 Good evening. I could ask everybody to take their seats. Thank you all for coming. I'm Andrew Schwartz, Senior Vice President, CSIS. Welcome to the CSIS Texas Christian University Sheeper Series in Public Policy and Journalism. We have a great panel tonight. Thank you all for coming out and braving the weather. It will be well worth it. And with that, I'd like to introduce my good friend, the great Bob Sheeper. Thank you all very much, and thank you so much for coming out tonight. We had more than 300 responses to this. And then, of course, it rained. And here in Washington, it's the first time it's ever rained, every time it rains. But I thought we'd have a very small, intimate group here. But we have a really good-sized crowd that came out on behalf of the Sheeper School of Journalism down at TCU. I had really wanted to have this panel to delve into the corruption and the illegality and the immorality of the bowl championship series. Because we should have been going to the sugar bowl. And we're not. There's no reason that we're not. But we're going to do, instead, we're going to do cybersecurity tonight. And we've got a great panel. Once again, this is our 32nd of these sessions. We've done 32 of them now. And that's spread over a period of years, because we do once a month. And I was thinking about this. The great lesson for me in holding these sessions is it's very sobering. Because I've come to understand how many things that I really don't know very much about. Because we did Turkey last time out. But that's the good thing about being the guy who asks the questions. You don't have to know very much. You surround yourself with experts. And we really have some tonight to talk about something that, I must say, I think there are a lot of people in this country who want to know more about cybersecurity and what this really means. Ellen Nakashima is the national security, one of the national security reporters at the Washington Post. Her recent writing is focused on issues relating to intelligence, technology, civil liberties. She previously served as an Asia correspondent for the Post from 2002 to 2006. She was based in Jakarta at the Post. She also covered the White House during the close of the Clinton administration and the 2000 presidential election. General James Cartwright has just retired as the number two man in the US military. He holds the Harold Brown Chair in Defense Policy Studies, served as commander of the US Strategic Command before being nominated and appointed as the eighth vice chairman of the Joint Chiefs of Staff, served the nation's second highest military officer across two presidential administrations and just retired in August. He retired from the Reed Corps after over 40 years of service. General, we're pleased to have you. James Lewis over here is a senior fellow and director of technology and public policy at CSIS, where he focuses on technology, national security, and the international economy. Most recently, he was the project director for the CSIS Commission on Cyber Security for the 44th presidency. And before joining CSIS, he worked in the federal government as a Foreign Service Officer and as a member of the senior executive service. So with those introductions, I want to just start off and which of you would just like to just give us a general overview? General, maybe you should do this. What is this whole business about cyber security? What's it about? How important is it? And what are we doing about it? We could do a PhD on this. Yeah, I'm doing so. In 30 seconds. In 30 seconds here. You know, the advent of the internet and the growth of it was really invented, which we don't have very many domains that were invented. It was built by people and put together. It was an outgrowth right after Sputnik, DARPA, one of the DOD agencies, along with Stanford Research Institute and UCLA, put it together. They did the first packet between Stanford and UCLA. It was supposed to say log on. They got the L and the O and then the buffer overflowed. We kept trying anyway. And it has grown. But what has really become important, I think, in this security aspect is that a lot of our commerce, the majority of our commerce now is done across that. The majority of our financial activities are done in this environment. The majority of all of our communications now have moved to this environment. It is not a fad. It is something that is going to persist. It has been monetized in a way that has invaded all of our lives. And any place you put that much resource and that much intellectual capital is a lucrative target for people who want to do bad things. And so this is something that will be with us. It is not something that will fade away in the future. It is likely to be with us. So, Jim, what is the biggest concern? What is the thing we ought to be worried about most? Well, the thing we ought to be worried about most now is espionage, economic espionage. There is a potential for attack. And that gets a lot of attention. It's more dramatic. But we're suffering significant losses. And it's hard to put an exact dollar figure on them. From foreign competitors who are borrowing our technology and our intellectual property, terrorism doesn't really frighten me that much. Someday we'll have to worry about it. And we don't know when that day will come. Crime, a problem. But the biggest problem is espionage. Now, Alan, you wrote a piece that caught my attention. You said those who attack us need to know what the price is that they'll pay for that. Talk a little about that. And I think, in fact, you're probably referring to a blog item in which I was quoting General Cartwright. And then we were talking a little bit about it. This is Washington and this is television. I'll be further down before Jim. Just jump in there and check credit. That's all right. It was part of me. I'm getting over a cult, I hope. I thought it was a motion. It was a little bit about the debate over how best to deter or dissuade would-be attackers from coming in and stealing our intellectual property or trying to take out power grid. And some are of the view that we are building powerful offensive tools and capabilities that we are not really talking about or demonstrating in any way. So I think General Cartwright might want to elaborate on this. Joe, well, just to follow up on that, Kermit the Frog came to town. I helped light the White House Christmas tree and I interviewed Kermit. What did he say? And Kermit said, he pointed out that while he said he decided to run for president, he'd actually have to hop for president. But he said that he did want to point out that he'd been in town only one day and the stock market had gone up. And I said to him, Kermit, you figured out, Washington, take advantage of whatever good things happen. And so there you go. General, there you go. But I wanted to ask the general, though, if you do do. You have said we have to have more than a defense. In other words, we have to have an offense. And I think it's a very interesting point to talk about that. Well, I mean, from a military perspective, really, to defend only means that the attacker attacks without penalty. If it didn't work this time, we'll just do it another time. We'll try another way, whatever. But there's no penalty for attacking. And generally, we break things down into those things that violate our laws, for which we use justice, the Homeland Security and whatnot, to protect us. And then those things that rise to the level that we would call aggression and war. And you try to keep those two as far apart as you can and as recognizable as you can. And then you're trying to understand how you can say to somebody, if you attack us, there's going to be a price. If there's no price, then the attack is free. And given all the resources that's out there, whether it be intellectual capital or money, you're going to just keep trying until you get it. So the question becomes, and what Ellen and I had talked about was that you don't necessarily need to say to somebody, I'm going to shoot you between the eyes, and therefore you shouldn't do this, but I am carrying a gun. And that changes the calculus of your adversary. And so what I think we want to do as a nation is to start to think about, not necessarily what are the tools, but the fact that we have tools, that we can respond in cyber. We have other tools, not cyber, that we could respond with. There should be a set of declaratory policies so that if a server in a country is providing an attack on us, that, one, we have the right to self-defense, but we should have a declaratory policy that says, State Department, please let that country know that this is happening. They may not know it. Have them stop it. If they elect not to stop it, then we ought to have the right to go neutralize that server. No other collateral damage just neutralize that server by some means. And then we'll talk about whether it was law enforcement or whether it ought to be an act of war or any of those types of activities. But the adversary has to know that there is a price to pay. Otherwise, they're not dissuaded by anything. So you're just talking about the policy we had at the height of the Cold War, nuclear deterrence. We told the Soviet Union, if you launch an attack on us, we will wipe you off the face of the Earth. And these are the weapons, the missiles, the submarine, and the bombers that we have to do it. Well, not only that, but to say that if an ICBM came off of your land, then you're responsible at the end of the day. And you would like to be able to say, first, here's an opportunity for you to do something about it, and then we'll discuss it later. Don't immediately attack, unless you feel like your life is threatened. But have at least everybody understanding that we acknowledge they may not know that attack is coming from their territory. So give them the chance to act first and then to follow up if we have to with offensive action. Do we have the capability at this point to do that? We do, we do, we do. Jim, last month, the US government report pointed the finger at Russia and China as the two major sources of cyber attacks. What do you think is the best way to engage other nations in a dialogue about this? Well, we're trying to engage both the Russians and the Chinese. And it's been a little difficult because they have different views about how this thing should work. And one of their favorite lines, of course, is information is a weapon and we need to change the laws of war to take that into account. Now, that's just silliness. I suppose you could hit somebody over the head with a rolled up newspaper, maybe that's what they had in mind, but we need to have probably discussions at several levels. We're gonna need to engage at the UN like it or not. We're gonna need to engage with like-minded partners in NATO and other places. We're gonna need to engage bilaterally with the Russians and the Chinese because they are the most significant opposite numbers in this conflict. And then finally, we're gonna have to think of some way maybe to engage, maybe it's the G20, maybe it's something else with the emerging powers, with the Indians and Brazils. That's a complex diplomatic situation, but that's what's in front of us. Ellen, right now, as I understand it, the responsibilities for cyber security are really spread all across the government. You've been covering this story a long time. Is that working or should the government be doing something it's not doing in the year? Well, they're making some efforts to try to coordinate a little better. One of the more notable examples is this memorandum of agreement that the Department of Homeland Security and the DOD signed in about a year ago that would allow DOD to assist DHS if requested in helping to protect, defend the homeland and the domestic critical systems. But just how that assistance would play out and what are the rules of the road that are still evolving and there are still a lot of questions as to if you've got a real emergency, is there enough time to have the president call DHS and have DHS call DOD and meanwhile, your tax are, you hit your system and brought something down. So those are some of the questions that are still being debated and worked out. But in that report you referred to, which was 2000, December of 2008, we described federal organization for cybersecurity at that point as a fleet of well-meaning bumper cars, meaning they turned the wheel and it's better. So it is better now, whether it's good enough, I'll defer to others, but, you know. So what, you're just out of the government, General. Of, how would you describe it right now? My sense is that we're starting to move towards more coherence. The intent is all there of doing the right thing. What you would probably not want to do is go invent a bunch of new laws for this. You'd like to stay current with the current construct. So today, DHS has a responsibility of defending the United States inside the United States. DOD defends the United States from outside the United States. Independent of the technical means of doing that, the question becomes if the attack inside the United States is at scale. In other words, the power grid or something large. How long do we have to wait to go through the process? There's two ways that DOD can defend the United States internally. Defense support to civil authorities, which is normally what you see for a hurricane or a natural disaster, et cetera. And then the Insurrection Act, which we would never see, hopefully, but basically martial law. And defense support to civil authorities takes days to put in place. That's not realistic in a cyber world. So we have to try to stay inside of that construct, but then figure out how we can be more responsive. One of the ways that we're working, which goes back to the earlier question, is to start to share the common awareness of what's happening. So DOD is not starting from a standing start. In other words, they're allowed to get ready if they see a threat coming. They're allowed to tell DHS, here's what's coming. Here's what you could do about it. And then the coordination work starts at the national level about when, what organization acts at that time. But stay inside the current constitutional approach to this and then start to work with other countries. We alluded to it here earlier, but if you can start in the intelligence community with the countries that were normally aligned with the UK and Canada and Australia and come to a common set of standards and a common picture of what's happening on the networks, expand that, as was said earlier, to NATO or other organizations. If you added NATO into those few countries, that's 95% of the traffic of the world crossing those countries. And now you're starting to see what's happening. Then you can say, okay, I'm gonna try to repel it, but it's coming, DHS warn the banks if that's what we think the target is. It's starting to happen in Europe. It may happen here. And start to get in a common awareness and through that awareness, then decide how to do it. What you'll find is that the laws in each of the countries treat these activities very differently. So while we can share a picture, we can't necessarily share action. And the sooner that we start to recognize that and recognize that what is it we need to do to ensure we can be successful, we'll adjust those laws to real values rather than to talk about this in the abstract and then try to make laws and then see if they work. Well, Jim, I mean, how would you assess this right now? Are we in better shape in dealing with a cyber attack than say we were before 9-11 in dealing with a terrorist threat? Delivered by a threat. I mean, if we have an attack, we'll be holding hearings and discovering some of the things we found after 9-11. Well, so I can't take the fifth, I guess that's out. But are we adequately prepared and the answer is no. The good news is nobody's really adequately prepared. We're starting to see some European countries get their act together. But while things are better and while DHS has improved and DOD has done some really good stuff, the defense industrial-based pilot and the ESF and there's a lot of good things you can point to in the last four years. We have strategies, but basically we're still about as vulnerable as you could be. What would you say as a reporter? I would say that even as we improve our defense, offense gets better and gets better at a faster rate and offense has the advantage. It's a truism in cyberspace and offense has the advantage. So we've just got to keep trying to build those alliances, build that common operating picture and boost those defenses. But at the same time, there's also debate about just how far out to go in offense and what role offensive capabilities should play even in perhaps some self-defense. One of the questions that we came up with in our research is the militarization of cyberspace just unavoidable. Would that be a bad thing for the United States? I'd like you all three to talk about that. I think that's militarization of cyberspace is kind of shorthand for DOD being any place in cyber and acting any place independent of the geographic location or the sovereignty issues, et cetera. And we don't wanna go there. I mean, we built this country on a freedom of speech constitution and we wanna preserve those values, not lose them because of a particular technology. So the question becomes, how do you instantiate those in these technologies in a way that not only the government feels like it can protect its interests but that the man on the street believes he's been protected and is appropriately has what we in law call volunteering us. In other words, he's had a choice. He can elect to be better protected or he can elect to be at higher risk, but it's his choice. And there are ways to technically do that, but we've gotta have a little probably a little more aggressive debate in the country about the threat. If your identity's been stolen, you believe this. If it's not been stolen, which is really the majority of the country, you're not sure that there's really a threat out there. And so we haven't done a good job of really talking about that and convincing people, which is good. But we're gonna have to work our way through that because you don't wanna wait so long that you put the country at risk, but you also don't wanna throw the baby out with a bathwater and freedom of speech and other types of things. But would you all like to add to that? I've never been to a country that didn't have some sort of domestic surveillance program. So everybody, maybe the Vatican or Vanuatu or someplace like that, everybody else does some sort of cyber espionage and the question is how hard is it for them to expand it? That's 100%, let's say. This summer we did a survey, we found about 35 countries that are developing military doctrine for cyber warfare. And we know that there's five or six, six or seven that are really good, right? So when people talk about, should we militarize cyberspace, it's too late. Well, the interesting thing about cyber is it is in a way the ultimate dual use tool. It's used both for fun and just personal to send a holiday greeting to Aunt Ethel and Glendler to send some bits and bytes that might take out a nuclear centrifuge or something. And so you've got the same bits and bytes that can be used both for peaceful purposes and for military purposes. And even within the more malicious side, you can't always tell whether those are for espionage or for sabotage. So in a sense it's almost triple use. And they ride on the same networks. You don't separate out the civilian really from the military in most cases. So that throws up all kinds of challenges for the policy makers who have to decide who's in charge of making sure that the harmful bytes and bits don't harm our computers and we let the peaceful innocent ones go. Because as civilians we don't want the spies and the military in our networks, but in the military we don't want anyone else missing in our networks. And if we're spies we don't want anyone else missing in our networks. So it's part of that debate. What would a cyber attack be like? You say, General, that unless you've lost your identity or had it stolen, you don't really know that's a threat. What could happen? I'm probably the wrong person to ask about this because I think too many people believe what they see on television. Well, I hope they believe so. Yeah. I know. But today the likelihood that a nation state or any actor is going to knock down the entire electrical grid of a country is of the United States. Let's say that is very remote. And that's probably two to five years off on that kind of an attack. It's a very difficult thing to do. It is not some 19-year-old sitting at a keyboard. So today an attack in cyber is probably more about confidence. In other words, a small bank that gets knocked down still undermines the confidence of people in banking. But it's not the entire banking grid that got knocked down. In the future it may be the entire banking grid but that's probably unrealistic for today. And so as we start to look towards that eventuality, I'll go back to your nuclear equivalency, a nuclear weapon could knock out the electrical grid in any city, cyber could knock it out in the entire country in milliseconds. And so that's the worry is that it could progress in that direction and that now you are really talking about an equivalency to a weapon of mass destruction and how do we handle that and what do we do about that? That assumes that we don't do anything between now and then to prevent that happening in how we build our grids and whatnot. So you have to be careful about these. I don't wanna be the sky's falling approach on this but you can see a direction in which this threat could move that would look pretty bad. Jim, what do you see? What would you think? What would be the most likely attack on the United States if somebody decided to launch one of these things? I was really disappointed to hear the movies aren't right. I mean that's kind of, we've ruined my night. But and I understand there's a couple in the work so it'll be interesting to see if they can resist the temptation to have flying cars and burning buildings. Because I don't think that's what we'll get, right? And a lot depends on who's doing the attacking and right now it's only nation states, they're unlikely to do it unless we get into some sort of shooting match with them and then they're gonna use it against command and control. They may think about critical infrastructure but that's a big, big step. So right now we have some period of time as General Cartwright said, before less restrained individuals get this capability. And if we use this period of time to build our defenses, that would be good. The normal American practice that will be to wait for the big crisis. Where are the Iranians on this? You know, they're trying hard and they talk a good game and eventually they'll get there. It's like they're nuclear, the interesting thing to me is that both the Iranians and the North Koreans are pursuing cyber and they're also pursuing nuclear and there's gotta be some link there. And they're probably a little further behind getting cyber attack capabilities than they are from getting a nuclear weapon. The China and Russia or the two that are the farthest along on that? Well, the usual list would include a couple other countries. That would be the US, the UK, Israel, maybe France. Yeah, right. I wanna go to the questions in the audience because I know we don't have some. But as you're thinking about a question here, I wanna go back to Jim and ask you since we're on the subject of Iran, does the drone coming down in Iran, did that have anything to do with cyber? And do you think in fact that the Iranians brought down that plane? No and no. I mean if they, there's a remote chance and this is all speculation so that means I can be unconstrained, right? You know, there's a remote chance that they bumped into it somehow and were able to bring it down but it was more likely some sort of technical glitch. You know it's a solar flare, who knows, right? And the thing crashed and they found it before we did. So I don't, they don't have the most advanced military capabilities in the world. Not that they aren't good at some other stuff. You don't think they could have shot it down? No, no. Or brought it down by some other means? Well I did, I did bring up the thought wave example before, which is, you know. Maybe I'm trying to get you to say that because I know. It's just as likely, it's just as likely that. I think what Jim said and I'll let you say he was quoted somewhere else as saying. That the Iranians hacking into the drone control system was about as likely as I had told us standing on a mountaintop and using thought waves and the more I thought about it, the more I'm in the thought wave camp. Because I don't know. All right, that's a question there. There we go, right here, okay, come on. John McGaffer. Yeah, come up to the mic, John. John McGaffer from CSIS. It's a great quote. With regard to the notion of cyber security and particularly in our private sector world but also in government, can you talk to us a bit about the considerations with foreign presence on our nets like the issue of Huawei, the Chinese company. How do you think about what's involved? How do you balance that off and keep ourselves on the right path in both prosperity and security? How do you think about that? What do you do about it? Who'd like to take that? Okay. I'll tell you how I think about it. It doesn't necessarily make it right. But generally when you're looking at presenting a threat in cyber, you're looking in about three different venues. There's direct entry type of something in, send it across the net to a target area. There is the wireless, so any aperture that's out there is vulnerable to being attacked. And then there is generally what is called jumping air gaps. But moving to something that has been isolated. So you take a thumb drive or some other vehicle. And in that also is the supply chain. So what you're talking about here is supervisory networks or things like that that are built by a foreign nation could have code implanted in them. And so when you think about how to defend against something like that, we've gone through the, we'll only buy America and we will have special foundries. None of that really ever works because these networks are too pervasive. And as soon as you build a proprietary network, for instance, inside of an F-22, as soon as you start replacing the parts on the flight line, you lose control of exactly what's going in and out from that kind of detailed standpoint. So generally what you try to do is you have equal number of vectors to protect against it. So if you believe that the network may be in fact compromised, then you have potentially a parallel network, an alternative network, a different operating system that could operate on the same network, a different set of code and encryption levels that you could put in place. But you never wanna come at it with a single approach. You wanna come at it with three or four different ways to come at it. So as we start to design systems as we go forward, whether they be supervisory networks or whether they be airplanes or power plants, you wanna start to think about what would I do about supply chain intervention? What would I do about somebody coming in with a thumb drive or somebody coming in across the wires logging in to pay their bill and then at the same time attacking the network? Those kinds of things. And you start to work your way through layers of defenses and layers of offenses to go against that to ensure that what you have is actually working. Parallel networks really tend to be one of the most effective tools. You got two or three networks and you have one of them that's giving you an anomaly. You can start to change that. We do encryption changes in every few seconds in cell phones and things like that. Doing that on a regular network makes it next to impossible to hack. It really makes it be a sophisticated actor to work at that level. So never one way of attacking it. Anybody else wanna answer that? Bill Marman with the European Institute. We've talked about billions of dollars worth of military and commercial property being stolen. These are things that have already happened not in the future. And if we have this deterrent capability, why aren't we using it? And what is it, what would be involved, for instance, in General's talking about taking out our server? How do you do that? Well, there's a little button on the back. OFF doesn't stand for on for flight. I mean, there are different techniques, obviously, for taking a system out and I won't go into weapons side of the equation, but the question here about deterrence is to try to make sure that you can distinguish between those things that would be an act of war and those things that are things that ought to be handled by law enforcement. That's kind of the first step. And it's very difficult and really becomes in the eyes of the beholder whether something is sabotage and espionage and war or whether it is somebody that is just acting in a way that's inappropriate and violating a local statute, a misdemeanor type activity. I would say to you, if another country shot down one of our airplanes were knocked it out of the sky, would that be an act of war? And most people would say, well, sure, but I don't recall any time going to war over something like that, P3 in China, drone in Iran, et cetera. I recall losing a ship to North Korea and the entire crew, that was not an act of war. So it's in the eyes of the beholder. What you wanna do is set up the defenses so that it as clear as possible to all who see it and recognize it that it went by, it walks like a dog and try to get to that. We haven't done that. It's very difficult right now in the networks because they haven't changed much in the last 20 years. So everybody kinda knows how they work. It's very difficult to distinguish the 19 year old hacker from the nation state until you really look at the sophistication internal of the technical side. So we've got to start to change that and the intent would be obviously to have some networks that are relatively simple and as configured today, not much encryption, et cetera. Some networks that are more highly encrypted and protected and then those networks that are not only encrypted, but as the gentleman was alluding to, they've got a different supply chain, they've got multiple redundancies, et cetera. And start to look at how we do this so that one, we're not inviting bad guys in. We've got a risk management strategy that everybody understands. So when somebody comes after your bank account, it's much different than their ability to come after your password for Google. And so we haven't done that. We haven't done that. Most of our threats internal, most of the things that we've lost capital or intellectual capital really have to do with hygiene, hygiene on the networks. It is not a sophisticated actor. It's our own hygiene that generally is the compromise. An actor may get in, but it's probably because you've let your protections expire, they're out of date, or you just do something silly, like have your own name as your password or something like that. And so a lot of this is hygiene activity. We're gonna have to work our way through that to understand the threats. Can I just add a little note here is, you know, I think there's some general agreement that economic espionage is not something done by a nation state. It's not something that, you know, the US government is really gonna take a nation to court over. And I mean, even if they could get attribution sufficient to pass muster in a court, General Alexander likes to talk about how even you have, let's say you have what you think is sufficient attribution, but you wanna confront another country and they ask you, well, oh, okay, so what is it that you say you saw? Why don't you show it to me? And I'll go see if I can find it in my networks. And basically, you know, then you give up some of your tactics, techniques and procedures. So there's else that gained loss equation in trying to confront a nation state. But recently the chairman of the House Intelligence Committee, Mike Rogers, he publicly called out China as one of the major actors of aggression and economic espionage and said they're waging a massive trade war on us all and called on US and like-minded states to band together and apply pressure, perhaps diplomatically or through economic sanctions. Now, you know, whether or not that will work, I leave it to experts better than me to say. Well, it does raise the question. Obviously security was not the first order of business when we started the internet, but looking forward, who now should set the rules on all this and who should enforce them? I'd just like to get all three of your opinions on that. One of the things we sort of dodged in the last question goes back to the issue of just how far can you push existing rules, existing laws, existing agreements into cyberspace? And I'm pretty sure the answer is off further than we've done now. So I was at a meeting a while ago where we had some US trade people there and one of them said, his opening remark in fact was, there's nothing we can do under the WTO. And I thought to myself, I didn't say it because he was an old guy and didn't wanna offend him. You know, the first words out of your mouth should not be I surrender, right? There are things we can do. And so take them, you know, you don't, this isn't the international agreements or not a court of law. And if we take an overly legalistic approach, we're gonna get whacked over the head, but we can go to the UN, we can go to the WTO, we can go to the offending country and say to them, how about if you cooperate in a joint investigation and then what they're gonna say is, you know, and at that point, you know you've got something useful. So we need to start using the existing rules to push back a lot harder. Should there be some sort of a move toward, or perhaps there already is, no first use of weapons in cyber space? You follow all the literature. Well, I just, I don't see how you could enforce that. I mean, first of all, how would you count, would you count pieces of malware? And you can't even tell what's malicious from what's, you know, innocuous. And then it, you know, I think Russia wanted a ban on certain types of offense of cyber and the United States has consistently said, no, we won't go that way. I just don't see that as a workable. It would be very difficult, but I think if we start with a law of armed conflict, that's a good place to start that everybody recognizes. So you're not going after hospitals. You're not gonna go after, you know, things like FAA, et cetera, that would cause, you know, bodily harm. That would be an act of war and looked at by the Hague and others as a violation. And then there's likely to be a set of principles out there that you're not, if we said we're not gonna go after power grids, you're still gonna protect them. You're not going to assume that that's a blanket. But by the same token saying that if you went after these kinds of targets, the bodily harm, the harm to people who are not necessarily who you're after would be affected in such a way as to be horrible. You might find a few classes of targets that people would agree beyond the law that are kind of off the table. And we haven't had that conversation, but the European and NATO are starting to look at a set of principles by which you could operate. And that's what we don't have right now as a set of principles, guiding principles to look at and say this is inappropriate by any human standard. Okay, back to the audience here, right there. Yes, sir. Colonel. Good afternoon, everyone. I'm Houston Cantwell from the National War College. So there are some very interesting trends occurring in cyberspace. If we would have had this conversation 15 years ago, it would have been a pretty short discussion on how to protect email. Because, you know, we didn't do a whole lot on the internet. Well, 15 years from now, you may say, well, every day, every year, the internet gets more and more personal. You know, 15 years ago, we had computer centers now, and then we moved to personal computers, and now we've got computers we carry around on our hips. Additionally, things like Facebook and Twitter have made the way people interact, very dependent on internet access. So as this trend continues, 15 years from now, who knows how human beings will depend on the internet to interact and save information on the cloud. What's the government's role going to be in the future as more and more people depend on this internet access? We'd like to tackle that. My sense is that one size won't fit all. In other words, government intervention in certain areas will be more and in other areas will be less, and as long as it is representative of how the people feel, you know, it'll have variability. If you look at some of the different ways that we have employed the government oversight, it's very intrusive in some cases, you thou shalt and the laws reflect that. In other cases, like for instance, banking. You know, there's been a lot of discussion about if you had a combination of civil and government, where the FDIC is an example, has some government oversight, but also has some authority, and you look at it and you say, because the sticker's on this bank, it means that I know that the standards that they're doing their cyber to are adhered to, they're audited, they're looked at by somebody, and therefore the likelihood of them being attacked versus the guy next door who has no sticker is different. So there's gonna be some combination of government strictly, government private, and then probably private only. In other words, my company and my intellectual capital has a certain worth to me, and I'm willing to put a certain amount of money against it to ensure that the protection's there. And I think you're gonna see all three. Next. All right. Thank you very much, Raghav Birgol, India, globe, and Asia today. I go back what Alan said that, I've been saying this for the last 10 years, that Chinese and Al Qaeda or terrorists based in Afghanistan and Pakistan will be challenged to the United States. And today we are facing the same problem after 10 years. Who is the most dangerous Chinese, Russians, or the terrorists based in Pakistan? And because they might get their hands on the small nuclear arms. Thank you. There's a good line here. I guess I worry more about the North Koreans because they're A, dedicated, and B, crazy. And so that makes them, you know, I mean, who would you think, like, gee, torpedo a frigate? Good idea or not, right? And they came to sort of a different conclusion. So they're the ones, Iran might fall into that category. They're the two I think are most likely to get the capability soon, and most likely to miscalculate what the cost of using it will be. Alan, what would you say? I also think that the question is, who has the, when will the actors with the capability and the motive, when will those merge? That's when we have to worry. I, you know, don't know what, if Al-Qaeda ever gets the means or in subcontract out and get a Stuxnet-like capability, then I would worry, but I'm not expert enough to know when that might happen. General. I think the two vectors that you have to worry about the most are, as the technology proliferates, then we've never, we have 100% batting average that we guess wrong on who. So, you know, you just kind of point at that. But when the technology starts to proliferate and you've got this attribute called anonymity, whether it be in bio or whether it be in cyber, when you put that together, as we make a transition between what the lethality of a nation-state today can do versus a group. When a group starts to equal a nation-state, that transition is gonna be a very dangerous time. Can I just say one thing quickly? We still don't have access today to AQ Khan, who had transport technology to all these countries, North Korea, Iran, Libya and so forth, so many countries in the Middle East. So where do we go from here now? Yeah. My sense, you know, is that we'll assume what we're going to assume about AQ Khan. The pedigree of his knowledge that was proliferated out there is starting to emerge in a lot of different places and you can see it. So now, knowing that it was AQ Khan is irrelevant really, you're more into how are we going to operate in a world where nuclear proliferation is actually on the ascendancy? Even though we are doing a lot of things to prevent it, that knowledge is just out there and it's gonna grow and it's gonna become more evident. I think there's a question, yeah, right here, yes, sir. Thank you, I'm Bruce McDonald with the United States Institute of Peace. And I wanted to ask about, throw out this idea that if you look at cyber, unlike in the nuclear case where you could use overhead satellites and all you could see what your enemy had, cyber, there's no overhead satellite or anything that could image, you know, electron or configurations in a network. And it would seem to me that has kind of a self-deterringing effect because you don't know what the other guy might have. But on the other hand, to me a fascinating dimension of cyberspace that I'd be interested in the panel's thoughts on this is what I would call even sort of going beyond espionage and what I call special operations. And to me the classic example of that would be the Stuxnet virus. It would seem to me that as long as you can keep, you know, we talk about, oh, we need better attribution. Well, that's fine for other people but attribution and some of our work is what we don't want. But it would seem like they would, there is potentially quite a future for cyber in what I would call special operations, very targeted, not big catastrophic economic attacks but where you have a very specific objective and you go in in a way and try to accomplish something that is limited but potentially very important. I wonder if our panelists have some thoughts about what I call special operations cyber. Go down the line. Bruce, is it true that the motto of the institutes of peace is peace is our profession? If you've been with someone in the organization, it doesn't matter. You know, one thing, yeah, it sounded vaguely familiar. One thing to bear in mind is that this is a difficult area to know the full range of capabilities because the part that isn't looked at, similar to satellites in some ways, is if you are collecting intelligence on a foreign opponent, you may have knowledge of their plans, intentions, and capabilities. And if you're really good at that, you have a higher chance of succeeding in attribution. And General Cartwright and I were at a meeting in August where a senior military official said that he had 100% ability to attribute. That was a bit high, I felt. But at the same time where you were at a meeting... That was at the bar. We were at a meeting in 2007 where another senior military official said it was more like one out of three. So that's like playing Russian roulette with a three-cylinder revolver, and that has a deterrent effect on the opponent. And what I think will happen over time is the ability to attribute will increase, and that will reshape some of how we do cybersecurity. You're referring to Stuxnet, which was a milestone in terms of the use of cyber as a strategic weapon. And it's clearly something that... I was at a conference on cyber and law of armed conflict in Berkeley recently. And the subject of Stuxnet came up and it was noted that Stuxnet was highly targeted, did not result in any civilian death or damage other than getting into some other computers, but you didn't shut them down or break them. And so I asked Michael Knott, former Assistant Secretary of Defense who did WMD as well. So in the end, was it a good tool if your objective is to slow down under mine Iran's nuclear weapons program? And basically said yes. So there is some, I think this is a very, it's a rich area for policy debate. It's just not one that's very easy to do because so much of it exists in the classified and covert one. General, let me just ask you, and obviously there are some things that are classified, but if push came to shove, what role, what might, what offensive action might the United States government employ in the defense of our cyber capability? If somebody attacked us, what... What kind of cyber would we use to... Yeah, what would we do? What are some of the things that we could do? What were the... If they came in, if something happened like this and somebody came in to brief the president on it and he said to you, General, so what are some of the things actually been said or doing? I don't know. But I think it's fair to say that in a limited case, in limited activities, there's a role for cyber that can be very discreet and very targeted and appropriate in its effect. Proportional, things like that. In general warfare, cyber today is probably of the class of a supporting arm. It's not going to be the main effect, but it will support other effects and enable them. And that's probably the sophistication that we have today. It's probably going to increase over time, but today it's really more in the venue of a supporting arm, like artillery or things like that. All right, well, yes, go ahead. That point gets lost a lot and it's an important one because a lot of times we try and cram the cyber issue into the nuclear mold and for that reason it doesn't, and several others, it doesn't really work. So it's a crucial point. All right, well, this has been very enlightening to me and I hope it has for you all. Thank you very much. On behalf of the CEO, thank you very much.