years. >> guest: she served over ten years. she was my buddy, not negative be 18 but was one of my dearest friends. >> host: and she has a strong social network in that facility and she is released right around the time you are and more than anyone else it reminded me of that image, if it is from a john irving malveaux at a gas station that has a pet tiger in a big cage. it was an old station or something, and one day they left the door open by mistake. the tiger wasn't going anywhere. the tiger was afraid to leave the cage. and the tiger probably could posture five outside the cage. and i thought about that with pops. you know, she's and -- not young

comegys a creature of habit but even when she has vacation she goes to work because that is what she knows, and a person like that suddenly thrust into the big world, she left before internet, before the cell phones, keyless entry to cars. i'm sure -- what are we giving to people like that? >> guest: absolutely. the good news about pops, a person like pops is that she did have ties to the outside world. she had strong ties to the outside world in terms of her family. so there was a clear path we home for her and a ferocious work ethic. >> host: her husband was imprisoned a. >> guest: her husband was in prison. >> host: [inaudible] >> guest: yes, definitely. and full there. that is the other thing that i'm sure is really true in all prisons is that mental acuity or

mental illness makes a massive difference in how folks are sentenced and returning home. pop's didn't have any of those challenges. .. she had far more tied to the outside world. she was even more committed to

the life, as it were and had some serious i think mental health challenges. and so a person like mrs. jones is the one who i really feared for. literally, bike on a visceral level was scared for her to go home. that is a terrible, horrible thing. >> host: thanks for the grace of god. prisoners who just came into the city wants release from sing sing, some of these were big you know, pumped up guys. he talked about one guy in particular with a slight retardation and he said i would see is how parting inside of his chest like a little bird and he said what you see on the outside is not at all what is going on inside lots of times. >> guest: it was probably the most, i mean other than the, watching folks with their kids in the visiting room, which

could break your heart, watching prisoners who were scared to go home, not nervous. everyone is nervous to go home, but you can tell the difference between people who are simply nervous about all of the re-entry factors that make anyone nervous ,-com,-com ma myself included and people who are truly fearful. that was heartbreaking. there were many women who were going home to homeless shelters. two incredibly uncertain futures, to them are immense of islands, to really scary stuff. and they gave me a terrible feeling in my stomach, that person may be a safer place for some folks. >> host: it is a good book in thank you very much were talking to me about it. gue: thank you. speak in his book, "cyber war" what it is and how to fight it, former white house counterterrorism chief richard clarke argues that businesses and government in the u.s. are

vulnerable to debilitating cyberattacks by china and north korea. the spy museum in washington d.c. host this hour-long event. >> you are here to see a book signing by richard clarke, and i must say, as i think many of us no, burchard although he was in the government for some 30 years, i think came to most of our attention in 2004. when he appeared on both 60 minutes, his book against all enemies came out in that period and he also touched upon before the 9/11 commission. that was against all enemies. later he wrote a book that greatly impressed me. that was your government failed you. and they think for a gentleman who has served for 30 years, served in the top ranks of government, served presidents, president reagan and served in the white house the president

reagan, george bush 41 and george bush 43, as well as president clinton, dealing with matters of cybersecurity, terrorism and our infrastructure in regards to national security issues. having stood in those positions i thought was a remarkable thing to do and i thought it was a superb book and it made me a fan from then on. the thing i think that i am very impressed by the book that he has just written, brought out, cyberwar, which by the ways available in the back for sightings. richard said he would stay after the presentation to sign copies. i think one of the things that impressed me was the clarity of the book. he speaks early on of the meeting he held with others, trying to get their hands around this particular issue, the cybersecurity issue and he made a commitment with others to try

and bring these issues, such as cybersecurity come into public discourse. that was a personal commitment in this book is part of what he is has done to fulfill that. so that is very impressive. richard commons is a pleasure to have you here today. the stand is yours. [applause] >> thanks very much. it is a great pleasure to be here. i love the spy museum and i have been a fan since the day it opened, and i know many of you have as well. thank you for taking your lunch hour to come and talk with me about cyberwar. the name of the book is "cyber war," but it really talks about three distinct phenomenon, and cyberwar is one of them. but cyberespionage is also one. and the third is cybercrime. the three phenomenon and i will try to define each one of them but the three phenomenon all occur because of what happened

in the 1990s. in 1990s, without are really thinking about it or planning it as a nation, or having any real discourse about it, we suddenly realized that this thing that had been around for about a decade at that point, the internet, held real promise in allowing us to do a huge friday of things far more cheaply, and so, by moving functions that used to be performed person-to-person or through the mail into cyberspace, into the internet and the other networks that make up cyberspace, a lot of organizations were able to reduce their costs, and gradually this began occurring in the 1990s and it is no.since that if you look at the economic statistics in the 1990s, to other things happen. one, america's productivity went through the roof.

especially compared to the rest of the world and two our economy boomed because we were lowering our cost of operation and opening up this whole new industry, the i.t. industry. and it all seemed like a great thing, and it was. the 1990s look pretty good in retrospect compared to where we are now. but, there was a downside, and that is that we were beginning to use a system that was designed for one purpose. we were beginning to use it for a whole series of other purposes for which it was not designed and not very good. the internet was designed, as most of you know, as a communications network or research professors at leading american universities. and it never occurred to the people who designed it i know because i have talked to them, that they would ever be any abuse on the internet is after all these were just research

professors exchanging information. accessing databases, accessing libraries, collaborating across the country on projects. it never occurred to them that there would be anybody like us using the internet, untrustworthy, unwashed people, the public, let alone that the defense department, the banking system, and everything else would start using the internet. not just start using it for e-mails or for webpages to communicate information, but start using it as an essential element of their functioning. an element so essential that the organizations cannot function anymore without it. those organizations are pretty much everything when you think about it. so, think about airlines. airplanes take off. why does that have anything to do with the internet?

well, all too often what you see is that a big airlines like delta, northwest and air canada, they have all their airplanes working, all of their private show up in their cabin crew shows up and they have their fuel and everything they need to take off in the entire corporation's computer organization crashes. what happens? nothing happens. the planes don't take off. you have hundreds of planes sitting on the ground, capable of flying but the airline can't operate without its computer network. why? it doesn't know who should be on the plane. doesn't know what seat they should be in. it doesn't know things like the loading factor on the plane, cargo and people can't figure out that fuel ratio so they sit there for hours. or, and you have seen this happen, the air traffic control sector in one part of the country has the computer hiccup, and the computer system goes

down and planes can take off because the air traffic comptrollers can't see them and can't direct them. every time that happens, and it happens unfortunately two or three times a year, if you read the news stories at the end it says, but there is good news, because the computer system at the faa uses for air traffic control is so old it is about to be replaced with a new, more digital system operating on windows. [laughter] every time i read that i ago all god, it is just getting worse, everything. trains, i talked to the ceo of the largest or second-largest, i am not sure which, freight railroad company in the united states. i asked them, so what is your company's reliance on cyberspace? he said well, i think of our company is basically a computer company with trains. why?

because we line up these trains and we put cargo onto them, and each card going to a different location, and each training operating on a network has to go different speeds and some have to go fast, some have to go slow, some have to sit sit on the site to another will pass them. they have to stop the different places and drop off cars. other trains come along and pick them up and when our computer system fails, we just stop all the trains. i learned last week for the first time that every locomotive in the united states, in all of the freight railroads, receives a download twice a day onto its windows xp computer. trains. and you can go through industry after industry. airplanes, trains, pipelines, electric power grids. i talk a lot in the book about the electric powered grid, so much so that i am sure it gets a

little much after a while but the electric power grid is all controlled by computers. computers decide how much power should be generated by each substation, how that power should be routed down what high tension lines, because if you put too much power down my high tension line, the line melds. and if all of the generators are not spending by the network at the same rate, they can explode. i know it sounds strange, but it is true. so the entire eastern electric power grid, from florida up into canada, the entire western electric power grid from baja up into canada, they are all interconnected, one east, one westin texas of course has has to have its own. those three power grids ball control everything on them are controlled by computer networks. and if suddenly something

happened to these computer networks, that the banks, at the power grid, at the pipeline, at the train, could we go back to where we were in the early 1990s in the late 1980s? could we go back and replace those computers with whatever we did before? so that it somehow, someone waved a wand and suddenly all the computers did not work, what are the backup systems? for a while in the 1990s, early 1990s there were backup systems. whatever we had been using before, we switched to computer based controls, was still around in some companies. nowhere today have i seen other backup systems available. when i ask ceos are heads of federal agencies, what if you didn't have a computer network? what could you do? the answer is, we send people home.

well, what about the backups? they are computers. if you think about this, it is true. who here can still find a manual typewriter? do you have a manual typewriter? doesn't work? alright, so you are safe but for the rest of us, for the rest of us, we don't have manual things. so, we are all now reliance, every major industry, every function that we do all day long from turning on the lights to getting water out of the tap to getting money out of the atm machine to getting on the metro to come down here, everything we do is dependent upon computer networks. most of those computer networks are connected to the internet in one way or another. they are all operating, most of them, are operating using software protocol that were designed about 20 or 30 years

ago and we are not designed to be secure. so the basic architecture of the internet, which is most of cyberspace, was never designed to be secure and it is not. it is not. the result is that it is relatively easy to hack into a lot of things where you shouldn't be. and it is difficult, but possible to hack into the things where you really shouldn't be. let's come back to the electric power grid. what we found in test over tester or test when i was in the government was that, if you went to the internet, went to the web facing page on an electric power company, you could almost always hack into the electric power companies public web page. from there, you could hack into their internal network, their

intranet, their local area nets for their offices. and from there you could then hack into what is called the skate of system. supervisory control and data acquisition. what it means is the software that runs the power grid. so that in a three-step process, you are able time and time and time again and as recently as this year people have demonstrated it, the ability to hack from the public facing internet into the corporate network into the control system. chinese graduate students publish an essay earlier this year in chinese that said, well you know all you have to do to bring down the american power grid is hack your way into the least secure of the power grid companies because they are all interconnected and you can cause a cascading failure and it will cause a blackout. it is nice to know chinese graduate students have these interesting topics that they write about.

you may have seen the story last week, but 27% of american youth are obese. this is the cause of concern for our military, because they think that means they won't be able to go into the military. but, i saw a great quote last year from the american air force two star general saying, i don't care what their physical condition is as long as they can hack and take down the power grid. this is a recurring theme around the world, people talking about taking down power grids. so, what that what that is a bad droplets talk about the three phenomenon. cybercrime, cyberespionage and cyberwar. cybercrime, you are familiar with. you know about identity theft in the scams on the internet called phishing with a ph where it looks like a sure bank that sent you an e-mail, and you click on it and then instructed, what

looks like your bank's page opens up in your browser and you type in your bank password and it is not your bank. maybe it jumps to your bank, it connects to your bank after you put your password in but you actually put your password in on some clone site being run by criminals who may not have your password and account number. so far, most of the banks have been making good on your money when it is stolen from their bank accounts. but that means the banks are spending hundreds of millions of dollars a year making good stuff that is occurring in cyberspace. without seeing cry birth-- cybercriminal cartel operating, largely in eastern europe but also in other parts of the world where it is not one hacker using his or her skills to engage in

cybercrime, but it is scores of people operating together with computer labs. if they are attacking software companies so they are putting in trapdoors and software before the software is even sold. so that when you buy, you buy some software's from some company, and unknown to that company, there is a little line of code that the criminals have inserted that allows them to get into your computer. it is getting very sophisticated out there in the world of cybercrime and the u.s. government prosecutes about 1% of the cybercrime that occurs in the mean amount. that mean cybercrime pays. bearer estimates the cybercrime pays in the billions of dollars a year on a global basis. somebody is getting awfully rich. and those somebodies tend to live in places like russia.

oddly enough, when the u.s. government says, we have this computer that was attacked in the united states and we traced it back to who did it and we would like you to arrest them. the russians don't arrest them. so there are cybersanctuaries for the cybercriminals. a growing problem. the united states approach we say in the book is bankrupt, because essentially the united states says to 90 different attorneys around the country, and 56 f. ei offices. it is a criminal activity. you have to prosecute it. they don't have a central organized approach that is able to deal internationally, successfully with the cybersanctuaries. some of the cybercriminals now are also participating in in the

second phenomenon, cyberespionage. so if you are a business intelligence firm, and antiwar selling information to let's say a big company that makes airplanes in europe. they want business intelligence perhaps about bowling, their competitor. so the big european companies not going to hack into bowling. they will get caught doing that. so, they go and they hire a business consulting firm. a business intelligence firm, a business intelligence firm goes out and hires a hacker. they had their way into the company. industrial espionage. it is happening at a prodigious rate. about 18 months ago, the head of reddish intelligence, the british secret security service, mi-5, wrote a letter to 300

ceos in the u.k.. the 300 largest companies in the u.k.. and in it, he says, you have to assume that your network has been successfully penetrated by the chinese government and any corporate secrets you have have been successfully axel traded from your network. the u.s. government has not written that letter yet, but i can assure you, the content if they did write it would be the same. every major u.s. company has been successfully hacked by probably the chinese government at a minimum and probably lots of others. and the crown jewels of those companies have been stolen. their results are billions of dollars of research funded by the taxpayers are the stockholders going to competitors who pay nothing for pennies on the dollar.

our secrets and aerospace companies, our secrets and pharmaceutical companies, in biomedical companies, are secrets in financial deals all stolen by either criminal cartels engaging in cyberespionage for hire, or by foreign governments. some of those foreign governments, when they steal information from u.s. corporations, turn around and give that information to companies in their own country. doubt that accusation has been made a lot about the united states from europeans, particularly the french. the french say, the united states is out there hacking and stealing information and giving it to u.s. companies. that is not true. i can assure you it is not true. it is illegal, we don't do it, but other people do. and it has totally changed the

nature of espionage. think about traditional espionage. think about-- or someone like that, who was smuggling out pieces of paper. smuggling out pieces of paper from the f. ei building down the street here. every time he did it at risk of being caught. taking pieces of paper and putting them in his shoe, and then having to meet his russian handler in some park somewhere, or have a dead letter job in some park in washington, to pass information on. that was traditional espionage. do you know how hard that was? first of all, the russian has defined an american on the inside who would likely do the spying. that targets buying was incredibly-- and took most of the time, targets buys. then you find the person who might provide the information you have to persuade them, you

have to pay them. you have to do all of this manipulation. is very risky. what do you get as a result? a shoebox filled with paper. in one hour, a hacker can get into a network and ex-filtrate the equivalence of the library of congress. terabytes of information out the door in minutes, certainly in hours. and most of the time, the companies or the institutions involved don't notice it at the time. most of them notices after-the-fact when they check their logs, but sometimes even then they don't know. cyberespionage has totally changed the world of spying.

cyberwar, what is cyberwar? how is that different? last october 1, the united states government open something called u.s. cybercommand. which is headed by general keith alexander, who has already got in his fourth star or is about to get his fourth star. the u.s. cybercommand is a military operation that includes navy units, air force units, the navy stood up something called the tenth fleet. the tenth fleet has no ships. here for stood up something something called the 24th air force, which has no planes. the tenth fleet and the 24th air force report to cybercommand, and their battle space is cyberspace. we have military organizations designed to fight in cyberspace. and we are not alone. in public testimony, leon panetta, the cia director has said between 20 and 30 nations

now have military organizations similar to cybercommand, designed to fight in cyberspace. how do you fight in cyberspace? you are envisioning gianna reeves in the matrix or something. not quite. not quite. milk kickboxing is-- no kick boxing is required. what do you do? if you are on the offensive, you hack your way into those systems on which we all depend. you hack your way into the control system for a power grid and cause a blackout. well you say that is a nuisance but i can flip the switch and turn the power back on. well, maybe. but maybe the attack was designed to cause lasting damage to the power grid. maybe it melted high tension wires and cause generators to spin out and explode, before it caused the blackout. if that were true, the blackout

would last for weeks if not months. what if the attack was on the railroads? and caused at key junctions on the freight rail networks there to be massive derailments, causing days if not weeks worth of-- where the railroads would not work and supplies could not move. whatever was on the air traffic control system or the airlines, and we were grounded for days, the way europe was last month his of the volcano. what if all that happened at the same time? and what if in addition to attacking a civilian infrastructures, the military organization was attacking, also attacked the other military. so they turned off the communication system of the other military. perhaps they turned off the air defense of the other military.

to make this clear, let me give you one example of how that could work. cyberwar, the book, opens with a scene in syria in 2007. syrian air defense operators are sitting there at night, almost midnight, they are looking at their radar screens. there is not much up in the air. syria at that time of day, that time of night, nothing going on, all is well. at the exact same moment that they thought the sky was empty, the sky was filled with israeli f-15 and f-16's that have flown through turkey and then on a right hook income down into syria to blow up a secret nuclear facility in the corridor of syria of near the turkish border. they bombed it, destroyed it, and escaped and never once did any of those big f-15's in big

f-16's show up on syria's radar screen. the f-15's and f-16's were dyed designed in the 1970s and they are big and they reflect radar like a christmas tree lighting up. but they never appeared on the syrian radar screens. because, before israel launched its planes, it launched its cyberattack. c. karelia took over the secret -- syrian air defense and gave the syrian air defense operators an image that israel wanted them to see, which was nothing is happening. those explosions you hear in the background and those airplanes you hear flying overhead must be something on the tv. so, cyberwar has already started there are examples of cyberwar. estonia was attacked a few years ago. its banking system, it's

governed ministries and its phone system crash. the people in russia did it. a year later when russia invaded the nation of georgia, as their tanks were rolling across the border into georgia, they are cyberattack was simultaneously occurring, bringing telecommunications systems, but banking and other key functions of the georgian government. it is not a theory. it has happened. it has happened of a small-scale. it is happened somewhat primitively, but it has happened in the real world. and we know that a lot more can be done that has happened in cyberspace. so, is this a good thing? cyberwar may be better than other wars, right? people don't really get killed in cyberwars. it is clean, it is neat. we don't have to do calisthenics.

well, we argue in the book that cyberwar probably is not a good idea. that, if we could put the toothpaste back in the tube we would. unfortunately, we can't. we argue that cyberwar is not a good idea for two major regions -- reasons. won the united states is relatively defenseless, and case it is attacked in a cyberwar. and two, cyberwar can leave pretty quickly to a shooting war. so, you might think well you know it is only a cyberwar, let's do it in the next thing you know all hell has broken loose. i said the united states is relatively defenseless and i know a lot of you are thinking, why is that? how could that possibly be? well, we are really good on the offense. cybercommand another units in the u.s. military and intelligence community have been doing this stuff for years.

they invented it. they are really good at it, and you have to assume that anything anybody else is doing probably the united states government is doing too, only better. so when you read about all those chinese attacks hacking into google and everything else in america, somebody is probably doing it to china. but, we have no plan, no system, no strategy to defend this country against a cyberattack. cybercommand has a mission that involves not only offense that cybercommand is also supposed to defend the military. and the intelligence community. the department of homeland security, who are so good at everything else, their mission is to be capable some day of defending the rest of the federal government.

okay, so maybe someday we will have a federal government and we will probably have the military and intelligence but what about all that other stuff? what about the power grid in the railroads and the banks, and all those things that make the country work? all those things of which the government and the military depends just as much as we do. there is no plan to defend them. there is no government agency whose think it's job is to defend them and given the nature of our society, our economy, our laws, our congress, it would be very difficult for us to set up a system to defend what is 80% of our cyberspace. now, do you think china has the problem? do you think russia has that problem? in russia, there is one big internet service provider. they don't have ricin and at&t in all these people competing.

there was one big internet service, and it is owned by the russian government. and largely run by their version of the national security agency. china has already started architecting and designing its cyberspace so that they can shut it off from the rest of the world. they have drawbridges in cyberspace that they can pull up and isolate the country, and they can filter for content running through their cyberspace. in other words, they have thought about defending against the cyberwar, and they have a system. it is not perfect, but they have a system. china does, russia does. and then there is little north korea. north korea that can barely feed its people. actually it cannot feed its people. north korea staged a cyberattack on the united states last july 4. just a little test to see if

they could do it. and they did. they attacks most federal government agencies. there was a simple denial of service attack in an attempt to knock service off the web. they did. it was the largest attack we have ever recorded on the internet and we are pretty sure that north korea did. but not from north korea. because they don't have any internet. they don't have any cyberspace and north korea. they barely have tv. so they sent their cyberwarriors to china and to south korea that is where they launch their cyberattack. so, if north korea staged a big cyberattack on us, and we wanted to attack them back in cyberspace, they have no cyberspace for us to attack. which is the best solution you could ever have for defending cyberspace.

you know the three laws of cybersecurity. the first law of cybersecurity is don't have a computer. do you have to have a computer? if you have to have a computer than the second law of cyberstate-- cyberspace, don't turn it on. then the third law of cyberspace , if you have to have a computer and you have to turn it on, don't plug it into anything like the internet. that is kind of the north korean approach to defense but we don't have an approach to defense. unfortunately, the bush administration and the obama administration's philosophy is we will defend ourselves and the rest of you in the private sector you are on your own. it is a bit like, in in the cold war when the russians have all of those bombers that were

designed to come over here and bomb our industry, it is a bit like the u.s. government in dwight eisenhower and john kennedy turning to the private sector saying to u.s. steel, the ceo of u.s. steel, you have all the steel plants in pittsburgh, and in aboard the russian bombers are going to come and bomb them. so u.s. steel, you ought to go out and buy some air defense. that is not what they said. they said the united states government will defend against a russian attack. but today, we are being told we are on our own. we have to defend against cyberwar, cyberespionage, cybercrime. not good. the arguments we make in the book are, we need a defense strategy for the whole of our country.

and that defense strategy has to be part of an overall strategy for cyberwar, which has to be publicly discussed. we don't have a national strategy for cyberwar. the congress does not know about one. the public does not know about one, the media does not know about one and i'm reliably informed that there isn't one. so we need a strategy. we need a defensive strategy. at the end of the book we suggest, we also need not just to focus on cyberwar, but to focus on cyberpiece. i did arms control for over two decades in the state department, arms control involving biological weapons, chemical weapons, strategic nuclear weapons, conventional weapons. every time we started one of these things, i was told that is too hard. are you going to fix this for me?

it is too hard, you don't do arms control and things in space. you can't do arms control and chemical weapons. and they were all very hard, but we got arms control agreements on all of them. those arms control agreements made the world safer. some of us think the work the united states did in the cold war on nuclear arms control probably save the world. it probably stopped or made it more difficult, reduce the likelihood of a nuclear war. so we think it is about time to start thinking about arms control in cyberspace, because we know it is difficult. we know there are verification problems. we know you can't trust people, but we know that the military of 20 or 30 nations is moving into cyberspace. so it is about time the arms control people do too, and begin to take baby steps that maybe

will get us one day not to cyberwar, but to cyberpiece. thanks very much and i will be glad to take your questions. [applause] yes sir, and in the blue shirt. >> if you would make-- if he would wait for the microphone so everyone can hear the question. >> thank you. for nearly half a century, we lived in a world where short mutual destruction was the key word to keeping the cold war a cold war. my question to you would be, if there was an hourglass right now with the sand running through it, what kind of a timeframe do

you put on this current cold war before it becomes hot? >> i think it is hot in the sense that cyberespionage is happening every day. both against government and against industries. in terms of cyberwars happening, there have been little ones, like estonia, like georgia. that nationstates are not going to go out and fight a cyberwar just because they have got some some new shiny cyberweapon. nine nations have had nuclear weapons for decades, and the only time anyone has ever used a nuclear weapon in anger has been us, and that was in 1945. so, nations, nations are still responsible actors. that is a good thing about nation states as to terrorists. nationstates will not go to war just because they get a new weapon, but when they choose to go toward next, most nations

will involve cyber, either as a component of the war or as a standalone. so imagine, imagine for the sake of argument that we get sanctions on iran. we are trying to get u.n. sanctions on iran to stop their nuclear program. let's say as illustrative, that we get u.n. sanctions, we get an oil embargo on iran. the iranians are not going to like that so they are going to retaliate in they are going to have terrorism attacks in afghanistan and iraq and elsewhere. but if they have cyberweapons, which i believe they do, then they could respond to the u.s. fifth fleet stopping their oil exports. they could respond not just in the persian gulf, they could respond here by attacking infrastructure here. so, that is one scenario that i think is highly possible. but the point is whatever nation nationstates go to war in their

sophisticated modern states and even if they are north korea, when they go to war in the future, they will use cyberweapons, and there is not a clock that is driven by the cyberweapons. there is a clock that is driven by other political military and economic factors. you may see a standalone cyberwar as the attack on estonia was. you may see it as part of an overall military campaign as the attack on george or was. yes sir, in the red sweater. >> based on what you said, the previous agreements and other types of warfare, chemical, biological nuclear and so forth, we were able to achieve agreements because there was mutually ensured it distraction, if you do it to us we will do it to you. what negotiating power would we have to negotiate cyberpeace agreements? >> we discussed this at some

length in the book, that the thing that worked in the cold war and an ear balance was this concept of mutual assured destruction or a mad. essentially what matt said was if you attack me with a nuclear weapon, even if you surprise me, i will have enough nuclear weapons left after your attack to totally destroy you. week, the united states came up with that theory. we built enough nuclear weapons. we now by the way, we now know how many. hillary clinton announced and the pentagon announced last week how many nuclear weapons the united states had at the height of the cold war and how many we have today. it was like 33,000 nuclear weapons at the height of the cold war and it is something like 5100 today. the soviet union adopted the theory of mutual assured destruction so it was not mutual. we both said you can't hit us with nuclear weapons because if

you do we will blow up the world. if you try to apply that theory in cyberspace, it rakes down. for a lot of reasons. one, you don't really know sometimes who is attacking you in cyberspace. it is not with high confidence initially because you can make it look like somebody is attacking but it is actually somebody else. number 2, in mad, you noonan what a nuclear weapon would do. it would ruin your whole day. there were 20,000-- 2200, 2200 nuclear explosions in the atmosphere during the testing period. and so everybody got to see what nuclear weapons could do, and our nuclear weapons and china's and russia's and england's did the same thing, very destructive. so there was some confidence in what the war would look like. we are not really sure who has

what capability in cyberspace. you can't fly a satellite over china and count the cyberwarriors the way we used to fly over and count the missiles and count the tanks and count the bombers. so, and mutual assured destruction does not work too well and then as you point out, if you can't defend, if there is an asymmetry in the one country that can defend itself really well and the other can't, and if the one they can't discuss, they mutually assured destruction does not work very well. i still think that there are reasons to negotiate arms control. to prevent accidental war, to prevent a war that gets out of control because cyberwar is very fast. cyberattacks take place in seconds. they move that almost the speed of light. so, there are reasons to do arms

control. we are not going to get the kind of arms control treaties we got for other things. this will be a different kind of a regime, but i think if we take baby steps, one little agreement at a time to reduce mistakes, to build competence, to allow for attribution, ways of figuring out who actually did the attack through international cooperation. i think that is all worth doing. yes maam. >> what is cyberpeace? it was interesting, what google just went through in china clearly different definitions. cyberpeace as we definition in the book is making it unlikely that cyberwar will happen. so, it is things like i just talked about, international agreements to aid in figuring out who does the attacks when

they occur, international agreements to help each other if attacks are occurring. agreements that we will take some target sets off the table. one of the rings that happened in the nuclear war business was, we have agreements that they wouldn't blow up, never agreements but understandings that we wouldn't blow up each other's cities. we wouldn't blow up each other's leadership. because if you blow up the leadership there is no way of stopping it. so we never had a plan. we did not plan to decapitate the other side because you need to have someone to turn the war on, so there were agreements or tacit understandings. we could probably get a tacit understanding or foreign international treaty today not to attack international banking, because everybody is invested in everybody else in the whole

international financial system is so interconnected, that for most countries, maybe not for north korea, maybe not for iran, you could create agreements to say don't attack this. before we invaded iraq the last time, there is a plan to do a cyberattack on the iraqi bake the system essentially to steal saddam hussein's money, so he couldn't escape the country with his money. president bush said no. he was willing to kill 100,000 people and willing to invade and bomb the country to smithereens but he wasn't willing to mess with the banking system. so, there are beginning to be understandings about things that could be arms control in cyberspace. and that together is what we call cyberpeace. yes, sir. speak given the apparent

necessity for cooperation between government and the private sector to create this cyberdefense, and everyone, the knowledge everyone has that the reliability of software like windows produced by the private sector, what role do you see for open source software, security and products in the future defense of strategy? >> open source is software that is put together by a collaboration of people around the world and there are no secrets in that everybody can see all of the codes and everyone can comment on it and improve it. i think open source is important because it is diverse. if everybody is running the same software, and somebody figures out how to hack that software than everybody is in trouble. if everybody is running windows or apple or whatever, i think that is risky.

the more operating systems you have, the greater diversity of operating systems i think more likely it is that something is still going to work after an attack. so i'm a big believer in diversity and open sources of requirement to get that diversity. the open source people like to say they are more secure than proprietary systems. you can get a real debate going among computer engineers that would put us all to sleep about whether or not that is true. yes sir. >> what would you consider to be the actual threshold to determine whether it is a cyberattack is inactive for and is there any current international law that would support making that sort of determination and what is appropriate in terms of retaliation? >> we should ask our international law expert sitting two rows behind you, but we talk a little in the book about the existing international laws of

war, and the international agreements that exist not for the national agreements going back to 1939, not to bomb cities. you could construe some kind of cyberattacks as violating some of the existing international laws. but they were all written without cyberin mind. the only real international agreement that we have the something the europeans-- the european union came up with and we have joined and other nations outside of europe have joined on international cybercrime. it is a good first step. unfortunately rush is not in it, japan is not in it, lots of people are not in it. but there is not very much international law yet. so what could be the threshold of war? it seems to me when a nationstate does something that

damages or disrupts a network, a nationstate cybercommand comes into another nations not work and turns out the electric power grid, causes strains to derail, causes a real-world damage, that can be erased in the database. if someone came in and erase the database in the deposit trust corporation in lower manhattan, that is not physical damage, but boy would it mess up this country. so it seems to me that criteria are a nationstate actor, and doing damage or disruption. that is war. that is cyberwar. a nationstate going in to the same site, making its way and in collecting information, that is not war. that is espionage. it turns out, in many cases the

difference between a penetration to do cyberespionage and a penetration to do cyberwar is a few keystrokes. once you are end, you are in. if you go into that network and you ask filtrate copy all the data, ask filtrate it, that is espionage. if you go into that network and cause the database to crash and erase or cause the trains to derail, those few more keystrokes have been-- have made it war. yes maam. >> what is your argument though, and i think you are right about mad not necessarily because we can't identify so how do you know what is enough? is it not so much a case of mutually assured destruction but the effect of globalization that might limit the ability of say china to attack or even north korea, because if north korea i guess they don't have a great to

lose but they rely on china for a lot of support, so if they heard the united states economically, take down our power grated hurts china because china is heavily invested in the united states so therefore they are hurting themselves. is that going to-- terrorist have nothing to lose, but any country really does. even iran because of russia and the support for them. >> that is an argument not against probability of cyberwar but against the probability of war. that argument, and we did talk about than the book, and we hear this argument all the time about china. china owns all of our treasury notes and we are their big market, and we are so totally economically intertwined that we would never go to war with each other. i hope that is right. but we are building a hell of a lot of stuff just in case they do called aircraft carriers and tanks and planes and missiles.

i think you have to operate on the assumption that even though there is globalization, and there is economic interdependence, human nature hasn't changed, it and there will still be wars. if there are wars in the future, unless you are talking about rwanda, those wars are going to involve cyberwar. and the economic interdependence notwithstanding, country still go to war with each other. and there are a lot of people at the pentagon and down in tampa at centcom today who are worrying very seriously about the fact that we could go to war with iran in the next year or two. despite the economic interdependence and globalization that has occurred. i understand your argument and i appreciated. you may be right, but i don't think it is