 Good evening everybody and welcome to the Center for Strategic and International Studies. I'm Andrew Schwartz here at CSIS It is such a pleasure to have you here Thanks for bearing with the weather or non-weather, whatever we call it here in DC This is a terrific panel we have tonight, but before we get to it I have some people I need to thank first I need to thank the Stavros-Nearchos Foundation who have made this series possible with their generous grant I'd also like to thank the Horned Frogs at TCU. We didn't make it to the national championship this year But we would have been Ohio State, so My wife's from Ohio and half the family went to Ohio State, so I probably shouldn't be saying that in public Without further ado, is there anybody better than Bob Schieffer? Did you guys watch last night on the State of the Union? Bob Schieffer Let me introduce a Gotta work on the hand drops a Terrific panel here tonight Jim Lewis, and I think most of you here know him director of senior fellow of the strategic Technologies program here at CSIS used to work at the Department of State the Department of Commerce Foreign Service officer authors has authored numerous CSIS publications on the relationship between national power and technology got his PhD at the University of Chicago where one of the Sanger children is about to Enroll and he I have to say is the go-to guy on cyber and when I Moderated the presidential debate Last time out. He was the first guy I talked to about cyber and it convinced me He knows more about it than anybody. I know so we're always glad to him have him Sean Henry Now the president of crowd-strike services and company It's a computer security company. He's a retired executive assistant director at the FBI credited with boosting the agency's computer crime and cyber security Investigation capabilities oversaw crime investigations across the globe Including bank and corporate breaches and the state-sponsored intrusions and our buddy David Sanger As I'm sure all of you know national security correspondent for the New York Times twice been a member of reporting teams that have won the Pulitzer correspondent bureau chief for the times in Tokyo for six years Covered Japan's rise in the world as the second largest economic power then his downfall into recession He has also shared his reporting and insight many Sundays on face the nation In the author of a recent book on all of this stuff and we're always glad to To have David with us. Well, let me just start out by asking the panel a question last night Of course was the state of the union message the president Addressed cyber security I just like to hear from each of you and we'll start with you Jim Tell us what the president said What did you make of it and should he have said something other than what he did say? So I'd like to thank David for opening the statements here, no, I'm just kidding It was a good try though. It didn't work I didn't part of it is it they'd already shown so much leg and gone around briefing people I didn't really think there was anything particularly new in what he said They're They didn't go into a long Exegesis on cyber security, you know the drill in the state of the union is you always try and get like your issue or your Paragraph in it and because then we can say that are on an interagency discussions while the president said in the state of the union But in this case, I think more is going on than he said they put a lot of emphasis on Information sharing because that is the current primary task for the guys doing cyber security at the White House They have both a legislative package not particularly new and also some kind of executive action that we'll see probably next month so One of the things I think you said this use You were David said a little surprised you didn't utter the words north and Korea in sequence It would have been nice. I guess they thought maybe it was a little I didn't hear about a sequence well If you look at the beginning and the end of the text he actually never mind You know that one has turned into more of a debate than I think people would have expected and it says something Maybe about why they they kept it as a relatively Neutral statement is that there is a lot of skepticism about what the US is doing a lot of questions You know, I know that more is going on behind the scenes so it didn't particularly bother me How about you Sean? I I know that there's more going on behind the scenes, too I think that was the perfect stage for the president to tell the general public what's happening You know the public is looking at Target and Home Depot and JPMC and a whole Sony and a whole host of other things And I think that there's a lot of concern in the general public I think that there are people who don't know what's happening They don't understand how the the threat to our critical infrastructure what the risks are and what the cascading Implications are of something like that when there's a destructive attack not just the theft of personally identifiable information But actual hardware that's being destroyed from 6,000 miles away I think it was the perfect opportunity to tell the general public two things First that we're addressing this. This is important We recognize it as an issue and secondly there are actions that we're gonna take You know we're focusing on terrorism certainly we're focusing on crime certainly But this issue which is a new threat and emerging risk to the American public It's something that we're attentive to we understand and we are gonna send a message to the rest of the world about how We are going to address this because the risk is too high so I think there was a missed opportunity there and I think that much of the statement was General and and needed to be a little more emphatic what would you say Sean that the threat? That cyberposis to this country is greater or less than people Recognize right now. I think I think that it's greater than the average American Recognizes I don't think the average American really understands and I'll use the Sony breach as as an example Why what I've read and what I saw and I've watched a lot of media on it and I've heard people talk about it I've read the blogs etc. What I saw and heard about the Sony breach was Angelina Jolie is a spoiled brat and it was in a in an email and that you know people stole these emails which happened and People wanted to disrupt the distribution of a movie which happened, but there was a physical attack There was a hardware attack. There was destruction of physical equipment that is a Changing and evolving risk and I don't think the average American Recognizes what that risk is what they see in here is theft of emails somebody lost twenty five thousand dollars Somebody lost their credit card number. I don't think they understand the physical implications of this and that to me as a concern You know, I that's an interesting point. Someone was telling me today and I was totally aware unaware of this Sony's IT system was pretty much wrecked I mean there were people in that company out there still don't have email because Of the damage that was done to their system and that's something that I have no idea about you've just made my point That's exactly right, but some would say it's it's a good thing. They don't have access to email after David Tell me what you know, I know as a journalist I don't expect you to pass judgment on what the past president said last night, but You just hear two gentlemen say that and I know you never do. Oh, of course, I I have no opinions as you know but You just heard these two experts on this What could the president have said? No, I agree with Sean This was a missed opportunity and the reason was a missed opportunity as the president said less Then he actually said in his December 19th news conference where he took the major step of identifying North Korea and its leadership as the group responsible in his view for the Sony hack Now why was the Sony hack different? Sean hit the first point on it. This was the first major state-sponsored destructive attack in the United States We've only seen a handful of major destructive attacks Stucks net Olympic games that was the US and Israel against Iran an Attack on South Korea that people are widely believed but hasn't quite been proven was North Korea in 2013 An attack on Saudi Aramco, which has been attributed to Iran There was an attack in Germany recently against a steel company But you can count on one hand the number of serious destructive attacks that we've seen and this was the first one in the US It's the fact that it was a destructive attack Combined with that sort of 9-11 ish sounding threat to the theaters that you heard the week before Christmas That raised this in the White House in a way that other attacks had not prompted a national response Think of the other attacks that were mentioned just before Home Depot target JP Morgan Chase could have added Banco America from a year before in each of those the president's view was The people who run these systems are are responsible for protecting them and the US government can't step in and Retaliate for every commercial attack that's out there in the Sony case He made a different decision Largely because it was a destructive attack and he wanted to begin to try to create some sense of deterrence And that's why he said we will deal with the North Koreans at the time and place of our choosing We've never heard that before in the case of a cyber attack. And so the missed opportunity Bob I think was just to repeat What he said in front of a much smaller audience during that December 19th Press conference so that he could begin to create some sense of deterrence A last point on this we did an interview back in June with Admiral Rogers the new then new head of National Security Agency and we were talking about some long-term goals and he said, you know David The one thing I've got to do while I'm here is get past the moment where people think that cyber attacks on the United States are cost-free There's got to be some sense of a price to pay and The Sony one was the first one where they began to create that Jim, I know you've Written a lot about this, but I'd love to hear from from both of you on it. Why did so many experts? so called experts Question the government's Conclusion that this was the work Well, the the internet is you know people talk about it being a platform for democratizing information and expertise and it is but democratizing doesn't necessarily mean good So it's kind of a giant sounding board where bad ideas can reverberate Endlessly people aren't trained in this kind of analysis. It's not something you just pick up by watching a couple of the born movies you know and there's a I For obvious reasons a not out of insight into the intelligence activities that lay behind the US decision That said I think the fundamental reason was distrust of the intelligence community a distrust of the American government Damage to the credibility of the government over the last 15 years has been What we saw reflected in this in this incident night, I'd ask some of the loudest critics, you know, I said you You believed in Snowden you said everything that Snowden said was true and You love snowden. In fact, you wear a snowden mask at home at night in your bed, but But Snowden said it's not so I have a snowden mask upstairs if anyone wants to borrow it You snowden said NSA spies on everyone all the time everywhere And yet you refuse to believe that they knew it was North Korea not talking about how they knew but how is that and You know that people get defensive and say well, you know, it's not the same and blah blah blah It's you don't want to believe that NSA could do this You don't want to believe that the US could do this and again this is a point We were talking about a little earlier We have not always been the most open government when it comes to the capabilities We have acquired in cyberspace either for offensive action or now for attribution and that's because of the close link to intelligence Sean you don't have any doubt that North Korea is the one You know attribution is is very very difficult I think that you've got to look at the totality of the circumstances of the totality of the pool of evidence to come up with a Conclusion a reasonable conclusion, you know, we we put people death row for proof beyond a reasonable doubt It doesn't mean that there's that's never wrong, but that being said, let me say this We in at CrowdStrike where I work we Look at intelligence indicators indicators of attack indicators of compromise we We work very very diligently to do attribution in a whole host of these types of investigations Because we believe that it's really important for some of the points that both David and Jim made It's important to do attribution so that you can send a message to the actors whether from a criminal perspective you're bringing somebody to justice or from a national security perspective you're able to To launch some type of sanctions. There's got to be a cost people have to understand So we do attribution and we have looked at the indicators that that the FBI put out and we have been tracking North Korea for Six years and we believe that it is also likely as the government came to a similar conclusion That North Korea is involved based on the tactics and techniques that were utilized in this in investigation or in this attack Based on prior attacks. We've done had conversations with folks in South Korea about attacks that David alluded to earlier where It's it's believed that North Koreans were involved and when you start to look at Numerous attacks in the aggregate and all the intelligence that's collected over a protracted period of time You're able to start to put the pieces of the puzzle together In listening to what the government has said and in listening to what some of the skeptics have said Those skeptics have a very narrow view of and they've seen a very narrow view of what actually has occurred and the totality of Circumstances the totality of the investigation, which is the intelligence community. There's forensics on the ground. There's interviews. There's Siggent through the intelligence community. There's humans through the intelligence community. There's Siggent through international partners There's human through international partners I know what goes into these investigations because I worked them for many years in the bureau and it is a wide-ranging Collection of intelligence that leads to a conclusion So we looked at the indicators as a private sector company and we said we believe that this is likely tied to North Korea The US government made a similar conclusion their Totality of circumstances. I'm certain is much broader than ours and David that was a whole Basis of this extensive reporting that you did you you reported how the United States was able to to make This determination, you know, I come into this Bob as a reporter like you not as a cyber expert like our other panelists but One thing I know from covering cyber issues for as long as I have is that attribution is slow and painstaking Takes a lot of time so This attack was on November 24th and By the second week of December, we had people in the US government saying there's definitive evidence that it was from North Korea and Then the president comes out and says this on December 19th So not even a month after the attack and as soon as those words came out of his mouth He had to think that he must have seen something pretty definitive because what we know about President Obama is he is very cautious He's particularly cautious and somewhat suspicious on intelligence issues and He was highly critical of his predecessor Leaping to conclusions on intelligence about weapons of mass destruction in Iraq. In fact, it's part of how he got elected president So the fact that he was willing to Basically get out there and make this accusation Not simply that the attack emerged from North Korea, which is something they've said before about Attacks from Iran or Russia or so forth, but that the leadership was responsible told us that he must have seen something and It was an illusion made before to the Snowden documents a lot of people talk about the Snowden documents And a lot of people talk about the privacy issues in them If you actually go and read the Snowden documents or at least those that have become public you find a lot about US use of implants in China and Some in North Korea and in fact just this weekend just before we published our piece Der Spiegel the German magazine Published a series of new Snowden documents and one of them referred specifically to one operation to get inside North Korea We link to it from from our story. So There's not a huge amount of mystery here if you're going to have Rapid attribution it's usually because you can see the attack massing and you can only see the attack massing if you actually Have your computer surveillance underway inside the the location where it's coming together Well, what should CEOs take away from this attack and and Sean Wilkins seed They should hire your company that would be there first thing they ought to do, but I mean what Jim what? What should they What did they learn from this or what should we learn? What we should learn and what they should learn are different and Sean gave you a clue as to what the CEO should learn Which is they probably underestimated risk? They need to recalculate the risk of cyber attack and most companies have risk management Committees, I hope they all have cyber as part of the risk management portfolio. They need thank you They need to think about Recovery plans because a company is not going to be able to stand up to a state opponent They need to think about what they put in their email Some of us learned the hard way that you should think about what your emails will look like if they're on the front page of the times my Example of course used the word frog in an unflattering way towards the NATO ally and when you see that you have to think When I'm writing this it's a postcard. What do I think about so you got to think about damage control and mitigation? You've got to think about Estimating risk and spending more and you've got to think about what you put an email I know that's tough for people because we're used to thinking of this as a private communication That we can write anything we want and it's just not true. So that's what I mean Those are the same things I tell my 13 year old granddaughter, but I mean it's all As adults we all need to remember that too Sean What do you tell me? Oh, I agree with everything Jim said I think that Organizations I do a lot of of speaking to the C-suite and to boards and I can tell you that this this conversation has Evolved in the last decade from system administrators who are the people that are you know kind of hands on the keyboard working on the networks all the way through To CIOs corporate general councils and now it really is sitting in the board of directors That we are we can't prevent these attacks What many people still today don't understand is that the US government we're talking about the government the US government Has a fundamental responsibility to protect its citizens That's its primary role in my opinion and we do that in the physical world Against missiles and against foreign armies and against foreign jet fighters But we do not do that in this space and that there are malicious ones and zeros that are landing on corporate networks every single day And the government can't stop it What I tell CEOs is you are responsible for this because the government can't not because they don't want to But there are policies and there are capabilities and there are capacity issues that won't allow it today under to in today's environment And I know there's legislation that's pending etc. But under today's environment. It's not going to happen Therefore mr. CEO you've got to move Into a detection phase because you cannot expect that the government will prevent this you can't expect that your existing Technology is going to prevent all of this You've got to move into detection and into remediation and if you detect these issues quickly enough You can mitigate the consequences in most of these investigations that I've been involved with both from the the FBI side and from the Crafts Rec side we have gone into environments where the Network has been breached for months and in some cases years Completely undetected and if you give the adversary months or years of time on the network They are going to do whatever they want on that network theft of intellectual property research and development and Destruction of data if you can detect it quickly you can mitigate it So it really is about them understanding the risk and then taking proactive actions on their network To identify these threats today and not relying on somebody else to prevent it You know Bob in the case of Sony it's sort of interesting because we think about this as an attack that happened The week before Thanksgiving, but it actually began in early September. Well Over the summer there were warnings to the State Department a letter the North Koreans sent to the UN Secretary General saying that they The release of this movie the interview Which was not necessarily the most sophisticated comedy I've ever watched with the kids But you know nonetheless Would be an act of war. Okay, so in September There were spear-fishing attacks on Sony and what we determined in the court that spear-fishing attacks of those emails You know you get that they all you know, they may look perfectly friendly but when you click on it it downloads some malware into your into your system and As we went back and did the reconstruction What we learned was that the North Koreans then quietly spent or whoever these hackers were but if you believe the government's account the North Koreans They spent the next two months Mapping the Sony system undetected Figuring out their file structure figuring out what was vital what wasn't so when the attack actually launched on November 24th that's why it did so much damage and shut down so many computers and You know one of the few mistakes That the hackers made was that they put this sort of skull and crossbones and so forth up on the screen Which warned people who actually had their computers out at the time and were sitting in front of them There was an attack underway and some of them reached back and actually unplugged their computers Which is why they were able to recover some of the data from their hard drives had the North Koreans not put that up on The screen and Sean would know this a whole lot better than I would I suspect they probably would have done even more damage well, you know I Not to get too basic here, but What should I do every day? Okay? I work in CBS. I have I have a computer. I'm you know I'm online all the time What should I be just just as as a person there? What are the things I should do? You need to go back to pen and paper, Bob? You know, I'm not against that Particularly, you know, but I mean okay the things pop out there It just don't open anything that you are not aware of I mean you don't know where it's coming from or what you have to assess How much risk you think you face as a person and because a lot of these things are things you're not going to want to do So change your password. How often do you change your password? It's a pain in the neck, especially with this complex password stuff I Changed my password after every trip, right? That's a hassle, right? Yeah, and I change it randomly and I do things that make me forget it and I can't log into stuff And it's a pain in the neck right change your password data back up Do you have the the stuff that you care about stored somewhere that's not online? It could be a thumb drive thumb drives are amazing now you have to store that stuff and then you have to think about what you're writing and I was going to say communications discipline, which is one of my favorite lectures, but I won't you have to think about what you're You have to think about what you're writing and if you you know, it's the New York Times what the New York Times test or sorry The Washington Post test depending on Are you going to want to see it in the times? So password the other stuff is basic hygiene that hopefully your network administrators take care of at home You know, are you doing the patching and updating if people want to get you they're going to get you but you can minimize the damage by storing offline and by restricting what you actually communicate Do you have any tips on passwords either of you? I mean, well tell me yours and I'll give you a tip But it should not be anything that is familiar to it is it better to use numbers is it better to you? So one time I was in a meeting with some of our foreign friends from a signals intelligence agency and this probably gives It away, but you know the London Times Crossword puzzle which I can get zero on this guy was sitting there It was actually a woman doing it in ink and it took her about six minutes Right the people who do this Are going to figure it out if you use a word right for crying out loud and especially use a word to link to you And you've put it on your Facebook page. Oh, thank you Thank you social media because I I can I can harvest your password. So don't use your dog's name Don't use stuff. Don't be cute, you know eight hackers. I'll put a z at the end instead of an s I'll never figure that out, you know, it's like so you really have to But that makes it hard, you know, that makes it hard So I won't even tell you which accounts I'm locked out of right now because I can't remember my complex password But it's a choice Do you if you don't do the password you're going to be you you and we've we've said this before You two guys and probably you too. You're great targets. I mean access to your files. Who wouldn't want it, right? Access I don't know what you keep on your computers, but it'd be a lot of fun Right, so you you are a higher risk At higher risk than most most of us But when you talk about this spearfishing, I mean, I guess the point I'm trying to make this could happen to any of us I mean these and is it these people that have these Of extortion schemes from Nigeria that you know, what happens if you open that? I mean when I open it by mistake and then I delete it immediately But that's not good enough is that you really shouldn't open it depends So if there's a if it if the email has a payload in it that will Infect your computer and give the remote operator some kind of control Yeah, you're in trouble if it just I get them all the time and I'm so upset man Where are my friends? I just told me I won the French lottery and If you get one of those that just say hey, you won the lottery, you're probably safe You won't get the money, but you're Why did North Korea do this is it for what would seem to be the obvious reason? Or is there something beyond that? Let's say you were a god At least in your own mind and certainly in the minds of those around you But you're a worried god because you've had to open your economy up It's not the hermit kingdom anymore. And so people go to china You know, I They see how people live in china, which is infinitely better. They've given them smartphones You're you're a vulnerable god in a way that perhaps your grandfather wasn't vulnerable And somebody does this movie That tastelessly shows you Being blown up at the end and this is damaging to you in a couple of ways. Yes, boy Yes, right But the comparison you want to make uh tooth out here. I'll do it. I'll do it. They can't stop me Hans bricks. Oh, no Team america Kills kim jong-il, right And the north greens couldn't do anything about it. Here the the the god figure had been Killed and there was nothing they can do. Thanks to the internet. There is now something they can do It was political Oh, can I for yeah, I I agree with everything that jim said there, but um as somebody's covered north greea. I'm off since I lived back in tokyo Cyber is a weapon that is perfect for failed states That feel as if They've got very little ability to strike back at their adversaries And it's perfect for several reasons. First of all, it's cheap Don't underestimate the importance of cheap when you're dealing with a country like north greea Secondly, it's a lot more usable than a nuclear weapon a nuclear weapon is on and on off switch The north greeans like to have the nuclear arsenal because it can help preserve the regime But they know that if they ever used it, they know what happened 60 minutes later 32 32 minutes Thirdly, there are a lot more accurate than north korean missiles Think about north korean missiles And They're on instead of being on and on off switch They're they're like your thermostat. They're on a rheostat, right? So you can turn a Cyber weapon up or down And try to modulate it in a way that you don't think that there will be retaliation especially if you think somebody can't figure out that it was yours And uh, this is why I think adamel rogers was talking about why there's got to be a price Because because the attribution is so difficult it makes a lot of people feel safe in using them And because they can modulate it they think well, I can stay just below the threshold where someone's going to come back And get at me And in this case the question is did the north koreans Get that setting right I'm not sure the sanctions that the Obama administration announced Against north korea on january 2nd are going to make a huge difference to their lives since they've been sanctioned by every president since Harry truman and it's kind of hard to figure out new sanctions that would make a difference So in the end, I think the question about this is going to be did they really pay a price? do uh One thing that we were talking about what the president said last night and I think david reminded Has the president ever talked about our? Offensive capability if he has I've missed it and I watch it pretty carefully It's interesting because obviously the united states after Uh as the nuclear age started because we had dropped a bomb on two bombs on japan It was no secret we had offensive Nuclear weapons and we spent 25 years debating how to use them and ended up in that debate in a very different place And we started off in the case of drones the united states wouldn't discuss them for years I was white house correspondent for most of the bush administration and you know the white house press secretary couldn't even use the word drone Remember how many times people came on your show and they wouldn't use the word drone even though you did in the question, right? But in the case of cyber the united states government is still in that phase where they think that They don't want to acknowledge having a significant arsenal of offensive cyber weapons And even after the disclosures about olympic games the attack on iran And the fact that the code itself got out in that particular case because of nobody's fault It's just an accident even then the united states has never acknowledged it At some point the us is going to have to do it because at some point We're going to try to get into negotiations as a country to set some norms about how one uses offensive weapons It's very hard to have that conversation if you don't acknowledge owning some What about that? Well, we are having that conversation and of course what governments say in private to each other Might be a little different than what they say in public and that might be unfair DoD did put out some recent doctrine that if you know what lies behind it it points towards offensive capabilities We are having discussions with other countries about the norms for the use of cyber techniques For force for attack and for coercion It hasn't been an issue in part because everyone assumes the nice thing about So a friend of mine was telling me when I started negotiating with the chinese long time ago He said you have to remember that they think we're like the borg You know our motto is prepared to be assimilated. We're in advanced technological power that brooks no opposition And that's what people think when you talk to the russians or the chinese So we don't have to tell them we have offensive capabilities in their wildest imaginings They think we have death rays and flying saucers and you know What have the americans thought up now and they're freaked out about it so I The conversation on norms is difficult and this might be one reason why you don't see As much public discussion and there's an issue that you don't usually think about but it's the third party issue To carry out one of these attacks you have to go over somebody else's networks It's very unclear how international law how the laws of armed conflict apply to that and so countries currently take in the position of saying What are you talking about? I don't third party. I don't know any It's it's too hard to deal with and there are discussions. There are norms. There was agreement in 2013 on Some very general norms by the general by the un general assembly. So all nations Those discussions are ongoing, but they're very difficult legal issues that make you think maybe I shouldn't be so open about this Nobody nobody else comes out and says I have it too And nobody else has come it's it's interesting though because you you raise a a big question then for me Because if the chinese and the russians both believe that we've got certain capabilities That has not dissuaded them That in and of itself has not dissuaded them from stealing the intellectual property and research and development from major corporations around this country And quite frankly around the globe We've done attribution back to russia in us energy companies. We've done attribution back to china in you name the sector And that's been communicated and it's very clear. There's really no doubt there yet They have not They have not They have not acknowledged any red line They continue to cross over because they have not seen the results or the the impact of any of that breach No, I think they have acknowledged a red line and so under international law Espionage does not justify the use of force in response You can commit espionage and nobody's going to go to war over it. We should be thankful for that, right? And there is a there is an implicit threshold now becoming more explicit in international discussions The threshold is use of force or armed attack What qualifies as use of force or armed attack that would justify a military response espionage is not use of force or armed attack I'm not suggesting use of force for that. I'm talking about Going back to the the norms that you discussed There's not been anything Dictated certainly not that I've seen that clearly lays out what the ramifications are going to be for crossing that red line And they are over that red line every single day right now today Well, the the the only legal instrument the only international may agree to instrument that the We possess would be in the trade realm in trips And in wto i'll accept that so china nobody forced china to sign on to wto They did it willingly to get market access But they also committed to protect intellectual property and treat foreign companies the same way they treat their own companies They're not living up to that commitment. Now. You're asking why haven't we as a nation pushed harder on that? That's a different question ask that question why? Well, some of it is this is still it is uh it is um Closely linked to intelligence people don't like to talk about it The trade lawyers are relatively conservative when I started talking to trade lawyers about this He's three or four years ago the the first one I talked to said there's nothing we can do I was like don't open the talks by surrendering, you know There's a reluctance to take this on and you as with north korea People put this in the larger spectrum of our bilateral relations. And so with china for example Um previously there was a desire Not to rock the boat when we were in our economic recovery And so the decision was we're not going to push them on this Because it might hurt us economically. I know I'm being an articulate on this That's usually that and when I close my eyes means I'm thinking a class if I thought Um, you're trying to I thought you're trying to remember your password. No No, I've given up And things have changed now. So the indictments were a good first step now. We have to see what falls on Bob, you know just listening to the president's language on this Tells you How difficult it's been for the government to deal with this subject So in some interviews he did just before he went on vacation in hawai you may remember He was asked whether this was cyber terrorism Happened right after he identified north korea as a culprit and he stopped and he said no, this was cyber vandalism And then we had a couple of senators Step in and say president doesn't know the difference between Cyber vandalism and cyber terrorism. This is cyber terrorism. And then we asked some people on the hill So what's your definition of cyber terrorism? And they said well if you conduct a Cyber attack with the intention of destroying Thanks So we asked the question so if it was the united states that was behind the attacks on the Natanz nuclear enrichment plan was that an act of terrorism? Well, no not exactly If that's what happened. So we were having real definitional problems here What uh When david cameron came here, uh, we know he came here And he was going to urge the president In some stories they said to criticize u.s companies for Resisting efforts to give the government greater power to read encrypted messages. What does that mean? So just to a quick follow-up to david before tackling that one Remember that espionage is a two-way street and we've told other countries. It's a two-way street You spy on us. We spy on you. This is what big powers do There's a difference though. We are not involved in commercial espionage U.s government is not stealing from foreign companies and giving it to u.s companies and that is happening U.s companies are being raped and pillaged every single day. Uh, and so In discussions with the people's liberation army and the ministry of state security I've heard u.s officials say Exactly that and the response has been You know, uh in china For us building our economy and growing our technological base Those are national securities issues. We think this is legitimate And that's a fair point to have a discussion on and maybe we need a new norm relating to espionage But you know, they want to play the ball game that's going to do the best for them We want them to say no play by our rules where you automatically lose Gosh, why won't they go along? So I we can't we can't send attorneys over there Then who say we can't do anything as their opening position on his when his stuff on olympic games came out I was talking to some chinese friends and I said, um, so were you guys surprised by that? And they said no, we always knew it was you and I said, yeah, oh, yeah How do you know it was us and he said and the individual said who was a chinese official? He said no other country has that many lawyers involved in in their programs. So So but then I said you guys don't have lawyers and he said no, but they're increasing so Give him a couple years. You can send you can send your you can send your lawyers. I'm not saying lawyers. You went over there with a lawyer But on this thing is this I guess the another question I was going to ask related to camera Are we going to see a different attitude in this country toward the national security agency and so forth after seeing this This hacking incident here. I don't think frankly There was a a very vocal Group probably I'd say 20 25 of the population that was very hostile to nsa very Hostile to its activities and I'd say the majority of americans understood what it was doing I don't know if you agree with that. It looks like you don't well I was going to say I think that there's something that has changed in this encryption debate I think you touched on it, Bob If you listened to Cameron last week He said we need to have a way of getting into iChat and we need a way of getting into What's app and other encrypted forms of communication and what's really changed the argument I think Came about last fall When the new operating system For the iphone came out along with the iphone 6 Because this operating system automatically encrypted data But not only did it automatically encrypted it did it in a way where apple didn't hold on to the key So only you had the key really to go do it and that changes things because in the old days The fiza cord or an ordinary cord could issue a warrant They could go to apple with a With a physical telephone and say download all the messages that are in here Now with this new operating system as it takes off If you go to apple with that and you ask them to download all the data They will hand you a large pile of complete gibberish And say good luck send us a postcard when you've decrypted this in about five years And that is what's driving the intelligence agencies and many of the law enforcement agencies a little bit crazy Because at the moment that apple and google and some New products they're going to be rolling out and microsoft as well Throws away the key then they feel like they can't get at it and that's what cameron is talking about banning Now president obama Had never really spoken on this before but if you look carefully at what he said At that news conference on friday with cameron He seemed to come out closer to where cameron was than i've ever heard him before But not endorse it entirely did not endorse it entirely Let's have some questions from the audience anybody have a thought this lady right here Former senior you unofficial former former Former head of the united nations institute for disarmament research in geneva And I I have two questions. Um, this was a fascinating panel. It was really interesting and different perspectives Um, but I have I have two questions and they they tend to relate to the issue of seeing Um, the cyber issue always through the national security lens and how Perhaps that's not quite The whole picture the holistic picture. So the first question Is we were talking about this attack on sony as being the first attack on attack on infrastructure That did something destructive in the united states except that the first attack on infrastructure that did something bad was Pretty much we think from the u.s. And israel on iran in stuxna And there are a lot of lawyers international lawyers who said at the time That the iranians might have been able to make a case under un Under under law international law that this was an armed attack that they could respond to They didn't I would like to ask the panelists about how they think about that and what they think might have been the motivations for not and Why we didn't and all of that The second question I have is that if you're really looking at national security We have a big problem here because in order to defend stuff Both nationally and internationally the government who knows about Ways of attacking and and bugs and etc. Etc. Has to actually warn the private sector But if you want to keep offensive tools In your arsenal, then you don't tell anybody about those zero day attacks that you've ordered from hackers On the on the gray net or the black net and you're keeping in your arsenal to be able to attack other people But every time you do that you leave everybody else, especially the private sector open to attack So how do you balance that in a national security realm? because that's that's a really Hard question, right? So I'd like to hear the panel some response of that. All right. Well, let's see Uh, Iran was killing American soldiers in Iraq The u.s. Chose not to go to a war with uh, Iran It's a political decision and so You know from pueblo on The fact that it qualifies as the use of force does not mean therefore That it it is an act of war. And so that's a political decision Iranians made the right choice. They wouldn't have liked anything. They started Um, I forgot the second question because I got annoyed with that one. So go ahead I I agree. It's a political decision. It's the reason we have to have these discussions I think nation state to nation state we have to define what the norms are and there has to be clear lines drawn about what's acceptable and what's not and I see this issue similar to weapons of mass destruction and a nuclear issue and at that level because the cascading impact of of these types Of attacks is going to impact the globe Critical infrastructure It's going to have a global impact on human life. Uh, I believe that so I I think we've got to have those discussions at that level Another question Right over here. Okay The guy who's looking around that he's Here's one Hi, uh, jason tom from brookings just pull on the thread on the, uh deterrence theory piece and the cold war analogy So We don't want to propagate our capabilities seemingly Because we have superior offensive capabilities or at least we think we do But at some point deterrence theory doesn't there have to be a credible threat of response You know, for example in the cold war it was the nuclear testing regime What what's is there an analogy for that in the cyber realm and will there be a day where we have to Propagate our capabilities. Thank you David, do you want to talk? Well, sure, you know, there are a lot of analogies between cyber And nuclear and we do them because nuclear is familiar to us during the cold war We went through a period of time where we were ahead with the weapon and then the Soviets got it the chinese got it the indians the pakistanis the israelis and others and And so all the questions about deterrence that came up in the nuclear era Are the same questions in some form or another that you would ask in the cyber era The problem is all the answers are different And they're different because in the nuclear era States were completely in control of the weapons by and large except in the past couple of years after aq con began to To start peddling weapons around So In the cyber arena States can have cyber weapons patriotic hackers think about those who Attacked other states on behalf of the russians criminal groups think of the target case or the home depot case Teenagers And teenagers and criminal groups They don't tend to sign treaties much So uh, so that's why this is so much more complicated in many ways Than nuclear is now on the other hand it may not be as devastating Which is you know Truly good news and we used to talk in the nuclear age about how you could get bombed back to you know, the stone age In in a big cyber attack, we could get knocked back to like the 1970s or something like that We'd all be dressed really badly But uh, so there's a little bit of it. There's a little bit of a difference I let me add if I can david because I I agree But there's one disagreement and that is with those that asymmetrical threats So if it's not specifically in the nation state and you can't have a treaty with a teenager organized crime group What you can do though is hold nations accountable for its citizens in terms of cooperating I've personally worked and I've traveled internationally quite a bit talking to senior level officials in law enforcement and intelligence agencies about this About them helping because it is a collaborative effort between the fbi and other agencies with our foreign counterparts And they've got to hold their citizens accountable if those agencies came to To the us because there was an organized crime group targeting their financial services sector I know what the response would be here, but I've not seen reciprocity Sometimes not all the time I should point out quickly that the csis and the nuclear threat initiative have a big project on trying to figure out how deterrence Works in cyberspace and one of the issues is Credible threat to whom in the cold war we had one opponent Now we have multiple opponents and different threats might be what works with one may not work with the other One more question right here Stove pipes in the pentagon and through our government. So maybe for shawn and the panel How would you assess, you know, the united states government? All kind of corporations as far as like pulling the information together. So we have a unified front I think that there's been a lot of progress in that area In in the u.s Domestically here the bureau started the national cyber investigative joint task force Which was a collaborative effort with the entire usik nsa cia dhs all flavors and dod to look at All the intelligence that each of those agencies bring against common adversaries China russia and nation states as well as some of these organized crime groups, etc Each agency has different authorities different capabilities different capacity And for each of them to be able to reach in and utilize their specific skill set and bring that to the table Makes the nation much much stronger in intelligence collection and then also in what the response is providing senior policy leaders or officials With key information so that they can make policy decisions. So that has happened here I think that that can always be better But I think it's on the right track No, I think shan nailed it. I mean the Cyber coordinators office the the response to sony is a good example Look how quickly they did it. So and some of this comes from what was the name of that guy they caught in bangkok You remember the experience of terrorism has helped shape Cyber security because it's the ability to combine intelligence disciplines get law enforcement fbi nsa DoD working together that gives us an edge And in that we've learned the hard way why it's good to cooperate Well on behalf of tcu and csis. Thank you all for coming