 Live from Washington, D.C., it's theCUBE, covering .NEXT Conference, brought to you by Nutanix. Welcome back to Nutanix Next Conf, everybody. Hashtag Next Conf, this is theCUBE, the leader in live tech coverage. We go out to the events, we extract the signal from the noise. My name is Dave Vellante, and I'm here with Stu Miniman. Stephen Hadley is here, he's a former U.S. National Security Advisor, and currently with RSG, who is an advisor to Nutanix. He's an expert on national security and foreign policy, public policy. Stephen, thanks very much for coming on theCUBE. Nice to be here. So very important topic, one that you just can't talk about enough, so let's start. I mean, we're here at this sort of infrastructure show. We're up leveling it now to this very important topic of security. There's so many things that are going on. We interviewed Pat Gelsinger on theCUBE five or six years ago and asked him, is security a do-over? He had a one word answer. Yes, so where are we at? What's the state of cyber today? Well, let's talk it in a couple of respects. You know, one of the things that's been interesting to follow your industry, and I'm not a technical person, but interesting following your industry, a lot of what was done, social media and all the rest, started to be a fun. It was almost a toy. And what has happened is you now have become, this industry and the services provide are a international, global and national resource, and is at the center of how we do business today. And it's been interesting to watch the industry deal with that challenge. It started out, what do you do about child pornography that gets onto the various sites like? Then it got to be, what do you do about terrorism? Now it's, what do you do about false news? And it's been interesting to see the industry, and I think very effectively start to respond to what are the responsibilities they have to their users in these various troublesome areas. 
And what are the solutions, technologically and process wise? And I think the industry is taking the lead and I would encourage them to do so because I think the industry needs to define the solutions. If you wait to Washington to define the solutions, we'll get it wrong as we usually do in Washington. Well, so let's come back and talk about that. But I like to think of sort of three categories of cyber threats. You've got the hackers, and like you said, it's maybe it's child porn or something else like that. You've got criminals, organized crime, and then you've got state sponsored. Where do you feel the industry, that you just sort of said, the industry really has to lead? Where do you think the industry should put its focus? Should they think about the attacker? Should they think about more about the defense? Is that a right way to look at it, those sort of three categories of threats? I think those are three categories. They are different kinds of threats. I think the industry is going to have to deal with all of them. I think the principal focus is going to be on defense. There has been a discussion in the literature, should companies have the ability to go on offense and to respond to cyber attacks by trying to reach out and hurt the attacker? That's a tricky question. And I guess as a national security type, my instinct is the industry needs to lead on defense. The government needs to think about offensive responses. I think particularly since one of the problems you've got in this business is the attribution problem. If someone marches into your country, you know who is doing it. If you get a cyber attack, it's not clear who the enemy is and who the attack is coming from. And it makes the issue of response very difficult. Secondly, the problem of collateral damage, as we saw beginning with Stuxnet and in these latest attacks, you try to hit somebody over here offensively with cyber and turns out you're hitting users in 150 countries. 
So I think the industry's responsibility is to defend and to try to prevent their systems being used by various nefarious characters. The issue of how to respond to cyber attacks I think is much more a state function, a law enforcement function in terms of ordinary criminals and the like, a national security function in terms of nation-states. Well, Robert Gates on theCUBE last April said that even governments have to be very careful about using cyber as an offensive weapon. And you mentioned Stuxnet and we saw what happened. But there are no standards with cyber war. With conventional warfare, there's the Geneva Convention, there's standards that we can apply with cyber that's the Wild West. So what is industry's role in terms of creating those standards of cyber attacks? I think industry can inform it. I think it's going to be difficult for industry to take the lead. And I think one of the, so my response would be, one of the problems is cyber attacks, the attackers pay no penalty with cyber attacks. It's hard to find, it's hard to prove, and there's no responses. And there's a whole question of what is the right response? So for example, some years ago, over 10 years ago, Russia pretty clearly took down the Estonian government which was a real E government. Now NATO is, Estonia is in NATO. NATO, one of the pillars of NATO is an attack on one, is an attack on all. Was that an attack? Huge debate within NATO, was an attack, was not an attack. Nobody died, traditional measure of where you've been attacked. On the other hand, the government was almost paralyzed. What's the right response? Do you have to respond only in cyberspace? Would you think of responding conventionally through conventional military power to a cyber attack? None of that has been worked out. And as a consequence, nobody pays any price for cyber attacks. 
And my own view, particularly with respect to state-sponsored cyber attacks, is until the country pays a disproportionate attack in cyberspace for a cyber attack, you won't get them to stop. But as you just talked about rightly, it's very hard to respond in cyberspace because of the unintended consequences and cyber collateral damage, if you will. My hope, the way out of this, is, as you've seen in these last attacks over the last week or so, which were targeted, I think the most recent one was targeted on Ukraine and ended up affecting 150 countries. I would hope that some of these, at some point, are going to bring the international community to its senses. And people are going to basically say, look, we're all vulnerable. We're all at risk. The United States is more dependent probably than other countries, but China isn't too far behind. And for the United States and China to start leading an international conversation about developing the rules of the road, I think that would be good. I think, though, there needs to be a panel from industry that supports that effort. Or my worry is the governments will get it wrong and will impair the growth of the industry, which is bringing so much benefit to the global community. Really interesting point. A couple of years ago, we interviewed the president of ICANN, the organization that oversees higher internet, Fadi. And he was really concerned that companies like China and Germany were going to say, we're going to have our own internet. We're just going to wall things up. Kind of goes against what you're saying, is we need to work together. We see dissonance between private corporations and governments now. How do we get globally working on technology, working together rather than fragmenting more? And you make a very good point. It's working together on the basis of our principles. Look, our view is that a global internet, free access for everyone is a powerful political statement and can be empowering of individuals. 
So it is a small D, democratic institution. And it is enormous economic power. It would be a tragedy if individual countries start to balkanize the internet and start to make them national systems. Because you know the countries that will do it are countries that are authoritarian and will convert a device that actually empowers individuals to be a device by which the state controls individuals. Secondly, it will risk cutting them off from the global community, which will have economic consequences, much less social consequences. So I think it is important for us to try to take the lead and start that conversation and to do it while we're still talking about a global internet and really haven't lost that. So this conversation needs to start sooner rather than later. You're the chairman of the United States Institute of Peace. I have to believe that there's some parallels between the work you're doing there and what we were just discussing. They're trying to co-operation and, you know... There is in this sense, one of the things that USIP has found is, and when I was in government, I always used to think about what governments can do to resolve conflicts and wars and preserve peace. And that's sort of top-down government policy. What US Institute of Peace is doing is bottom-up, you know, facilitating groups, civil society, and peace builders and peacemakers in war-torn communities to begin to resolve the ethnic conflicts, the tribal conflicts, the religious conflicts that are really the kindling and the fuel for conflict. And through an affiliated organization of the USIP called Peace Tech Lab, technology people are coming together with civil society people and saying, what are the tools you need that we can put on an app and use on an internet platform that will allow you to do your bottom-up peace building work? And it's very powerful. So for example, election violence, always a big problem. 
There are civil society groups using technology that we're able to monitor through social media the first signs of electoral violence and bombard them with text messages and the like to try to bring down the temperature. So what we're seeing at USIP is there is a bottom-up component of peace building that can be technologically enabled to allow people to try to maintain peace in their communities. It is the new frontier in some sense for the work of the US Institute of Peace. So with Stuxnet, we saw that malware had the potential to kill people. Maybe in and of itself that malware didn't kill people. People died and that whole dynamic with two nuclear engineers in Iran. My question is, and Stuxnet is 15-year-old technology. I don't think if Stuxnet was responsible for anything. No, right, yeah, let's clarify that. There was a separate. And it was associated with that whole initiative. There was an effort to set back the Iran. But it wasn't the malware itself, but the malware was demonstrated to do damage and it could theoretically and probably in practice kill people. So here's, as I say, 15-year-old technology and just scratching the surface. So God knows where we are today. You may know, I don't. But you sort of put forth this notion that countries, states need to come together and sort of address this problem. My question is that does the, well, I'm inferring that the U.S. has a lead. And as the leader with the best weapon, what's the motivation for the United States and other countries or the haves to work with the have-nots and actually create these standards? Is it because we have more to lose? I wonder if you could comment. I think it's vulnerability. I mean, look, we're more dependent on the internet. We're more dependent on cyber systems. Look, to your point, if you bring down and get into the control systems and allow you to shut off the water filtration plants and bring down the electric grid, a lot of people are going to die. 
They're going to start in hospitals and it's going to get worse. So what is the task? The first task is, and we've known about this problem of the vulnerability for critical infrastructure since the 1990s that the first studies were written. Government has been slow. Quite frankly, industry has been slow. And I think that train is finally moving. Some sectors are farther ahead. The financial sector is much better and further along at hardening their infrastructure against cyber penetration. But we still are very vulnerable through control systems in our water system, electric grid, all the rest. And of course, the internet of things has only multiplied the portals through which people can get into these systems. So there's a huge task of defense and hardening that needs to go on. And that's a responsibility of industry and government working together. It can only be done if industry and government work together. That's the process we need within the country. Secondly, then can the US lead in a process to try to develop rules of the road that provide another layer of protection? But it's got to start with hardening our infrastructure here at home. I got to ask you about fake news. Fake news in Russia. Is Russia an adversary? Should they be perceived from a diplomacy standpoint? Should we be antagonistic? Or should we try to be more friendly as it relates to what's been going on with fake news? I wonder if you can tie those together and give us your thoughts. Well look, one of the things that's different about Russia today is what we've seen in the election. This effort through hacking, through disclosing emails, through probing our electoral infrastructure through a variety of things the Russians are doing, they intervened in our election process in a bigger way than we've ever seen before and they're doing the same thing in Europe. That is a new problem. We need to get to the bottom of it to know what happened, what happened. 
People do it from the standpoint of retaliating against Russia. I think the bigger problem is we need to harden our electoral infrastructure. Our electoral infrastructure turns out to be critical infrastructure that we have to harden just like our electric grid and our water supply systems. And fool me once, shame on you. Fool me twice, shame on me. If we don't harden our electoral infrastructure so this cannot happen again, next time it happens, it's our fault. So kind of a cyber Star Wars, is it, we don't know if it's technically feasible, that's not your area of expertise, that's industry's problem to figure out. Stephen, you are a fantastic guest. Thanks so much for coming on theCUBE. Really appreciate your insights. I'm delighted to be here. Thanks very much. All right, keep it right there, buddy, we'll be back with our next guest right after this short break. This is theCUBE, we're live from Nutanix.nextconf. We'll be right back.