
Key Capitol Hill Hearings, CSPAN, August 4, 2015, 8:00am-10:01am EDT

8:00 am
today, juan zarate and on the following panel mark and michael, but somebody in the audience -- some may be in the audience. tiffany was quoted extensively in a recent "washington post" series on the cyber vulnerabilities of the auto sector. a few housekeeping notes before we get started. the first panel will begin momentarily and we will roll right into the second panel, finishing around 2:00. there is a short survey that i would ask you to take if you haven't taken it already; we would really appreciate it. it is anonymous, you can fill it out and leave it in a box, and it will really give us a better idea about how people are thinking about cyber-enabled economic warfare and where resources should be put to it. we will be publishing both a synopsis of the seminar and the
8:01 am
results of the survey, so stay tuned. so let me set the stage for a few minutes on how the project on cyber-enabled economic warfare really got started. it really had its genesis back in the 1990s in discussions with incredibly smart people at the smith richardson foundation, which has sponsored this work, about the intersection of economics and security. in 1997 the asian financial crisis hit, remember? it began in thailand and the contagion quickly spread to indonesia, south korea, malaysia, the countries throughout the region. foreign debt to gdp ratios rose over 180% during the worst of the crisis. riots occurred, governments fell. the causes of the crisis were varied but most experts think it was the combination of crony
8:02 am
capitalism, an economic bubble flooding the market with cheap money, and a simultaneous slump in semiconductor values with the rise in the u.s. dollar. what would it mean to relations between taiwan and china? what would it do to radical groups? it was the malaysian prime minister at the time, mahathir mohamad, whose musings really got us thinking. he pinned the blame on international financiers, saying that they purposefully sabotaged the malaysian economy. he used the words attack and economic warfare, and blamed a western conspiracy to rule the world and to tell other countries how to run their affairs. we discounted the malaysian's
8:03 am
diatribe and rhetoric and his anti-semitism, if you remember that part, but we thought about the broader issue of how a country or countries could use economic means to undermine an adversary or change its policy. we thought back on america's use of economic warfare against the nazis, then against the soviet union, and we began to think the u.s. would need to think differently about these threats and capabilities as the world financial markets became more automated and more integrated. over the next decade the conversation kind of waxed and waned but came roaring back as evidence began piling up on the scale and scope of cyber attacks against u.s. banks, u.s. defense contractors, u.s. intellectual property, our electric grid, our health care system, the most sensitive parts of our government. were we seeing something new? there's always been economic warfare where one side in the conflict is after the economy of
8:04 am
another to affect and weaken its overall strength. the rise of the global electronically networked economy and the growing cross-border integration and interdependence of its constituent parts have produced sizable opportunities for various actors to develop new methods and vectors of economic warfare. both state and nonstate actors increasingly can contemplate new possibilities for using pernicious cyber penetration of critical economic assets and systems to cause harm to weaken target state security capabilities. so we labeled this new class of security threat cyber-enabled economic warfare: the attempt at achieving geopolitical and security goals through cyber-enabled economic aggression. and in this type of warfare the united states is particularly vulnerable. as former dni mike mcconnell said, in a significant cyberwar today the united states would lose. this is not because we do not
8:05 am
have talented people or cutting edge technology, it's because we're simply the most dependent and the most vulnerable. so we started this project with a few organizing questions. one, with escalating cyber attacks on u.s. public and private organizations, are we seeing a new type of action? some form of concerted strategy to undermine the u.s. economically? number two, are there adversaries whose strategies are specifically designed to cause economic harm that could weaken or significantly debilitate u.s. security capabilities? three, is the u.s. prepared to identify and address such strategies effectively? four, if not, what should be done? we did not begin to provide definitive answers in the monograph and for the seminar. rather what we wanted to do was start a robust, much-needed debate on this topic. the chapter authors and those who participated in some of the seminars have also been willing
8:06 am
to put novel and creative approaches on the table. some are workable, some might not yet be workable, but it is critical to find new ways of thinking. because to a person we are certain that u.s. intelligence, defense, treasury and homeland security departments and agencies appear to be inadequately constructed at present to address the way these threats are evolving. the u.s. system for detecting, evaluating and addressing cyber-enabled economic threats seems inadequate, with insufficient focus on the matter. this raises concerns about america's preparedness for identifying and responding to existing economic warfare threats and even more so its ability to match the rate of their evolution. and with that i want to turn to our first panel that examines the evolving nature of this debate. we are honored to have three highly knowledgeable and well regarded individuals. our format is that each
8:07 am
will speak for about 10 minutes and then we will open it up to q&a for another 20 or 30. so first up is the honorable juan zarate, my good friend. juan served as the first ever assistant secretary of the treasury for terrorist financing and financial crimes. he also served as the deputy assistant to the president and deputy national security advisor for combating terrorism. his phenomenal book, which i recommend to everybody, explores the evolution and importance of this new era of economic warfare. and he also served as chairman and senior counsel for the center on sanctions and illicit finance. so thank you. >> thank you very much. thanks to all of you for coming. this is a wonderful turnout and a wonderful event and i want to thank the hudson institute, mark dubowitz, ken wainstein for hosting today. sam, i want to thank you for your leadership, for shepherding the authors into production of this
8:08 am
very important piece of work, i think, and i would commend all of you in the room and those watching online to make sure to pick it up and to read it, because the contributions, at least of the other authors in this compendium, are incredibly important, and i'm honored to be here today, especially with steve and mike, to discuss these issues. i want to thank sam because she gave me an opportunity to write a bit more about some issues that you can see at the tail end of my book that i think are critical as we look forward. what i want to do is discuss with you and maybe open up discussion for the panel to talk about the convergence of financial and cyber warfare. because, as sam has laid out, one of the interesting dynamics of the 21st century is how dynamic, how fluid, how interconnected both the global financial and cyber domains have become and how interdependent they are. the reality is the more dependent the u.s. and western economies become on those globalized,
8:09 am
interconnected cyber systems, the more vulnerable we also become to the potential asymmetric impact and effects of those who may try to attack, if not affect, u.s. interests. and so what i would like to do is just talk a little bit about what the convergence looks like, starting first with a discussion about the nature of the threats, and then what this means strategically. because i think where we are now is we are facing a very dynamic and shifting threat landscape but also a dynamic and shifting strategic landscape where the threat of asymmetric capabilities is really upon the u.s. and has really been identified by the dni and others in the u.s. intelligence community. so let me start first with the threat landscape itself, and in particular the actors involved in this space. it's clear that actors around the world, be they state or
8:10 am
nonstate actors, have realized there's asymmetric advantage in using cyber tools, in using tools of financial or economic warfare to their advantage, that in many ways provide a low barrier to entry and an asymmetric advantage in thinking about the use of these tools in a much more aggressive way to attack u.s. interests. in many ways, as sam laid out, the beginning part of the 21st century was really dominated by not just the bretton woods system and american economic and financial dominance, but the dynamic where the u.s. found innovative ways to use financial power and influence and reach and persuasion to isolate rogue actors and activities from the global commercial and financial system. we have seen this play out obviously in the negotiations with iran. we are seeing this to a certain extent in the debate around russia. the ability to use financial and global tools to isolate rogue
8:11 am
behavior has largely been the province of u.s. government and u.s. policy. but u.s. competitors and threatening actors realize that those very same tools, the same mechanisms, some of the same strategies can be used against the u.s. for asymmetric advantage. and so you see a full spectrum of actors playing out in this space, realizing this dynamic. super-empowered individuals, hackers and activists, for political or other reasons or profit, using these tools to go after the financial system, in particular banks. sophisticated organized crime groups, using tools found easily on the internet, beginning to infiltrate banks and the financial system. intelligence services figuring out how to use these tools for state and nonstate advantage, be it for profit or for political purposes.
8:12 am
and finally nation-states, some of the major powers like russia and china, others marginalized like iran, syria and north korea, figuring out ways to use these very same tools to influence. and we've seen plenty of examples of that. one of the advantages of these actors is the low barrier to entry. as we often say, it's not very costly to get in or be on the offense. it's incredibly costly to be defending against these. there's a supply of expertise available on the internet, often sold to the highest bidder. there is a dark web that provides access to those willing to go into those dark corners of the internet and to connect with those with expertise. there's open source protocols and programs that allow individuals and small groups global reach and to find weak defenses, globally, whether it's at opm or in other systems around the
8:13 am
world where small or relatively weak actors can gain access to prized information. so you have a spectrum of actors with a spectrum of capabilities that provide a low barrier to entry and begin to challenge the use of system interdependencies. the tools of disruption and destruction: you have spear phishing techniques and attacks which are common in the cybersecurity space. you have seen attacks increase in sophistication and frequency. you have seen malware begin to evolve in pretty dramatic and important ways, in particular attacking the financial sector, and using trojan horse attacks which may portend potential destructive malware and botnet
8:14 am
attacks. and these are not just sort of wild imaginings or hypotheticals. we have begun to see this. the jpmorgan attack last summer, affecting 76 million households, is a good example of the potential for vulnerability as well as the destruction. the dark seoul attack in march 2013, led by the north koreans, affecting south korean banks and operations. the denial of service attacks by the iranians and syrians against western banks, which continue to this day. the attack against middle eastern banks in 2012. the nasdaq hack in october 2010, for which attribution has not been fully determined or figured out. matched with significant infrastructure attacks like aramco and others, these portend a real series of occasions and attacks on the financial system in a way that is strategic, systemic and important. let me move very quickly to discuss why the financial system
8:15 am
and in particular banks have become such an interesting and important part of this landscape. i've often said in many ways the international global banks are now the center of the cyber storm. that's for a few reasons. one, banks and the financial system is where the money is. if you want to profit, if you're an organized criminal ring who just wants to make money, wants to engage in fraud, that's where you hack. that's where you attempt to get access to data and to money. it's also where intellectual property and sensitive data may exist, both reputational data that is important to banks but also intellectual property that's important to deals and to companies that are engaged in mergers and acquisitions and entry into new markets. so that information becomes valuable to a whole host of actors. banks over the last 15 years have also become protagonists in many of the national security issues and debates that affect
8:16 am
rogue actors and countries. so the very isolation of iran, for example, from the global financial system has been driven in part by what the western banks have decided to do or not do in terms of business with the revolutionary guard or the iranian companies and fronts. and also, actors in this space, the full spectrum i described, understand banks and the financial system are part of the key vulnerability in the systemic risk for the west and for the united states. some actors, no doubt the most destructive among the spectrum, would find it incredibly advantageous, if not helpful, to try to bring down in some way or destroy the core of the international financial system, what hank paulson has called a magnificent glass house. and so the banks, the financial system, find themselves in the middle of the cyber storm at a time when the asymmetric environment
8:17 am
is evolving. evolving in some interesting ways, as sam mentioned and as the report lays out, with our vulnerabilities increasing over time, not decreasing, and our defenses not keeping up. with hybrid warfare and gray zones of warfare beginning to evolve as parts of national doctrines; we see this clearly with the russians and how they're thinking about the use of proxies as well as cyber capabilities. and you see this as well in an environment with much more fluidity than in the past, with rogue actors able to interact and able to profit with and for each other. and so the chinese government is able to use nonstate actors to hack and to claim deniability for those attacks. the syrians rely on proxies, and the north koreans are building capabilities, as seen in the sony hack and attack of last year. and so there's enormous
8:18 am
adaptation happening in the environment through technologies, due to the global connectivity of the system, but also strategically with these rogue actors, with these challenging states thinking aggressively about how to use these tools. i know the next panel is going to get into some of the defensive dimensions of this, but i do think it's worth mentioning at least some of the ideas that i put forth in my piece, which i know we will discuss here, because it's a new way of thinking about the strategy, a new way of thinking about these tools and, as i put it, on the defense but also on the offense: thinking about more aggressive public-private partnerships and paradigms that allow us to create better defense in depth but also denial, strategies of deterrence which we have yet to do using financial tools like the president's executive order from april 1, perhaps some tailored hack back
8:19 am
capabilities in particular instances, perhaps with a cyber warrant, when the government gives license to the private sector to protect its systems, to retrieve data that has been stolen, or maybe even something more aggressive. and then finally developing the redundancy of our system so it becomes less attractive as a strategic tool for our adversaries. so with that i hope it's a helpful way of framing the issues; it's a much more dynamic and vibrant landscape, not just in terms of threats and technology but strategically as well. >> that's fantastic and i look forward, both in the q&a from this panel and going into the next one, to discussing some of those things that juan laid out at the end, particularly hack back, which is a very interesting topic. next up we have steven chabinsky, general counsel and chief risk officer for the cybersecurity technology firm crowdstrike. prior to joining crowdstrike he
8:20 am
served for over 15 years with the fbi, where he helped shape many of america's most significant cyber and infrastructure protection laws and strategies. as deputy of the fbi's cyber division he helped oversee fbi investigative strategies, intelligence analysis, budget and policy development and execution, and major outreach efforts that focus on protecting the united states from cyber attacks. >> that was so good, all that is left for me is to pull on some of the threads. what a tour de force. as an overview, where you started and where you ended is where i'm going to start, which has to do with strategy. where are we and where should we be? we have a failed strategy right now. the way we know this is we keep putting more resources, more people, more effort, more policies in place and the problem keeps getting worse. by no stretch of the imagination
8:21 am
could some say that is going well. and even our best efforts, to the extent we say we are doing better over time, don't compare to what the threat is doing. that differential keeps growing. to address why, i think first i want to summarize, in my view, what others are doing to us from an economic warfare perspective, what we're actually doing to ourselves in response that is making it worse, what this portends for our future, and hopefully where we go from there. what others are doing to us, as juan mentioned, goes across a full spectrum of activities that range from stealing confidential information, some highly sensitive information, intellectual property that is our businesses', not only distorting market conditions but over time, as we have seen, eroding a lot of economic capability. and private information about
8:22 am
individuals that we are seeing can be used both to defeat consumer and citizen confidence as well as used against some people, depending on how sensitive the information is, for espionage or for purposes of blackmail and extortion. the ability to capture information shows the ability to change information and to destroy information. juan brought up a couple of those examples, the aramco case in which a company in the middle east wakes up to find 30,000 computers destroyed overnight. but it's not only about data. it's also about physical systems that are being run. so if you change the integrity of nuclear enrichment, for example, which we've seen capabilities that could be used in, which also could be used against us, or manufacturing products, changes in the integrity of chips and components that go to military
8:23 am
fighters, which we've seen through supply chain attacks. what that shows you is there are a number of ways for the adversary to come at us. it could be remotely; you hear a lot about the phishing attacks. it could be through the supply chain, as we mentioned. products are being created all over, either in the design or the manufacturing or the delivery stage. and it could be insiders in our country, which is fairly liberal in terms of work visas and the diversity of our workforce. so the vulnerabilities are enormous, and now let me step back to how we responded. economically we responded in the worst possible way. what we've done is we have sunk billions of dollars in our budget into the least probable method of success for cyber. what we've done is we've focused almost entirely on vulnerability
8:24 am
mitigation. we are expanding our surface area through the internet; biomedical devices could be hacked. one brand, just yesterday, the u.s. government told all hospitals to stop using a particular type of infusion pump because through the enterprise network hackers could get in and start changing the delivery of medicine to patients. we saw of course a car, the demonstration of a car being taken wildly off course. and vulnerability mitigation is a fool's errand if you think that will work against determined, persistent, sophisticated, full spectrum actors of the type that we are up against. and it doesn't work in the physical world. what we do in the physical world is you do a certain amount of vulnerability mitigation, lock doors, windows, change the quality of the doors and windows, but there's a point where if an intruder wants to get in bad enough, be it through the roof, cutting through the ground, they will. and we change
8:25 am
our strategy quite quickly to threat deterrence, which juan also mentioned: the idea that we concede the ground, we say it is possible for you to get in, but no longer will this be about me protecting myself. it will be about me going after you. the principles of threat deterrence involve detection. if you don't know they are there, it's pretty hard to deter them, and we are seeing routinely organizations, agencies, corporate industries that are very mature taking in excess of 200 days to even know that there is an attack on their system. they have to be able to detect it, attribute it, either down to the person who is behind it, or a responsibility model is perfectly sensible: we don't know if it is you, but you are responsible for stopping it because it's coming from your area. and then penalty. if something is triggered, the worst that could happen to a hacker currently, for most of what we are seeing in the advanced space, is that you
8:26 am
have to try again. if they don't succeed at first, they try, try again. that model has to change. in the physical world we put up alarms, and that is for detection. you put up cameras for attribution, and when your alarm rings at 2 a.m. and goes to the monitoring company, the monitoring company calls the police. they don't call a locksmith to come over, because it's about penalty-based deterrence. and you'll note from an economic perspective that what we've done to ourselves in response is we're bleeding ourselves financially, because there is a concept of diminishing returns on our cybersecurity investment, meaning every dollar we are spending is no longer worth the same amount as when you started. at the beginning of the program the dollar you spend may be worth $100 of protection or even more, maybe $100,000, and it slows until eventually 1
8:27 am
dollar represents a dollar's worth. that's the diminishing return we are seeing. far worse is we are now in a system of negative returns, meaning every dollar we're spending is making things worse because it's proliferated and escalated the problem. and we see this every day played out in the newspapers. those of us who are assisting victim clients know that the bad guys, when you defeat them, don't just give up and say okay, i just had a life of crime, now let me seek a life of law? is that a phrase? it doesn't happen. you just heard about a nation-state using steganography, codes placed in pictures through twitter accounts to control botnets. it doesn't stop there. so what we've done is we've spent our money and it resulted in an escalation of the problem. so, for example, if
8:28 am
someone were to break into a business, we say why don't you put up a 10-foot wall at the price of $1 million around your complex, and they go out and purchase a 15-foot ladder for $30, and then the response is, you know what? 15-foot ladder, time for you to make it a 20-foot wall. we all know what's going to happen next, but that is happening to us here. so not only are we falling victim economically, the fact is our intellectual property is being stolen, our markets are being distorted, our banking and finance system itself is vulnerable, as is the rest of critical infrastructure, but our response has actually furthered our economic dependencies at a loss of viability for our security. so where do we go from here, which the next segment is going to answer. but certainly i think threat deterrence has to be the
8:29 am
predominant focus, using all elements, and consideration of the private sector's role. for that we have a global private sector which can be very influential. this is not just a u.s. problem of course. and then as we think about that strategy, the other thing that we really have to be concerned with is that the political and economic warfare we're facing can result in a crisis of confidence in our country, which could of course be as severe or more severe than the actual consequences. with a real potential of a crisis of business confidence, the ability to be protected in today's global economy. consumer confidence, the ability to do anything online any longer, to take advantage of technology like infusion pumps, insulin injection pumps, automobiles.
8:30 am
the economy that is being driven through technology can face a consumer confidence backlash. and ultimately, citizens' confidence, if we feel that the country cannot protect us and is subject to extortion at any given time. in this country we have police forces who routinely are being extorted through ransomware, in which organized criminals are breaking into police force computers, not only police force computers, and telling them if you don't pay us our ransom we will delete or destroy or just not allow you to access again all of your records. police forces are paying extortion to foreign criminals. what happens when that happens at a nation-state level against us? has it already happened and you just haven't been apprised of it? and with those remarks, we'll pass it off to the distinguished congressman. >> that's fantastic. >> time for a drink.
8:31 am
[laughter] the afternoon is set aside. we are really pleased to have chairman mike rogers addressing us today. as a former member of the u.s. congress who represented michigan's eighth congressional district, a member of the u.s. army, and an fbi special agent, mike really is in a unique position to shape the national debate on a wide variety of issues including this one. he hosts the nationally syndicated something to think about with mike rogers, and from his time in the u.s. house of representatives, where he chaired the powerful house intelligence committee and was a member of energy and commerce, mike left a legacy as a thoughtful and effective leader on cybersecurity, counterterrorism and national security policies. welcome, mike. >> what i've done today -- stephen was an fbi agent who was assigned to catch the smart ones; i was assigned to catch the dumb ones. when you needed to catch the guy
8:32 am
in russia in his mother's basement on the computer, they called you, which tells you how much more it was. i've had the opportunity to meet and spend some time with all the co-panelists here today, and all of the authors of the book, and i highly recommend it. believe me, i've read a ton. this is to the point, provides unique thinking that is a little different, out of the box. i love it. i spent this weekend reading it. when i walked in today with the panelists it struck me the iq of the average went down 15 points. i don't know why that happened. come on, people, lighten up. [laughter] we have had a strategic erosion in our dominance in both cyber and space. so you think about in 2007 when the chinese launched a rocket that took out a satellite going around our earth at about
8:33 am
11,000 miles an hour and hit their target, thankfully that was a big deal the night before, and then a whole host of other activities including what some would call killer satellites, america's dominance in space came to an end. we no longer were uncontested in space. think about how reliant we are on space for everything we do in our economy. that was a fundamental change, and policymakers like us have to start figuring out how we deal with that. how do we step up? now a satellite not only has to do its mission but has to protect itself. that is a whole new ballgame when it comes to space. about half of all the satellites up there belong to the united states, and some of them are up to some pretty nasty things. then you take cyber. we watched this problem happen year over year over year. here's the good news about the former dni mcconnell's comment that if we are in a cyberwar we would lose.
8:34 am
if we were in a cyberwar we would lose, that's the good news. here's the bad news. we are in a cyberwar in the united states and we are not winning. it's that bad and it is getting worse. so think about where we are today. our financial systems are under attack, some successfully, some not. we now know that the new generations of technology which we pride ourselves in making, that do amazing things, are now susceptible. airplanes have been hacked. they are susceptible. our electric grid has been penetrated. it's susceptible. what i want to tell you in the second part of that is, don't worry, nothing to see, move along, we've got it fixed. why? because we don't. the fbi came out with an interesting report that from 2013 to 2014 there was a 53% increase in economically targeted
8:35 am
american business espionage. a 53% increase over one year. and the bad news was it was outrageously bad the year before. why? no consequence. they have absolutely been able to get away with it. china has built an entire economy on stealing intellectual property, not only from us but from our european allies and other asian allies. even when a company does have intellectual property, it is subject to, and i think likely, getting ripped off. we watched this problem get worse, and i get worked up about this, but i just read today where the department of homeland security issued a letter in opposition to the one piece of legislation the senate is ready to move here called -- for those of you who are familiar with our bill, we have problems right away with acronyms in congress.
8:36 am
for the one reason that it allows companies to directly go to certain intelligence agencies to share malicious threats, which, by the way, has been happening in the past. so the one thing that we looked at in congress, and this is the biggest hurdle we have to cross, is sharing. sharing is the keyword. if we can share malicious source code in real time from machine to machine, zeros and ones at light speed, we might be able to put a dent in this. so what you're seeing, and why we watched this happen year over year, is now there's a bill out there i think could be very, very productive, that protects those relationships so that companies can feel comfortable going, knowing that their information is safe, and saying we have this malicious source code, come help us. we don't know where it came from. now our own government is going to work against itself for god only knows how long, again, over the details of how to come up with a cyber sharing regime in the united states. in the meantime, the
8:37 am
first bill was passed in 2013 by dutch ruppersberger and myself in a big bipartisan vote in the house, so that's going on two years, likely three years. we still can't come together; the white house can't talk to the congress, the senate can't talk to the house, the house can't talk to the senate. in the meantime, how many trillions of dollars have we lost in potential economic gain and real dollar loss? billions. billions and billions and billions of dollars. the one trump card they throw down, and they did in the dhs letter to stop the legislation, is folks, we have privacy concerns. that stops everything. in the meantime the russians and the chinese, iranians, unfortunately now the north koreans, and we could list about 15 other nation-states, are already on your networks. they are stealing your information pretty much daily, and again with no consequence. so think about where we are
8:38 am
today. space we are no longer the dominant player in space. it is not contested. our technology is better clearly in many cases now have to worry about the safety and security and the survivability of many of those old systems including some of the relatively new systems that were launched into space. big problem for any business anywhere in the world. let alone how tightly are in the economy back on cyber dating our clocks cleaned, not the intelligence community is going to set up its own version of a cyber center to try to please up its agenda is about a good idea. we didn't even know all the capabilities amongst the intelligence folks. people kept throwing democrats ago and we stopped everything for two years. we couldn't get the intelligence committee together to share information and real and meaningful way real-time machine to machine, nobody's reading e-mails come in order to push back on what we know is a serious and growing threat to the united states. couldn't quite get ourselves there. the last part of this in 2014
8:39 am
was a huge policy shift that we all as americans yawned and moved along. we had two nation-states, not the most capable on our list of nation-states we worry about, make a calculated decision that you're going to use their nation-state capability to exact an economic punishment of a single united states business. normally if so we went in and put somebody's warehouse and fired a missile were sent some sabotage group from summer across the world into the united states to do that, it would be an act of sabotage in an act of war or an act of terrorism. a political entity using destruction to further its political games. clearly fits in the definition of terrorism at the very least. we saw nation-states in 2014 and both of those cases on a public. both of those involve nation-state cyber capability and cyber actors.
8:40 am
the problem and what all the panelists it's a debate is what is a deterrent to doing that? there is no deterrence. they are not going to stop. they would increase their ability to have the capability to conduct those kinds of attacks. they will continue to pick companies that which they find vulnerable to do economic and real destructive are. if you think about the casino, it was kind of a similar type arrangement with the ceo gave a speech about why iran should not get a nuclear weapon. they decided that was an affront enough that they would use their nation-state capability to attack the sands resort casino protect them a long time. they penetrated the casino out in pennsylvania, work their way back to headquarters. took them a long time. they were determined before they did millions of dollars worth of damage to that headquarters. for a political purpose. america's response? not much. and so we've kind of yawned at
8:41 am
this notion that we have this problem as long as i can get to starbucks with my path and i can pay for my parking on my iphone, everything must be okay. the problem is everyday we erode our ability to protect a growing a more complicated system. lastly we're getting ready to add 28 billion, billion, new applications to the internet. the internet of things. everything from your garage door opener, a bunch of everything i walk by my refrigerator in my house i think it's working against me already affect let alone thinking on the internet working against me as well. [laughter] this is a huge problem for us and i think you hear a little bit about this on the second panel especially the automotive focus. we will at all these devices are not one ounce of security prevention has been planting any other. one of the biggest things that happens to you when you have an application on your network is
8:42 am
to get off your security folks, they probably don't even know that application is on the network. that record companies come in understanding how you map, adequate map real-time network. it is harder than it sounds. nobody has completely 100% mastered it. there's a couple of books but that means on your networks, your private sector networks, there are huge vulnerabilities built in that even the best security, you ask why does a series of financial institutions on the west coast get penetrated? they spend $250 million a year on cybersecurity alone. $250 million. they get penetrated. why? the complicated nature of networks and document the network and even understanding what application is on the iowa safe this is not just a technology problem. it's an anthropology problem. it's a people problem. if you wonder why the chinese have stolen as much data that
8:43 am
isn't related necessary to a criminal act, anthem medical, the list is pretty long. we could get an hour going down the list, certainly the opm, lots of early detailed personal information, why would they do that? 85% of all the success rate of a chinese penetration of your network comes from a phishing e-mail. imagine an e-mail i can create infinite everything about you for the last 10 years to come and i mean everything i also know when the last time you went to the doctor and exactly what you don't have a doctor and what you building status is to imagine that enough the committee on work and says last week, micah, imagine the look at, extra. i think i screwed up on the billing cycle. with you verified this what you're actually, not the guy after you've? yeah, i was there last week. yes, the e-mail looks like he came from a doctor that i click on it. they are in. 85% chinese success record they
8:44 am
just increased their targeting by 53% of i'm not the smartest guy in the room but in the fbi we would call that a clue. [laughter] we've got problems so i appreciate the discussion and thanks for including me. >> that's fantastic. we have about 15 minutes or so to really open up for questions, focusing on the evolving threat. from this bill it became clear the evolving threat is both former adversaries and against ourselves as well. i don't know if someone has a mic, or small enough room. >> a little. my name is george. my question is, is there like any difference in approach to cyber between the public and the private sector? can you just say all private sector, all public sector goes the same way? any differences you may approach
8:45 am
to that? >> i have i think a little bit different perspective so this should be an interesting discussion but i worry about the 85% of the networks in the united states a private. contrary to popular belief, national security agency is not on those networks. they are not, not unless they have a warrant to be there and that is highly unlikely. and so what happens is you have this intelligence services overseas trying to collect information bring it back to protect the cover. we want to show that in the times of the private sector to protect itself. it's not working very well the sharing is terrible. no one wants to do for liability reasons. a whole host of good reasons not to show which hopefully we can fix. here's the problem with the private sector think the heck with it can't going to go and click whoever think it is the attribution, determining and attributing attacked with certain nation-state or
8:46 am
international criminal organization, their capabilities are all over the map. some can do it very, very well. some don't do it well. some don't have a clue how to do it but it wouldn't stop them from doing it anyway. a government within be in the responsibility to how do i protect 25 businesses from over the second quarter impact asked if i attack you did conflict in afford it, i guarantee they will not sleep on overnight. they will come back because they been trained that is not much of a consequence. how do you contain that? if we don't have a good policy -- argued that the that the defense before you go out and do something that you could never. i significant departure neighbor in the nose, hit the weight room a few much first because he's likely to get you back. the problem is we have no good defense today for the 85% of the network. the companies that got really good at it, they would be fine. a lot of companies wouldn't have any problem doing that. the problem is what do you do
8:47 am
when you think of the 15 companies that are supplied that can't withstand a cyber attack? now we have an engaged private sector against a nation-state of which we are kind of watching happened as a government entity. what do you do? how do you stop the escalation? from a government entity with all kinds of ways to stop, to deescalate anything. you have none of that in cyberspace. we would have to get all of the right before we allow it to happen. >> just real quickly. i just love being on this panel with these gentlemen. it's awesome. three problems, one, the adversaries we're talking about don't differentiate between public and private. day in the wisdom the autocratic states, the totalitarian states it's all one. their economic power and influence as a part of state power. chinese have identified their banks as a strategic asset. starting principle is that our
8:48 am
adversaries in this space don't differentiate. secondly, if you think about national defense resilience, our health system to our financial system to our infrastructures are part of that. in some ways a clear divide between public-private enemy was in this environment doesn't make a lot of sense the third point i would make is one of the challenges and mike referenced this is how we interact between the public and private sector. information sharing is sort of a leading edge of that question but also it's a fundamental question of our national security architecture. how to be action and less the private sector in a way that enables them, defensive and makes as part of a national resilient campaign when there's a clear blend? one sort of way to think about this, maybe this is where mike and i disagree is, i do think there's a way of thinking about this a bit more aggressively. frankly take straight from our
8:49 am
constitution, the founding of our republic it at a time when there was much ideas about maritime security. we had a provision in the constitution for letters of marque that allowed the government to actually leverage privateers in a maritime security domain precisely because there was this blend of threat, blended environment. i think we need to start thinking a little bit more aggressively because the environment itself doesn't differentiate between public and private we don't want to do damage to our constitution anyway we foster the private sector and protected but we also can't ignore the fact private sector, what is sands, sony, jpmorgan are part of our economy. >> i want to add one thing on this matter. it's something that both talk about and discussing what's going on and what is private sector on but it goes past that.
8:50 am
in our country, and most of the western countries there's a very hands off of you to the internet. geoff dolan technology to innovate and covered actually have as a philosophy cannot get overly engaged in the infrastructure. that's not happening anywhere in the world. so the countries that we've already mentioned get thrown out from russia, china, north korea, they are balkanizing didn't appear you just don't realize it. they have filtering in place to they own the infrastructure. they are monitoring the infrastructure. they can take it up, turn it down, have different approaches to so that relationship that we have with the private sector where we are hands off but at the same hand is not resulting in secure outcomes, isn't being followed by the where in what we are seeing as the rest of the world, those attended be the aggressors, already locking down their infrastructure. we are going in exactly the
8:51 am
opposite direction in a way that really would not be considered, i guess obvious when we do other things. for example, if i were to say i could develop one cell tower that has so much power that all you need is one cell tower you always have your four bars were of your in the country. the only problem is the wiki decanted that he would say that's a ridiculous invention, don't despair i said i could build a gothic into 2000 miles an hour, you'll be in california before you know it, it probably is our roads are not set up for. that he would say that's the most ridiculous ludicrous idea i've ever. in technology you can develop and sell almost anything to our country. we really have to start thinking about what we are permitting and the relationship between the private sector and the government has to shift in common cause to health and safety and security. >> great, thank you.
8:52 am
we'll take a couple of questions. i want to reference in the monograph, both in juan's chapter and in steven chabinsky's chapter there is discussion of letters of marque and in fact some really interesting footnotes about law school articles have been written specifically about letters of marque and cyber that i commend to you. >> good afternoon. just want to follow up on your last comment, mr. chabinsky. a lot of focus is how to make the network more robust, more resilient bucks held we attribute that the actor who hacks court cooks at what point do you flip the model and start holding the actual manufacturers accountable but i guarantee you come in most of these intrusions whether it be silly or elsewhere it may be someone with a spear phishing attack but it may be coupled with from adobe or some other vendor software that's running on the network are when
8:53 am
do we start holding them accountable and start cleaning our own house? >> we will start with steven. >> i think it's a long perspective. we don't demand perfect security in any other aspect of our life. i would never dream is my oscar berger is i should start going after the architect of the contractors. some of was able to tunnel to the ground. our market might not is incentivizing to purchase of low-cost quick to market products that don't have that level of security but never what i'm not saying they can't do a better job encoding anderson covers have done an excellent job, and i'm afford of the issue today wouldn't change. nation-states and organized crime groups that are persistent and determined will always be able to break into soon or later because it is impossible based on vulnerability mitigation efforts to secure a dynamic interoperable environment which is what we have indiana. deal of time you see in a
8:54 am
physical is something like a bank or fortress. it doesn't move and it doesn't change much over time to you could really secure. once these are going to actually meet up with everybody but we're going to change all the time for updates, upgrades and connections, that's the fool's errand. the real choice is how are we going to start taking some of this might appointed into a robust conversation, intellectual analysis, bring actual analytical standards to options analysis come when these things happen, how do we build platforms that are necessary, a lot better at detection, attribution and figure out what our policy choices are? we may find out despite, i'll make it to this one, that some of the systems that we need the best security for coincidentally and a good coincidence have the least private system like the electric power grid. forget about smart grid for a second that the standard electric power grid from anyone
8:55 am
who works there and held it wants to profit. very low privacy depend. that's were i would start, not by cleaning up the house from the vulnerability mitigation point of view which god bless you didn't get it done but they doing at how to build a detection attribution and real policy choices to give to our leaders in those areas that matter most. >> just real quickly pick i think there's a different dimension of liability or that's important because what we have enabled is frankly the private sector bar and the plaintiffs bar to actually be a force in this divided with the attribution revolution i think there's an opportunity to think about class action lawsuits, victims of cyber bullying and cyber attacks that allow victim companies, individual shareholders to go after companies that are taking advantage of the environment. chinese as a lease of using
8:56 am
stolen data. why aren't they subject to not just government action but potentially even private litigation. -- soe's. i think we need to flip them off a bit more and about the private sector to actually be an actor in deterrent. >> i think we have time for one quick question. [inaudible] >> just to get you all on the record -- >> how fast tables change. >> is it fair to say the u.s. private sector in cyber has no right of self-defense according to the law, but that is our policy? there is no right. the same duties there is to retreat, we have no right for self-defense. i think of to begin with juan because you advise banks on this. when you listen to the lawyers,
8:57 am
to work with you on this, do they feel that the bank has a right to defend itself when it comes under attack either criminals or -- >> i think part of this is how you define defense. because if you define defense passively, of course for the right to defend, the right to great players and redundancies out loud criticism but they haven't done those. they haven't done a lot of the cyber hygiene they needed in terms of employee awareness. there's also a lot of reticence, to the chairman's point, to actually getting involved actively. there are a lot of companies that really don't want the very idea of hack back or active defense of systems. they want the government to do. they want more information to do it themselves. in that sense if you define defense broadly, yes, they do. if you have an active defense role to play at this point? is very legal structure?
8:58 am
no. >> i mean, defense of person or property as a justification so it's an otherwise legal activity. i think it's uncertain. we haven't seen prosecution against companies. that might be prosecutorial discretion. we don't know what would happen if there were cases that was taken a. unfortunate about this is theoretical but why so we can say this there is no certainty in this area. businesses unlike individuals who are more likely to roll the dice, businesses hate uncertainty. we are a nation they can't even get a national data breach right. we are stuck with dozens upon dozens of individual state laws any of data breach notification. so what's the chance of a company figuring out the certainty of action even within the united states, no less how that might be observed outside of the country where they're likely doing business. i think the short answer is, do
8:59 am
they? there is no short answer but that factoring is enough to make sure that big businesses are responsible are not going to touch it. >> when you start talking extraterritorial aggressive defense i think that's a loser. if you do not have proper legal authority, i think it's a disaster mainly because standard grounds of circumstance you are dealing with a personal threat to your life in the way the law is written is, this you can never make that legal argument, number one. and number two, again when you decide you're going to reach territorial and go after them you opened up a can of worms which well beyond the scope of your threat. that's why think we have come and our policy is not there. we don't even in the united states had a good offensive policy. i think it was admiral rogers not that long ago within the last few months said just as
9:00 am
much as about, that we don't we have a good cyber offensive policy. we talked about it ad infinitum in classified settings for the entire 10 years i was on the intelligence community and we could never get consensus to move to the next place on but that cyber offensive is. this is a personal. i decided administration says they're going to try to pay for the consequences of the opm hack. i can't wait. i cannot wait to see what the heck that thing is. scantily i'm not too excited about what is going to be. we have not crossed the threshold everybody in a room to try to work through this problem. long answer to your question but i don't believe they have the right to go extraterritorial to protect what they perceive would be a threat at that point. >> that's fantastic.
9:01 am
[inaudible conversations]
9:02 am
>> we want to get you out in a relatively timely fashion so they can ask you all to reclaim your seat or somebody else's. so while we are getting our seats up, before i turn it over to the panelists for this discussion, i want to read a short excerpt. as an intellectual no man's land for military and political problems made. we have no tradition a systematic study in this area. the military profession has traditionally depreciated the importance of strategy where politics are important as
9:03 am
compared to tactics. now we are faced with novel problems to which we try to adapt the ready-made strategic ideas inherited from the past. if we examine the origin and development of these ideas we may be better able to judge whether a face at the and future appeared this was written in 1959 in his strategy in the missile age and i recommend it to all. it calls for a new idea and scholarship to deal with the atomic age, help the u.s. create the doctrine and capabilities that guided us the last half-century. i would add to brodie's assessments an intellectual no man's land for political military and economic problems and we have no tradition of systematic study in this area. within our monograph and earlier seminars, i have turned to earlier work that i and others did on the nuclear kill chain and thought about its applicability
9:04 am
to the evolving threat of economic warfare and the vast differences, namely hurdle for development, acquisition and you spoke what i call in the previous panels somewhat reference that could we be in not notice metric. i think it would be hard to ignore use of a nuclear weapon but as we heard in the last panel, we are fully engaged in the cyberenabled economic world. the kill chain of media capabilities may have to be thought about differently but nonetheless the basic element, intelligence and warning, deterrence, detection, forensics, interdiction, federal management, consequence management and recovery service he is slowly to gauge current capabilities and create the doctrine and technologies that we need going forward. at this point i want to welcome our amazingly talented individuals to talk about the
9:05 am
nexus of policy and technological development. the first is mark dubowitz, executive director of the foundation for defense of democracies where he leads projects on non-proliferation and is an expert on sanctions and has testified before congress and by the u.s. administration on iran and the sanction issues. he had the foundation on sanctions on the list of finance and is a co-author of more than a dozen studies on economic sanctions iran. mark. >> great. sam, thank you very much. first of all, i hope you will keep me to my five minutes. so give me a nudge if i go over five minutes. i will make my remarks short. i want to thank sam for involving me in the project. amazing people to be involved with. ken, thank you for hosting this and allowing fdd to cohost, and mark and michael, a pleasure
9:06 am
to be with you. i want to pay a special note to the young woman who co-authored this report with me, annie fixler, based in new york who is one of the remarkable people, the next generation of economic warriors and one knows where he well from ms. samantha knows her well and certainly when we all play golf in our retirement, someone like annie will be continuing the fight. let me talk about the paper we wrote together. i want to put this in context. the paper is called cyber-enabled swift warfare because the case study we dealt with this part of the analysis is the swift financial messaging system which is a global standard if i want to wire money, my citibank has a swift code, chase manhattan has a swift code, a swift code similar to financial institutions talk to each other so i can wire money which i do often.
9:07 am
[laughter] so the key looking at swift is swift was a high point of the u.s. government economic warfare campaign against iran. it reminds me there was a point in time where we actually engaged in economic warfare against iran. this is coming not a particularly troubling moment for me spending a lot of time to see the u.s. government dismantled the entire sanctions infrastructure that we put in place in pursuit of the nuclear deal but that's a topic for another panel. certainly for a period of time as david sanger explained in "the new york times," the u.s. treasury department where juan worked, under david cohen's leadership, the u.s. treasury department was described as president obama's favorite non-combatant command for good reason. it had become the locus for economic warfare against the iranian machine and really a
9:08 am
decade of escalatory measures that began under president bush for designation of key iranian banks and revolutionary guard entities and culminated in the passage of sanctions legislation by congress, congressman rogers played a key role in that and it was fascinating because as the sanctions escalated you saw over time the dramatic impact on the iranian economy in the decision-making. the key events along the way included the u.s. treasury department, usa patriot act section 311 designating the entire jurisdiction of iran as a primary money laundering concern, then legislation passed by senators menendez and kirk which legislatively designated the central bank of iran as a key pillar of the primary money laundering concern and in 2012 congress over the objections of the europeans passed legislation
9:09 am
threatening action board of directors has that swift is cursor is eventually swift to expel dozens of every it was unprecedented at was unprecedented is for the first time that there was a wholesale peace with that country's financial institutions tadiran global financial system in it impossible for every to money and finance trade to repatriate their foreign exchange earnings. it was certainly a tool that
9:10 am
their effect of coercion, but it was some taint our adversaries have learned from. i would note when it comes to split's is a dozen ultimate instrument is that laughter or policy or should that swift israeli banks, does you had branches that also retaliatory measures by the rations against our allies and the united state leading to a
9:11 am
need for defensive measures. if he nurtured the asia-pacific region, the chinese have used economic warfare against taiwan for years to persuade the international community that taiwan should not be recognized as an independent state. the chinese cut off the export of rare earth minerals for a couple of months when there was a dispute for the job and the minerals were very important, critical to key industries in the japanese economy and everybody knows in the south china sea significant disputes between china and the philippines and the non-in japan and other countries and the chinese have matched the naval maneuvers with economic coercion. what you see essentially as our adversaries learning from us that there is a power of economic warfare, the power of economic coercion as the dominant instruments of statecraft. the united states and certainly allies in the middle east and asia and europe are lucky
9:12 am
because the united states still remains the dominant global financial superpower. 81% of global transactions are done in the u.s. dollar. 60% of foreign exchange reserves are held in the u.s. dollar. 45% of global financial transactions are done in the u.s. dollar. the dominant position in the global financial system, we still wield tremendous power. but make no mistake. that is changing and is changing in fundamental ways. the russians and chinese are creating an alternative to the swift financial messaging system. it's a nascent form right now i'm likely to track the support that swift has today with 10,500 financial institutions using the system but over time a member of the global dominant position of swift. the chinese have a combination credit card which is available
9:13 am
in 100 plus countries around the world. it has a market position that represents 45% of the total number of cards in global circulation. and something like 25% to 30% of the total transaction value is quite extraordinary. but the chinese abuse on the russians delinked from new york. for cheney's no dead aftermath and offered this card to russian banks that offer and anoraks card and the global credit card dealing from new york and not accessible to our sanctions. the chinese set off the asian infrastructure investment bank which is an alternative bank for infrastructure finance that has attracted significant support for most u.s. allies. as a dynamic sample under many others the chinese have gone to the imf and asked that the sdr, its special drawing right to
9:14 am
represent a global asset, a foreign exchange asset link to a basket of currencies including the u.s. dollar and the chinese have been pressuring the imf to change the allocation from a percentage allocation more highly represented. these are four examples of how over time chinese are trying to erode global dominance. we may be witnessing the creation of a parallel financial system over time which diminishes the power of the u.s. dollar. let me end with the specific recommendation. we conducted a lot of interviews with folks in the u.s. government and treasury officials, state officials, people in europe and asia. what we want to find out is what kind of defensive measures were we actually taking? we've been good on the offense. how good have we been on defense? what we discovered is there
9:15 am
hasn't been as much defense of economic warfare. how do we create a defensive shield to protect the u.s. and allies in the use of offensive weapons by the iranians, russians, chinese and others against our closest allies? you'll see the monograph came out with specific recommendation for specific recommendations up in the u.s. government changes institutional changes within the interagency committee ideas create an office of policy planning at the u.s. treasury department. my recommendation is they should have an office of policy planning where they are really thinking about these kinds of defensive measures and they have time unlike our friends at treasury to think through what specific measures be put in place to defend the united states and our allies. number two was standing up an economic warfare directorate at the nsc with folks there who have a lot of strong planning on
9:16 am
the economic side and markets in financial markets that the idea of having people at the nsc who understands sanctions and finance the needs of economic warfare would be useful. three was establishing a doctrine on the use of economic warfare. we have doctrines about everything. doctrines of the nuclear age, doctrines of missile defense and we certainly have a cyberdoctrine. an economic warfare doctrine would be very useful. how should be set off offensively and defensively and a controversial recommendation by setting up an economic warfare command. we have commands in the u.s. government, most of them at the pentagon. this idea would be an economic warfare command that would draw the best and brightest and the necessary resources across the interagency. our recommendation was to locate treasury. i'm sure a lot of debate about
9:17 am
that. the specific recommendations on.transcendent to show ages against the use of economic coercion. i will finally end with this. israel is an interesting example because the boycott movement against israel suggests we see the canary in the coal mine. here is a small democracy, an ally of the united states where the economic warfare is used against israel to achieve electoral object to and israel's position in the territories. whatever position you take on territories than regional dispute, my assessment, my conclusion is we should be allies you, ballistic missile defense is regardless of rss menace who was ripe with respect to regional dispute that this is the canary in the coal mine is
9:18 am
terrorism came to our shores, economic warfare will come to our shores, and we need the doctrines to create the economic shield. >> The only thing I would take issue with is [inaudible]. Mark and Andy would agree, I'm sure, to delve into that, because if we are serious, what does that mean in terms of the organizational changes that may be necessary in the U.S. government? Our next speaker is focused on where the rubber really meets the road in terms of the technologies needed and how we think about that, because ultimately we have to be able to back up our words of deterrence with technologies. The first speaker is Dr. Michael Shad, program manager in the Information Innovation
9:19 am
Office at DARPA, which for those who may not know is the Defense Advanced Research Projects Agency. His focus is on quantitative and cryptographic techniques for establishing provable security in big data and software. Previously he was a research scientist at SAIC and a scientific consultant at Booz Allen Hamilton, and he holds a PhD in chemistry from Princeton. >> First of all, thanks. I think I speak for Mark when I say those of us who work on the technology side of the house found this to be a very useful and fun [inaudible]. The views
9:20 am
I express today are my own and not those of my agency or the U.S. government. I will begin on a slightly downbeat note. Today you can barely turn on your news browser without seeing a fresh story about another U.S. firm victimized by economic espionage or intellectual property theft. What is vexing about this state of affairs is that there does not seem to be a clear path out of this equilibrium. The purpose of my remarks is to hopefully provide a way out of this state: one, taking a historical perspective on espionage as a timeless instrument of competition between nation-states, and number two, a scientific perspective on technologies that could potentially help us flip the script on the economic spies and pirates targeting national industries and undermining national economic strength. To begin, what history could help us here? The notion of intellectual property evolved over centuries as an enshrinement of the economic system at work in that day.
9:21 am
In a report by the U.S. Patent and Trademark Office, 75 out of 313 industries are categorized as IP-intensive, and they account for more than 27 million jobs and 18% of all employment in the U.S. in 2010. According to the 2013 report by the Commission on the Theft of American Intellectual Property, the U.S. loses $300 billion a year to IP theft. The report stated that if IP had the same protection overseas as it does here, it would add millions of jobs and encourage significantly more investment and economic growth. Not all countries in the world are serious about protecting rule-of-law-based property rights, and perhaps the United States has been here before with this problem, although on the other side of it. In the immediate aftermath of America's war for independence from the U.K., our young republic engaged in a campaign of
9:22 am
privately conducted, officially tolerated IP theft against British industry to supercharge young American manufacturing. The British response was quite rigorous. They were fully aware of the stakes of the conflict. They imposed export controls on machines and designs and on emigration, and sometimes used British spies [inaudible]. The idea of hack-backs is not new. It has been tried. Arson aside, the strategy would not look unfamiliar to officials today. Yet by any reasonable account, British policy completely failed, for the diffusion of their most sensitive manufacturing into the factories of their unfriendly transoceanic rivals went on. All this must sound familiar to all of us in 2015, though obviously it
9:23 am
is America playing defense in this game. To exemplify the struggle, of all the industries I will focus on the software industry, not only because of its large export value but also because of new ideas pertinent to the industry that might inspire new thinking on protections for other industries as well. To give a partial illustration of what is at stake: [inaudible] 19% [inaudible] sold in China; as one other example, 77% of the software transactions [inaudible]. Beyond running pirated copies, there's actually a deeper and far more insidious theft made possible by delving into the source code of software to extract ideas that were created through vast sums of research and development dollars. The question is how we protect our software. The idea is to develop a model for thinking about how to
9:24 am
protect our ideas based not on diplomacy but on technology that may change the dynamics between attacker and defender. The status quo of defending our nation's interests in general leans towards the diplomatic and legal remedies favored by the British, and as seen through that historical example there are fundamental limitations to this approach. So it's useful to pull back a step and think about the problem at a basic level. IP theft is fundamentally as much an economic as it is a criminal phenomenon, and diplomacy and law are limited in their ability to deter criminals from this type of crime. The question is, can we use technology and economics to deter economic decision-makers from deciding to steal as opposed to not steal? Can we raise the technical cost of such theft to such high
9:25 am
levels that it is no longer worthwhile to do so? The good news is the answer is yes, but there are some major caveats. Today commercial software is effectively defenseless against being reverse engineered, because the state of the art largely consists of inserting obfuscating code to slow down the attacker, essentially giving them more code to understand. However, the security-through-obscurity approach can almost always be defeated in under a day with standard software tools and is almost universally regarded as [inaudible]. The good news here is that a mathematical breakthrough by our collaborators has opened the door to making new kinds of software that thwart the best reverse engineers. The new approach entails rewriting the source code in such a way that understanding it is equivalent to computing a mathematical problem whose solution requires enormous
9:26 am
effort even with the most powerful computers and algorithms known today. This is exciting because this is the kind of technological breakthrough that could change things; just imagine a future where IP rights are protected not by the rule of governments and nations but by mathematics. Here there is some huge cost. Realizing such technologies, not only for software but for other products as well, will very likely require radically new scientific ideas and years and decades of sustained research and effort. But if the effort is successful, such efforts would cement our leadership into the future. To move on to another problem: one of the issues we have in the cyber threat today is that victims are caught up in a pathological dynamic in which they have an interest in concealing their own victimization. We talked about this in the context of cyber threat sharing.
9:27 am
One of the interesting things that has emerged over the past 30 years is secure computation, which really began as an academic problem more than 30 years ago called the millionaires' problem: two millionaires want to know which has more money, but they don't want to reveal how much money each has. I don't know how millionaires think. This might seem like a contrived problem, but from a cryptographic and mathematical perspective it's not trivial at all, and it built up and morphed into secure MPC today. Given a relatively contrived problem 30 years ago, what this has evolved into 30 years later is a very valuable and practical technology for a very real problem. In space today there are dozens of [inaudible] agencies and
9:28 am
companies worried about satellites colliding. The problem is that when you reveal your orbit, you give away either sensitive commercial information or national security information or your mission. How do you share your orbit without giving away those kinds of secrets? Here the research on the millionaires' problem 30 years ago, turned into actual technologies and software today, can help the likes of national space agencies and companies share their information without revealing private information. This is obviously exciting because these are not trivial problems. For math geeks, these are 200-degree [inaudible] for objects going at relative -- relevant speed. It's a hard problem and very difficult. Again, three decades of investment actually get us closer to solving the problem. It's not hard to see how the
9:29 am
shared problems we have in the background have a nontrivial and important privacy component as well. To conclude, it's very fitting that the ingenuity of the economic system that has produced world-changing ideas could be, at the end of the day, the source of the defenses to protect those ideas. Thank you. >> Does that make you feel good that he's in the government? He's tremendous. The modern-day version of the millionaires' problem now is to figure out how much money Donald Trump has. Finally, Mark Tucker is founder and CEO of Temporal Defense Systems, a board member of the Insurance Company of America, and at TDS leads a team of experienced white hat hackers
9:30 am
and technologists redefining the technology security paradigm to safeguard computing devices and networks in the cyberwar era. >> That is a mouthful. Thank you, Samantha, for inviting me. This is a great way to look at the problem, because it is a complex problem and really not quite understood. When you marry those two terms, cyber and economic warfare, it brings multiple notions that hopefully cross-pollinate and define the problem. Before we go into a few things and ideas that might help correct the problem, we are still at the point where we need to qualify and understand the problem and [inaudible]. When I heard a few things in the previous panel, I was diametrically opposed, but I was down there and couldn't talk. I understand why the comments were made; the comments were made because of these economic
9:31 am
things happening, and trying to understand the essence of what is going on is what forums like this are about. So when you look at cyber-economic warfare, you are like, what is that? It is war in a criminal environment. It is safe to say if we get some actionable assumptions and say it's not provable 100%, but a preponderance of evidence means this assumption is pretty good, we can start making some action plans around it. Ultimately America needs a cyber action plan. We've got the Department of Cyber Command now. We've got multiple departments of everything. The core of the problem is still a little bit elusive. A few things in the first [inaudible] were perfect and [inaudible]. First actionable assumption:
9:32 am
cyberwar is here, period. And I would go so far as saying, when did cybercrime become cyberwar? At what inflection point in time did that happen? That was the shot heard around the world, and that is when cyberwar became the turning point: out of criminal gangs and all this activity that is happening, something caused physical damage, and that caused geopolitical outcomes because of it. The one thing is, with the shot heard round the world, we can assume cyberwar is here. I have looked at the dynamic of cyberwar. It looks like a low-intensity conflict in war terms. It doesn't look like the power balance of the nuclear war era where everybody builds up offenses, because proliferation has already occurred.
9:33 am
The dynamic of the mixed fabric is there are too many actors and too many people. It would be equivalent to saying, if we think about the nuclear arms race build-up of offenses, cyber weapons won't work because we can't control it. There are too many points of attack heading through. If you look at it like a low-intensity conflict, you can pretty much say, okay, there are going to be interesting things that happen. The playing field is like [inaudible]. To compare a few examples of [inaudible] occurring, we look at Iraq in 2004 when all of a sudden America comes in. We take the country over. I was there, so the ground truth I had then is equivalent to the ground truth I have now on the problem. I've seen it from all different
9:34 am
levels. When I was first there, there was a bomb here, there was a bomb there, going off often, and scary, but in essence Saddam was gone and nobody knew what to do, so the criminal gangs started to move first, and there is a little bit of that happening. What happens when those types of conflicts evolve: the next stage is coordination, where all of a sudden there are six bombs going off at the same time and the frequency goes up. When we look at the threat over a 20-year period in cyber, we see a negative trend for 20 years, the negative trend occurring. Most of that occurred in the cybercrime era; now in the cyberwar era we've seen the curve steepen. What is happening, if you look at the battlefield, is the battlefield is interesting, and the global frequency of the attacks
9:35 am
that are occurring means the battlefield has been softened. When we see all these attacks on the banking system, on the transportation system, and negative economic effects, we haven't seen anything yet. This is the normal course of the low-intensity conflict, and the next stage is basically coordination. People get worried and scared, and a plan is completely required. We should learn from this discussion point and get ahead of the curve. We are in the cyberwar era and conflict, and nobody's controlling what's going on, and maybe we need to come up with some assumptions of how we got here. Why is security so bad? You could borrow economic
9:36 am
principles, and the question that was asked is, why doesn't the manufacturer share the liability? Bill Gates' dad was an attorney, and a very smart attorney, and every time you load software you have an OK button, and you basically take the liability and shift it to you, or if you are a company, shift the liability to your company. So it makes total sense there are so many security holes, because the economic incentive is not with the manufacturer's products. While I disagree with how [inaudible], you can fix the problem. The defensive problem is fixable. Like any problem, we have to quantify it. If we don't quantify the problem and we can't measure it,
9:37 am
we don't know if it's improving or getting worse. We can see attacks move up and down, but we don't know how to compare one technology against another technology. What is the security baseline? One of the technologies that will shift the liability to the manufacturers is to change purchasing habits: when people know one operating system scores a three and another operating system scores a four in security. What that will do is allow economic principles to take over the security responsibility and allow the consumers or companies or managers to buy more secure stuff. Once we know how to measure it, and that technology is in existence now, then all of a sudden we can dare to say we are going to basically change the evolutionary path of technologies. Now that we can measure it, it is no longer good enough to say I have good security, a firewall,
9:38 am
antivirus. What will happen is you will say your security is at a three. You may have those things, and they are basically raising your level of security. By creating technology, which is [inaudible], one of the products we worked on with George Mason University over the last four years to solve this, is a huge building block to basically changing, shifting the liability landscape and allowing the security level to go back into technology. When we look at problems we say, there is an OK button. Did it do a lot? Yes it did. Other things did a lot to technology. Every two years a chip gets twice as fast. There haven't been any interesting profound observational laws. If we've got a 20-year negative trend where the threats
9:39 am
keep going higher and higher, if we can get ahead of the curve by two years, now that we've got the ability to measure technology security, and we can start to use America's creativity and production floors and harness resources on a technological base that is now focused towards better security, we can come up with a law that says if America stays two years ahead in security, that will hit an inflection point where the trend [inaudible]. If we stay two years ahead, all of a sudden we're headed in the right trajectory for defense and security. The American cyber action plan: we've got an action plan with [inaudible] that says the resources are some number, 85% defense and 15% offense, for example. We have to come up with those
9:40 am
measures and metrics, and then we basically have to coordinate the country to utilize resources to win. We own the technology markets. We may not own manufacturing, but it's still our ideas. We are ahead. Let's use the things America can basically take to market, and the fact is our vulnerability is the fact that we are connected. That is also our greatest strength. If we harness what put us here, then I think we can make an improvement on the defensive side. As far as the cyber insurgency, which is basically what's happening, if we look at the surge, we have the banking industry surge and take the fight back to them and create those deterrent portions. It is not going to be a police
9:41 am
type of effort, because there is no law in force, and the ability to bring someone to justice is very difficult. It will look like a low-intensity conflict cyberwar environment. My time is up. Thank you. >> Before we go to questions, I just wanted to mention, when we started this project we really wanted to create a larger group of people that are interested in this topic who take different pieces of research to move it forward. We never wanted it to be a be-all, end-all. There is a lot to go forward. One of the things this panel and the last one showcase is the needed places where policy and new technologies come to bear. The Hudson Institute cofounder
9:42 am
wrote of the six desirable characteristics of a deterrent. He wrote that a deterrent, to be successful, must be frightening, inexorable, persuasive, cheap, non-accident-prone and controllable. If we start with those six things, you can imagine the policymakers, warfighters and technologists all coming in: here's the problem, how do we create a deterrent with sound policy, doctrine and technologies to be able to do what's recommended? We would move the conversation ahead. [inaudible] [inaudible]
9:43 am
Great thought-provoking panel. Something was said in the first panel that provoked a question I think is appropriate for all of you, which is the reference to the space race. President Kennedy decades ago set the goal when he set the goalposts: getting to the moon in the space race, and the undercurrent of course was competition with the Soviet Union and the tremendous threat that was there. Over that decade he galvanized people with this goal, and it was inspiring, very positive. If we look at the cyberwar, what would be the goal, or the goalposts, as a way to galvanize the next generation of young people and others in our society to target a specific goal so we could win the cyber race we are losing? >> I think that's an analogy that is often drawn, and it's problematic, because with the
9:44 am
space race there was a clearly defined goalpost, the progression of landing a man on the moon, then a device to Mars and beyond, and so forth. The problem with cyber is the agenda is much more diffuse. Cyber is a lot of things: the cyber problems that exist on machines and networks, and, as Chairman Rogers mentioned, sociological problems as well. One of the things that tends to be a distraction in the cyber debate is an overemphasis on the technological dimension. There's a tremendous human dimension as well, because it is a security problem, and security problems are human problems. Look at the compromises that occur because somebody opens an e-mail or an attachment or clicks a link, and all hell breaks loose after that. At the end of the day you're not going to get away from that, because we don't design software and networks [inaudible]; we design them for ourselves.
9:45 am
Where we could direct one area of research is to say we should stop blaming humans, because we are human, and we should be able to open up a link or attachment or photo essay without a trembling mortal fear that it will compromise the entire enterprise. Whereas there's a much more diffuse kind of agenda for the cyber problem, there are some problems that could be ambitiously stated that are analogous to the space race as well. I'm sure there are others as well. >> I would add to this, maybe it's too simplistic, but the whole notion of winning is something we are cautious about and careful about. We don't want to win in cyber. We want to survive. In historical terms we have had the [inaudible].
9:46 am
[inaudible] when using the cannonball. We just want to survive. We invent missiles. We just want to have missile defense shields in case the other side develops bigger missiles than we have. There seems to be hesitation. I would say the goal should be, we are going to win this war, and any country that launches against us will be met with fierce retaliation. I don't know what we will do to the Chinese because of OPM, but I don't hear the rhetoric from the president of a commitment to win, and I think we need to send a message that the United States of America, [inaudible] cyberattacks, we will retaliate in a fierce manner, and our goal is to win in the cyber world as we won in missiles and
9:47 am
cannonballs. It's a commitment at that level before we get into how we do it on a technical level and reorient the U.S. government at an institutional level to do so. >> I also think there are measurable goalposts along the way. For example, when we hit this turning point, what is going to actually happen? If we say what will happen on the PLA side, you have Unit 61398; all of a sudden millions of agents on your screen and monitoring go dark. When that happens, we are going to see the unit freak out and see them go back to the drawing board and work to find
9:48 am
new endpoints to reinsert agents. We've got to be able to stay two years ahead. If we stay two years ahead, the effects are dramatic. Right now what we've done is basically stay complacent and let all these agents and supply-chain actions permeate everything. When the turning point hits, how would you know? The biggest unit in the world right now is basically one unit, and the status [inaudible]; basically agents go dark, and we will see actions because of it. We can measure the number of cyber events that occurred and the amount of money stolen from the banks and credit cards. We can come up with measures of experience. >> Here's an indication of how we're losing. The Iran deal every day is a new
9:49 am
surprise. My "yikes" moment of last week was I discovered the United States and allies commit to defend the Iranian nuclear program against sabotage, and the fact that we will protect the Iranian regime's nuclear program against the ability of the United States, Israel and other allies to use cyber offensive weapons against Iran's nuclear program regardless of what happens. It will be of industrial scale, [inaudible] powerful economy, and then we will commit to defend Iran's nuclear program against cyber sabotage. That is not a shot to the moon. That is not a commitment to winning. We are going to harden our adversary's cyber defense. >> My name is Rich Wilhelm.
9:50 am
I recently retired from Booz Allen, where I ran all of the intelligence agency work. 20 years ago I had a job similar to yours on Vice President Gore's staff, [inaudible], where we did some of all of this and [inaudible]. I am struck by one thing. We are much further ahead and understand the threat a lot better, and there's a lot of our technology out there, but I am struck by how little progress we've made in solving the central policy issues required to move ahead. My thinking over the years has matured somewhat, and it seems to me we are essentially trying to solve a problem where boundaries don't count in a legal, policy, bureaucratic framework where boundaries really do count. I'm not just talking about
9:51 am
geographic boundaries. I am talking about the difference between private and public sectors and their responsibilities, domestic, foreign, if you look at the intelligence community. We need some new framework. This is a question for you, Mark. The government response has been to create new organizations but not fundamentally alter the existing boundaries that exist in law for our existing agencies. What do you think the likelihood is we can solve that problem, or that a framework will emerge so that the interfaces between the various agencies operate more smoothly than they do right
9:52 am
now? >> Thank you for that question and for your service on these issues. I would say I am somewhat optimistic. I have seen it from the outside and I think we've done a pretty good job. A lot of credit to [inaudible] and the folks at Treasury's intelligence office. Who ever heard of TFI or OFAC a decade ago or 15 years ago? I hadn't, and I'm sure a lot of folks in this room had. They took institutions, agencies in the U.S. Treasury Department, and turned them on offense. A really remarkable job, not just leveraging government but leveraging markets, because the real secret sauce of financial coercion was not what we did in government. It's what we did to companies and financial institutions
9:53 am
in changing the risk-reward assessment with respect to doing business with terrorist organizations. You can do business with a $17 trillion economy or with Iran's $350 billion economy. If you do business with Iran's economy, you will be doing business with the Revolutionary Guards and a number of bad actors engaged in a range of illicit financial activities. That was the genius of the program. Congress played a significant role, but I would say it's been a very successful program. I've been skeptical about whether we can use it to achieve the right diplomatic [inaudible]. We try to look at it from the other point of view: with other countries and adversaries using the same powers, how could we reorient the government to think about
9:54 am
economic shields? With Cyber Command, I'm learning about deficiencies we've got in that area. From an economic warfare standpoint, the folks don't have the time to think through defensive shields, which is why an office of policy planning would be useful in Treasury, to have that directorate at the NSC, and the warfare command with all the powers to work at an interagency level on the cyber side and the traditional economic warfare side, on how we defend the United States. Here's the good news story to me. The state of South Carolina passed legislation that essentially says any country that uses economic warfare against one of our allies will be denied state [inaudible] from South Carolina, and the state pension fund will have to divest from companies
9:55 am
engaged in economic warfare against our allies. At the state level, the state of South Carolina is effectively saying, if you use economic warfare against the United States or our allies, don't come do business in the state of South Carolina. You start to see this spread across the country. Illinois does something similar, and other states are contemplating a defensive shield at the state level, which could actually be created at the federal level through executive orders and legislation to defend the economic architecture, built by many of the same people who have been so successful on offense. >> Let me take one last question. Just so political scientists or theorists out there don't think there isn't a place for you in the robust debate moving forward, and that it's just a place for economists and technologists, we need a
9:56 am
better understanding about how the different adversaries build their strategy towards us. There is absolutely no reason to think what the Russians are doing or how they are organizing is in any way similar to what the Chinese are doing or the Iranians or North Koreans are doing, and knowing and understanding each of those states and how they do strategy and tactics is [inaudible]. One telling point on this is that in the week before the Sony hack, the North Koreans were speaking out at every opportunity they had, screaming that Sony releasing the comedy "The Interview" was an existential threat to North Korea. The North Korea watchers knew the North Koreans might possibly be gearing up to take retaliatory action, and when the
9:57 am
Sony hack hit, they were some of the first ones to say, look over at Pyongyang. Last question, sir. >> James. [inaudible] -- used the phrase cryptographically sound. Some of us are somewhat allergic to cryptographically sound practices. It raises the question about the whole idea that being cryptographically unsound [inaudible] any type of knowledge you have after what you show is possible. Any comments? >> Again, I should preface this by saying today I'm speaking as an individual and not a representative of my agency, department or the U.S. government at large. I should also preface, or append
9:58 am
to my earlier comments, that I'm essentially talking about things that still live very much in the research space. Obviously cryptography is a very different thing versus a lot of the things that still happen in academic circles. When I use terms like security in this context, maybe the better word to use is provable security rather than cryptographic security, in the sense that we quantify how much security we are giving with a given protocol and parameters in advance, and that is the more accurate way to characterize that. >> Well, that is wonderful. With that, I will wrap it up. I thank you so much. [applause] Stay tuned for the
9:59 am
synopsis of this seminar and the survey results. I encourage you all to take it if you haven't. It is fast and anonymous. Thank you again. Have a good day. [inaudible conversations] >> The Senate is about to gavel in for a bill aimed at
10:00 am
cybersecurity in the U.S. through information sharing about threats. Majority Leader Mitch McConnell filed cloture yesterday. Members will recess from 12:30 to 2:15 for their weekly party meetings. We take you now live to the Senate. The President pro tempore: The Senate will come to order. The chaplain, Dr. Barry Black, will lead the Senate in prayer. The chaplain: Let us pray. Eternal God our King, let the earth rejoice, and righteousness and justice strengthen the land we love. Lord, we live in a fugitive
