 Good morning, everybody. Good morning. Thanks. All right. It's 9 o'clock in the morning, and you are here to discuss cyber war, which suggests to me great intellectual curiosity, or perhaps you didn't get to sleep last night. It's quite possible that if this panel goes the way I think it will, you may have trouble sleeping tonight. Because we're going to talk about some issues that loom large, and have been in the headlines a lot in the past year, and that the only thing that we really know about this subject is that it will change extremely rapidly over every month and year ahead of us. We've got a great group of people here to talk about these issues, and I will introduce them as we go around and talk about this. There's some fancy WEF technology we've got here. You just need your phone to do this. They want to take a poll of all of you. Has the first cyber war already begun? What you do is you go up to the link that you see up there, www.wef.ch slash vote, and then you can answer yes or no. And then at the end, all of you who answered no will stand in that corner over there. Oh, man. Because you're not paying attention. Anyway, I chaired this panel last year, and we had a great discussion about cyber war. And almost none of what we discussed about cyber war is what dominated the cyber war headlines in 2016. And that tells you a lot about the nature of what we're talking about. Tom Donlon, you are not only one of America's best national security advisors, but you were kind of sort of the first national security advisor of the cyber war era. You accepted it. Prior to you, there was a long tradition among national security advisors of not using email. So we were making a big leap in the United States government there. But I'd like to talk a little bit about how the last year looks to you. And if you could start, I don't want to direct you, but if you could start, one of the things that's, I think, essential to this discussion is, what do we mean by cyber war? Because when we discussed it last year, we're talking about hacking, denial of services, these kind of things. And much of the cyber warfare of the past year, or what we focused on, were things like information warfare, using technological tools to influence social media and political discussions in a country. And the first question is, is that part of cyber war? And is this definition evolving? And how do you view 2016 in the evolution of that definition? Thanks, David. So I think what 2016 was was a preview of things to come. During the course of the year, and the things you talked about last year are also quite current and valid and will be in the future, cyber will be part of any war-making plans that a government has going forward. You have a whole range of attack vectors, ranging from nation-state activities from espionage all the way through the kinds of things, information warfare, which I'll talk about in just a second, criminality through insiders. And that all will be the playing field. What we saw the last year, though, of course, most notably has been the blurring, if you will, of the line between war and peace, or being at war formally and not being at war formally during the course of the last year. And the most visible of the most celebrated, I guess, example of this has been the Russian comprehensive effort to affect the US elections in the United States. And that, again, though, I think is an example of what we've seen in terms of doctrine moving forward here, which is to compete in these gray zones between war and not being at war. And what we saw in the United States was a comprehensive effort by the Russian government to try to affect the election. What, of course, is notable about a number of things, including the fact that it was a nation-state moving beyond espionage. I mean, we have nation-states will have and will continue to spy on each other and to steal secrets. What this was, though, was stealing the secret and then releasing it strategically to have a desired effect. And this, we saw previews of this, by the way. Over the last 10 years, we saw previews in the hybrid war operation in Crimea. We saw it in operations in eastern Ukraine. And we saw it really beginning in kind of in Estonia, in Georgia in 2007 and 2008. Again, part of a comprehensive effort to have a set of effects that are enabled by technology here. And there's a lot of different aspects to it, which allows you to get into this gray zone. It is covert. Attribution is hard. It's done without kind of physically crossing some border. But I think it's a preview of things to come, frankly, and kind of a blurring this line. And the Russian government denies it, by the way. Well, then it's probably not true. Well, of course, that's demonstrably not true, the Russian government has engaged in its activity. And I think it's the last thing I'll say about it. It's really is a, you know, it's one of the enabling techniques in information warfare. And we saw a comprehensive effort in the United States. And I think we'll see it going forward. And I will say this last point on this, is that Europe has a year of elections in 2017, a very significant year of elections. And this is, I think, a preview of the kind of threat that Europe needs to be very aware of going forward. And there's already signs that it's happening in some of the discussions in Germany and in elsewhere. By the way, as we were coming up here, Moises noted that we're all Americans here, to which my response was, as far as we know. You know, with the sophistication of Russian espionage, I'm not even sure where I'm from. But there's a reason we're all Americans here, I think. And that is that this has been an area where the US has led. And it's led, Tom, because of the private sector. This is an area, I mean, although the NSA is the leading organization of its kind in this, this is a form of warfare that has actually been cultivated as much outside of government as inside of government. That's something new, isn't it? Well, it really is. The engineering really came out of the private sector. And when you take a look at the way the taxonomy, Tom, put together of how the different ways you look at this, you have hackers or hacktivists, that's one category, and they use a certain number of techniques. You have plain, simple cyber espionage. We've known about that, and it's been working for a long time. There's a set of techniques there. The place where it's really accelerated with a lot of the techniques that were built to defend the private sector is when you get into hacking for money. And about, you say 15 to 20% of global GDP is being lost in this whole notion of hacking for money. And then there's the one that I think is the most dangerous, and Tom would be an expert. I don't wanna push you on this, but who is they, when you say they say 15% of global GDP is being lost? That came from a report that I read from Oppenheimer that just released a 36 page report on comprehensive view into how security is being done today and how it needs to be done in the future, and they use that as a stat to try to justify a different way of thinking about cyber warfare. And then the last is nation states. So the private sector has been defense, defense, defense, but using the same techniques that you do for defense to cause harm, it's a similar technology. So the more technology we build to defend, they take that technology, repurpose it to attack. And I think that the private sector and public sector coming together will have the best opportunity to make the threat vectors go away. So Shirley, one of the things that I hear in this is that among our biggest initial challenges are vocabulary challenges. How do we define this? I'm talking about hybrid war and gray areas. I think that's a really important point. If there's something you're gonna take away from this, that's one of the first ones to walk away with, is people are testing the limits of gray areas in cyber, in hybrid war, in international law generally. Frankly, one might argue in some domestic areas in the United States as well, they're trying to see where enforcement actually starts. The absence of new norms creates an opportunity, where the lack of international laws application creates opportunity, where the lack of doctrine on the part of countries in terms of enforcement response creates opportunities, and where the lack of political will creates opportunities. And we've seen this take some interesting forms. So for example, when the Sony hack occurred, President Obama sort of seemed to be struggling for the right words. And he referred to the hack as vandalism. And some people said, well, he's doing that because if he calls it a military attack, which he would if North Korean guys came in a little boat and blew up some computers in a building in Los Angeles, he would have had to respond that way. And by referring to it vandalism, it gave him more options. How do we, you've advised governments on this? How do we tackle that? Well, I think we're comfortable or more comfortable if an attack is a kinetic attack, if it causes some physical effect. And of course, if there's the additional quote unquote collateral damage of people physically being armed, then governments feel more comfortable in responding. So a big question becomes, what is disablement? Because that's what kinetic attacks do. And what does it do to the welfare of the population? And so I believe that actually there's going to be a need on a domestic front to think about how much translation there can be from what we use with respect to response to kinetic attacks to say, what is disablement? And then on an international basis, it took a long time to get the UN Convention on the Law of the Sea, took three UN conferences. And finally in 82, the convention was, completed, but it didn't come into effect for another 12 years. But when you think about some of what it tried to do in terms of the use of the oceans for commerce, then I think as we look at cyber space, we're gonna have to think about some of those sorts of things. But let me make one last comment. The thing we haven't talked about, but I know it's something that Tom knows quite a bit about, and that is the whole question of networked infrastructure. Because you mentioned the Sony attack. And in fact, there was disablement of Sony's actual computer capability that came through the attack. There were actually machines that were destroyed. And so that's correct. And so you could argue that that crossed the line into its own kind of a kinetic attack. And so I'm not saying it's easy, but I think there are lessons that we can learn. And so much of our critical infrastructure in the cyberspace does rest in private hands. And so when you talk about hybrid war and gray zones, to me one of the greatest emergent gray zones is how shall governments respond when there are attacks on critical infrastructure that could really cause disablement. And with that disablement affect people when that infrastructure's in private hands. Okay, so one of the things that I'd like to do here is I'd like to have a discussion about the changing nature of threats. And then I'd like to follow up on your point and have a bit of a discussion about what is effective deterrence. Because absent deterrence, there's no sort of effective way of protecting people. But my sense is we look at- I'll add one concept to your list if we go forward up here, which is also resilience. Because these attacks are going to happen, right? And part of them, one of the most important aspects of deterrence will be resilience. Right, so okay, but I think that's an important point. We should come work that in. But my sense, one of the challenges we face is addressing these attacks, particularly in these gray areas, in the context of a liberal democracy. So how do we struggle with that? So on 9-11, an al-Qaeda taught us to talk about asymmetric war. WikiLeaks and the Kremlin have been teaching us about asymmetric cyber war. Al-Qaeda's attacks were, as you said, kinetic. They had physical consequences and damages. And cyber attacks of many kinds are having political consequences, for example. And if you take that perspective, an asymmetric war is war between belligerents that have very different capabilities or use very different strategies and where the traditional definitions of resources and power change. So we said here, and I agree, that the United States, that the one of the reason why the US is so represented in this session is because the United States has been leading thanks to the private sector and technology and all that. But it's clear that it's also lagging in terms of doctrine and strategy and foreign policy and other and defense policy on what to do with this. So it's leading technologically, but it's lagging in terms of policy responses. And that is not just the United States. I think that liberal democracies are at a disadvantage in cyber wars. I think autocracies and dictators have more capabilities, not technological, but institutional and political and the frameworks that they use. It is very interesting how, if you look at the list of the victims of cyber attacks that are political, they're mostly in liberal democracies. Wouldn't we have liked WikiLeaks to leak some of the emails that come out of the Kremlin? Wouldn't we have liked to know more about the cyber communications of the Chinese Communist Party or the Iranians? But note that all of what we have gotten is information about either political leaders or political organizations and governments that are liberal democracies. That is a challenge and I don't know that that challenge has a technological fix. I think it requires new thinking, as you say. We don't even have words to describe exactly what is going on or how to react. And as you say, Tom, we have this hybrid thing, which is both kinetic and traditional and new. And as you said, it changes every 15 minutes. The threats, the capabilities, the victims, the protagonists, the belligerents change. But the essence, what has not changed is the symmetry in which liberal democracies are at a disadvantage. I mean, that hasn't changed in many respects, although clearly WikiLeaks is working for somebody and it's no accident that WikiLeaks is not leaking on the people who pay their bills, right? But we also are seeing an evolution where countries like the United States are developing a massive capability in this regard. And where cyber warfare, the line between, we're talking here about the line between kinetic and cyber. But we're not talking about what I think may be an equally important line, which is the line between cyber and automated warfare. Because we're moving forward towards a period in which robot armies and drone swarms and other technologies that are animated by artificial intelligence or smart systems are fighting wars on the part of the very big nations, often against smaller nations and smaller adversaries. And so even what Roy says is true up until this point, but that's evolving. Now you are a national security advisor. We have a new national security advisor coming in who you know very well. If you would like to characterize him, we would all be welcome. You don't welcome your characterization. But you know this guy very well and he knows this stuff pretty well. If you were talking, have you talked to him? We briefed the staff on it. We did a report for President Obama, which is essentially a transition report for the last eight months on cyber security. Okay, so if you're enumerating, what you see as the top threats, what would you tell him? Okay, well a couple of things. One, you talked about the line between cyber and kinetic. I don't like the direction that this is going in though, because we're moving towards cyber being a kinetic effect as well. You go from spying to cyber-enabled theft of intellectual property, which is a huge problem of time that we've been addressing, to disruption, to information warfare, to destruction. Because you're right, the Sony attack was a disrupt. Well so was the Stuxnet attack and so was the Siemens attack. So I don't know if that line is not, I don't think that line, that line has been blurred, I think, and we're moving, I don't like the direction, frankly, that that's moving in. On the advice side, we have some doctrinal deficits that Moises points out. The DNI, Jim Clapper, who's been the director of national intelligence in the United States for a number of years now, for the last three or four years, when he goes up to the hill, David, as you know, he gives a global threat report every winter. And he, for the last three or four years, has put cyber security as the number one threat to the United States. And that may surprise people, given we have a lot of threats and we have a lot of challenges in the world. But the first point I would make is that the resources and mind share and attention, although it's increased pretty dramatically over the last decade, is not anywhere near that we put into counter-terrorism, homeland security and things like that. We're really uneven. And of course this has been made very clear in some of the attacks, right, successful attacks on United States government information, right? And most, you know, a good example of that is the Office of Personnel Management with 20-something million files were stolen. And so the next point would be that we need to do a lot more to harden our defenses and we can do a lot more to do this. It really is, it really is. You know, there are a number of things that can be done which can have a lot of positive effects, both in the technological side and in the management side, including doing a better job on authentication identity management. We have a much better job on conduct, right, by individuals and organizations. There's a number of things to be done that are... But we're skipping ahead here a bit and I know you want to respond in this regard, but I'd like to just give everybody a clearer sense of the threats that they need to deal with and whether it's, you know, hacking, asymmetric hacking. I mean, I know when you went out and talked to the Chinese and you said, let's work on this issue. You zeroed in on government attacks against private sector as an area, but there were four, right, but there were four sort of major areas that you were talking about. And I just, I think it'll be helpful for everybody here to understand that taxonomy. Yeah, I think, well, I'll just do it very quickly. One, obviously we have increased nation state threats along a whole range of dimensions that we've talked about here. And we've seen, and I think we're gonna see going forward here, cyber's part of this kind of overall information warfare, hybrid warfare thing. And so that's, you know, the National Security Advisor, you are thinking very hard about nation state threats. We continue to have threats through, and there are some groups that are mixes of kind of supported by government, but if a gang, if you will, kind of cyber gang operations, you know, the Russian, in Russia, for example, some of the private sector, if you will, a hacktivist, have capabilities as good as most nation states, right? And that, I think, isn't a growing threat. And third would be our critical infrastructure and threats both from nation states, but also from people who want to disrupt things. And you have that economic threat from criminals and others who disrupt for profit. So just, this is our threat round here. So I just wanna go around and talk a little bit about what you see as perceived threats. Are there areas that Tom has not enumerated that you see as being of concern? To be provocative, I would throw the notion of what would happen from a threat perspective. If you take a look at the capability of a lot of private sectors, they understand cybersecurity as well as many nation states. What would happen if you had an employee that detected a hack, understood the nation state that did it, and on their own accord, attacked back? That's unprecedented. But it's not a zero probability that could happen. What would be the thinking, you know, if you're running a company, you wanna protect your company, but you also have to protect the behavior of your company. It'd be highly ill-advised. But it's not, it's not. You don't know who's on the other end of the attack. All right, and you may get yourself in a very difficult position. But it's not a zero probability that could happen. And I think this gets into one of the problems of cyber, which is threats come from the private sector and they come from the public sector. They come, therefore, from literally thousands and thousands or millions of potential sources against thousands and thousands of millions of potential sources, I mean targets. And each of those targets has the potential to react in a different way, in accordance or not in accordance with the law, in accordance or not in accordance with public policy, but with potential consequences for the country of law. So I think we're trying to separate things that are not so easily separable. Now I'm gonna come at it a little bit more from the technological side. You know, we talk about cyber and then we sort of talk about the internet of things and then we kind of talk about autonomous entities as if these fall into three separable buckets. And in the end, if you're really talking cyber, you're really saying there are three sorts of things that play off of each other. And they actually are represented by the fourth industrial revolution that we've been talking about here. And they are these. What is, from my perspective, cyber, it means you have something that is algorithmically driven. Somebody's written some software and it can cause certain things to happen. You also have connectivity. So that connectivity allows hacking. That connectivity allows the invasion of, the use of, the destruction of connected things. And then you have a kind of intelligence that can be embedded into networks and into things. And, but again, even that intelligence is algorithmically driven. And so we shouldn't think that these things are so easily separable because those tell you the avenues of threat. And so then the question is, who are the threat initiators? But they tell you the avenues of threat. And so when you wanna think about where the threats are, you better think about the architecture of how we live. Because if we don't, then there are no effective responses. I think this is a vitally important point. And it gets us into an area that you don't normally get into in a conversation like this. But we are within 10 years of what you might call the internet singularity. The tipping point in the history of the planet when for the first time in the history of humanity, every human being will be connected in a man-made system for the first time. Because everybody effectively will have access to a smartphone. And that has massive benefits. It also means everybody is vulnerable to everybody else in some material ways. We also have as a result of that some changes that you've indicated and the internet of things raises this too. Because not only is the internet of things contained smart, but it's producing data all the time. And we are moving to a database economy where the fundamental units of economic value are bits and bytes that are moving around in this system. And we don't even have a philosophical framework with which to deal with that. And if you combine the lack of a philosophical framework with the lack of a taxonomy, with the lack of a generation of leaders who understand this, we've got a problem, right? So think about this question. What are the most disruptive and transformational weapons of the 21st century so far? What are the new weapons that have transformed war and warfare in this century? First is improvised explosive devices. They were a major factor in Iraq and Afghanistan, right? Second is drones, but they glorified landmines. Glorified landmines, but surely, they're all technologies, but surely were the most important transformational. The most deadly. And more deadly, the most casualties. There's no doubt that improvised explosive devices were important. And the barrier to entry to build one is negligible. And that's where I'm going. The second one is drones, right? 21st century is drones, IEDs are drones. And the third is cyber. What do they have in common, these three? That for the first in history, the big transformational weapons systems were always under the control of the state. The military controlled the most important weapons of the time. Now they are under the state, but anyone here, any of us here or in the world can build a drone, build an IED, combine a drone with an IED and do some cyber. And as you said, and as the director of national intelligence has confirmed, there are individuals and actors that have more potent capabilities in cyber than nation states. If you put all this together with what you just said about the internet of things and about the number of gadgets and systems and individuals that are going to be connected, what you have is a story where nation states are just trying to find doctrines, reactions and ideas, but are very, very impaired in catching up with the velocity, the complexity and the novelty of all these things. And if you then add Leon Panetta, and you know he was Secretary of Defense, he worked at the White House, I think, with you, he famously said that we, at some point, the United States was going to have a cyber, a cybernetic, a cyber per harbor or something like that. A cyber. A cyber per harbor. A cyber per harbor. Well, the United States just had a politically cyber per harbor, right? And then it is possible that when the Japanese attacked per harbor, there was immediate retaliation and there were immediate costs and there were immediate consequences. Maybe we're watching a situation here in which the United States is attacked successfully by arrival and there are no retaliation. There are no consequences, even though the President Obama and others have said that there are some overtly and covertly, overt and covert reactions to what the Kremlin has done, we may be seeing a political cyber per harbor that does not create the kind of retaliation that the other one. Look, this is a vitally important point and it's a hard one to get into at nine o'clock in the morning. But it's a harder one to get into at nine o'clock this morning and I'm gonna say something and it's not political. I'm gonna make a bunch of factual statements here. The man who today will be sworn in as President of the United States won the election by a very, very narrow margin in three states totaling less than 100,000 votes. There were a number of issues that swung the election but among those issues were debate about the security of Hillary Clinton's emails, the consequences of Russian hacks into the behavior of her and the Democratic National Committee and the debate surrounding the legal action stricken by this and so on. In other words, this election was the first in American history that turned in material degree on cyber related issues and given the narrowness of the election, it's impossible to discount the possibility that those things changed the outcome of the election. And you can come at this from any political point of view. What you can't do is say that there is a zero possibility that this cyber stuff tipped the balance and what you have to do is say there's actually quite a high possibility that they did tip the balance and that the man who will be sworn in as President of the richest, most powerful country in the world will be sworn in in part because of cyber actions against the United States and cyber related issues. That's a watershed in history. That is a cyber pearl harbor to some degree. Is it not, Tom? Well, again, it's not possible to know exactly all the factors that led to an election outcome. That's not really a problem. It's not possible to know, but it's possible to know that they played a role and that they were material. Yeah, well, we don't know the latter, you just don't know, but the intelligence committee has said that in fact they, and they put out a public report indicating that the Russians in a comprehensive way tried to interfere with the election, but they have not done any analysis on the effect on the outcome. Somebody has to do that. Everybody's afraid of that analysis, but I would just argue each of you has to do some analysis and ask yourself what was the potential consequence of this? Could it have swung 100,000 votes? Do you think it may have, et cetera? Yeah, but what is clear is that it was an effort by a nation state to effect an election, and that requires thinking very hard about the response, and it requires a very hard thing, as I said earlier today, particularly in Europe, because those are the kind of, the election's kind of closest to us. Really thinking about how to deal with that in the whole electoral political context going forward. I want to just add on one thing that Shirley said though on the, and something you followed up on. You indicated we could be thinking about 10 years from now, right, to have this kind of massively interconnected world, interconnected individuals and institutions, right? The massive interconnection, Dave, is a lot closer, because the internet of things dynamic that Shirley referenced is moving at a really fast speed. Absolutely, and we could be going to billions of connected devices in a very short period of time. We are not ready for a security perspective for this, because the mandate, and this is your world, Mike, the mandate and the incentive in that world right now is get to market quickest, right? And with the least expense, right? It's classic kind of capitalist driven motivations, right? And security is not being designed at the front end, and this is a really big challenge. We saw it just recently, we saw this attack, and it can be weaponized, Dave. Well, right, and when you said we saw that. Hundreds of thousands of these devices, right, can be taken over and pointed to its targets. Is that a fair, well, it's a completely fair, a couple of that, culturally, as a programmer, we haven't taught ourselves to build security into the original design. We always build the functionality because it's cool and it's interesting and it's fun, and then we say, oh, we better protect this. We have to change the way we develop software where we build security right up front in the software at the beginning, and also marry that into a more hardened hardware and network infrastructure, and those are very, very difficult things to do because it's cultural. And by the way, I think you even understated because there's well over 20 billion devices on the internet right now, and the one estimate has by 2020, 50 billion devices. Each one of, some of which are embedded in critical infrastructure, some of which are embedded in your home, some of which you carry around every day. There's a lot of potential targets there. I want to go to you with one question and then I want to follow it up with you. One of the problems that I see is related to how the public sector picks up the baton that Moises is referring to here and responds to it. If you wanted to have a job like the job you had in the 60s or 70s in the United States, you had to speak nuclear. You had to understand what was going on. You had to know what a throw weight was. You had to understand the vulnerabilities of mobile systems versus submarine systems versus airborne systems, et cetera. You weren't taken seriously if you didn't. I spoke to Mike Hayden, another senior former intelligence official, and he said he used to go into the White House and brief people on this. And they would look at him like he was in the movie Rain Man. No one understood what he was saying. And I've talked to people at very, very senior levels in the United States government. And I say, how many people really get it who are at the policy level? Not in the bowels of the NSA, but at the policy level. And they'll say, a handful. Do we have a problem that the people who are in charge of security at national levels are not just constrained, as Moises said, philosophically, by liberal democracy. They just don't get it. I have a huge problem. We had a problem in the private sector as well. This was regarded as the IT person who was gonna handle that, right? And in fact, now we've made a lot of progress in the United States because it's now the responsibility, very clearly, of the CEO and the board and the same leadership. And the government, this is a huge problem. And it's not, our senior policy makers at this point have not gotten to the point where they are really technologically in cyber and literate in any depth at this point. One of the recommendations we made in our report, David, was long these lines was to have an assistant to the president for cybersecurity. Did you have in mind the mayor of New York who'd never done anything in cyber? Well, it was just a prank. And I actually, I would, all right, I'm gonna keep on pushing past, but the, trying not to take the bait, but that won't stop, they're gonna keep on trying. I'm gonna keep on. But I think I would go beyond that. If I were making a recommendation today to General Flynn, to have an assistant to the president for cybersecurity and technology policy, because it's broader than that. You know, Moises went through the technological things that are coming at us right now that affect national security. And a lot of this is also about having people who are expert in these areas and who can work with the private sector, right? So we have all manner of security issues that involve technology. But I think it involves full-time people devoted to justice with bandwidth and with expertise. And today that's rested with the senior director of the National Security Council and with the assistant to the president for Homeland Security. Now if you're the assistant for the president for Homeland Security and Counterterrorism, you are a busy person in the United States, right? And you are focused on protecting the country every single day from counterterrorism. And it's not physically possible, I don't think, to get that same person to be technically deep and have the bandwidth to handle the issues. So I agree with you. The last thing I'll say about this is accountability. So in the private sector, I think we've made progress because we've now made boards and CEOs accountable. And again, if I had the first cabinet meeting and we're staffing the president next week, one of the key things would be this. Mike, you're the secretary of actually, the secretary of state, right? You've got a lot of responsibilities, but you are responsible for cybersecurity and you're ready to say I'm gonna hold you responsible. It's not somewhere down in the bowels, right? The only way we'll make progress on this is to have a culture of accountability and focus at the top. Okay, so picking up on, oh, do you wanna say something? Just very briefly, I just want to bring the multilateral dimension. None of this can be done alone. No country can tackle this effectively alone. And this conversation has had two biases. It is US-centric and it's state-centric. And this has to be more than one country. And I already, and I think we all agreed that the arena here is not the public sector. The arena has already quickly shifted to individuals and to society. One, second, there is a dimension that is centered, has to be centered in nation states and governments, but be careful because they cannot do it alone. That person that you are appointing will immediately have to work with other countries, which adds another layer of complexity because there's nothing more ineffective, boring, slow-moving bureaucratic than multilateral action. Okay, so this is exactly where I was gonna go with this. And I want to turn to you and I will turn to you. But this creates a need for public, private and nation-state to multilateral collaboration in a way that no other previous threat has required. Most of the targets are private sector. Most of the expertise is in the private sector. Most of the security and defense is gonna have to be conducted by the private sector. Many of the attacks that take place because they're against the private sector are unknown to the governments and the governments can't respond to them. So do you think the private sector is rising to this challenge right now? We have to, part of it is what Tom said. Well, that's not what I asked. I think that there's clear room for improvement. I do believe that the private sector is much more aware of the impact that a cyber attack can happen on their infrastructure and we're very defensive. Not that we're protected, we are defensive. And there's no board of directors that is slowing down spending and on cyber defense techniques. The problem that we have is that it changes so quickly and all you need is that one identity that gets compromised. If you take a look at almost all of the hacks that we've seen in the private sector, it hasn't been a super sophisticated attack. It's been a attack where they find an individual who has root password and once you compromise that one machine, you infiltrate all of the others. There's things we can do to lessen the attack of that, but you cannot make it go away completely. But here's the problem. So I would answer your question this way. I think there's variability in the private sector depending upon where. I think the financial services industry is probably further progressed. I think when you... Well, let me challenge that. You can challenge it. I didn't say it was perfect. No, no. But I want to challenge it on a critical area that I was gonna follow up here. And that is part of it is coming up with a defense. Part of it is being willing to talk about it and to communicate with the government. And the financial sector is attacked all the time, is losing billions of dollars, and they don't want to talk about it. That's very true. We can't talk about it because we have shareholders and if we were to show that we've been compromised and there was a shareholder lawsuit against the board of directors or a management team that they did not take the appropriate duty of care in the United States, even if you did that, you're still going to get sued. We don't have a true safe harbor where we can share. And if we were able to do that, and to your point, if we just did that in the United States, it wouldn't matter. We have to do it unilaterally. So if we had this multilaterally, if we had this concept of a safe harbor, and even if it was anonymous, I got hacked, I'm gonna tell you exactly how it got hacked, but I'm not gonna tell you who I am, and gave it to a trusted third party, and so that everybody that belonged to it could go see how that happened, and you could go defend yourself immediately. And this gets into what you brought up as the concept of machine learning. Whoever has the most amount of data is going to win, and to the extent that you can make it harder that the novel technique that you use to go hack one company has become irrelevant 24 hours after it was found, that's very, very powerful. I didn't mean to interrupt you. No, it's okay, because I actually think that I'd like to see the whole conversation shift, because everything is about a moot kind of approach. Let's keep the bad guys out. Let's keep the malware out. Now all of us are sitting in this room, and you have, you know, bacteria galore. Thank you. Thank you. Thank you. All of us have our own little microbiomes. Well, what keeps us from getting sick? What keeps us from getting sick is that we have an immunity that builds up because of exposure. And so I think the whole way defenses are organized, and we need to think about this, has to do with response, almost like an immune response. I think it's very data dependent. But I also think it rests at a deeper level with how systems are developed, connected, and how data is architected to start with. Now this is to, like you said, everybody's eyes glaze over every time you start to talk about something that sounds technological. But the big message is, stop trying to think that the moot is gonna help you in cyberspace. It's a really important insight, and a really important way of looking at it. But you know, we break it down, and there's a technological component to what you're saying. Correct. There's also a legal component to what you're saying, because you know, when your body responds to an attack, there's communication among the parts of your body. Correct. Right, and so if you can't communicate up the chain, if you can't share the knowledge, if you can't build a collective immunity to somebody you can do it, and then there's philosophical and legal issues that are associated with this, and that's what makes it so complicated. But take it back to your point. Take it to the multilateral stage. What do you see as the challenges in getting there? Because it's really an area where everybody says, this is a big problem, and we haven't made much progress multilaterally. We need a coalition of democracies that can work together. It's very, very clear that we are going to see a clash between cyber spaces now fully weaponized. It's full of instruments that can do a lot of damage to individual organizations and systems. So, and it's very clear that dictators will have much more options and possibilities than democracy. So, it's very important to create a club of democracies that is more able to create the sort of antibodies, the sort of resilience, the sort of doctrines and technologies that allow them to do this. And you need to have conventions that people can operate on, right? And it's hard to do in cyberspace, but it must be done. But you can't go there. The most important point, you're not going to get everybody because there are really strong differences, right? With respect to between the democracies, frankly, in the world and other major players in the world. I said I'd say three things. Number one, information sharing, we can do a much better job in this in real time. The goal should be that the same attack doesn't get to take place twice, right? And I think we can make a lot of progress. And indeed, you referenced the group that the president elect, soon to be the president put together under Mayor Giuliani. That's an important, potentially an important thing. We recommend it to have an equivalent to the Intelligence Advisory Board, to have a Cyber Advisory Board, where you have a kind of a constant communication about these kinds of issues, so Mike's raising. But how do we do better? On the international side. We can separate. Right, yeah, let's fair. Well, okay, let me talk about that. But on the international side, norm setting is a really powerful thing, right? And we learned that through our experience in the non-proliferation area, I think they would do a referencing earlier. It is a really powerful thing, and it shouldn't be dismissed, but we're gonna have to do it with like-minded nations because there are nations out there who act in the cyberspace, but we're not like-minded, right? And we started an example of that with the Russians during the campaign. And to add up another layer of complexity is what you said at the beginning. We don't know who we are anymore. You don't know if you're a Russian agent. Exactly. I can get back to you on that. When... I don't know, but Tom does. He knows. But my point is that like, you know, I use the word like, you know, a coalition of democracies, you of like-minded. Well, we may enter an era in which it's very hard to recognize a democracy because there may be a lot of democracies or a lot of autocracies masquerading as democracies. Well, it's also, it's not a foregone conclusion. I think there was a view in the United States, I think there still is a view in the United States, that we invented the internet, Al Gore did it personally, but we invented the internet and we have more internet companies, we have more capacity, and therefore we're gonna set the rules for the internet. And the reality is we may not set the rules for the internet. And you know, the great firewall of China may seem like a odious and disconnected idea from our values, but it's not that the idea that a nation state controls the internet domain within its borders, however it may define that, while not the US idea really is catching on. It's not just China or Russia or Iran that believes this. Countries like India and Saudi Arabia and Brazil have all taken actions at one point or another that says we have a different view of internet sovereignty and internet sovereignty is a big component of this issue and how we deal with security is a big component of this issue. There is no clear emerging global consensus on the rules of the road here. And you know, I have to say I'm a little, you know, you're not rising to break, but you know, I have to say I'm a little concerned that the United States of America is not gonna lead that process for the foreseeable future if the incoming president actually encouraged a foreign government to hack his opponent. Well, we need to, but we need to lead this process because I think there are actually things that you could get like-minded countries do agree on, right? Because these are, for the most part, countries that are increasingly reliant on the internet for commercial and personal and governmental functions, right, and moving even towards further reliance, right? And so there should be a number of kind of rules of the road, things that should be allowed, not allowed, that would be in the joint interest of countries that are increasingly reliant on the internet. And I think there's actually a lot of this, but it won't happen if the United States doesn't lead it. We're never gonna happen. I agree with him, and that's why I brought up early on to look at things like the UN Convention on the Law of the Sea. Countries protect their internal territorial waters. They protect territorial waters within some proximity of their coastlines. These are very difficult things, but they do have to do with being able to use the waters of the world for commerce, for the free flow of goods. Everybody doesn't agree, but a convention exists. And so I think, you know, you need the coalition of the like-minded, but you've gotta develop norms and conventions. I'll get everybody out. Obviously there are countries that don't know who'll regard the internet as something to be policed by the state, and to be used in an offensive way, right, to pursue their national interests, but there's a... And there's more than one net in that. Well, but it goes back to, you know, it goes back to, Moises and I were out at dinner the other night, experts and pundits talking about the world, and you talked about the vital importance of experts, and the reason that people attack experts. But, you know, this populist wave has had other consequences. You know, it sort of suggested that globalization is a threat to people. But this is an example where the populist impulse against globalization actually exacerbates a threat dramatically, because there is a global commons whether they want it or not, and the threats come from that. And I just maybe want to talk about that a little bit. No, I don't know what to say about that, so ask me another question. You know, I have to say that is a great breakthrough moment in the history of discussing panels here at Davos. Though only the wisest people say I don't know the answer, so give him credit for that. But populism is a threat to things where there are global, I mean, some nationalism, anti-globalism, is a threat to things where you require global solutions. No doubt, right, and our best partners on this have been the Europeans, right, for the last more than half a century. And absolutely important to keep a sense of solidarity and cooperative spirit and to protect the institutions. And, you know, it's not the topic of this panel, it's been the topic of a number of panels, obviously during the course of this week here, but there are real threats to these institutions right now. And it is- They're not traditional threats. Yeah, and it should cause, obviously, a reflection on the benefits of three quarters of a century of these institutions to the West, right? And the tight focus on preserving them. Well, and I think that's really important, because, you know, in the context of this room, each one of you may be listening to this in a professional light. How does this affect my business or how does this affect my government? But it affects each one of you. There is nobody in this room who has not been impacted by the consequences of cyber attacks, whether it's changing the security on your phone or having been hacked or having your company been hacked or having an election that affects the future of your country be hacked or having the consequences of that election actually threaten something as fundamental as the Atlantic Alliance or the global system. And one of the things that we recognize here is that in order to address this very, very personal threat requires global collaboration, asking the right questions, starting at the philosophical root of those questions, asking what kind of a global society we wanna be in this new era, moving forward to what are the rules of the road, then figuring out how to implement those and how to develop the political will and the political mechanisms to do it, the public-private capacity to collaborate as never before, the multilateral capacity to collaborate as never before. In other words, you know, look at the poll that you took. 96% of you said the First Cyber War has already begun. 4% of you are ornery or hit the wrong button. Okay, but the reality of this is that we are in this era, it is changing your lives, it is immensely complex to address, it is not peripheral, and it is great that people like each one of these folks on this panel are addressing them. Hopefully next year we can have a panel that's got more nationalities represented on it and approaches it more as a global problem because it is a global problem and more truly as a public-private problem. But these discussions are necessary, smart people like these are necessary, please join me in thanking. Oh my gosh, I just did a five minute wrap up that was building to a crescendo. Why don't I take it from the global to the micro? Yeah. 10 seconds on this? Yes. Every individual has a responsibility in the cybersecurity area because it's a cliche, but it's true that the system is only as strong as the weakest link and anyone who doesn't by the end of this weekend have dual factor authentication on their phones is really asking for it. Okay, so I was trying to have a uplifting emotional moment. Tom in his great fashion is offering you a practical tip that is probably more useful than what I was saying. Thank Tom, thank Moises, thanks everybody. Thank you.