The Communicators  CSPAN  August 29, 2011 8:00pm-8:30pm EDT

8:00 pm
.. look at the nature of cyberthreats against the u.s. and what they suggest to strengthen u.s. systems. we talked with james lewis of the center for strategic and international studies, alan paller of the sans institute and catherine lotrionte of georgetown university. this is the final segment in a
8:01 pm
month-long series on cybersecurity.

>> host: this is week four in our look on "the communicators" in cybersecurity and cyberthreats that face the u.s. and this week we have invited three cybersecurity experts to join us to talk about some of these issues. first off, james lewis who is the director of the technology and public policy program at csis. he also worked on the president's recent cybersecurity report. also joining us is catherine lotrionte. she is the director of the cybersecurity project at georgetown university. she served in the general counsel office at the cia and also worked on the president's foreign intelligence advisory board during the george w. bush administration. alan paller is the founder and research director of the sans institute which teaches cybersecurity training and he was also an adviser to both president clinton and president bush administrations
8:02 pm
at different levels. thank you all for being here today. we sure appreciate it. if i could start with a question for all three of you and mr. paller we will start with you. how would you assess the cybersecurity threat currently facing the u.s. and are we doing enough to confront it?

>> guest: they are explosive, they are expansive, they are getting larger and they are getting more sophisticated and although we are doing a lot we are falling further and further behind every week.

>> host: why?

>> guest: because the technology of the attackers is accelerating and the sharing of data among the attackers is elegant and our technology to stop it is just not catching up and our sharing is abysmal.

>> host: so what is the solution?

>> guest: we actually know what to do, meaning people have found wonderful solutions across the four different arenas but most people aren't doing them so you have examples where good things are happening and a lot of reasons why other people
8:03 pm
aren't doing it and most of the reasons are money. i don't mean they don't have enough money. i mean people are making so much money doing the wrong thing that they don't want to switch over and do the right thing.

>> host: catherine lotrionte?

>> guest: they are getting more sophisticated and complicated and that will continue. in terms of what we are doing on the defense side, you can never do enough defensively and it is never going to be perfect security. so there will be a movement, and i think there is, to think all but the defensive side and start thinking more offensively. we are talking at a nation-state level so international engagement becomes critically important.

>> host: can you give an example of what you mean by offense?

>> guest: so it is very much tied to the defense and they are technologically related as well as the policy and legal are interconnected. part of doing defense well is knowing the offensive
8:04 pm
capabilities and actually using them. so if you know that your security is not ever going to be 100% it is logical to come to the conclusion and many have, that you will start seeing what is sometimes referred to as a more aggressive defense. as we get into the area of more aggressive defense whether from the government or the private sector initiative is an important aspect of the role of the private sector. that is in effect offensive work, but some have termed it more aggressive defense, more aggressive security.

>> host: james lewis same question.

>> guest: i actually don't believe in threats. i think what you have is a remarkably insecure infrastructure built that way and unsecurable the way the internet works now. you have people that will take advantage of it in these armies eventually will see terrorists. so what i see is a place where there is no penalty for doing
8:05 pm
bad things and it is probably unfixable, so when i look at it i think, what is it that we need to change to make this a safer environment? so far we haven't done very much. the u.s. position has been to rely on the private sector, to rely on market forces. that work so well in all their fields of national security. no, doesn't work at all and that is part of it so we need to rethink what we are doing. that is proving -- proven to be very difficult in the current.

>> host: unsecurable, unfixable, in a mess. so what about cybersecurity keeps you awake at night? what is your biggest fear?

>> guest: nothing keeps me awake at night about cybersecurity. i don't think we are facing any sort of drastic attack in the near future. right now as far as i can tell the only people who have the capabilities that can do real harm are big countries like china and russia and a few others. they are not just going to attack us for fun.
8:06 pm
when you see those capabilities spread to people like the jihadis or in north korea then we will have to worry. you know it depends -- people say usually we have somewhere between two and five years before the true nuts get cyber attack capabilities, so i don't worry too much. sometimes i worry that a chinese spy or a russian criminal might accidentally trip over something in cyberspace and cause an immense blackout or crash wall street but that is the only thing we have to worry about is somebody who is playing around and makes a mistake.

>> host: catherine lotrionte what is your response to that?

>> guest: we have traditionally tried in automobile world to say drivers need to drive more safely and basically we are still dying in large numbers. we have began to have a chance to the people driving safely and staying healthy. we are building the -- i don't
8:07 pm
know exactly but i think what he means is the computers that are coming out are indefensible and they are indefensible because it is cheaper to build an indefensible system than to build one that you can defend. the networks that we work on are not defending us and if you work at 80 and, boeing protects you as an employee. if you don't do any work with an isp they don't do anything to protect you unless you pay a whole lot of money so we have networks that aren't safe and computers that aren't safe and users who make mistakes but the users made mistakes are the smallest part of it.

>> guest: i think we will just have to accept and get used to working on networks and a system where it is unsecure and we have to anticipate that we have been compromised and learn how to operate while we are compromised. i think that is the reality of it. but good hygiene, all of that, the standards, all good to do. i still believe there will not be 100% security.
8:08 pm
i spend most of my time thinking about the calculated strategic approach of the nations states in this space and there are states that have reorganized themselves, created cyber commands, command, have hired and trained as part of their military army cyberwarriors and when states do that they are serious about it. it may not be tomorrow but we see that and they may start with the theft of intellectual property. that it happened prior to engagement in conventional warfare, but it is more the state to state and even those that jim refers to, the crazy individuals or the lone wolves that are terrorists or not, they are in somebody's jurisdiction and somebody's state so the key to that is being gates met with the state actors and to get at even the lone individuals that are
8:09 pm
doing this.

>> guest: one thing we have maybe want to make clear is i don't think there's ever going to be a pure cyber war. you might see terrorists do a cyber attack but no country is great on cyber weapons because they're just not that good. you could do some more -- damage that you are not going to have a war with cyber attacks.

>> guest: thanks again for joining us. following on the threat question, we have seen a lot more public acknowledgment of cyber attacks in the last year, which has been interesting and i wonder, i mean because we have seen a slew of discussions about you know, the attempt on nasdaq, the attempt on sony, that the attack on iranian nuclear facilities, and the attack on the computer security firm rsa. i'm wondering what you have seen in terms of these attacks that has concerned you? if anything.
8:10 pm
if this sort of attack shouldn't be of concern and let me start with jim.

>> guest: they should be of concern but none of it is particularly new. you have espionage that has been going on since the early 1980s. you have crime. very lucrative -- very lucrative cybercrime that has been going on for at least a decade and then you have the military potential. a few years ago in the idaho national labs we saw the tests that showed you could destroy critical infrastructure with cyber attacks. none of this is new. what concerns me is that we are having a hard time figuring out how to protect ourselves. right now we are still depending on i don't know fasting and prayer and i don't think is working very well.

>> guest: i think that the stuxnet on the attack on the nuclear facility was a significant game-changer.
8:11 pm
it indicates and shows that cyber is not just limited but it is a problem on the intellectual property theft and espionage but this is a political tool. one that can be legitimate in self-defense you could make a number of arguments but that is a significant -- 2.2 estonia too but stuxnet was an indication of where we are at and where states may go.

>> guest: i'm with catherine on stuxnet. it had one troubling effect and that is although it was targeted to only one site 15,000 copies of it got out in order to get to the outside and every one of those copies is in the hands of people who can learn from it. two things happen. one is it became acceptable in some circles to use cyber attack to do physical damage to critical resources and two the research is out there. i guess i am in a wavelength.
8:12 pm
i call it the awakening, is public knowledge. i think it may be what was needed to stop the historical pattern of security that people like to write about it and not do anything about it. although we can't get to 100% we can raise the bar a lot higher without damaging operations. we can do a lot of good if we get out of the let's write another report about security and spend their money and actually make the systems more secure.

>> guest: when you mentioned stuxnet and particularly all the copies now that are floating around, what do you make of the response you have seen so far from the u.s. and other governments and private industry? i mean is the u.s. government now prepared if someone were to try to mount such an attack on some of our critical infrastructure? is private industry prepared at this point? now that we all know what that threat is at least, what is the response?
8:13 pm
>> guest: it has been minimal. there is a stick your head in the sand -- when the first espionage attacks were recorded by "time" magazine the response of the government was to claim it didn't happen and then when they couldn't prove it didn't happen to change its name and classified so nobody could talk about it anymore because it didn't exist meaning stick your head in the sand where you know a solution seems to be the main government response. that is true in a critical infrastructure. there is a concept for stuxnet attacks work -- called the kill chain. you put in defenses at every step so they get past three of them they can't get past the fourth one. we are not doing that. we are going and writing reports about vulnerabilities in the utilities without looking at how stuxnet was done.

>> guest: the one thing people need to face up to is we cannot protect ourselves against the high-end attacks no more than we can protect ourselves always against a missile or an aircraft
8:14 pm
or terrorist group. so the people who are at the top of the game are going to be able to get through and will need to think of other ways, resiliency, deterrence, military doctrine, along with the hardened critical infrastructure. there is always an opportunity because a lot of this depends on tricking one first and i can tell you now that for every 1000 people i can trick at least one.

>> host: catherine lotrionte you mentioned earlier -- is china a threat and is the chinese government in your view directing some of these cyber attacks?

>> guest: so, in terms of the reporting and what has been discussed publicly already, there is a pretty good indication that at least with two states, that there is not explicitly conducting them at least backing them through other parties, proxies. that is a significant problem
8:15 pm
dealing with attribution. when policymakers actually want to make decisions as to what the proper response would be in the u.s. and specifically a target, and it is gone beyond the major concern right now is intellectual-property threat -- theft which is a problem for national security that we are moving and we are moving beyond that and it is not limited to just stealing a country's secrets or technological advancement. so china, russia and if it is proxies, we need to have our policies in line with international law what our response would be in the case of a state using proxies to attack us and what would be our defenses. with the defenses not perfect, one might then, as in traditional times in the cold war with the soviets, have to think of more of the aggressive defensive
8:16 pm
rules or what would be considered by some as offensive. whether kinetic or cyber, and dod has just said in their strategy that they reserve the right to respond to a cyber attack with kinetic force. it may be wise to respond with kinetic force and it may not. you still have cyber options but the offense needs to be connected to any discussion on the security side.

>> guest: just to take this proxy a little further, just to make it clear. for example in china every pla district has a competition every spring where they pick up people who they have captured, but they have found were doing hacking into other people's systems and they put them in these competitions and the ones who win go into intense 30-day workshops where they learn advanced techniques, but they don't go into the government. they kind of are outside the government but accessible to them. we have tracked a couple of them that have done some really deep penetration into the defense department and the fa won the contest but they weren't on the
8:17 pm
military payroll.

>> guest: there are students in china for instance to get an a, you are to exhibit and demonstrate how you can break into one of the most supposedly secure systems. if i were that student and that was the goal of the class, i would pick something like nsa to see if i could break into nsa. now whether that government funds, encourages that through the universities and backs it and is just the recipient of whatever goods come from that, or the students don't necessarily have to work for the government so there are different levels of winning and on the -- button waiting proxies. the key to that is in leveraging engagement with the states to get an understanding of what is acceptable behavior emanating from a state. whether it is from your student
8:18 pm
body or your private companies or individuals. what is acceptable in the state's responsibility to make sure no other territory or state is harmed from something emanating from your country.

>> guest: while we are doing the diplomacy, we need to remember that part of warfare part of economic competition, the weapons, the next competition will be people and we are way behind on the people side. our colleges are teaching people how to defend computers or how to develop new techniques. our high schools are teaching the basics. our middle schools aren't teaching programming. we are so far off tap, we have a wonderfully called the u.s. cyber challenge which is a big national competition. thousands of kids are engaged, very positive not the negative pressure that the pla's doing better finding wonderful kids that are way behind and ratchet that up in a fast rate.

>> guest: one thing you want to think about though is that we
8:19 pm
can split up in categories, the chinese are the best at espionage. they have an advantage there because the u.s. doesn't do economic espionage. the russians are the best at financial crime and they have an advantage there because the u.s. does not permit or engage in financial crime. but the u.s. is best at traditional intelligence collection we do that against them so when we talk about things like aggressive responses, we might not want to set that precedent because some people might say what are you guys complaining about? you are trumping all over my networks. you are just as guilty as i am and that is not true, but everybody is playing in this game and any solution has to take that into account.

>> guest: jim you had mentioned earlier that in addition to protective measures there needs to be policy measures taken as well such as deterrence in order to kind of creative budget defense layer of cyber defense. what is your assessment of how far along the u.s. is in deciding on its policies of what
8:20 pm
is deterrence in cyberspace, what is an act of war in cyberspace? some of these things are probably need to be clear if you are really going to make use of those sorts of policy tools?

>> guest: the obama administration effects and made a lot of good progress i think we are further along than sometimes might be the public appearance. in deterrence, pretty good idea, we have something called cross domain deterrence which is you do cyber and i do a missile and that is a good idea. the issue with deterrence is there are some things that are not deterrable through military force and that gets into the definition of the attack. espionage, crime don't usually justify a military response. we are really good at deterring military attacks. we aren't deterring espionage or crime and that is because the definition that people are revolving around has not been formally accepted yet around the
8:21 pm
world but where we are coming out is this is just like any other kind of military conflict. the laws that exist now apply and it is not an attack if there is no physical damage or casualties. a little bit of the gray area there but people are moving in that direction. i don't want to talk too much but the area of greatest dispute is our fuzzy foreign friends are making the argument that we need to expand attack to include information warfare and that is because they say that ideas are information or for one security official from one of these countries one who is told me twitter is an american plot to destabilize foreign government. they really believe that and that is because they fear ideas. but for me, an idea is not a weapon. compelling someone through force or the threat of force is an act that falls under armed conflict. telling someone a different idea and trying to persuade them, that is not warfare. we are going to have big fights over that in future.

>> guest: i'm wondering catherine and alan what sorts of examples of cyber attacks would
8:22 pm
actually fall into the category of warfare, an act of war as opposed to espionage and crime in some other things we sort of tolerate?

>> so that is probably one of the most important topics to get states to start specifically discussing under their view and an interpretation in the cyber context. what would constitute use of force versus an armed attack which triggers self-defense provisions in the u.n. charter. espionage also known as at least one of the oldest professions or at least done ever since the creation of states -- espionage is one, not criminalized under international law. there is no treaty that prohibits and outlaws spying, clandestine collection of information. use of force or the threat of use of force against the political independence or sovereign integrity of a state is prohibited under the u.n.
8:23 pm
charter. defining and understanding in the cyber context what would be a threat or use of force, and you can forget again its particular use of force, political dependent and integrity so not all uses of force will trigger that prohibition but there are exceptions into the charter. if you have suffered an armed attack the state can actually as one of the strongest exceptions under article 51, what amounts to an armed attack under cyber is what we really have to start getting agreement on. some have advocated the mere attack against the critical infrastructure is automatically considered an armed attack under the u.n. charter and will trigger then the legitimate self-defense mechanisms of the state and the military as well.

>> guest: do you agree with that assessment?

>> guest: possibly. i say we start with that. we recognize that some states may view that and now let's look back at our critical infrastructure and what that
8:24 pm
would mean. the policy people, that is what we expect or the policy people to focus on, on the use of force. that threshold is lower than the armed attack. you can have -- some have opined that espionage may rise to the level of use of force. covert action typically is accepted as the use of force that espionage not. so in cyber we need to -- which there is a lot going on. which we do and other states do. from what could be an armed attack. if we get agreement from at least some key state actors that have the capability, on while this is what we would perceive an armed attack to be, therefore we don't want to go there. say somebody unleashed an attack like stuxnet on the u.s.. does that come to an armed attack?

>> guest: stuxnet is really interesting because you have to look at the facts around what
8:25 pm
was the justification for the legitimacy if you will for that? arguably, one might propose that it was self-defense, that against their nuclear facility. now, even if you have justification under the u.n. charter, for self-defense argument, you still need to make sure that your action is proportionate to the threat, and we get back to consequences after you have conducted it in cyber. what are those? how do we know what the consequences mean? it has to be proportional even if you have justification. so if you did something without legitimate justification under self-defense like the stuxnet, then it can be viewed as an unlawful use of force and could be arguably rising to the level of an armed attack depending on how a state interprets that.

>> guest: okay say in the stuxnet example then, it is deemed an armed attack and you
8:26 pm
are inclined, or you are proved to take some sort of defensive action. who do you go after in self-defense in the stuxnet example? i mean at this point we don't know who did it. there has been speculation.

>> guest: let's do a little caveat on that though, because it is equivalent to physical damage you could argue is an attack, there is still a decision that has to be made probably by the president about whether this is an act of war that justifies u.s. response. normally we don't respond until we think of khobar towers or the beirut bombing. we know who did that and we know which state was behind it and we took no overt military action against them. the same thing is going to happen here. the president will have to decide, do i want to pick a fight this week? i am too busy with all my other little wars? how do i do with it?

>> guest: you could also authorize covert action, right? so you are doing the secret attack back.

>> guest: but i'm wondering
8:27 pm
and the stuxnet example is really instructive here because nobody has been able to say with certainty who was behind it. so what do you do with that circumstance?

>> guest: i like to leave those questions to catherine and jim.

>> guest: you are asking about the attribution problem?

>> say there is something that has been deemed to be an armed attack or self-defense, some self-defensive action is justified whether it is covert or overt. what do you do when you can't pinpoint it?

>> guest: okay so i was actually going with the stuxnet itself was a legitimate self-defense, so the question is still relevant in terms of attribution. that you would have to know the facts of what your target was and whether in taking those actions, that could rise to the level of the use of force in an armed attack. in using the words act of war, it is actually irrelevant.
8:28 pm
domestic purposes, constitutional separations of powers yes but under an analysis of international law the word war is not even used in the constitute as relevant provisions of the charter. if you suffered an armed attack, you have the authority if one chooses, but you are not compelled to have to respond. often like khobar towers, uss cole, it depends on if you have enough information in which to base because under international law you clearly have to know who the perpetrator was before you take an action against a potentially innocent party. so attribution will be a problem but on the stuxnet i was actually saying that if stuxnet one could argue that it was a legitimate self-defense move in and of itself. now you do worry about the tit-for-tat in that going on.

>> guest: is that the other -- you probably know and this is good for the audience to know, the ability of the u.s. to
8:29 pm
attribute an attack using intelligence is extremely high. attribution is not a problem. the problem is making a decision. do i want to start a war with china now or do i want to let it ride? but attribution as a problem is routinely overstated because people are unaware of the classified side of it.

>> guest: what you are saying is this is not just a technical question. you could use other intelligence to figure out like with any sort of attack whether someone was trying to cover their tracks.

>> guest: we have sort of written, not written off but we are working on warfare and we sort of went by espionage existed has been going on forever. normally you could do that, but in this particular case espionage also has a massive economic effect on the united states so it is military information and it is terrible what we are losing that every time you as an industry are doing
