 Okay, ladies and gentlemen, welcome to the first panel of today, looking forward to how the United States wins the Cyber War of 2028. Before we get into the panel itself, we're going to have a survey round with two questions just to get your sense of how you're thinking of these questions. So if we could have the first question, please. We're assuming a question will come up shortly. So you should have clickers and you can read the question and I can't. But the key thing that is in the next decade, what cyber threat is the most dangerous to the United States national security? And credit where it's due, I should say that these questions are very heavily based on a cryptic created by a science professor Thomas read about the threats that the US faces. Very shortly, we will have the answer to that, I think. Okay, pretty conclusive, if that's true. Sabotage is what you're all most worried about. We actually then have a second, it's changing, sabotage slightly ahead of subversion with espionage and battlefield threats coming in relatively low down. We'll let that settle. We then have a second question for you. If I could ask you to queue that up. Subtly different question, this time asking you which of those threats is the United States least able to manage. And again, pretty conclusive there that subversion is the one that the US government is least capable of managing and we're going to get very much into that question of subversion and disinformation as we go through this panel. So as we get going, as Albert mentioned, we have a fantastic lineup, just a recap. Rob Lee, who is a New America cybersecurity fellow, as well as being the founder CEO of Dragos Inc, industrial control system, cybersecurity company, and importantly, a former FOS officer. Jen Eastley, managing director head of cyberfusion at Morgan Stanley, but also an ex-army officer. We have Bob Schmidle, a professor of practice at Arizona State University and an ex-Marine. Well, I think you're never an ex-Marine. I think you're always a Marine. And Peter Singer, who is a strategist and senior fellow at New America author, amongst other things, of Ghostfleet, a novel of the next world war. So the premise of this panel is very much that the information technology is going to fundamentally change the character of conflict. And I think that's sort of built into many of the panels. But also that the United States, maybe even most countries around the world, have not necessarily fully made the mental shift to respond to that. I think the premise of this panel is also that this is not necessarily just a military problem. In order to set the scene, however, I'm going to hand over to Peter, who's been writing and thinking about this for several years, just to give us an overview of the things that we might want to think about. Peter. Sure, thank you. So thinking way of framing this is to imagine if we were gathered 10 years ago, what would we have identified as the key trends that might affect cybersecurity, cyber war in 2018, and use that as a way to look at, okay, how would we look forward 10 years? So if we had been gathered 10 years back, there's a lot of issues we might have talked about, but I think we definitely would have talked about three. One would have been the question of intellectual property theft and our adversaries stealing our secrets, and how might that advantage them or not on the battlefield. That issue was just starting to percolate, be taken seriously. You had had major U.S. weapons programs that had had serious breaches, et cetera. The second would have been some kind of question of surveillance and privacy, and what does that mean for this space? And the third, we would have likely had a debate back and forth about what kind of organization do we need in this space, and we all would have said something around, well, we need something like a cyber command, and this is what it should be and this should be how it's structured. Now, the challenge is that all three of those issues, we didn't solve them over the last 10 years. Intellectual property theft continues, and we've now seen the fruits of that campaign. So the latest U.S. and Chinese stealth fighter just coincidentally look the same. Surveillance, privacy, what we would have argued about back in 2008, we wouldn't have mentioned Edward Snowden, and we would have had a very different kind of discussion, so that problem not solved either. Encryption debate's still with us. The question of cyber command, it's here. We're having a different kind of organizational debate around it. Okay, none of those have gone away, but I would offer that if we're looking at the Great Cyber War of 2028, there's three more that have moved to the fore that makes it even more complicated. The first issue is the complete and utter collapse of cyber deterrence. The message that Russia and every other actor received in the wake of 2016 and the campaign of attacks on the United States and all our key allies is that this works. Related to that, we have the fact that Ukraine has been treated as a battle lab for learning all of the different things that you can accomplish in this realm. I think Rob's going to hit that really importantly, but again, this hits on everything from information warfare attacks and the like. Importantly, we've seen the crossing of key norms in targeting critical infrastructure. All sorts of things we said for the last 10 years you never ought to do. We've seen that crossed penetration and the nuclear power plants and the like. And then finally, we have the international efforts to build cyber security and cyber war norms and rules of behavior and international institutions. Those have all fallen apart. So I think if we're looking for historic parallels, we might look at this period as akin to the Spanish Civil War, where you saw Spain in the 1930s treated as everything from a battle lab for testing new technologies, tactics, et cetera. But we also saw the message received that the international community was going to let adversaries get away with it, that their activities would be low-cost high gain. The second thing I would toss out there is the hybridization of pretty much everything. So we have criminal actors being used to conduct state operations. And the Russian campaigns would be a great illustration that both targeting Ukraine, targeting the United States, you name it. We have the inverse, which is state actors being used to conduct criminal activities. So Lazarus Group coming out of North Korea conducting one of the biggest bank robberies in history. We also have the hybridization of realms in the United States. We separated cybersecurity information operations. Well, that's not how the rest of the world does it. They brought them together whether you're talking about Russia or China or the like. They're crashing together. So the targets, the tactics, basically all the activities are becoming hybrid. And then the third is that the internet itself is changing. We're moving to the end out of things. So we're not just using our smartphones to communicate, but we're looping together. Smart power grids, smart bases, driverless cars, you name it. That's wonderful. That creates efficiency. It also massively grows the attack surface. And we're recreating all the mistakes of cybersecurity on the other side of not baking in security. And so the final happy thought I'll leave you for the Great Cyber War of 2028 is that we will see kinetic attacks on the internet of things which will break things and which will kill people. The IoT being targeted will fundamentally change the politics of cybersecurity because all the rest of us are going to be able to wrap our heads around what it means. It's not just going to be, oh, millions of files were taken. It's going to be something broke, someone died. And again, that will change the politics of it whether you're talking about at the state, local, global level. Thank you, Peter. We know I'm going to ask the panel to unpack some of those thoughts based on their expertise. Then we're going to have a bit of a conversation about that, and then we'll open it up to questions from the floor. So please be thinking about the questions that you would like to ask this panel. But the survey showed that people are definitely concerned about sabotage. Peter raised that. Rob, you spend your daily life worrying about the cybersecurity of the industrial internet of things. Over the next decade, what do we have to look forward to? Yeah. So I would largely agree with what was said and note that if we look at the past 10 years as it relates to industrial infrastructure, so ICS and SCADA, those type of terms, when you look at what has happened, it's largely been an avoidance of the issue. So we've seen a lot of good discussions about it, but a lot of the insights and actually what's been going on in those environments have been in the private sector, in those industrial networks, away from where people are collecting and monitoring. Your large security companies who typically have great insight into the threats that we talk about and face and even reach into larger political discussions have always collected in enterprise business networks. That's where they have technologies and sensors and people to look and see what's going on. We haven't had that in industrial. Ten years ago, we could look at the campaigns and activity groups that were targeting the enterprise and getting reports like APT-1 and there was no mention of industrial espionage, industrial control attacks, but they were occurring. I should look back at that data set and see it was there, but the expertise and the collection wasn't there. We see that now going forward as well, where it's still just starting to come up to the discussion. So taking the Ukraine discussion as well as sabotage, if you look from 2012 to 2014, just over a two-year period, we saw a significant increase in targeting of U.S. infrastructure from our strategic adversaries. But it was all preparatory type work, just looking and identifying what they could find in our infrastructure. If we then look at 2015 to 2018, we have a number of concerning attacks. We had Ukraine 2015. I was fortunate enough to be one of the lead investigators on that, looked through that case and saw an adversary dedicate 20 to 30 people and a lot of resources to try to take power down across three regions of Ukraine. That was a lot of learning for them. It wasn't that they are this mythical, great adversary. I think we kind of build up the adversary at times. A lot of learning taking place. 2016, when they did it again, they codified it into software. So my firm identified what was called Crash Override. That was, in essence, whatever they learned in 2015, getting put into software to make it scalable in 2016. And then in 2017, we saw Trices, another thing that we got to be involved with from the defensive aspect. And that one hasn't gotten a lot of discussion, but I think it probably should, because it took place in Saudi Arabia, but it was the first piece of malware ever specifically designed to kill people. We are very fortunate people didn't die. So there's 10 years from now prediction about people dying, fully supported, because I was concerned that we were going to lose life last year when that capability was deployed. So what do I see? And what do I see as a problem? The first of which is that when we do get these opportunities to have a more nuanced discussion in the public and maybe even set some norms, we largely abdicate our duty to it. In 2015, first ever cyber attack against the power grid, what was done? Nothing. Not a single senior policy member, White House administration, anybody came out and even condemned that the attack took place. 2016, different administration, nothing. 2017, Trices, Saudi Arabia, nothing. We're setting a precedent that these attacks are actually a great investment because they don't come with the baggage that other types of conflict do. So when we give up our opportunity to influence the discussion on those key pivotal points, we will end up losing our ability to have these longer discussions in 2028. With the industrial internet of things and some of the technology that's coming out, and then I'll pivot to my other panelists, I see an over focus on sometimes technology and buzzwords other than actually focusing on what the mission is and what we're going to do with it. How many of you have had to listen to pitches on AI and blockchain? If I hear how blockchain is going to solve security one more time, I swear I'm just going to go become a farmer. Nobody actually needs a ledger. If you want a ledger, we can show you how to get a ledger without making blockchain a thing. But we have a sort of focus and over focus on silver bullets. We're just going to fix this. Blockchain is going to revolutionize AI. Oh my gosh, we have it for offensive and defensive purposes. I spent my career at the National Security Agency. If AI was that awesome, we would have already taken advantage of it for all sorts of things. It's just machine learning. It's powerful, it's useful, but it's not a panacea for these effects that we're looking towards. So I think we have to recognize the problems we have. Industrial is not going away. Industrial is actually the very fabric of the modern civilization we have. We have to treat it as such and we have to treat it both as a policy, business and technology focus rather than thinking that, again, ignoring the problems or silver bullets are going to fix it. Thank you. Jen. Merging consensus that what is going to distinguish sort of future war from previous wars is the U.S. homeland is going to be targeted and cyber is going to be the sort of vector for that. The critical infrastructure sector that has been perhaps most targeted to date is the financial sector. From where you are now, how do you see prospects for the next decade? Yeah. Thanks for the opportunity to be on this panel. And I'm going to try really hard not to talk about blockchain. Good, good. So I know we're looking out to the future war and I thought it was a great setup from you and Peter. I thought it'd be more useful to talk a little bit about the near future and sort of how somebody who's part of the financial services sector and critical infrastructure looks at it now and it'll pull some threads from what Peter laid out. But in terms of how we look at the threat right now, I think it's important just to kind of do a survey of the trends. If you think about just 2017, you think about ransomware, which was a big story over the last couple of years, some of the attacks from WannaCry to NotPetya to BadRabbit, obviously having significant impacts on people not being able to get to their data. So one major thing. The second, which was alluded to as data breaches, whether that was through publicly released vulnerabilities that were not patched in time. We saw massive amounts of personally identifiable information, obviously Equifax, Uber, all of this has significant impacts on financial services because ultimately degrades people's ability to authenticate into their network. So you see PII, which is widely available on the dark web, and that leads to things like credential validation attacks against certain systems that banks have for people to be able to log into. We also saw the distributed denial of service attacks. I think that were alluded to, speaking directly to lack of availability, if people can't get onto their accounts, it directly impacts the sort of credibility and the reputation of the bank. So that has major impacts. And then what also Peter alluded to was this swift, threat actors going after the global payment system has massive impacts on, again, the credibility and the integrity of being able to move money. And as I think was alluded to, we saw the Lazarus Group or allegedly North Korean sponsored actors responsible for the Bank of Bangladesh attack in 2016, going after about one billion. They only got 81 million, but then a series of other attacks against SWIFT. I think that is one of the more interesting stories and trends that we see are these sort of what one might refer to as a rogue nation state actor using allegedly leaked very powerful nation state tools to commit fraud or theft. And you could argue the other piece of that, not just Bank of Bangladesh, but the WannaCry attack, which was attributed to the Lazarus Group as well, using tools like Eternal Blue or Eternal Romance to do a ransomware attack. So trends that portend a very increasingly and accelerating and complex and dynamic threat landscape. And even that was just sort of 2017. If you look at the first quarter of this year and you look at these massive DDoS attacks against Arbor and GitHub, you look at Meltdown Inspector, which are vulnerabilities that affect every chip in computers. These have significant impacts on us right now with respect to the financial services sector. Your point, I think, is a good one, is that the service, the sector was hit pretty early on. And I think, at least from just having been at Morgan Stanley for a year, what I've seen is some really good efforts to get ahead of this increasingly, as I said, complex and dynamic threat environment by bringing together the key banks through the FSISAC, which has been around for a while now, or through the FSARC, the Financial Systemic Analysis and Resilience Center, which is some of the smaller banks that are very actively sharing information, which I think is great. But all of this, for me, at least in the near future, really necessitates making sure that we not only have the right organizational structures in place and I think there's some lessons learned from my most recent experience in government and counter-terrorism, but a real emphasis on technology process and probably first and foremost, people. I think we have to get the people thing right. And, you know, to the point of the last discussion with General McConville, the need to make sure that we are very deliberately managing talent, both in the private sector and in the public sector, and allowing for personnel policies that perhaps can facilitate the transfer back and forth between critical infrastructure and the military or the government to sort of raise all talent levels. So I'd love to talk more about that, but that's sort of the near future view of what I see. And we definitely will talk more of that. Bob, since you retired from the military, I know you've been thinking about this issue in various ways, but just very specifically for the purposes of our opening remarks, I wondered if you might talk a little bit about the threats to the deployed force. There is a natural desire to talk about Homeland Security threats, but you know, Peter wrote a best-selling book sort of saying that cyber is actually a big issue for the military. Are we in danger of forgetting that in focusing on all of the threats to infrastructure in the financial sector? Okay, so I think what we ought to do is to start with the way that we think about warfare, right? So when we say, when we even talk about the future of war, I would suggest that one of the things that we are not going to have the luxury of is having a clearly defined line between when we're at peace and when we're at war. And so just, you know, from my experience doing this, you know, the first night at Desert Storm when we all lined up on the runway at Shake ESA with our lights off, as soon as you plugged in the afterburners, you knew that everything had changed. It was going to change. The ROE was different, things were different. We were at war and we were gonna treat the way that we were behaving in a different manner. That's not going to happen, I don't believe. As a matter of fact, I would suggest that we are actually at war right now. And it is the war of ideas that has, so you can tell I come from New England, right? So we put ours on the end of the word, I guess it's up. The thing is, you can kill people and we do that and we found some really efficient and effective ways to do that over the years, but what you can't kill are ideas. And so, you know, the whole purpose of propaganda, for example, is to influence an outcome without resorting to physical violence. So if we think about the future, what I would suggest is that it is, the war is not gonna be declared. We already see the Russians talking about this from Gerasimov and others that have begun to say that in the future, wars will not be declared. They will simply be an increase in the level of violence. So if we are at war now, our general, our notion of what it means to be at war is something that I think we need to examine and that we need to think about how we're gonna fight this war of ideas. How are we going to be able to counter disinformation, to counter weaponized information? To how is it that we are going to be able to do that? If the purpose of disinformation is, and I would suggest it actually is not the content of that disinformation that is most important, that the purpose of that is to create a social bond among people that will then believe what it is inside of that micro world that they're being told. And this is the understanding why people seem to believe things in spite of the fact that all the evidence points to a different answer. You know, there's a famous American philosopher named Groucho Marx, who once said in a movie called Duck Soup, if you ever get a chance to watch this. After some event occurs, you know, Groucho takes the cigar out of his mouth and looks and he says to this guy and he said, so who are you gonna believe, me or your lying eyes? So just think about that because what's happening now is that we are subjectively, and we have been for years interpreting the things that happen out there. And we haven't accounted for the way that bots accelerate the disinformation that comes out, the way that people take in information that so much more of it now is coming through things like Facebook that tailors that information in a way that begins to simply reinforces your worldview. So to the point that Peter made earlier, I fully agree that there are some really Gucci technical capabilities that cyber is going to give us today, it has today, and into the future. The kinetic effects of cyber, again, I don't think that that's where we ought to be focused as we think about the future of warfare. We ought to be focused on the war of ideas and how it is that we are gonna counter the narratives that are out there now, how we're gonna deal with narratives that actually are having an effect on our view of the world, our enlightenment that we think that if all rational people can sit down and observe the same facts that will come to the same answers, we can't even agree on what the facts are. We have people talk about a post, or alternative facts about a post-factual, a post-truth world. I don't think that that's necessarily all completely accurate, but there has been, with the advent of post-modernism, more and more people believe that truth comes from those that have the power to be able to say what is and what is not true. And so when we think about that, and we think about the fact that we just spent the last century trying to defeat two totalitarian governments, right? The Nazis and the Soviet Union and the resurgent Russia that's out there today, we ought to be thinking about how those governments came to be, especially in countries that were, that had such a deep history in the case of Germany of enlightenment philosophy. So again, I think it's the war of ideas, I think we need to think about that, we need to think about narratives, and we need to think about the fact that in the history of the human race, we've not really been successful at killing ideas, not nearly as successful as we've been about killing each other. And I would suggest that the war is happening now. We're not gonna have a big bright day where you're gonna get up and all of a sudden everything's gonna be offline. That may happen, but that is the end result, I would argue, of a larger and more insidious change in the way that we think about, for instance, still this great experiment of ours in constitutional democracy, so. Peter, you spent the last two years thinking about many of these issues, writing a book that we will get to read in October, but give us a sense of where your research has told you about what we need to worry about out now and over the next decade on the issue of social media and disinformation in warfare. Sure, so the project, Ian, if you're gonna plug it, you gotta plug the name of it, but it actually aligns really well with what the journal laid out, it's a book project called Like War that'll be out in October, and it's a play on the idea of we're seeing realms where war and politics are coming together, so we are winning elections using information warfare techniques, and turn ISIS's winning battles by using the same digital marketing that Taylor Swift does, and so they're all crashing together, and I think if we're looking at the future of this space, I see again that parallel to the Spanish Civil War in the 1930s, we've spent the last couple of years experiencing what you can do with fake accounts, what you can do with the influence of sock puppets, whether that's humans posing as someone else or bots, we've seen the impact of fake news, and again, whether it's changing battlefield outcomes in Syria and Iraq, or it's potentially or arguably changing election outcomes, there's a really interesting study that just came out of Ohio State that looked at what exposure to fake news did to voter turnout in the 2016 election, and basically it depressed previous people who had previously voted for Obama if they were exposed to fake news like Pope endorses Donald Trump, it brought it down, voter turnout for them by 2%, which if you crunch the numbers, actually was enough to swing things, but if we're looking at the future, what worries me is to go back to this idea of hybridization, so it's not something that's completely fake, it's the melding of what's fake and real, which makes it more effective, and this is known, particularly when you look at the video side, is deep fakes, and like so much of the internet, this comes out of two places, it comes out of the porn industry and university labs, so if we've got a picture here, this is where someone melded the real face of Gal Gadot Versano, who's the star of Wonder Woman onto the body of a porn star, making it seem as if she appeared in a movie that she definitively did not appear in, so if you can go to the next slide, you can also not just meld but change, this is from a University of Washington experiment where they were able to synthesize a presidential speech that never happened, so you could make Barack Obama or anyone else if you've got approximately 30 visual data points, which through social media you don't just get 30, you get literally thousands, you can make them essentially say what you want them to say. Next slide. So we're just now starting to get a taste of this in our politics. This is from an Instagram that the young survivors of the Parkland mass killing made where they're advocating for gun control, and if you can go to the next slide, very quickly it was changed to make it appear as if she did something that she didn't, so if you saw she was tearing up a target, and quickly it was made to appear as if she is tearing up the constitution that was conducted, that was coordinated via social media, and then it was driven viral by a mix of alt-right and Russian bots and the like, so sounds familiar, and my point in all of this is that we, US government, need to understand this is a weapon, this is a weapon that will be used against US democracy and the US military, it is a weapon that will be far more important and far more effective than many of the real weapons that concern us, as well as many of the fake ones like EMP that get a lot of attention, and so we need to start to do R&D on how to rapidly identify and debunk and defeat this kind of weapon that's going to hit us, that's been proven to be effective, and in turn it can't just be on the US military, the US government to figure this out, it also is on the platform firms to figure out how do they prepare their networks for this weapon being used on them, are they going to need to a little bit parallel to the financial sector, come up with the equivalent of like credit card, the ability to mark transactions, hashes, maybe this is actually where blockchain will be effective. Digital hashing will do the whole thing for you without blockchain. We'll hear on that, but then it's also, the third part is it's on the media to figure out what are they going to do about this weaponization? Are they going to enable it or not? Which again was the exact same question they didn't ask themselves when for example foreign actors hacked people in the American political establishment, weaponized it to hit our democracy, they didn't go hold it, am I going to help this battlefield action from another side? So this is I think going to kind of, I would have said it's 2028, but I think we're going to see it starting and maybe as soon as, we saw the micro version here, what's it going to look like in the 2018 election? What's it going to look like in the 2020 election? How is it going to be used against US operations, BM and Syria, the like? So my job in all of this is to keep the panelists on point. So returning to our question of what it takes to win cyber wars and even that concept is a little bit debatable. What does this actually mean for the distinction between civilians and the military? I mean the consistent message from what you said is that we're seeing a blurring of responsibilities. We have a new cybercom commander, NSA director coming in. What should he make his job and how should that be different from what you know, you Rob, you Jen, Mark Zuckerberg should be worrying about? Great way to clump us in with Mark, yeah. Still no blockchain, would be great. But what does it actually look like for the military? So I think about this a lot. I get asked this a lot from my military peers and I would say we have to figure out who's lane in the road and goes to what problem. I see a lot of effort and resources continually wasted by very well intentioned groups, each claiming ownership of the exact same problem and then debating between themselves to fix it. I gave a Senate testimony recently on what we needed to do for infrastructure security and one of my big positions is when it comes to the government they need to stop and this can get into a political session but stop going out to executives at like power companies saying we can do your incident response and your services and your defense for free when a cyber attack happens. Even if you legally could which there are debates you're not well resourced for it in order to have the skills to do it at scale. And so getting ready to give this testimony was interesting to me that I had DOE, DHS, DOD and National Guard components each reach out to me to complain about each other hoping that it would get into my Senate testimony about why they shouldn't do it and how they should and my position is actually all of you should stop going out and advertising this capability. So when it comes to the role of these government agencies and private sector there's a ton of very well intentioned people with very good skills that each have a role to play but there are certain things the private sector can do. There are certain things the private sector is better at. Knowing what's in their networks and training and defending their networks they are better at. Going and making hard policy statements against the Russian state and being able to wage Title 10 or Title 50 kind of conflict and intelligence they're not as good at nor they should be good at it. There are purposeful roles of government, military, DHS, DOE, et cetera and we need to make sure we play to the strengths. One of my concerns for 2028 is well intentioned groups having a butterfly effect and killing those local economies. Good example of this goes back to the infrastructure debate. Right now there are many National Guard units many of them are right on point where they should be but many of them have gone out to conferences that I've gone to and said we will do instant response. When the Cybers happen call me and we'll come in and do instant response for you. And then you ask them their plan they're familiar with that type of control equipment how many times have you operated a high energy transformer any of these kind of discussions and it falls apart. But then what happens is the power company owners don't go to the instant response firms that are actually building those skill sets coming up with innovation and figuring how to do that. They think nope I've got this call the cert call the DHS number that's my instant response plan. So what it in effect does is it kills that expertise in the community that should be coming up against these threats and becoming quite literally battle hardened. I'll give one more that sounds like a complaint but it's really just a warning. I have seen, I have better intelligence today on industrial control system threats at my firm that I had at the NSA when I ran the mission. It has nothing to do with people and capabilities it has to do with being in those networks to collect that data and having well skilled people outside of bureaucracy. The problem is even when I publish a nice intelligence report to our customers and folks it will take about three weeks for it to come back to me as a classified report with our logos removed from it claiming that the government found it. That actually has introduced problems for me twice where it actually almost led to FBI type investigations thinking that we should have high data when we were actually the original source of it. This is an actual big issue. If you want to talk about building skill sets up and having capabilities of people in your communities who can actually do security my concern for 2028 is people not sticking to lanes where they actually focus on problems and instead when they run into challenges pivoting because they're really good people. Pivoting to something easier that actually is a place where private sector can and should be in. Yeah, just to your point on cybercom I guess I'd say a couple things. You mentioned the new vision statement that's out there. And I'll say up front I am personally very excited about Paul Nakasoni if and when he gets confirmed taking over both NSA and cybercom. I think there's nobody better for that job. Nobody more experienced both on the signals intelligence side as well as the cyber side and exactly the right person to take over that job and to grapple with the tough questions of how do we continue to build capacity and capability and the elevation to the unified command the question of whether they split the dual hats that was put together almost 10 years ago when I worked with him on the cybercom I team. I think one of the things that they're going to need to spend a lot of time on within that vision statement it talks about things like resiliency which I think we can all agree with but a more sort of active defense and a constant contesting of the adversary and so really figuring out what that means and then operationalizing that both from a military perspective which I won't weigh in on because it's been a while but in terms of their relationship with critical infrastructure I think is something that we need to figure out not 2028 but as we've all been sort of circling around these are current threats these are things we're going to need to deal with in the very near term whether it has to do with information operations that not only can affect our democracy but can also move markets in a pretty significant way these are things we're going to need to figure out how to develop that pretty strong connective tissue between the government and various facets of the government where the capability and capacity lie but where the right legal authorities and the policy framework I think still again having been away from it for a little bit could use some focus frankly and then to figure out again how we develop this relationship with all the critical infrastructure sectors to make sure that if there are significant attacks that we have the capability to work hand in hand to ultimately defend the nation so the just to pile onto that for a minute so if we agree that perhaps that the threat that we face in the future is a threat to the narrative if you will that we tell ourselves about this democracy and about how this country operates about what's of value to us how is it that you are then going to if that's sort of the quote non-traditional way of looking at this how do you focus an organization like the United States Cyber Command on that kind of a threat in the case of a National Guard unit how does a how does a National Guard unit in State X respond to a request to ensure that their voting system is in fact secure and when they discover that it's not just the sort of moat security right so we all know that that's not the good visualization I mean the big challenge is that there is no longer a home game and away game it's just the game and it includes everything so as we think about defending those kinds of things that are of value to us in the in our infrastructure part of which is this I would suggest the heart of it is the information that's out there how do we organize ourselves to be able to do that given what Jen just said which is absolutely the challenge today given the authorities that are stoepiped in every way shape and form that you can imagine to align with the piping of the organizations the line between what the department of Homeland Security would do in the event of an attack on the critical infrastructure and what cybercom might do in spite of the fact that we've been having this discussion for well nine ten years now eight years we still don't have a clearly defined at least in the minds of many of the folks that are going to be called upon a distinction or a delineation between where that line would be given that historically what we have in place is for natural disasters like think Katrina Hurricane Sandy whatever that when bad things like that happen at scale the US military is generally called upon to come do something no one knows quite what that is and we ride to the sound of the guns and away we go so how how we think about that even just being able to react to something like that and then but the more important question is how do we think about proactively dealing with this if you know the bots are in certain places and you know that they are bot farms that are owned by organizations that have an affiliation with government X what is the authority what is the what ought the authorities be what would the role of cyber command be in doing something about that and how we make the distinction between whether we're going to turn those things whether we're going to send them to Mars whether we're going to do something else it remains to be seen and but I think it's it's it's stepping back from what we've traditionally seen is the mission of the United States cyber command and thinking more broadly strategically about how this threat that has become so evident here in the last few years with regard to the what the information has done to affect if you will some of the things that have been happening in the world and very last thing I would say is that any discussion about this has got to go back to the weakest link in this thing so like cyber security we realize that the weakest link in the cyber security chain is us it's the operators right the weakest link in this chain of disinformation is also us you know we we we tend to forget that if any of you have a chance to Google this thing Orson Welles played the war of the worlds right from the mercury theater in the 1930s and three different times during that thing during that 40 minutes they came on stopped and said this is only a drill this is a this is made up it's fixed and yet it caused widespread panic in New Jersey now could have been because it was in New Jersey I don't know but nonetheless so Peter the general said the sort of 64 million dollar question what's the answer what should the strategy be the answer in so much of cyber security is w w e d what would Estonia do and by that I mean whether it is the strategy of building a digital economy but thinking about security as you build it and a convenient digital economy a lot more convenient than than ours to a strategy of resilience understanding that threats will you can't stop threats from hitting you it's how do you become resilient to them so kind of this overall strategic thinking to creating organizations to fill gaps so you know I'm in complete agreement with the idea that we need to make the transfer of knowledge between private sector and government or active duty military a lot easier but there's also at the end of the day and I think Rob also touched on this there's only so much capacity only so much expertise that you can locate within government or the military so we've built up national guard capability but at the end of the day to serve in the military to serve in the national guard you have to meet a set of physical requirements that the previous general mentioned not everyone meets you have to meet a series of criminal background what you can smoke or not you have to join the national guard even as a cyber expert you have to be willing to say yeah I'm a cyber expert but if you need me to deploy to Iraq or earthquakes in Haiti I'll have to go so that does not solve our human capacity problem and Estonia has a model called the cyber defense league that allows civilians to aid government on a volunteer basis the parallel in the United States is a civil air patrol which was actually created during World War II to fill gaps that the US military couldn't meet so it was doing things like submarine patrols to ferrying planes to teaching kids and again the parallel here for a cyber version of this is doing everything from red teaming to helping with incident response to just like the civil air patrol reaching out to schools and universities to aid in training or to draw people in so I think we need to be creative in building up other organizations that gap fill and do it in a very cheap manner so if you look at the civil air patrol it's something like a budget of like 60 million and again I think there's a lot more that can be done in this space but to go back to what Rob was laying out the challenge for it is everyone can't think that they own this problem and that's been one of the for all the capability building at Cyber Command or within the National Guard we've also seen a resistance to alternative structures that might aid more capacity building So I'm going to open this up to the floor in a second but just before we do I want to touch on that talent point we have several examples of sort of the US military sort of cyber talent now doing this in the private sector here on the panel let alone in the audience and elsewhere firstly how do we make sure we're generating the right talent in the private sector in the military and second how do we make sure that it is deployed in the right place see that all of the talent doesn't get sucked out into the private sector or we're kind of trying to do things in the military that could be done better in the private sector maybe we ought to think about this structurally a little bit differently so we talk about talent moving from the military into the private sector so maybe the way to look at it is to say alright so is that such a bad thing and maybe we ought to look at the mission space right so you know Cyber Command has three missions as you know it defends it operates and defends the gig and it does some other full spectrum whatever the euphemism of the day is maybe on the defensive side we think about pushing a lot of that out of government and we think about sending that using the commercial sector to do much of that sort of blocking and tackling stuff which would now free up assets and resources to use against some of the other missions that Cyber Command might do so there's just a couple different ways I think that we might be able to look at this in a little asymmetrically that might actually be useful I agree I mean I think we've seen this already where the various military services are talking about outsourcing certain aspects of IT to like Amazon I think it makes a lot of sense there are expertise that has become commoditized that's scalable and the private sector has knowledge on how to do and I think we should think about the problem differently because there is a role for everybody and we just kind of have to play to those strengths when I think of workforce development specifically for the government I don't really push back on weight changes I'm a fairly fluffy guy after I got out and I still don't think anybody should welcome me back in uniform like this let's not change the military because we think cyber experts only come in one flavor it's just not true I would say there's a lot of adages actually that we cling to and a lot of cliches that we cling to but we just have to get it right all the time that's stupid and wrong the idea that we can't detect novel attacks so that's completely throwing away the idea of an investigation during a kill chain type of effect there's all these things that we cling to one of them that I constantly hear is well people are leaving the military because they get paid more in the private sector that's not why I left it's not why most of my peers left most of the folks that I see leaving leave because of mission culture a lack of mission and a lack of pay you know pick one or two but if you have all three you're going to lose your folks so when I'm in no way cynical if you cut me I still bleed red white and blue and coffee but if you look at the military today there's an over appreciation on capabilities and an under appreciation of people that sort of pendulum swing is going to force you to lose a lot of people there is consistently a focus on putting leadership as a skill I don't know who started that on terms of like well he's a pilot he should be in charge of cyber why he has no skills for cyber well he's a leader that doesn't make any sense to your folks that are trying to come off the ranks I wrote a paper years ago actually pushing back against Michael Daniel no offense to Michael Daniel when he came out and said well it's great that I had no technical capabilities that it kept me out of the weeds well you just de-incendivized everybody in that whole chain of people growing up we get a business degree instead of cyber skills because apparently that's what leadership looks like and we get to incentivize people differently I think that's the workforce challenge the military is going to have personnel and procurement system fix those and fix a lot of the challenges from pilots to cyber Jen you recruited a military for your current role how do you see the talent piece? Yeah on the leadership piece I don't know if that's unique to Air Force it's very interesting I had a different experience in the Army so we don't need to go into that detail but I think leadership is core to the importance of across the branch of the Army but to the point about the talent management piece just to pick up on one thing you said I don't necessarily think people are leaving and I'm not just talking about military and we can just choose to talk in national security agency because we both have some background in that but even civilians who are leaving for one reason or another they're not leaving for the money necessarily but the truth of the matter is the private sector does pay more money and so what I'm getting at in terms of how do we look at personnel policies of if somebody does go out and work in the private sector particularly in the critical infrastructure sector which I think is a good thing for the nation it's part of our economic security with respect to finance if we wanted them to come back in for one reason or another or to be able to move back and forth I think those are the types of things that we need to figure out how to crack the code on that and so but from a larger standpoint you know I spend probably 60 to 70 percent of my time on talent management my current job when you think about it negative percent unemployment for cybersecurity skills to me it comes down to sort of a little bit echoing what Rob just said about you know culture you didn't use that word but I think it is creating the right culture whether it be in the military or whether it be in the intelligence community or in the private sector so that people feel incentivized to solve really tough technical problems and let alone by good leadership to be able to do that and power to do it so that they can be take initiative and have their risks underwritten and be innovative and also I think what is really important and we don't have a ton of time to talk about this but is inclusion in diversity I think to get to your question Peter it start very young because getting to the elementary school whether it's you know the cyber civilian or cyber patrol or cyber peace corps cyber teach for America we need to be able to tap into a much larger portion across all of our across all of our kids to include young women because I think ultimately at the end of the day you know the data shows that more inclusive more diverse organizations are more efficient more productive more effective and so I spent a lot of my time figuring out how to make a more diverse organization there's a great new book written by General Dempsey and Ori Brafman called Radical Inclusion which actually talks about some of the things you said with the war of ideas you know it's John Adams says you know facts are stubborn things but facts don't really matter that much anymore it's all about the war for the narrative but the the contention of the book is we can win the war of the narrative if we develop a more inclusive culture Thank you I know other people have comments on that I'm going to open it up to the floor if you have a question please put your hands straight up and we'll take three questions as a group so let's start over here Good morning I'm Colonel Scott Heath from the United States Air Force we talked earlier about the ability or the lack of responses to any type of cyber attack do you think it's a matter or a challenge that it is becoming more difficult to ID the attack or whether it be a non-state or a private entity or is it more of a factor of risk because if you do get that wrong and you're able to ID what's the challenge if it doesn't turn out to be what we thought it was Thank you we'll group these questions just so we have a chance so gentlemen in the blue shirt Captain Robert Robinson U.S. Army I just had a question in particular everyone touched on either video manipulation or power grid and cyber security with financial but I didn't hear anything in specific about supply chain management or logistics and how like false requisition would be a big issue on a global scale Thank you and one other front here Hi Matt Ryan from the Council for Emerging National Security Affairs you talked about the potential for private sector to contribute to these problems but history has shown that private sector can't always impose the stick so you talked about carrots but there's not a stick Richard Clark used the comparison of an oil spill or an environmental disaster for how some of these vulnerabilities are being treated in the private sector isn't there a need for the government to step in and punish those who are needlessly creating vulnerabilities in this space So three questions one identification of attackers I guess attribution second supply chain cyber security and third the role of the government to sort of hold the private sector to account for vulnerabilities but also I guess to enable them to do other things jump in as you see fit So the question about attribution depends on who you talk to it's either very difficult or not so very difficult the response to that is whether or not there is risk it depends one of the things that I think we ought to think about though is not necessarily thinking about responding to a cyber event with another cyber event that we ought to think about responding to a cyber event by any means that we deem necessary which obviously gives you more attack service it gives you a more asymmetric approach and that's really I think what you're after part of the issue that you're raising though at least in my experience has been that a lot of the people that are trying to make decisions about the actions or the reactions something has happened to educate themselves and even the basic technology to understand exactly what it is that's happening to them, to their networks, to their infrastructure and I'm not talking about making computer scientists out of them I'm simply talking about actually having them come to the level where they can understand this I don't know what you do in the Air Force but if you're a pilot for example not every pilot that I know certainly I'm not is an aeronautical engineer yet we all have some basic understanding of aerodynamics and airplanes do the things that they do that level of understanding with regard to cyber in the world of cyber is something that I've seen to be sort of spotty I guess I'll take the supply chain question we need to reframe our thinking our supply chain is now a battlefield and it's a battlefield in at least two potential ways one is if you look at the scenarios whether it's Russia in Eastern Europe or China in the Pacific there's power in a direct defeat but there's also power in just simply slowing down our deployment enough to create a fata comply I seize territory X or I take action Y and the United States doesn't show up within the day it's delayed for a week or the like and going after our supply chain going after the civilian companies that our military depends on to deploy going after GPS not just to make the Navy ship think that it's in the wrong place but to make the package hit the wrong place changing the package so that instead of ammunition toilet paper arrives by the bar code all of that has an effect that could shift the battle and allow the other side to win simply by delaying the normal efficient workings of our supply chain the second idea of it being a battleground is hitting the supply chain during the design or manufacturing process that is creating flaws in the technology itself so we've seen stealing of intellectual property but you may also see the insertion of laws hardware so to speak so that those microchips that you bought on scale and then deployed into your weapons on scale what happens when they don't work the way that you planned and again what hits I think a theme of this is that battle the effect of it might happen two years from now but the the most important battle happened in phase zero that is the war might have been one or two years before the war ever began Jen, Rope I was really going to mention what Peter mentioned I talked about not petcha earlier which is a great example of a supply chain attack that had hundreds of millions of dollars of impact and rippled operationalized through MEDOC accounting software so couldn't agree more that that's another sort of major trend and we certainly look at from a vendor perspective that's as important as our weakest point frankly to your point about regulation and legislation and all that I would just comment if you look at some of the things that the SEC is doing to specifically hold corporations accountable potentially related to coming out of the Equifax the way that Equifax dealt with their breach I think they are looking to basically inflict or to I don't want to use it or inflict to sort of create greater incentives for the private sector to be able to be more active in terms of dealing with vulnerabilities and then also the GDPR which will go into effect in May has a real impact in terms of corporations and firms that operate outside the US in terms of how we deal with privacy and so another example of just how we're going to be how we're going to need to shift based on government norms so we're pretty much at the end of the time so I'm going to ask Rob to come in and just answer those three questions and then I'm going to put you on warning that I can down the row and ask each of the panelists for the one sentence view of what the US needs to do differently to be ready for the challenges the next decade this is obviously going to be much shorter so knowing the attacker not important at all for defense it's important for strategic purposes if I'm doing instant response or investigations that can actually hurt the baggage that comes with attribution and thinking differently in the network 99% of your instant response is before the attack happens it's all the preparatory work and the investigation is the capital that needs to be put in therefore under any model people showing up to site to fix it after the fact is always a losing strategy on the discussion of supply chain still not a use case for blockchain if we are going from identifying where it came from where it went you still use digital hashing the whole discussion is much broader than security of it I think they hit it very well with the supply chain aspect of our suppliers and being attacked by foreign governments I was actually very happy to see seven leading nations come out and do attribution on the not petty attack and talk about economic sanctions something different than a cyber attack back at them I do think that imposes great costs on the security of our supply chain that's where government has a role software downloading and hashing it to make sure it's validated any company can do that knowing that the Cisco router didn't get intercepted along the way before it went to your facility there's a really good role for government to be involved in that on the aspect of regulations make sure that you are setting a base standard it's hard to define what base looks like the idea though is to always make sure it's incentivized and community structure more so than punishment the moment you utter the word punishment and regulation you're gonna have better lobbyist on the other side so when it comes to regulation figure out what we need to set as a base and understand that any level of regulation can't regulate away future problems it can only help us be more defensible against the problems that we know about. Okay one sentence is what you are allowed what is the one thing we ought to do to prepare for the next decade Rob? It has to absolutely be focused on workforce development people are always going to be your best portion of this Jen. I'll be boring and say continue to invest in human capital because it's the most important thing that we can do. So the one thing that we don't do well is we don't teach critical thinking skills in this country and Marie and I were at a conference last week and a professor from Columbia had just done a study on fake news and where it was coming from right it was the target audience the biggest offenders were 65 years of age and older and they were getting their news through Facebook so critical thinking isn't something you just learn in school and then forget about it's something that you probably ought to remember as you get older but again I understand memory is not quite as good so maybe that's why it happened. What? Lightly tapping someone's wrist that has already been lightly slapped will not change the lesson that Russia and every other actor out there took that cyber attacks on the United States and its allies are incredibly low cost high gain. Thank you very much before I go I want to give a quick plug to pick up Jen's point about women in cyber security inclusion for New America's humans of cyber security blog we're very focused on this issue we'd like to give more visibility to that and date yet arranged but I want to invite you all to come to the event that I know we must organize between Rob Lee and our blockchain trust accelerator which will come up sometime in the next few months but for now I'd like to thank Rob Lee, Jen Eastley, Bob Schmidle and Peter Singer. Thank you very much.