and that is a fascinating reading and i really enjoying that. that is it for now. . >> i am a distinguished

fellow on the board at the atlantic council welcome to this session we are delighted you're here. this event is part of the center from international security. we are followed on twitter so all of those there online we encourage you to join the conversation if you have questions you can send them and we will try to incorporate them. the conversation is about the book "the darkening web" via alexander klimburg you can pick that up by your local bookstore. it is an outstanding book i have read parts of it and i recommend it. though whole series of sight -- cyberseries is to bring

experts in of the public together in conversations of the importance so we have a terrific group here today and you all know that we have had a lot of incidents in the last few weeks. like ukraine, rand somewhere , and multiple sets of questions. the internet raises issues that the originators and never really thought about. is say public good or the international public good so who will keep a good? have to do that? rigo there are problems at the how do you handle the question? there is the approach from the

multi a stakeholder bottle how do they relate to the stakeholders? and what are the issues between them? we have lots of threats stage actors all of these issues and as you think about these questions but what problem are you really trying to solve? not the technology but the problem. and the problems range considerably. go to the other end with the cyberconflict of questions of espionage crime and terrorism then bill whole influence arena some people talk about hybrids or influence in how that

differs from attack on operational systems what is the role of government? and one year ago established the e.u. coated conduct from mine hate speech touche notified the platform companies and it is illegal in many places in europe and germany just creative legislation to that effect. we have terrific people here for all these questions teeeight nine has written the book on this called "the darkening web" and program director for strategic studies in with european

security policy. glad to have you here. and yes ceo of north america the department of homeland security. and that is that the hearts of many of those debates but the most recent addition stiver security firms and that is by a the moderation as a political reporter for cnn. and those wide set of issues

for now level turnover to alex in to lay out some things. >> it is a great pleasure to be here but i think there's more time so whit that transatlantic values it is clear there right now those military alliances or governments and we have day impressive assortment so congratulations on that as well. i hope we have a chance to get into the weeds with our discussion to give a rough

outline of those main points but the u.s. in particular very often it concentrates cybersecurity as that technical issue like russia and china concentrate on that psychological issue. and the consequence is with that global internet and what most people would consider the universal good that we see this universal good transformed to something quite darker. but then to be controlled. but it is a nightmare for some individuals but for

others it is a dream to pursue. someone once conducted an experiment to try to figure out the nightmares are common dreams and people have different dreams of how they should be and this is one of the reasons the strategic arms talks there is one single nightmare that we were afraid of that would bind the east and west together for what we wanted to avoid we don't have a single by mayor and with that narrative with that

inadvertent escalation and then day spiral out of control and what we are working at to be restored to go back to the 1950's but for others it is of the worst possible so the and that most realistic -- threat that it is primarily a means to allow the four nations to interfere in domestic affairs so then it is a type of a new type of attack but through those plans through the internet that would be a threat to them personally so they're

much more concerned with law enforcement than the application of international law. so i call them as a simple goal to fundamentally change the way that is from that loosely linked complex and that is the priority here and government can blow things up but they want to move the control and those that are dominated by the government's to move away from california the registered nonprofit but

that is a big part of the domain name service. and olsen of the they see that information as a weapon. and then to an act that law enforcement regime. such as blocking translated copies of "the new york times." or to take down websites. that is the only way to ensure the ability for crowfoot so to think of the rule of cybersecurity in since the late 1990's with un general assembly in different ways to pursue this.

so is difficult to say we're forming a u.n. agency but every time there is a cyber attack with that malfeasance and with the advancement of the intergovernmental of that stakeholders' solution. so comparing cyberin with that state of discussion around the '60s so still figuring things out but also cautions because the actions involved are too dissimilar ended is pretty clear who needs to be of the room.

and then don't play that big a role in cyberspace but the biggest problem is as a sole arbitrator and security concerns and that is a problem. and then the government stands up to say we defend day multistate colder to take up too much of the play in this space to further that agenda and then getting us to do do something and then like in 2015 the number

of channels over catastrophically and the perpetrator is supposed to do be isis and two weeks later the french government to establish a was military intelligence and so the question is why would they do such a thing? from my point of view it was obvious to have cyberterrorism as a narrative have use of the internet we don't actually have cyberterrorism at. so over six months spending a large portion of my time they put out regarding cyberterrorism.

because fundamentally one of the agreements is you don't support that narrative of cyberterrorism. that is what it means the use of internet. the there is another example of another example is more interesting to blow something up with that political narrative. this is why i keep coming back to how important it is to understand why the cyber attack might be information welfare attack. maybe not to steal your data but simply pushing the narrative that we saw in the last couple weeks and they have no interest to decrypt the system you cannot even reach them online so what

was the of purpose? and those attacks have a pattern that pushes the government to do something and grab the narrative that is construed so after the terror attacks that she was the case to take the leading role of data so we are already in the state that which is referred to as the mother of democracies was considering this level of intrusion but luckily it was not included in the queen's speech so maybe it would not be implemented.

so there are many analogies for cyberif you use them talk about cyberwar. talk about public health issues for climate change but although these are useful but there is one problem we should keep in mind above all else. what is the worst possible outcome that has greengage than government regulation? and with the cyber capabilities with the worst possible outcome we're trying to of with. and for me and to three

effectively announcement and its asian of information cnn of "washington post" are all pawns sink to by government this is a scary vision may be happening even 10 years as a possible nightmare bernanke designer chose 60 your 70 years. and then to have those full commitments and that proper segmentation of security issues that need to be high in the separate to fundamentally in danger as it is today. because there is no free speech or free society. [applause]

>> day que alex and i am a reporter at cnn. to the other panelists so we would just dive right in and it is fascinating stuff with lots to cover it may be more useful to start with a particular case that we're all too familiar with at this point of the russian meddling in the 2016 election. as it becomes discussed as a cyberevent of hacking personal emails with that spearfishing campaign to

root was used to disseminate these events as separate incidents with one actual breach was confirmed but no exultation or changing so my question for the panel is is actually useful to think of what happened? or do we risk public understanding of what to do do about it by only through them?. >>. >> so maybe i will jump in. i faked people do that and

there is of broad sense and there is outrage now whether or not that moves them to action but what do you do about what you know, ? and then that brings us to the heart of this book and also to frame the question that the incident mondesi internet what is envisioned but they never imagined the the evil to which the instrument could be put it represents such a universal group for so many it is empowering, uplifting, in foreign -- informing and uplifting it is a universal could but who will keep a good? so bailey hacking of that electoral system is the attrition and then of us thought it would happen but

i fake it does if you focus the mind. >> i think the 2016 example shows us the clash that alex tells so well in the book of this layout of how these countries seek information as the main currency of what cyberspace is about then we have another side that is led by the u.s. in this technical rome and was a 2016 signified a huge way is to ships passing in the night how to take about the problem so russian spent

those years articulating how cedras' security works to protect the information thinking of information as a weapon and what needs to be used to protect people. and advocating the sovereignty approach this is a place that can be sovereign but when you are willing to say that you put that out year after year and the west does its best to disagree with sovereignty because it goes again so much of those principles but you have those to a different views and then the dnc that working is attacked by the russians and then it shows the way of cyberspace is your up that the challenge how the west government can start to

address the as putting us right at the center of the debate what to we want our national cyberspace policies to look like and how they exhibit power how do you define the domain? i am not sure how you unpack those questions but now starting to deal with those to lou different mindsets. >> it is very apropos that you start with of terminology that is so essentials as a component as laura brought up if how do you respond? with bad information warfare and how the response can play directly into the purses and orchestrating the event?.

>> so that general concept that we need to go back to that is significant might only be about achieving of a total in the system or stealing data but to have a very political objective this is more aligned with the kgb a and the soviet union have conducted its experiments rather them the west so it has been that constrained issue of the of military level does us a bad strategic paradigms' russia and china is seen as the way they have been raised so it is important that the comeback how to view that

the european view is interesting especially the estonia or the germans will say that this is nothing new for us. but the level has ramped up massively but look at sweden that has been undergoing a campaign that puts the united states to shame with individuals and black males spiriting people and they are dealing with everything. so effectively the approval rating for joining nato that was neutral went from 16% to about 49% now they are reintroducing the draft sow it failed with ever the objective was. why was it so successful in the united states when it failed france and germany and estonia, denmark, sweden

and a lot of other countries. this is something i only address of the tail end of the book because happened after i finished writing but if you look at the two numbers you can see the level of trust italy 20 percent of the public thought the mainstream media was doing a good job italy 6% thinks that congress is doing a good job that cannot be a surprise that the u.s. is a soft target so you cannot find anything like that in the western european nation not even eastern european nations said this was the clear point to address had to even have an approval rating when chinese to say that economic growth that used to be the official position but fundamentally

they don't think they could get by with 20 or 30 or 40% and no democracy can survive that somehow the we get to that approval rating? that is the question may need to ask. >> to with some perspective united states is exceptional but the public is angry everyone around the world is angry or in the face of london or paris or in the united states the movement for many was a manifestation of and directed and unindicted i am mad as hell and not take it anymore but the public's trust globally has collapsed with don't

trust businesses or banks or media or the market and how they react with a range of the motions themselves the media is indignant that we don't. why do we care what you think? was institutions have to go back to fundamental principles and here is why you should care with the independent observer picks out the facts and not say they're perfect but in the wake of edward snowden one conversation was particularly offensive to me as my german counterpart had an interesting colloquy among themselves progress first they were so embarrassed right under our very noses with the german engineering. . .

there will be more of it. there will be others and it will have been in other places. we need to understand this fundamental question of trust. how do we architect trust in public spaces and the fact that publics everywhere are angry it isn't purpose driven anger. this is anxiety based anger.

we don't know how to architect trust. we are not sure we know how to architect trust in institutions and i think that is the heart of this question. >> how do we get to 6% maybe the question is how we get back up to 15 and congress has done that actually in the past few years the approval ratings started to pick back up over what john mccain wants to stay and the media took down to that level but one of the things you said was that the objective is to consolidate power in the government and you mentioned others have experienced this that they had a very similar episode a figure emerged on the

internet. fans had the ability to say you can't cover this and many institutions also well pervaded france you see sort of a wonderful view is there something more for the government to do to protect ourselves whereas you seem to be arguing that the exact opposite must be true so how do you unpack that tension of hearing that they did a very hands of the objectives. you come from the private sector perspective that but they often have as good of intelligence as the stuff that has the highest level of prosecution because you

see it in the open market but how do you think about the role of the government and society in this response. who do you trust in a space that is abstract. cyberspace is an abstraction just like finances but. i'm not convinced the government holds the cars for all that private sector and what have you and the kind of obvious statement as long as it has

persevered given the ups and downs and changes over all these different elements that changed in the time that we've been watching this space. thinking from a more proactive sense where both steps do we need to take or ask of the institutions that currently exist to govern the internet or translate what is happening to the internet is who holds what role and what do they carry forth. in the private sector, frequently they are looking at whether they are investigating a fortune 500 network where it won't be the first call or maybe the private sector has been on it for the first year or what have you. but what is the right level of

oversight or lack of oversight when you are sitting in a government secret private seed on the network incident and something like that what do you do to talk about that for the rest of the world, knowing how huge the implications are around us. >> they came right out and said we know these russian government hackers and it was the community that followed suit months later. >> even in releasing back in 2014, the report of this i will tell you we lost a lot of sleep and there's people in this room that lost a lot of sleep deciding whether we should reveal that we had a judgment that there is a russian government government groups and individuals behind it and what

have you and that contributed to that conclusion earlier in 2016. so these are questions that a lot of people are dealing with and a mechanism that makes them more predictable with or without oversight is a huge question. >> what we keep coming back to is fascinating starting with the technical level and we take it up to the level of the national response there are interesting things to be learned. information security, what all the companies do which is called information security people exchange information with each other according and sometimes that information shouldn't be shared because of legal reasons. it's also built the internet and

cannot work without it with the operators and other pieces that would collapse immediately. there's different ways of doing that but it's based upon trust. and it's a very mature way of approaching the problem and at a slightly higher level talking about the national response is antitrust on the national level. one of the things we argued before this book is that the only way the government can do some thing in the formation response. they encourage the cooperation and i asked the french government what is your policy on this but it's probably not going to cover all the bases you

want it to cover. interesting enough it was the sick need as critical infrastructure therefore an act of war for someone to knock it down so if you missed that tv station so it is walking up to the red line. it is critical that they want a nonstate actor resolve for instance both silicon valley and other actors to be much more supportive of the government efforts in this space. there is a limitation on the act that had never been done before and was the first world history

because they were fully aware of trust as such an important factor where i think maybe it's how we communicate the capabilities per se so for instance there is no public definition of what they are. you can look and find the documents that you won't find declassified positions in exactly what they can do. it's like saying here is the weapon system we can tell you if it is a plain, tank, submarine, biological weapon, but it's there. it would be helpful to have an open transparent discussion on the cyber capabilities are able to do, what they are supposed to do and that would encourage public discussion among the states and would be helpful to extend the capabilities and then we can also figure out the

common nightmare of what's going on. they will always be interested in the security to make it very clear this is what we can do and we are pretty short you can do this to us so let's find a way not to let that happen and at least make it move forward. >> to talk about some of the ran some attacks, one of the interesting things the department of homeland security has been saying this is an example of how the models work. it doesn't hit the u.s. as hard because they have such a robust encouragement of the private sector to do the basic. there are not as many bootleg versions and that type of thing. when we talk about the ran somewhere attacks on how many best practices emerge and when

we talk about those that were not actually ran somewhere, how does that affect the sort of model for one of your favorite topics? >> there's a couple things that i think are maybe to start their interesting and are they still relevant is how the government has struggled with every single one. the key questions. how do we ensure the integrity of information and identity and an open internet. they have a military intelligence in the community, and the rest of the government.

the key role of government is to tell us how should we distribute response ability for cybersecurity in this country. what should my role be as a user, enterprise, software developer, manufacturer of software so i am a big believe or why isn't the government telling us it will reduce the vulnerability by well over 80%, pick a number. do you know what is connected to your network is running or trying to run. per mission control. people have access to your information and then the automated system is to alert you to the proper patches that you

need to take expeditiously. people used to ask me when i was in homeland security, what keeps you up at night. alex is arguing strongly that they are overplaying their hand and there is a movement for the government to control the internet and there's no question there are a host of governments that believe they ought to be at the heart of who sets the rules, what they should be has access to them and under what conditions etc. and then there are those like the united states who believe in this multi-stakeholder model. why is this so important? because i think in my lifetime,

there have been four strategic questions that the world has had to come front and when we come front of them successfully, the new multilateralism is multi-stakeholder. governments at the national level may not have these rights but ask any mayor and you have to see it is the only game in town if you want to get things done, for-profit, not-for-profit personal thing the community that the strategic questions have been in the wake of world war ii how do we save portal from this happening again. we had a number of multilateral institutions established. they were established and they've gone a long way to answering that question. during the cold war or the potential for the nuclear violation again the turn was multilateralism and in the post-cold war we have not

presented that answer. the multinational for some this multi-stakeholder. >> do you feel like there is a win anywhere? i was watching the panel. i could envision the world about we had to pay $20 a big claim to open the refrigerator. it would be so ubiquitous i don't think as a weapon. what are some of the lessons did the u.s. do something right here or just get lucky? >> it's just to come back to the multi-stakeholder points and

also how the regulation fits into it. it includes ones that have very different views generally speaking and sleep are more liberal than the u.s. so there's a lot of different views and they have different views on how the regulation should work but that's fine. it doesn't have to be that way. it's a framework that accounts for the stakeholders and it's tiring when you work in the international security and we've been part of the negotiations you have to explain it's nice

that they've developed this crisis management function. the other ones are 90% of the time but 50 or 50% of the time. its requirements each nation thinks is important to fulfill and we will effectively drain the swamp a little bit and lower the level of which they can inflict serious damage. 89% of all cyber attacks can be taken care of with good resilience measures.

the connected attacker is probably not going to change if i call you up and ask you to give me your information that is what engineering is about and it is a detour so there will be different ways to do cyber attacks and we won't be able to fix all of them but if we drain the swamp we can deal with it more insignificant issue is a. it will be a contradiction to say that there is a general body in this particular criteria. this is the type of model that has been put forth in which i

think it's also important that the mom the private sector also engenders trust that managed themselves a little bit. facebook wasn't doing that and they find a lot of money. so there is, however, on both sides countries that believe in the stalled debate could stakeholder model and there is an awareness that there are these massive bodies like the civil society that perhaps have to be given their due and i think it is a question of how we engender trust in that model because that will be up to them. he was the first to figure out

and was redirected and basically extract. he was very humble about taking credit where it had been the first of the scene on some of these major situations that have happened. the other kind of glimmer of hope to find, i was in kosovo when this was happening and the newest country in the world, everyone couldn't stop talking about it as this was the moment when they could use this to wake up decision-makers around spending in cybersecurity. and even though some of these incidents might be in the

technical like that was so simple, they had an enormous wake-up call for the companies in basic practices that need to be taken by companies and governments in large summit can't just be mined sharing but that is what this signifies. i remember having panels when we talk about the target hack. how did that really change? >> i want to pull a different thread for a moment. one thing that struck me when we continue to talk it seems so walled and cliché and relevant is the question of attribution. how important when you talk

about responding to whether this information was there and how important is it to embellish who is behind it and what the motivations are when we are also talking about trust and how many americans still have doubt that it's in their own interest to exceed those doubts that russia was behind some of what we saw in 2016. >> this is an important question they said we have failed. they treat every single person here has a special snowflake. you need information that's about you.

we are encountering 90% of the same stuff. what's the most important invention of mankind, soap. commercial soap. we have a fascination with the upper end of the high end of cyber threat they were the first ones to call out a number of years ago. why are we hearing more about it ... the more authoritative on this? they are preoccupied at the high end the high-end the high end in for long time we treated all of these problems and you are not

clear and this is treated as a nuisance and is wanting to go away. so if we only do what they do we could protect ourselves and keep that information to us but what we have learned from some others is that it is going to take a village. it's going to take all of us in the game. brush your teeth, wash your hands, don't share food. that basic hygiene to get through the day which is what most of us need. >> you work for the leader in attribution. >> it's going to be the natural question of who did it. it's not just human nature but the requirement and response to these threats, so i think the point on yes we've been talking about threats when on the

defensive stand point we need to talk about hygiene. when we are talking about international cybersecurity and questions about the states respond to whatever the incidents might be, it's always going to matter. we've come a long way from the days let's say 20 of eight and 2009 how is that a part and there is a desire that is motivated by the motivation to figure out how we explain what we are seeing in the intellectual property and then put a face and unit behind it to explain that.

but it wasn't of itself. it was to figure out how to do something about it. so, attribution as its own sort of desired state isn't really a question. it's whether we are doing it to actually achieve. >> you better have your questions ready because i'm coming to you next. >> this has been a very interesting one. one of my favorite was put out a couple of years ago by a gentleman and said i believe in the james bond series of technology that everything that's ever been in a james bond movie will happen in reality. somehow there is a magic black box in the internet already exists now.

what we saw over the years is basically fueling the response that we haven't fought with make a great event. the u.s. government and others have the response to the significant cyber attacks that can be diplomatic, economic, something else. that also means you can do a lot of different things but it tells you is possible. and also it works at other levels however communicating in the u.s. side has magic contribution capabilities shall we say. so when people say we have a pretty good idea or higher confidence in the attribution to a certain country and nation, some people including decision-makers in the u.s. might think that means like a radar i can tell you 99.9%

possibility is came from north korea i don't think it is that is ever going to be possible in cyberspace. it could still be a false operation at stake. they've hacked into the system and they are pretending to launch it. that's why it's important we develop a non- kinetic response to the sanctions so that has been a key development. i don't think we've made it clear things can go wrong that one but one of the things i'm concerned about is we will see an attack that puts one against the french tv station i talked about but me even disrupt the internet for a while and it wil

questioning it on the political circumstance in this goes back to the ultimate when to weaken the trust. one of them is between the citizenry and the government but that's the whole point of the stakeholders. that is what we should not allow to happen. >> you can send some questions and we will see if we get some good fun. >> the working theory as i understand it is based on some code or exploit that was leaked from the nsa in april. given the nature of information

that can be rapid do they have the ability to proliferate on the state level tools? of course the governments have a responsibility to protect the unauthorized release of the tool. not having the control. that is feasibly answerable to. >> is that something that needs to go in not just in terms of

when you think about what can we construct and is this worth constructing because of the remote possibility so how do they think about that at the front end and not just securing what they have? >> i will talk practically of course you do. medical doctors go through this. lawyers go through this when we do more damage than good. how do we control the worst effects. the public has the right to expect the government is going through that kind of calculus.

the competing interest when conducting the cyber ware or designing something similar they do partially go wrong overall. there's many reasons for that and it is so much easier to do because it is very expensive to do it we might have to introduce legislation it's much easier to draw the capabilities of. in the u.s. case there's other reasons why it is difficult to.

that is all the more reason we need to bring it right to the front. it is a relatively speaking straightforward far less costly to patch on a regular basis they would be relevant for the insurance market and the viability and all these certain kind of things that wouldn't be possible now they are increasingly possible. i would even say they are in and of themselves to show how much trouble they can get into they are now looking at their own system and wouldn't require that much of the government consensus.

>> they take your point but some are better in cyber defense but we are larger and don't have the luxury of some of the conditions they do and we also have a larger role in the government. my concern is i like the idea of the multi-stakeholder place in which we express our interest but i think that may be self-referential. we have glued to that to the critical infrastructure and electrical system. if somebody regards the infrastructure as a battlefield they would regard the internet as a part of the battlefield and i think that what we may be seeing as any evolving concept of operations. we may not have the luxury of referring to the internet as this multi-stakeholder global commons that we so much admire.

it redefines the warfare and other countries have to adopt that redefined concept. we might want to think about this from a policy perspective in the world in which we can't define the internet in the way we want to and other countries may be defining it as essentially a battlefield. >> has the government model already gone? >> others see it differently if they've been attached to things the german government refused cybersecurity because you shouldn't put anything critical on it.

since that has happened to should we now make it more secure by redefining it there are little fixes that could have been made to make it more secure naturally and that is in part what is happening all the time, so we have the example of the 28 or 29 dot add the kill switch on the outbreak. this brings us back to the sacred heart. there's an argument could be said of the super critical infrastructure we should be thinking of things differently. there is something to be said for the systems so they

shouldn't be the way they are right now and they shouldn't be allowed to be the way they are right now that is dangerous. that's one argument. they cannot be changed. how much sense does that make. there are similar examples people have their approach online. i think would what i think would be the wrong approach is to say to rip this up with go into the e. adults made a new one. when they voice their opposition to the stakeholder model and say the government should be responsible for this because it is such an extensional issue for everyone okay let's play this back.

they have a nonstate volunteer. are they going to take orders from you or another agency, that's what they've already done with some parts and other things. they are still going to build the internet into different parts of it it will be probably completely legal and it's important that we keep the people that built the internet up on the nonstate domain and then coming in to the domain that was built with consideration will not solve the problems that will only make it worse because of all of the other ranges of the issues, you are basically protecting the

grid. >> was basically right about the question you can be first, fast or powerful. when you are powerful it sort of doesn't matter when you arrive. so, to your point, many people believe the government have already militarized cyberspace. for the same reason we've glued to the economy to the burgeoning systems so as you are opposing your adversary it takes account of that. an interesting question is when

we move to more symbolic forces because we can do such to an adversary in cyber space we've seen something ordinary examples that may suggest the answer to the question again. question if you can wait for the microphone. >> i've been working with multi-stick with the processes so i'm excited to hear your confidence in innovation. i've seen a lot of multi-stakeholder processes that go off the rails and at the task force we had deadlines either self-imposed or external and we have everybody in the room to

veto any solution. the problem with the things you're talking about making the internet more secure, putting some control in cyber attacks is we don't have deadlines or everybody in the room that can possibly veto the solution you got here from the cyber warfare is often their own classified little space. we might actually get a solution in the broad agreement to some kind of approach to answer the questions. >> to which problem?

>> we talked up the talk to the cyber attacks and when it is appropriate to bring down some of the infrastructure. there's a lot of talk about the cyber norms and doing something to pull the government back from using these tools. it would be nice to have a global agreement on how encryption will be employed and whether it will have these different problems and there is no place that we will get this answer. >> i once described this in the book is a favorite and we are looking at a wall or fan you won't have a common picture. those are dealt with in the government's terms by different

agencies into different technical experts are involved. one of the things i argue that people shouldn't be merged together as they do different jobs right now including arms control people and law enforcement people. that makes it quite difficult for instance to draft a response measures or stand with the dangers of what those are. the example i gave for instance on the international arena is for the crisis communications. where i was a part of the working group that helped was around the crisis response. of the hotline telephoned the u.s. and russia have developed

in the group and another in the eu so now we have five different ones. people were just developing additional mitigation without knowing what's out there these are complex issues and there are different parts just like medicine is complex nobody understands every component of medicine or the financial system. we do need to be able to understand the different components that can be tackled in different ways and the way that you were referring to this for instance i think there is a triad approach to the cyberspace talk about the international law

that is an important conversation to have. >> the second would be to talk about economic issues which are so important to so many nations. it is a whole contact us -- context so it's not like we agree it is illegal we only agree how to communicate with each other when we have the agreement that is illegal. that is the infrastructure that hasn't been changed completely it's about small components in the community and in my mind the triad approach to this problem keeps it separate and keeps it

from being merged together into this dark web configuration to exercise the controlling interest of all of these domains so absolutely they would have a problem to be solved for the un discussions but they would figure that out. but that discussion should have been there and it should not involve a discussion in my mind on for instance internet content or internet-based exclusion infrastructure. this should be held in the government and they keep these things separate from each other and it makes it clear they cannot be merged together were compromised. you've seen how things can slow down.

it is the topic of interest were there particular code they say this is going to be the stuff that will run in the future and we own it. people are like sure, okay. no. were they go someplace else. they said it's not like an organization that exists. it belongs to something else. and that is just the name of the hotel. it's nothing else. they are just going to go someplace else and the system deserves flow but it's better than all the rest. it's not country by country. it's global. so, to once again for a -- force

you into this but i'm curious on your thoughts at this. there is a marketplace that is still affected by all the things that may or may not field a response. >> how do you attack this when we cannot even define this. if we are talking about this domain like it's something you can have a broad expertise i think there is a huge problem in categorizing. cyber security is an enormous field that the power to say, and this is where the majors of the

world gets to play in this land is this something that we haven't seen before or is this something in the arms-control framework. are there mechanisms formed in the last years that people are thinking about this kind of stuff that would serve us well. so i always challenge the other to say what is the right role. i think there is a huge translation problem that we have and a need for bucketing the technical side. it can play together to find out what is assigned to that and what doesn't. if i may we have a question from twitter from someone watching out there in cyberspace.

i believe this is picking up on the theme of the question earlier in terms of the loss of the cyber weapons which i interpret to mean losing control of a weapon that has been developed. to your point how would that be handled in the international wall and how would it be handled today and ideally what would you like to see in terms of the dish you? >> it is a control in cyber weapons but i've been following for a couple of years and we don't have liability laws for software. so you really can't sue anyone so how would you be able to sue the u.s. government if they lose control. it's based on a different premise but fundamentally it is a different commitment.

it's not only losing control of your software but also when your staff go off and do something on their own time than this has been the case probably in china and russia they do that on their own time. the international law if you are an employee with a special skill set working for skills that working for a government organization and you go off and do something the government is responsible. a little bit more difficult when it's about something as intangible as software but i do think it is a political liability and many were being scratched and people were very embarrassed by what happened.

i only hope that they are more careful in the future. but there is very little legal risk. >> it is a question in and of itself so it is too big to start here. i had a talk a few days ago about the institute for the cybersecurity solution to this problem what would be your thoughts on this?

>> that goes back to the attribution and the notion of the cyber forensics and what that place. i hate to say but it depends. more broadly figuring out how to prevent the type of attack or the type of compromise that you see. to prescribe a framework that would give other players that are looking at how to handle forensics would be difficult. i think a place where the government can play a helpful role in the consistency of reporting around forensics is nomenclature. everyone's version of cyber

attack is completely different. you can take the computer network attacks and go under attack. you can sort of pick whatever your choice is. any level of consistency so when they say this has happened at the hospital or the french government comes out after the incident. i think that's how base and we are in our ability to talk about the network incidents. >> how big an issue is classification in this space if we talk about the current theme of trust being able to describe

what happened and one of the ways that their remains to be doubt all that is ever released is this sort of top level stuff. you might get some specific addresses but they are proprietary information in the private sector to reveal some of the tactics. when there is so much stuff that is

way you probably would answer it is the way that it's dealt with in the u.s. anyway so there's the nonproliferation treaty and they constantly get different sources and going through the process i don't fully understand is either considered incredible or not but more importantly is what we heard before hand about trying to establish the common metrics and certain events because that would be enormously helpful. we need to define the cyber operations in the cyber war and have the dictionary turf. it's one of those things that has been hard to find but we really ask those guys in the community to be very specific in their types of classification

objects and type of attacks that might help move the dialogue forward and i hope they will keep it in the technical dimension. those of us that are joining here in the room there may be some opportunities to continue without the microphone. to the wonderful panelists and all of you for tuning in and your great question the atlantic council has many of these and we can all look forward to the conversations. '

>> ..