Hello everybody. It's a pleasure to welcome you here to the Carnegie Endowment for International Peace. My name is Tim Maurer. I'm the co-director of the Cyber Policy Initiative and a senior fellow in our Technology and International Affairs Program. I'm delighted to welcome you to this event, which is part of a series of events we are hosting on systemic cyber risk and topics of relevance from an international perspective. So I'm particularly delighted to co-host this event today with the Cyberspace Solarium Commission and to focus on the international impact of the report that is forthcoming and will be released on March 11th. The event today will be moderated by Ellen Nakashima, who I will introduce in a second. And I would like to first start by thanking all the speakers here on stage, and you, for making the time for what we believe is an important event. First off, I'd like to introduce Congressman Langevin, who has been a thought leader on cybersecurity in Congress for now more than a decade. He represents the second district of Rhode Island in the House of Representatives, and he was appointed to be a commissioner on the Cyberspace Solarium Commission by then Majority Leader Nancy Pelosi, actually, sorry, Minority Leader Nancy Pelosi at the time. I'm already in a different universe right now. We're better a speaker anyway. Next to Congressman Langevin is Chris Inglis, who is currently a cybersecurity professor at the U.S. Naval Academy. Prior to that, he was the deputy director at the National Security Agency, and he also serves as a commissioner on the Cyberspace Solarium Commission. I'm also pleased to say that he is a member of the Carnegie Encryption Working Group. So for those of you who are interested in encryption, we have a report that came out in September on that specific topic. To my immediate right is Angela McKay, who is a senior director of cybersecurity policy and strategy at Microsoft.
For those of you who've been in Washington for several years, you will know that Angela has also been a thought leader on cybersecurity here in the Beltway, and she's currently leading Microsoft's global public policy and strategy work on cybersecurity with a specific focus on cloud security. And she's also been deeply involved in Microsoft's efforts to ensure a peaceful and stable cyberspace at the international level. To my immediate left is Ellen Nakashima, who does not really need an introduction. She is well-known and one of the most respected national security reporters. She usually breaks stories that people love and loathe for the accuracy of her reporting, and I'm delighted to have you as a moderator today. We will kick off with Congressman Langevin and Chris Inglis saying a few words about the Commission and the report. We will then have a moderated discussion led by Ellen, and then we will have a few minutes at the end for your Q&A. So think about what questions you may have as we progress with the discussion. And with that, I'd like now to invite Congressman Langevin to kick us off.

Good. Tim, thank you very much. And I want to thank you and Carnegie for hosting us here today. I'm honored to be on the stage with such a distinguished panel, and to be here with my fellow commissioner, Chris Inglis. It was a very exciting project to be involved with. And I believe that the report that will be issued on March 11th is going to be both substantive and actionable. There was robust discussion along the way of the high spectrum of what we need to do to better protect the country in cyberspace. And as I said at our final meeting, of my 20 years in Congress, I think this is one of the most important projects that I've ever been involved with. So did you want me to give an overview of the commission now? Or do you... OK?

It would be good just for context for the audience, which does have experts, but also people who are excellent.
So the Solarium Commission was modeled after the Eisenhower Solarium Project, which took place in 1953 after the death of Stalin. President Eisenhower recognized that our approach to dealing with the Soviet Union was geared more toward the person rather than the country, and that we needed a new strategic framework for how we would deal with the Soviet Union. And so President Eisenhower basically put together three groups, three panels, if you will, that would take three approaches to creating a strategic framework, whether it would be dismantlement, confrontation or containment of the Soviet Union. And those three panels of national security experts argued, studied, worked out and looked for the formula they presented to President Eisenhower on which strategy we should adopt. President Eisenhower was the final arbiter. And as we now know, containment was the policy that he adopted, and that guided U.S. policy and funding and programs, etc., going forward for the next several decades. So we took that same type of approach. The Solarium Commission was created in the National Defense Authorization Act in 2019. And it was a multi-stakeholder group made up of individuals from the executive and legislative branches and also from the private sector, outside experts, recognized experts in cybersecurity. And we came up with a framework that is now going to guide, and we believe should guide, U.S. policy in cybersecurity and cyberspace going forward. So again, it was a very meaningful project. And I know we're here to talk about the international norms aspect of the findings of the commission's work. And then obviously the full report will be unveiled on March 11.

So I'll just add to that that the commission took on as its charge: how do we recommend a strategy for the United States, but in a world where we must, in fact, reconcile this to international strategies?
How do we recommend a strategy for the United States that takes on the significant impacts that we've been suffering in and through cyberspace over the last 10 years and, more recently, intensely over the last three years? What was important about the commission was not simply the character of the commissioners, but the engagement of the commission with the private sector, with international bodies, with the various stakeholders in this space. The commission, over the course of the better part of a year, had upwards of 300 engagements, engaged about a dozen different nations and just about every instantiation of the private sector that you could imagine. And we had Tom Fanning, who's the CEO of Southern Company, on the commission, representing in a real and material way some private sector interests, recognizing that none of the commissioners could represent all of those constituencies, and that the sum of those commissioners couldn't represent all of those constituencies. It was the engagement that I think informed the report as much as or more than any discussion that might have taken place at the table. When it was all said and done, the strategy that we're about to recommend (the formal report will be released in detail a week from today) starts with a case for action, which I don't think would surprise anyone in the room, but we think it's important to put that backdrop in place. It then describes in a few pages what perhaps the broader strategy might be. And then in great detail, for the remainder of the report, it describes six pillars, six broad categories that we would recommend, and within that about 80 or so very concrete, we hope implementable, actions. Those actions, having been worked by the executive branch, in front of the private sector, by the commission, which includes the legislators, we think have more than a fair chance to be implemented.
But what we would recommend is that they be considered not in isolation, one or another, but in summation, right, that it's the strength of all of those. It's the horizontal of the report that we think makes a difference. In sum, the strategy that we have come up with essentially concludes that while deterrence has not been working, and it's clearly not been working in cyberspace, if anything, the threats are having a greater impact today than they have at any time in the past, we believe that it can. Having said that, it's not the kind of deterrence we would have known in the days of the original Solarium, which was trying to operate in a world where nuclear threats, nuclear power, was perhaps the existential threat posed to us by the Soviet Union. The job then was to keep the weapon, the nuclear power, off the field, right, and if it entered the fray, then we knew that we had failed. And so it was a more absolute form of deterrence: how do you actually prevent even the possibility of a conflict in that way? In the cyber realm, we understand that cyber is persistent. It's the criminals, whether they be small or large, nation states or ordinary kinds of criminals, but that's probably going to be something that is on the field all the time. And when we talk about deterrence, it's how do we actually influence those actors to perhaps hedge their bets, perhaps curb their appetite, to perhaps join with us, the like-minded nations, the like-minded entities, and try to figure out how do we shape the ecosystem such that we have reasonable expectations, aspirations about what it does for us and how it behaves, such that we build that system so that it denies benefits to those who would take unfair advantage of it. It used to be called deterrence by denial; it still actually works in the modern day. And then finally, how do we impose cost on those actors who, ignoring what the norms are, ignoring perhaps that there are some costs to be borne if you try to transgress in this space,
say, so I'm going to do it anyway? How do you actually bring all the instruments of power available to us, and not just the one that's perhaps most often talked about, an instrument of power that might be in the hands of the United States Cyber Command, but all the instruments of power across the federal government, across states, across localities, across the private sector, such that the proposition for an aggressor in this space is you need to beat all of us to beat one of us? Right, it's essentially about the joint. The six pillars that we describe won't surprise you. Perhaps the first of them, first up, looks like we've got form kind of chasing function. But we talk about how do we actually recast the things within the federal government so that it is a more coherent enterprise with respect to the cyber problem, and how do we make it such that it's a more viable partner with respect to the private sector or other governments. The second pillar, about which I think we'll talk a lot today, is how do we get the norms right in that space, and that necessarily means how do we actually work with others, the private sector and international entities, nation states in particular, to understand what are perhaps the common principles, what might like-minded nations bring to bear in terms of expectations in that space, and how do we actually make fit for purpose all the instruments of power that those nations and those private organizations can bring to bear. There is a sixth pillar which will talk about the military instrument of power, but not in isolation, as a complement to all those other instruments of power. The other pillars, again, they're already available on the Solarium website, speak about how do you actually make the space more resilient, more robust, how do you actually create the ecosystem in terms of roles and responsibilities.
But across the main, we hope that when you read the report you think about the horizontal as much as you think about one of the trees in the past. But that said, I'll turn it back over to you for moderation.

Thank you very much, Chris, for setting the table that way and laying out the answer. You almost answered my first question. Before this started, thank you all first of all for being here. I told Congressman Langevin I think we first met over a decade ago, even before the launch of Cyber Command, when you had just founded the Congressional Cyber Caucus. So this is how long we've been at it, long enough to have seen, I don't know, countless commissions and studies and different cyber strategies, from the White House strategy to DoD strategy. We've lived through them all, and then they have become, you know, doorstops, others. There was that effort to do legislation, comprehensive legislation, that never went anywhere. So I come at this with a little bit of skepticism about how this is going to be any different. How are you going to move the needle? So hopefully through our discussion and others you can inform us how this will be any different than any of the other studies and commission reports.

Thank you very much for that. I do.

Let's try to make this as conversational as possible. So feel free to just jump in when you want to be called on. And I'd just like to start off with: we've, as Chris mentioned, been talking about deterrence for four years, and cyber deterrence is different than nuclear deterrence. And obviously we're not talking about the absolute cessation of all malign cyber activity, because you see how every day, you know, DoD is being attacked 600,000 times. So how do you measure success in deterrence? What, for you, that's not a complete cessation? Is it a diminution? How will you know it? And if, for instance, there was no attack on or successful disruption of voting infrastructure in the midterms, did the deterrence work?
Can one of you just talk to me about how you would measure success?

So I would say this. We may never fully be able to quantify or articulate what success looks like. However, I will say that success would be determined by preventing things from breaking out to the level above the threshold of conflict. The other thing I would say is we define success by preventing our enemies and adversaries from going unchallenged and unconstrained. So in the past, I think we could make a pretty strong case that our enemies and adversaries were sensibly running the board, if you will, and maybe going on unchallenged, and we have changed that over years. We've seen this evolution on a number of fronts, including standing up Cyber Command to confront in that space and deter, but also imposing sanctions and using indictments to constrain behavior. I think what we have recognized, again, this has been an evolutionary process to where we are today, is that there's certainly a greater level of awareness that the cyber threat is here, it's here to stay, and it's becoming more and more pervasive. We're the country that invented the Internet. We make most use of the Internet, but we are also unfortunately subject to its vulnerabilities. And so we need an overarching strategy in cyberspace that will better protect the country in cyberspace, and part of that recognition is that we cannot go it alone, that this is an international challenge and we are going to need to work with our partners and allies to maintain this free, open and secure architecture that is the cyber ecosystem. And so again, this is a multilateral approach, a national approach on collaboration in the norms space, a regime that we build to curtail bad actor activity.

Chris, the fact that we haven't had a cyber Pearl Harbor, we haven't seen an attack that went above the use of force or occasioned our response above the use of force,
doesn't that mean that to a certain extent deterrence has worked? And so are we not just talking about deterrence at a certain level? Are we talking about deterring, you know, worse Shamoons or disruptive types of attacks, or Sony?

We might not have had the Pearl Harbor that everyone would say, you know, kind of, that's me in that situation. But we've had a few, right? So the NotPetya attacks in the summer of 2017: if you're in the Maersk Corporation, when that kind of worldwide global activity went down hard for weeks' time, attributable to a Russian nation state action taken against Ukraine, that was a Pearl Harbor of sorts. If you were the United Kingdom's health service, in the spring of that year you went down hard because of the WannaCry attacks; that was, for them at least, a Pearl Harbor. But it doesn't need to be a collective Pearl Harbor in order for something kind of on the left or the right to inform us that we're all actually in this dangerous place, and that it might come our way, because you don't need any more to be the target to be the victim. These attacks are increasingly indiscriminate and fired into a place, right, where they're going to naturally cascade without regard to the jurisdictions, boundaries, borders that we might think separate us. We can't defend in silos anymore. But the worst perhaps consequence, if there weren't a Pearl Harbor, right, is that we shouldn't feel safe, because it might just be that it's the steady erosion of our confidence in this space, or the termites in the house that essentially are just going to remove, by that slow process of rot, right, any confidence we have that we can achieve our end purposes in that space. And so all of those we think constitute somewhere between a cataclysmic and an insidious threat that must be checked. And it's only gotten worse in the last 10 years in the face of our otherwise restrained activities and our incoherence in applying all of these capabilities.
If I might add to Congressman Langevin's excellent statement about what the strategic outcomes might be if deterrence works, there are some leading indicators, and a few of those leading indicators might be: if we all know what we all know at some moment in time in terms of the nature of the threat in that space, as opposed to I have to experience it personally in order for me to know something about that threat. So what is the degree to which we're actually laterally, horizontally joined up? If we all have some sense of what the common best practices are, if we all have common expectations about what resources we can bring to bear, and all the resources in the house, right, in the international house, are being brought to bear, as opposed to we're sequentially applying these various tools, capabilities, and authorities as if they're champions that sally forth and try to perhaps defeat some adversary on that field. If we're joined up, I think that we'll know that we're on the cusp of something that's different in kind than what we've had in the last 10 years.

So you mentioned NotPetya. That was not Russia trying to attack Britain's National Health Service. It wasn't really going after Ukraine. I think that's how it all started. So if you're thinking, how would your strategy from the Solarium Commission have gotten at that issue, prevented it, tried to deter it, or maybe responded with a punishment to deter future such actions? We're talking about maybe deterring an actor, not so much.

Yeah, so if you step back and kind of consider the section of the strategy that says what's the strategy, as opposed to the implementation of that strategy, I'll try to connect the two. Thank you. The three parts of the strategy would say, first you have to shape expectations. And so there must be an expectation that's announced and transparent and clearly communicated that that's completely inappropriate behavior.
That when Russia takes a swing at Ukraine in that space and it essentially cascades, ricochets off of that, and then bounces around the larger internet, that's indiscriminate, brazen behavior that crosses a threshold, completely inappropriate, for which there must be consequences. Second, we have to actually take time and energy to make sure that the systems are inherently resilient and robust. People who patched their systems before that happened actually didn't suffer the ravages of NotPetya, or what ultimately affected the United Kingdom's health service, WannaCry. And it's not that they're irresponsible; it's just that there's not a local accountability and a local sense as to how do I actually participate in defending myself. We need to make that easier, intuitive. We need to make it such that the resources are available, whether it's to individuals, localities, states, or federal enterprises, to essentially make yourself reasonably robust and resilient, such that most of the things that bounce off of you, you don't care what they are, because it didn't harm you. And then finally, there must be a consequence for that bad behavior. To my knowledge, there's not yet been a consequence for the Russians essentially conducting a NotPetya attack. And the consequence doesn't need to be the most kind of titillating consequence that you can imagine, but there must be a consequence. In the absence of that consequence, we can only imagine that it will occur again.

If you want to jump in now and talk about how the strategy would apply in a case like NotPetya, what sort of consequence would result from your strategy, and how do you make it international, with more people, states, joining in together to bring to bear?

Yeah, and I'd like to connect it actually to your earlier question too, about what makes this report somewhat different from perhaps the previous ones and why I think it's actually a very timely report to come out right now.
Because a lot of the discussion in the last ten years around norms has been very kind of top-down. You have diplomats negotiating language, and you have the agreement that existing international law applies, and then you have this catalog of voluntary norms that all the major states have agreed to. NotPetya was a great example of a type of incident that may not have been on the minds of some of those diplomats at the time, and the very coordinated action of the U.S. together with its allies and partners at the time to issue this joint statement that highlighted specifically the indiscriminate nature of that incident, I think, clarified where a line is being crossed. And with respect to the report, I think we're at this juncture in the U.S. debate where the discussions that have been taking place among the diplomats and led by the State Department, and the discussions that have happened in the national security community and some of the agencies that are more on the offensive side that didn't care as much or didn't focus as much on norms, say, five years ago, are coming together. You now have people like Harknett and Fischerkeller, who were the brains behind defending forward and persistent engagement, now writing about norms. And there's a growing notion that there's starting to be emerging state practice, that things like NotPetya are starting to inform what states perceive to be permissible. So it's coming together. And I think the report is doing an interesting job; it brings these different pieces together in a way that we haven't seen before.

So you have a bunch of Western nations and maybe Japan and Australia all joining in saying what Russia did was bad. We don't do things like that. But did it change behavior? Do we know that Russia's not going to do it again?
So there was an interest, just to add: two weeks ago the UN had its Open-Ended Working Group, and member states met, and apparently the Russian representative said at this meeting that apparently the norms aren't robust enough yet because foreign actors are able to interfere in the elections in the U.S., which, you know, that's an interesting statement to make given who made the statement. But ultimately the norms are actual behavior. And to your point, and to Chris's point, it is uncertain whether the consequence has actually been imposed. The naming and shaming is part of exposing it. But it's also, to what both Congressman Langevin and Chris said earlier, the report outlines a more coherent framework for how to think about the full suite of instruments of statecraft to be more effective at doing that.

Yeah, I mean, that's been one of my sort of pet peeves or questions over the years: norms are great, and I think they're important, but if they're ultimately voluntary, then really what good are they? I mean, is there any way to make them enforceable? How do you have leverage over other states? Michele Markoff is here, so she can probably speak to that at some point. But Angela, do you want to chime in? I see you writing.

Yeah, yeah. So I think one of the things is linking norms is really important. And both our organization and many others in the tech industry and industry beyond have been talking about the importance of rule of law and norms. Then you also have to look at: is behavior aligning with the norms? And then what is done about that? Right. And I would say, you know, from an industry perspective, you know, there are commitments that industry can make in this space and has made. So for example, over 140 companies from the tech industry have come together behind the Cybersecurity Tech Accord and committed to four big things, right? We're going to do defense, improve the security of our products and services and our supply chain.
We're not going to do offense. We're going to collaborate with each other, and we're going to build capacity. And those commitments are important. But then I get to what is the behavior that supports those commitments. And then when those commitments are not held, how does that play out? And so I'll give an example relative to the Tech Accord, which is, for many organizations, you can say we believe in this. But at the Tech Accord, any organization that is going to participate in the Cybersecurity Tech Accord actually has to have a process for handling vulnerabilities. And if they don't, after about three months in, they are called to the carpet, and they cannot stay in the organization unless the behavior aligns with the commitment. And I think that's one of the really important things that we have to think about, not just as government or industry or the civil society community, but how do we collectively drive that forward. And I think one of the things I'm encouraged by with the Cyberspace Solarium, and also quite honestly some of the behavior that you're seeing out of industry, is a drive for greater accountability when norms are not followed. And so there are examples that we have seen over the course of the last two years where you start to see states not only calling out a particular behavior, in other words, Russia did this or Iran did that, but also tying it to the norm that was violated, and then talking about the consequences that can be publicly talked about. And so I do think there is an interesting shift towards driving greater accountability. And I think what I light-handedly referred to in an email to Tim as "defend forward plus plus" is an interesting way to start driving the behavior to align with the norms.

I think the question you raised about the effectiveness of norms if they're voluntary, I think the more important question is what would we do if these norms didn't exist.
If you don't have an understanding of when a line may be crossed, and where the majority of actors have an understanding that the line is crossed. And you will always have actors that may violate a norm, because otherwise you wouldn't pay so much attention to trying to make it explicit. And I think the key question is what world would we live in if we didn't have an understanding of what these norms would be and when a transgression occurs. For the reasons that Angela just outlined, if we don't have that understanding, it's unclear what the consequences would be and what actions would follow.

Angela, I'm just curious to know what sorts of consequences the members or stakeholders are talking about when they say a norm has been crossed. They're moving, they're driving towards holding accountable and imposing costs or consequences. What kinds of consequences?

So the kind of things that we're really focused on in an industry context, in terms of changing industry behavior in support of our commitments, is usually more of an incentive model, right? Sharing practices between organizations about what we have found to be effective and then trying to build the capacity associated with that. The one example that I had of, if you don't have a policy and you're not able to handle vulnerabilities, then it is a temporary place inside of a temporary situation where you ask them to bring it up to that level. And the organizations that have signed on to things like the Cybersecurity Tech Accord are interested in raising the bar, and so that temporary state is not something that lasts for a long time. I think one of the other things that, as a community, as a multi-stakeholder community, we have to think about is what are the kinds of consequences that the private sector ourselves can impose, and how civil society themselves can also engage in shifting behavior.
We have a conversation, and I think it's a super important one, about the levers of power that governments have, but I think there is a nascent and necessary conversation about if and how both the private sector and civil society can also support that. One of the areas that I have noted was around accountability, but there can be others as well. For example, how you provide assistance to certain communities that may be impacted by events if they are behaving consistent with the norms. But if you were, let's say, a rogue state that was affected by NotPetya, maybe you're not getting the same kind of assistance from the community, from your tech community. And so this is just something, I'm not saying we're there yet. What I'm saying is, as you see government moving forward through the Cyberspace Solarium Commission with this, what are the rules, how are we resilient, what happens when the rules aren't followed, I think there is a conversation to be had about what is a private sector and civil society role in supporting that.

So could you tie, for instance, Microsoft's continued presence in China to, you know, changing the behavior of China? If China continues its massive theft of intellectual property from U.S. companies and government, you know, the private sector say, well, if you continue that, we're pulling out, or you're going to give up a huge market. But is that at all in the mix?

I don't think that's in the mix right now, but I do think you have the private sector talking more and more about what are the kinds of values that we believe in? What are the commitments that we're willing to make? And then how do we then use the levers that we have in the market environment to shift behavior? There are a whole set of authorities and accountabilities that are uniquely in the governmental space.
And one of the other things I think that industry and civil society can do is really be supportive and help create political will for those things that governments themselves are uniquely empowered to do. I think that's one of the other things that is really important. Industry has been trying to do more and more to talk about the impacts of cyber attacks in a way that is relatable to the public. So instead of saying X number of computers in these countries around the world were affected by this piece of malware, which to most people sounds like..., you can actually talk about, well, 90,000 people in the UK weren't able to go to the doctor. And then this is what that looked like from a surgical perspective. This is what that looked like from a human perspective. And so what we can do is then help people understand the impacts of these cyber attacks and create more political will for governments to be able to move forward with their unique accountabilities and authorities.

Okay, Chris.

I just want to compliment what Angela said. I thought that was really well said. I'm less interested in whether norms are mandatory or voluntary than whether they are crisply defined and clearly communicated, such that any individual organization can say, given that those are the norms, that's the expectation of behavior, and there will be consequences if you fail to follow those norms, I now can make a determination as to whether I want to enter into some risk proposition of actually acting there or dealing there or operating in that space. Microsoft will make a choice as to whether it operates in China, yes or no, based upon their expectation of what the business environment is like there and the legal regime that makes it possible to execute business according to their values, their principles, and their shareholders' interests, or not. And so it's about the enforcement.
It's about the declaration of those norms and the enforcement of those norms more than making sure that everyone signs their name on the document of those norms. And I think the problem that we've had is the norms haven't been clear. There are excellent norms out there, but they've not been clear and communicated and shared. And we've not enforced them, such that there's some confusion about, well, I think I understand the norm, but I'm not sure you'll enforce it. In some places I don't even know what the norm is in Country X. And we need to solve both of those problems so that life in the middle is more rational, more predictable, and therefore the risks that you take are ones that you understand.

I think the norm becomes clear when the punishment is meted out. So a child knows that it's not good to cheat or steal candy when they've been banished to their room for the night or something, right? So when you talk about consequences, what sorts of consequences really would work here, have been known to shape or change behavior? The tools we've tried and used so far are indictments, economic sanctions. In some cases, Cyber Command has undertaken some operations. But what tool or combination of tools, in concert with like-minded states and allies, would effectively bring about a change in behavior, whether it is to stop the theft of IP or stop disruptive attacks or stop meddling in elections? Any ideas?

I think we have tried some of those tools, but to my recollection, we haven't tried all of those tools in unison in a coordinated, collaborative fashion across national boundaries. And I think that we would see a decidedly different effect if an aggressor knew that they were going to be subject to the full application of all those tools across all of the various national boundaries that they operated in. I think if we tried that, we'd find that we had a materially different result.
I think if the child recognized that you can't actually work mom against dad, right, you can't actually escape one or the other, you'd have a materially different result. There's no seam that you can go through. And that's what we've not done enough of.

Okay. So the phrase "defend forward" has been mentioned a few times so far, and for the part of the audience that hasn't heard it much, it's a concept that the Pentagon first used, which General Nakasone, the commander of Cyber Command and director of NSA, has defined as operating outside our borders, being outside our networks, to ensure we understand what our adversaries are doing, and thus to be able to warn, defend, impose costs and prevail in conflict. So Congressman, how does the Commission define defending forward? I understand you've expanded it a bit. And how does it fit in your strategy?

I'm not going to get out too far ahead of the report coming out on the 11th. What I will say is that for our section, the purpose that we're going to talk about today is the international aspect of this and how we, in a sense, defend forward by acting in unison and concert with partners and allies and trying to build up those expectations of what is responsible behavior and then the consequences that could go along with that. So certainly, I think, you know, this idea of defending forward, it certainly means we want to have robust information sharing. And again, we can act either preemptively at some point, or after the fact, when we speak with one voice, condemning behavior, or in consequence through sanction or indictment, which should become more of an expectation on the part of bad actors. And so that we're closing the gap on the attribution side, that we're closing the gap between action and consequence, so that it is much more narrow.
So I'll answer your question that way without getting too far ahead of the report coming out.

Tim, how does defending forward affect international relationships and building trust with partners?

So just to build on what the Congressman said, the report I think is really interesting because it looks at both the defend forward piece, which has been driven by Cyber Command, and the norms piece, which has been driven by the State Department, and it brings those together in a way that we haven't really seen in the last 10 years from those two different pieces of the bureaucracy, in a field that's pretty apolitical. I would argue that even in a different scenario, in a different administration, we would have seen a shift toward a more hawkish posture during a Clinton administration similar to what we are now seeing during a Trump administration. So I think this field actually stands out for how apolitical it has been. I wouldn't call it bipartisan but nonpartisan, I think. So with respect to the defend forward piece, we actually have a scholar at Carnegie, we have centers around the world, and one of my colleagues is a former PLA officer, a colonel who focused on cyber security, and she wrote a piece for Lawfare that her perception, and the way that the Chinese community has perceived defending forward, was as an escalation, and that the U.S. is presenting it as essentially defense. And to Chris's point, the perception in Washington has been that not enough has been done to actually keep some of the malicious activity below the threshold at a certain level, but that from the Chinese perspective it was escalatory and that the Chinese may now further escalate. But that was also the intended effect, to communicate that the U.S. is willing to be more assertive and proactive in trying to say enough is enough. So the interesting piece about, I think, the perception of the report will be how is it going to be perceived by my colleague in China.
But then I think a more interesting question is perhaps how is it going to be perceived, not in Moscow and Beijing, but how is it going to be perceived in New Delhi and Brussels and Berlin, and how is it being perceived among allies and partners, because some of the approach I think has some implications for how we engage with allies and partners. But then how is it affecting those countries that are being charmed by both the West and by China, be it through the Belt and Road Initiative, and how are they perceiving the posture of the U.S.? Do they agree with the U.S. and the Congressman's earlier position that the goal is to preserve an open and free and secure Internet and that it should be a level playing field, or do they perceive it differently? And I think that's one of the important questions for this report.

I would hope that one of the things that will be a clear signaling and messaging aspect of the final report is the increased role we'd like to see for the State Department. So we argue for the creation of CSET, as we call it, the Bureau of Cyberspace Security and Emerging Technologies, that would be robustly funded, along with an Assistant Secretary of State reporting to the Deputy Secretary of State or the Under Secretary for Political Affairs, with the equivalent rank of Ambassador, that would better coordinate our international approach to cybersecurity and raise its level of importance and stature at the State Department, to reinforce that this is an international approach that we need to and want to take in protecting the country and our partners and allies in cyberspace and promoting stability in cyberspace.

There's a little bit of news there, right? You're creating, if this recommendation is accepted, and Congress would have to approve it, would they have to create this new Assistant Secretary position?

That one, yes.

If I might, before going to that corner, I would just add to the conversations already taking place, three points.
One, it is a defensive mechanism. Defend forward is just that, defend forward. It requires a provocation on the part of some kind of aggressor, and the proof in the pudding will be, over time, whether we recognize that we've actually responded to those provocations or did we create a provocation in and of ourselves? Thus far, all the evidence says that we've been responding to provocation, and I believe thus far you could say that it's had at least a leveling effect. It's not had an escalatory effect. Two, just like we did in the Cold War, when we defended forward in places like NATO Europe, on the edge of the Soviet Union, it's done best, if it's done at all, in an international context with allies, and therefore it must be similarly applied in this regard. And three, while we talk a lot about the most titillating form of power, which is the military power we might apply in and through cyberspace, it's but one of many instruments of power. Angela mentioned some in the private sector. There are many in the public sector, and all of those should have an equally proactive posture, which is to have the earliest possible discernment that there's an aggression taking place, the earliest possible application, and, when at all possible, do that in an international context, such as bringing our legal powers, our financial powers, our diplomatic powers to bear in an international context to identify and to quell the disruptions at the earliest possible moment. If that's then described as defend forward, that's fine, but what we really mean is defend early.

So in fact, a good example of that, I think it's mentioned in the Commission report, is what Cyber Command did in the midterms, the day of the election and for a few days afterwards, by denying the Russian troll army, the Internet Research Agency, access to the Internet, so that they couldn't go online on Facebook or Twitter and try to sow discord or disrupt the vote. And I think that was seen as a success.
Do you have any sense, and I gather it was done in partnership with other agencies like DHS, FBI, State was looped in, do you have any sense of how this was viewed by the international community? Was it seen, I'm sure Russia didn't particularly appreciate it, but did our allies like it? Would they have said, we'll join in with you next time? And how do you think about that? That's just a concrete example of defend forward.

So some of our like-minded partners did work with us, and we did have U.S. Cyber Command, as part of a defend forward strategy the administration put forward, actually in those countries and looking for the bad actors that were on their networks and how they might be using those tools against us, and we used that as a way to defend forward as we protected the 2018 elections. Again, more of a whole-of-nation approach to saying we are going to use all assets of national power to protect the cornerstone of our democracy, our elections. And that also meant working with partners and allies to defend forward.

Do we think that action is going to deter Russia at all in 2020? They're going to think twice before they maybe try to do something online?

Well, I certainly believe it will. It's going to make them think twice. They're going to have to certainly rethink their strategy, and they're not going to be able to act with impunity. They're going to have to know that we are at the ready. And going back to 2016, we were caught off guard. It was a failure of imagination or whatever you want to call it. We were not ready. We didn't see it coming. We were definitely more ready in 2018, and we're going to get even better at it in 2020. So nothing will ever be perfect, but I'm a chess player. And so before, I think the enemies and adversaries were running the chess board. That's not the case anymore.
We are much more proactive with our own strategy, our own defenses, and in some cases being able to defend forward.

Just very briefly, you know, Chris really highlighted the importance of international or multilateral collaboration. One of the things that I think would be really useful, as the new version of defend forward uses all elements of national power, is greater transparency about the use of those elements of national power, so it starts to create predictability. So one of the things is, and I get it, right? You can't always talk about your use of the military because you may then reveal your actual capabilities. But as we start bringing in other elements of national power, I think that defend forward with a higher level of transparency around the norm that's violated and the elements that can be talked about in the public domain will start to potentially shift behavior, and certainly create more understanding and predictability in the environment. And that in and of itself I think would be a useful positive outcome of it.

I just wanted to make a quick comment. You had asked earlier why we haven't seen a cyber Armageddon yet, the cyber Pearl Harbor. I would actually make the case that the 2016 election interference, to my mind, is actually pretty close to that: you had a foreign actor who was able to target the core of our political system. And that I think substantiates part of why we shouldn't just focus on the use of force and armed attack and the analogy to war, but really what is underneath it. And yesterday I know the Commission hosted an event that was focused on election security, and the report has a few things to say about that. So I just wanted to highlight that I think the way we think about what the worst-case events we've had are, it's not just the NotPetya example but something that strays over the border into influence operations.

Exactly, because that wasn't part of our modeling.
We were always talking about deterring IP theft or disruptive attacks. We're always looking in the rear view mirror. But we didn't see, we're seeing this sort of cyber-enabled information warfare action that consisted actually of hacking and dumping emails, as well as attempting to get into voting infrastructure, as well as the social media ad buys and trolls coming into the country. So, I mean, in a sense, you're really talking about deterring an actor and their modes and their goal, which differ from China to Russia to Iran to North Korea, more than you are the actual, you know, act itself. So does your strategy, or your new Commission report, address that issue, that we were looking at deterring actors and their particular goals, and what you have to do to stop a China is maybe different than what you might try to do to get Vladimir Putin to stand down?

It does. Consider that the strategy actually begins with an acknowledgement that, as you've indicated, deterrence is actually felt, effected, in the head of a potential aggressor. It's not the action that you so much blunt, block and parry; that's tactically satisfying, but it doesn't actually affect the decision calculus of the person who might then just simply stand back and do it again. So you want to convince them, you want to get into their head, and as you've indicated, different nations, different actors have actually different aspirations, different levels of tolerance for pain, willing to perhaps withstand the withering fire, whether it's diplomacy or financial sanctions. And so you do have to have tailored campaigns, but you need to bring to bear the full range, the full panoply, of all the tools that you have. And thus far we've not done that, right? We've oftentimes episodically brought a couple, a few, together. Very seldom does that actually result in a collaboration between the private and the public sector to essentially do that in unison.
And I think that we would find ourselves much more successful in our tailored campaigns if we brought to bear all of the resources that we could tailor to the given actor for the given situation.

One of the other concepts you've mentioned is deterrence by denial, and that is strengthening the systems, hardening them, so that... five minutes left for the Q&A. Sorry. And there have been efforts, as I mentioned earlier, to get Congress to, for instance, regulate the private sector, which is where we all know the bulk of the critical infrastructure lies. Angela, what is the thinking now as to what the best way is to really bring about a positive change in companies' behavior? And I get that, you know, banks and the electric sector are ahead of others, but is it regulation, is it the threat of lawsuits, is it creating an insurance market? What are the best levers, do you think?

Yes, I think everything needs to be on the table. If I was a lawyer, I would say the right answer there is "it depends," but I'm an engineer. And so I think from that perspective, one has to look at the system and think about where the system can use things like market incentives, where there are standards, where there is insurance, where there may be liability, and then where regulation may need to apply. You know, some of the challenge here, and I feel like we have talked about this for probably 10 or 15 years but still haven't really gotten ourselves around it, is, you know, the markets are not intended to do national security, yet some of these risks are national security risks, right? And so that is I think one of the cruxes of the challenge. And then the other piece, why can't it just be, well, let's regulate this or let's set up an insurance market, is the diversity of the critical infrastructures and the diversity of the technology environment in them.
What is going to work for IoT in a smart city is going to look incredibly different, because the consequences are really high and the market may be able to bear a higher level of security, but may not be the same as what we need as we start to look at IoT in the electric power sector. And then what you look at in, for example, sectors who have not even thought about themselves as critical infrastructures where they are starting to move forward with digitization. So toy companies and these kinds of things. The challenge is this is an interconnected system, and the place of least protection is always the point of entry. And so you have to look at what the market can bear. And I think standards and incentives are really important. I think then you're going to need to move up to what the market cannot bear and really start to look at where regulation might be necessary to change behavior.

Just to build on that. We are actually doing a lot of work on the insurance market right now here at Carnegie, and there's an interesting case where Zurich Insurance actually used the statement that came out blaming Russia as a reason why it's refusing to pay one of its clients, by arguing that its war exclusion clause applies because there's a public statement accusing another nation state of having been responsible for an incident. So there's an interesting connection between the activity by government and how that may impact the market that underlines why that cross exchange is really important. But the point I want to make about regulation: back in 2012, when the last draft comprehensive cybersecurity bill was in front of Congress, I worked at a different think tank and I was told to analyze whether the existing public-private partnership model is working or not. And after several months, this was an impossible task. The best study I could find, in terms of quantification, was a GAO study that had done a survey of 46 experts on whether this model was working or not.
We are in a different environment today. If you look at Europe, Europe is going the regulatory route. They have the NIS Directive; same for China. Whereas in the U.S., as you outlined, with the bills that didn't pass, we still are in the public-private partnership model, for different reasons. But in a few years we should be able to see which regime is actually having more of an impact on increasing resilience, and whether the regulatory route is actually feasible, or whether, because you don't actually have the capacity to implement it (if you look at Europe, they don't have it) without the necessary exchange with the private sector that we prioritize in the U.S., that is the more promising route. So in a few years we should be able to actually, the political scientist in me speaking, be able to compare, and that wasn't the case in 2012.

But I think Angela and Tim have laid it out nicely in terms of how the report comes down, which is to consider the range of government actions, hopefully preferring to allow market forces to handle much of this, to use incentives, perhaps the reduction of liability, help establish insurance markets. But when necessary, and by exception when necessary, to essentially declare that there's a public interest and therefore, through regulation, to ensure that critical functions have been tended to. But to do that by exception as opposed to by default.

All right, should we open this up for questions? I guess, is there a microphone coming around?

We have a microphone. Raise your hand and then wait for the mic, introduce yourself and ask a precise question of the panel. Thank you. There's a gentleman right here.

Thank you. Andrew Eversden with Fifth Domain. A question for Congressman Langevin and Chris: can you expand upon what you want to see as the role of the State Department moving forward? I know you mentioned cooperation.

Sure.
So we want the profile of cyber to be raised. As you know, there's an ambassadorial-level position that was eliminated. And now the top cyber person there is Rob Strayer, and I appreciate the work that he's doing, but it's a very small shop, and they need more resources, more people, more expertise within the State Department to raise the profile and also to be able to be proactive in being involved with international standard-setting bodies, groups that are involved in setting international cyber norms, if you will. So that's what our hope is: both to get additional appropriations, but a higher-level, ambassador-rank Assistant Secretary position and a new bureau that would be properly resourced.

Can I just ask a quick follow-up, because you gave me a good opening. So one of Rob Strayer's main focuses right now is the 5G issue, to try to persuade allies, primarily European allies, not to allow Chinese companies like Huawei into their 5G networks. Why has the U.S. effort not met with more success with its allies, do you think?

Well, possibly because we were late to the game, possibly because we didn't have a focal point within the government that said, this is what I think about 24 hours a day, when I get up, when I go to sleep, this is the thing that I should worry about: whether we're joined up and whether we have an effort not simply within the federal government, between the private and the public sector here, but an international effort. And so the recommendation we've made for that entity within the State Department is going to formally be called the Bureau for Cyberspace Security and Emerging Technologies, so that in the future, hopefully, 6G, 7G, 10G will be the responsibility of somebody, at least in terms of the international portfolio, the international engagement.
And an Assistant Secretary of State essentially has the responsibility to ensure that the United States position, whatever that might be, is coordinated to the extent possible and viable with our international partners.

Thank you. Back there. Gentleman in the back. Oh, yes, go ahead.

Jessica Mathews from the Carnegie Endowment. I wondered whether the Commission looked at individual Americans as a key actor in this equation. There have been references to civil society, but I'm thinking of something different, which is when I hear reports of warnings, the last one was just about a week ago from eight government agencies about foreign intervention in the campaigns, I have this intense feeling of frustration, wondering what people are supposed to do with that news unless they're given an awful lot more. And I take on board the references to transparency, but it seems as though this critical, gigantic actor is not being made a part of the equation. I wondered whether the Commission had grappled with this or whether others want to talk about it.

Yes, necessarily. You know, the individuals who essentially are oftentimes the ones who are on the front lines of the skirmish, they need to know what they should do, what protections they can expect, what perhaps lies in their job jar in terms of things to do. And so the Commission does talk about the need for cyber education. It talks about the need to provide expected, transparent services to that population. And so it's a range of things you do to think about the individual. It starts perhaps in school. It might then talk about what accountability and expectations they have. But you need to make the world they live in a saner, safer, more rational world. And so some of that then falls to government and corporations to say, what are the expectations you have to, when you place that person in that situation, give them something that they can deal with?
And then they take it over because they've been properly educated about what their role is and what they should do. There is, in some cases, some extraordinary education. I can tell you, I teach cyber science at the United States Naval Academy. There are some places where that's done well. That might be one of them. There are some places where it's just completely ignored. So people don't know what to do other than to simply say, I'm not going to turn the computer on. That's not a great answer. So we need to have an "all, many, few" approach. Everyone in our society needs to know something more about cyber, whatever that is, than they do today. What are the true risks? What are the things you can do to protect yourself? What are the expectations about what accountability you bring to bear? There are many who don't think that they're actually involved in creating cyber systems that actually are. Whether they build airplanes or whether they're lawyers establishing legal regimes, they need to know something more about cyber in their professional practice than they do today. We need to invest those professional programs with that education and that lifelong passion for keeping up with that. And then there are a few who have the word cyber or IT, information technology, in their name. We need more of them. There's been a lot of focus on that. I think we're 500,000 short in this country over the next two years. But unless we take care of those other two clusters, right, the work that those few people do will not be enough.

I think your point's really well made. Yes, sir.

Michael. Thank you for your presentations. I'm wondering, and this is for the whole panel, how do proprietary software and international standards for cybersecurity compare with open source, like Linux?
And do those two kinds of schemes, if I could use those terms generally, have a role to play in terms of cybersecurity frameworks and policies?

So I guess I'll start, you know, I'm happy to have the Commissioners speak, but I feel like there's a little bit of a small software and services company sitting up on the panel. I think one of the things is recognizing that neither open source nor proprietary software is more secure, but that we have to think about how software is made and how it is maintained, and bring practices and expertise to bear in both of those market environments. You know, one of the things that I think a lot of folks don't necessarily know is that Microsoft is the largest contributor to the open source community that exists. That's because anytime we are using open source in our products and services, we do a security review of that, identify any vulnerabilities, and then pay that back into the open source community. So I don't necessarily think that one model or the other has a huge applicability to the kind of international security conversation that we're having, but rather recognizing that both models are going to exist and that the process of how software is developed and maintained over time is actually an important part of the deterrence through denial that the Commission really talks about.

Just to add a comment and go back to Jessica's question about the education piece and how we do that: the fact that you can still graduate from computer science programs here in the U.S. without ever having taken a course in security, because it's not part of the core curriculum, I think is one of the big challenges that we face.
It gets quickly complicated because of how education is organized and structured in curricula, but that still gives you a flavor: you may have people who have taken computer science for four years go into a startup and write code or open source software but have never taken a course in security, in how to write code more securely. And I think that's a huge challenge that I don't know to what extent the report goes into, but maybe something else is fine.

Do we have time for a couple more?

Yeah, I think one or two last questions.

Thank you. Peter Slaughter, Netherlands Embassy. I'm wondering, in the Solarium Commission, what was the hardest nut to crack, or the topic that you disagreed most upon?

Well, let's see. I guess, how maybe we would say, engage with the private sector. There was discussion about that. And the other, well, without getting too far with my teeth, how we deal with Congress. That was maybe the other robust discussion, about what should Congress's role be and how do we perhaps streamline things.

We had different preferences around the Super Bowl timeframe, that's hard. But we also had a difficult time, and it wasn't so much that there was contention, we didn't know quite how to get our arms around it: how do we actually achieve a meaningful collaboration between the private sector and the public sector? It's easy to talk about information sharing. It's easy to talk about permissions in terms of pushing information around. It's a far and away different thing to say, how do we actually co-discover, co-mitigate in a space when, by design, these institutions have been designed to operate separately from one another, to operate in their stovepipes? That was challenging. And I think we got to a consensus as to how we can move forward to make a transformative recommendation.

I've been told we have to close now, that the Congressman has to get back to the Hill. Thank you so much.

Thank you very much.