Good afternoon. I'm Peter Bergen. I welcome you to the New America Foundation on this not very nice day. Thank you for coming out. I run the fellows program here. It's my pleasure to introduce my friend and our colleague Shane Harris, who's been a fellow at New America for quite some time, and during the fellowship he wrote this brilliant book, @War: The Rise of the Military-Internet Complex, which I think is going to be really the definitive book for both the lay audience and an expert audience about cyber warfare. Shane has been a senior writer at Foreign Policy for quite some time. He's just moved over to the Daily Beast. He had another book, The Watchers, which was also very well reviewed. So he's going to talk about some of the big themes and stories in his book and then we'll open it up to a question and answer.

Okay. Thank you all for coming. It is a mucky day out there, so I'm glad you're inside and hopefully you're comfortable and cozy. Let me start just by saying, by the way, thank you very much to New America. As Peter said, I've been a fellow here for a while now, and this was the project that brought me here, and it's just been a tremendous community of fellow fellows and people not only in the national security space but doing all sorts of other tremendous work, which has been really stimulating and gratifying. So this was a great sort of a second home for me as I was doing the research in writing the book. So thank you all.

So basically this story, and it is a story, the book is very much written in narrative fashion, which I think tends to be the better way of communicating complex and abstract ideas than trying to write a tech book, is really about how cybersecurity became the central kind of preoccupation and the big priority right now for national security in the United States.
And what I mean by cybersecurity is we're talking about defending computer systems and computer networks, both from people who are trying to steal information from our government or military and intelligence agencies but also American corporations, trying to defend the critical infrastructure that is attached and run to our networks and run increasingly on the internet, including pieces of our power grid, our utilities, our financial sector, our air traffic control system, transportation, communication systems, health care increasingly is becoming that work. But also how the military and the intelligence community in this country, in cooperation with large companies in the tech sector, are turning to offensive operations in cyberspace: how are we doing many of the things to other countries and groups that we fear are being done to us. And it's kind of that alliance between these military and intelligence agencies and the tech sector, to include your ISPs, your telecom companies and even some big marquee companies, commercial technology companies, that I call the military-internet complex.

Just to give you some sort of perspective how Washington sees the cyber threat right now, the landscape of threats out there, to include hackers in China, Russia, state-sponsored, North Korea, Iran, which has been up in the news again as of this morning for launching another malware attack in the US: cyber security and cyber threats have topped the intelligence community's list of global threats for the past two years. This is an annual report that all the intelligence agencies put out saying basically, what are the things that are keeping us up at night? For the past two years cyber's been at the top. Jim Comey, who's the new FBI director and was previously deputy attorney general, has said the risk of cyber attacks and a rise in cyber-related crime, including espionage and financial fraud, will be the most significant national security threat over the next decade. We've been living in a decade of terrorism as
being the big threat, and now cyber seems to be sort of, you know, edging alongside of it, if not pushing it off the ledger a bit. So how do we get to this point where protecting computer networks has become sort of a central focus and a top priority for our national security policymakers, including up to the president himself?

I'll kind of tell a story about where this all begins, and it's what kind of sets off the book as well and gives you an insight into how this military-internet complex first emerged. This is in the summer of 2007, and the CEOs of the country's biggest defense contracting firms, your Raytheons, Lockheed Martins, Boeings, Northrop Grumman, are brought to a meeting at the Pentagon. They're not exactly sure why they're there, but if you're looking around a room of your competitors you probably think it's not good news that's brought you to the Pentagon on short notice. They are brought inside a secure facility known as a SCIF, which is built to be impervious to eavesdropping. If you watch Homeland or spy movies, this is the place where you have to drop your cell phone before you go in and shed all of your electronic gear. So they're taken inside this room and they're given what's billed as a threat briefing, and military officials show them how hackers, presumably spies in China working for the government, have penetrated the computer systems of these companies' networks and are stealing now information on the programs that they are working on for the Pentagon, and particularly in one called the Joint Strike Fighter, which is a next-generation stealth fighter jet. It's the single most expensive weapons program the Pentagon has ever managed. These spies are getting into the companies' networks, sort of making an end run around the military systems: rather than trying to break into the Pentagon or the armed forces directly, going to these companies, which, come to find out, were not very well protected. The CEOs are learning at this point for the first time just how weak their
network security is and what the tangible consequences of that are: this information is being stolen. As it was explained to, somebody who was at the meeting told me, a lot of these CEOs went in with dark hair and when they came out it had turned white. They were very, very nervous to find out how vulnerable they were, and of course realizing the repercussions of this could be that they potentially lose business. The Pentagon says to them basically: you have a security problem, therefore we have a security problem, and if we're going to continue working together you are going to make some changes.

And what emerges out of this is something that's called the Defense Industrial Base initiative, or the DIB for short, a little bureaucrat going to be like acronyms in Washington, but what this really is is a partnership whereby the Pentagon says: we are going to start providing you companies who are working for us with classified intelligence that we have been getting and gathering about hackers, about the people who are breaking into your networks, by the people who are threatening our networks, essentially giving you the fruits of espionage. We're going to hand it over to you so you can better protect your systems, and in return you are going to tell us what you are seeing on your many networks around the world. This is important because the government does not own computer networks in this country, at least not many of them. About 85 percent of our infrastructure that makes up the internet is privately owned, so the government absolutely needs corporations to help them, and you see this developing in microcosm right here, where these dozen or so companies, it's now about a hundred, enter into this information and intelligence sharing partnership with the government and the intelligence community for the purposes of protecting networks. That essential model that's born in 2007 now is sort of the way that the government works with private industry in this country to protect computer systems. Now
the NSA in principle gives threat information about hackers to internet service providers, you know, the telecommunications companies that are running the backbone of the internet, in the hopes that they will program that information into their filters and kind of protect people downstream. We know that the NSA has entered into a partnership, the contours of which are still secret, with Google, one of the biggest commercial technology companies in the world, and Google provides the NSA with information about threats that it's seeing against its networks. The government wants that because Google is effectively a big global sentry when you think about it, and Google might want the help of the NSA to find out who in China is trying to steal their intellectual property and their secrets and violate the security of their customers.

So this arrangement takes off really at the end of the Bush administration, or begins, I should say, at the end of the Bush administration, but it really starts to gain momentum during the beginning of the Obama administration. I think that's a really important understanding of how this pivots, because President Obama came in as really the most technologically savvy president that I think we have ever had. He had a BlackBerry. He had a BlackBerry, absolutely, and he starts, and he gets his, and he didn't want to give it up either, so the NSA built him a special one. And, you know, he gets his daily briefings on an iPad. I mean, he's a very tech-savvy president. Um, George Bush before him famously once said he used "the Google" to look at pictures of his ranch in Texas. Um, not to pick on him, but Bill Clinton reportedly sent one email in his entire time as president. Granted, the internet was still fairly new and people were using AOL and the like, but you have in Obama someone who comes in who gets technology. He is of technology. He is the internet president. Um, his campaign email was actually hacked, presumably by Chinese spies, while he was running for office, as was John
McCain's, by the way. So he comes in understanding that the internet is something that is vulnerable, that is being exploited by our adversaries, uh, and that also frankly is a place that we need to be operating in as well. Um, he adds a whole new dimension to the sort of, uh, the beginnings of the priorities that Bush gave to protecting our defense industrial base. Obama decides there needs to be a big national strategy for cyber security, and in May 2009 he gives a speech in the East Room of the White House, which is always a big event when it's in the East Room because that's where the really momentous policy speeches are. Uh, he stands up and he gives this extraordinary, uh, admission where he says that foreign organizations, he does not say who, have penetrated the computer systems that control the electrical power grid in the United States. Up until that point that had been largely rumor, and intelligence officials would talk to people like me and say these things very off the record. Uh, this was now the president of the United States getting up and saying yes, our electrical grid has to an extent been penetrated by hackers who could conceivably turn the lights off in major cities, uh, and send whole cities into darkness, in his words. Um, he says that the United States policy is going to be to work with the private sector, the owners of critical infrastructure, that they will collaborate with industry to find solutions that, quote, "ensure our security and promote prosperity." "The internet is a strategic national asset," Obama said, and we intend to protect it as such.

So here you have the president of the United States laying out the national policy of this thing we call cyberspace, this sort of abstraction, if you know, in a way, and putting real tangible definition on it, saying this is a place where we depend on, uh, our vital commercial systems to function properly, our critical infrastructure to function properly, and it is vulnerable and we are going to protect it. So Obama is
essentially defining cyberspace really how the military has come to look at it, I think, as well. The military now calls cyberspace the fifth domain of warfare, after air, land, sea and outer space, and views trying to achieve supremacy there as vital as it is in the other four.

Um, you can always sort of follow the money in Washington, I think, if you want to get an idea of where the priorities are being placed, and right now if you unpack the defense budget, looking at cyber security specifically, both the defensive end, you know, the offensive components too, you see where these priorities are. Just to give you a couple of data points: in 2014 the government planned to spend 13 billion dollars just on cyber defense programs and information sharing with private industry, the kind that I've been describing. That's 13 billion on cyber defense in 2014. In the same year there is 11.6 billion dollars allocated for direct efforts to combat climate change, which Obama has called the global threat of our time, his words. So 13 billion in cyber, 11.4, 11.6 billion in climate change. The 2012 Pentagon budget had the word cyber in it 12 times. The 2014 Pentagon budget has it 147 times. It's become kind of a joke now, I think, in defense circles that if you want funding for a new project you just slap the word cyber onto it and the money will come. It's really the only part of the budget that's not being slashed. In fact, the senior DoD cyber security official about a month ago was giving a speech where he joked that he's seeing a lot of requests coming across his desk for things like the cyber tank, which is not a real thing, obviously, but that gives you some measure, I think, of, you know, into how cyber has become now the way that we even talk about national security. It's all related to cyber somehow.

And in that context government officials have become much more public and vocal about talking about all the ways that we are vulnerable. I mean, Obama kind of kicked it off by coming out and saying: my email got hacked, the
power grid's at risk, and there's really been a flood of officials coming forward after that to talk about all the ways that we are at risk. What that tends to mask, though, is all of the ways that we in fact are one of the biggest aggressors in cyberspace. I talked about the military treating cyberspace as a battlefield; that is an offensive dynamic. And I try and get many stories in the book, in the first half of the book, they really talk about sort of how we are waging war in cyberspace, and I'll tell you one that I think sets the stage for how the military and the NSA in particular, our largest intelligence agency, which really is the center of gravity for our cyber efforts, kind of came to view cyberspace as a battlefield and how it's informing the way that we're going to fight wars in the future.

This is also in 2007. A lot happens in 2007 in this book. At the time of the troop surge in Iraq, President Bush ordered tens of thousands of additional ground forces in Iraq to quell the insurgency that was spiraling there and threatening to plunge the whole country into civil war. A lot has been written about the role of that combat troops surge in quelling the violence and in ultimately achieving what turned out to be a temporary victory against al-Qaeda in Iraq. Less is known, though, about the cyber component of this. Commensurate with the troops going in, the NSA taps into and essentially takes over the entire communication systems of the country of Iraq. The agency developed the ability to intercept every phone call, every email and every text message that was sent in the country. This is an absolutely extraordinary technological feat that they did. The purpose of this was to gather information about insurgents and ultimately to try and physically locate where they were. So I write about one guy in the book, a man named Bob Stasio, who was a young lieutenant in the army. He was a big fan of the HBO show The Wire, which I don't know if any of you have seen this or
not, but there's a detective in The Wire named Lester Freamon who, rather than trying to go out and gather human intelligence on who the drug runners are and the kingpins in Baltimore that are sort of, you know, these street gangs, he starts monitoring their cell phones and looking for all the calling patterns of who's calling who, how long they're talking, and tries to develop a network of who these people are based on their metadata, this word that we have now become more familiar with post-Snowden. The NSA does this in Iraq and does it to great effect, and are able to actually physically locate people and understand the structures of suicide bombing networks and insurgent networks based on their communications patterns.

And they do more as well, other daring exploits that I write about. At one point they were sending fake text messages to insurgent fighters to lure them into traps, posing as people they knew. The NSA and its hackers were able to get into jihadi web forums and chat rooms and load them up with spyware so that when people visited them, essentially beacons were placed on their computer that showed where they were physically sitting on a network, if they hadn't taken steps to shield that, their location. This information is then handed off to ground troops who follow up on it and go find these people and capture or kill them. In most cases actually capture is what I was told; this is, it resulted more in arrests than it often resulted in deaths. The people I interviewed for the book will credit this intelligence program, this cyber operation, as being the linchpin that turned the tide of the war. Had we not had this intelligence gathering effort to then give information to the ground forces, they would not have been able to follow up and disrupt those networks and pull them apart. David Petraeus actually has publicly talked about this, and, I think, a comment that wasn't widely credited at the time: he said that this intelligence-driven warfare enabled the
removal of almost 4,000 insurgents from the battlefield. That's a really extraordinary victory, and this informed the way that the NSA goes about now intelligence gathering and operating in cyberspace with the military in that fifth domain, and I think it's going to change the way that wars are fought in the future.

So let me just wrap this up a bit, and we'll have discussion, by saying, you know, why does this matter to any of us? You know, why does it matter that the fifth domain of warfare is now in cyberspace, that the NSA is increasing surveillance as part of that? I think that actually, in its zeal to sort of conquer this battle space, the military is making the internet less safe for all of us. There are two examples I'll point to in particular. One is the NSA's efforts to undermine a lot of the technology that we all depend upon every day to protect our communications and to keep us safe on the internet. You may be familiar with something called encryption. Encryption is a way that you can shield the messages that you are sending to someone else that can't be read, but it's also how your bank makes sure that your financial transactions are secure and that vital information about you cannot be intercepted and misused. The NSA has been known, as part of its efforts to prepare the cyber battlefield, to be trying to undermine encryption standards. Why would they be doing that? Well, the NSA wants to be able to read communications and be able to gain access to technology used around the world as part of its offensive cyber mission, both for spying and for more of the military kind of activities I talked about. To do that it needs to be able to have privileged access to the technology that we all use, and wants to make sure that it understands its weaknesses in ways that other people don't. So a number of years ago the NSA was involved in writing an encryption algorithm that it actually then publicly encouraged people and companies to adopt, knowing that there was a flaw in it
that it helped devise but never advertised. This would be a bit like the government coming out and saying to all homeowners: buy the following brand of door lock, it will keep all of the burglars out and keep you safe, but the government secretly has a key for the lock, and oh, by the way, it's not very well hidden; somebody else could find it too.

The NSA's also been looking for flaws in commercial technology known as zero-day vulnerabilities. These are basically holes in computer programs and in operating systems that have never been discovered except by an individual hacker or a researcher who, if he were to exploit that vulnerability, there would be zero days to defend against it. The agency actually buys these vulnerabilities and this information from hackers on a black market and hoards them in order to have this kind of privileged, hidden access to technology that we're all using every day and it's being used around the world. NSA is known to be the single largest acquirer of this information and is really fueling a market that is based in trying to find the fundamental weaknesses in commercial technology. There's an inherent conflict inside an agency that on the one hand is dedicated to trying to protect our vital networks and our critical infrastructure and on the other hand, as part of its offensive mission, is trying to undermine the security of the systems that run those networks, and that's something that I think is really the big nettlesome kind of policy challenge that the book presents. I don't have an easy answer for that, but I think that this is sort of where the book leaves us, is saying that we are now living in this era where the government is treating the internet as a vital asset. It is trying to protect it, but it is also taking these extraordinary measures to operate offensively in it, and we risk sort of being collateral damage in that as well.

Thank you very much, Shane. I mean, there's another sort of, it's almost unexamined, the issue
that NSA is, after all, a Pentagon intelligence agency which is doing a lot of intelligence collection in the United States, right? Absolutely, and I mean, we now, we know much more about this thanks to Edward Snowden, yeah, and others of us were writing about this beforehand. There's a, there's a same, this seems like there's a mismatch there, where you have a military agency conducting the domestic intelligence gathering, right, and by, which was designed to, you know, to fight the Soviets, but now it's essentially in the domestic spying game. Right, and it's been, ever since the demise of the Soviet Union, sort of went looking for a mission, and cyber security and cyber warfare sort of presented itself as one, as did 9/11 create the need for terrorism surveillance. Um, I find it very problematic that we have an intelligence agency in the business of some kind of national sort of civic defense. Uh, right now we have... What should it be? Should it be the Department of Homeland Security? I mean, they're trying to get into that space a bit, but they don't seem to have, they don't have the computer geeks in a sense that NSA has. Right, and nominally it is the Homeland Security Department. So officially, on the books, DHS is what's known as the interface to the private sector and to state and local governments. In reality the guts of the operation are within the NSA, uh, and complicating matters even more, the director of the National Security Agency is also the commander of something called US Cyber Command, which is nominally the military's combatant command for cyber warfare, um, which is a good thing that we have that, because cyber is going to be a part of how we fight wars; we should start thinking about how we're going to organize that. But you have the head of an intelligence agency running a military operation and serving in two positions at one time. And another way that, there was some discussion of making that two different people, right, and that the Obama administration flirted with
that idea and it didn't happen. Why? I think it didn't happen because they view that as too disruptive right now and because they believe that the NSA is where all of the best hackers are, and they're right. So if you suddenly decide tomorrow, well, okay, Cyber Command, you're it now, and, you know, and the 300 or whatever people who were actually working there and have not filled all their billets say, well, what do we do, where do we turn for the expertise to actually run this mission? Well, it resides largely at the NSA. So I think that, you know, it may be that this kind of dual heading only lasts through the tenure of the current NSA director. In fact, uh, Michael Hayden, the ex-director of the NSA, has said that the two should not be joined together, but I think that was a step that the administration was frankly not willing to take, and if you look at the other recommendations that were made post-Snowden about ways to reform surveillance and other cyber operations, the administration rejected almost all of them.

So how glad were you about the Snowden revelations? I mean, how far into the book were you? I mean, do the thought experiment where those revelations happened after you'd finished the book, right, would that have been a problem?

It would have been, I think. I mean, there was a lot revealed in the Snowden documents about our offensive cyber operations that frankly has not gotten a lot of play. I mean, we've tended to focus more on these surveillance aspects for terrorism and less the way that the government is organizing to do offensive cyber. Uh, you know, there is a lot of really rich, detailed information in there and a lot of things that were able to then point me to people to be able to ask them questions about. You know, there are acronyms and names that are not widely known in those documents that allow you to then start a conversation with sources that makes it more productive. Um, I was probably about four months into researching the book, I think was maybe four or five months after we
signed the contract when the documents came out, so it was, um, very good timing.

You know, I mean, you've written about, uh, these are hard subjects to get people to talk about. Um, you know, other, you and James Bamford are probably two of the leading people to get inside the NSA. Um, you tell us a little bit about your reporting process, to the extent that you can.

Yeah. Um, I started out writing, uh, about technology in around 2000, January of 2001. I was a young reporter assigned to write about information technology and procurement, uh, which is a very, very sexy beat for a budding 25-year-old reporter. Um, and what that gave me actually was entree into the world of contractors, actually, and people who are building technology systems for government, companies that are run by former military officers and senior officials. I mean, that revolving door: once people get out of government they tend to be a lot chattier. This is before 9/11, and, you know, it was an era when it was the post-dot-com era and sort of tech in government was the new big thing. E-government was a buzzword, and I sort of got familiar with a lot of these people, and after 9/11 it was the tech space in government where a lot of the national security action started happening, because these companies who were in the business of trying to build, you know, data systems for government to better manage things like IRS tax returns and government payroll and logistics management suddenly realized: hey, we can build systems for counterterrorism, we can build systems to collect intelligence and share information between the FBI and the CIA and the NSA. Um, this whole kind of national security world sort of invaded that tech space and the two started mixing together. That is really how I became initiated into the world of, you know, cyber and surveillance and signals intelligence and electronic spying, which has really been kind of the center of gravity for a lot of my work, and over time it's just a matter of getting to know
those people and being extremely patient and unfailingly pleasant and polite and getting them to tell me their stories.

Did the Francis, is it Francis Drake, did that case... Mr. Tom Drake. Yeah, did that case give you pause? I mean, explain a little bit about what the implications of that case are.

Yeah, that case gave me pause for a couple of reasons. Um, uh, one is that it reminded me how risky it has become to report on this subject. So, um, Thomas Drake, for those who don't know, was a senior National Security Agency official, uh, who, I guess in around 2005 it would have been, uh, got in touch with a reporter for the Baltimore Sun to reveal, uh, ways that the NSA was spending billions of dollars on technology programs that weren't working. He was a classic whistleblower. Classic whistleblower, and had tried to avail himself of many internal channels, gotten nowhere, and ultimately, in my view, revealed wasteful spending that is exactly what you want a whistleblower to do, and also pointed a light on some of the more aggressive surveillance operations and programs themselves, but really was trying to reveal waste, fraud and abuse. The government came down on him like a ton of bricks, and ultimately he was vindicated. The judge ultimately, you know, threw the case out, um, but not, if not for, you know, after two years, I think it was, basically being hounded by authorities, and what this really pointed out was that the government was going to go to great lengths to find people who talked to journalists, uh, and exposed secrets, even if they were doing it in the classic sort of whistleblower mode. Um, it was at that point really, I think, that a lot of journalists got, you know, more tuned in to the way that this administration in particular has been cracking down on leaks and realized that we had to be just far more careful than we already probably were, um, in protecting our sources and recognizing that this was a domain where the government was not really going to tolerate a lot of leaking
and even if it was done in the mode of trying to, you know, protect the public interest by exposing billions of dollars in wasteful spending.

You know, we, uh, but the New America Foundation did a survey when the NSA claims about how successful they've been against terrorism came out, and we found that there was only one case, which is a case I can describe very briefly, which was a taxi driver in San Diego sent seven thousand dollars to al-Shabaab, the Somali terrorist group, in, uh, 2007, 2008, but that was the one case that NSA phone metadata produced. Uh, so if you think, I mean, let's sort of reflect a little bit on, I mean, this is a massive program with very thin pickings, uh, in terms of the actual results, and in fact, you know, almost all cases, terrorism cases in this country are, you know, typical law enforcement activity: somebody drops a dime on you, you do something stupid, you get caught, whatever. I mean, these kinds of, it turned out that this was not really useful.

Yeah, that's right, and I mean, even when NSA was asked the question, point to cases that, you know, you can say that this metadata collection resulted in an attack being foiled, I mean, the number, I forget what it was, first it was, well, 54 was the first, and then it got ratcheted down, and, you know, and then eventually they had to back down from their, it was the other claims, yeah, it was, yeah. So they made a huge mistake, which is they went out and they made a completely indefensible claim right at the beginning. Yeah, and I think that what is also illustrated is the extent to which, after 9/11, much of our intelligence community has become dependent upon signals intelligence and cyber-related activities, and, you know, because it has been so difficult, as you know better than anyone, I think, to penetrate, you know, the inner human networks of al-Qaeda, the experience in Iraq frankly showed how, if you have the ability to monitor communications, it can be extremely powerful for locating people, and I think that, you know,
the military and the intel agencies right now see technical surveillance, whether it be from cyber or from drones or satellites, which is something that people aren't talking a lot about much but it's hugely important in this, the ability to have persistent surveillance from space on one spot of the earth, that is really driving how we conduct espionage and intelligence gathering and counterterrorism in the United States. So when NSA came out after the Snowden revelations and clung fiercely to this metadata program as being indispensable, it really didn't surprise me, because the whole community has now become, you know, a revolving, you know, situated around electronic intelligence gathering and operating in cyberspace as sort of being where we have the advantage.

You call it the military-internet complex. I mean, we reflect a little bit: we're here sitting in Washington, DC. You know, on 9/11, one of the richest, one out of 10 of the richest counties in the United States were in the Washington area; now seven, seven out of 10. I mean, to what extent has this military-internet complex, I mean, how, is there any sense of how large it is, who are the big players, where are they?

I think in a lot of ways it mirrors, and I consciously draw an analogy to, the military-industrial complex that President Eisenhower coined in his '61, 1961 speech, I think famous. I actually, I've learned this since writing the book, that he was originally going to call it the military-industrial-congressional complex but scratched the word congressional from the speech at the last minute because he didn't want to ruffle too many feathers. Yet to a great extent it is the kind of classic defense contractors: Lockheed Martin, Boeing, Raytheon. These are companies that are not only providing the government with intelligence, but they're working on weapons systems. Many of them are working on cyber programs specifically. Raytheon is publicly a company that provides zero-day information to the NSA; it goes out and acquires it. So they're
very much in the mix. But really what it also encompasses now are the big telecom companies. You know, we talked about the metadata program, that is, you know, a program in which the major phone carriers in the United States are handing over information to the NSA. But we also have the agency, via the Homeland Security Department, working with the ISPs now, providing internet service providers with cyber threat intelligence, trying to get them to tell them, what are you seeing on your networks as well? You know, it really has encompassed the tech sector, to include our, the people who are, the companies who are running our communications networks, that basically are the internet in many ways. That's where I think that, you know, the real growth has happened. And to the extent that you've seen this sort of massive build-up even within the Washington area, that really also is your sort of classic sort of big defense Beltway contractors, who by the way are on a buying spree, buying up all kinds of small cyber security companies. Um, if you really want to start a start-up today and have a high valuation or get gobbled up by a big company, start a cyber security company, start an antivirus company or a network defense company. I mean, it's extraordinary, the rate at which they've been spreading. Some have been some of the biggest IPOs in the past few years, and many of them are getting gobbled up by these large defense contractors, who are no longer building jet planes and missiles. They're doing cyber now.

What was the lesson of the Russian incursion into Ukraine in terms of the sort of cyber warfare?

Yeah, we saw some pretty quickly cyber components of that, with an interesting twist. There were soldiers, ground forces, who went into the actual physical cable stations where many of the, the hardware is located and cut connections going into Crimea to try and sever communications off to the rest of the country. And there were cyber attacks launched against Ukrainian government websites to take them
down, so that it made it more difficult for the government to communicate about what was happening. That was sort of a, you know, a flavor of all of these kinds of battles and of the things to come, where you're going to see the cyber component take its place alongside the ground war, the air war, the naval war. And the U.S. military is, I think, getting very, um, it's been very public about this and is being very clear-eyed about it. They know that our adversaries are building offensive cyber capabilities; we're going to do it as well. Uh, there are five dozen countries that are setting up some equivalent of the U.S. Cyber Command right now.

You know, Tom Ricks is a fellow here, has a kind of a famous and interesting question, which is, who would you prefer having run, who would you prefer running the U.S. military of the 21st century, George Patton or Steve Jobs? What would your answer be to that?

I probably would still trust Patton more than, I don't know. I mean, I come down on, at the end of the book, um, being deeply skeptical of the NSA, but, this might seem kind of difficult to square, but being more strongly in favor of giving many of these cyber authorities over to the military and making it more of a clearly military operation. I think it's more accountable. Even though the military is not a completely transparent organization, I think that intelligence agencies in this country, they are governed by a different section of the law, they engage in covert activities. I'm just much more comfortable, if we're going to be fighting wars in cyberspace, I would rather be giving those authorities to the people who fight wars and make them more accountable.

And that raises sort of an interesting analogy with the whole question about drones, which are, in both drones and cyber, you can have violent activities outside conventional war zones, uh, and the question of who should control those and under which authorities, and do you want the CIA to control or the Pentagon? So
you're saying it would be better if it was, it's more transparent if the Pentagon controls?

I think you get more transparency and accountability and arguably more doctrine, kind of, and rigor into the system.

But in practice JSOC does much of this, so is that true? I mean, I don't think that's any more transparent.

But, but I think what you're pointing to also is the way that these two worlds are fusing, right, and they're being, and they're blurring. And, you know, JSOC is another piece of this, of the story. Actually, in Iraq in the beginning, the partner with NSA, those ground forces they were heading to, was JSOC. You know, this is, you're seeing ways that the military and the intelligence kind of streams commingle. Now, I'm not sure that we'll ever be able to neatly pull them apart when we're talking about sort of small wars or even remote wars. Um, what I would like to see, though, is, to the extent that we are building up a national cyber force, which Chuck Hagel recently said he wants to see as many as 6000 people by 2016, I would rather see that under some sort of more rigorous and at least more transparent combatant structure, the way we run all the rest of the military, and not see it drift into this sort of, you know, dark corner of special ops.

Speaking of Chuck Hagel, when he went to China, the New York Times reported that he unsuccessfully, turned out, tried to explain to the Chinese what our red lines are, right? What do you think our red lines are?

I think our red lines that they've been public about now are any attack on a critical infrastructure in the U.S., for one. That means the power grid, a major utility, the air traffic control system, an attack that brought down a bank, or...

What would our response be?

Right now the Pentagon's written policy on this is that an attack of that nature would merit a retaliatory response in cyberspace or kinetically. So, and I say this in the book, if China shut off the lights in San Francisco, and let's say for sake of
argument that we could say pretty definitively we think it came from China, we would have bombers on the way to Beijing. We would view this as the opening salvo in some sort of larger war, and at the very least we would see this as, um, an attack that merited some kind of a response in kind.

Is the cyber Pearl Harbor plausible? That was a phrase that Leon Panetta used.

Yeah, I think he actually used it meaning something else. I think he meant a cyber 9/11, right, this sort of idea of a surprise attack that came out of nowhere. I think the idea of a cyber Pearl Harbor is plausible, and in fact, if there were a Chinese attack, let's say, on an upheaval of the power grid, which I think is a remote possibility, by the way, there's lots of reasons they have not to attack us in cyberspace domestically, we would see that as the beginning of something, not the end of it. We would assume that they were about to launch some sort of wider military campaign. Um, where I get more sort of worried about this and freaked out is a country like Iran, you know, which has been extremely aggressive, uh, and really quite reckless in the past three years of seeming to ignore any sense of what the lines are. Um, Iran doing something potentially very devastating and not thinking through the next steps of how we would respond.

Well, speaking of Iran, if a country mounted a Stuxnet-like attack on us, would we consider it an act of war?

We probably would, yeah.

Do you think the Iranians considered the Stuxnet attack an act of war?

I think privately they probably did, yes. And I think even Iranians who I've talked to since the book has come out have said, if you ever thought about looking at this from our point of view, I mean, you attacked us. And in many ways we did fire the first shot in the cyber war, and we sort of opened up the gates and gave them a reason to build a cyber...

But isn't it instructive that, um, at a certain point it was no longer deniable? I mean, there was an attribution, I mean, with a German researcher
just on his own, right, who basically worked it all out. Mostly, right. So the point is, if you do, it doesn't matter who the kind of protagonist is, there's going to be an attribution problem in the sense that you're going to, the attribution will be made pretty definitively by somebody, right? Eventually it will be. So if the Chinese launch an attack on us, even through proxies or whatever, this building, what's the number of where they're housed, 3348, yeah, um, I mean, we would attribute it very rapidly, probably.

Well, I don't know how rapidly we would, but I think that we would find ways to, we would find lots of ways to try to attribute it, and not just by trying to trace the signal. I mean, one of the things that the Defense Department does, and I write about this in the book, is it has a database of dossiers on known Chinese hackers, and it looks for signatures and kind of their trademark kind of imprint. There's lots of ways to try and attribute something. Um, I think that you probably would also see, if they wouldn't, if it were an attack, let's say, on a private institution, let's say it was on a bank or let's say it was on a private utility, a company hiring its own people to come in and try and trace the source of that attack as well. And the FBI of course would be involved. But attribution is something that we always look for.

Okay, well, and so a private company is hacked, and there's a big issue about hacking back, which is technically illegal here.

And yes, it is illegal. But does it happen? Yes. Um, I talked to one former senior NSA official who said, uh, he wasn't going to name names, but he said, I know it's happening, I know it's illegal. Uh, and I think that's being handled for the most part by companies that are fairly scrupulous and careful.

Um, Target, JPMorgan, I mean, who's hacking back? Do we have any sense?

I think that probably, I would be surprised if it was a company that large. Yeah, I would be more inclined, and I don't know for a fact, I don't want to mislead anyone, say I know who has been hacking
back. It would not surprise me if it were companies in the defense space. Um, I write in the book, though, that the companies that I worry most about retaliating actually are banks. So to the extent that banks are highly vulnerable and spend a lot of money on security, which they do, um, they have a lot to lose. It's our money, their money. I hypothesize that, you know, you might see one of the first cyber wars really break out by a bank deciding that it is sick of taking it in the shorts and the government is not coming to its rescue, so it's going to fire back at the Iranians who are coming for it. I think that's a distinct possibility. In fact, in 2012, um, there was a large what's called denial of service attack directed at bank websites. This is not their data; it was their customer-facing websites, that forced the websites to shut down, which sounds like an annoyance and an inconvenience, and it is, but it was also terrifying because the scale of this particular one was unlike anything that had been seen before. And when it was basically determined that this was coming from a nation state, some of these bank executives went to somebody in the Homeland Security Department, who I interviewed for the book, and said, what are you going to do about this? And he looked at them and said, we, what do you expect us to do? I mean, the banks were essentially saying, you know, are you going to come to the rescue here? And the answer was no, not for an attack on a website. Now, if we were taking out the data in a bank or causing the NASDAQ to shut down, maybe. But these companies realize that they're largely on their own here. And it's something I didn't appreciate when I started the research, is the extent to which the private cybersecurity industry is building up to offer these companies a way of protecting themselves that the government doesn't always readily have. If you're not a big critical infrastructure in the United States, you know, responsible for running the internet in our critical systems, you know, the
government may not be, you know, so interested in trying to protect and help you.

It's very open to questions. You have a question? Can we just wait for the mic, and identify yourself. So if we saw in the back and come to this.

Hi, thanks for coming. I just wondered if you could comment on the distribution of business that you're seeing going to large defense contractors as opposed to these startups like Endgame and VUPEN for these sorts of services.

In terms of the dollar amounts, I couldn't tell you for sure. I think for companies like a VUPEN, which, you know, is in this sort of, you know, the zero-day space, to an extent you're probably talking much smaller dollar amounts, because big network defense programs that are going to, that are the sort of the hundreds of millions and billion dollar varieties, are going to go to the bigger defense contractors, who then might hire a network of subcontractors to work on it. And you also have these companies too, in many cases, providing the cyber defense personnel for government networks, so those sort of, you know, contracts of, you know, human labor are going to be more expensive. But it definitely, I think, where the, the non-defense companies, sort of startups like an Endgame or FireEye or these others, they're going to be, their revenue's going to be coming from the private sector, not so much the government. How much people are paying for a zero-day vulnerability, you can pay anywhere from, you know, four- and five-figure sums up to, I was told by one person, if you found a vulnerability, uh, in an Apple iOS operating system, possibly a six-figure amount. There are companies that will sell subscription packages to these for, you know, seven figures a year over a period of time. So there's a lot of money in it. It's not a ton of money compared to, I guess, how you might find yourself if you were a private startup selling cyber security and surveillance services to lots of companies at once. They're only, there's, it's a fairly niche market for zero days, and in large
measure it's propped up because the NSA is doing most of the buying.

I think one more question here. Yeah, this.

Hi, I'm Cliff Bob from the German Marshall Fund and Duquesne University. I, this is really interesting, and I haven't read the book, so I was just curious where in the end you really do come down on these issues. It sounded like you think that this whole cyber initiative as a military initiative is a mistake. You say it was counterproductive in your conclusion there. Um, but I'm wondering also, in a broader sense, I didn't hear a lot about what the threat really is. I mean, lights being turned off in big cities, we've seen that numerous times in the past, and the biggest consequence seems to be a bunch of babies born nine months later. Um, or, you know, even if you hit a couple of websites, uh, or even a lot of websites, I'm just, I'm not clear on, and maybe you said this earlier, but what is the real threat, and how, why isn't this just crime? Why is it war? And what would a cyber war actually be? I mean, normally in a war people actually die. Um, this doesn't seem to go to that. So, and I guess the other aspect of this then is, um, you are referencing intelligence agencies and the military contractors, uh, saying how bad the threat is, yet you're also talking about how, you know, previously it was terrorism and they're looking for a new mission and so forth. So I'm just not clear, and I'd be interested to hear where you come out and whether this truly is a real threat, and whether it is, if that, you know, a criminal or military sort of thing.

Sure. Well, a lot of the threat is definitely crime. I mean, it's, you know, we see this in, uh, credit card data being stolen from, you know, in hundreds of millions from Home Depot, Target, um, companies having bank accounts emptied. You know, this is something that the FBI deals with a lot. We don't see this on the individual consumer level as much. There's a criminal element that I think is not without cost, obviously. Um, something I write a lot about in the book, uh, is
cyber espionage. So China is largely responsible for stealing, uh, billions of dollars' worth of intellectual property from American businesses, taking information and giving it to their Chinese competitors. I think there's a real cost associated with that. The sort of the dire nightmare scenarios, right, where you would cross over, I think, into the realm of warfare and events that would trigger some kind of collective national response from the military, do fall into this realm of critical infrastructure attacks. So not just shutting off the lights but possibly causing physical equipment like generators to break down, to stop functioning, and it could take possibly two to three to four months to replace them. So you're talking about the possibility of extended blackouts, sections of whole cities without power for a very long time. Um, the ability to, uh, open up water treatment facilities and contaminate large amounts of water serving hundreds of thousands if not millions of people. Um, one story I write about in the bank, that actually the director of national intelligence, or in the book, sorry, told to President Bush in a meeting in 2007 was, uh, imagine if the hackers on 9/11, instead of flying planes into buildings, or the attackers, sorry, had been computer hackers who broke into the systems of a major U.S. bank and either deleted account information or corrupted it in such a way that no transactions could no longer be processed. The bank would have to close, and it would ignite a financial panic, uh, essentially in the banking sector that would then ripple out. Um, this is something that, these are what you would call very high impact, low probability scenarios, but nevertheless are the ones that are keeping people up at night and that are sort of animating our response to cyber threats. I don't think that those are particularly likely. I think the Chinese, for instance, have a great incentive not to attack our banks. They're our largest lender. Why would they do something like that? Um, but the
barrier to entry in this space is a lot lower than fielding a traditional military. It's a lot easier to build the capacity to launch a devastating attack like this than it is to build a long-range bomber that you could send towards us. So I think that the threat to some degree has been hyped by national security officials, but it is not outside the realm of possibility, these kinds of sort of full...

Well, to tell you what it's about, the Syrian Electronic Army and what they did to, the effects they had on the, of the Dow, uh, on, they put out, in the Syrian Electronic Army, um, get into an AP Twitter feed and say there was an attack on the White House.

That's right, that's right. Right, yeah. So they, this is a sort of an information propaganda operation. So they hacked the Twitter feed, said there was an attack, of the AP, said there was attack on the White House. I think they may even have said that the president had been killed. And there was this sort of, you know, five-minute freak-out where everyone on Twitter and social media thought that the president had been killed, and you did see a dip, I think, in the Dow industrial average. It's sort of, you know, it was this momentary kind of pulse. An event like that is one that people in the national security community will point to and say, look, these are ways that you can cause, you know, real consequences, canada consequences, short-lived perhaps, recoverable. But what they do is they point to, well, what about, you know, what happens when there's the blackout that does last for three months and not for three hours? And again, I mean, I'm very critical and skeptical of a lot of officials in the book coming out and saying, including Leon Panetta, and telling people, you know, we're one moment away from devastation. The National Security Agency director just said this, you know, a couple of weeks ago in testimony. I think we need to be skeptical of that and manage the problem, you know, commensurately and not lose our heads about this.
But there's no doubt that information is being stolen, privacy is being violated, you know, financial fraud and crime are being perpetrated. Bad things are happening, and it merits some kind of a response. And where I ultimately come down on it is in wanting to see our response be measured and judicious and not fundamentally undermine the security of the internet. Where I really am most critical is that when the NSA is in the mode of, we're in charge of leading the cyber war and the offensive mission, they are inevitably going to be finding ways to weaken all of the technology that we depend upon. That mission is at conflict with, it's with a defensive mission. I think you need to separate, ultimately.

What do you make of James Comey's kind of, you know, extended public criticism of, I guess, both Google and Apple for making phones with, you know, that are encrypted in such a way that neither Google or Apple will be able to access them even if the government demands it?

I think that is a proxy for a much larger fight, uh, and a bit of a smokescreen, frankly, although I have respect for Comey a lot, um, that the FBI is waging for the better part of the past 20 years, um,
really ever since the advent of the internet. The FBI became very concerned that it would no longer be able to monitor communications and do surveillance in cyberspace. Call it going dark. Going dark. And this is not the first time that they've said that this could happen. The same thing happened in the mid-nineties during something called the crypto wars, when commercial encryption became available for the first time and the FBI said it's going to be adopted by terrorists and drug dealers and we'll never be able to spy and wiretap on anyone again and we won't be able to prosecute crimes. Well, it didn't really happen. We fashioned a law that requires the telecommunications networks, the phone networks in this country, to be built in such a way that the FBI and law enforcement, when they have a warrant, can tap into them, to make sure that they can technically get the information that they need to get. That law was not extended to the internet when it was passed about 20 years ago, and ever since then the FBI has been looking for a way back into that. And I think that what Comey is doing is throwing out Apple and the iPhone and encryption as a way of starting this conversation back up again. Telling me, he talked about this most extensively about a month and a half ago at Brookings, and somebody asked me, said, well, what's your larger legislative plan, where's the bill that you're proposing? And said, well, we don't really have one, and I'm kind of leaving that to experts. So you can see Comey, I think, kind of trying to kind of light a fire here and using this device as sort of the convenient jumping-off point. What the FBI is really about is extending surveillance law to the internet and to technology.

Just so we understand his argument, I mean, it's not as crazy as, uh, or as, you know, I mean, he's sort of like, you know, if you're trying to, uh, let's say, prosecute a child pornographer who's been exchanging images through a phone and there's simply no way to access the data, um, well, how do
you make the case? I mean, I guess that's the kind of argument he's making. And what's your response to that?

Well, there are lots of other ways to get the data. I mean, if you're really talking about somebody who is not using the cloud, uh, who is not emailing the information to another computer, that was literally only on this device, then yes, then you might have a problem, uh, in that. But there are lots of ways to get that information. I think you have to ask the question, you know, is it worth, you know, changing our laws and extending surveillance more to the sector as a whole just to be able to get it in the rare cases on this phone? There are plenty of ways to get the information.

And komino is that New America did research on the issue of, uh, how much companies like Google and others lost, uh, you know, and it's in the billions and billions of dollars, right, in terms of people around the world saying, well, wait a minute, because of the Snowden revelations, right?

I mean, there's, and I say this in the book too, that there's a perception, I think, that, you know, in foreign countries, that American technology, kind of once viewed as a gold standard, now has this, you know, is synonymous with government spying. And to the extent that people think that our corporations are just handing over information on foreigners and foreign targets, why would you want to do business with an American tech company?

80 percent of email traffic around the world, uh, transits the United States, right? I mean, do you think, do you see, um, that number going down? Do you see, I mean, I think the Germans in particular, obviously very concerned about privacy issues, I mean, how would they sort of make that number go down if they could? And they seem to want to.

Yeah, um, they have talked about, Germans particularly, I think this has come up in venezia or Brazil as well, the idea of trying to require companies like Facebook to locate all of, you know, German citizens' data on servers in Germany, and this kind of notion of trying to sort
of balkanize the internet, whereby Germany would say, okay, for most purposes of Germany's, Germans' activity on the internet will be kind of contained within networks that are in Germany. Um, I actually interviewed, not related to the book, but, uh, Eric Schmidt about this, from Google, a number, about a year ago, and asked him about this question. And, you know, what his response was, you know, we couldn't possibly make, you know, a Germany Google, a Belgium Google, an Italy Google. The internet doesn't work that way. Well, you might get close to it, though. And I think that, you know, companies can do, country, and countries can do things to require that. You know, what Ted Stevens said, this is a series of tubes, after all. This is equipment that we're talking about here, on some degree of trying to physically put that in one place. I don't know that you ever would get to this completely segregated geographic kind of internet. There are plenty of things that companies can do. Look at the right to be forgotten legislation in Europe.

Does the, do the Chinese have something that is sort of closer to that, where they have a sort of internal, uh...

Yeah, I mean, there's sort of the Great Firewall of China, where you have much more controls inside China on the ability to access the internet, public internet, from in China, get past its censors. But, you know, people can do that. There are plenty of ways around that. So maybe in China you have some case studies there of ways that you could kind of, you know, wall off your country.

But there, you figure, is being done for, you know, for state control and limitation of freedom of speech. We're sort of, you know, that in the German context you're sort of like trying to protect us from the NSA.

So, but the technology is agnostic in that regard. Go ahead.

Robert Shredder with International Investor. Sometimes we look at these issues less at an institutional level, more at a human level, and I wonder if you would comment on that. I think in 2013 it was estimated that 25 of our major
weapon systems had been compromised in one way or another. I didn't see any charges leveled against any individuals, either in the military or the defense contractors, that may have been responsible for that. Our cynical approach is that there's a lot of money involved. These are hundreds of billions of dollars of R&D. Individuals can quickly enrich themselves by allowing a vulnerability to take place. Have you looked into that at all? I haven't read your book yet, but I wonder if you might comment on that.

Yeah, on the question of whether allowing it to happen, I have not looked at that. So I guess, are you suggesting, like, a company would, like, be betting against itself, or...

Yeah, yeah, kind of gaming the system and betting against the known vulnerability.

I mean, I'm sure there are probably smart hackers out there who are also playing the market, betting on when, you know, where the next, you know, breach might occur. I did not look at that specifically. But one quite thing your question makes me think about is whether or not corporations have a fiduciary responsibility to protect their networks. So when Target is breached and, you know, more than a hundred million, I think, of its customers' financial data is stolen, should Target be held accountable to some degree to that, I'd be responsible to its shareholders? Right now, under the law, I don't think it allows for that. I'm not, maybe somebody wanted, you know, an intro deck and eat your lawyer would want to.

In the court of public opinion they certainly suffer.

I think it does. I think it suffers in public opinion. I think you're going to see banks and retailers starting to advertise good cyber security as a selling point.

And there's a huge incentive, by the way, for these companies to say nothing when they do get hacked, right?

Yeah, and for a long time that was the MO, was to say nothing. Who actually broke the dam on that was Google in 20, think it was in 2010, coming public and saying that they'd been hacked by China and that their
intellectual property had been stolen, and companies kind of feel more likely to come and say it. Um, but if you're a bank...

I mean, JPMorgan obviously was, did they release that information themselves, or was the head of that?

I don't know if JPMorgan released that voluntarily or not, but once it came out they did not shy away from talking about it. And that event scared a lot of people too, because banks are supposed to have the best security. And what I think that points to as well is, there's, we have to be careful that we don't get into the mode of blaming the victim, right? I mean, so JPMorgan is not casual about cyber security. It spends a quarter billion dollars a year on it. Banks are very, very good at this in the sector. If JPMorgan can be hit, it gives you a real insight into the sophistication and the aggressiveness and the persistence of the attacker. So to some extent, I mean, you know, we don't blame the homeowner when the burglar finds a way into the house, right? So we have to get that balance right. But companies who are doing nothing, I mean, I think Home Depot was widely criticized for not having taken security seriously enough at all. I mean, maybe there's a threshold by which you have to demonstrate you are doing some minimum of good security to be responsible.

But does every big company now have a chief information officer?

Not every one, but I mean, it's growing. I mean, you're seeing the chief security officer, information security officer, becoming the place that's really where it's taking off. And, you know, and you're seeing a lot of people who are coming from the military, uh, and the intelligence community, and that, I mean, you gain a lot of expertise and skills about good defense working in government.

Someone here.

Uh, Dan Tobson, uh, with State Department, but here in my free time. Um, if I get on a jumbo jet from Dulles and fly to San Francisco on 700 pounds of jet fuel, metal and human lives, it's highly regulated. Every step of the way is highly
regulated. We keep hearing that the internet is key to the United States' national interest, so why isn't it more regulated, and why is this such a permissive environment? Why are we asking companies to improve practices? And going back to the AP hack with the Syrian Electronic Army, which I think cost us 60 billion dollars on paper over five minutes in the Dow, um, like, why even build an aircraft carrier if you can do that to another country? It makes no sense. Just hack the Twitter feed. Um, why don't we see a move towards that? And thinking of this in the traditional kinetic war frame of mind, you know, we're waiting for a cyber Pearl Harbor, but if you look at the cumulative effects of all these attacks, like Target and all the countless others, it is a Pearl Harbor that's happened cumulatively. It's happening right now, you know, millions of times of a nanosecond that we're getting hacked. Um, so it is already happening. This Pearl Harbor is, it's here. And then the only other question I have, um, other than why it's not heavily regulated, is who's watching Google? Because human behavioral data, human behavioral information, has become a highly valuable mass-produced commodity, and I think that that could have consequences for consume, discriminating against consumers, and have a very broad social consequences.

I think even more than that is a really interesting question. I want to add to that, which is, like, there was an interesting piece in the Journal about people looking at big data and that they can tell, you know, with, like, extraordinary high levels of probability what your sexual preferences are, you know, just pregnant, right? So, I mean, that's a form of that question.

So yeah, I think we need to have, and there are bills that have been proposed in Congress with this, much stronger consumer data protection laws. I mean, we have a whole suite of laws that govern what the government can do with your data and how they can access it, and comparatively nothing when it comes
to private information, and particularly if companies like a Google are using information, even in a macro sense, about their customers and then sharing that with the National Security Agency. You know, there's a lot of mingling going on here, and I think we need to have better control of that. Your question about why isn't it more regulated: I mean, there have been sort of, there's broadly speaking this kind of dueling philosophies about that question, and it's been, there have been a number of cybersecurity bills that have been put over the years that have some degree of either regulation or something that looks like regulation, where the government is going to say, okay, this is the minimum standard that either companies or critical infrastructure companies, vital ones, have to meet the following standards. And it has always gone down in defeat, largely, you know, to be frank, thanks to the business community. They don't, you know, in, the Chamber of Commerce has opposed this. They don't want to see a lot of heavy regulation. There are privacy concerns as well associated with some of this, but basically business has resisted it. And Obama, in that speech that he gave, there's an interesting evolution, I think, that is just, I'm just starting to appreciate. In that East Room speech that he gave in 2009, where he talked about it being a strategic national asset and protecting the internet, he also said we are not going to force companies, we're not going to dictate the companies how they do their security, it's going to be cooperative, which is to say we're not going to regulate them directly in that way. But about three weeks ago he gave his, in his weekly address, his comments on net neutrality, and he talked about his preference of wanting to see the internet treated like, more like a utility within the context of net neutrality. But if you start calling the internet a utility, then absolutely you can regulate it. Governments regulate utilities. I mean, that's what we do. And it's something that I think that, and
not a lot of people sort of picked up on this idea. I'm not even sure whether he meant to go there, but he kind of went there a little bit, and he at least, he at least flicked at that possibility. I think that ultimately what's going to happen is there's going to be some catastrophic level or near to that attack that really gets people's attention. I mean, stealing credit card information and data, it's an inconvenience. The bank's going to replace your credit card. You know, if tomorrow 100,000 Wells Fargo come with customers wake up and their bank accounts, their checking accounts, have been erased, that's going to be different, and that's going to open up a conversation about regulation.

Tomicah. Okay, we're just, okay.

I'm curious about the, your views on whether or not this affects the policy content, foreign policy content. For example, and you casually threw out a, well, we did Stuxnet and so they, they're mad, and then you cited that as one, Iran being one of the major things. So what I find, other than the policies themselves somewhat incoherent, is how do you get accountability? Who decided to do that to Iran? And now we sit here, right, the accountability and the, and the...

Yeah. Well, right now, I mean, who decides to do it is the president. Um, so Stuxnet, as a president, was a presidentially authorized covert intelligence program. Um, you know, and, and right now, in, in, in, sort of hesitate to say doctrine because that makes it sound more formal in the military than it actually is, but under executive, or existing executive orders, if the United States were to launch a cyber attack, let's say, on another country's systems or something like that, it requires the president signing off on it. They're treated as strategic weapons, sort of in the same way that we treat nuclear weapons, where the president has to be involved. Now, there are ways of kind of putting that authority down the chain a bit. So like, if we're in Iraq, for instance, President Bush authorized those operations that were conducted in Iraq, but he
did not have to then go authorize every single one. He said, you know, the NSA is authorized to do the following things when it comes to communications gathering in cyber activities. So there is a level of accountability right up to the level of the commander-in-chief. I think as this, as cyber activity becomes more pervasive, you can't have the president signing off on every single, you know, one of these attacks, any more than he signs off on every time someone fires, you know, a rifle. But I do think it's going to largely be governed in that context of, you know, the commander-in-chief, his authority is both, you know, to authorize intelligence operations and military operations. So for the foreseeable future, at least at the very top, it'll be the president authorizing these things. That's where the accountability will be. Tomicah. And for the foreign policy blowback for that as well, I should hat.

Yeah. Well, first, Shane, congratulations. This is great reporting and extremely impressive. I am a newly minted senior fellow here at New America, but prior to that, in a past life, I was speechwriter for Secretary Clinton and wrote her first speech on internet freedom, and in conjunction with that was also the victim of an unrelenting stream of spear-phishing attacks that continue up to and including this morning, from people trying to get into, to my account. And I, and I'm sure you and many others have had the ominous pink banner show up on your Gmail account that foreign hackers are trying to gain access to your account. Given the two sides of that, you know, experience, the incredible power of these tools to serve the purposes of progress and good, and also the real dangers that we face when using them, at what point do we need to pause and let our regulatory structures catch up with the technologies? You mentioned the difficulty that you had seen in trying to bifurcate the command structures, and, and the fact that it would upset the apple cart, and so we can't do anything on it right now. At what point is there a
need to kind of sit back, hopefully prior to some sort of cataclysmic event, and figure out where we need to put these authorities to get it right?

I think we're there, honestly. I mean, and I think that I find it difficult, the argument difficult to swallow, we shouldn't be to some degree regulating security, when the fact is that we regulate food safety, you know, we regulate, we regulate utility companies, we regulate electrical power facilities. Why wouldn't we regulate their network security the same way we regulate, you know, their physical security, or their, you know, the making sure that they have the right equipment so that they don't fry their circuits? I mean, it just seems to me that the idea that, that you couldn't just naturally then extend that one more layer on to the security of a network, that just makes no sense to me. And we should be having, doing that now, because as you point out, you know, the threat's there. It's not like we need any more evidence that these, these systems are at risk. Why would we wait for the cataclysmic event? Except politically, that's how it always works, right? We need that to sort of shake us loose of this.

But the counter argument, with Target, didn't they go in through the air conditioning system? Yeah, they went through a subcontractor. Exactly. Like, I mean, it's hard to defend everything, right? Yeah, you'll never defend everything, but I mean, you know, why not start with the companies that are already regulated? Yeah. Right? I mean, like, why, and, you know, and a lot of electric companies have, I think there was actually a, uh, an electric CEO who testified about this, saying we are a regulated industry, right? So I mean, you know, and into an end there. So there is a, you know, a natural kind of opening at least there to start, it seems to me, with some of your more vital systems. Uh, and, you know, I think just politically the administration hasn't been inclined to do it. There's been a real lobbying against it. But yeah, I mean, I think we're there right now.

Leading back. Thank
you. GG Alford, I work at Freedom House. I, I found your argument very interesting at the end, that it's, it may make more sense to shift some of the more cyber aggression in the US from the NSA to the military, and you mentioned the military calling the internet the, the fifth dimension or domain of warfare. Do you see any possibility that there could be a way to, to normalize thinking about who are civilians and who are combatants on the internet? Because at some point, uh, you know, we have, uh, international norms around the, the law of armed conflict or international humanitarian law, but on the internet, you know, how are we able to declare ourselves civilians or non-combatants and therefore off limits, yeah, to some of that aggression?

I think it's a great question, and it's something that, you know, national security lawyers have been talking about, you know, to some degree already. I, I do think that you can apply international humanitarian law or law of armed conflict to cyber conflicts. I mean, we could say, we could just say as a matter of principle that we are only going to launch attacks against legitimate command and control targets, uh, you know, the same way that we, we know, we agree to only bomb certain, uh, facilities. We could, when the president wants to order an attack, I mean, could say, look, what is good, the risk of collateral damage going to be? In fact, uh, in 2003, prior to the invasion of Iraq, there was a proposal on the table to launch a cyber attack against the financial networks in Iraq, to try and basically freeze up Saddam's money, and, you know, been one way of sort of hamstring the country. And it was, um, ruled out because we couldn't guarantee that whatever virus we launched against that network wouldn't spread and possibly end up in banking systems in Europe, so, you know, shutting off ATM access in Paris or something. So I mean, we have a framework for being able to conceive of what collateral damage might be. Um, it might be a heck of a lot harder to predict because of the nature of
these, uh, these weapons that can get into a network and then propagate and get out of control. But, um, I don't think that we should just, you know, dismiss out of hand the idea that, uh, IHL can be applied to cyber conflict. I mean, it's not maybe a neat one for one, but you could, you can fashion it in a way.

But you could imagine a kind of new Geneva Convention that would, you know, because all the same issues are true for drones as well. I'm aware you, you kind of have a, you know, we're in a slightly new space where, um, the kind of blend, I mean, the distinction between civilian and, I mean, for a civilian contractor is launching a military attack, or, or, or whether it's drone or cyber, I mean, that kind of raises interesting questions about the, the lady raised. Um, and I mean, I think it's time for us to have a collective discussion, because I think what we're, we're, the, the analogy is also sort of where we lost the monopoly on atomic weaponry. It became in our interest to have a international regime around the control of this weaponry once we lost the monopoly, and we're really there with drones. I mean, Russia, China, Iran all have armed drones. Uh, whatever the regime is, we have to be comfortable that it's gonna, we feel good about the Iranians adhering to that regime as well, and I think the same is true with cyber. So I think there is a, but we've come to the moment where we should be starting to have that discussion, because IHL, international humanitarian law, you know, yes, kind of be applied, but is it, is it sufficient? Because it didn't really, it didn't conceive of any of these weapons, um, which, uh, anyway.

So what, and a treaty is something that's been discussed, and, you know, Tomicah, you probably can speak to this too. I mean, it's, you know, the Russians aren't necessarily all that eager to get into a treaty with us. Um, uh, all that's been discussed, and we, there's, how do you verify that somebody is not stockpiling cyber weapons, etc.? You know, I thought that, you know, in, Hagel deserves credit for this, you know,
the going to China and saying let's talk about mutual red lines. That's enough, that's a good sort of first start in this. Of course, the Chinese said we'll listen to you, and then they told us nothing. So I mean, I think for a lot of countries, they have a very powerful incentive not to engage in treaties with us, because we have a more powerful conventional military and this is the way they can gain advantage over us, and why would they ever want to, you know, to preemptively limit their use of it? On the other hand, you know, if we get into the, you know, a sort of mutually assured destruction kind of mindset, which might be helpful, and we make very clear to the Chinese, like, look, if you ever did something like this, like, it's, it's over with us, you know, then that, that might lead bigger powers into some sort of more of a...

Do we also be a political problem, probably, in Washington, because on the right it would be, any, this kind of discussion would be criticized for constraining American power, and on the left it would be kind of criticized for acknowledging that these things really exist and we need to be serious about them, right? So it would be a tough... In the back, gentlemen. Thank you.

Hi, uh, Jonathan Daigle from JD Solutions. I really enjoyed this dialogue. This is very interesting. I'm really looking forward to your book. I agree completely, this idea that the NSA can't both protect cyber networks but also be in charge of getting at them. And, and so this, this idea, this idea of regulation, the merging of military networks, warfare, I mean, I think this, first of all, I thought this was a great discussion until I, the idea that we're going to regulate security. I'd like to know how you think we're possibly going to have regulation that is going to enhance our security, as the technology changes so quickly that those regulations become irrelevant. And secondly, you know, I, I, I, I've spent 25 years in the Department of Defense, and the idea that we can have international treaties that are, are going to keep people
from doing cyber conflict, that doesn't bother al-Qaeda, doesn't bother the Syrian factions. Those things are not going to keep us safe. So we, we're just faced with so many dichotomies or, or contradictions in this whole thing. You know, how, how can we, how can we approach wrapping this up in a way that we do not have to wait for, you know, a, a, a situation where there's loss of life or, or extreme loss of property? Um, you know, do you have any way ahead, having done all this research?

Right, right. Well, one way, I mean, I, you know, look, I mean, this is, and, and you may, you very rightly point out that regulation is going to be, you know, probably hopelessly outdated the moment that you propose it. The administration went through a long process recently with the National Institute of Standards and Technology, or NIST, coming out with a recommendation for kind of best practices that people should adopt. Don't, they're probably outmoded already. I wonder, and I'm just speculating here, but I mean, whether or not, rather than by saying, you know, meet these minimum standards, whether it was something more like, you are required to employ people with X level of competency in doing cyber security, right? I'm sure companies like FireEye and Mandiant would love that, uh, you know, they go out and hire us. But having some kind of, you know, sophisticated people in place that can keep up with the threats, because this is the nature of cyber defense, right, is the bad guys keep getting better and better and better, uh, and the defenses keep getting outmoded all the time. So no, it can't just be like the way it would be with food safety or something like this. Um, so you would have to have some level of assurance that people were on the job that were doing more than just checking boxes. I mean, we have a problem with this in, in, in government. There's something called FISMA, the Federal Information Security Management Act, which requires government agencies every year to, you know, check the box that they've done the following things and
the following safety protocols and that, and everybody regards it as a joke, and they're not, and nobody thinks it's actually protecting networks. Well, the reason that, you know, the Defense Department and the NSA are so good at protecting their networks is they employ really smart people that are constantly keeping pace with threat and evolving against it. And I think if there's a way forward, ultimately it's probably going to be by a whole new business and a sector of the economy developing around this, and I really think you're going to have cybersecurity companies doing cybersecurity for most companies, uh, in the United States, and that the government is going to probably focus on the much more kind of critical aspects of the economy. That, to me, that would be a smart way forward. I mean, the NSA has been in the mode for a number of years of sort of trying to do it all, and they need to kind of come back down to, to earth a bit on that. And I think this is a, look, there's going to be a market, is going to emerge in some way to address a lot of these problems.

Gentleman raises a point, though, which I think may be wrong, at least for now, which is, you know, treaties obviously won't constrain al-Qaeda. I mean, al-Qaeda is not constrainable, but their capacity to do something that would really damage our national security, I think, is close to zero. And I, and I'm, you know, the Syrian Electronic Army, yeah, they did this thing, but I mean, it was essentially a nuisance. So I mean, the kinds of things that you're concerned about are mounted by states, and the number of states that can do this are relatively big states. I mean, Iran, China, Russia, ourselves, it's not Israel. I mean, we're not talking about a huge group. So the idea that you might have some kind of international treaty where there would be like some kind of laws of, you know, you know, that there would be some kind of understanding that, where, where the red lines are collectively, I think is, I don't think that's a crazy idea.

I don't think it's crazy, and
it could cover, you know, it could give us some layers of security. Um, and you raise the interesting question about, you know, al-Qaeda and, you know, terrorist groups being able to mount these kinds of attacks. And after 9/11 there was a real fear of, you know, cyber-terrorism, and you still kind of hear it as, you know, a bit of a buzzword, but the general, I think, assumption is that you're right, is that al-Qaeda has been much more focused on spectacular physical attacks and other expertise. Where I worry is, you know, it only takes one or two people making the decision to change the strategy. So, you know, take somebody like, you know, an Ibrahim al-Asiri, who is this master bomb maker. Okay, but okay, so he changes, through the thought experiment, but they go out and hire someone to do it for them. That's okay, worry about, right? Like, who would they hire? I mean, because, I mean, it, you know, obviously a Stuxnet-like attack was a highly sophisticated, involved two, yeah, very strong players in the field, both United States and Israel. So I mean, sketch out where a terrorist group sort of hired some hacker. What could that hacker really do?

I mean, I think that if you, this is going to start to sound like a Bond movie a little bit, okay, but I mean, you know, it's a good way to sort of wrap things up. Yeah. Find some, you know, a deeply unethical, malicious, you know, Eastern European probably, sorry, you know, a group of individuals who basically are, you know, a highly sophisticated criminal enterprise, who say, yeah, we'll knock, we'll do a power blackout for you. Sure, I mean, I think, I think that's possible, absolutely. And, you know, and if al-Qaeda really decided that's where they wanted to marshal their resources, sure. And, you know, look, ISIS gets a lot of credit for being very technologically savvy in their use of social media, and those two things are not the same thing, obviously, but they're sort of, you're getting closer to this idea of, why wouldn't somebody nice to see, like, you know what, we should look into this idea of
hiring somebody in Belarus to do this? Why not? I bet we could pay him enough money to do it.

Well, on that, uh, cheerful note, um, uh, Shane is going to be more than happy to sign books. Yes. And let's give him a round of applause. Thank you.