Shane Harris is a great friend, a great reporter, great author. I strongly urge you, if you don't have it already, to visit our book stand in the back here and buy two or three copies of this book, because this book is something that anybody who's interested in national security today should be reading. Shane and I wrote this book together over many lunches at the Palm. No, I'm just kidding. No, but the book is excellent, @War. And I know you came here to hear from Shane and not me, but I do want to say a couple words about my friend Shane Harris. Many of you know Shane as the Daily Beast's newest national security reporter. If you don't read the Daily Beast, you should now, because some of the best stuff on national security is coming from the pages of the Daily Beast and Shane Harris. Prior to being at the Daily Beast, Shane, of course, was at Foreign Policy, where we all followed him religiously in his work. I knew Shane even before that, though, when he was at Washingtonian and National Journal, and he's always worked on substantive issues in Washington in a way that both we can understand them and also understand the complexities. So Shane's always been, I don't like to say who all my favorite reporters are, but Shane has always been at the top, top, top of the list. And when I knew that this book, when I found out that this book was coming out so soon, I emailed him frantically over Thanksgiving because I was at home at my in-laws' in Cleveland downloading a book by a guy named Walter Isaacson who writes about technology occasionally. And it was great because all of a sudden, I'm getting ready to find Walter Isaacson's book, well, @War pops up out at me. And I thought two things. One, Shane's publisher is really good and I'm glad that they're promoting his book that well. And two, I better get on the horn quickly and be the person to get Shane to launch his book, his Washington book launch here at CSIS.
So without further ado, I'm honored and it's my pleasure and it's the pleasure of my colleagues at CSIS to welcome Shane Harris.
Thanks, Andrew. He wants you to buy two or three copies because he's getting a cut, in case you couldn't tell. Thank you very much for that introduction, my friend. It's very, very kind of you and it really is, it's a privilege and an honor to be here at CSIS talking about this book, in particular because CSIS has done, I think I don't have to tell you all here, but just for those of you who don't know, really tremendous groundbreaking work on cybersecurity and has some of the best minds and thinkers here under this roof on this topic, who for me as a journalist have been invaluable resources of analysis and insight. You'll even see some of them reflected on the pages of this book. So thank you to CSIS and to Andrew. Well, what I thought I would do tonight is talk a bit about the book and kind of give you a sense and a flavor of sort of the main arguments and the themes, but also try and tell you some of the stories that are in here. I mean, I tend to write in narrative style, and my goal as a journalist is to really use stories and clear language for unpacking and deciphering very complex topics, frequently about technology, and certainly cybersecurity is one of the more complex and opaque domains, not least because it's shrouded in so much secrecy, which maybe we can talk a bit about in the Q&A, of how I actually went about reporting a book like this. But obviously whenever you get into talk of technology, people's eyes can start to kind of roll back in their head, and it seems very distant and remote, but not so, I think, with cyber warfare and cyber security and cyber espionage, and certainly stories that have been coming to the fore even the past few months after the book came out, I think with the revelations about North Korea hacking Sony.
Now people are starting to understand what a really common event, frankly, a lot of these sort of acts of espionage and cyber aggression are. So with that sort of setting the stage, I mean, I would point to a couple of things that U.S. officials have said recently to try and reinforce the degree to which cybersecurity really has become sort of the dominant national security priority for the Obama administration and for our military intelligence officials. Admiral Mike Rogers, who runs the National Security Agency and is the head of something called Cyber Command, which is a fairly new military command, recently said in testimony that the threat of a major attack against U.S. infrastructure, that is, people hacking into the computers that control things like our power grid and our communication systems, was in his words not theoretical, that hacking attacks on U.S. networks were literally costing, his words, hundreds of billions of dollars each year and would have, quote, a truly significant, almost catastrophic failure if we don't take action. And he testified about this publicly before the Congress, not too long ago. The risk of a catastrophic cyber attack, particularly on infrastructure or the banking system, that would cause real damage and potentially even loss of life, has topped the intelligence community's list of global threats for the past two years. James Comey, the director of the FBI, who's been speaking a lot about the Sony hack lately, said the risk of cyber attacks and a rise in cyber-related crime to include espionage and financial fraud will be the most significant national security threat over the next decade. This is the director of the FBI, an organization that has been largely fixated on terrorism as the national priority, now saying cybersecurity is potentially even trumping that.
So how did we get to the point where our officials were making these dire public predictions and saying, you have to pay attention to this, the point where the President of the United States is coming out and publicly blaming North Korea for attacking against a U.S. company and then imposing sanctions, maybe even shutting the Internet off in North Korea? We're still not sure who did that. This book tries to get at that question of where this came from and what gave rise to it. And I start in the beginning with a story that I'll relate to you now that goes back to the summer of 2007. You have to imagine sort of at this period of, not so long ago, the idea of companies being hacked and foreign governments stealing secrets was still a fairly novel concept, even for people in the national security community. And there was a really telling anecdote that I use as the moment where the light bulbs and the alarm bells really start going off at the Pentagon about this in particular. So in the summer of 2007, senior defense officials called up several of the CEOs and their representatives from the major defense contractors in Washington. So we're talking about companies like Lockheed Martin, Northrop Grumman, Boeing, really sort of household names, the companies that really are the military industrial complex, if you like, and said, you need to come over right now for what was billed as a threat briefing. So you can imagine all these CEOs being brought together to the Pentagon, they're ushered into a secure facility, a SCIF, you know, leave your cell phones outside, you're gonna be hearing some really scary stuff. And they go in and they're given a presentation about how hackers, presumably in China, have actually penetrated a huge number of computer networks in the United States, gotten inside them, overrun them and are exfiltrating or stealing large amounts of data off those networks. Well, it turns out the networks are those of the CEOs' companies.
And that these hackers were actually after military technology and secrets, particularly about one of our major weapons programs, the Joint Strike Fighter program. So what they find out is that rather than go through the front door at the Pentagon or the Air Force, these hackers are making an end run and going and attacking the companies, the contractors, which have much lower security than the Pentagon has on its networks. So this comes as a revelation to many of these CEOs who, I think up to that point, really did not have much of a concept for how vulnerable they were and just how much data was being stolen. And as the meeting was described to me by one person who's familiar with it, a lot of these people went in with dark hair and when they came out, it had turned white. This was really scary stuff. So the Pentagon says to these folks, you are essentially the weak link in our security chain right now. We have a problem, you have a problem, therefore we have a problem. And the way that we're going to fix this is you are going to start to ramp up the security on your networks, but also you're going to start talking to us about the threats that you're seeing. You're going to tell each other what threats from hackers you're seeing. And moreover, we are going to start sharing classified intelligence with you about what we know about hackers and how they operate. A really extraordinary moment where the government is essentially saying to private enterprise, we're going to share with you the fruits of espionage to protect our stuff and by extension, your companies. It's a really dramatic partnership that takes hold in that moment. And I like this story because it kind of epitomizes what the current national approach to cybersecurity is. And it's really, in very broad strokes, all about trying to persuade companies which control the data, which control 85% of the network infrastructure in this country, to do a better job protecting themselves.
The government cannot go out and easily protect all infrastructure, all information, all companies in the United States, witness the fact that I think the NSA probably had some general idea about the threat that Sony was under. But probably the FBI and other agencies were powerless to step in and do much about that or chose not to. Rather, what the United States has done is to go out and say to companies, you are the essential part. We have to form a partnership here. And that is how we're going to collectively start to control and to protect what we know as cyberspace. That little meeting that started at the Pentagon that I talk about gave rise to a partnership known as the Defense Industrial Base Initiative, or the DIB, which many of you may be familiar with. And it started small and it's grown to about 100 companies today. And it sort of again epitomizes this approach of this public-private partnership, which is a term that gets often overused in Washington, but here it has real meaning. We're talking about sensitive and classified information moving between the government and private enterprise. This model has been expanded to the point that now the government is sharing what's known as threat signatures, or classified information about what we know about how countries are hacking, how groups are breaking into networks. The government is now sharing that with some internet service providers in the hopes that they will use that information to protect their customers and their consumers downstream. Big marquee tech companies, including Google for one, have formed partnerships and agreements with the government to share information about hackers. Google actually in 2010 was overrun itself by Chinese hackers that stole some of its intellectual property. It notified the State Department that it was going to go public with this.
And the day after it did that, it formed an agreement that is still classified with the National Security Agency that we know is sort of a kind of cyber threat early warning system where both sides are trying to inform each other and talk to each other about the threats that they're seeing. So defending cyberspace and also frankly attacking in cyberspace, which is what a lot of this book is about, has become a cooperative effort between government and the intelligence community and some of its partners in the technology industry. Some of them willing participants, some of them being legally compelled to do so. And this is what I'm really talking about when I get at the subtitle of the book, the military-internet complex. It's sort of this, and I'm hearkening back deliberately to President Eisenhower, both from the descriptive power of that, saying the military-industrial complex, and also the warnings that he was trying to issue about the enormous power that can be coalesced here. But that's what we're talking about here is these powerful military and intelligence forces on one side and big technology companies and the people running the backbone of the internet on the other, coming together for this kind of collective arrangement for defending all of us really in cyberspace. Now I mentioned that this happens, that it starts to gain energy around the end of 2007, which was sort of remarkable because for years people in the government had been warning about these threats after 9/11. Very quickly he started hearing from people like Richard Clarke, a name that may be familiar to many of you, who had been one of the few voices warning about al-Qaeda. Dick started jumping on the cyber thing very quickly after 9/11 saying, this is the other thing you need to be worried about. But it takes some time and I think part of the reason for that is, not to be unkind to President Bush, but he was not necessarily the most technologically savvy of chief executives that we've ever had.
He liked to say that he used the Google occasionally to look at satellite photos of his ranch in Texas. Not that his predecessor was any more technologically inclined. Bill Clinton, it's been reported, sent only one email during his entire time in the White House and of course he was there when cyberspace was almost more of a conceptual notion and it was still developing. So it's really when Barack Obama takes office that this whole sort of national defensive approach to cyber security really starts to gain steam, which is not surprising. I mean, Barack Obama was arguably the first, you might say, internet president. He deployed the internet to great effect for fundraising and campaign organizing. He was hacked while he was on the campaign trail. As was John McCain; spies believed to be again in China penetrated their campaign email systems and were trying to spy on them and get to know what they were doing. When he came in with his BlackBerry, which he famously had with him on the campaign trail, intelligence officials sort of had a freak out when he informed them that he wanted to keep it. And I was at a conference this past weekend where Mike Hayden, the former CIA director and NSA director, was talking about how they took this BlackBerry and sort of had to open it up to put in all of these new security features that it was gonna take to protect the commander-in-chief, and they were nervous about whether they should tell him how many foreign intelligence agencies they suspected might already have targeted him while he was the candidate. So Obama comes into office getting this, and CSIS played a role as well in preparing for him a big report on the state of cybersecurity for the 44th presidency. It does not take him long at all to really make this sort of the centerpiece of what his national security priorities are gonna be.
In 2009, in May 2009, he held an event in the East Room of the White House, which is really where you convene the really big heavies when you wanna unveil a major policy initiative. And he was there to unveil his comprehensive approach to national cybersecurity and to really make a statement, I think, almost more than anything. And he got up and did some really extraordinary things. One, he talked about the fact that he'd been hacked on the campaign, which had been reported, but now he was acknowledging it in a very public way. He also came up and said that the power grids in the United States and particularly the systems that control electrical power in this country had been probed by foreign hackers. He did not say who they were, but for a president to get up and say this, to say that our system is vulnerable and we know it because they're already inside, was extraordinary. For years, people have been reporting on this, people like me and others have been whispering about it as something that you dare not say it publicly that the Chinese or the Russians had found ways to get in and possibly turn out the lights. And here was the president of the United States saying this. And then he talked about the fact that in his words, the vast majority of our critical infrastructure in the United States is owned and operated by the private sector. And he said, we will collaborate with industry to find technology solutions that ensure our security and promote our prosperity. Now think about this, we're going back to this idea, this public-private partnership. The president of the United States coming up and saying there is an interest in collective security and prosperity and promoting and protecting cyberspace and that we're going to do this by partnering with industry. He declared that the internet was a, in his words, a strategic national asset and that it was time to protect it as such. 
So the president in this speech, and frankly, even like President Bush before him at the end of his term, is starting to describe cyberspace as a domain, as a battlefield, as something that requires government intervention and protection from foreign intruders and invaders. The military has now adopted this terminology and calls cyberspace the fifth domain of warfare after land, air, sea, and outer space. I think it's a maxim that we're all familiar with in Washington. If you want to get a sense of where the priorities are at any one time from a policy perspective, you follow the money. And if you look at the defense budget in particular, where the priorities for cybersecurity are massive, and it's really the only part of the defense budget that's growing with any consistency, it tells you a lot about how the military and the intelligence community is viewing this as a domain of warfare. So for 2014, just as a data point here, the government planned to spend more than $13 billion on cyber defense programs, mostly just to protect government computers and networks and to share intelligence with private industry. Now that doesn't account either for the offensive component, which I'll talk about in a bit. To put that $13 billion figure in perspective, in 2014, the government plans to spend $11.6 billion on direct efforts to combat climate change, which Obama once called the global threat of our time. So we're spending more just on cyber defense in this limited area than we are on direct effort to combat climate change. The 2012 Pentagon budget had the word cyber in it only 12 times. The 2014 budget had the word cyber 147 times. It's becoming a term of art that is so widely used in fact that the chief official in charge of cyber policy at the Pentagon recently joked that he's seeing a lot of requests coming across his desk with the words things like cyber tank and cyber airplane stamped on them. Because if you just mentioned the word cyber, they'll fund your project. 
So government officials have talked a lot lately about the ways that we're vulnerable and the ways that we're at risk. And this is all true. To be cynical, I suppose it has a way of drumming up support for new funding, and defense contractors are talking more about this a lot because we're not building missile systems as much as we used to and you've got to pay the rent somehow. But this leaves out a whole separate part of the discussion, which is to my mind really the more fascinating and interesting one and hard to get at, which is the offensive component of cyberspace and treating cyber as a battlefield, as a domain. I tell a story in the book that I think starts to get at how we're integrating cyber warfare into traditional warfare and frankly shows the ways that we have become really, really good at it and how it's really being used, I think, to great effect to change the tide of not only how we fight but the outcome of some of our most important battles. This also goes back to 2007 and the war in Iraq. We'll all recall that at that time President Bush ordered tens of thousands of additional combat troops to Iraq as part of what was called the surge, and the goal here was to essentially stop Iraq from spiraling into a civil war and to put down the insurgency that was gaining tremendous momentum there through the use of suicide bombs and IEDs and really threatening to just undo everything that we had tried to accomplish in the previous four years. It was a very do or die kind of moment and we were there of course battling al-Qaeda in Iraq, which we all know now today as ISIS, which we're having trouble with again. So the other component of this, the lesser known, the secret component that was not talked about in national speeches, was a cyber warfare component.
Intelligence officials persuaded President Bush that now was the time to unleash the capabilities of the National Security Agency, which is home to our elite, best offensive cyber warriors, our best hackers, and the idea here was to completely take control of the communication systems in Iraq for intelligence purposes. So what does that mean? The NSA built a program, built a technological infrastructure if you like, that was able to intercept every phone call, every email, every text message, every electronic or digital communication in Iraq at the time, essentially to own the network of that country. And what did it do with all this information? Well, it turns out that if you have access to the data on who is calling who, how long they're talking, the frequency of those calls, you can start to build a very illustrative and detailed map of who matters in a particular organization, who are the bosses, who are the foot soldiers, who are the intermediaries, who are the couriers. With that information, cyber warriors from the NSA teaming up with ground combat forces and our elite special operators were able to start mapping out the insurgency, the networks of suicide bombers, of roadside bombers, who their foot soldiers were or who was financing them in foreign countries. All from looking at this technological, what you would call metadata. I write in the book about a, at the time, young Army lieutenant, a guy named Bob Stasio, who had studied physics when he was in college and got recruited into the Army through ROTC and joined the intelligence program. And Bob was one of these guys who deployed to Iraq and started mining and crunching the data that was available to them in the country.
He was a big fan of the HBO series The Wire, which some of you may have watched before, and there's a character in The Wire who is this sort of old grizzled police detective who decides that rather than going out and walking the beat and trying to find out who the drug dealers are in Baltimore, he's gonna start crunching their phone records. He's gonna start mining all of the records and the burners, the cell phones they throw away, and start building a network. Bob Stasio kind of wanted to be that guy from The Wire and he was, and he was really part of a vanguard of what I think are legitimately called cyber warriors who were going out, taking this intelligence and then handing it off to combat forces on the ground who would then go out and for the most part arrest these people and in some cases finish them off. These guys did some other really remarkable things too. They found ways to penetrate the cell phone networks so that they could send fake text messages to insurgents posing as people they knew and then lure them into traps. They penetrated chat rooms and websites and implanted spyware such that unwitting terrorists would be on these boards thinking they were talking to each other but really downloading programs that sent all their information back to the NSA. This was really extraordinary intelligence gathering on a national scale in practically real time that was feeding information from these cyber networks to people on the ground who then went and followed up with the information, and it has been credited by no less frankly than David Petraeus for being the primary driver for what helped turn the tide of the war and was the reason that the surge succeeded. Petraeus actually said, I'll quote him, that this intelligence-driven warfare was, quote, a prime reason for the significant progress made by U.S. troops in the surge and, in his words, directly enabled the removal of almost 4,000 insurgents from the battlefield.
I go into great detail about this in the book but I think it's safe to say that the sort of hidden secret weapon that helped turn the tide of the war in Iraq was a cyber war. Iraq changed the way that the NSA spied and the way the United States is fighting wars, and what we see now today is that cyber is kind of taking its place alongside conventional warfare. It's no longer this domain of the geeks or something we should have shunted off to the side. The military is trying to integrate this into the way that we fight future battles and so are our adversaries as well. The North Koreans actually gave us, I think, a fairly good indication of the value that they're placing on cyber offense with the Sony hack. But there's some cautionary aspects to this advance. I think in its zeal to dominate cyberspace the government, in partnership with corporations, is actually doing a lot of things that are making us all more vulnerable in cyberspace, which is exactly the opposite of what they want to be doing. So I'll talk about two examples here. One involves the use of encryption, which, if you're not familiar with encryption, basically what we're talking about here is just a way of scrambling your data when you send it over the internet to make sure that it can only be viewed by the person for whom it's intended. And encryption is great for privacy, it's great for securing your banking transactions. It's also really good if you're a money launderer or a drug dealer or a terrorist and you want to make sure that the FBI or the NSA can't read what you're writing. Well, understandably the intelligence community and particularly the NSA wants to be able to unencrypt as much data as it can. It's a code breaking agency. But in the process of doing that we know now from some of the Snowden revelations there have been occasions where the agency has fundamentally, and you could argue whether this is deliberate. Some people have argued that it's not.
We can get into that more in the Q&A, but intentionally inserted elements into encryption standards that are widely used by the public that fundamentally weaken them in such a way that the NSA would be able to decrypt that information if it intercepted that. And the NSA has been known on at least one occasion to have promoted the adoption of a particular encryption algorithm that people in the agency knew had been weakened and did not say anything about that at the time. When you, this is sort of the equivalent of the government telling everyone in the public to go out and buy a particular kind of door lock and to put it on the front of your house because we've reviewed it. It's a really great door lock. It'll keep all the bad guys out, except we're not telling you that we have a key to unlock the door. Oh, and by the way, it's not a particularly well hidden key. A really devious burglar could probably figure out how to build one himself. That happened with encryption and I think it's something that the agency probably regrets having done and that we know now about because of the Snowden revelations, but here again an example of, in trying to treat cyberspace like a battlefield and prepare that battlefield to fight, you're lowering the defenses for the rest of us. Another area is the agency's practice of going out and accumulating what are known as zero day exploits. And for those of you who don't know, basically this is the building blocks of a cyber weapon, you could call it. Technology that we use every day, whether it's on your phone, your computer, is full of software, your operating system is full of lines of code which may contain vulnerabilities, may contain weaknesses, and a good hacker will be able to find out where the weakness is that the manufacturer has not discovered yet and build what's known as an exploit to go after that. That sort of chink in the armor, a way into the system that no one has discovered.
It's called a zero day because there are zero days to defend against it. Well, the NSA is the biggest acquirer of this information. It finds them through its own research. It pays for it from security researchers, also known as hackers, on a sort of online gray market. It has contracts with defense contractors to go out and acquire this information and it needs that to have the building blocks of its offensive cyber mission. Well, arguably, if you are in the business of trying to defend cyberspace, which the NSA says publicly that it is, you might think that you should disclose those vulnerabilities rather than hoard them. And this has actually become a very big policy debate in Washington right now. Should our intelligence agency, our biggest intelligence agency, be more in the business of hoarding this information or disclosing it? And how do you strike that balance and how do you know when you've got that right? The president was actually given a recommendation by a panel of advisors that he convened after the Snowden leaks to say how could we change intelligence gathering? How could we change our cyber posture? And one of the things that they recommended he consider doing was essentially to split this offensive and defensive mission within the NSA so that it didn't face this policy conundrum of how do we know when to disclose information about weaknesses in our networks versus when do we hide them? He didn't take their advice. So we are still sort of, I think, going down the path, generally speaking, with offense sort of taking the lead ahead of defense. All of this that I'm describing, including the decisions that we make, the operations in Iraq, all of this has basically happened with no public debate. This conjunction of a huge war fighting machine with a growing technology industry is, I think, as President Eisenhower described the military-industrial complex of a previous generation, new in the American experience.
And it's changing fundamentally how we all use the internet. Cyberspace, I argue, is too vast, and it's too pervasive and too important to how we live to allow a single entity to govern it or to dictate the norms of behavior. And I argue that this authority should not be vested inside an intelligence agency or solely within the military, and it certainly shouldn't be shrouded in as much secrecy as it has been for many years. There's no neat way to define cyberspace, and I don't arrive at a conclusion for that in the book. It's not a commons, but it's also not private. We've come to depend upon it like a public utility, as we do electricity and we do water, but it's still mostly a collection of privately-owned devices when you really come down to it. Yet cyberspace is undeniably a collective, which is why I think it's incumbent upon everyone who touches it, all of us, to take a stake in how we treat it and, to harken back to President Eisenhower, to find what he called in his farewell speech, quote, essential agreement on issues of great moment, the wise resolution of which will better shape the future of the nation. So thank you for listening, and I'll be happy to take your questions. I think we'll have some microphones circulating, but you can go ahead and let us know who you are and your affiliation, and I'll be happy to open the discussion. Yes, right here. If you want, I know that they might be for the other live stream, it might make it easier. All right. Okay.
Okay, my name is Andre Silverzo, and I'm a director for Vietnam Southeast Asia and Washington, D.C. for the Interstate Traveller Company in Detroit. Now, my question is, she has a wonderful presentation.
Thank you.
But my question is this, do you mention Snowden and how he came to get what he did, what he did?
Now, my belief is, and I don't want to, if I'm technically right or not, according to your knowledge, my belief is that he subjected the United States to a greatly increased danger of a successful attack on the United States by making it, well, for example, made it easier for our worst enemies to conceal themselves because they're so much more alerted about our capabilities. And that was the point that Hayden made, and I just, based on what I know, much less than you, I agree with it. The question is more important, do you agree with that? Look, it's hard to imagine that in the volume of information that Snowden disclosed that there were not some operational clues and maybe even more than clues that were given away to our adversaries. And I think if you took a poll of people in the intelligence community about how they feel about Snowden, it would be somewhere between traitor and worse. And we should emphasize that we're taking a lot of cues into how bad the damage was from people in the intelligence community who obviously have a very vested interest in describing it as dire and awful. The truth is that capabilities are revealed all the time in lots of ways. There were a lot of capabilities potentially revealed in this way all at once. So the answer, not to try and back out of this, but I cannot tell you how much more at risk we are because of those disclosures, although I assume that there was a level of operational detail disclosed. Now, one data point that I can sort of look at that tends to make me think that maybe the damage was not as severe as some would paint it out to be. If you look at what's going on right now with our campaign against ISIS, remember ISIS is the next generation of Al-Qaeda in Iraq and Al-Qaeda in Iraq is the group that we basically disassembled and destroyed using very powerful intelligence collection methods. Those are not working as well right now against ISIS. 
And the reason for that, according to US officials, is they are very good about staying off the phones. They are very good about stripping out any information about their location when they send a tweet or they upload a video on YouTube. They are using technology that erases instant messages soon after they've been sent. I don't think that they needed to read the Snowden files to figure out the age that we live in now that your communications can be intercepted and monitored. And I think that this generation of fighters is probably savvier than the ones that went before them and maybe went to school, frankly, on what happened to the guys who came before them. So all that's kind of a roundabout way of saying that your adversary is always going to get ahead of your capabilities. And I think that's what's happened here as well. And I don't think that we can fully blame that on the Snowden disclosures. Yes, over here in the corner. And I'll come back to you, ma'am. Okay. Thank you for your presentation, which is very wonderful. I'm a research fellow from Taiwan at CSIS. I have two questions. The first one is, when we see cyberspace as a battleground as you mentioned earlier, how can we identify the boundary between a rear line and a front line? That's the first question. The second question is, it is arguable that when we see in the physical world, we have three major conflicts. The first one is, I would say, crime in society. And the second one is terrorism in the world. And the third one is war. But that will be dealt with in different actors. For instance, like war is dealt with by military soldiers and the countries. But in cyberspace, when these three major conflicts have been combined together in cyberspace as a cyber terrorism, cyber crime, cyber war, how can we identify different actors who is responsible for dealing with these three different matters? Thank you. Yeah. So the question of, where is the front line and where is behind the front line? 
And the front line could be anywhere. And the front line could be on Sony's networks. The front line could be in a defense contractor's network. And that's one of the more sort of confounding aspects of this, particularly when you're talking about trying to come up with, well, what are the rules of cyber war? Who is a combatant? Where is the front? And that's been a really confounding issue. And I think is sort of one of the dimensions of this that maybe we should be, I think that probably people in the military are trying less to solve more than just sort of live within that ambiguity. On the question of how do you distinguish, I guess, war from crime, from terrorism, it's something that's really important in cyber. And I was conscious of the fact that when I'm using the word war in a book about cyber, there are lots of people who will look at this and say most of the things, the bad things that are going on in cyberspace certainly do not constitute an act of war. And I would agree with that. And I think it's important that we sort of make these distinctions. I think President Obama tried to do that in describing the Sony hack as an act of, I think he used the word cyber vandalism, which is sort of now kind of like we're parsing the language even more. But that's probably ultimately to the good that we'd be more specific. In terms of holding people to account, I'll just say two things. From a legal perspective it's extremely difficult. The Justice Department recently indicted five Chinese military officials for a hacking campaign against US companies. It's the tip of the iceberg and these men will never see the inside of a courtroom. It's a largely symbolic act. But what this does point to is the fact that the US government has gotten very good at finding out who is behind these attacks. We'll often hear in cybersecurity people saying things like the attribution problem. 
Well, how can we know for sure that this hacker was in China or was in North Korea or was in Russia or wherever he or she may be? And I write a lot about this in detail in the book. The government is a lot better than they might lead you to believe at finding out who those people are. And we saw a piece of that frankly with the Sony hack when the FBI came out. The FBI director came out and said, I am confident about very few things in life and I am very confident that North Korea is behind the Sony hack. We know that, not to give away too much of what's in the book, because we are inside North Korea's networks and because we are spying on them and we can see what they're doing. And we built up a great reservoir of intelligence and information about what our adversaries are doing. The bigger, harder question is what do we do about it? Yes ma'am, you had your hand up in the back so I'm gonna go to you. You wanna take the mic? Yeah. With NSA. Sorry, wants to. Okay, Rand Paul wants to do away with NSA. How do you feel about that? I'm not sure that he said he wanted to do away with it but I'll take your word for it. I know he's got very strong opinions on it. Now look, I argue in the book, it's always sort of daunting when as a journalist who is not supposed to take policy positions, you start to write a book and suddenly your editors force you to sort of opine and say well what do you think we should do about this? I think there's a lot of wisdom in the suggestion that the president's advisors made in the post-Snowden panel for looking at how do you clarify or maybe even to some degree break up NSA's mission. We can't not have a national security agency. I mean it would be foolish to do that I think. But you have this problem where an agency is on the one hand tasked with breaking into computer networks, offense, and trying to protect computer networks, defense. And sometimes as I talked about earlier, those two missions come into direct conflict with each other. 
I think we can do a better job of sorting out when those conflicts happen, how they get decided in the best interest of US national security. And I'm not frankly sure that they are. But I just don't detect any real appetite frankly right now in this administration for asking those questions and for changing much of anything that may come in the next administration. It will certainly be forced when we have to start making harder decisions about when we attack versus when we defend and how we respond to aggressive acts. We're at the very beginning of this discussion and debate and it's going to get forced when more of these attacks like the Sony attack frankly become publicly known. Yes, yes sir. John Kelly from the National Defense University. I guess the question I have is within the architecture of the intelligence community and the people who are listening and performing all of these operations that you're talking about. Is there a way to create an ombudsman or someone who could listen and where would you see that, listen to what the abuses are and where would you see that placed within the architecture of the intelligence community? Yeah, I think it's a great idea. There's legislation pending before Congress and I'll just sort of start getting at this idea with some reforms to the way the Foreign Intelligence Surveillance Court operates which is the one that of course authorizes foreign intelligence gathering. But that doesn't get you at the question of the broader pictures of cyber warfare and conflict. Ultimately, I think this is a decision, these policy decisions that rest in the White House. And I think there's a, you probably could put a lot of those functions within the National Security Advisor. 
I mean, to the extent that that individual is supposed to be a gatekeeper and supposed to the President and also supposed to manage all these different equities of national security, it seems to me that would be a logical place to put somebody who has to sort of watch over it and make decisions about what the priorities are. Now, in terms of an independent ombudsman and oversight, you know, boy, would I like to see inspectors general at all of the intelligence agencies given a lot more teeth. That's probably not a likely outcome. But I think that you could put a lot more authority in the National Security Advisor to sort of draw the rules of the road a bit more. But these are decisions that the President is going to have to make and we'll be confronting more and more. I'm gonna go over here, yeah. Hi, Melissa from Ditcha. You've spoken very forcefully about how this is an attack and this is a new domain. You have the President and it's coming out saying this is cyber vandalism. There seems to be a disconnect between the two narratives that are being put forth. Is this the next domain of warfare or is this vandalism? And why would they choose to downplay it and not really confront it as great a threat as it's being made out to be? I think there's a lot we still don't know about why the administration responded the way it did. And there's a lot that is confusing about it to my mind. So on the one hand, he's calling it vandalism, but we're imposing economic sanctions on them. The FBI is responding to this, not just as an act of, a criminal act, but as an intelligence gathering operation. It's been described as destructive. Well, what exactly did they destroy? What I know from talking to people who are close to the investigation is that the initial sort of panic, that's too strong a word, but the conundrum that the White House faced was not can we attribute the attack to North Korea? And I don't think it was, because they knew that. 
And I don't even think it was, well, what exactly was the damage that they did? It was what should the policy be on responding to things like this, particularly when they become publicly known? And I think that if the attack had caused some physical damage, rather than attacking Sony, they had attacked a power station in California. If you look at the existing sort of documentation on this and the writings that have been coming out of DOD for a number of years, I think they would view that as an act of war. That would be a kinetic act, as the military calls it. And you would see a very different response. In fact, an attack on critical infrastructure in the United States is something that the military has said they would recommend to the president that he has the option of responding in cyber, or not in cyberspace, to that kind of act. But the Sony attack, to me it's confounding because if it's vandalism, then why did it require a national response and why did it get elevated to that level? And I think, frankly, we're sort of seeing people improvise here a little bit. And I certainly don't think that it's completely coherent, but the next time maybe it will be a little more coherent, one hopes. I'm gonna come over here, yes sir. Just to continue speculating on the same lines, if the North Koreans did attack Sony, and if it was an act of war, we signed the North Atlantic Treaty. If we are attacked, there are a lot of other countries that are required to now defend us. I wonder if that enters into the calculus. And I wonder if it would enter into the calculus in a different way if the attack were on a critical infrastructure, say the financial, but not kinetic. Yeah, to your second question, I think, yes it probably would. And there's a very telling moment, and I write about this in the book, in 2007 when President Bush is meeting with his National Security Council. 
And the director of national intelligence at the time, Mike McConnell, who used to run the NSA, says, if the hackers on 9-11, rather than flying planes into buildings, had broken into the networks of a major bank or a financial exchange, and corrupted the data, erased it, manipulated it in such a way that the institution could no longer have confidence in its accuracy, and transactions could no longer be processed, you would have a ripple effect, and a panic, essentially, would be ignited. And he said, the economic consequences of that event would be worse than the economic consequences of the physical attack. And Bush is sort of incredulous about this, and he turns to Henry Paulson, his Treasury Secretary at the time, who of course used to be the CEO of Goldman Sachs, and says, Hank, is this true? And he says, not only is it true, but when I was running Goldman, this was the thing that kept me up at night. And it's this sort of light bulb that goes off in Bush's mind, that compels him to start taking cybersecurity seriously. And he says that he'll launch a Manhattan project if he has to, to solve the problem. So yes, you can have an attack or an event that does not have a quote unquote kinetic outcome, but would nevertheless, I think, be seen by any president as something tantamount to an act of war that would necessitate a response, certainly justify it. The first part of your question was, remind me, treaty obligations. So NATO has now incorporated cyber attack into the treaty structure, such that a cyber attack on a member state can trigger the collective response. The question is, what's an attack? And then we were talking about this with some folks earlier before the reception. That to me almost seems like a question that maybe is a little scary to answer. And probably we're gonna maybe not try to answer in advance because it gives you the flexibility to say, well, maybe this is an attack and maybe it's not. 
And I think frankly it's one reason why in the Sony case, President Obama was, I think, deliberately not using the word attack. And I'm fairly sure if you go back and look at it, he didn't use the word attack and he certainly didn't use the word act of war. So there's an instinct to kind of de-escalate this, I think rhetorically, because the rhetoric has real consequences. Yes, ma'am. Oh, here it comes. It's okay. Victoria Feinberg, I retired from the Department of Defense and as a former DOD employee, I'm curious, how did you deal with the classified information? Without classified information, your book would lose a lot of interesting stuff. On the other hand, by revealing it, you probably faced some challenges. Yeah. Well, there is a surprising amount of information in the public record. It's one of the things that I was sort of struck by as I really got into the research. There are a number of speeches, there are a number of papers that have been put out, and again, largely by the DOD and largely by the military, where they lay out in pretty exceptional detail a lot of the thinking, a lot of the policies that's being formulated, a lot of the structure of what our cyber forces look like right now, and I write about that in the book. But to a large extent, I did rely on people who were the operators, people who were in Iraq, people who worked on operations in Libya, where we did some of these kinds of things. And we've kind of worked on the trenches of that. And that is where I think just sort of classic shoe leather reporting comes in and relying on sources and being people that you can corroborate their information and also sources that I have to treat confidentially. I write about this in the beginning. My editor actually was insistent that because there were so many anonymous sources in the book, he said, you need to put a note at the front of the book explaining why there are so many anonymous sources in your book. 
And I think it needs to be said too that this is a very risky time for people to be talking to journalists. I remember as a former CIA employee who was just convicted yesterday after a very long court battle of leaking to a prominent journalist here in Washington. And I definitely see it in people I talk to that they are much more reluctant to talk to journalists. Oddly enough, the Snowden leaks have caused some more senior officials to be a lot more candid because they sort of feel the need to defend themselves. But it's a real challenge. And I think that in national security reporting, as some people in this room know well, we have to be able to rely on our pledges of confidentiality to our sources. And it's always my preference to be able to name people and give you a sense of who they are and why they know what they do. And even when I can't identify them by name in the book, I try and give you a sense of why you should take what they're saying seriously. Yes, sir, all the way in the back. Now I'll go to you next. So go ahead, yes, go ahead. Thanks. I study the future of transportation energy and I'm wondering how this affects the practicality of self-driving cars and also the internet of things, which is supposed to coordinate consumer products in the future. Yeah, I think it bears directly on the security of the internet of things. I mean, you know, it's interesting. That phrase has taken on a lot of currency among defense contractors. And we're just sort of now kind of getting going. That's gonna, you know, driverless cars and your thermostat and your refrigerator hooked up to the internet and your phone. This is kind of what we mean by internet of things and consumers are starting to get a sense of that. But, you know, large DOD contractors, they've been talking about it for quite some time. 
And what they're sort of on the one hand, scaring them, but also is creating a business is every time you add something like this to the network, you've just increased, you know, the multiple points that you can attack and the interdependencies of those technologies are profound. You know, it's the GPS system that controls the car. It's the industrial control system that controls the generator at the power station. So, yeah, I mean, it's a hell of a problem. And I mean, but what I find so sort of, you know, I guess the ultimate truth about this is we're not going to pull the emergency brake on that, right? We're not going to stop adding things to the internet. We're not going to decrease our dependency on cyber space. It's only going to go up. You know, the book is sort of, I'll say it's not short on policy solutions, but it's sort of more like imagining how you might create a safer and more secure internet, which I won't go into here, but you know, it's almost more in the realm of speculation because I think we're not doing a great job, frankly, of securing that internet of things. And we were kind of short on good ideas for how to do that right now. So I'm going all the way to the back because you had your hand up right behind you, ma'am. Nope, right there. There you go. Thanks for joining us. Andrew is extraordinary, so I really appreciate him having you here tonight. Could you look at the degree to which Saudi Aramco and excuse me, the Georgia crisis really put US intelligence and the military in sort of a come-to-Jesus moment? Yeah, yeah, so the Georgia incident is when the Russians used offensive cyber against Georgia in their military campaign. That was certainly a moment where I think people in the US military said, aha, these two things are going to be combined. The kinetic and the cyber are going to start going together. But it was not the first time that it ever happened. I mean, in the Balkans campaign, we had some cyber elements. 
We were getting into the air traffic control and air defense systems there in Serbia and sort of faking out their radars and making them think that planes were coming from one direction when they were coming from another. Sort of classic sort of deception techniques and information techniques. But certainly what happened in Georgia kind of elevated this to a degree. And Saudi Aramco is another sort of one of those data points that people like to look at and say, this was an event where hackers got into a Saudi Arabian oil company and wiped off the data on about 30,000 computers and just caused tremendous amount of damage institutionally to the organization. And sort of analogous to what happened with Sony where data was wiped off. That was another one that I think US officials like to point to. You know, the benefit of things, of bad things happening in the world is you get to hold them up and kind of scare people with them. But in this case, it was certainly pointing to real bad things that could happen and that were likely to happen. What I think is interesting about something like the Georgia case is why are we so fascinated by that? Well, we're doing it too. We love to come out and talk about all the ways that people are doing awful and nefarious things to us and they are, but we're also very good at doing it to them. So our understanding of the ways that we're vulnerable is really kind of predicated on how good we are at attacking other people too. Yes, please. Hi, I'm Stefan Grober with the Euronews European Television. I want to come back to this North Korean Sony thing, which I found most frightening. And I wonder what your assessment is of the North Korean cyber capabilities. And we're talking about a country that is, by all standards, one of the poorest in the world. They can't feed the population. They can't run their power grids 24-7. This country should be capable of launching cyber attack against the United States. Is that serious? 
Or are we so weak? That's most troubling. What's your take? Well, the experts who've looked at the Sony hack, I think would say that it probably wasn't all that sophisticated, right? I mean, it took advantage of some pretty basic techniques for getting inside of a network. And what I think is sort of more interesting about the Sony attack is the political offensive nature of it, the way that they sort of decided to use this, if we believe the complete narrative. I'm not saying I doubt that it came from North Korea or was directed by North Korea, but to the extent that they were using this as a way to try and silence free speech or something like that, that's more of a political kind of act. And one that seems to me that they're pretty adept at. But you're onto something here, which is that, this is a country that only has something like 1,300 internet addresses in the country. When the internet went out in North Korea after the Sony attack, I mean, it was like shutting the light off in a room, not like shutting off the power grid. It's a fairly trivial thing to do to knock them down. I think what it underscores, whether North Korea did this or whether they outsourced it to a private group, is that the barrier to entry to getting into cyberspace and causing some real damage is trivially low compared to building an army or an air force or a navy, which is not to say that something like the Stuxnet attack that we and Israel launched against Iran was trivial. It could take, it probably took years to plan. But countries can do a fairly significant amount of damage or at least cause a lot of havoc and really sort of muck things up with some fairly unsophisticated operations. And I think that's probably what happened in the Sony case. Yes, sir. Thank you for your presentation. I have a question about, if you consider that everything we have in life has two dimensions, an apparent one and one that is maybe a little more hidden. 
If you take the internet, which is now at the domain of the virtual, all the things that happen in real life, can you think about the same thing happening at the virtual level with real people? You talk about at war. Can you think about a war happening now against the US or worldwide conducted by spiritual being based on what we see on the internet, which will be just aspirable? Well, I guess I'm not sure I fully understand the answer, but I guess if the question is, can you imagine wars that don't take place in the physical space that we understand more in this sort of cyber dimension? I think increasingly the line between the two of those is becoming blurred. So you can see events that happen in cyberspace that have a real world outcome. And it's important to remember that probably the purest definition of cyber war or cyber attack, certainly from the military's point of view, would be something that happens in cyberspace that has a real world outcome. So Stuxnet, you create a computer program that disables a piece of physical infrastructure. But those two lines are blurring all the time. And it's sort of one of the fun things to play with in the book, particularly at the end, where I'm sort of trying to imagine what the internet of the future looks like. And I tell people, particularly young people who are sort of starting out in computer science, if you really want to get into a sort of completely new dimension of thinking and challenge your thinking, cybersecurity is a growth industry for that reason. Yeah, we come over here. Any questions? Yeah, go ahead. Yeah. Hi, Tim Rada from the German Marshall Fund. Thanks for the presentation. In your reporting, and also I'm curious about your opinion, have you heard much about switching to a web 2.0 or creating other protocols, perhaps separate networks for critical infrastructure, that are completely de-linked from the main global internet? Do you see that as something that is gaining interest? 
Or what are your thoughts on that? Yeah, actually at the end of the book, when I'm sort of imagining what would a safer cyberspace look like, it's predicated on that very idea of would you kind of create separate networks entirely? Which the military has done, by the way, the military runs global networks that are not connected to the internet. Plenty of people have said, why are we connecting industrial control systems that control power grids to the internet? That just seems crazy to some people. But I often wonder too whether or not you could take the existing internet and sort of break it up into quote unquote safer zones. And this is highly speculative, and I'm sure technologists out there will probably tell me that there's no way you could actually do it. But I just wonder if you could almost create sort of like a gated community on some portion of the internet, where you put your banking and your Amazon and all the things that you depend upon every day. And the price to enter in there is basically your anonymity. It's you have to identify who you are, where you are, what is your computer, you have to be vetted and trusted. And you can operate in that space, but you will have essentially no privacy, no anonymity whatsoever, but the trade off is that you get a higher degree of security, more monitoring and some level of assurance there. And I wonder if maybe we're heading towards sort of creating these sort of clean zones and dirty zones on the internet, and that the cleaner zones will just be more heavily surveilled and monitored, even if they're not physically distinct. Yes. Shane, just an absolutely superb presentation. Thanks. Tom Goldberg with lineage. I'm just gonna make a quick comment on the last question. Harris Corporation bought up some fiber optic unused cables in the United States is trying to sell that out to industrials for that very purpose regarding your question. 
The second one, which is rather interesting, is that the Brazilians are running their own fiber optic to Europe to get around the switching and connectivity through the United States. So getting to Shane's point, it's becoming a reality. It's a little slow, and like everything else that you've described, it's fits and starts. Yeah. Okay. Yes, ma'am, right here. Thanks. I'm Lindsay Gorman from the National Academy of Sciences. Thank you so much for the great presentation. I'm wondering about the question of public-private partnerships, particularly as it relates to talent sourcing. You mentioned that the cyberspace is no longer the province of the geeks, but the reality is that at the highest levels of technical competence, it is still the province of that part of the population, which historically has not been the most inclined towards military service. So how do you see the prospects for talent sourcing to match these budgetary increases, particularly in the military context? It's hard, and I think it's harder after Snowden. I mean, Keith Alexander, who was before Admiral Rogers, the director of the NSA, the longest-serving director, famously a couple of years ago, went to the big hacker conferences in Las Vegas and took off the uniform and put on these black jeans and a T-shirt and tried to say I'm one of you and said, come join us, participate in this. And obviously the government's credibility is pretty low among a lot of those groups. But on the positive side, and that's been too bleak of a picture, it's a really, really high-end sort of of the cyber-offense scale, let's take it, where you have the really exquisite hackers. I guess the good thing is that you don't need as many of them as you need sort of lower down and more of the defensive and sort of more of the systems administrative kind of thing. So that's one. So you can think about maybe the requirement to find numbers is not as great at the top as it is skill. 
The military and the intelligence community's basic pitch to people who want to work in this area is yes, cybersecurity is a huge growing area in the private sector, but you will get to do really cool and fascinating things working for your government that you would never be able to do otherwise. I'm not sure that's entirely true because a lot of private companies out there do pretty cool things too and are doing a lot more of them and frankly in some cases know as much about foreign hacking as significantly equal to what the US government knows, but this is not stopping NSA in particular from going out and recruiting. The agency has a program where it will pay for your four-year education to get a computer science degree to come work for the agency and you pay it off by working for the agency for four years, they are helping to write curriculum at universities. They are always gonna face the challenge that they cannot pay, the government, the military cannot pay private sector salaries. I met one person actually after the book was finished who went through one of these four-year programs, did his time in the NSA and then he went out to Silicon Valley and did a startup where he's now a contractor for the National Security Agency. So I suppose like the model might be like, okay, if you're gonna go be a contractor just make sure you're one for us, but this is where the public-private partnership part comes in, the intelligence community gonna have to depend upon expertise in the private sector, it's just inevitable. More people are gonna go there, they're gonna be paid more and they're gonna find the work as appealing and I think the intelligence community gets that, they do. I think we have time for one more question, yes. Hello, my name's Richie Abel, I'm a student at American University and the implications of cybersecurity are definitely intense, we've talked about warfare, collapse of financial systems. 
Do you think it's time that the United States backs down and lets an international response to this a more multilateral response to cyber defense? The internet, it's an international issue, does it require an international response or are we better off on our own? Yeah, well it kind of begs the question of like could we head towards something like a treaty maybe? And we got this a little bit when we talked about NATO, but if we went broadly more like, is there a cyber warfare treaty to be had? I think the answer to that candidly is no because there's very little incentive for other countries to abide by these rules and how would you verify it? It'd be very, very hard to verify that kind of treaty. I think what's more likely is that sort of rules of behavior and the norms are going to develop over time and it's going to be very messy. I think that probably it certainly, if it didn't occur to President Obama at the time, it certainly has since the December 19th speech that he gave where he identified North Korea as responsible for the Sony hack, how we respond to these events is going to set rules of behavior norms not just for us but for other countries and we are setting precedents every time that we go out and respond to one of these events. It's one reason why I think we like to do a lot of this secretly is because when these things get exposed, you have this problem of precedent being set. There was a very telling story last year, I think it was when Secretary Hagel went to China with the military delegation and they sat down with their counterparts in China and said, we want to talk to you about what are the rules of, what are the kinds of aggressive acts that we see in cyberspace happening that we would respond to? What is sort of the tit for tat? How would we formulate? How would we signal to each other what our intentions are? 
And they laid out some of them for the Chinese delegation and the Chinese said, essentially, thank you very much and the meeting is over and we're not going to tell you ours. So this is tough. I mean, you're getting at really, I think one of the more intractable problems in this and I don't have the answers to that but I know that we're gonna get there through collective behavior and action and reaction and it's gonna be messy and ugly and contradictory and hopefully, it'll all be clear on the other side and that'll be the third book. All right, thanks very much. Okay. Okay.