 This is Dave Vellante, and we're here at the MIT Media Lab. I'm here with my current co-host, Charlie Senate with the Global Post. Charlie, great to be working with you. And Joseph Nye is here. He is the University Distinguished Service Professor at the Harvard Kennedy School. Joe, welcome to theCUBE. Thanks for coming on. Thank you for having me. So this is an event that is up your recent, certainly recent alley, the sort of gap in governance and cyber space, the pace of cyber space outgrowing, really international relations ability to keep up. And you gave a talk this morning, sort of giving some parallels with nuclear proliferation. So where are we in terms of cyber space? Is it, I mean, we love sports analogies here on theCUBE, but is it, we're past the first inning, but we're certainly not into the late stages of the game, are we? We're probably on the 10 yard line. Ours. And basically, the analogy I like to use is when the world finds a totally new technology, let's say nuclear in 1945, something that's transformative technology, takes a long term to learn how to cope with it, both domestically, but also even more difficult internationally. So if you look back on nuclear, you know, Hiroshima is 1945, you don't get the first international agreement, the limited test pan treaty until 1963 and the nuclear non-proliferation treaty in 1968. So basically you're talking two decades before we learn how to cooperate internationally. And the internet, some people say, well, it's an equally transformative technology, totally different type of technology, big impact on people and how we organize ourselves. But people say it's a totally different technology and it is totally different. But what's the same is that when we cope with a new technology, how do we learn? I mean, how do we develop the habits of international cooperation? And if it took two decades to learn in nuclear, then where are we with cyber? And if you think of cyber as basically taking off, so to speak, in the late 90s, after the World Wide Web makes the internet commercially usable, you see a curve of use in the late 90s is going up exponentially. So you can argue that in that sense, cyber is only basically 20 years or so. And so we're at about the same point that we were in nuclear. So when you look at the state of nuclear in terms of, let's say, what happened after the breakup of the USSR and the increased complexity and threat matrix that now exists in the world, it's scary to think about what's in store from the standpoint of cyberspace. Now Charlie said, well, think about the positives, Dave, but still, I wonder if you can comment on that. Well, the big difference that I think is in nuclear, while we do worry about non-state actors, terrorists getting old nuclear weapons, it's a pretty complex technology for terrorists or individuals to access. Cyber's not, I mean, cyber is basically any 12 year old with a computer, I mean, I'm thinking of my grandchildren, but there's so many ways in which an individual can participate at such low costs. There was this great cartoon in the Yorker 20 years ago about two dogs in front of a computer screen and one dog looks at the other and says, don't worry on the internet, nobody knows your dog. Well, basically if the lights go out in New England, we would know it probably wasn't a dog, but you wouldn't know whether it was a government or whether it was an individual hacker. So in that sense, the threat is perhaps maybe less horrific with an individual incident, but certainly more potentially insidious. Yeah, the threat is very real and so real in fact that at Global Post we've experienced an attack if we can use that language by the Syrian electronic army, which we think may have been directly connected to pretty aggressive coverage that we've done inside Syria. It was a very brave and courageous reporting. The media is certainly part of the equation here in the sense that the media can be vulnerable. The media can play a great role in helping us understand this equation, the need for better governance. But one thing I was really struck by in your opening remarks was your comment that the language needs to be toned down, the rhetoric of cyber war, cyber attack, cyber threat. Certainly we felt very much attacked, but are we overdoing the language? Are we over-bloating it? And what's the peril in doing that? I think that, yes, we are over stating things. I mean, and the peril of that is that we wind up not thinking clearly. We hype the problem. The cyber attacks, I mean, if you talk about any effort to intrude into a system, you know, there are tens of thousands of cyber attacks every day and it's more than that. And, you know, as long as we realize that an attack isn't like being mugged in the street, some of them are, some of them are worse, some of them are much less. It's like knocking on a door to see anybody's there. So the word cyber attack covers a vast multitude of actions. Cyber war, which has been bandied about, I think we should restrict it to only things where there's the equivalent of a kinetic or real world physical effects that we would call war in the real world. Otherwise, you wind up with cyber wars like the war between the sexes or the war on poverty or so forth. And once you use a term that broadly, you devalue it because it covers everything and therefore you can't make useful distinctions. Joe, you've always been someone who has helped us frame major issues, coining phrases like soft power, hard power, and helping us really think through how we're going to think about the future of warfare. How concerned are you about the vulnerability of the United States to cyber threats? And are we really entering a new phase of the way we need to think through the security for our country? Well, I think there are real problems. I don't mean to be little bit, but I do think that exaggerating them doesn't make this thing clearly. The estimates, these are off the top of the head, estimates that about 80% of the threats that are faced could be cleaned up by better cyber hygiene. I mean, by basically this low-hanging fruit. We get rid of a lot of the things that are nuisances, creating frameworks for botnets and so forth by better cyber hygiene. And that would allow us to focus on the things that are really more important. One is the loss of intellectual property through cyber espionage. That's, I think, a real and costly in our society. Cyber crime is also very costly to our society. There are a variety of estimates of how much it costs each year, but none of them are low. And then there is the prospect of cyber war. In other words, if you imagine you did get into a conflict with another country and they decided they wanted to use cyber to deprive our military of its ability to use network systems, so many of our weapons systems now depend on cyber connectivity, or if they decided to attack our infrastructure. And that could be another country, or as I said a minute ago, my little joke about the dogs. It could also be terrorist groups. It could be activist groups of different sorts. Is this already underway? Would you say that the presumed alleged event in which Israel is alleged to have actually gone after Iran and some of its nuclear capability through a cyber attack, are we already seeing this era and was that sort of the opening of it? Stuxnet, even. Well, Stuxnet, which is often attributed in the press to the US and Israel, was clearly an act in which damage was done physical objects, a thousand centrifuges in an across the border in another country. Is that war or not? We would argue it's sabotage of war, but that you reserve the word war for something that's more serious, but I suppose if you're an Iranian it might look like war to you. So we, but what's interesting is that we haven't seen that many such things. People will talk to the denial service attacks in Estonia or Georgia as examples of cyber war. It's a bit stretching. I mean, somebody said it's better to think of them as cyber riots, that you're recruiting a lot of computers to deluge another country's computer systems, but that it's, it has a full-scale war. It's a bit, it's, it's, the fact that we haven't seen them is that because the technological capabilities may be out there, the organization structures may not be there, or is it, is it perhaps that we're still in pre-season, the preparations are going, that's the nature of security in 21st centuries. You don't actually know when the threat is embedded. Well, I think it's, I think that things will get worse, but I think, and certainly the technological capabilities for denial service attacks are there, and denial service attacks happen all the time, and they're measures that are taken against it. I guess my point was that I don't think a distributed denial service attack is really a war, cause it's a, it's a riot of disruption or something, but you know, I think war is too strong for that term for it. On the question of could the infrastructure be sabotaged in ways that could be damaging, well Stuxnet shows that it's possible. Do you feel like Stuxnet was sort of potentially opening Pandora's Box, showing people the way, a playbook? Well, some people believe that it did allow others, actors who we wouldn't have less confidence into, to do things which they might not otherwise have been able to do. I think the, you know, the question of why don't, why haven't we seen more of it, it has something to do with technology. It's also something like Stuxnet was beyond the aptitude just the ordinary hacker. I mean you required a large amount of human intelligence by a large intelligence service, and a lot of preparation that went into it, which was beyond the realm of the sort of group of kids who get together and say let's go and stop the electricity someplace. So potentially state sponsored, but so, is that what we can expect going forward, is that it's likely that you have to have resources of a government behind you, or do you see potentially, I mean, look at Bitcoin, started by, you know, Stetson will be a bunch of smart guys. I know, I mean the point is that the directions of technology are making a lot of this easier, and I think individuals can play roles. The other point is that if you think of criminal groups, they are pretty sophisticated technology and they can recruit a lot of money. One of the questions for the future is, suppose that terrorist groups or activist groups that wanna cause harm hire a criminal group, or pay them for some of their innovations of technology, and they wanna, we've already seen some of this, where you blackmail a company by saying you're not gonna be able to contact your customers for such and such a time, or if you want to get access to your computers, which we have now encrypted, you have to pay this amount of money into this account, somewhere at Kazakhstan or whatever. So I mean that sort of thing is already happening. Question is what happens if a future al-Qaeda decides to buy that capacity from a criminal group? And you can do this on the internet. I think it was Fadi Shahadi this morning said I'm kind of tired of playing defense, and I took that to me that the security has traditionally been very reactive, but my question is, is that really the case? I mean it seems as though for instance the NSA with Prism is being proactive, I mean certainly reacting to 9-11, but taking proactive measures, is the community being more proactive and going more on the offense that the average person doesn't see? Well I think NSA would probably say that what it does in surveillance is defense, not offense. What's done by intelligence communities that may have been behind the Stuxnet, that would be defined as offense, I mean if you are trying to find ways to anticipate an attack, whether it be a terrorist attack in the kinetic world, or whether it be a cyber attack on other systems in the cyber world, that type of surveillance I think would be thought of as defense. So Snowden has implied anyway that he's got more information that he can potentially leak. In your view, is that a viable bargaining chit should the US entertain such offers because of that potential threat, or in your view, no way? I don't know how much, I mean I simply factually don't know how much is still left in Snowden's treasure trove. I mean I think if there's a lot left in his treasure trove and we could get it back and be assured that it wasn't copied or mirrored in third systems, I might just as a practical bargaining point, listen. Listen, yeah. It was a big gift, but frankly it depends on the facts. Okay, well Joe, thanks very much, I really appreciate your perspectives and the good work that you do in this community and appreciate you coming on theCUBE. Well thank you, it's my pleasure. I keep it right there everybody, we'll be right back, this is theCUBE, we're live. MIT in Cambridge, Massachusetts, right back.