 We're here to talk today about five cyber incidents with Jim Lewis, Bob Deets, Judith Miller, Franklin Miller, and Bob Geisler. And I'm going to turn it over to Jim. And Adrian, you should have introduced yourself. We have Adrian McCoy. I'm sorry, you need no point. What we're going to do here today is we're going to bring up a set of incidents. It was hard to come up with them because every time we thought we had a final slide deck, one of our foreign friends would do something else funky. And so we'd have to revise them, revise them, which drove the panelists a bit wild. But what do we want to do here today? We have some goals that are a little different from the normal discussions of cybersecurity. And I think I'm going to steal Frank's line. I think Secretary Lynn teed some of them up for us. When we look at these incidents, the U.S. now has a national doctrine, right? And it was in the international strategy. It was previewed in the president's May 29th speech. You'll see more of it when the DOD strategy finally emerges in the next year or two. That was a joke. It didn't work. What is that declaratory policy? It's that cyberspace is a vital national asset. And we will use all means to defend it, right? So what does that mean? And we have a very experienced and distinguished panel who can go through these incidents and tell us when does something justify a military response? When does something justify the use of force? When is title 10 appropriate? When is title 50 appropriate? How do we signal to malicious actors in cyberspace our discomfort or our intent to do something in response? What are the measures that we could use? We say we'll use all means to defend it. Well, what are those means and how would we deploy them? These are questions I don't think have been asked at least publicly before. So what we'll do is Adrian will bring up an incident. 
We'll give some relevant details as if she was briefing these senior officials and then they will tell us how we think the U.S. should respond. What are the constraints? What are the legal requirements? I think this is going to be a lot of fun. They look a little puzzled now, but, you know, they'll snap out of it. Don't worry. Adrian. Okay, no briefer was ever this concise. In January 2010, Google revealed that its network had been hacked and intellectual property had been exfiltrated. The company reported that it had traced the attack to computers at two campuses in China. Google had recently clashed with the Chinese government over censorship of the Google search engine. The State Department filed a démarche with the Chinese government but received no response. Okay, so this was a particularly galling incident in some ways and the question would be how should the U.S. respond? When you see things like this, what should we do? And we'll go through a set of incidents. Some get closer to something like the use of force, Stuxnet. Some get closer to the ability to confirm attribution. Some are directed at high-value military targets. We have one in here about breaking into defense contractors. But in this Google episode, what should the U.S. have done in retrospect? If you have some allegations, some evidence, and we might want to talk about what evidence is necessary for planning a U.S. response, what would a good response have been to Google in this particular episode? I don't say anyone would want to. I can talk forever on it from a think tank. Go ahead. Well, let me pitch in for Judy. I get it. Yeah, sorry for the delay. Mechanical, irresponsibility. Anyway, you know, a couple things. I do think, going to the point of evidence, if you were actually having a real discussion with officials about this, you'd know a lot more than what has just been very briefly said. You'd also know a lot that you didn't know. 
I mean, I'm not saying you would have all the answers, but you would have much more available than what has just been teed up for this discussion. And you'd have an opportunity to query a whole range of people in the government and at Google about what they actually knew. And so there is a little bit of, I guess, inherent lack of rigor in discussing this. And the reason I'm pushing that point is that I think that happens a lot in our discussions of cyber. One of our biggest problems is that we operate at a level of generality and a level of abstraction that makes it really hard to have the kind of detailed discussion about what the U.S. should do in a particular spot. So one of my themes, I guess, in talking about this is that we should be more transparent in talking about the kinds of attacks that we're up against and what we might be able to do in response without giving up the crown jewels of the specifics. I mean, you can talk with more candor and effect about what we're facing than simply saying, oh, it's cyber and then, you know, somehow thinking you can have a discussion about that. Second, one of the reasons that I pushed that point a little bit is that because we never get beyond abstraction, we never actually create a policy to speak of, even though the U.S. government is now in the process of how to do that. So you would like to have an international framework for having a discussion about this. I mean, you know, the law of armed conflict applies if this were a use of force. I think based on the facts that we have here probably wouldn't be particularly applicable. But you might very well say, you know, that if there was like, you know, China had been doing this for a long time. Loads of people have been attacking Google and other systems in the United States. 
You know, there is a possibility that you could say, even if you can't attribute this to the Chinese government, if they can't control their own people in an effective way, that there may in fact be some discussion that goes beyond a démarche about their responsibility and what the U.S. government properly could do to position itself in taking steps that don't look totally ineffectual. I was going to say, I think the nature of cyber is ambiguity. And so we're moving into an era where we have to face policies and choices with far more ambiguity than we ever have in the past. In the Cold War, where the Soviet Union engaged in egregious espionage against U.S. and nation-state secrets as well as with industry, we pretty much knew it ultimately was a KGB or GRU operation and traced it back to a Soviet policy that they were going after us for competitive as well as national security reasons. But today, in this case, university servers are notoriously vulnerable. It could have been a pass-through to a U.S. competitor launching that probe for IP from the United States. It could have been somebody from the EU looking for IP from a competitor elsewhere. Or it could have been a Chinese commercial competitor as well as a Chinese government interested in that. I note with interest, though, that our default after the Google hack was this is the Chinese government going after Gmail to try and repress Chinese dissidents. And we made some gross assumptions. I'm saying media-driven dialogue. Made some gross assumptions that ultimately we never could prove. It could very well have easily been a Chinese variant to Google looking for their search algorithms in source code. So I think we had to be very careful immediately couching this as a nation-state problem when in fact the larger strategic issue is the trillions of dollars of IP that's stolen every year on a commercial basis. 
China introduces a unique problem in that a lot of their industry is nationalized and a lot of the agencies that are doing or sponsoring hacking also have commercial interests. So you start to have to pry out the intent of this and start accommodating for that very ambiguous intent of the actor as well as the actual event itself. I think that one of the things that a policymaker would have to confront at the very beginning of all of this is what kind of constraints do we want applied to what we may be doing. And so in the world of Title 10 and Title 50, policy makers need to be very careful about setting standards which would apply to everybody else except us. Because however good we are, we're not that good that we would not get caught at some point. So I mean that's an overarching element for this entire discussion. Secondly, and I think that Judy was spot on when she talked about discussions on rules of the road. And I think there are two elements of rules of the road. One is in the world of commercial intercourse we're going to have to evolve over time some way for people to protect commercial IP. And even that is in China's interest over time. That's something that can and has to be worked out. And just as in the Cold War we were able to sit down with an implacable enemy, the Soviet Union, and work out means of discussing first strategic arms and then limiting them. There is a way forward here that requires government involvement. I think the second part of the rules of the road, which really doesn't apply to this case but which applies to other cases, is that even in the Cold War, at the point Bob made, there were pretty much rules of the road in espionage. I mean there are things that we did and that the KGB did and that we didn't do. And when one side crossed the line there were ways of letting the other side know. 
And again it doesn't apply here but I think the concept of rules of the road both in an official and public way and also in an official and private way is something that demands a great deal more thought as to how to bring actors together. And as Judy said there is the problem of patriotic criminal hackers who are either in it for their own commercial benefit or they're doing it because they think it's the right thing to do. And it clearly the United States government doesn't have the ability to take care of all the hackers and nuts running around this country. Think about the Chinese government. It's not to absolve the Chinese government for responsibility in a case like this but it is a problem that again fits into the rules of the road and criminal conduct and all the rest. Could I just pile on one point which is that on the rules of the road for the U.S. and what's at stake. I mean I think Deputy Secretary Lynn this morning certainly made a fairly clear reference to the point that the United States is more dependent at this moment on IT than anyone else. And so we ought to be clear about that. And my own opinion is that it's more important to protect all the stuff that we are dependent on than to protect the ability to have some agile offensive capability that we would like to use but wouldn't want to see used against us. If I could I'd like to make a general point that applies to all these scenarios so I'm only going to mention this once. Actually before I do let me say that I'm expressing my own views. I'm not expressing the views of the U.S. government or any agency and I have no insider information on any of these events so I just want to be clear about that. To me the problem, I'm not sure it starts here but it is certainly worsened by the fact that we do not have a regime, a legal regime to address these issues. What we have are various laws basically designed against hackers or in the case of NSA laws dealing with foreign intelligence collection. 
What we don't have is a legal regime dealing with the protection of IT. If you listen to news broadcasts about hacker attacks almost always it's something like it is believed that these attacks come from country X. Imagine in the kinetic world if we were attacked with a rocket and the military came back and said well we're not sure but we believe the attack came from some country. People would be outraged by that but the fact is that because of our legal regime it is often unclear where attacks come from. And that's again because there's not a legal way of doing hacking back, at least a way that's likely to be successful. What information protectors would like to be able to do is you take an attack and you start tracing the jumps backward but under current law that's not possible. So what we end up with in this country is a fortress regime. A fortress Pentagon, a fortress Fort Meade or a fortress America. And that's good. I'm not attacking those kinds of defensive measures but the fact is that I don't think it's likely to be successful in the long run any more than a fortress America works in the kinetic sense. And so what I believe is true here and is true in all these scenarios is we need a new legal regime specifically to address attacks. People will often say well wait a minute isn't that likely to have people and I say folks for example running back through university servers. And the answer is probably yes but I can't believe that we could not design a legal regime where that would be possible in a way that would satisfy privacy advocates. I mean my metaphor for this is there's a very big difference between cops breaking into a house in order to search it and firemen breaking into a house to put out a fire. You know I think it was Holmes who said even a dog knows the difference between being stumbled over and being kicked. And in this context intentionality matters. To just clarify that a little bit what you mean is a student opponent would complicate any U.S. 
response by doing maybe the last couple hops through U.S. persons. It's my understanding that that's routinely done and there are people here probably know more about this than I but you know you start with a you make some jumps in the foreign country then you come to this country go through some university servers go through my server at home and so forth and then finally conduct the attack. And that's what makes attribution so so difficult. Just one quick comment though which is that part of it is it's not just Title 10 and Title 50 it's also the divide between military, intel and law enforcement because absolutely clearly the computer crimes unit at justice it can get it may have to get authorities here and there but they can do this kind of backtracking without any difficulty and they were doing it in the 90s. So you know it's not necessarily that we don't have a legal regime that you can't patch together and make work it's just that we're patching it together because it's you know sort of trying to make statutes and authorities that were designed truly in a different world and at a different purpose and trying to make them kind of work instead of taking a step back which can always be exciting and saying to Congress well you've really got to change some of this. I do want to agree with one other thing though which is that I actually think you can do this and sustain privacy rights if you bake it in at the get go so that you have credibility with everyone in this country about what we're doing you can do that you have to give it up and you can I think create a consensus of some sort that would allow us to have a legislative change that would be at least the building block for the international rules. 
I think that's right but I think there is one element in what Bob was saying that complicates all of this and that is law enforcement or the Title 50 agencies may be reluctant to reveal the fact that they can trace it back and there may be times when they will be perfectly prepared to do that and there may be other times when they're not and that does complicate our ability to go to this kind of regime although I support very much the notion that if we don't move to that kind of a world where there's a rule of law it's going to be bad for everybody. Dragging that back to your point on there were ways in the past that we could signal the other sides when we were unhappy across some line, does that complicate, what would that look like in cyberspace and does an unwillingness to reveal what we may know complicate that? Sure. You know I think the signaling is both over and undeclared at the same time. You're not going to handle this with a démarche. It's like theatre on the international stage. We've got that out of our system. We're happy now we can go on doing our business. But you also have to show that by demonstrating that that behavior has some equivalence from our perspective. If you assume PLA is the ones that did the Google hack or PLA continually penetrates DOD networks or any nation state for that matter then there are ways you can noisily go about penetrating networks just like during the Cold War we used to fly up and down coastlines in a very, very sometimes provocative demonstration that says I'm going to be as aggressive as you are and I may also have a tiered approach where I'm going to very quietly conduct intelligence operation but at the same time I'm going to be very noisy and put some sort of equivalence operationally on this so that we can finally start having some adult dialogue at the diplomatic table. 
But until you start showing an actor that there is equivalence or a reciprocal action at a pain point that finally gets them to pay attention and to adjust their behavior that will continue. But I think that actually raises we're probably going to use this one slide to bring the entire discussion forward. One of the interesting elements in signaling or indeed even in responding is to understand that you don't have to do so in the same medium. That particularly applies to countries who are not as reliant as we are on cyber. If you want to inflict pain or if you want to signal that you have the capability to inflict pain you need to find the point of pain and it may not be in the cyber world. It may be elsewhere. And that's why I think this entire discussion is a really rich vein because you have to figure out what the vulnerabilities of the other side are and you have to be able to say, okay, to the degree that I'm willing to say, I know you're doing something that's a very bad thing to do and other things could happen in other realms that would not be a good thing for you. But it requires us to think through this a whole lot more carefully rather than to go into the reflexive while we've been attacked so we're going to use kinetic or non-kinetic or cyber. One of the things I worry about with signaling and it's not a big worry but we had had a long time to establish Kabuki theater with our Cold War opponents and so you could do a tacit or implicit signal and they knew what it was. And when you talk to some of the potential opponents today other than the Russians they don't have that understanding so how would you develop this capability? I was in China a couple weeks ago and was talking to someone from the PLA and brought the notion of equivalence forward and it was a surprise to them. They were complaining about our intelligence vessels coming into their EEZ and I said, well, you know, some people use ships for intelligence purposes and some people use other stuff. 
And I was like, what? Huh? So how do we... they didn't like that. How do we build... there's a formal rules of the road that you've brought up but there's also some informal understandings or rules. How do we build that? Let me jump in because that's one of my hobby horses and I think it applies to our relations with other governments whether friendly, foreign or neutral and I think that one of the lessons of the past several decades is that we cannot rely on being too subtle. There are times when we think we've really communicated a message and the other side hasn't got a clue and there are numerous instances. So whatever it is we do in terms of signaling it has to be accompanied by a pretty clear message in private to someone in authority who understands what we've done or we could even say, oh, by the way, you may not have noticed but we've done something because we're not happy with what you did. So I think it's a combination of really blunt diplomacy and private and whatever the signal has to be. Let me use that as a transition point to the next incident because this one is a little clearer. I'm going to assert at the beginning that we have some strong ideas about who is responsible. Thank you. In fall of 2010, DOD revealed that classified and unclassified military networks had been penetrated by malware resident on thumb drives given to service members in Iraq in 2008. The exploit created an opportunity for the exfiltration of classified and sensitive data to foreign servers. DOD says the attack was perpetrated by a foreign government. So in this case I don't know but we didn't necessarily, do you treat this as just okay, one for their side and now we run around on the defense or what would a response look like? This clearly I would think does not rise to the level of being considered under international law an act of the use of force. 
Unless you knew that they left behind, unless you really knew that they left behind things that could blow up the whole system and endanger the department's ability to respond at all. I mean you could always get to something that's more dramatic but there's nothing in these facts that would get you even close to thinking about that. So that's sort of a, the leave behind is one of the thresholds we want to I think so. I'm not even sure that'd be a threshold. It's just because leave behinds can affect dual purposes where you can control data, you can disrupt the integrity of that data or you just pull data off of that. But the fact that they, in this case it is well known malware, the means to exfil the data was well known, if it was ever done or not is not subject for the debate. But as we know the data has been presented to us there is no leave behind, as Judy said, that infers the intent to do damage to that network or the data on that network. But I do think it makes, going back to the point that Frank was making earlier about how you don't have to be confined to the cyber realm to think about how to respond in a variety of ways. One of the things that I've noticed that we tend to do is to just look at what, the actual attack itself instead of whatever, the SIPRNet attack in this instance instead of also saying well we have lots of other intel sources and other ways of figuring out what's going on in the world it isn't just confined to the cyber tracing back road and what they did with it. So you can in theory hypothesize that you actually through other sources realize that they actually do have some intent that goes well beyond what our particular facts are and that would create a different discussion I think. But that's not the discussion that this sets up. My sense is that this is a, we got outwitted and you're not going to start a war over something like this and I have a hard time imagining, again assuming that there are no leave behinds. 
This strikes me that there are some morals that ought to be drawn from this for our side but I can't imagine doing much of anything else. You know we have to I think continually desensitize target audiences, our audiences, particularly policy makers in saying this has happened for the last 2,000 years in conflict and in peacetime finding an intelligence capability inside of our network is honestly going to happen as a standard and something we have to accept. I think the military is finally grappling with the fact that our network is going to be penetrated as a norm and we're going to have to work on how to fight through that. We got that now. I think from a policy perspective as intelligence and as forensic start to roll in you have to make sure you couch that very carefully as far as intent and more importantly what data we don't have as far as the actors are concerned and the intentions and I think that's very important. We tend to still overhype these things not only in policy making but also in the media where it becomes a massive echo chamber that vastly outstrips what really happened on the ground. I think that's right. Were we having this discussion? They throw out most of the people in the room and then we have a real discussion but someone in the room would stand up and say well we need to talk about intelligence preparation of battlefield which opens up this giant door and I'm not going to open that door but I think you're absolutely right. I think we have to get used to the notion that people are going to be operating inside our networks and we need to figure out which networks are going to be air-gapped and absolutely sacrosanct. I don't know whether leave behinds are necessarily something that you draw a line at or not Just one bit of information. 
I just don't know, but I think that it's the discussion of both of those aspects, about our own intelligence preparation of the battlefields, whatever they may be, and what a potential enemy may do, and what we're prepared to accept and what we're not prepared to accept, that forms the basis for this discussion.

There is a more fundamental point that DOD, I think, and Bob, you touched on it, is grappling with right now, which is, if you can come in, if you assume that the cybernet is open effectively, which has not been the operating assumption for DOD, or that it can be easily penetrated when need be, even if there is no leave behind, then that raises all sorts of questions about the reliability of our defense capability in a big way. If the commanders are worried that they're being spoofed, or that they actually can't use kinetic force because of the internet connections that it relies on, that's a big deal. So, going to Frank's comment, one of the things that I think we ought to have more on the table than I think we've had so far is a real discussion about architecture. I'm not a technical person, so when I say this I then have to look to the people who actually know, who are computer engineers and things and actually know how this system works. But I think we ought to at least start thinking about whether some of the first principles that we put forward when the internet was first started, and the ones that we've been building on ever since, which is sort of speed, speed, speed, speed as opposed to security in addition to speed and functionality, I just think we need to take a step back. And this really would require an international step back, but perhaps with some US leadership around it, about whether there are things that we can do, not to shut down the internet or make it horrible, but things that we can do that actually build in some of the issues that we're facing, not just the Department of Defense but our companies. If you look at the Sony PlayStation example which 
has been in the news recently, and I think the Wall Street Journal or someone reported that they had quantified their loss to date, and don't hold me to this, something like $170 million. I've had discussions with CEOs before, when I was in private practice and what have you, where it was like, I can't invest in this cybersecurity thing, I'm not at risk, there's no problem, and quantify it for me. Well, the Sony PlayStation example, in a totally different realm than national security, I think has quantified it in a way that would get anyone's attention. And that's like, even for a very successful company, that's real money that goes straight to the bottom line. And I think that might open a different way of discussing whether it's worth spending a little more money and research to think through a different way for this architecture to operate, so that we don't have to just have the given that every system we have can be penetrated. Because fundamentally that's where we are: defense is always going to lag offense. I personally believe if we continue with the architecture that we've got, that's not a winning game for us.

I think there are two things. One, in terms of signaling overtly and clearly, we do have to say there are certain things that are absolutely off limits, and we have to say to other countries, for example, don't mess with our warning networks, because if you mess with our warning networks we might do something that you would really regret. And if you found something in a warning network, that should merit a very strong response, that I would say actually at the head of government level. The second thing is, Judy's absolutely right that defense is always going to lag offense, but we also, I think, learn from this incident and others that we can through training get our people to be just a little bit smarter. I mean, there was a certain embassy in town here that will go unnamed that for Christmas a couple of years ago was handing out thumb drives with lovely pictures of a capital 
city in winter. You know, don't take the Christmas present. There are things that we can tell people. It's not going to be foolproof, but we can make people a lot more intelligent about the kind of things they're doing, even on the unclassified level.

Under any set of the rules of the road that we've been talking about, and I think we will need some kind of rules of the road, under any set of those rules, would some more forceful response to this be justified? Or will this end up being any other intelligence exploit: they got one, we didn't, move on? I mean, what would the rules of the road look like for this kind of thing? Because in this case it was significant, it was against the military. So is it the same as everything else?

There's one other element of this particular case in that it actually disrupted combat operations. It impacted the flow of information in an area of operations, as disclosed in the media. So you run into analogies: well, what if a third party actually interrupted combat operations in Vietnam, and what would we do to that third party? And so the idea of Chinese involvement in North Vietnam and Russian involvement, we still have rules of the road as far as what we would do to them that I think remains sacrosanct even in the cyber arena. And I think you will have those rules with any nation, with any evolved nation state, and saying what you just did was a foul, and that's why, and we don't expect that kind of behavior again. I think the problem remains that ambiguity is, you just don't know who to talk to, and there's sufficient gap between the responsible officials that you can talk to and the potential actor, in this case the attribution still remains foggy, that the responsible officials could say, I have no idea what you're talking about. So again, I think this is a new era of statecraft. We're going to have to figure out how to breach that gap between responsibility and the action, and we're still battering our head against that.

But that is why I at least suggested briefly that you 
could look at the response, if you at least have it in a country, right? You know, you can look at the responsibility. You know it's not a failed state, it's the opposite of that, but you nevertheless can look at the country's responsibility for enforcing rules of the road for its citizens. So maybe one of the rules of the road is, it's not enough to say, oh, it keeps happening here, it's happened a billion times, but, you know, jeez, we don't know how it happened. I think that's ultimately going to be, it's going to have to be the answer.

I would offer the implications, though, are that in the Estonian denial of service case 17% of the computers that attacked Estonia were in the United States. So if you flip that scenario and say, did the Estonians then have the right to attack us? And conversely, what was the government in the United States' responsibility for that 17% of that attacking force, and what could we have done under the rule of law to alleviate that pain from the Estonian government?

Implicit in what I think both Bob and Judy are saying, but I think it's worth making it explicit, is that attacks are really, really cheap. In the old days you don't build missiles in your backyard, but these days a sophisticated hacker can do enormous harm. The attack may look to a rational player as if it came from a government, but it could well just have come from an underemployed youth, and that makes this problem much, much more complicated.

Let me ask two things on this, though. Because first, what's the drawback to going to somebody and saying stop, even if it turns out it wasn't them? Right? And I guess there's some embarrassment. I don't know that's ever stopped us from doing things in the past. So what's the drawback that ambiguity creates? And the second thing is, how much does aggregation influence ambiguity? So you have a certain certainty that it was a country, it was Russia, and it's not enough the first time, and you have 30% in the second incident, you have 30% in the third. At what point do 
you say to heck with it I'm going to go talk to these people and say look I discern a pattern what are you going to do so you know I don't is ambiguity that big a threshold for going to someone and then at what point does other factors other than specific evidence on a specific incident reduce that ambiguity I think ambiguity is a factor in a couple of ways one is if you go and accuse somebody or divorce somebody and they're the wrong person you risk having that information get back to the real perpetrator thereby reinforcing the perpetrator's view that I'm in good shape and so that's one issue when you go forward you want to have a pretty good case and your lawyers are going to make sure that you do and rightly so and aggregated series I think starts to undercut the notion of ambiguity if you're getting I was a policy don't ask me to talk about compounded probabilities but you can get there but I think the third thing and it's a point Bob Easter brought up is you do need to choose your target you do need to choose the person to whom you are speaking with great care because you could go into the foreign ministry at a senior level you could talk to the foreign minister you're absolutely wrong I know nothing about and that could literally be true so if you do make these to marshes they might have to be the head of the intelligence service or indeed to the head of state so think about the stealth aircraft and secretary Gates to China and you know but anyway so it happens in other realms I will point out that we didn't we thought very carefully about setting up this panel we wanted to reflect the realities of Washington so we have two policy guys two operators and two lawyers so that struck me as a realistic representation and yet another slander Judy I have never been in a session where lawyers were not slandered but it was a subtle slander I mean it was an implicit somewhat ambiguous ambiguous and a signal so maybe that means we should go to the next incident which 
is a little clearer, I think. And this one is different: it crosses the line. Why don't you go ahead?

Sure. In September 2010, as we'll all remember, Stuxnet malware caused physical damage, wiping out roughly a fifth of Iran's nuclear centrifuges. The sophistication of the malware has led experts to suggest that it was produced and deployed by a nation state. In the US, 36% of industry executives from critical electricity infrastructure enterprises queried in the 2011 McAfee-CSIS study had found Stuxnet on their systems.

This one strikes me as, there's one area where you could say it's not ambiguous: there was physical destruction. So it would be interesting to know if you agreed this could qualify as something that was the cyber equivalent to the use of force.

There is actual damage, there's actual destruction. It's not dramatic, and there aren't thrilling TV photos of smoking ruins, but this would for me qualify as an act of force, which doesn't end the discussion, because even if there is a use of force by the other side against you, for example, bring it home to us for a second, you still have to go through an analysis. The response is then force or something else, and that is affected a great deal by how much damage really occurred and whether it's really necessary to use force, whether in the same realm or a different realm, to respond. But at least I think that the physical destruction, you could up the ante and say Stuxnet, hypothetically, in the United States, it or the equivalent, which attacks control machines, so that's a big deal for the electrical grid. So if you had evidence that there were Stuxnets across all the important nodes of our electrical grid system, that would be a really kind of interesting problem. The first problem would be, can we get this out of here before it actually makes everything crash? Because that would be a disaster. And if the disaster occurred, for sure that's a use of force against our country that we would then want to think about responding to appropriately
and quickly.

I'd offer, in control system attacks, the most damaging attacks have traditionally been from insiders who know not only the system but also the processes they intend to disrupt. So economically, insider threats to critical infrastructure are a big deal. So if we were all in a room getting this intelligence briefing, I would try to throw right back at the briefer and say, well, who says it wasn't an Iranian insider that caused this? Prove to me that somebody else did this as opposed to an insider. Prove to me it actually happened; a lot of this is anecdotal. And prove to me what aspects of this attack were nation state versus economic. Were the Iranians being bribed or extorted? I'll take out your nuclear reprocessing capability if you don't give me two million dollars, which is something we actually see a lot of in global commerce. So there's a lot of questions that still have to be answered.

Now, as you start tearing apart Stuxnet, you start seeing aspects of a nation state attack. It was very limited, very targeted. There obviously were lawyers involved who said, make sure you limit the attack proportionately to what your objectives were. I'm speculating now. So one infers that this was a mature nation state saying, these are your limits. One infers that they actually were concerned about international law when they were crafting that. Or, because Stuxnet ultimately proliferated, there was either an element of desperation or somebody goofed as far as tradecraft is concerned. So I think everybody can authoritatively say there's a nation state attack; nobody has been able to attribute it. You know, again, the ambiguity of the cyber arena. But the point is, I think Stuxnet uniquely has, I should say, lowered the threshold for conflict in the cyber world, because somebody got away with it. Somebody actually damaged a strategic asset in another country. And I think we now have to say that inherent threshold of deterrence or inhibition for cyber operations has been lowered
inextricably, for the first time in history. It's an interesting concept to explore, because now you have to start saying, who's living in the glass house? And are we prepared, are the Israelis prepared, or for that matter are the Chinese prepared, for the next round that is going to inevitably occur? Because now that Stuxnet is out, somebody has the architecture for some advanced payloads and for some advanced control system attacks. I think we haven't heard the end of Stuxnet.

Three points. I mean, the first is, I don't know that you can set as a threshold the fact that something was destroyed. I mean, it is very serious, but then again, can one say that there's never been an intelligence operation, ours or somebody else's, in the history of the Cold War that didn't destroy something? I mean, Tom Reed's got a couple of books out where he says that we blew up a Soviet pipeline in the 1980s. I don't know whether it's true or it's not true. So the question is, is the physical destruction of something the red line, or is it physical destruction which threatens great losses? We'll come to that later. So I mean, that's sort of, I think, physical destruction yes, no; impact of that destruction. And then Bob's point, which I think is really worth hitting: whoever was behind it, one hopes, thought this through. Having taken this kind of an action, you would expect that the other side might mount some retaliatory action. What do you have to deter that? You know, is there, in the world that none of us know about, a signal that said, we did this, but don't even think about coming back, because... And I don't know that either. But you're absolutely right, with advanced payloads, people need to think about what the third and the fourth and the fifth step is down the line. And I would think anybody coming in with a really bright idea to an NSC or a principals committee or deputies committee meeting had better have that sort of chain of events thought through, and at least have built a plausible case that you could get
through all of that.

I would just add to Judy's point, it seems to me the issue is not only the immediate destruction but what else was put there. It seems to me, and this applies of course to our next scenario, but it's one thing to damage something, it's another thing to put in Trojan horses, or whatever, logic bombs they're sometimes called, that could cause enormous damage down the road when certain events happen. And it seems to me you'd want to look at those very carefully as well to decide what kind of response is needed.

And I use the electric grid in the United States as an example and set a hundred percent takedown as a premise for saying, okay, that would be something you would want to think really seriously about responding to appropriately. But if you took down instead a tiny bank in, I'm not trying to pick on any state, but just some small bank someplace that really didn't have any impact on our economy at all, that would be a very different kind of analysis. And even if it physically destroyed that network for that little bank, you know, we would probably not be thinking that we're starting World War Three. So the scope issue is something we're just going to have to kind of grow our way towards.

Scope, I'm sorry, but we do it all the time in the kinetic world, and that's one of the things: this is not, I mean, science, to apply the standards that we have and we've used, you know, routinely, and I would argue reasonably successfully, for decades in the kinetic world. It's just that we're not used to doing it, in part because, going back to my sort of opening point, we're not transparent enough in talking about what these capabilities are. We just haven't gotten practiced enough. And I think through exercises and simulations we could get more so, actually think through these issues, so that when Frank says you're walking in, you know, if you are walking into a principals or a deputies meeting to talk about some of these issues, the people around the table are not
like deer in the headlights, we don't even know what you're talking about, but instead they've been through it in the way they've been through a whole variety of other things that are endemic to national security discussions.

Scope, I just wanted to add, is not only sort of the breadth of the damage, but also what's lying there in the future, cause for potential damage.

Yeah, I think that those two points are kind of crucial ones, in that we have treated cyber warfare or cyber attack as this, you know, unique thing. And the more we can push it into the realm of traditional experience, noting that there will be areas of ambiguity, right, but the more we can say that the laws of armed conflict apply, the easier this will be to deal with and the easier it will be to think of responses.

I was going to say, I think universally all four of us have lived through that, and the more you deal with cyber, the more you realize it is the same. The same rules of the road apply, the same rules of armed conflict apply, and international norms. There's some fuzziness on the edges, but I know these two in particular have beat me over the head years ago on that topic.

Only when you deserved it.

And I was encouraging. But I think as we talk about scope, it reverts back to an earlier part of our discussion about rules of the road. And picking up on Judy's point, a small bank in some state may not be a big deal, but as the world is just a little linked in terms of e-commerce and e-banking, it may not be impossible to develop a rule of the road among nation states that you don't touch the financial sector unless it's World War 3. You don't touch the financial sector, because everybody's implicated in the end. You don't touch electrical grids, and we'll come to that. But there may be areas where you can actually get people to cooperate.

I share the view of my colleagues that we do have models from the kinetic world that are applicable, so this is not all new. But what does make it, I think, somewhat different, that we
need to understand is, again, some really bad destructive stuff can be done by just a couple of people, and that's different. And I mean, I could easily imagine a scenario in which we démarche some government and they said, we have no idea what the hell you're talking about, and mean it. And so I expect what might be a little bit different in the future is some of this may end up being more police-style action as opposed to, you know, armed conflict kind of thing.

But again, Bob, we have traditional models for law enforcement, and I think the whole debate after 9/11, how we handle terrorism, where terrorists can do massively destructive things and there's no nation state behind them.

Good point. A good way to test somebody's response: if you went to another government and said, what happened, and they said, we have no idea, maybe the next question should be, then okay, so cooperate with us in the investigation by the law enforcement guys. And if they say no, which at least some of our opponents right now would probably say, no, you know, that's a good tip. So maybe the next step here is, okay, it wasn't you, I accept that, help me investigate. And that's part of the responsibility of the nation state that I was trying to suggest earlier, which is, you know, you can't just say, ah well, it's happened, but that's life. That's life, there's more to it.

But I do think, even now, I'll sort of switch back slightly, I do think that there are lots of sort of examples in the kinetic world that we're used to that absolutely apply here. But the fact that people don't get it right away I think sort of requires us to have a more explicit international conversation about what those rules are and how they do work in this world, even though it shouldn't be rocket science to figure it out.

What would that international conversation look like? This is a self-interested question.

Well, you come first, right?

Yes, exactly.

I mean, I think it's hard, because I remember seeing some, there were some efforts, as I recall, pushed in
part by Russia in the 90s, had some sort of complexity behind the motivations, at least as we perceived it. And so I'm not saying it's necessarily easy to do. But I think as countries over time, and I don't know how quickly a country like China will recognize that the tipping point has come where it has a lot at risk, as much at risk as it does to gain, but over time countries are going to get more sophisticated about: if this can hit Iran, if it can hit the U.S. SIPRNet, if it can hit Sony PlayStation, if it can hit all these things, maybe there really is something there that we ought to be talking about. And we sort of do know how; we have treaties for lots of stuff. We can start having a process that would lead, whether to a treaty or just rules of the road, but there are various convening mechanisms that we've used in the past, and I think we should settle on one or two and go for it.

Someone from the PLA said to me a little while ago that in cyberspace America has a big rock in its hand, but it also has a big plate glass window. And they realize now, he said, China now realizes that we have a rock, but we've also got plate glass windows. And he was sort of making the mutual vulnerabilities argument, which I thought was neat.

But what's interesting is there's asymmetries in that plate glass window. And if you talk to the PLA, their concern on the internet is internet freedom and the ability to control voices and potentially internal unrest. Go to the Middle East, the same way. If you come here, you're going to have a conversation about catastrophic process control system attacks, the electric power grid or the air traffic control system. So I think anytime you go internationally you have to be prepared to talk that asymmetry and say, okay, if you let up on taking my IP, I may consider relooking our internet freedom policies. If you go to the EU, that conversation is going to be so infused with privacy issues, there's going to be a completely different conversation. So you have to be prepared, I think, almost in a
bilateral as opposed to multilateral conversation to deal with those kinds of internet asymmetry.

But I think you've just opened up a door that we all should have opened up a while ago, and that is there is a linkage between what happens in this world and the other kinds of policies that we pursue. And so, without passing judgment on the administration's internet freedom policy, and clearly some governments view that as an extremely unfriendly act, there's always been, well, always, certainly since the Carter administration and before, there has always been a debate within an administration as to the degree to which human rights becomes primus inter pares of our national security goals. And the world is connected, and I think that again is something that would have to enter into all of this. And there may be areas where we say we're going to throttle back a bit on that policy, because we understand that we are causing you internal political problems which are serious and which lead to possible loss of political control. And it becomes more complicated because it is a very divisive issue here at home, but it cannot be hived off of this broader international discussion, and perhaps even rules of the road.

Before we go marching off to some international issues, it strikes me that it would be useful to focus on some U.S. policy as well. We've got, you can hook up any old piece of equipment to the Internet. I find it astonishing, and let me say that I'm either burdened or blessed with ignorance of the technology involved, but when you take the cheapest piece of electrical equipment, there's a nice tag on it, U.L., and it basically, as I understand it, is certifying that when you plug it in the device isn't going to blow up.
So far as I can tell, there's very little, there's nothing equivalent to that in the computer world. And so all kinds of devices can be hooked up to the Internet that are extraordinarily vulnerable, and it seems to me that under the Interstate Commerce Clause of the Constitution, Congress could easily say, look, there are so many vulnerabilities here, we're going to tighten up the laws on what's allowed on the Internet, what devices and so on. Now, I know the Internet's the vaunted freedom and so forth, but even Dodge City eventually realized that some laws were useful, and I think we've gone to that point in the Internet world.

One of my rules is never to talk about viability, so I'll just skip that one. I will come back to it, but let me go to the Internet freedom one. I've had both Russian officials and Chinese officials tell me information is a weapon and the U.S. uses it against us. And the classic line for me was a Chinese official who told me that Twitter was an American plot to undermine governments. That's a legitimate observation, and you have to factor that in, obviously. They also assume that we have a greater degree of control over our media than we actually do, and they control theirs. No grown-up country would just let a newspaper... They don't believe it. So what do you do in a situation like that? And one of the things that has come up as an idea, and don't scream, is to harken back to the Helsinki Accords, where you got a certain degree of freedom in exchange for something, recognition of borders, that the other guys wanted. Is a Helsinki-like model at all reasonable for this sort of approach? What would it look like, and what would we, we don't know?

I think we have to acknowledge that the Internet is becoming increasingly nationalized. Syria cut the entire country off the Internet. Iran tried to do that. Iraq certainly tried to nationalize the Internet for keeping the population at bay.
We certainly saw the infrastructure when we rolled into Baghdad for that. And I think we're going to have to recognize that the Internet as we know it is changing rapidly, and it's becoming an instrument of state power just like every other capital asset that we faced in the history of mankind. And I think that's going to drive such a multiplicity of policy complexities that we're just going to have to start dealing with far more nuances than we traditionally have in Internet policy. I'm not sure we're there yet.

To an authoritarian state, freedom of information is a threat. To us, it's the lifeblood of our political process. And to the degree that we insist that we're going to, it's like Radio Free Europe. So it's jammed. We kept broadcasting. But this is more serious, because it can reach hundreds of millions of people. And it's the kind of discussion... Again, I'm not prepared, off the top of my head, to come up with an approach. But I think the idea that you came up with, which is a Helsinki conference that talks about various national security requirements, is not a bad place to start.

We're trying to keep on schedule, more or less. Why don't we go to the next slide? And that takes us a little bit away from where we are at the end of this conversation. It gets us back to the middle of the last conversation. Certainly the phrase free flow of information means radically different things to the different countries that use it.

As of spring 2011, U.S. electrical company networks have been probed thousands of times every week. 6% of executives surveyed said that their company's networks had been infiltrated at least monthly. And 74% of them believe that there will be a major cyber incident within the next two years. Senior intelligence officials say that some of these intrusions represent reconnaissance by potential opponents.

So let me get on my soapbox here. You know, briefer, show me the data. Show me the intent that it's reconnaissance.
As opposed to, I love picking on the Chinese, as opposed to a Chinese company who is interested in how a U.S. electric power utility accommodates for weather fluctuations in its load balancing operations. You know, we constantly see the collection of data between nation states for commerce purposes. And yet somehow we automatically tag everything in the cyber arena as a national security threat. And I think we have to resist that constantly, and constantly badger people like you, Ms. Briefer, to say what assumptions have gone into this. Show me the data, and if we have none, don't make that leap. What will happen when we make leaps in the national security arena? In fact, in the cyber arena I would suggest the data says this is not a national security problem. Google, this is your problem. You got in bed, from an industrial perspective, in China, and you knew that was a hostile environment. You knew that was an ungoverned terrain, and you should have been better prepared. Electric power utilities, you have IP you need to protect. You know the traditional methodologies that even your competitors would like to have, and they can go fishing on the internet. So shame on you. But let me help you fix that. But for us, from a policy perspective, we constantly see ill intent at the nation state level, and I don't think that's good, not only for the public-private dialogue, as public policy. It certainly isn't good for international relations, if we go jumping into these things with April.

I agree with Bob, which makes me sort of question myself. Bob and I are old colleagues. I hope nobody takes that seriously. I agree with him. I suspect it's very tempting for executives of any private company to want to shift costs to a governmental agency. We're being attacked; implicit in that is, you the military or you the police force, you've got to stop those attacks on me.
I don't think that's necessarily an accurate assumption, and it seems to me that Bob is right in the sense that, look, if your system is so vulnerable that you're being attacked monthly, maybe you ought to tighten up your system and limit that. But, you know, it's interesting, because FERC has some regulatory authority over the grid, specifically on this, but it's very soft. It's just that they get to review the standards put forward by the industry group that comes up with them. So nothing's really happened. This is a discussion we had in the 90s. We're having it right now. Nothing really has changed, although the ability of attackers, whether they're nation states or just kids, has grown apace. There's legislation pending on the Hill, and there's also part of the president's own initiative to do cyber, and different approaches. My own bias is that on the grid, putting aside whether we have definitive evidence that somebody's doing something really malicious right now, it's clearly a vulnerability, and we've got to find a way to address it. I think you have to mandate some standards from Congress. That's my personal opinion; that may not be what everyone else thinks. You probably have to find a way to finance it, because the utility companies are still in this mode, for better or worse: they're rate-based. They don't really want to do anything unless they can pass it on. It's perfectly rational from their perspective. They've got to pass the costs on, and if you don't have a basis for doing that, you've got to have an integrated approach. I actually think we ought to pick off the grid as a specific example and get it done, even as we're working these other...

I agree. I agree with Judy. Absolutely. I'd take it in two directions.
One, based on some experience I had a couple years ago consulting with one of the larger cyber defense companies in town: the electrical companies are not going to spend the money to protect the grid, and I think they should be made to do so. And there may be some federal assistance, but I think that it has to be done. But I think also this is the kind of message that needs to be put out by the United States government publicly: that interference with the grid constitutes an extremely serious act which could lead to potential loss of life in the United States, and which would be subject to very serious retaliation, whatever that may be. You know, we here suffer outages after a thunderstorm, and things are bad. I was recently in Tuscaloosa, the tornado. They lost power for about eight days. They lost power, they lost water. You know, I mean, you can cascade this. If you lose the ability to generate or distribute power to an entire region of this country, we are going to be in very serious trouble as a nation. There will be loss of life, there will be huge economic impact. And it is not impossible to take over portions of the SCADA networks and destroy generating capacity which we don't have the capability to manufacture in this country anymore; there's a lag time, what, two years? So these are serious actions, and I think these are the kinds of things where you're absolutely right, we need to push industry with legislation if necessary, but we also need to put down very clear markers. To me the two key areas right off the bat are the financial sector and the electrical distribution network.

Beyond electrical distribution, pipelines, the whole SCADA industry out there.

Absolutely.

I think there's an interesting argument to be had about the efficacy of the compliance regime in cyber. Witness what I would call FISMA, that over the period of four or five years cost $3 billion, and one can argue that the .gov domain was no more secure at the end of that $3 billion. So I think it's a hybrid, where you've got to have
compliance, a regulatory regime, as well as an assistance regime, but from the U.S. a true partnership between the U.S. government and critical infrastructure, where the government doesn't just come in and beat some poor utility over the head, but actually comes in to help. So I think there's some encouraging trends from both the national security side and DHS at moving away from that purely compliance regime into an assistance regime, and I think that's the actual key for critical infrastructure providers. But I will tell you, they are operating on razor-thin margins, as Judy alluded to, and if you roll in and say you've got to harden all your networks up to nation state standards, they're just going to roll over and die. So you've got to come up with a better solution than that.

That's where I thought what Frank said was kind of interesting, because it links us back to the Stuxnet thing, which is there are domestic measures you need to take, but there's also international measures, and you need them both. You need to have some way to tell other countries this is a particularly sensitive area. You can't do one by itself. We haven't ever done this before; one by itself is inadequate. A lot of our cyber security focus has been on the domestic side, albeit somewhat fecklessly, for the last 15 years, and we've never actually done the declaratory approach. And somebody will immediately jump up and say, well, now you're drawing Acheson's red line and saying everything on the other side of the line is up for grabs. I understand that point, but that doesn't justify inaction and signaling.

This would also seem to be a sort of activity, if it was a government and if they were doing reconnaissance, it is something that we would normally tolerate. It's a little bit different because they are intruding into US space in a way that other reconnaissance activities didn't.

Satellites?

Well, you know, they're photographing down.

It's true. Human spies on the ground.

I don't know that I'd agree with that. It's one thing
to associate you with my work. It's one thing to do military targeting, and God knows we used to have lots of discussions about what targets were legitimate and what targets are not legitimate, and that's in the kinetic world. If we, well, I don't know that I see that.

You've had to go for one. I was going to, I was waiting to see where this was going.

I'm not sure where it's going. It seems to me that this demonstrates hostile intent, and to the degree that we can identify the source, let me be clear, Bob's right, the briefer needs to make very clear that there are leave-behinds that in fact could be activated to disable or destroy the network. But if one found those kinds of things, then I would take that extremely seriously. I expect the government to take that extremely seriously. We were at war with Iraq; we took out the electrical generation or distribution system, because in some cases the generation system, in '91. I was not privy to those discussions at the time, but if I were a government official, then I would take this extremely seriously.

Well, and that's just sort of, when you talk about, and certainly electricity generation is part of the command and control structure of most hostile forces if we're actually in a war. And so you can then in fact have a discussion about whether that is an appropriate target, what does that do in terms of collateral damage, is that acceptable?
Duration is really a big deal. There's a whole set of issues that you can go through in the kinetic world; you have to do the same here. But if your briefer is strong enough and your conclusion is that this preparatory activity could take down the entire electrical grid of the country for six months as opposed to 20 seconds, that would be a big deal. The facts actually matter here, as everywhere else.

Suppose there are no leave-behinds, though. Suppose it's just planning to do a leave-behind. What do you do? In the kinetic world you've lowered the temperature, and we've talked about, we're going to have to get used to living in a world where networks, albeit with changes along the lines of what Bob and Judy have said, networks are indefensible. So do we just grin and bear it?

I think you do two things. One, you heighten your defences, back to that discussion as to how you pay for it. There's also a word that's crept into the lexicon, both here, and I know Marc Grossman, in one of his State Department studies when he was on the outside, did a study for the State Department on cyber, and my friend Sir David Omand in the UK is using it, and that is resilience. And we need to look at ways to be able to suffer some damage and still be able to recover. And that is, again, a government policy in cooperation with industry. So one prepares for worst-case situations and decides what triage is necessary, and makes certain that one has the capacity to do that triage.

That's why I've also talked about architecture and going back to first principles, because the internet grew in this marvelous way, helped along by DARPA originally, and optimized around principles that made sense at the time. But they could be rebalanced, I would argue, and that might make it possible to have less abject inability to actually defend the network. So I don't know whether that's possible. I don't think it's an easy task exactly, but some of my tech friends say actually it's just that no one's ever, it hasn't, no one will pay for it, and
it hasn't been a priority as a result. But again, looking at some of the real damage that's been inflicted just on regular people, like Sony and Lockheed and a variety of other people, you know, this might be a moment where you could actually get some smart people to reconnect on whether there are some things that make sense. That doesn't mean the end of the internet as we know it, just some things we could do to actually make it easier to build security along with privacy and freedom. Some people have actually suggested a parallel internet, I mean one where you would pay a monthly fee for security, and you know, that kind of thing. Whether there's a business model for that I have no idea, but it's certainly true that the internet was initially DARPA's and that was never designed for these levels of subscribers and volumes and so on.

I think there's .mil, there's .gov, and I think there's .critical infrastructure, and I think those things need to be protected. You know, the Cold War analogy is the US paid to harden some aspects of critical infrastructure during the '50s and the '60s and sustained that, run by private industry but federally funded. I think the same can be said for critical infrastructure now from a cyber perspective. And the resilience issue is interesting, and I think the deputy talked about it this morning when he suggested that there's, you know, an aspect of deterrence that comes from resilience and complexity, as opposed to a big strategic target that is extremely brittle, that is guaranteed to attract hackers like flies, you know, 'let me see how big a bang I can achieve.' And yet if we build resilient infrastructure that is hardened, that is continually updated dynamically against new threats, all of a sudden you'll find them going after softer targets. It's like putting a thing on your steering wheel so that somebody steals the car next to you, and the same phenomenon happens in the cyber world. You know, you still get through it, but you know, you just want them to go after
Frank's car. Although there's a counter to that, a little bit, which is that what you really do, if you do all that stuff and you don't fundamentally change how it operates, is that you make it harder for the kids and the people who are not super sophisticated. But you still... you sort of weed out some of the real jerks, but if you have kind of strong faith, organized crime or whatever, who really spends some money on it, you still will be vulnerable. But it does at least narrow the playing field in terms of what you're supposed to be looking at.

One of my assumptions is that that is the path we're on. Compare who had capabilities 12 years ago, when it was, you know, three kids in Mendocino who would hack DOD, and we're eventually going to squeeze out that lower end and we'll be left with nations, advanced criminals, maybe a few others, maybe some terrorists. So I think we're moving towards the high end, and that's where some of these issues might come up, is we'll be in an environment where we'll have fewer opponents, and not fewer opportunities, but we'll have a harder time stopping them.

But that's when the whole-of-government approach, and law enforcement in particular, has to get involved, you know. And I think the original CNCI simply talked about technology, and I think that's where later strategies coming out of the US government I think are more important, because against the nation-state threat, no amount of network hardening is going to stop a dedicated attack forever. So you've got to have the diplomacy, you've got to have international legal regimes that provide you that holistic solution, and you've got to have a deterrent. You've got to figure out what makes the other side hurt, and you have to make clear that if certain things happen, life won't be much fun at home.

Let's do that as a transition point here to the final incident, where I'm going to be a little more... going home, I think Adrian was too. We've changed the name to protect the innocent, as they used to say on Dragnet. You can
probably figure out who this was. Yes, it's not too subtle. Speak for yourself.

So this month, phishing techniques were used to compromise authentication technology used by DoD and major defense contractors. The authentication data was put to use in an attempt to penetrate defense contractor networks and exfiltrate data on advanced weaponry. Based on forensic evidence, the companies involved suspect proxies acting on behalf of what Jim characterized as a foreign intelligence service in Asia.

Okay, so this one, you're all smiling, I don't know if that's good or bad. You know, this one's interesting for a couple reasons. First, it was a two-step, kind of like Stuxnet, right? Somebody did... we are making some assumptions here and you could push back on that, but somebody did something that was a preparatory action that was then used later in what would appear to be a more classic espionage activity. So what's the response here? And some of the variables might be: how often have we seen this, right? Is it the same actor? How confident do you feel? If you don't know what was actually lost, does that inhibit your ability to respond? You know, if the outflow was encrypted and you don't have a good sense, what do you do in a case like this? This is the kind of thing I think we're going to see consistently in the future, a very sophisticated setup to an attack. You're all going to take the Fifth? You can't do that.

Well, again, to beat up on the briefer, what you haven't told me is, was anything lost? You know, we're describing active espionage, whether it's industrial or nation-state, but you haven't told me whether there was any damage. You have described a methodology that is a little bit more sophisticated, in that instead of one key that I had to... in order to break into the dungeon I had to go steal one key, I had to steal two in this case, in order to get both keys in the same lot. But it's fundamentally the same act; the techniques leading up to that were a little bit more complex. That's good news from
a defensive side: you force the attacker to actually do a lot more work. But unfortunately they did that work very well and did an attack, so we haven't seen the rest of that story. Again, I'd recommend... the media went absolutely crazy on this, again, when they didn't have any of the data that says, okay, they did an attack, they did it nicely from a technology perspective, but was there ultimately no story in it, nothing was lost? Even from a policy perspective, I need to hear the rest of that story before we start building all the options that we would present to the White House.

Well, can we expect that from industry necessarily? Can we necessarily expect industry to want to give us that information?

You know, I think in this case, you know, with the defense industrial base, there's a great dialogue. You don't bite the hand that feeds you, so that's not leverage. But I know of cases where that hasn't happened in the past, particularly the farther away you get from government contractors, purely private sector. My recommendation to my former government colleagues in responding to those kinds of events is: don't roll in and say 'give me everything that just happened to you.' Roll in and say 'let me tell you how I can help you,' and then all of a sudden you'll find that dialogue opening up a significant amount.

My reputation a bit... it's interesting that with the explosion, huge growth, public posture of the internet, that espionage activities like this get a lot of press play. You know, in the past, if you could burrow in and find something or get something, people got intelligence medals and nobody was the wiser. Well, okay, so now it's shifted into this realm. This honestly doesn't excite me very much, because it implies, and I have no knowledge, it implies that we're not doing the same thing to other countries. If that were the case, I would think that that percentage of my tax dollar that goes to the IC is being badly spent. So this is going to happen. Shame on us, or on our companies, that allow really sensitive
data to be classified as FOUO or unclassified and stored in places where people can get at it. But I mean, this is what intelligence organizations do, and okay, so now it's on the internet. This has been going on since time immemorial. This doesn't bother me that much.

It can bother you only in the sense, I think, of the authentication technology that people thought was a strong protector. So it kind of, again, lands... and maybe one of the reasons the media has been excited about this is to the extent some of our most sophisticated companies in the department were thinking that they can rely on this particular kind of technology as another firewall, not officially a firewall but a real protective device, and that behind it you don't have to... I mean, you still have to have cyber hygiene and all that stuff, but it's really something that you can kind of rely on. And this shows that you can't. And so what it really does is deliver the message, again, that we've been saying throughout this discussion, that there isn't any way of protecting stuff right now. And you know, that's something I think we really ought to grapple with, because while you're right, frankly, that it's always gone on, you know, it's still in our competitive interest, economically among other things, not to have everything flow. Just because this can happen doesn't mean that we should allow it to happen, in terms of allowing data to be unprotected. But as far as carrying it into the state-to-state realm, that's a different story.

Again, shame on us for having data... I mean, what was the story a couple of years ago, that all the data that was stolen was unclassified but when aggregated became classified? Well, you know, we're the people doing industrial security at the various companies; that shouldn't happen, that's our fault. I have to admit I admire the guys, because they identified a crucial target that could give them multiple points of access, so I hope they did get a medal.

We're at the end of our time and I'm going to do two things. I'm
going to quickly say what I got out of this. I thought it was a great panel and you guys did better than I expected. Um, well, expected... damnation of fate. There were tremendously high expectations and they of course exceeded them. I'm going to say quickly the couple points I got out of this, and then I'm going to ask you if you have any final quick words here.

I thought the emphasis on ambiguity and uncertainty was interesting, and the notion that we're in a permeable environment that may not be fixable absent very large strategic-level changes. The application, the ability to extend the rules and how we think about policy making and law that we use for kinetic incidents to cyber, is a useful path and one that's probably the best thing. The whole-of-government approach as a way to think about this problem, particularly the rules of the road internationally, ways to signal potential opponents, build common understandings, I thought that was great. And finally, the whole discussion of critical infrastructure dragged in something that doesn't get dragged in very much, which is, you know, for these guys it's a business and they have to remember the magic letters ROI, and how do we get into their thinking about investment. The example of hardening the telecom structure during the Cold War is a classic, where we basically paid, we the government basically paid for that. So I got a lot of good stuff out of this. Any final words from our distinguished colleagues?
If I could just make a comment about the economics of it. You know, with the introduction of the internet there were tremendous savings available to companies, and I think companies kind of thought that these were free goods. And I think the point that a number of us have made is they're not free goods; there's a tremendous potential cost, and the question of course is who's going to bear that cost. And look, I mean, that's the foundation of our tort system, is who pays for injury. But I think a serious conversation needs to be had on that basis of: is this a government responsibility, you know, 'protect me,' or do I have some obligation to put good locks on my door?

I think the other thing that this discussion demonstrates is that we're really in the infancy of the policy and, you know, strategic and architectural. It's odd that we haven't been able to advance this discussion more in the last 20 years, despite you working on it all the time, Jim, and being amazing. And so I'd like to see a little bit more urgency around this problem, because there's just too many examples, whether it's Sony or the electric grid or whatever, that there's a real problem to work on, and if we actually thought about it we might be able to fix it.

I agree with that. The only thing I would add to your list is pushing the government to identify what are truly red lines, thinking through the kinds of threats that it would like to make, which would not be mere image threats, to make clear that there are things we will not tolerate in this realm. And the other question I think that did come out, and bears some thinking and some discussion, is how do we balance, as Bob started us off on the question, how do we balance some of our policies about internet freedom, which other states view as hostile acts, with our own concerns about our own vulnerabilities to what they do to us.

I think one of the more fascinating areas of understanding cyber security, network intrusions, is the psychology of it, and people forget
this is not just technology, there's people involved. There's a gap between operator and policy maker and legislator; there's a gap between how governments, how cultures, perceive operations and activities on the internet that they have to accommodate for; and then there's a gap between the technology developer and the operator that actually has to use that. And the psychology of understanding why do you keep on clicking that URL in an email, period. And there's some interesting academic work being done there, but clearly not enough. And I think the biggest problems I've seen in my career have been the people, where, in the psychology of trying to convey a very technical problem and a very emotive problem, because of the sense of violation that people get when their computer's been attacked, to a more rational understanding of what is a real problem, what is a threat, what do we have to do about it.

Please join me in thanking our panel.