those are systems people live out but they doing the learn this moral theory in k-12 and in higher ed not much either which is kind of shocking. so i applaud c-span to share ideas had is one book maybe later i'll come and give a bigger sack but i wanted to connect a few dots and share a few ideas with you guys and thanks for doing it for us booktv wants to know what you're reading. ...

all of these issues are a concatenation to say the least. we have terrific people here and we have terrific people for all these questions. he is a senior fellow at the

cyber statecraft initiative. he's program director for strategic centers. we welcome alex. were glad to have you here. she is a former deputy secretary of the department of homeland security and one of the most knowledgeable who was right at the heart of many the debates that the u.s. government had. welcome. most recent addition to the cyber initiative, previously director of glover intelligence which is one of the premier cyber security firms in the whole world, welcome very much. and he will join us into the moderation.

she's a political reporter for cnn focused on cyber security and other national security topics. we have a great group and some fundamental questions. they span a wide set of issues. me turn it over to alex. he will give you a summary of the discussion and lay out some things that the panel can get into. >> thank you. it's a great pleasure to be here. i'm very proud of my affiliation with atlantic council. my other affiliation is harvard but i seem to spend more time here than i do there. i truly value this place for its commitment. i think it's clear those values mean a lot more than military alliances or governments. they also include an important gender balance. we have a fantastic panel. it's not easy to get such an impressive assortment of

ladies in cyber. i think we'll talk quite a bit about values and will have a chance to get into our actual discussion later on. i want to you a rough outline of what i think some of the main impertinent points in my book are, namely the u.s. in particular but the west in general, fairly often concentrates on seeing cyber security is a technical issue while countries like russia and china focus on cyber security as a psychological issue and information warfare problem. the consequence of this is that we are in the middle of a global internet since the invention of the wheel, and my point of view, and most people consider it to be a universal good that we might see this universal good transformed to something quite darker.

it could be used to become a medium of control. this is a nightmare for some but a dream for others. some are pursuing with vigor. the dreams and nightmare are no useful analogies for security threats. i once conducted an experienc experiment at harvard to try to figure out what is more common. common nightmares or common dreams. we came to the conclusion that people tend to have different dreams of what something should be, but they have common nightmares that they are afraid of. this is actually one of the reasons why strategic arm talks had a good point of departure. there was one single nightmare that we were all afraid of, that one mushroom cloud that really bound to the east and west together and basically made sure we had a proper honest discussion on the threats that we wanted to avoid. we don't have that in cyberspace. we don't have a single nightmare that both sides

equally fear. for the west, the most common fear is cyber war occurring due to inadvertent exploration. it all goes catastrophically wrong and what were looking at is infrastructure that can be restored and a society that's either thrown back to the 1950s or to the iron age depending on how gloomy you actually are. for authoritarian states, this is the worst pop possible outcome. this isn't what they fear the most. they see the internet as primarily being a means to them courage to send to undermine the rule and allow for nations including the u.s. to interfere in domestic affairs. for them, the most realistic threat is not any type of

kinetic attack but effectively their rule would be undermined through some sort of uprising through the internet and that will quite physically a threat to them personally. they're much more concerned with matters related to governance and law enforcement and they are with fixing the application of the international law and cyberspace. i call these states that have a simple goal. they want to fundamentally change the way it's currently run which is by a loosely linke linked. [inaudible] by the way, that is the order of priority because civil society has coded most the private sector and maintains it in government can blow things up and spy on things. other groups want to move to control the internet as many actors toward a model that is

dominated by governments. they want to move away from the californian registered nonprofit that internationally minded which runs big parts of the telephone book of internet. the reason they want to do that is because ultimately see information as a weapon and they want the ability through control of different parts of the internet to enact the law enforcement regime that would allow things to happen like walking translated copies of the new york times are taking down websites or things like that. they see the internet as a threat to make you the control as the only way to ensure their stability. the key to accomplish this is to articulate a rethinking way of governance, particularly in the west. the russians have been encouraging this type of rethink since the late

1990s. they have been introducing a bill on the code of conduct in many different ways they have been pursuing this. they are hindered in this attempt primarily by the way the internet really works which means it's quite difficult to say we've now found the un agency will that will take things over but there also helped by the fact that everything time there is a cyber attack or every time is a report of a supposed attack in cyberspace, the agenda is advanced again in the direction they would like it to have which is one that is based on intergovernmental solutions and not a stakeholder solution. joseph nye has talked at length about comparing cyber as a disable or to the nuclear period. he has roughly put there are discussions between east and west around the 1960s so we are still figuring things out, but he also cautions that putting too much stock in this because the actors are too dissimilar.

in the case of nuclear weapons it was pretty clear who you needed to have in the room. today, governments in the room but who decides if it's facebook or google, who else is supposed to be in the room. governments don't play that big of a role in cyberspace and therefore, deciding who else should be in the room is part of the problem. the biggest problem is the discussion itself. by having governments as the sole arbitrator of security can concerns, they are furthering the objective of pushing governments into the controlling role. it's a sticky problem. the more i try to push the issue away, let's say the government stands up, the more the government is taking up too much of a plague in the space and their diminishing the role of other actors and their furthering the agenda of those who want to see cyberspace controlled by governmental organizations. getting us to do something, it

was very often the objective of many of these cyber attacks. to give you two examples that are quite pertinent, a french tv network went off air catastrophically for two days and the perpetrators are supposed to be isis claiming we are cyber jihadists and we will strike you everywhere. two weeks later they leak that they established it was russian military that was behind the intrusion of the critical infrastructure. now the question was, why would they do such a thing. from my point of view, the question was that they wanted to have cyber terrorism. we have terrace use of internet, that is a big complicated issue but we don't have cyber terrorism yet. this would put cyber terrorism on the agenda and it did. her six months and spent a lot

of time in europe running after new discussions that the government had put out until it one point the discussion moved away from cyber terrorism because fundamentally in the west one of our agreements is that we don't support it because ultimately it means control of content that terrace use of internet means something else. cyber terrorism, is another example. we just look at want to cry and other attacks and you have another example of where it might be more interesting to blow something up and call it a fuss rather than steel data. this is why keep coming back to how important it is to understand why a cyber attack might not be information warfare attack. they may not be interested in simply trying to steal your data, they might just be more interested in pushing in a narrative that we saw the past

couple weeks which has been clearly established to be not ransom, they have no interest in decrypting your system. it's quite simply to destroy things. given the fact that their target was not military essential, what was the purpose? those attacks like other attacks have a pattern. those patterns are simply pushing governments to do something in cyber by effectively grabbing the narrative, and the narrative is also construed around security issues. just give you another example, in the uk after the terror attacks they announced they want her to take the leading role in the regulation of data and didn't dismiss comparisons in the chinese way of running the internet. were already in the state where even a country that was formally referred to as the mother of democracy is actually considering a level

of intrusion that only the chinese government would've considered. buckley it's not been included in the queen speech so maybe it won't be implemented. in any case, that was the narrative. >> our moderator said there are many analogies for cyber and those tell a lot about you. if you talk about cyber war then you might think governments the answer, if you talk about public health issues then you might think some type of technological model might be the answer. if you talk about climate chang change. i think all these models are useful to think there is one macro problem we should keep in mind above all else. what is the worst pop possible outcome we are trying to avoid when we engage in regulation and activity on the internet. anything we do. including regulation treaties, developing cyber capabilities, what is the worst pop possible outcome? that is something we haven't

talked enough about. for me it's quite simply that we need to avoid falling into the trap of information warfare. the weaponization of information means that cnn, the washington post, the atlantic council all become pawns in a larger game that are sanctioned only by government. this is a very scary vision and it's not likely to happen in the next five or ten years. at the possible nightmare and i think it's much more likely than the armageddon that kept us on our toes for 50 or 60 years. i think the only way we can avoid this is by having a full commitment and a proper segmentation of security issues that need to be highly separate so they don't contaminate each other. without free speech we don't

have any free society. thank you. >> thank you alex who now you are all familiar with. i am a reporter that cnn. our other panelists feeding get a chance to put a face with the name is laura and then we have jay we heard about earlier. we will just i write in, fascinating stuff and a lot to cover. i think it might be appropriate to start with the particular case that were perhaps all too familiar with but the russian meddling in the 2016 election. it's interesting because it has become discussed as some

sort of cyber event, partially because it involves the hacking of personal e-mails with a sophisticated spearfishing campaign and dumping those on the internet and the destruction of a hacker figure that was used to disseminate these and then there was sort of separate scanning incidents of voter role, one that has been confirmed and possibly one other, although there was no data filtration or changing. my question for the panel, to get us started, is it actually useful to think about what happened as some sort of cyber event, or do we risk limiting public understanding, a conversation of what to do about it by viewing it only through that lens? >> do we want to hear from

someone else. >> so i'll jump right in. and think anyone views it totally as a cyber event. i think there is a broad sense that yes this did happen and there's broad outrage. whether or not your outrage moves you to action is a completely separate story. what do you do about what you know. what do we do with what we know? and that brings us to the heart of alex's book and i think frank also framed the question very well. the internet and their founders, they never imagined the evil to which this instrument might be put, but it has been put. it's also universal good for so many. it's really a universal good. the next question, who will keep the good.

maybe the russians hacking of the electoral system and the intrusion, none of us really thought it would happen. it was in the realm of the unimaginable, but i think it does allow us to focus on who will keep the internet good. >> out of this point, i think the 2016 example and the russian interference shows us the clash that alex detailed so wellin her book which is we have this information security layout of how countries will use russia and china, see information as the main currency of what cyberspace is about, and then we have this other side, led by the u.s. were rethinking about fiber and more of a technical round,

and what 2016 signified in a huge way is two ships passing on the night on how to think about the problem. russia spent a good 16 years at that point particular rating how information security works in the russian mindset, protecting this information, thinking about information as a weapon, and also something that needs to be used to protect people. they been advocating the sovereignty approach saying cyberspace is a place that can be sovereign. well, when you're willing to say that you're putting that out in the u.s. is doing its best to ignore that or disagree with sovereignty as a principal in cyberspace because it goes again so much of the principles that jane was articulating, when you have those two different views of sovereignty, and then the

dnc's network gets hacked by the russians in a move that would breach the 7d of the u.s. in the way that russia sees it then you are really at a challenge for how do you ask government to start to address that, and it's putting us at the center of this debate what we want our national cyber state base policy to look like and how should state exhibit power in this domain and how do you define the domain. i love how much your book has started to unpack some of those questions and i think we will finally start to deal with those two different mindsets and see a real different example. >> i thought it was very appropriate that your book actually starts with terminology that becomes such an essential component of this, and to give you a chance to respond in framing a little bit, laura brought up, how do you respond. you talk about information warfare and how sometimes the response can play directly into the hands of the person

orchestrating the event. how do you start think about, if you're on the receiving end of one of these campaigns. >> i think there's the general concept that we need to come back to that operations are not only significant in achieving the system or stealing data or pre-positioning for war, but it might also have a clear political objective and this is something that is more aligned with the kgb and soviet union have conducted its experiment rather than how the west will construct their thoughts. it's always been a constrained issue on the military level fairly low down. russia and china has always seen us as being the most important paradigm.

it's just how a lot of these have been raised and they come to see it naturally. i think it's quite important that we also just come back to what can be done about it and how should we view it. the european view is interesting. they will say to the americans, look, we've been putting up with this for four or five years. it's nothing new for us. the level is ramped up massively but if you look at sweden, sweden has been undergoing information warfare that puts the u.s. to shame. it has everything in it. has blackmail and smearing people, it had over it over military threats, everything was there. what happened, effectively, if i get the numbers right, the approval rating for joining nato went from something like 16% 49% another reintroducing the draft. if failed. one of the objective was itself.

why was it so successful in the u.s.? if failed in france and germany and estonia in denmark and sweden, a lot of other countries. i think this is one thing i only addressed the tail end of my book because it happened after i finished writing it, but it's quite easily summarize about. if you look at numbers that i put in the back to me can see with the level of trust work. with only 20% of the u.s. public thought that the mainstream media was doing a good job and only 6% that congress is doing a good job it can be a real surprise that the u.s. was such a target. why was there such a low level of trust? you can't find anything like that in the western european nations. this was for me, the point that we haven't sufficiently addressed, how can you even have an approval rating of six or 7%.

chinese to say if economic growth drops there would be mass unrest. it used to be an official position of the chinese government. now they've lowered it because the world has amended for them, but fundamentally they don't think they could get by with 20 or 30 or 40% approval rating. no democracy can survive that. so how do we get to that 6% approval rating. i think that's a question we should all ask. >> if you gonna push back on this little bit. in this first that were not particularly exceptional in the fact that the public is angry. all around the world the public is angry. whether it's rio or istanbul or in the face of london and paris or in the united states. the occupy movement from many was a manifestation of this undirected, unguided mad and

i'm not to take it anymore. i think it's fair to say that the public's trust and institutions globally has collapsed. we don't trust banks or businesses or the media for the market. these various institutions react with a range of emotions themselves. the media is indignant that we don't trust them. why should we care what you think. i think institutions have to go back to fundamental pencils. here's why you should care what they are presenting to you. what i am arguing is in the wake of snowden, i traveled a lot back and forth in one conversation was particularly affecting me, my german counterparts had a very interesting colloquy among themselves. at first they were embarrassed

and right under our very noses, how could this have happened, others were criticizing the leadership that there were shocked that there is espionage going on but then they turned to me and said why are more americans outraged about edward snowden. plenty of americans are outraged, but what we know fundamentally, in our system, our system will correct itself. i place a lot of faith that we will correct ourselves. they say that's what you don't understand about our political system. when they moved to the edge, there is no safe spot. they fall over. i was stunned to hear that. i think we really need to look at this instance of russian hacking into the u.s. election, there will be more of it. there will be others and it will happen in other places. we really need to understand this fundamental western of trust.

had we market trust in public spaces. the fact that the public everywhere is angry, people kill each other with purpose driven anger. this is anxiety -based anger. we are not sure we know how to architect trust. were not sure we know how to architect trust and institutions in public space. i think that's at the heart of this question. >> alex, to your point, how do you get to 6%. the question now might be how do we get back up to 15, and congress have done that. actually, in the past few years, congress approval rating has tipped back up over what john mccain loves to say his relative growth. one of the things you said in your introduction that i thought was fascinating is that the objective of many of these information workers is actually to consolidate power in government, and you mentioned other government

that experienced this, in france on the eve of their election, they have a very similar episode where some campaign e-mails were hacked and a hacker emerged on the internet reporting to have all this inside details in france, actually, in their government has the ability to say that 24 hours before the election, media you can't cover this. many institutions also who operate in france and follow these rules because if you operate there you have to follow the government rules. you see sort of a what you do, is there something more for the government to do to protect ourselves were you seem to argue the exact opposite must be true. how do you unpack that tension of wanting us to have a national response but almost fearing that could play into the hands of the objective. you come from the private

sector where they often have good intelligence as the stuff with the highest level of classification. how do you start think about what the role of government and society is. >> it's a huge question. i think alex would've written the book solely about this if we knew the answer. but, at the heart is, who do you trust in a space that is abstract. one of the lines that i really liked is that cyberspace is abstract. you have to have an interlock. whether it's the government or what have you, to understand what is going on on some larger macro level in cyberspace. i'm not convinced there's any easy answer to say the government holds the cards or

the private sector does or what have you. i think that is why the model has persevered as long as it has persevered, given the ups and downs and changes in how distribution has worked, over all these elements that have changed in the time that we've all been watching this. thinking from a more proactive sense which i think is what you're trying to get to, what steps do we need to take or what questions do we need to ask that currently exist to govern the internet or translate what's happening to the internet is, who holds what role and where do they carry forth that role. in the private sector, frequently whether they're investigating a fortune 500 network for the fbi won't be the first call or whether the

first call but maybe the private sector sat on it or what have you, but where is their insight coming from industry, what is the right level of oversight or lack of oversight for how those findings should be shared. when you're sitting there as the person in a government seat or private seat with eyes on the network and malware that's never been used and something like that, what's your duty to talk about that to the rest of the world? knowing how huge the implications are around us. >> we are the ones to respond to the dnc hack and we came out and said we know these russian government hackers there was the intelligence community that followed suit months later. even in releasing originally back in 2014, the report of this group, i'll tell you we lost a lot of sleep. there's people in this room

who lost a lot of sleep deciding whether we should reveal that we had a judgment from this group and the tools behind it and that contributed to that conclusion in 2016. these are really weighty questions that a lot of different people are dealing with. what mechanisms make them more predictable, with or without government oversight is a huge question. >> so the trust issue that we keep coming back to which i think is fascinating, if we see trust from a micro level, a technical level, there are interesting things to be learned here. information security works on the trust level. people exchange information with each other according to their own protocols, sometimes the information should not be

shared because of legal reasons work in structural obligations. trust is the most important thing among the defenders of the internet that's also what built the internet. the internet couldn't work if there wasn't trust. the whole thing would collapse immediately. it's built upon trust. there are different ways of doing that. having a different people involved is one way of doing that and it's not an immature way of approaching the problem. it's a very mature way. at a slightly higher level were talking about national response responses. one of the things i've argued before is that the only way governments can do something like whole of nation response which is not like whole of government because it includes not state actors is in western democracies that encourage the nonstate actors. you can't say we have a law and what is your public

private partnership, they say what. okay, you can do it that way, but it's probably not going to cover all the bases you want to cover. interesting to note that the tv channel knocked off air wasn't designated as critical infrastructure therefore it wasn't an act of war for someone to knock it down. it was clearly walking up to the red line and see what happens. so endangering trust is critical if they want have nonstate actors involved. we saw for instance the obama administration, the last few years, there was a big push to go out and encourage them to be much more supportive. that wasn't by accident. but they also went out of their way to encourage trust with its international partners.

obama gave a famous speech where he announced limitations , it had never been done before. the reason was they were fully aware of the fact that trust with such an important factor here. i think maybe things still hadn't been developed with how we communicate cyber developments when we talk about trust. for instance, there's no definition about what these capabilities are. you can look and find the documents and a lot of other acronyms but you won't find classified operations and exactly what they can do. it's like basically saying, here's a weapon system, we can't tell you if it's a plane, tank, submarine, biological weapon, but it's there and we might use it or we might not use it. you will be helpful to have an open transparent discussion on what these capabilities are able to do, what they're supposed to do and that would

encourage public discussion among states that will be very helpful just to understand what our government capabilities in cyberspace and figure out what are common nightmares. we do have a common nightmare of the lights going off. they will always be interested in their physical security because they can make it very clear this is what we can do to you and were pretty sure you can do this to us, let's figure out how to not make that happen, at least by accident and will make a huge step forward. >> to bring this to another case study because we could probably talk about this for even more than were allotted today, to talk about some of the ransom ware tax, one things that's interesting is the department of homeland security has been saying this is an example of how our model has worked, the attacks have not hit the u.s. as hard because we have such a robust private sector to do the basic updates to software.

there aren't as many bootleg diversions of things in the u.s. and that type of thing. we talk about these ransom ware tax, have best practices emerged and how does it affect the model for one of your favorite topics. >> there are couple of things that are historically interesting and that's how governments have struggled, every single one. every government has struggled with its role in cyberspace. the key questions, how do we architect systems we can trust from components we can't. how do we ensure the integrity of information and identity and an open internet and what should the role of government be. every single government that has tackled this problem has had a fight internally between the military intelligence in that community and the rest of that government.

you can sort of see who's one. i have set for a long time, we cannot run cyber security as if it's an intelligence program for this country. we will not be safe. i think the key role of government is to tell us, how should we distribute responsibility for cyber security in this country. what should my role be as a use user, as an enterprise in a software developer and manufacturer of hardware. i'm a big believer, as you know in basic cyber hygiene. why isn't government telling us, telling every enterprise there are four or five things you should be doing that will reduce your vulnerability by well over 80% and pick a number. hardware asset inventory. you know it's connected to your network. software inventory. you know it's running or trying to run. permissions control. you know who's wandering around your network or who you've given permission too.

so people have access to information and they have no is thus having access too. then, an automated system in place to alert you to the proper patches that you need to take expeditiously and are you patching. people used to ask me in homeland security, what keeps you up at night. >> working 20 hours a day. but what's the greatest threat that you see. unpatched vulnerabilities, absolutely. to me, without question. when we get down there, have ever been spent discharging their role? alex is arguing strongly that they are overplaying their hand, that there's a movement for government to control the internet and there's no question, there are a host of governments that believe governments ought to be at the heart of who sets the rules, but the rule should be who has access to them and under what conditions. there's others like the united states and a number of

countries from western europe who believe in this multi- stakeholder model. why is this so important? i think in my lifetime there have been four strategic questions of the world has had to confront and when we confront them successfully we confront them multilaterally. the new multi- lateral is him, government at the national level o level may not have this right but ask any mayor, it's the only game in town if you want to get things done. they work with the private sector, for-profit, not-for-profit, churches, they are the equal opportunity convener for solving community problems. those four strategic questions have been, how do we save the world from this happening again. what we have. we have the un, we had nato, we had a number of multilateral institutions established that flourished. have gone a very long way to answering that question.

during the cold war and the potential for nuclear annihilation, the term was multilateralism. in the post-cold war we were struggling with these issues and today, we have not presented that answer. so alex may be onto something. the new multi- nationalism is multi- stakeholders. >> do you feel like there is a win anywhere in these global ransom ware attacks, any lessons? i remember a couple years ago i was watching a panel and they were sort of going on about how i could envision a world where we just consider it the cost of doing business that we have to pay $20 and bit coin to open our refrigerator or to get to our cars. ransom ware would be so ubiquitous. i don't think right now, as a weapon but what happens when it shuts down hospitals.

what are some of the lessons? did the u.s. do something right? do we just get lucky, and what we do next. >> just to come back to the multi- stakeholder point and how regulations fit into it because that's a key question. i think it's important to note that it includes one to have very different views about what the internet looks like. it includes france and sweden which is probably the more liberal than the u.s. there's a lot of different views. have different views on how local regulation and relationships work. that's fine. the stakeholder model is not that they hand off everything and use president obama's expression that cyberspace is the loblolly west, it doesn't have to be that way.

there can be rules. the point is they are agreed within the framework that effectively accounts for the stakeholders. it's very tiring when you work in international security, and i've been part of the negotiations for nearly nine years and you have to explain the diplomats that it's nice that they've developed this but really these actors, they have that already and they're going to solve those problems 50 or 60% of the time. if we did proper cyber hygiene then we will effectively drain the swamp a little bit. we would lower the level of which serious cyber adversaries can inflect serious damage. one of them is that effectively 89% of cyber attacks can be taking care of with good resilience measures.

that's deftly true. the adversaries will always use the cheapest tool at their disposal. why should they use the magic tool, right. >> on the other hand, a committed attacker will always get in and that's probably not going to change. man is the measure and the easiest devices if i call you up and ask you to give me your information. that's what social engineering is about and cyber is just a detour. there will always be different ways to do the attacks and we won't be able to fix all of them. if we drain the swamp on all this distraction and noise that's happening and we can deal with more significant issues and that can be done with local regulation and it's not a contradiction at all. what would be at distraction would be to say there's a general body worldwide that says all content has to obey this particular criteria and

one government has its problem with this and you're obliged to take it down, no questions asked. that's the type of model that has been put forward for many years. and it's also important that amongst different actors and the private sector, the private sector also engenders trust with government that they are able to manage themselves a little bit. >> there is, however, on both sides, there is awareness the stakeholder model that there's these big bodies that have to be engaged with and give them their due. i think it's a question of how we engender trust not necessarily what that model does. >> to make it really topical,

i think there are a couple glimmers of light and feel free to argue, but the information security community, i know there was a researcher in california who was the first to kind of figure out by accident, redirected the dns and basically stopped want to cry in its tracks over lunch. he was very humble about taking credit for this, but they have been the first to the scene on some of these major corporations that have happened. the other glimmer of hope in the virus is i was in closable when it was happening. coast of oh, everyone couldn't stop talking about it as if this was the moment when they use this to wake up.

even though some of these incidents might be in the technical community, and of look down on as that was so simple were it wasn't sophisticated, they have an enormous wake-up call not only on the cyber hygiene side, but for companies and basic practices, the digital knock on your door that needs to be taken by companies and government at large. they can have an enormous effect in mind share and i think that's what this spring has signified. >> to talk about the cyber wake-up call. i remember having panels when we talked about the target hack as the cyber wake-up call, and it's funny how quaint that seemed and yet the principle that were talking about hasn't really changed. i want to pull a different thread for a moment. one thing that struck me in your opening remarks that

seemed so old and cliché but yet so relevant is the question of attribution and how you reference, how important when you talk about responding to whether its information warfare or ransom ware, how important is it to establish who's behind it and what their motivations are when were also talking about trust and how many americans still have doubts that are sometimes fed by their own interest that russia was behind some of 2016. >> i think this is not only an interesting question, but an important one. information security industry has really revolved around threats and identifying threats and the threats that are posed to you. i think one place we haven't gotten it right is that they treat every single person as a

special snowflake. you need certain information that's about you. i mean really, we are all on same stuff. that's why the message of hygiene is so powerful to me. we want to change the game we need widespread adoption of hygiene. what's the most important invention in the history of mankind? soap. right? then my colleague said wrong. commercial so. it was making it available at retailers, retailing soap. so your point, we still have this fascination with the upper end of high-end cyber threats. it was kevin and his group that were the first ones to call out the chinese a number of years ago. i think united states government, we were the last. so why, if hygiene is so

effective, why are we hearing more about it from governments who should be authoritative on this. i think because in part, government is preoccupied with the high-end, and for very long time we treated all of these problems as a matter of intelligence, and you're not clear and this is treated as a nuisance and wanted it to go away. if we only knew what the government knew. if we only knew what nsa new, we could protect ourselves, just give us that information. it is going to take a village. it's going to take all of us in the game, and people identifying threats. i tell my daughter brush her teeth, wash her hands, don't share your food. i give her that basic hygiene which is what most people need. >> you sort of work for the leader. >> attributions always going to be the natural question, who did it. it's just part of human nature

and a requirement in response. i think jane's point on yes we been talking about threats went on the defensive standpoint we need to talk about hygiene. yes that matters in a sense, but what were talking about international cyber security, were talking about these bigger questions on how to states respond on whatever the incident might be. attribution is always going to matter. i think we have come a long way from the days in 2008, 2009 where was still a way to throw your hands up and having them part of a team. there was definitely a desire and we were really motivated to go and figure out how we

see this intellectual property theft and put a face in a unit behind it to really explain it, but it wasn't attribution in and of itself. the goal was how too do something about it. attribution as its own sort of desired state isn't really the question. it's what are we doing attribution in order to achieve. i also have some last thoughts on this and then you better have your questions ready because i'm, and you next. >> the question of attribution has always been interesting. either people weren't clear on the answer, one of my favorite means that was put out by an industry complex several years ago was by a gentleman who says he believes in the james bond theory of technology that everything that's ever been will happen in reality.

somehow there's a magic black box. my point was what we saw on attribution over the years is basically fueling our responses to our level of knowledge. for years, the points that other governments try to make is that the response doesn't have to be cyber. it can be diplomatic or military or something else. it also means you can time delay it to me to make it reversible, he can do a lot of smart things that common sense tell you is possible. that also works at other levels. however where i think we still have a problem is communicating and even in u.s. but what does it really mean. when people say we have a pretty good idea or we have high confidence to a certain country or certain nation,

some people including decision-makers in the u.s. might think high probability means a radar. i can tell you with 99.9% probability that that missile came from north korea. and i think that will ever be possible in cyberspace depending on what kind of attribution we do. you might get 60% or 70%, but even if you sitting on somebody's machine and you see the guy typing something and it can still be a false flag operation. mean summary else is doing it. they're pretending. it's all theoretically possible. that's why it's so important that we've developed a non- kinetic, the sanctions, the flo flow, the other ways to respond that don't involve cyber. that's been a key development. i don't think however we've made it clear that things can go catastrophically wrong. one thing i'm concerned about is that will see a false flag

in the false terror attack which could disrupt the internet and it will be fake, but we won't have the ability to say one 100% sure this is what happened. this is the kicker. even if we did, would we believe the u.s. government which is probably the only government that has the capability to solve it. i saw that after the sony attack. people who knew better were totally questioning the u.s. attribution in north korea. they knew better. that was north korea not being a highly advanced actor, it's very unlikely they got that wrong but they were still questioning it based on the focal circumstance. this gets back to information warfare. that's the ultimate win. we can the trust. one of these trust elements

that we have is between the citizenry and the government. also the private sector, but that's the whole point. the bonds that connect them our trust. weakening that trust is exactly what we should allow to happen. >> were wondering if there's a play left on the table sometimes on how these are orchestrated. i'd love to turn it over to folks in the room and those of you watching online, you can tweet your questions. :

.... .... >> i will have one point to add on that. i think that even though this so-called equity problem is

ongoing. i think there was emphasis on defense and i think that is because it was expensive to do on a political level not on a financial level. it is much easier to draw up defense capabilities and say we have a determinance model. it is difficult to do versus small countries who can do that.

it is easier than cleaning up the mess afterwards. all these things would not be politically possible. now they are increasingly possible so that is why the cost is decreasing. >> i take your point that some countries are better at cyber defense but we are larger and don't have the luxury of some of the conditions they do and we have a larger role in global

governance. my concern is this. i like the idea of a multi stakeholder internet that is a place in which we express our interest but i think that may be too self referential. we glued it to our electoral system. if somebody regards our critical infrastructure as a battlefield they will regard the internet as part of the battlefield and we may be seeing an evolving concept of operations. we may not have there luxury of referring to the internet as this global common that we so much admire and that i would like to see sustained. i think we are looking at other countries that have a different concept of operations and just as germany had an unpleasant consent of warfare but redefined warfare in the second world war.

it redefines the warfare and other countries have to adopt that redefined concept. we might want to think about this from a policy perspective in the world in which we can't define the internet in the way we want to and other countries may be defining it as essentially a battlefield. >> has the government model already gone? >> others see it differently if they've been attached to things the german government refused cybersecurity because you shouldn't put anything critical on it. since that has happened to should we now make it more secure by redefining it there are little fixes that could have been made to make it more secure naturally and that is in part

what is happening all the time, so we have the example of the 28 or 29 dot add the kill switch on the outbreak. this brings us back to the sacred heart. there's an argument could be said of the super critical infrastructure we should be thinking of things differently. there is something to be said for the systems so they shouldn't be the way they are right now and they shouldn't be allowed to be the way they are right now that is dangerous. that's one argument. they cannot be changed. how much sense does that make. there are similar examples people have their approach online. i think would what i think would be the wrong approach is to say to rip this up with go into the e. adults made a new one. when they voice their opposition to the stakeholder model and say to the stakeholder model and say the government should be responsible for this because it is such an extensional issue for everyone okay let's play this back. they have a nonstate volunteer. are they going to take orders from you or another agency, that's what they've already done with some parts and other things. they are still going to build

the internet into different parts of it it will be probably completely legal and it's important that we keep the people that built the internet up on the nonstate domain and then coming in to the domain that was built with consideration will not solve the problems that will only make it worse because of all of the other ranges of the issues, you are basically protecting the grid. >> was basically right about the question you can be first, fast or powerful. when you are powerful it sort of doesn't matter when you arrive. so, to your point, many people believe the government have already militarized cyberspace.

for the same reason we've glued to the economy to the burgeoning systems so as you are opposing your adversary it takes account of that. an interesting question is when we move to more symbolic forces because we can do such to an adversary in cyber space we've seen something ordinary examples that may suggest the answer to the question again. question if you can wait for the microphone. >> i've been working with multi-stick with the processes

so i'm excited to hear your i've seen a lot of multi-stakeholder processes that go off the rails and at the task force we had deadlines either self-imposed or external and we have everybody in the room to veto any solution. the problem with the things you're talking about making the internet more secure, putting some control in cyber attacks is we don't have deadlines or everybody in the room that can possibly veto the solution you got here from the cyber warfare is often their own classified little space. we might actually get a solution

>> question from this side of the room. >> i've been working with multi-stick with the processes so i'm excited to hear your confidence in innovation. i've seen a lot of multi-stakeholder processes that go off the rails and at the task force we had deadlines either self-imposed or external and we have everybody in the room to veto any solution. the problem with the things you're talking about making the internet more secure, putting some control in cyber attacks is we don't have deadlines or everybody in the room that can possibly veto the solution you

got here from the cyber warfare is often their own classified little space. we might actually get a solution in the broad agreement to some kind of approach to answer the questions. >> to which problem? >> we talked up the talk to the cyber attacks and when it is appropriate to bring down some of the infrastructure. there's a lot of talk about the cyber norms and doing something to pull the government back from using these tools.

it would be nice to have a global agreement on how encryption will be employed and whether it will have these different problems and there is no place that we will get this answer. >> i once described this in the book is a favorite and we are looking at a wall or fan you won't show less text 01:12:51 have a common picture. those are dealt with in the government's terms by different agencies into different technical experts are involved. one of the things i argue that people shouldn't be merged together as they do different jobs right now including arms control people and law enforcement people. that makes it quite difficult

for instance to draft a response measures or stand with the dangers of what those are. the example i gave for instance on the international arena is for the crisis communications. where i was a part of the working group that helped was around the crisis response. of the hotline telephoned the u.s. and russia have developed in the group and another in the eu so now we have five different ones. people were just developing additional mitigation without knowing what's out there these

are complex issues and there are different parts just like medicine is complex nobody understands every component of medicine or the financial system. we do need to be able to understand the different components that can be tackled in different ways and the way that you were referring to this for instance i think there is a triad approach to the cyberspace talk about the international law that is an important conversation to have. >> the second would be to talk about economic issues which are so important to so many nations. it is a whole contact us -- context so it's not like we agree it is illegal we only

agree how to communicate with each other when we have the agreement that is illegal. that is the infrastructure that hasn't been changed completely it's about small components in the community and in my mind the triad approach to this problem keeps it separate and keeps it from being merged together into this dark web configuration to exercise the controlling interest of all of these domains so absolutely they would have a problem to be solved for the un discussions but they would figure that out. but that discussion should have been there and it should not involve a discussion in my mind on for instance internet content or internet-based exclusion infrastructure. this should be held in the

government and they keep these things separate from each other and it makes it clear they cannot be merged together were compromised. you've seen how things can slow down. it is the topic of interest were there particular code they say this is going to be the stuff that will run in the future and we own it. people are like sure, okay. no. were they go someplace else. they said it's not like an organization that exists. it belongs to something else. and that is just the name of the hotel. it's nothing else.

they are just going to go someplace else and the system deserves flow but it's better rest. it's not country by country. it's global. so, to once again for a -- force you into this but i'm curious on your thoughts at this. there is a marketplace that is still affected by all the things that may or may not field a response. >> how do you attack this when we cannot even define this. if we are talking about this domain like it's something you can have a broad expertise i

think there is a huge problem in categorizing. cyber security is an enormous field that the power to say, and this is where the majors of the world gets to play in this land is this something that we haven't seen before or is this something in the arms-control framework. i think there is a huge translation problem that we have and a need for bucketing the technical side. it can play together to find out what is assigned to that and doesn't. if i may we have a question from

twitter from someone watching out there in cyberspace. i believe this is picking up on the theme of the question earlier in terms of the loss of the cyber weapons which i interpret to mean losing control of a weapon that has been developed. to your point how would that be handled in the international wall and how would it be handled today and ideally what would you like to see in terms of the if i may we have a question from twitter from someone watching out there in cyberspace. i believe this is picking up on the theme of the question earlier in terms of the loss of the cyber weapons which i interpret to mean losing control of a weapon that has been developed. to your point how would that be handled in the international wall and how would it be handled

today and ideally what would you like to see in terms of the issue? >> i am not an international lawyer y to say that. it is a control in cyber weapons but i've been following for a couple of years and we don't have liability laws for software. so you really can't sue anyone so how would you be able to sue the u.s. government if they lose control. it's based on a different premise but fundamentally it is a different commitment. it's not only losing control of your software but also when your staff go off and do something on their own time than this has been the case probably in china and russia they do that on their

own time. the international law if you are an employee with a special skill set working for skills that working for a government organization and you go off and do something the government is responsible. a little bit more difficult when it's about something as intangible as software but i do think it is a political liability and many were being scratched and people were very embarrassed by what happened. i only hope that they are more careful in the future. but there is very little legal risk.

>> it is a question in and of itself so it is too big to start here. i had a talk a few days ago cybersecurity solution to this problem what would be your thoughts on this? >> that goes back to the attribution and the notion of the cyber forensics and what that place. i hate to say but it depends. more broadly figuring out how to more broadly figuring out how to prevent the type of attack or the type of compromise that you

see. to prescribe a framework that would give other players that are looking at how to handle forensics would be difficult. i think a place where the government can play a helpful role in the consistency of reporting around forensics is nomenclature. everyone's version of cyber attack is completely different. you can take the computer network attacks and go under attack. you can sort of pick whatever your choice is. any level of consistency so when

they say this has happened at the hospital or the french government comes out after the government comes out after the incident. i think that's how base and we are in our ability to talk about the network incidents. >> how big an issue is classification in this space if we talk about the current theme of trust being able to describe what happened and one of the ways that their remains to be doubt all that is ever released is this sort of top level stuff. you might get some specific addresses but they are proprietary information in the

private sector to reveal some of tactics. when there is so much stuff that is way you probably would answer it is the way that it's dealt with in the u.s. anyway so there's the nonproliferation treaty and they constantly get different sources and going through the process i don't fully understand is either considered incredible or not but more importantly is what we heard before hand about trying to establish the common metrics and certain events because that would be enormously helpful. we need to define the cyber operations in the cyber war and have the dictionary turf. it's one of those things that

has been hard to find but we really ask those guys in the community to be very specific in their types of classification objects and type of attacks that might help move the dialogue forward and i hope they will keep it in the technical dimension. those of us that are joining here in the room there may be some opportunities to continue without the microphone. to the wonderful panelists and

all of you for tuning in and your great question the atlantic council has many of these and we can all look forward to the conversations. >> it is one of those things that has been hard to define. if we really push on a risk management level and really ask those guys who work in mismanagement community to be very, very specific in their types of events that might move

the dialogue forward. [inaudible conversations]

>> c-span, where history unfolds daley. in 1979, c-span was created as a public service by cable companies and is brought to you today by your cable or satellite provider. [inaudible conversations] >> welcome to tonight's program of we are very pleased and is a contributing opinion writer at "the new york times" as well as the school of information and library science and also of the offer of "twitter and tear gas" which is for sale for good you are not familiar we are an organizaon