So, thanks. So, all right, my name is Kenneth Geers and I work for NCIS, kind of like the TV show, but not quite like the TV show. I'm going to give the first slide to the cyber czar, and this is not the American cyber czar, it's the Russian cyber czar. So, I just gave this presentation to the Russian delegation, and the Russian cyber czar, his presentation was about that an asteroid is flying toward planet Earth, and we all need to come together to save each other and the planet before it hits the Earth, and he's talking about the threat of cyber attacks and cyber warfare. So, but he's a great guy, and he stayed up with us till 3:30 in the morning, us researchers, a couple of nights drinking, and so it was my experience at the NATO Cyber Center in Estonia prepared me well for the Russian presentation conferences, which are really quite a lot about drinking. So, I'm going to start in World War II and just talk, you know, a little bit from the perspective of the boat. I think all of us are in the boat together, and that's what I told the Russians, and we're looking toward the future. Last year, I took my kids to this beach, Omaha Beach, and you're sitting on the beach, it's beautiful and quiet, and it's kind of hard to imagine that not so long ago, really it was the scariest place on Earth, and it was sort of a pivot in history, which much turned, but this is a good place to start the presentation because you can see this superficial layer always has underneath it quite an important technical layer that we can't forget about. So, this is the ENIAC, the first electric computer, and it was built in the early 1940s, and the hope was that it would calculate ballistic missile trajectories faster than a human could with pencil and paper, and it did. It worked very well, 300,000 times faster than a person with pencil and paper.
And so, anything this powerful, you know, is going in the national security space to be fought over among, I mean, imagine a couple of kids with a toy, right? Well, imagine nation states with this kind of power at their disposal. This is the Enigma machine, and you may also know about Project Ultra, which was the Allied effort to break the German codes so that we could see what the Germans' plans were during the war. Now, when Winston Churchill met the King of England after the war, he said it's due to Project Ultra that we won the war, and many analysts feel that the breaking of the German codes shortened the war by about two years. So, a little bit on the history of weapons development, you know, you're trying to go longer, faster, farther from a safe distance, you know, but Charles Babbage in the 1800s, he said, look, you know, there is going to be an information revolution that's going to change everything. This is, on the bottom left, one of his mechanical computers. And then in the 1990s, we all get this power ourselves at home in our pocket. You know, now on your cell phone, of course, you've got more processing power than everyone had around the world during World War II. So, some people, you know, they shop online. Some people play chess online. There's a whole class of people around the world. When they look at the internet, this is what they see. They see a zero-sum power game in which, you know, they're constantly trying to either take space or defend space. And this, you know, this phrase, the advanced persistent threat. One of the ways to think about it is that a military or foreign intelligence organization has, or domestic intelligence organization, they have a job description, which is to hack networks and to own networks and computers. And if somebody dies or retires or gets transferred, takes a new job, somebody else is going to sit in that seat.
And that's what really makes the difference between, say, a lone hacker and a professional organization. But this is the way they're looking at the internet. There's leadership. There's weapons. There's media. And they're constantly doing national security calculations around it. So, we're just going to look at 10 things that I think are really important areas to look at about cyber conflict. And we're going to see what Sun Tzu has to say about them and see going forward how we can use The Art of War. And The Art of War is a lot about peace if you haven't read it. And Sun Tzu says war is actually the last thing you want to do. So, first is the environment. Look, I think the internet is you can configure it any way you want, right? It's artificial. It's made by people. And one of the things that is currently a hot topic in international cyber conferences is the difference between maybe, for lack of a better description, east and west today and how they view a malicious cyber attack that involves code that attacks, say, a device on the internet and malicious content, which a lot of times when authoritarian governments are talking about a cyber attack, they are talking about content that they do not like that challenges their government's position. And so, this comes up quite frequently now in international cyber conferences and it's something to be aware of. Sun Tzu says, these ten quotes will be directly from The Art of War. It says, the natural formation of the country is your, as a soldier, best ally. So, this constitutes the test of a great general if you can understand and so forth. If you are a potential cyber commander or hacker or a cyber defender, this is something that you can think about and take as advice from Sun Tzu.
This is the Stasi, so the East German intelligence service, and quite famous during the Cold War, they were the most rigorous, the harshest intelligence service and so every letter that would come through, they would steam it open and read it and steam it back closed. And this is the extreme end of surveillance. And I think this is much more difficult in the internet era but don't underestimate the power, I think, of governments and organizations even though it's quite hard to do seemingly to duplicate that feat with internet communications. So, this is Burma in 19, I'm sorry, 2007 when they had pro-democracy protests. The government just decided to turn off the internet for about two weeks because as soon as they started cracking down on protesters, everyone's taking pictures with their digital cameras and flying across the internet and the government said, you know, we are far behind in this game and they pulled the plug, proving that the internet does have borders that can be sealed. So, here's just some thoughts on a cyber battalion. I'm working on this list with the great Roelof Temmingh, the guy who founded SensePost in Pretoria, and so we're working on a paper on this. The top three you can say are very close from a historical perspective, you know, you need intelligence, you're going to need special forces and what you hackers call social engineering, I think, spies who have been around for a long time, they know as human intelligence, right? These things are very close but the bottom four, you know, if I'm the cyber commander and I need to get across a bridge, you know, I need a combat engineering battalion. In cyber war, I need somebody who can code me something today to get me across a digital river. An infantry, and Roelof is writing about this, a network penetrator. This is the equivalent of somebody who kicks in a door, who forces their way into a hostile territory. And then lastly, weapons.
Today we can see that information itself has become a weapon and it can accomplish any number of goals, pushing information out in terms of propaganda and also even such as critical infrastructure attack. It's well known already that you can, with code alone, destroy a piece of physical infrastructure. So I'm from a NATO environment. I spent four years at the NATO cyber center in Estonia from 7 to 11, 2000s. And so this is some of the stuff we're looking at. How do we help NATO to secure this stuff? And you can get a sense of how difficult it is. So these are a shot of the deployments in Afghanistan. And you might not know this, but NATO has zero troops, no troops at all. All they are is contributions from the nations that are part of NATO. So you put them all together on an ad hoc basis and they have different languages and different equipment. You name it, different perspectives, trying to get them all to work together, even the most wizardly system administrator in the room I think would have some difficulty here. This is Kosovo. So you can see there's 24 NATO nations and also 10 non-NATO nations that volunteer to take part in this peacekeeping mission. Bringing them together and letting them communicate with one another toward some goal is quite difficult. I think to some extent it's important, this is the map of the world today. I just want to give you a small bit of encouragement. I think that never before have you in your seat today had so much power, right? You know, historically governments had a monopoly on the use of force, on publications, the telling of history. But now, not only do you get real-time information, but you can push it back and say whatever you want to say and write your own story. And so what this means is that I think you're going to see, we're all going to see, in the next two, three decades, borders redrawn on this planet, right? Maybe green, not green, violent, nonviolent, carnivore, vegetarian.
But the internet absolutely has the power to redraw borders. And so this is an important time to think about that and I think this is a good map of the world today. So two, technology is moving so quickly. I think even if you are the director of the most powerful intelligence organization on the planet, it's a difficult time to sleep with both eyes closed. Is it not? Because you cannot be sure what your adversary has in terms of infrastructure, in terms of attack and defense capabilities. How many kinds of SQL injection attacks are there? You need to start defending classes of attacks and also reading Sun Tzu who says, there's a lot of great quotes in the book on defense. This is a good one. The art of war teaches not to rely on the likelihood of the enemy doing anything, but rather on the fact that you've made your own position unassailable. And this is really, really good advice. So if you think about how quickly everything is moving in cyber just in terms of infrastructure, but also attack and defense, you know, in 2007, the cyber attacks, basically they followed the chaos in the streets. That came first. The cyber attacks came after. One year later in Estonia, most of the analysis was about cyber attacks supporting ongoing military operations. They were simultaneous with each other. Soon after that, you have the Arab Spring start in which most of the analysis is talking about how the internet and Facebook and Twitter are pushing the revolution, right? And this is how quickly everything is moving. And I think from a national security perspective, I sit in Washington, you know, you need to think of the internet itself as such a powerful player. And that's why governments around the world who have poor human rights records, authoritarian in nature, they are looking at the Arab Spring with great concern, because those question marks are going to get, that list of question marks is going to get longer and longer and Arab Spring is far from over.
So three, the proximity of adversaries, I think, really, everyone is a neighbor in cyberspace, right? And so this gives extraordinary opportunities for attackers. This is a great time to be a cyber spy. Mostly about connectivity and even closed networks are rarely truly closed, if ever, right? So there's always some kind of connectivity that can be exploited. From another perspective, cyber attacks have been compared to aerial assaults or submarine launches, special forces raids. The idea is to take advantage of surprise and anonymity in order to conduct an attack. Seizing cyber ground, I think, this is real interesting if you're thinking about traditional military doctrine, how do you take that hill and hold it? In cyberspace, it's really difficult to make a good translation of the traditional military requirement of taking and holding ground. What does that mean in cyberspace? In fact, it was almost always quite different. So here's a quote from Sun Tzu's Art of War, and the general is great if you can design it so that the attacker doesn't know what to hit and on defense if the attacker doesn't know what to attack. And this is good advice. Who are these guys? These are representatives from philosophy and religion and military and politics and literature, and all of these guys said something very close to the pen is mightier than the sword. So I think just as we should reconsider everything in light of the internet today, this old phrase is well worth thinking about. And these two examples we can look at are WikiLeaks and Stuxnet, I think, because WikiLeaks has proven that the life term of a secret is shorter than ever. And this is great from a historical perspective. If your government is committing human rights abuses or war crimes, the idea that that is going to go undetected for very long is increasingly difficult to sustain. And about Stuxnet is really code alone has become a weapon. And these two things in fact have, I would say, even merged.
And now you're never quite sure if the information is a pen or a sword. But one of the ways to look at this is to say via the internet now you can push everything out today. If I were to find Obama's birth certificate or something, I can push it out and it goes to the entire world today to prove this or to prove that. And never before has there been anything like the internet to state your case, to make your argument, to convince somebody of anything. And then in the other direction you can say, who are my adversaries out there? Who's the girl I'd like to date? Who is the country I'd like to attack? Who is the party that's bothering me? And you can find their presence on the internet and attack them there. So in this case, you know, with Stuxnet you're talking about one of the most hardened networks on the planet and they know that every intelligence service around would like to attack them and still, and it's not connected to the internet, and still somebody was able to get code inside internally on the network. So with WikiLeaks there was a study done at the University of Colorado that said there's a ton of great information from military side to be published, particularly in Afghanistan. But on the strategic side, you know, you'd have to count quite a few documents to say that there was a strategic paradigm shift, if you will. But with Stuxnet I think it's quite clear. We can all see, you've seen it in the paper recently, we've crossed a certain Rubicon there, right? In which, you know, if you're thinking that, okay, the lights in New York City could go out tonight because somebody on the other side of the world has hacked in and turned it off. I mean, it can blow something up according to the New York Times, you know, they brought pieces of centrifuge and set them on the situation room table to demonstrate that code can destroy something.
So four, I think the unpredictability, we really don't know where the internet is going, the future, I don't know if it's unscripted, but it's at least unknown from our perspective, right? And for attackers, this would seem like an ideal environment in which to operate, but at the same time, I think it's important to think that from a hacker's perspective, it's difficult to know if your attack is going to succeed until you pull the trigger. And you're never quite sure too if the defender might be watching you from some perspective and have a defense in place. And so I think from a defensive side, you can think about building some home field advantage around this fact, even if it's only redundancy, out-of-band communications in order to cross-check information, the integrity of your network. So I like this, you know, the general should hide in the most secret recesses of the earth. And I think on the defensive side of cybersecurity, you should really think in this way, and how can I hide so that nobody will be able to find me if they come into the network, right? And so this is important, and this is really good advice. So I was in Dungeons & Dragons Club when I was little, I'm sure some of you were too, right there. And this is what complexity looked like, and it was already very complex because there was so much imagination in it. And this is a true story very quickly. I had a character die a long time ago, and I was so upset about it. And I said, the character had a wife, and they had a son, and they're going to inherit all of these supplies, right, all of the swords and stuff. And the Dungeon Master looked at me, and he said, I give that a 2% chance of any kind of truth. And I took the 10-sided dice, and I rolled a zero and a two, right? Exactly. But if you think about the complexity today, that first box of Dungeons & Dragons sold 1,000 copies.
Today there's 10 million users on World of Warcraft, and accounts on World of Warcraft are often more valuable than credit card information, right, because you can sell that stuff for real money. It's not just that, it's all of the stuff that's taking place underneath the hood, right? And one of the quotes that didn't make this 10 from Sun Tzu, he said, I can tell you who's going to win a battle if you tell me the number of calculations each commander has undertaken before the battle has been fought. And so here's Orville Wright in 1901, and I'm sure he thought this was a fairly complex machine, and this is the cockpit of the new A380. And I'm sure that it would be difficult to count the number of memory banks and processors and network connections in that machine. So one more thing from Dungeons & Dragons, and everybody in here we can divide ourselves into somewhere on the alignment matrix and if you disagree with my alignment, we can talk about it later tonight over a drink. But basically you've got people there trying to do good within the law, you've got people trying to do good outside the law, and then you have lawful evil, and this is sort of like the 1984 or an evil repressive government, and worst of all you have chaotic evil like the guy in Colorado who's not abiding by any rules and just wants to destroy things. You have the same kind of alignment on the internet. I think you have Skynet who wants to take us all down maybe in the future. You have the Khan Academies and TED Talks and Singularity University, you know, which are trying to steer technology in the right direction. You have Anonymous who's trying to do good, but they're playing outside the rules, and then you have North Korea, which is so evil they are forcing their citizens to use Windows 95.
So the advantage, there's a lot of talk about the advantage today of an attacker over a defender, and there's a lot of truth in that for sure, but I think to a certain degree it's like piracy, you know, it's, you know, hackers are like pirates and then they can catch you with your pants down, right, and they can sail away, and so the question is whether you can turn tactical advantage into strategic advantage, and I think the answer is yes, but it requires, you know, a sustained effort and some history and momentum on your side. Rapidity is the essence of war, you know, take advantage of unexpected routes and unguarded spots, and I think this precisely captures what a hacker can do to your organization. So let's look at a current event, Syria, and see what's going on in the news today. This is a shot from 2007, and you may have seen this before, but if you're not familiar with it, the Israeli Air Force bombed an alleged nuclear reactor in Syria, and it's widely suspected that a cyber attack played a role in taking down the Syrian air defense, and it doesn't take much thought to think that this is absolutely possible, right? All you have to do is your reconnaissance up front, figure out who needs to talk to whom at what time, and you can slow that process down long enough for an attack to take place, especially in the Middle East where everything is a very small neighborhood. So here is an attack, and I like this. This is the Syrian Ministry of Defense home page. So it says to the Syrian people, the world stands with you against the brutal regime, etc. All tyrants will fall, thanks to your bravery, Bashar al-Assad is next. To the Syrian military, you are responsible for protecting the Syrian people. Rise up against your regime, right? This is amazing, right? This is the home page of your own organization telling you to do something against your own government, and so this is amazing to think of the possibilities.
You might not know this, but there was a big uprising in Syria in 1982 in which about 20 to 30,000 people are estimated to have died. That's about twice the number of people who've died over the past, you know, 18 months in Syria today, and nobody really knew about it because what, because why? The internet did not exist. So here's quotes from the New York Times, you know, they cut all telephone and road communications, and there were no reporters, right? So it took a long time for the information to filter out. So I visited Hama, this is a picture of Hama, Syria. I visited in 1988, and I was walking down the main road in Syria, and as I walked, this guy started walking next to me, and he just started telling me the story of what happened in 1982. And so compare that to today when if you have a Twitter account, you can follow any number of live streams from the scene of battle today. Very different. And one way to look at it is that transparency encourages accountability, and accountability encourages responsibility on the part of governments. And the internet is going to play, and is already playing a huge role in encouraging the responsibility of governments. And I realize this is not a great case study, but I think the internet is serving hopefully the people well. So flexibility, there has never been anything more flexible than a cyber attack, right? It's best thought of as a means to an end, not an end in itself. But on the terms of espionage, I am absolutely sure. I mean, I'm on the defensive side. But if you're a spy today, I think this is the golden age to be a spy, because you can go out and pull down more information than you can ever read or think about. The destruction of Stuxnet, I think the most powerful thing is just using the internet, the amplification power of the internet, the peer review power of the internet, the network perspective to put information out there. I mean, it's just like the quality of encryption, right?
You can't have something provide you have to throw it out there and let everybody attack it and make sure it's solid and good mathematics. From the perspective of the internet to push propaganda. So here Sun Tzu says, look, five ways of attacking with fire and you can think about a cyber attack as well. You can hit the soldiers, you can hit their transportation, you can hit their food, you can hit their logistics, you can hit their family, you know, he would be impressed. Here is a case of the Chechen conflict with Russia in the 1990s from the very beginning of the World Wide Web. They were pushing out propaganda and then they were collecting money all over the world and then buying weapons inside the area of conflict. There's even publications based only on Chinese hacking and cyber espionage and this is directly sort of feeding into a, you know, not just in China but around the world, militaries are collecting information so that when they go to war they can actually shut systems down and to facilitate victory. Here's cyber war in Georgia. I think actually a better case study is even 1991 when the coalition, you know, defeated a million man Iraqi army with very few casualties. I think that's when Russia and China looked, you know, and said, hmm, you know, we need to catch up with what the West is doing in terms of networking their forces. If you've seen this, we just had the 23rd anniversary of the Tiananmen Square massacre and this is the Shanghai Stock Exchange. It opened at 234698 and you can see the numbers but basically the Shanghai Stock Exchange opened on the top number and it closed at that many points down, right? So even it was based on millions and millions of trades during the day and you couldn't possibly arrange this, somehow these numbers showed up to remind people in China of 1989. 
You probably saw this in the news today or yesterday and the Iranian nuclear program is having more problems and their computers are all going to max volume and they're playing Thunderstruck by AC/DC. So a cyber attack is basically anything you want it to be and let's go back to Dungeons & Dragons. I think it's imagination, it's timing, it's creativity but there is no one that is alike, they're like snowflakes. So attribution, this is huge, right? Because you can't prosecute, you can't deter, you can't retaliate if you don't know who is attacking you and so the other thing about this is that the ease of entry onto the cyber battlefield means that the number of potential adversaries is much greater. So this actually has a compounding effect, figuring out who is attacking you is not easy. I do think though if in the event we ever do see a real cyber war it will be clear who the attacker is because one of the things that normal citizens don't think about is governments have a lot at their disposal. They have signals intelligence, they have human intelligence, they have money, they have embassies overseas, etc. in order to determine attribution. So this is a great quote from Sun Tzu. A wise general forages on the enemy, and one cartload of the enemy's is worth 20 of your own, and this is perfect for cyber because essentially hackers are stealing the credentials of an insider, right? And so then they kind of become a virtual spy in the other camp and I think this is really important for system administrators to look at it this way and to assume that they may have a cyber spy in their camp at any given time. I think for traditional spies this attribution problem is not so surprising because if you've seen this senior Palestinian figure that was assassinated in the Middle East about six months ago, you saw the team of assassins, they looked like a family from South Carolina out to play tennis.
This guy in Bulgaria the other day who was the suicide bomber on the bus against the Israeli tourists, I mean he had a Michigan driver's license. You know, he looked very nondescript, young backpacker, and so from a traditional standpoint this issue is not new. Most wars around the world don't have 24/7 embedded reporters. Really, there's a lot going on in the world that is quite low on attribution. These guys are the Black Hand in Serbia, and before you think that the non-state actors aren't that powerful, and they're even more powerful today by the way, but this is in 1911, so they had played a critical role in pushing the world into World War I in which many millions of people were killed. And also by the way there was a Black Hand 2.0 in 1999 when NATO had the war over Kosovo, there was a hacker group that was attacking NATO during the conflict and actually had some tangible, modest but tangible, successes in their hacking efforts. Here's the EP-3 that went down in China and you had patriotic hackers on both sides of the Pacific hitting each other. There were hacker portals, there was a China killer, a USA killer, and the dynamic here that's interesting is that this means that you all can play a role in attacking and defending your country absolutely with no chain of command and no approval by anybody. It's only your personal nationalist pride is offended, you know, and so you're out there fighting, and from a national security perspective, from the government perspective, that means that you don't necessarily have a monopoly on the use of force or on the level of tension or on the sort of the range of diplomatic options perhaps.
So here's the soldier that was moved in Tallinn, and if you know this story, you know they wanted to move it out and the cyber attacks came back at them from pro-Russian elements. And the issue here really is pride, you know. I mean, if you know anything about Russia and Russian history, you do not say anything bad about their role in World War II or offend them in this way. I mean, it's like you showing up and somebody's dancing with your spouse, you know, at an event, you know, you are not going to be happy. And so the Russians were very upset about this for, from their perspective, very legitimate reasons. And so the point is though, there's a lot of nation-state hacking that could go on that is well outside the sort of the purview of government. Even within NATO, so you have the Greeks and the Turks, these are hacker groups, you know, in Belgium you have the Francophones and the Flemish, you know, and here you've got the Michigan and Ohio State, and there's no end to the divisions you can find in which you will probably find some level of hacking going on. Wherever there's tension in the real world, there's tension in cyberspace. If you haven't seen this, it's very interesting. There's a lot between Iran and Russia, Russia and Israel, in terms of conflict, and so you're starting to see people post their picture to the web and saying, hey, you know, I disagree with my government, I don't want war, I want peace. So you can see that, Iranians, we will never bomb you, and look at this woman from Iran who fired back, you know, we don't want the bomb, we want democracy, we're your friends. And here is a couple that found love and they're holding up their passports. So from a national security perspective, again, you have to consider the power of people and non-state actors to contribute to the level of tension that they would otherwise probably like to control. Cyber wars can be very quiet, right? You could imagine maybe a decent size conflict taking place via the internet that nobody knows about except
for the direct participants in the conflict, right? Because there's no smoking hole and there's nothing, you know, it's really geek versus geek here. And so the Pentagon is trying to establish some level of deterrence policy and they're saying, you know, we could imagine attacking back in, in real, in physical world, cyber attack. I don't think we won't do it, but it's difficult, that's a difficult proportionality to work out, and when you're calculating sort of especially the use of force, there's a lot of lawyers in the room and they have to really think, is this a proportional response to the attack that we have received? And one final point on that, the private sector I think is probably absolutely not ready to deal with a foreign intelligence service attacking their network. And so if you think that these two countries might go to war and so they need to start undermining their electrical grids or their water systems, this is an interesting point, and of course this is in the paper today as well, how much should the government require of the private sector in terms of computer security? And it's a good question. So, divine art of subtlety and secrecy, we learn to be invisible and inaudible and hold the enemy's fate in our hands. This is really good. So I could offer you something here. I was at the NATO cyber center for four years and next year I'm going to play maybe a lead analyst role as well in the 2013 cyber defense exercise that they're going to run out of Estonia. And five years ago this was a couple of guys in and beer, and it has grown enormously. Now it's going to be the fifth iteration next year. Last year they had 350 people working on this and you can see the level of detail. This is built by the Swedish equivalent of DARPA. Here they put together a whole sort of model, all these tables, there is I think 12 factories there, and the engineers in Sweden were quite sure that these are, in terms of hardware and software, quite realistic. These are
electricity plants, and what we did was we ran a test and we said, okay, these are terrorist hackers targeting these plants. So this is getting bigger and bigger every year. Last year they had 350 people, and so it should grow. So contact me if you might be interested in participating in the 2013 cyber defense exercise.
So Al Jazeera, The Economist and Popular Mechanics, all very recently, have had drone-specific reporting talking about the evolution. You know, now the military has robots that can swim, slither, fly, hop, and they're also being given some level of autonomy to make decisions on their own. And you know that it's only a matter of time before, you know, lethal weapons with sort of autonomous thinking and decision making are here. And if you haven't seen Ghost in the Shell, watch it, because it's taking place in the year 2029, in which case you have a very powerful cyborg, you know, this elite force. But it's not just the fear that this technology will be abused or will even operate outside its parameters. In this show, they look at the issue of an unknown hacker taking control of that technology. So in theory, you have to think that a foreign intelligence service would like to take control of your missile and fire it against your own city, and at least in theory, that has to be possible.
So, subjectivity. I think, you know, I'm on cyber defense at NCIS, and there's just so much work to do. We have two lawyers that sit with us because, you know, they're trying to make sure that we, you know, operate within the law. But then everything from the collection of data to the analysis of data, reporting, all of that, there's huge obstacles in order to complete any cyber investigation. And in terms of bomb or battle damage assessments, you know, you can say, well, okay, they came in and they stole all of our new, you know, submarine data. They did? That's terrible. What exactly did they take? Well, we're not quite sure, because it
was all encrypted. Okay. And then they say, well, are they still on the network? We don't think so. You know, can they get back into the network? We're not sure. You know, these are very common answers, right? And it's very difficult to know, you know, necessarily the level of threat. Can they take advantage of that information? Can it be used against us? All of that information is very difficult, and there's a lot of subjective also thinking going on in terms of the scale of the threat.
And so, effects-based: you know, well, if nothing happens in the real world, we might be okay. You know, if the light turns on every time I flip the switch, great. And if my pay keeps coming in to my account, well, I'm not going to worry, right? Because I can still buy groceries. And so that could provide you some comfort. But this violates the most important, or at least the most famous, quote from Sun Tzu's Art of War: if you know the enemy and know yourself, you need not fear the result of a hundred battles. And I think even knowing your own network very well is a challenge enough, but knowing your enemy is even harder.
So there's a book I published last year. It's a free download from the NATO Cyber Center site. I look at four areas. Deterrence: this is difficult, very difficult, because your deterrent, your threat, has to be credible, and it's not credible because of these twin challenges of asymmetry and anonymity that take place quite often in cyberspace. Arms control: if we can't prevent cyber attacks, can we limit cyber weapons? This also is very difficult, because you need to be able to prohibit something specifically. And how? And it's very hard to define malicious code, so it's very hard to prohibit it. And then who can inspect cyberspace? It's too big. There's 500 million computers in the United States that are connected to the internet. Technology: can you develop technology to the extent that you solve these problems? And I think the answer is no. Let's give IPv6 the
benefit of the doubt and saying, okay, it's a technical solution to a technical problem. That's great, because if you have a political solution to a technical problem, you're not really solving the problem. And let's say that IPsec and the infinite number of IP addresses will improve security, because you can label things and you can track them and you can authenticate better. Vint Cerf recently said if he could do everything over again, he would put authentication sort of on the top of the agenda. But I think even if we had every solution, people would then drop out of the system voluntarily, because we need some privacy. We need some ability to anonymize our communications, because you're never quite sure if government is going to be friendly in the future.
Here's just one graphic from the book, but basically it shows that I looked at nine areas, five problems and four solutions, and I colored them by influence and by hue here. And you can see that anonymity, I think, is the dominant factor in the system. And so if you want to change the dynamic of strategic cyber security, that's the key piece. You want to change the thing around which everything else turns, because if you know who the bad guy is, you can deter them, you can prosecute them and retaliate against them, in theory.
So then we come to Art of War. If you can't do any of the above, then you need to improve your doctrine. You need to realign your people, your training and your practices in order to deal with this threat. And here I think the Art of War does provide quite a lot of helpful support in terms of objectivity, the strategy, tactics, etc., in order to guide your forces, and morale, and so forth. But the battlefield, this is new. I think the new part is the terrain on which cyber battles are taking place, and this is new. Especially, it's a whole generation that is going to have to be replaced before you get somebody in the
White House, you know, who has a networking background and understands code.
Morality is the final one, the final piece. And then I think so far there's few inhibitions to cyber attack. I think we're all sort of at a place like we're in the Garden of Eden again. You know, the internet has sort of changed everything, and so now we're all looking at these shiny bright apples, right? And we're all really tempted. And I'm talking about, in part, cyber espionage today. You know, there's such a high return on investment via the internet. But none of us would give it up, because we've all benefited so much from it, right? From learning on the internet, and what we gain in terms of being connected to the internet. And so far, really, the lawyers, like at the Cyber Center in Tallinn, they would say if nobody dies, this is not an attack, right? And this is interesting from the Estonian perspective. They're very interested in being a part of NATO and getting defense from the alliance. But attacks are different these days. Cyber attacks look very different than tanks crossing the border. But the lawyers so far are saying no. And actually, later this year, I can put in a plug for this, the Cyber Center at Cambridge University is going to publish an update to the laws of war based on cyber attack and defense and internet security issues.
But I think over time this is going to change. Hopefully it doesn't. But if we see attacks that affect critical infrastructure and affect people in their way of life, then you will see governments come together. This is not without precedent, and this process, problems are not impossible to solve. Hijacking, airline hijacking, used to be a problem. Chemical weapons used to be quite everywhere on the planet, and today about 98 percent of the world governments are party to the Chemical Weapons Convention, and so they're all being destroyed. So it's really important to think about, you know, if the lights
started going out in New York City tomorrow, you would probably see world leaders come together within three or four days and start to try and figure out some solution.
Look at these two quotes from the Art of War. So, "supreme excellence without fighting," "the best thing of all is to take your enemy whole and intact." So it's wrong to think of Sun Tzu or the Art of War as too aggressive. In fact, Sun Tzu says fighting is the very last thing you should do.
There is a whole theory around the just war concept, and it is surprisingly complicated. So let's also, like IPv6, give some of these things the benefit of the doubt and saying, okay, you could have a just cause. You could distinguish between military and civilian. That's really a key aspect, and of course in cyber that's hard. But I want to get down to the bottom, in particular. We talked about prohibition, but declaration of war. You might remember a couple years ago, the former CIA director gave the keynote at Black Hat, in which he said, why might it be okay to bomb a factory but not to hack it? Right? Nobody said anything. Everybody waited. And he said the reason is because you can choose to bomb a factory tomorrow. He said you cannot choose to hack a factory tomorrow. He said hacking a factory takes months, if not years, of painstaking subversion, right? And he said, no, if you think about this for the long term, this is unsustainable, and this is a recipe for chaos and a recipe for a lot of wasted time and money. And so he suggested a couple years ago that, looking forward, we might think financial sector, electricity grids, areas that governments would come together and say are off limits to cyber attack. Now, may not be possible in your opinion, but this may lie in our future. But the problem is, I think, a declaration of war or a declaration of surrender, very hard to imagine in cyberspace. I know these ones and zeros are kind of blunt instruments to look at these
issues, but we only have so much time here.
So another area is confidence building measures. You know, this is what cyber diplomats, or diplomats who look at cyber, are thinking about right now. And this is just five things that I put down that are possibilities, but you may have your own ideas. But I promise you, within the State Department today, they're looking at these issues and wondering which ones are feasible and which ones we could implement. And so they range from a non-aggression pact to joint investigations. You know, you could imagine an incident response team that is on call 24/7, that is staffed by, you know, one person from every country in the world. That would be pretty cheap, right, in terms of human resources. But perhaps you bring them all together, and then it's quite a statement as far as cyber defense.
So we started with World War II, let's end with World War II, and keep our eye on the prize, and particularly peace and security for the future. And to the extent we must look at the Art of War to help us understand cyber conflict and negotiate cyber conflict, we want to think about where we're going and how to get there, which is beyond conflict. Thank you.