delighted to have you join us here at the Carnegie Endowment for a discussion with David Sanger on his new book, The Perfect Weapon: War, Sabotage, and Fear in the Cyber Age. I'm Kate Charlet. I'm the director of the Technology and International Affairs Program here. I was also a Department of Defense cyber official during much of the time period of this book. I found it a very fascinating read. And as we can see just from the news of today, from the supply chain news to indictments in one single day, it shows how much cybersecurity and cyber policy is affecting us on a daily basis. It's on the top of the US agenda as well, the recent announcements of the new Pentagon cyber strategy and US national cyber strategy, as well as new authorities that the White House has discussed on more flexible authorities for offensive cyber operations. So what David is writing on is really profound. And whether or not cyber tools are the perfect weapon, they have fundamentally changed and will continue to change the way we think about cyber conflict. So tonight we're going to go beyond the headlines, with somebody who has written many of those headlines. We want to talk about David's insights into the dynamics, shaping large and small states, competition in cyberspace, the US government's approach. And we also want to have a forward-looking conversation based on all the insights that he's gained over the course of his investigations about what this means for the future. So a couple words of introduction. David Sanger, national security correspondent with the New York Times and three-time Pulitzer Prize winning journalist, most recently in 2017 as part of a team that reported on Putin's efforts to project Russian influence abroad. He's also published other award-winning books on foreign policy and national security, which collectively have had a significant impact on national and international dialogue and decision-making, including on cyber tools and cyber conflict.
Joining the conversation also is Ariel Levite. He's a senior non-resident fellow contributing over the last 10 years to Carnegie's work, both in the nuclear policy program, as well as the cyber policy initiative. He's on the cyber side. He's been doing a lot of impressive work on cyber conflict, norms of responsible behavior in cyberspace, ICT, supply chain, cyber risks to nuclear stability, and much more. And he previously held senior positions in the Israeli government, including the Israeli Atomic Energy Commission. So without further ado, welcome. And we will turn it over to Eli and David for an illuminating conversation on the new book and beyond. Thank you. Thank you very much, Kate. David, delighted to have you here. Great to be with you. And on the spot. And on the spot. Oh, yeah. I know how much you're going to enjoy having this flipped around. So just by short ground rules, we'll ask you kind of a serious question, kind of a barrage of questions. OK. You would obviously answer whatever you want to answer, as always. Can you imagine me evading one of your questions? And then clearly we turn to the audience to ask you a few questions, which I'm sure you can handle as competently. Then for the people who endure this one hour, there'll be drinks. Perfect. And the ability to get a copy of your book and have you sign it outside. So I think that's the agenda in front of us. I think one compliment that hasn't been given to you yet is in addition to being a journalist, you're also someone who teaches and does research at the Belfer Center. And I think the book reflects the wisdom of someone who is not just a journalist, but also. So having given you a few compliments and probably some others adieu, I would ask you, why did you call your book The Perfect Weapon? Good question. Well, first, thanks to all of you for coming. Thanks to Carnegie for doing this. Thanks, Kate, for hosting us.
And thank you, Eli, who's enormously helpful, as I was trying to think through some of the arguments for the book, but is responsible. He is responsible for none of them, particularly those he disagrees with. And there are a couple of those, as we know from our past discussions. So why The Perfect Weapon? What's characterized the past couple of years here has been the ability of states to use cyber as a great short of war weapon, a way to go influence their opponents. Not only steal data, but manipulate data. In some cases, accomplish by cyber means something that previously could be accomplished only by bombing or sending in saboteurs. An example being the American and Israeli attack on the centrifuges in Iran. But that's not the only example by a long shot, the North Korean attack on Sony and so forth. And also to now, as we've seen in the elections, but also as we saw in the indictment issued today, to use cyber in a range of different influence operations. So what makes it the perfect weapon? Deniable, hard to attribute at times, relatively easy to deny. Stealthy, dirt cheap. To get nuclear weapons, you need uranium or plutonium, millions if not billions of dollars in equipment, a lot of expertise. To do cyber in a good way, you do just fine with some teens, 20 and 30-year-olds, some stolen weapons from the NSA. There seem to be a lot of those floating around right now. Maybe a case of Red Bull that would really help. And with that combo, you're pretty well off to the races. Something that jumped out to me today as I was writing the story with my colleagues about the indictment that was issued by the US and the releases by the Dutch and so forth is that the Russian team that went after the DNC, and if you believe the indictment, some of the same people who did the DNC also went after the anti-doping agency and many other institutions, is fairly small, tight groups of people here who can move around with relatively little equipment. And that really...
That's the Cozy Bear, the shadow bear. This was Fancy Bear. You've got to keep your bears straight in this business. But... We're talking codes, so people who haven't read the book would actually have to look at the pages. That's right, that's right. And I'm always getting Cozy Bear and Fancy Bear mixed up, I confess. But so what's really... We're talking about the GRU and the SVR. That's right, these are different Russian intelligence agencies, all of which sort of broke out after the fall of the Soviet Union and reorganized. And even the GRU no longer calls itself the GRU. So what made it the perfect weapon are all of these issues of deniability. Now, there are a lot of imperfections about the weapon that are in the book. The American attacks on the North Korean missile program, which I delineate in the last chapters of the book, appeared to be only modestly successful and only briefly successful. You could argue that even the most famous of the attacks, the Stuxnet or Olympic Games attack on Iran, was successful in buying some time, but only a year or two. So that means that it may be an effective weapon, but maybe not a permanent solution. To keep the traditional life of disagreeing with you and trying to provoke you in the process, you can't avoid some collateral damage. You have many unintended consequences of some of which we will be discussing later. The damage may be transient. If you're trying to send signals across, interpreting those signals as you repeatedly point out, it's not a trivial matter, and often you get misinterpreted what it is that the other side was trying to communicate. You can reverse engineer some of those weapons and so on. There are low barriers to entry, so others can emulate them and use them against you and so on and to retaliate. And even deniability that we used to think was quite easy may not be a given, attribution has become a lot better and willingness of governments to attribute.
So now that you have actually put everything together, would you still think that this is a perfect weapon, or is it a perfect weapon for some people under some circumstances for some purposes? It is a perfect weapon for states that don't wanna get into a straight-on confrontation with the United States or other adversaries. But the Chinese, the Russians, the North Koreans, the Iranians, all the major actors in this book, they know what they don't wanna do. They don't wanna be on a one-on-one military contest with the United States. They also think they don't need to be if they can make use of this. They also recognize that for all of the drawbacks that you described, I would certainly concede are imperfections in the technology or at least temporary setbacks in the technology. For all of those, we haven't figured out a deterrent yet. I mean, we've had all kinds of ideas. One idea that we've had is indict and embarrass those who you catch, because as you say, attribution's getting better. But the fact of the matter is, we've embarrassed the Russians three or four times now. I don't notice that they're slowing down any because they've come to the conclusion there's not. Maybe it's a better one or not. Well, maybe it is. I mean, maybe they've come to the conclusion that just the accusation that they can park across the street from the chemical weapons investigators in The Hague and managed to get into their computer systems, or at least attempt to before those guys got arrested, shows that there's nothing that's safe. But what hasn't happened to any of them yet is they haven't seen the kind of retaliation that would bring about a significant military setback or response. I'll give you a great example of this. Think about the Sony hack.
The Sony hack, for those of you who have forgotten about it since 2014, was based on a North Korean effort to stop Sony from distributing a truly terrible movie called The Interview, okay? And the movie basically envisioned a couple of journalists who were going off to interview Kim Jong-un, it's a comedy, and the CIA hires them to assassinate them. Now, you've spent enough time around it. Can we expect now the servers of Carnegie to collapse? Now that you've mentioned the story of the DPRK, are you trying to? I'm trying to do, right. So, Eli, you've been around journalists enough that I suspect if you were out to hire some hit men, they're probably the last category of people you would reach to. The DPRK, yeah. No, no, it would be the journalists. I'm the son of a journalist, come on, yes. So anyway, imagine for a moment that the North Koreans did not have cyber as a way to bring down what became 70% of Sony Pictures Entertainment's computing capability. They would have had to land at Long Beach, right? Grab an Uber, go up to the studios, probably commenting along the way they never knew that many cars existed. Now get on the studio tour, stick some dynamite under the computer center and then just run like hell, right? And what would have happened if we had seen the smoking wreckage of a Sony facility and Sony Studios or even just the computer center? Whoever was president of the United States would have had to make something blow up in Pyongyang. The pressure would be too great. People would be out saying terror incident, you know, launched by the North Koreans. But because it was cyber, because it took a while for them to attribute it, because it was impossible to see for most people, because there was no smoking ruin on CNN, the response was a couple of sanctions that I doubt the North Koreans ever noticed amid all the other sanctions we put on North Korea.
That's not a bad day's work if you're the North Koreans. And you inflated the reputation of the cyber power. That's right. So I have a question to you. I mean, for those who would make the enjoyable effort of reading the book, would find that on balance, at least this is my assessment, you're quite damning in the way you look at the Obama administration handling of the election hacking and not particularly flattering in the way they've handled the DPRK, Sony and so on. How much of it is idiosyncratic having to do with either the fact that it's a first-time experience, it's a novel technology and so on, it's a first-time being attacked in this way and so on. And how much you think, though, this is structural? It's the predicament of trying to deal with those bad guys who are doing these kind of things to you. I would say it's roughly 50-50. So in the Obama administration, there had been a lot of discussion of the things you could go back and do to a country that is doing cyber attacks, I mean. But President Obama was famously cautious, not just in the cyber realm, but think of the red-line example was Syria, where he was headed to doing a modest attack against them for their use of chemical weapons, and then in the end pulled back. He was cautious in Afghanistan, he was cautious in Iraq, and that's fine, I'm not arguing against caution. But what happened in the Obama administration was that as they got into the discussion, particularly after the revelation of the Russian activity against the DNC, is they tied themselves up into knots over one of these arguments about escalation, because one of the other utilities of cyber is it's not clear to the adversary what the escalatory ladder looks like. So President Obama would ask his staff, so supposing I took your recommendations, supposing we exposed Putin's ties to the oligarchs, supposing we cut the Russians off from the international banking system, supposing we did any of the steps that came in to suggest.
What's to stop Putin on election day from going in and doing just enough damage that he would play into Donald Trump's argument that this election is rigged? And nobody could answer that question. So they decided not to do anything back other than to issue a very stern warning to Putin, which the president himself issued at a meeting in China, until after the election. They assumed Hillary Clinton would win, they would go off and do this. In the end, what they did was throw out, I think about 35 diplomats who were actually spies and closed two facilities in the United States, and I quote somebody very senior in the Obama administration as saying on the day that they did that, that it was the perfect 19th century response to a 21st century problem. Yeah, that's one of the best quotes in the book for sure. So in retrospect, you think with the benefit of hindsight, you think the Russians would consider what they have done as success in terms of the election hacking and so on, or they got something they haven't asked for, right? I mean, they got more sanctions rather than sanctions relief. The president has that they got the kind of president they may have wanted, but he's not behaving the way they wish him to. Well, he may be behaving the way they wish him to. The rest of his administration isn't, which is one of the oddities of what's going on. I mean, relations between the US and Russia. Not very good, right. So I can't imagine that they don't think this was a success. By virtue of the fact that nearly two years after this hack happened, we're all still sitting around talking about it, worrying about Russia, worrying about what they might be doing in the midterm elections, worrying whether they're using the midterm elections to practice for the next presidential election, making them a player.
And if you read today's indictment with activity that was going up through July of this year, it certainly doesn't seem like the exposure of their activities slowed them down in. Doesn't necessarily make it into a success. Doesn't necessarily make it into a success, but if Putin emerged from this thinking, not only was this a failure, but it kept sanctions on that I'll never get out from underneath and all that, you might think that he would have rethought his tactics. And in fact, You may not have that many available. I mean, well, that's an interesting question. But let me ask you a related question before we ask one forward leaning question, move the turn to the audience. When we try to reconstruct the Russian logic in doing certain things in the Ukraine, in doing certain things in cyber, in doing certain things that towards the United States of the elections, we often run into the argument saying, you think we went first? We didn't. We were just retaliating. The opposition in the Ukraine blew up some of our energy supply and so on. So we showed that we could do it even more sophisticated. You try to manipulate our elections in different ways and so on. And so we showed you the taste of what that looked like at its double edged swords. Do you buy any of that? Yeah, some of it's right. Look, if you're Vladimir Putin, his view is we weren't the first to go mess with elections when Hillary Clinton criticized the parliamentary election. When she was still secretary of state and said that it had been rigged and that led to protests on the streets in Russia briefly. Who knew? Vladimir Putin does not like street protests. But his view was Clinton was out there messing with questioning my legitimacy and the legitimacy of my party. I'll show her.
And I think one of the reasons, one of the many reasons that the United States wraps so much secrecy in my view and big argument in the book is way too much secrecy around our cyber operations is they worry, government officials worry, understandably that countries will look at what the US is doing with offensive cyber and use it to justify, rightly or wrongly, their own activity. President Obama was explicit about his concern about this when he was in the Situation Room approving Operation Olympic Games, the Iran operation in 2009 and 2010. And he said, look, at some point, this stuff's going to get out because everything gets out. I mean, he may not have known it was going to get out as quickly as he did. You think that you're buying the argument that if the US were to be timid in this domain, others would be as well? No, what I am saying is that the US activity in this domain gives countries an excuse to do something that they probably wanted to do anyway. So I would ask you whether we now look at the things that the book details, this book details, in some beautiful prose on some things that others have done to the United States, but in some previous, some of your previous books, you've also discovered, you also described some US operations. And there are a lot of US operations described in this book, yeah. So who was first? Is something that the US does in this, has done in this domain more benign than what others are willing to do? Or were they equally acceptable and nefarious or whatever and so on? Can we, the US has tried to say that sort of commercial espionage was out of bounds, but other types of espionage was, in essence, acceptable and so on.
I mean, do we see a fundamental dividing line in terms of what the US has been willing to do in terms of, say, penetrating other systems, corrupting software, corrupting hardware, whatever and so on, as compared to others, either in terms of purpose, the technology being used, consequences of that activity, or goals that you want to accomplish? You know, we have a lot of lawyers in the city as you may have noticed, and the result of this is that every US cyber operation goes through layer upon layer of legal review and people ask questions like, is this gonna bleed over into the United States where the intelligence agencies aren't allowed to operate? Is the action we're taking proportional to the threat? All of these justifications, they result in reams of classified legal opinions that make people confident we can go out and legally do what we wanna go do. The problem is, in other societies, where they may not have as many lawyers, but certainly they don't have as many rules and reviews underway, all of that isn't obvious. And so if the United States wants to make an argument, hey, we use this very selectively, we use this in conditions where it is clear that we have the right to do it under international law, rules of law, rules of international warfare, under proportionate retaliation, so forth and so on. They won't make that argument explicitly. You can't if it's a covert operation that you can't even acknowledge that you're involved in. So the result is that all of this brilliant analysis about why what we're doing is legal and the other guys aren't, is totally hidden from the rest of the world. And we're supposed to all intuit it. David, you would be out of work if there were no secrets. That's absolutely true. There would be nothing to go do, but there's a serious argument to be made here. And look, I'm not suggesting that every cyber operation is going to go be made public that we're gonna come clean on each one of these things.
But the fact of the matter is, as you know from your work in the nuclear arena, that we've said much more about the conditions under which we would and would not use nuclear weapons. We've said much more about what would prompt a nuclear response. We've said much more about what kind of controls we keep on our nuclear weapons than we've ever said about cyber. And why is that? And that's continued into the Trump administration. So when President Obama tried to rationalize the system by turning out something called Presidential Decision Directive 20, which laid out who had responsibility for what the US government, who does defense, who does offense, so forth and so on, there was a classified version of it. It leaked, thanks to Mr. Snowden, and a declassified summary of it. In August, President Trump signed a new Presidential Decision Directive that overrides Obama's. That's his privilege, he's the president now. We never saw even a declassified summary. We've only had leaked-out bits and pieces of what it may or may not say and what kind of restrictions, how it devolves power down to US Cyber Command and the NSA. Many in the administration tell me they're very proud of that because they want to keep the rest of the world guessing about when we might use this. My own view is that's fine if you want to keep them guessing, but if you want to begin to set an international set of norms that says here are the conditions under which we use cyber weapons, here are the things we think are off limits, the secrecy actually gets in the way of the norm setting. Which is a lot of the work we're doing here in terms of trying to think of what are practical norms that make sense and what are the ones that won't. So just a final question for me before we turn to the audience. Is unshackling Cybercom an answer? You've talked about the weaknesses of deterrence and the hindrance of being so secretive about what the US would do and would not do and how it would respond.
Is the general message that the US is willing to be much more aggressive, not just in applying sanctions on entities that it doesn't like or hunting down people, perpetrators of cyber attacks and so on, but in actually doing some serious cyber attacks. Is that something that relaxation of the rules of engagement and so on, something that you think would change the equation in the US favor? It would only change the equation in the US favor if it is done in a smart and at least semi-transparent way. Because if you're doing it in complete secrecy, then you're losing a good deal of your deterrent effect, right? You're not only trying to send a message to the country that you may be attacking or attacking preemptively, you're also trying to send a message to everybody else in the world about what happens to you. So if it's all hidden, that isn't terribly useful. If you're doing it without explaining your legal rationale, again, I think it may actually get in your way. The unshackling of Cyber Command may mean that you're pushing decisions down to commanders. General Nakasone, who is the new NSA and US Cyber Command commander. That's fine as long as the kind of activity he's taking place, that he's engaging in, and he's a pretty cautious man, or at least my interactions with him so far would suggest, that all of those actions take into account what your other bigger strategic goals are. And at some point, you can push things down to the point that you're sending the wrong signal at the wrong moment. You remember there was a moment in the Cuban Missile Crisis where, unbeknownst to Kennedy, a U-2 flight went deep into Russia and was sighted by the Russians right at the height of the crisis. And Kennedy said something, I'm probably cleaning this up along the way, but he basically said, there's always some SOB who doesn't get the memo, right? In cyber, that possibility is extremely high.
It's especially high because the main way that we prepare for cyber conflict is by putting implants into foreign systems. You can't just decide tomorrow morning that you're going to go after the North Korean or Iranian or Chinese cyber actor that you're worried about. You have to have implants in their systems that you're nurturing kind of like an orchid and watering and keeping happy and keeping hidden for months or years before you activate it. Well, that's fine, but when we see those same kind of implants in our utility grid or we see those in our emergency responder grid or the cell phone network, we immediately come to the conclusion that the Chinese, the Russians or somebody are getting ready to go take us out. And what are we going to do about this? Great crisis, their warnings have come out. So your approach would be to tell them that it's just waiting as in case you need to retaliate? Well, my approach would be even if you don't tell the individual country, you can say, look, here's our overall intent. Yeah, you're going to find American implants in your systems because it's no secret to you that's how one does cyber attacks. But here's our intent and here are some relatively clear lines beyond which we may actually have to go activate these. And we're not willing to do that because so far with this weapon, we are not willing to get out and even talk about what many of our capabilities are. There have been some rare exceptions to that. The Obama administration did talk about its efforts against ISIS. It wasn't terribly specific, but he did talk about them. It did identify the North Koreans after the Sony case. It didn't identify the Chinese in the attack on the Office of Personnel Management that revealed so many security review files. And it never named the Russians in the attacks on the Joint Chiefs of Staff, the White House, and the State Department that all preceded. They left it for your book. They left it for the book. It was very kind of them.
So as we turn to the audience, I mean, who do you worry most if you marry capabilities and intentions in the cyber world? The Russians, the Chinese, the North Koreans, the Iranians, or maybe there is the 400-pound gorilla sitting on his bed. There's a 400-pound guy sitting on his bed. Yeah, exactly. So who do you worry most with the Sanger list of who to worry most in terms of the cyber activity? So I worry most about the Russians because for them, it is just another great tool of disruption. The only game they have to play right now is to disrupt the international order, American power, European power, NATO, to tear things apart. So they've got the greatest motive and the least price to pay. The Chinese, I worry about from an espionage viewpoint, and Mike Pence talked a lot about the dangers of the Chinese today. But the fact of the matter is, as in financial transactions, they're as invested in the health of the American economy as we are. And they can't afford to bring down our power grids or anything else in anything other than a full wartime situation because it would redound on their own economy. The North Koreans, well, for now we love the North Koreans. So I've heard that the president said that he actually fell in love with Kim Jong-un. But, you know, sometimes love affairs go bad. And if that possibly happened here, not that I'm predicting for a moment that the president might discover that Kim Jong-un doesn't love him as fully as he thinks, but if that happened and the rare possibility that that happened, the North Koreans aren't gonna reach for their nuclear weapons because they know what the country would look like 45 minutes later, but they will reach for their cyber weapons. And the Iranians? The Iranians are saying, you wanna go put full sanctions on us and bring down our economy? There are other games we can play as well.
So you got the breadth and the depth of David Sanger, a few tantalizing details of what is worth reading in the book without giving away the stories. So people would have to look at the book in order to get the full story and so on. They don't have to look at the book, they can get the audio version. They can go to the audio version and they can get the autograph of the author. Who would like to pose a question to David? Go ahead. There are microphones on the side, so. Thank you. I was curious to know, in light of the comments you were making a few minutes ago about Cybercom and the idea that maybe we'd actually launch offensive cyber operations. Do you sense from your contacts across the National Security Establishment with this administration that people understand that if we punch, we better be prepared for a punch back and it may not be, shall we say, like immediately mutual, that is we try for something that's really of interest to Moscow and then the next day, conditism goes dark for a week, say, just to make a point. In other words, is the war gaming, is the strategizing that's going on in Cybercom in your estimation, something that has figured out. If we do this, not only do we have to be prepared to offer a strategic or legal justification, but that we better be prepared when the counter punch comes because it may not come where we expect it or want it, nor can we predict what the impact will be. A good question. So, yes, there are a lot of people who war game this stuff, do this all the time. So it's Cybercom and the NSA and many other elements of the government do, especially remembering that cyber is not separate from all of our other capabilities. If you look at American war plans these days, it's integrated the same way air power is integrated, the same way mining a harbor might be integrated. So it's not living in a separate world.
For all of those war games, for all of that activity, it turns out that for the major cyber attacks that the US has suffered, we have an absolutely perfect record, which is to say we have seen none of them coming, right? We did not predict the Sony attack. We did not predict the White House, State Department or JCS attack. We did not predict the DNC attack. We did not predict the Office of Personnel Management, where it turned out we weren't even thinking about the fact that some of our most sensitive classified files weren't sitting in the hands of the intelligence agencies of the DOD, but instead in the hands of the most boring bureaucracy in all of Washington, which had in turn stored them in the incredibly well-protected computer systems of the Interior Department, where they would get the same protection that say bison migration. Not to mention the NSA contractors who... That's right. So we've had Snowden coming out of the NSA, right? A contractor. Two people who were later arrested and indicted, contractors or internal employees of the NSA, who came out with files that were used inside the Tailored Access Operations unit, which was the previous name for the operation within the NSA that actually does foreign computer attacks and what they came out with were the actual weapons. And we're surprised to discover now that a group called the Shadow Brokers has posted many of those. So yes, in theory we understand we can get counterattacked, but in specific, we don't know where or how. Yes, please. Yes, we get the majority of our electrical components and microchips from China in this country. And just recently yesterday or yesterday, it was disclosed that possibly the iPhone or the Amazon products have been embedded, chipped about the size of a smaller than a piece of rice that the Chinese have installed in this equipment. Doesn't this give the Chinese another tool to be able to use or maybe their allies use against the United States?
And where do you think this is going?
Sure. So supply chain is a big issue. Bring people up to speed on this Bloomberg story. Sure, okay. So the Bloomberg story, which I've not had time to dig into, I've seen Apple and Amazon and others issue pretty categorical denials of some of the specifics in it, but seems like a well-done piece of journalism by some very good and talented board. Well, it seemed to claim that, they have clearly claimed that some administration officials have confirmed the story. That's right. It's correct. So supply chain's a big issue. It's a big issue in two directions. If you go through the Snowden material, you'll find programs, American efforts to get inside the manufacturers of SIM cards, those little cards that you put into your phone that identify it with a phone number. If you can get in at that base level, you can do an awful lot of surveillance inside a phone. So would it surprise me that the Chinese are doing this? No. Have we seen cases of the Chinese doing it before? Absolutely. And the case of the- Are the Chinese the only ones who are doing it? And they're certainly not. So you've seen in recent months that the US government has been banned from using some Russian-origin antivirus software. And in at least one of those cases I mentioned involving an NSA official who came out or a contractor who came out with files, he actually put them in a laptop computer that had Kaspersky antivirus software in it. And it looks like two minutes later, the classified files made their way to Moscow. Funny that, okay? So yes, supply chain's a big issue, but we live in a global economy where you are not going to be able to necessarily go check out, at least at the commercial level, you might in your military systems, every single line of code and every single circuit that goes into your machinery. So the question is, do you have ways to detect this and do you have resilience if it happens?
I think there are also some rules of the game and there are other procedures that one could follow and there is a fair amount of work that we here at Carnegie are doing. Kate is working and I, so watch our supply chain issue. So stay tuned and look at our website. But there were people there further in the back. Go, let's go for, yes, yes. And then we'll come back up. Right, we'll make it short so we'll get more questions into David while we hold him captive.
Okay, so in all the use cases in your book and a lot of the conversation around cyber, we talk about finding vulnerabilities and finding something that you're not supposed to find in order to get in. But what I'm wondering about is your thoughts on the other side of cyber security and in terms of social media use to sow disinformation, because all the indictments are around the actual hacking of the DNC, but I don't know this to be true for sure. I don't know that anyone will, but I imagine that the effects of those leaked documents were much larger due to their dissemination all over social media and all of the proven links that the GRU has to Facebook groups that sow disinformation. So I'm wondering how you think about that, especially in light of the fact that they're actually using that platform, not looking for vulnerabilities but using it exactly as it was intended to be used and actually being very successful at it.
Sure, so first of all, some of the indictments do go to the use of social media. There's an interesting Mueller indictment of the Internet Research Agency officials. And when you read the- David gives a lot of space to him congratulates them for their accomplishments and also I think what the salaries they're getting in Russia. By Russian standards, it's not bad. If you're a 20-something in Russia and going to work for the Internet Research Agency turns out to be a lot more profitable than almost anything else you can go do.
But, and you'll see another Mueller indictment of the GRU that also goes to the use of social media advertising. Right, so the Russians have done an extremely good job of figuring out the vulnerabilities that we've put into our own system and playing off of those. If you go into the indictment that was released today by the Justice Department, it suggests to my horror that journalists can be dupes. And it describes how 70 journalists had communications with this group that called itself fancybear.net or whatever. And playing off the journalist's desire for scoops was doling out exclusive stories that came from stolen material from the anti-doping agency, from athletic groups and all that, and then waiting for the journalist to publish those stories and then reposting the Russians would then repost the stories to give it credibility, right? Is there anything illegal about that? Well, the stealing of the data was illegal, but leaping off of the competitive juices of journalists probably isn't illegal. The solution to that's gotta be at the journalist's age. Look, in the social media side here, the only thing that's new and different is the speed with which you can repeat a message that in the Stalin era moved very slowly. Stalin would take out fake ads and farm newspapers or they would buy off reporters and they'd put in false news stories. And you could never measure the effect or even their reach. The thing about Facebook is you can't. Now, the good news is these are more susceptible to exposure than most things. So Facebook's been playing around with some technology that would say, I know you think that Facebook post looks like it came from Ellie and it has got adorable pictures of his grandchildren, but in fact, it looks to us like this message came out of Russia. I didn't realize it would. Yeah, so they're going after you, Ellie. Well, my grandchildren is, but the particularly war is some aspect. 
I think, I just mentioned that in David's book, I mean, one of the most interesting connections that he makes in terms of the sophistication of the Russian operation by this group was in how they were able to organize real live events based on cyber activity and then get a lot of people to show up for those events. There was one in Dallas that was written, we wrote about a lot and others wrote about a lot where they got a group of protesters to go out on a set of issues, and then they also got a group of counter protesters to show up in hopes of starting, you know, a good street riot in Dallas. Now, it turns out it was way too hot in Dallas the day they were trying to go do that and they didn't get enough. You wouldn't tell it in St. Petersburg that that was the case. That's right, that's right. Yes, please. I'll get to you next, so why don't you go to, yeah.
All right, I think there was a Chuck Hagel that coined the term cyber Pearl Harbor. I would like to ask you if you have any particular scenario that keeps you awake at night, is there any Pearl Harbor that makes you not sleep?
Yeah, the phrase cyber Pearl Harbor, which I deal with some in the book, has been used for about 20 years, but Leon Panetta, the former defense secretary and CIA chief, but during the time of his defense secretary, used it. And I called him up as we were working on the book and said, so why did you use this phrase? And as described in the book, he used it mostly to go motivate Congress to allocate some funds to get this thing done, because it's a lot easier to scare Congress by getting Congress to think about shutting down the entire electric grid between Boston and Washington or San Francisco and LA than to explain the very subtle uses of cyber. And so while I'm worried about a cyber Pearl Harbor, I actually think it's the least likely scenario because it's the one that would bring about, if we figured out who did it, the military response. Whereas data manipulation, going in to change the...
Shutting down the grid for a couple of hours? Maybe shutting down the grid for just a couple of hours, but the problem when you shut it down for a few hours is you don't know whether it's gonna, somebody's gonna be able to turn it back on. But data manipulation that changes blood types in the military's database of its military personnel or changes financial transactions. Or was... You're not gonna give a target list here. All of these are sort of pretty well known and pretty well discussed. All of those things would be harder to find and thus harder to bring about a big military response than a cyber Pearl Harbor. I think the cyber Pearl Harbor gets reserved for big military operations. And the book describes one the US had planned for Iran called Nitro Zeus. Should we get into a full military conflict with Iran? This gentleman there, yeah.
One of the interesting things about cyber, and by the way, I enjoyed your book and you've made a number of excellent points, but I have an interest in stability and crisis dynamics. And one of the things that's interesting about cyber and space as well is that you can't exactly predict what the effects will be. If the people happen to change their operating system in two days before, it may be totally ineffective or it may be a lot more connected than you realize and causing a lot more damage. And the problem is in a crisis, if you're using some of that or the bad guy is using it, whoever the bad guy is, the other party is gonna say, they intended to do that. When the reality is, and if they say, well I didn't mean for it to do that much, well that's not gonna go very far because the other guy is gonna think that they intended to do exactly what they did. Does that, in your mind, does that make it a more destabilizing situation or knowing that that is possible, would it make countries more reluctant to use more powerful cyber weapons precisely because it's not a finely tailored effect?
Very good question.
I think the net effect is likely to be more destabilizing than stabilizing. There may be other cases. We don't think the North Koreans were intending for WannaCry to shut down the British healthcare system, but instead it turned out the British healthcare system used a lot of XP, Windows XP machines, operating system that's been outdated so long, you know. A lot of it is intact. But unlike many others, had actually paid for them. I mean, they bought, they actually bought the Windows. They bought Windows, but Microsoft doesn't update it that much anymore. In the NotPetya case, the Russians clearly intended to go shut down a lot of Ukraine's systems because they went in through an accounting system that an electronic accounting system that's used in Ukraine a lot. But I'm not sure they really expected that to go right down and turn off a lot of Russian networks as well, which- Or hit Maersk the way it did. Or hit Maersk, which was the big shipper. I don't think they lost any sleep over the fact that it hit Maersk, but I'm not sure they intended it. So you're absolutely right. And I raised this question in the book in the section that discusses the American attacks on the North Korean missile program. So I don't think anybody really thought if we attack the North Korean missile program, the North Koreans are gonna come back after our nuclear arsenal. But I bet we would be more hesitant to do the same thing to the Chinese or the Russians. Exactly because of the unpredictability about how destabilizing it might be. Let's get to the last two questions. Yes, here. And then keep it brief, please, so we can-
What do you think is the most consequential part of the recently articulated national cyber strategy? And do you think that policy adequately addresses the current cyber threat to the United States?
The public part of the cyber strategy read to me a lot like cyber strategies that were turned out by the Bush and Obama administrations.
There were some changes in it, some omissions and all that, but fundamentally in the discussion about having to defend private networks, get public-private partnerships, and all that, I was pretty familiar. The classified presidential order I referred to before sounds to me like it differs significantly from the Obama era one, sometimes in some good ways so you could argue that the Obama era orders got too many ideas involved. But that's where I think the bigger differences may be and you can debate how worrisome they are or not. We had an op-ed that appeared in the Times yesterday from an associate professor up I think in Rochester who made the argument, I was entirely persuaded of this, that it was a bad approach for the Trump administration to take until we actually see or hear some more about what that strategy would do. I'm not sure we're ready to make that judgment. How dare you ignore the fantastic column that Kate Charlotte had made on how to assist. That was actually. Being in national cyber systems. That was a big omission on my part. Kate, my apologies. If I was going to ignore anybody's writing on this, it wouldn't be yours, it would be Ellie's. Okay, thank you. Please.
Good to see you again, David. My question is in terms of longer term counterintelligence capabilities of the US vis-a-vis cyber warfare, how do you see the longer term trends? Because I think the challenge today in the next 10, 15 years is going to be disrupted even more with AI. And so how do you train the next cadre of really good CI officers?
Very good question. So in the other questions we've had today, we've had little elements of the counterintelligence problem here. Supply chain, that's one big part. The fact that as was clear in the indictments issued today and in previous indictments, you don't need to have agents in the country anymore to go do your counterintelligence work.
I mean, a lot of these were operating from an office just off of Red Square and they do their work and go out and get dinner. So that makes it more difficult. In the parking space at the chemical weapons organization. That's right, that's right. They were actually in the parking lot of the Marriott Hotel across the street. Just better than having them in the bar at the Marriott Hotel, but maybe if they'd been to the bar they wouldn't have been arrested by the Dutch that quickly. Then you raise the next question, which is, does artificial intelligence, quantum computing, increased encryption capability make this a vastly harder problem to solve in the future? And I think it does. If we have similar quantum computing and AI capabilities, we'll just be in another form of the arms race. And that's why we need some of the kind of norms that Ellie and Kate and others here have been working on because if you don't have that, you're just off to sort of an endless whack-a-mole effort here to stop one effort and somebody comes back and comes back with a more ingenious one.
Well, please join me in thanking David for sharing his stories with him. Thank you very much.