 Okay, we're back. This is Dave Vellante, and this is theCUBE. We're here live at the MIT Media Lab. We're exploring cyberspace and the gaps in cyberspace governance and international relations. We're here at the ECIR workshop, which is hosted by MIT. Erin Fitzgerald is here. She is a program director at the Minerva Research Initiative, which is the sponsor of this event. And also Michael Sumire is here. He's a senior policy advisor for the Office of the Deputy Assistant Secretary of the Defense for Cyber Policy. Folks, welcome to theCUBE. Thanks for coming on. Thank you. Thanks a lot. So Erin, let's start with you. First of all, thank you for sponsoring this event, and thanks for having us here. We're really excited to be able to come to events like this and what we say, extract the signal from the noise and share with our audience some of the developments that are going on. But why don't you talk about your organization and your role, and we'll get into some of your research and the relationship between you and the DOD. Sure. No, I'd be happy to. So as you mentioned, I direct the Minerva Research Initiative. This is actually a DOD sponsored program. It was actually, in 2008, then former Secretary of Defense Gates started this program. So it's pretty unusual to have a secretary of defense starting a research program. But the idea of this research program is in general having, building a fundamental understanding of what are the social and cultural forces that shape regions of strategic interest. So what is it that causes social and human behavior and motivations to happen? And Minerva covers everything from looking at sort of terrorism, terrorist ideologies, to looking at energy and environmental security, to looking at economic security, all the way over to cyber, sort of the human side of cyber. And the Minerva program has been funding the Explorations in Cyber-International Relations project for the last almost five years and are happy to be sponsoring this project. So talk a little bit more about the team that does the research, how you go about gathering the information. Sure. Well, so Minerva funds currently about 40 active university-led projects. And they run everywhere from single investigator projects to large team projects, a million dollars or so a year, which for social science, you can get a lot of mileage out of that type of investment. But Minerva's unique as a basic research program because not only is it very focused on fundamental understanding building and research, but it actually started as a policy initiative at DOD. So I work closely with colleagues like Michael who are a part of OSD policy to make sure when we're selecting the projects that not only are they high in scientific merit, but also in relevance, also in sort of the impact that may come from the project, et cetera. So what I do in my role is everything from managing all the research projects that we have to trying to understand what are the new research topics that we should invest in. So should we have more projects looking at cyber international relations? What about governance? What about security? Or is there another component of sort of cyber relations or other sort of non-conventional deterrence theory that we might wanna invest in more? Helping to select the projects. And I work with different, the Office of Naval Research and the Army and the Air Force to help choose what has the best scientific merit. And I work with policy to make sure that we're asking the right questions and selecting the projects that are going to be the most important. So I manage the projects and then I try to do a lot of outreach to make sure that as the teams develop the insights that come out of this investment with these brilliant researchers that they're not just doing this in a vacuum but that we're connecting it to the people who can benefit from the answers to these questions. So part of your job is connecting the dots across the research initiatives where it's relevant and then connecting it to applying it actually. Right, absolutely. So making sure that we have an ongoing relationship and engagement between the researchers and the policy, the community, the intelligence community, other parts of the government who are involved in national security issues. So roughly how many projects do you run per annum? I mean, if that's the right metric. Right, so most of the projects are three to five year projects. We start about eight or nine new projects a year, generally. And that depends, of course, on budget cycle and Congress and everything else. But given the structure we have, the portfolio, we try to have a good balance between topics. So I mentioned we have some projects that are in the cyber realm but we have a number of projects that are more looking at belief formation and propagation through a network, for example, or looking at different types of governance structure or more broadly just the changing role of the state in a globalizing world. So we have projects across that gamut and we try to have a combination of large projects, small projects, more qualitative projects and quantitative projects. And in general, some projects that might pan out and be useful immediately and others that might have 10-year long-term benefits. So, Mike, I wonder if you could talk a little bit about talking off camera about the missions of the department. I wonder if you could talk about that and then maybe Erin can maybe tie into it some of the research, how some of the research has supported those missions. Absolutely, thanks for having me. And you were able to capture the title that I currently have in the Cyber Policy Office very well. And so as background, it's a good first rule of Washington to always remember that the longer the title, the least important, the guy. So my apologies you are stuck with me, but at least I am able to talk a little bit about what our office does and the overarching missions of the American Department of Defense when it comes to Cyber Policy. We're part of the Office of the Secretary of Defense, an institution within the Department of Defense that was created in 1947 as part of a way to ensure civilian oversight. Systematic civilian oversight of the military. The historians in the audience will remember that World War II was usually was fought essentially with the Army, the War Department, doing one set of actions, the Navy Department, doing another set of actions, and after the war there was a decision to unify. So we are part of the civilian organization that tries to unify military policy, specifically as someone employed in the Cyber Policy Office. We spend a lot of time thinking about civilian oversight of the military with regard to cyber policy. So that's the background on our part of the organization. Erin is a great colleague in the acquisition technology logistics side of Office of the Secretary of Defense and doing the work that she does that she just told you about. In the policy side of thinking about cyber and how the military plays, it's taken the department a little while, but I think we're able to articulate three primary missions at this point. The Defense Department is an operational organization, and so we think in terms of missions. And these missions were articulated really by our former Deputy Secretary of Defense, Ash Carter, at a speech not too long ago in Aspen. And there he spoke about a mission to defend Defense Department networks. He spoke about a mission to ensure that cyber capabilities are available to support contingencies. And he spoke about a mission to make sure that the department can defend the nation, and that's a sort of proper noun, defend the nation in quotes, defend the nation in the event of a very serious cyber attack coming against the United States. A word on each of those very briefly, and then we'll go back. To defend DOD networks, you'll find people tend to start with that mission first because if DOD's networks are problematic and compromised, it's very difficult to do the other two. Not impossible, but it's very important to begin with defending our own DOD networks. The second, in terms of contingencies, just like any standard military operation, you wanna make sure you've got the full range of options available to the senior most decision makers when they need to be able to use them. And third, for defend the nation, this is really an example of terrific whole of government interagency support across the U.S. government to make sure that all your government is working together to make sure that the nation is secure from cyber attack. It's not, don't think of it as your military out in front doing everything all the time for everyone. Think of it more as we're making sure we're working with the Department of Homeland Security, we're working with the FBI, we're working with justice in general to make sure that the nation is secure from a cyber attack. So we heard this morning actually, sort of the premise is we don't wanna fork the internet, we don't have a China internet, the German internet, and the U.S. internet, et cetera, but maybe different militaries will have their own networks. So that kinda makes sense. Have you done research on that and maybe you can share some of the findings with us? Sure, well, maybe not research directly in that area, but certainly looking at the cultural components of internet governance and cyber governance and governance really in general, what are the norms of, what is the normative behavior of sharing information, of privacy, of being able to track information sources? So by kind of looking across the board at different cultures and trying to distill out where are compromises possible, where are they not possible? This is some of the investigations that we have ongoing right now. Most of the Minerva research is really looking to inform strategy rather than tactics or more immediate policy. So it's meant to try to look at big picture questions that Michael's boss and those with the shorter and shorter titles can help to make their strategic plans based on. But in terms of looking at specific countries and their normative effects, we've heard a lot today about the idea that really the government or that the internet, we wanna have a unified internet, but the idea of having a centralized, single party-led internet is also not feasible and in fact may lose legitimacy in the eyes of many of the other parties as we have sort of strengthening parties in other ways. So that again leads to a non-cyber question, but something else that my program might look at of how does power projection work for states? How do states sort of show themselves to be a growing power versus someone who's willing to let someone else take the lead? And those types of lessons can also help inform decisions that we might make for cyber policy at DOD and the other parts of the government and national security agencies. So I mean from a purely U.S. perspective, having this sort of whether perceived or real, and I think part of it is real, this U.S. controlled internet, not necessarily such a bad thing for the U.S. military. So you've gotta project forward what the impacts of sort of a more multi-stakeholder adjudicated internet would mean from a defense standpoint. What can you share with us as you look forward in terms of what research is indicating? Well, I think that the discussion that we've had today, first of all, workshops like this are not only to bring out some of the results from research, but it's really to help inform what are the questions that the researchers should continue looking at. So I think today we've brought up a lot of questions that hopefully the researchers at MIT and Harvard and other researchers in this area might look at in terms of again, what is in the U.S. best interest, the immediate gut reaction might be the more we control, the more it is in our interest. But again, there's that question of the loss of legitimacy that may move parties to look at entirely different governance structures other than those that we control, which may in the long run potentially weaken our position or not. So how can we look at sort of the large system of systems in international relations, both cyber and more broadly? And I think those are questions that we'll definitely be looking more at now, but in terms of trying to identify what are the levers that will define a successful U.S. program and a program where U.S. can help to control the outputs in the future. Understanding what is connected to what will help us achieve those goals. Well, in a way, it's somewhat easy for the department because you could be myopic. I mean, you've stated that three missions are pretty clear. You know, economic gain for corporations is not one of the missions. You don't have to worry about that, even though that's tugging on a lot of things, Erin, that you have to research. So, okay, so what are some of the other burning questions that you want to see addressed? By the specific group or more broadly? So this group, as I mentioned, have been funded for almost five years. So they're coming sort of to the end of the investment that they have. And in the meantime, this is a project that I'm not sure if you've discussed it. It's, you know, we're at MIT today, but it's a project that's multidisciplinary. So it's MIT's political science group, MIT's business school, Sloan School, MIT's sea sales and the computer science, and also at Harvard Kennedy School, their Belfer Center, looking specifically, especially at science and technology policy. So this is, you know, four very different perspectives all on specific issues. So the Belfer Center people have been looking specifically at policy issues and how to distill out lessons from specific cases in history so that we can generate inputs. The Sloan School people and the computer scientists are actually building models based on data that we have based on reported cyber attacks in different areas, based on sort of the growth of user bases in different countries to try to better model and understand whether or not we have the right parameter set or the right vision of what really is connected to what in terms of building a more secure network and enterprise. So I think as those groups move forward towards converging, I know there's a lot of people in Michael's group and others who will be very excited to see sort of the final conclusions of this five-year project. Excellent. So what's next for you? I wonder if you could share with us sort of, you know, what you see, you know, looking for a crystal ball a little bit, but you're working five-year stints, so you've got to have a long horizon. So bring out the telescope. What do you see? And that's a tricky part of basic research in general. If we're only looking at the problems, you know, if we only focus right now on cyber governance issues mediating between the U.S. and China in five years, that may not be what's important and it may be Brazil that's a larger player and maybe if we weren't careful, the questions won't generalize to help us inform those larger questions. So I think definitely having a good balance between specificity and generalizability in our investments will help us to have sort of the most broad and robust set of insights that might come out. But in the cyber realm, cybers, you know, it's been brought up several times today, cybers really one part of a larger system and is less and less of a standalone system now. So the idea of cross-domain deterrence is something that the department has talked very much about. So this is looking at an increasingly multi-polar world where you have more and more mechanisms of incentivizing and deterring specific types of behavior, you know. So no longer do we have sort of a kinetic or warfare types of levers and economic levers. We also have cyber both cyber controls and cyber attacks. We have, you know, what is the space realm that we're going to include? And when we have multi, you know, more and more players who have real strength in the world and we're not sure, you know, if an economic attack happens, you know, should we increase, you know, our cyber attacks by a certain amount or at what point do we start to escalate out of control or have sort of, you know, proportional responses across different domains. So I think that's one of the largest questions we have going forward in the cyber realm and beyond just how do these outputs really compare to each other and how can we have a better understanding of the escalatory dynamics that can help us keep the nation safe and secure and in control. Cool. A lot of interesting challenges you have ahead. So no shortage of things to research, right? Cool job. Well, Aaron, thanks very much for coming on, Michael, to appreciate it and good luck going forward. Thank you very much. All right, keep it right there. Everybody will be right back. We're live at MIT's Media Lab. This is theCUBE, right back. Thanks.