wonder if you could address what some of the downsides might be to entering formal negotiations sooner rather than later I I would assume you see a certain sense of urgency in terms of preventing an attack from a power grid for example or financial clearing house but aside from the debate possibly dragging in other issues like internet freedom that we don't feel like addressing at the moment what are the other downsides that you see why shouldn't we do this? The main reason is right now we have more ability than anybody else and deliberately going into negotiations now and basically handing some of those abilities away while it it's sounds like a nice thing to do in the not so nice world of international politics it's I'm not sure there's a lot to be gained from that frankly I don't think some of these countries even if you know they sat down and signed an agreement that they would never do this stuff that it's really going to stop them from doing it so circumscribing our abilities and our options when we're sort of the wrestler on top right now doesn't seem to make much sense to me let me respond to that because this really is the fundamental issue we are better at it than other people we're also more vulnerable and so we're more exposed and we're better I think our political system is having difficulty accepting the principle that it is a good idea and need in some sense necessary to accept restraint in order to impose it this is an instance where we have to do that and it is true that accepting restraint we will put greater restriction on ourselves in the sense that we have the ability to attack than they do I think it is overwhelmingly in our interest in this instance to do that and that's not the only instance I mean there are circumstances in which that principle we do need to master that there are some things about which it's desirable to accept restraint on superior capability in order to impose restraint on inferior capability that nonetheless can cause us a lot of trouble I understand John's argument with that and while on an academic sense I think it has a lot of merit I'm not sure that in the real world it plays out quite that way we've seen our negotiating skills with our previously with the Soviet Union and since then Russians and it hasn't always served us well you know we've had that desire so okay we'll give a little bit more we'll give a little bit more and it doesn't necessarily work out to our advantage at this point I'd like to move on to audience questions I just got my first batch here and the first one is for Dr. Steinberg even if Russia and China agree with us the power grid shouldn't be attacked how can we be assured that they are not preparing to do just that likewise how can we assure them well the declaration that you're not going to do it is the beginning I mean they will be preparing as will we be preparing to do it that's not something we can since it can be done they will prepare and we do too as to how you would do it so the problem is how do you prevent people from doing what they could do and actually are prepared to do the declaration helps it sets the norm but I would go far beyond that I would say let's establish procedures for mutual protection to make it harder to do and the art here is to target this not at ourselves particularly but at third parties terrorists etc might do it to all of us so let's establish mutual protection against these notional third parties who might do this to make it harder than it currently is now that would mean that we're constraining our own ability as they would be theirs but we're not going to be able to eliminate the potential for this attack it's going to be there what we have to do is regulate the behavior and the first step in regulating behavior is to establish a very clear norm that can I respond as well two points one just so everybody's clear if you go any place else but in America we have a debate as to who the biggest threat is is the Russians who are the most sophisticated the Chinese who are sophisticated and there's a whole bunch of stuff going on or is it the Iranians who you know are not as sophisticated but have a lot more malice towards us everywhere else in the world it isn't really a big debate they all think we're the biggest threat because we have the most capability and Americans hate to think of ourselves that way but it's true the Israelis are well some of their local competitors would consider them a big threat but that has more to do with their kinetic capabilities than just their cyber capabilities but the we really need to realize that there's more folks out there in the cyber world than just the big countries and it's really easy you know if you thought it was easy to do proxy warfare in the cold war using other countries and special operators and that sort of stuff it's really easy to do in the cyber world I mean there's organized crime groups that get hired to do things and some of those have capabilities that rival a lot of nation states so it's I just again I think it's a very laudable goal but I just don't think it's necessarily achievable let me just point out that there's a benefit in that we are all three of us the big players are subject to this call it a terrorist or a criminal threat and it's useful to talk about mutual protection against that which is easier to talk about even though the effects are mutual protection against each other as well there isn't any absolute solution here the only question is can we do better than we're currently doing just one last point on that the we've had one example of trying to do exactly what we're talking about here with the Russians when the United States came up with the idea of missile defense the more recent one not the ones who are against the Soviet Union and I was in the Pentagon and we brought the Russians in and we briefed them on everything we're planning on doing where all the facilities were going to go we did everything but give them the technology and we showed them it was aimed at Iran and North Korea it wasn't aimed at their stuff and I mean we really went overboard particularly under a Republican administration to try and make them as comfortable with this as possible and they whether they bought it intellectually but rejected it for political reasons or whether they really just didn't believe us I don't know but they've rejected it and they've continued to reject it and they've continued to push back against it until today so that model of offering that level of cooperation that level of openness against what we considered a mutual threat you know because the Iranians well they buy a lot of stuff from them they don't necessarily like them any more than they like us they just weren't buying it I would argue that's a different circumstance and it would take us several weeks to work through all the details of why it's different okay Dr. Bushy, the next question is for you and it sort of takes us a little bit farther down than we've all taken path than we've even been so far nations always resort to their own interests in the end would it not be a suitable policy for the U.S. to engage its allies on this issue fully understanding that if a resulting treaty will be abrogated if doing so is in the national interest well I mean it's I'm not necessarily sure that's a useful discussion I mean it nobody ever has to follow a treaty there isn't any international policeman out there who's going to say oh wait a minute you signed the paper now you really can't do that if in the minds of the individual nation state they decide that's no longer in their interest yeah you're going to blow it off and you're going to do what you think is right but to be honest with you we kind of try not to do that I mean we've done it often enough and so other people have done it just as much but we really try not to sign up for something that we know ahead of time we're not going to follow so I'm not sure if we have absolutely the intention of following it that it really is good form to sign up for it it's just not what you try and do circumstances can change after the fact but going into it falsely I don't think we prefer to do that Dr. Steinberg would you like to address us? Just to comment we live in a world that is going to need global norms and this is one of the areas of many where it needs it to learn how to do it I agree we shouldn't sign up to something cynically it doesn't mean anything we're not that's not the way we operate or should we operate but we don't have to be completely reassured that everybody will adhere to our standards in order to try to set the norm it's a process and sometimes it takes some time and ok people violate the norm we catch them and we bring them up short as a way of strengthening Dr. Bucci you've addressed this topic a fair amount in your writings and so I'm actually going to address this question first to Dr. Steinberg but I'll definitely give you a chance to respond Dr. Steinberg how should the US continue its engagement and relationship with China given the mounting evidence of Chinese attacks on US networks that's the reason for doing it we want to back them off these attacks and let me say that I think Steve pointed out if you're in China you hear a lot about US attacks and if there's not a fair court to sort this out but if there were and if people were counting attacks if you will the US initiates most of them China maybe second maybe third if China's third then Russia is the second that's so everybody is doing it is the answer and the fact that the Chinese are doing it is not a reason not to talk to them about this is reason for talking to them just you know first of all and we talked about this a little before we started the idea of every cyber incident is really not an attack we use that term very cavalierly mostly because we haven't ever really defined it well so every newspaper person it sounds much more dramatic that we had 5 million cyber attacks this week then we had probes and scans and other things like that most of these things really are at worst espionage to steal data our spies trying to steal data from everybody else we also steal from our friends and our friends steal from us so they're not just our adversaries one of the biggest differences with China is that China like other centralized governments support their economic interests with that information we don't go steal China's economic secrets that are implied but also because we don't do that we don't use our intel community to prop up our businesses that's just not the model we use other countries and some of them are western european countries do do that and so there's a little difference in the I guess the breath of the espionage that goes on is that me maybe it is me they have government assets that are doing industrial espionage we don't have so much that ours is national security espionage in the more normal sense of it so yeah where you sit it kind of depends on how you evaluate this and if you were sitting in Beijing you'd probably look at this a little differently than we do it is true that there's a big structural institutional difference here and that the US intelligence community does not pass on its information to US corporations systematically for their benefit and the Chinese do and you know that's just an inherent difference in whether two societies work I think it's fair to say though to gather intelligence information about Chinese economic activities for which we do we don't pass it on to IBM but we use it and so they focus on that both of us are gathering the same kind of information we use it differently one other point a lot of people don't really understand you know I kind of laugh at the Chinese sometimes it's like the lady that's too much kind of stuff but you know that China is the most hacked country in the world by volume by several orders of magnitude mostly because they use a lot of pirated software and things that don't get updated so they're actually very very vulnerable and they're doing it to each other because they've got a very large dissident community who's trying to get away with stuff and trying to protect themselves I mean they do have a lot of stuff other countries like to route their stuff through China because they know once whoever's following it gets to China they stop because everybody thinks of China as the big hacker country I'm not defending China by any means I think they're pretty egregious violators but you know again it doesn't make much sense to get all sorts of moral outrage over it because we all do it our country does it all of our allies do it all of our adversaries do it you don't have to sneak into the pentagon with a bag and empty out of file cabinet anymore you just have to have some really talented people with a keyboard and hopefully someone at our end who does something stupid which is usually what it is it's not somebody malicious on our end it's somebody ill-informed On a similar note and I'll direct this to you first Dr. Gucci should the US government require non-governmental entities such as corporations to allow government monitoring of their networks in order to detect and to prevent attacks on those networks? I mean there's a lot of things that our private sector could do and our public sector should do together to add protection to our systems you know we the private sector gets beaten up a lot because they don't share their information when they've been hacked they don't give all of that to the government because in a lot of cases those companies consider one it ruins their reputation two it's proprietary information that once they hand it to the government it becomes eligible for FOIA suits so that their competitors can get it but on the same side the government frankly is really really poor at sharing information it has with the private sector so whether having the government monitor their networks directly is going to help they've been doing that in a defense industrial base you know companies sign up and say yeah we'll let you look at all of our stuff you give us intel so we can protect ourselves better you know that everybody always thinks monitoring the network is going to stop everything from coming in and unfortunately it doesn't because this stuff is so innovative and so dynamic that you're not looking for certain things you might catch some of the older stuff but the newest stuff that's usually the most effective gets in even with the monitors and all the defensive stuff in place Dr. Steinberg would you like to address this? I'll move on why since we are the most capable country in the cyber realm should we not negotiate as soon as possible from position of strength rather than when another nation has become more capable so I guess what's the character let me just comment there's a lot of talk here about sort of negotiation from strength and bargaining tactics as if the outcome were determined by relative strength most of the time that's not the case most of the time outcomes or durable outcomes and negotiations are determined by reasonable equity because that's what gets people to adhere to it and so usually sort of bargaining tactics and sort of leverage and all that succeeds in either speeding up or slowing up the outcome that is determined in terms of reasonable equity even between countries that are very different assets so I don't imagine any agreement that is going to lock in sort of relative or sort of protect relative strength an agreement that has any meaning in during power is going to have to establish basic principles that protect everybody and that's the only thing that you can really enforce Dr. Bushy why shouldn't we argue from a position of strength because I've seen the United States over the years negotiate and we go into something in a position of strength we usually end up giving away more so we we end up abrogating the position of strength to one of the best parity in some cases depending on how bad the negotiated settlement is we end up weaker than the people we're negotiating with I'm not a real fan of arms control negotiations so if you haven't figured that out yet I'll be upfront with it I just don't think it's necessarily the best solution and in this regular nuclear weapons and conventional weapons are a lot easier come to some sort of an agreement as you count the darn things other than all the ones everybody hides a lot more readily than you can with doing this kind of behavioral agreement I'm just not sure this is doable just let me point out I'm not proposing that we negotiate about relative strength trying to adjust it up or down what I'm proposing is that we regulate behavior whatever the relative strengths are and let me suggest we better learn to do that otherwise we're in very deep trouble our next question I'll also address to you Dr. Steinberger if an agreement on cyber attacks is reached but a signatory attacks anyway how can the agreement's punitive clauses be enforced given the difficulty of definitive proof in other words plausible deniability is pervasive in this environment how do you enforce I want to thank you first of all let me say it is important to establish as bright and normal as you can even if there are violations I mean we have laws against murder people get killed all the time we nonetheless think it's important to have those laws but I would say that in addition to just setting the principle we ought to establish the practice and as part of it of implementing it by of mutual collaboration and enforcement and in particular in forensic investigation of possible incidents it matters quite a lot whether the respective governments are contributing or collaborating in doing forensic analysis of intrusion or whether they're not so the agreement would set up the situation in which it's not impossible to violate and maybe encounter violations but it's a lot more difficult to do it effectively without getting caught so the point is just to make it more dangerous to whoever is doing it and with enough work you can get pretty close to identifying responsibility it is admittedly difficult but it's not completely impossible and keep in mind in any international relations type situation you don't necessarily have to have a level of proof like you have to have an American courtroom to declare somebody guilty it's always going to be an assessment and that there's interest that get factored in there's timing that gets factored in and if we had an agreement like this and the signatories decided that the country a violated it even if they didn't have enough proof to get it through an international court or a domestic court if they felt it was in their interest to take action to punitive action against that country they'd do it it's Americans tend to think very judicially at least as a population not necessarily the leaders about these things and I think we really we got to have that proof beyond the reasonable doubt it'd be nice but we don't always have that before we take actions in the international realm your ability to take action depends upon the strength of the norm you have a strong norm you don't need sort of definitive proof in order to enforce it if people really don't think that the action is justified you can do a lot of things even if your proof is a little squirrely and the proof will always I think at least for the foreseeable future will continue to be squirrely in this realm because it's really hard to get that definitive proof and while our forensics capabilities are getting better and better the techniques people use to obfuscate the responsibility are also getting better and better so it's another area in cyber that's chasing itself so with respect to capabilities we have a question here regarding how the U.S. might best enhance their own capabilities and so Dr. Steinberg I'll address this to you first but I'd like you both to comment what would be the best means of integrating the private sector into whatever U.S. and international agreements might be negotiated one of the things I think that we ought to fairly seriously explore is for operating systems infrastructure operating systems that carry heavy load for international that we ought to try to establish basically a trusted bank whereby source codes are deposited and then you can check periodically against changes to those source codes is a way of detecting intrusion and there's a lot of complexity associated with that idea you have to be very sure about the source code in the first place and you have to be very sure that the repository is trustworthy it's not itself a source of intrusion but that would establish a higher standard of protection against those things that are really critical than we currently have so that's one of the things I think we ought to explore doing the other idea that people regularly have is okay disconnect from the internet those things that you don't want that's easy to say and very difficult to do it's very very hard to disconnect any current operating system from the internet absolutely because the internet is so efficient but nonetheless you can think about the possibility of taking the power grid off the internet in some sense and how would you do that and could you do it and these are productive discussions to have the idea of taking things off the internet everybody always has this vision that there's just some switch somewhere we just flip it but if your adversary's intent is to lower your capability and take away from you all the advantages that you gain by using all these digital means you kind of did his job for him when he said oh there's something coming quick turn it all off okay he didn't have to hit you you turned it off yourself it's an unfortunately naive view of how it works and it's also counterproductive and I know you're not suggesting that I'm not being critical of you but it's just right now we are really really good at so many things in the world whether it's military intelligence or commercial because we have bought into this digital world 110% and we're leveraging every bit of it we can find we're using it even people that are relative Luddites are you know you're still totally immersed in the cyber world and it's really hard to get off of it I mean somebody once said they were talking about cloud computing that Gmail is the entry drug of choice to cloud computing and he was being really cute but it's we're all addicted to this stuff folks to a greater or lesser degree as individuals as a society as a nation and it's really hard to walk away from it even for a little while I know in Washington we had a blackberry outage for a couple of days and they were literally Jones and I they were shaking they couldn't get stuff on their blackberry on the metro it's really an amazing dependence on an ability to work wherever you are to be in communications wherever you are and when you lose that it's hard and I've seen it in the military we're really really good at using that stuff and when we've done exercises where you turn it off and suddenly you lose all that communications you lose all that logistical capability or management logistical capability you lose all the command and control and everything stops and finally the head general or admiral says okay you made your point turn all that back on let's get on with the real training and you realize don't you understand this is the real training because there are people out there that are going to do this against us so it's just turning off the internet or unplugging things from the internet we're way beyond that at this point so that's actually a good segue to the next question which this particular audience member feels is core to this debate and I'm going to address it first to Dr. Sanger it seems there are two core questions one, what should be impermissible even in war i.e. Geneva Accords what should we have for POWs and two, what should be impermissible outside of armed hostilities outside of outside of war it's a very good question the borderline between war and not war is getting to be an increasingly difficult question what I would say is the reason for establishing sort of legal restraints is to stay out of war in the first place and then I would concede that if you really get something that qualifies as war, fully declared and all that, that most of these rules are in jeopardy including the rules of war which are regularly violated but that doesn't mean that that doesn't undermine their utility if you would just represent that if you go and let me be a little more specific if we say thou shalt not attack power grids, that's an act of war and you establish that norm it certainly discourages anybody from contemplating that because it defines that act as an act of war and it opens up all sorts of retribution as a consequence for that so my basic answer to the question is you set the norms in order to stay out of war you would hope of course that they would contain any conflict that actually occurs but if we get war then there's a lot of destruction and this is part of it I mean that's sort of the essence of deterrence you have a declaratory policy, you tell people what is impermissible in this case I think that's a perfectly legitimate thing for a nation state to say you attack our power grid and we're at war and it doesn't matter we don't have to answer back with a cyber weapon system we can come back at you with everything we've got now there's nuances to that our Department of Defense announced that a cyber attack would be considered an act of war now it neglected to define what a cyber attack was I mean it was left deliberately vague so hopefully maybe you deter a few more things because you don't necessarily want the bad guys to say okay I know I can go all the way up to here and they won't come and bomb me but if I go beyond that I know they're going to come after me so you do leave some wiggle room there because that has an additional around the edges to turn effect but you know it comes down to them making a interest based decision as well as to whether we're going to see if they're really going to back this up because we think it's worth the risk to hammer them by doing that and you hope it doesn't happen I think frankly I think having a specific declaratory policy that you attack our energy grid in any way shape or form and we'll consider an act of war makes more sense to me than having a negotiation well the corollary to that is that we will not do it to you either if we consider an act of war we're ruling that out of bounds and you know that that's a way of the point is to set the norm how you set the norm you can debate about how to set the norm but it would be desirable to have sort of a legally enacted agreement this is the norm thank you gentlemen we've reached the end of our question and answer session but we'd like to give each of you five minutes to give some closing remarks to sum up your arguments and leave us with a final impression so Dr. Steinberg would like to start with you let me just say that there are deep issues I mean the cyber issue connects into a lot of other things as well and cannot really be separated from fundamental security relationships and all the interests associated with that part of what is behind what I'm saying is that we're living in a world that is going to require more robust regulation if you will of some things than it currently has and it is going to require sort of legally fine security relationships among the major players in order to cope with mutual threats coming down the line in case you haven't noticed is the looming issue overwhelming which although is controversial here is not going to be controversial forever this is a very, very serious mutual threat and that's going to change the security relationships of all countries over a two or three decade period and they're going to be driven into very intricate collaboration and this is just one of the features of that so what I'm saying here is the recommendation of just talking about this is rooted in a larger situation in which we're going to have to learn to regulate our security relationships with countries that we have historically seen or like to see as enemies for mutual protection because we have overwhelming mutual interest looming here and we have to learn how to handle it I just want to emphasize cyber threats are real it isn't hype it isn't just defense contractors around the northern Virginia area trying to get extra contracts from the government there are real honest to God threats out there from nation states from non-state actors from criminal organizations even everybody always laughs at the hacker it's the fat guy sitting in his mother's basement typing away on his computer those guys still exist and they're frankly much more capable today than they used to be because you can just go online and buy stuff I mean I could become a hacker and I'm not a tech guy if I just went online to some gray sites and bought some tools so the threats are real the sky is not falling however right the republic is not at risk today of collapsing under the way the cyber attacks were facing but what's happening does affect all of us if you are like me and have either not much hair or the hair has turned a different color you may take advantage of this and say look you know that's not my thing I'm just going to do what I do and I know other people are going to take care of it that's the wrong attitude you have to understand this problem you have to get engaged with it if you think that all the young people are going to take care of it for you you're dreaming the young people are very capable of using all this stuff and they have no culture of security whatsoever it's not a criticism it's just a fact that's not important to them so they don't think about the threats in the same way someone with that gray or less hair does it so you've got to have the mindsets of both together working to try and address this if you don't understand any of the issues that are out there get the knowledge dig in the government has a wonderful program that is supposed to put out awareness education and training and I spoke with one of these senior people at DHS and I said well how's that going and he said oh it's going really well we have six meetings scheduled this year where the secretary herself is going to get out and talk to people around the country 500 people in each venue 5000 people in the United States of America that's not very many so we've got to get this education out we've got to make people aware because this is the world we live in now your parents our age parents our parents the really old people how do you think they get all their benefits from the government now they've got to learn how to go online to get it and we're just getting started it's all moving in that direction it affects us as individuals it definitely affects us as a society and we need to get more astute and more capable at doing the right things so that we don't make it any easier for the bad guys that are out there who are trying to do us ill you do have a role in it it is not just an academic exercise thank you both very much for coming here mercifully he did not go pole that's right you forgot to do that I'd like to thank our speakers again Dr. Bucci and Steinbruner for coming here and engaging in a thoughtful engaging discussion I know I learned a lot I think that's fairly widespread here I'd like to remind everyone as they head out to get their M cards if they have the iClickers and I'd also like to take one final poll and if I can figure out how to do that here we go technology right if anyone wants to try voting there we go our resolution is here just so you can read it and it looks like we don't have anyone undecided so that's good once again I'd like to thank our speakers thank you very much and I'd like to invite everyone to our last debate from the Ford Policy Union series it'll be on March 26 on the topic of international drug trees and thank you all for coming