
tv   Discussion on Cybersecurity  CSPAN  April 29, 2022 7:22am-8:26am EDT

7:22 am
>> next, cybersecurity and threats in the digital landscape, the council on foreign relations hosted this 1-hour event.
7:23 am
>> good afternoon, thank you for joining us. i had the perimeter -- the pleasure of presiding over this conference on deterrence and we start by having panelists introduce themselves. i'm the global head of community strategy at google with product security teams and social security teams, worked across government and private sector on cybersecurity issues. >> i'm emily harding, deputy director of the international security program at the center for strategic and international studies which is a large title
7:24 am
that means i oversee the work of 50 scholars doing tremendous work in intelligence, defense, and technology. before that i spent two decades working in the federal government, the senate and senate intelligence committee and intelligence community and couple years away. >> i am john hultquist, we look at threats from all over the world, centralized intelligence hub where we are developing threats around the world with about 12 years, before that, diplomatic security.
7:25 am
>> a senior researcher, the european cyber conflict. >> we have a great panel ahead and i will give a 2-minute overview on this on diplomacy and deterrence and use that as a foundation for the accommodation. >> i will get started. interesting and broad topic, get back to basics when speaking of proper agencies in cyber domain. there is no common lexicon. my colleague jim lewis determined us work on international agreements around cybersecurity in cyber issues but those have yet to really gel into a broad set of norms that govern work in the cyber domain. there is no agreement on cybercrime or cyber espionage or cyber attack or cyber war.
7:26 am
you have politicians who sometimes understand the cyber domain and sometimes don't calling things an act of war. what does that mean at the spiegel? given that, why is it so difficult? it is a combination of things. thinking about game changing technology, stingers in afghanistan, hypersonic weapons, nuclear weapons, those all came with debate around what norms govern them and how they should be used. what is the response? we haven't really gotten there yet in the cyber domain and it is partially a combination of two things, speed of attribution is difficult in this domain and john can talk about this. there is also as a partner to that deniability. really adept at staying arm's length from cyber activity they don't want to claim and
7:27 am
claiming it when they do and that combination of things makes it very challenging for policymakers, people who study the nfc like i did to make decisions how to respond to a cyber attack, cyber operation, what does this mean and how do we react to it? the threats at the core of that. that's a quick and decisive response to activity. if you can't attribute it quickly or have set of policy options ready to go it is difficult to pull things on the shelf and respond immediately and send a message or deter future actions. i can talk about this more later but in the 2016 election interference, the senate intelligence committee, we saw this play out in excruciating detail in the obama administration and i have all the sympathy in the world, what they saw as unprecedented situation and they were under attack but could not say with
7:28 am
any certainty from who and what that meant and the delay in attribution, inability to pull something off the shelves had nearly disastrous consequences. that is something we can't afford to do four or five years later, to get that settlement move forward. we will get better and faster, they are already making tremendous strides in the attribution fees and trying to get to a place where we can act quickly. there is a solid story to be told about ukraine that is emerging. i had hoped, we need to really wrap our heads around this issue. >> two months now. the likelihood of an incident
7:29 am
against nato, allies, against the united states and this would turn into good-natured arguments but there is a question of whether or not any cyber attack against the united states would qualify as a major redline and i argued it doesn't cross a major redline. the one thing i think one of the most important things we keep in mind, talking about cyber attacks, disruptive destructive stuff, everything from industrial control systems to widespread destructive events, the word i keep throwing around, those incidents, we've seen many of them already. they didn't take a society or
7:30 am
bring it to its knees, or bring the economy to a major halt. they are survivable, and promise for a society. the reason these actors carry out this season, there's a major question of the prospects of turning out the power for three hours, going to have that effect. the psychological effects, they do it to undermine your sense of security, your sense in places like ukraine, the belief that the system is safe in
7:31 am
2016, had actors in systems where they could conceivably make edits or changes to the system or alter some things but they were not going to change the election. at the command level they don't expect to do that. what they expect to do is change our reliance on those elections and belief that the elections were secure. and the watchword is limited, and that plays two roles, and you can use it without starting world war iii, don't bring
7:32 am
society to its knees and conceivably get away with it. these actors kind of got away with it. it took years in most cases to accuse them of doing it. sandworm, or gru, we talked about earlier attacked the olympics, tried to take the opening ceremonies offline. this is an attack on the entire international community, took four years to bother to blame them for it. there's no hope for deterrence in a scenario where we don't blame the actors for four years. it affected everybody in the international community, these actors recognize they get away with this type of activity. it's a good option for them. they were looking for psychological effects, that is
7:33 am
what they want to do. in the ukraine, to undermine the elections elsewhere in the sense of security. >> talk about nato. >> these are great points, there's an obvious connection. many were not immediately convinced it was russia. i want to take the conversation to the nato alliance. here's the main take away, in terms of the need to develop cyberposture and divergence, what the postures should look like, in particular the rules of the military and let me talk 30 seconds about the cyber
7:34 am
posture, capability, strategy, and legal standing. on the capability side, what we have seen since 2018 is the majority of nato members have established military cyber command with an offensive mandate but the difference in operational capacity is enormous so you have on one side, they put the resources into operationalizing this, the majority of nato allies still have commands operating on a budget of a couple of million dollars. it is enough to be part of the cybercup but certainly not enough to operate in this domain. the second one around strategy, all the countries have established cyber strategy and updated this repeatedly.
7:35 am
also from 2018 we have seen significant differences emerging with the us developing cyber commands and engagement and strategy of defense with a focus operating seamlessly at recognize the attack that is meaningful and the military has a rule to play conducting affect operations in peace time, not something most nato allies would be willing to do and changes across the atlantic and the third one that connects to this, what we have seen the past few years is countries articulating not just international law or allies agree but how it applies. you see a significant difference in sovereignty as a rule, and on the other hand the
7:36 am
uk, sovereignty doesn't apply and such. the point here is interesting to argue the differences in the alliance come from differences in maturity. i think there are different policy pots that require the result of it for coordination to cooperation to bring closer together. >> good point. let's start with diplomacy. you mentioned norms, you mentioned lack of taxonomy. we've got work to do. where are nations succeeding and where are they falling short and what diplomatic efforts should we be focusing our attention on to make progress? >> i will pick one from each category. where we are succeeding is cooperation at the tactical level, different levels of coordination but it is happening, at the working level
7:37 am
people are sharing indicators, right now a big nato exercise happening at the same time as ukraine does, excellent timing and that is how we win. the nato alliance, sharing of knowledge, this is how we are going to win in this domain. that is where things are going as well. that level of tactical information sharing and tactical cooperation needs to be paired with a strategic discussion and that is hard. when i was on the hill doing oversight of big government, boil down every briefing to two words, it is hard and we are working on it. we are working on it. let me talk about why it is hard and why we need to work on it. the hard piece, people need to have strategic level discussions, staring at china,
7:38 am
russia, ukraine, a whole host of global issues from supply chains to food shortages, sitting down and having a strategic level broad discussion about what the norms should be in cyberspace, we should do that, 15th on my list of priorities, we need to create the urgency before the urgency is created for us and have those discussions. the other piece of that is a lot of these concepts are very fuzzy and wrapped up in domestic values and national values, we have debates all the time about free speech and what can or cannot be regulated given first amendment rights. strong views on privacy and implement it that and that bleeds into this debate. if you take up a few levels. take up a couple levels and get to a place where you agree with
7:39 am
norms and values. where like-minded democratic countries sit down at a table and say we all agree spies are going to spy, but when engaged in operations that affect human life, that affect public safety, that is a different level of threat. that is where we need to build the norms and the guidelines. >> glad you brought up the point about lack of bandwidth. we have to prioritize that and make progress because quite frankly there will always be the next ukraine or whatever. can we get some norms?
7:40 am
and find consensus, what work should we be doing to do that? >> let me pick up on a point and emily as well, on the sharing side of things. potentially annoying different angle. don't know how many people are sitting in the room but different potential to consider, critical infrastructure attacks, financial system, healthcare off-limits. the second question. it is argued rightly so that below that, one gigabyte of data. but doing this repeatedly.
7:41 am
what is not a red line, that's a hard question to answer. after a couple times in different rooms and a clear response for what is off limits and about to be done. reality is it isn't strategic but we just argued all strategic activity shouldn't be done. a strange kind of question has emerged that hasn't resolved. the second point i am sharing, the importance of sharing and in some ways we are doing this already but equally not doing enough. there are a couple different initiatives. the first is the notion around sovereign cyber attack, can share exploits. what we are exactly doing but
7:42 am
collaborate on when we want to achieve certain effects and we can conduct these exercises together. i think it is not enough. much more can be done it isn't done particularly in the cyber range. that is where there is a space that is one incredible tough, and second, we see potential opportunities, the use of one country or one actor doesn't necessarily reduce the effectiveness of another country so if i make a recommendation what allies should do in the coming years, $1 billion cyber range for the training of operators, developers and other people, crucial for
7:43 am
the workforce. >> recommendation. it is below the line with the need for more collaboration, and the dynamic of cybercriminals being leveraged, to block attribution they are talking about earlier. how do they make progress? why should we be focusing our attentions? >> i think we need to rank and stack our problems. they are going to change constantly. always changing. if you look at a lot of
7:44 am
problems, the ransomware problem. the espionage problem, it is addressable issue. it is the most addressable issue. if you look at our vulnerability to the problem, it is fairly large. critical infrastructure, healthcare, raging days of covid crossing a lot of lines. constantly pushing those lines. the election problem is a good example.
7:45 am
it is not solved. the last major election we had, we saw players getting into the mix. when the proud boys thing happened, my instinct was the russians did it. they have been waiting and waiting. it is not just the russia problem. i feel like we are running for one or the next and that is not going to work. the ransomware problem is absolutely out of control and potentially costing the most money.
7:46 am
>> i went through the same. there was time in the 2018 election and the 2020 election that there was too much to worry about. the proud boys problem was, i think, disheartening in that we saw this new player burst onto the market but in a large way it was a success story because the united states government and its allies had their eyes open for this kind of potential activity. the excellent folks at dhs had done a lot of prep work to say to people this is normal election problems and this is what is more difficult election problems. when this activity was noticed, it was located, attributed,
7:47 am
downgraded, and released shockingly quickly, 36 hours so as upset as we were to see it happen, this is a good news story and the way it was handled. back to the point about redlines, not sure we were ready to do something to respond to the iranians to create deterrence for the next time around and that is when we need to move forward. >> great reminder about our point of being strategic, the prioritization, the investment in attribution and getting things done quickly are signs coalescing around being more strategic and focusing there. how can we create actual consequences? particularly those hiding behind plausible deniability and our current tools working
7:48 am
that we said this is a success story in the iranian context to what end? do we deter their behavior or make attribution? how are all of those things actually moving us to a desired end? >> that brought up the point. the iranian thing was a success story and that we were able to broadcast to the american people in the midst of a difficult election, this is not real, not something we need to worry about, not bad actors all over the place. domestic issues in the 2020 election, it was a success and mostly confused. i would not call it a success and that there was a broader strategic policy.
7:49 am
you brought up several things, the sanction question, the indictment question. sanctions are great. there's only so much you can do with the sanctions package, the individuals targeting with sanctions don't really care. there are ways you can make life painful for a russian oligarch or a hacker working 10 levels down, to create deterrence pain there. indictment same thing. if this person wants to visit their kids at college or take their kids to disney world in the us then great but to find them and arrest them is more of a messaging tool than anything else and honestly a tool of last resort. if you look at the way doj and fbi operate they are a law enforcement officer and to
7:50 am
build evidence and prosecute a crime, not a model that works effectively. it takes too long, is too slow and as they build a case for prosecution they can't take the information and share it. that is the most important piece. this is where i will make a pitch for the public-private collaboration, the deep importance of having the us government and its entities and private-sector operations that see this on the front line on a daily basis doing all of the collaboration possible to go after this problem. >> that is what i would make. as we go through, as far as the election situation we got to a place where we are talking about capability.
7:51 am
i got into a conversation with someone from another country, a non-russian actor and whether it was a question of capability, right now in the united states. the question is whether they have it and this other country they said the capability is not really there and the problem with not being able to deter, when actors have intent you run into black swan events, they will hit again and again, incidents -- the problem is the nature of technology there will be a major black swan event. i would argue you are correct,
7:52 am
our defenses for the elections, the response was fantastic but if they keep trying they will get through. something that makes it on the news. that is what happens with an actor, there were capabilities, you had the black swan event, the pipeline, in myself, and what knocking over so many things. this sort of approach on the intent side.
7:53 am
>> around nato allies cyberculture, they think about this as well. the set of measures in place, what can be undertaken to respond means the united states is not alone in thinking of how to impose cost in a coordinated manner. with the title of this panel, when you talk about imposing cost, in that mindset, and disruptive activity, already in the second advocate after what has been done.
7:54 am
in this domain over that. >> to allow you to pull yourselves together. in russia and ukraine. a great illustration of if cyber capabilities are leveraged, what will be the impact. as grassroots cyber active. what are we looking at? who will be playing that? >> when i talk about limitations, from societal aspect it will be fine. we made it through covid-19.
7:55 am
there are a lot of businesses in my neighborhood who are out of business now. altogether we are going to be fine. my customers may take a hit and that is important to remember. the people who are on the front lines of the private sector. it is important to remember, during one of these little kerfuffles with iran, there was some news of a cyber attack against their capabilities and important to remember that iran is not going to retaliate against cyber command. they will retaliate against a random company in the united states, that will feel the burn from this and we have to keep that in mind no matter what we do. >> i would agree.
7:56 am
the question of who was a combatant would be the thorny question of the next few years. i am reading nicole's book right now which is very thorough, talk about that. the response inside google when they first saw the cyber attack from china and who would have thought that a nationstate actor, how could we possibly have been expected to respond to a nationstate actor invading our territory and that is a totally understandable perspective for somebody who's a startup and never had to think about it from a national security perspective. somebody like me who spent 20 years in the intelligence community, of course you are a target, come on but that is a product of my training and upbringing that i think this way and they don't.
7:57 am
bringing these two sides together to collaborate, to cooperate, to share information is going to be critical. i think american companies, european companies really thinking through whether they be counted as a combatant not by the united states government but our allies is a challenge. the folks in the executive branch, jen and chris have done a phenomenal job pulling together jcdc and a lot of collaboration between the private sector and the government which initial steps need to be built on. when you look at china and the way they think about what is government versus private sector that is not a distinction for them. they see government and they see those who helped the government when we ask them to. in russia there is not a
7:58 am
distinction between the oligarchy and the government. there is the government and all these tools of government that i can draw on because they know where their bread is buttered. when we look at our adversaries and say private sector, sure. of course. i think that thinking through who counts as a combatant, how they are affected by this next round of potential warfare will be really challenging and we can talk about this a little more, the question of red lines and escalation gets really boring because if google gets hit, what does that mean for escalation? >> might be a bit boring but it would be nicer, the private sector built the most significant costs in case of retaliation.
7:59 am
at one point we often hear about questions being raised, will putin conduct cyber operations against the west, should have our shields up of course but as much as putin and sometimes we overestimate the amount of control russian government has over such a wide set of criminal groups and other activist groups operating in russia and as an academic, one of the most famous theories to understand these relationships is principal agent theory where normally you would argue that the principal has the least control in case of information asymmetries. these are enormous in terms of the information criminals have and targeting and what they are capable of and who they want to target which suggests this is very high.
8:00 am
the risks that remain with these groups operating in favor of russia and not in control is significant and increases risk of that type of scenario. the critical infrastructure it attacks directly on the us but certainly more consequential collateral damage type of attacks through ransomware or self-propagating malware. >> we have that in the collaboration between public and private sector. that is really important to predict interested see how that continues to evolve i would think more than some of the other mechanisms have been deployed as of late. do we have any questions? >> personal questions aside. >> we will take our first
8:01 am
virtual question. ms. hale, please go ahead. >> we will take a virtual question from adam. >> hello, everybody. thank you very much for the panel. sorry i couldn't be there in person. i think this question is for max although the others in question my assumption. there's a debate about whether defend forward and persistent engagement as glcm is over but people basically believing it is not. i wonder if there's a different perception of that among the nato allies you spoke of and if there is within neighbor differences on that?
8:02 am
>> that's a good question. i think it's actually a discussion, on going to avoid the question. the question is more or less escalatory, the question is much more i feel a legal one picture the military be allowed to operate in peacetime, potentially do this globally? what is the relationship with intelligence? it's that question particular that is holding many particularly cut middle european countries back in developing a similar posture. so it's less of an escalation question and more of a legal bureaucratic question that is constantly raised right now. >> i work for the nuclear threat initiative. i wanted to first make a comment to your rank order list of
8:03 am
priorities. i would love to add operational technology and military systems. sometimes i think a lot of conversation about the i.t. side and maybe not about the ot. my question is to what extent do we really need to solve or pay attention not only to the attribution conundrum but also to signaling in this space relative to escalation management? with other technologies for globally there's some sort of recognition for what the movement of a bomber implies or other types of maneuvers or from the military and leadership side. is it possible to build clarity around what different cyber actions signal in fact, and we need to be working on that? >> i think the best example of cyber signaling i have seen has been our sort of read on the
8:04 am
actions of, we call them isotopes, dragonfly. the have the sister getting into their ssb related, so actually there intervals the service they have, but anyway a decade there been digging into u.s. critical infrastructure. we looked at it in two ways. one, are they sort of digging in for the moment when you need to be ready for the contingency? the other things are the digging into signal to us they are taking the digging in. that they are there and case they need to be. i think that's probably one of the best examples i think of the signaling i've seen in the space because a whole real capability are real infrastructure under threat. i'd be interested to see any other examples.
8:05 am
>> go ahead, max. >> i think you can speak more to this but it reminds me of the blog post which is not deterrence to what u.s. wants but -- [inaudible] around the presidential election where supposedly some of the u.s. retaliatory options were because of the table concerns of the fsb in particular and u.s. critical infrastructure. i know though if that's true but it's a fascinating case in terms of signaling and supposedly what if deterrence works or not. not in the way we wanted to. but you may know more about that, emily. >> i might. i'm going to put a plug in for anyone who wants to be -- read the 2016 election officials report.
8:06 am
by the time they understood somewhat the extent of what the russians were up to, they had very limited time for the election and that very limited prepared options. the other thing, it's easy now and it was easy in 2017-2018 to look back on the complete package of information that clearly they should have known then. when you're in the fog of war and when information is coming at you a piece at a time day after day, it's a lot more difficult to make sense of a very foggy picture. but again that's the reason we have the strategic now. we have to be thinking forward now. i wanted to make a point about the signaling question you asked, which i love coming from a nuclear scholar. nuclear scholars have spent decades talking about very precise signaling options and deterrence theory, and how the things work together.
8:07 am
i think folks who work in the cyber domain have a lot to learn from that scholarship. i think we need to be very careful about making comparisons low. it is just a totally different set of tools. the cyber domain is still so young that no one has figured that out yet. in nukes they're finely tuned, this signals of this and this is code for this. in cyber it's like nobody really knows what any of this means yet. [laughter] part of the big problem is a lot of the tools have dual use. if you implant a tool in someone's system, that tool could be used for espionage, it could be used for destruction. and you don't know this because to john's point about intent and capability. maybe the adversary has the capability to implant this tool on your network, what's our intent? are the russians there to spy on a potential new administration? are they there to taint confidence in election? it's really not wise to sit back
8:08 am
and wait to see which one it is. >> there were two crews in the dnc. one was gru, the other was svr. the svr guys were spies doing spies for they are abiding by the rules sort of. >> the gru on the other hand. [laughter] some men just want to watch the whole world burn. next question. >> thanks. steve, gw law school. we have heard a lot on the panel this morning and this afternoon about cooperation, public and private collaboration. i'm a little surprised when i heard earlier the question, what does the u.s. government's response to an attack on google. i would've thought that the whole role of u.s. government to defend the public including u.s.
8:09 am
companies. i am wondering, do we expect google to have its own international policy and international capability to defend itself? i would think not. i don't think we would have google take international military or cyber action. google could have a very active environmental policy been nuts international cyber policy. it has to be assumed the u.s. government was going to defend google. i am wondering, are we doing enough as a government to defend and help our leading technology champions in the united states if they are vulnerable? i guess they are vulnerable. is the u.s. doing enough? >> go steve i could go on a 20 minute terror about this i'm not going to because of the above questions.
8:10 am
the short answer to the question is no. the longer answer to the question though is what is appropriate? i think this is what you're getting out there question, sony pictures was hacked below, those many years ago, that initially was a hands-off response by the u.s. government until it became clear it was a north korean trying to silence free speech than the white house got involved. but still, was the fbi responsible for what happened at sony? there is no would have let the fbi into their system ahead of their checks they could have prevented it. should be defending after the fact finding criminal but doesn't really work here. the u.s. does not have an mi five. it's very poorly suited for the mission of trying to defend in advance of these kind of cyber
8:11 am
attack. their question about google, do we defend google? okay we defend google do we defend the cyber start up it has five employees did not pay any attention to security? are we responsible for them? i asked these questions knowing full well i don't have the answer i don't think anybody does right now. trying to find the right line between a business executing its own business practices properly, doing the simple things it needs to do, two-factor authentication, the basic stuff in the what point does the government take over as a response of a deterrent faction? you can make a comparison to crime which the fbi or local law enforcement is posted too but that's after the fact the damages done. you can make a comparison to national defense we all pay taxes so we can buy aircraft carriers and s22's breach of the government be thinking that we need cyber domain?
8:12 am
and if they are what is that imply for the googles of the world letting the feds into their system? i can see the room cringing when i say that because everybody said no that's not the job of the u.s. government, so what is the job? >> yes proactive defense is not likely to be the place the u.s. government plays. as a strong mission for voluntary support. small-company all the way to the large company build up their defenses, and implement the two factor and will play at a voluntary space pre-attack. but we have to figure out is how we would stand up as a usg before an organ trade organization depending upon the severity of the attack. sony was decided trying to attack free speech was a fundamental constitutional right, something we wanted to come after we need to do that strategic work we talked about
8:13 am
earlier to figure out what those lines are, what is a significant cyber incident the u.s. government would mobilize itself around hacking into the private sector. there is unlikely to be a moment where all of the u.s. companies open up their systems to let the u.s. government do something on the proactive defense side of things. >> meanwhile. [laughter] >> honestly, we have our own incident i can't give too many details. we had a really strong, good experience working with the government as far as dealing with it. there are clearly things that we are very good at. for instance the response thing that worked as the best responders on the face of the planet. we handpicked a team of all-stars. but we still needed the u.s. government's help. they were able to fill in a lot of gaps that made the whole
8:14 am
process easier and better. >> which is why the proactive collaboration is so important. the trust that needs to be built between the public sector and the private sector while in the event of an incident companies are pulling the government in early so they can have the information they have and declassify things all about that is why the collaboration proactively and consistently. next question. >> hi everyone, monica with microsoft. earlier in the conversation you all talked about the importance of strategic engagement also information sharing in the context of international cyber norms or norms redlined. i'm curious how you all think about countries that don't necessarily have a capacity to engage strategically and to share information. how do you think about building that capacity?
8:15 am
especially in the context of what's going on at the united nations, the oewg, and talk about the previous report essentially was endorsed by a lot of countries and reaffirmed the 11 norms that came out 2015. and i am curious how you guys think of building that capacity beyond the countries who actually have it right now, thank you. >> we have some experience working in areas that don't necessarily have a lot of customers. we still find value working there because we learn a lot. that is one way to sort of get the private sector involved in these sort of problems. some of the areas on the front lines cannot necessarily afford the billion -- a million dollar security solutions, right?
8:16 am
but they can offer great information a lot of threats have been in places it's historically been in places in india, taiwan, and ukraine, and the middle east. not every occasion was a customer relationship or to have to go in there and develop partners. these partners oftentimes pay back in the form of information that you used to secure your other customers. there is value there. it's just not necessarily the normal sales process. >> you'll see companies investing to raise the collective level of cybersecurity so that we all benefit from it. on the usg side that's an important question and something we need to be focused on. the strategic investments in
8:17 am
collaboration, the support we provide now will have a direct impact on the norms discussion, the multilateral of how we engage in the future. it was a strategic imperative a part of the strategic conversation that needs to keep happening to be focused on how we engage with smaller nations and nations developing capability. >> just to come in with one quick comment. i think it is a great question, monica. what we really see is a capacity gap in terms of the countries that are actually able to attribute and not able to attribute. we have to get to the level of those countries are unable to attribute and as a result of that are very hesitant to file the public attribution segment of maybe the allies or other countries. get them to get the capacities to verify claims.
8:18 am
that is a starting one. of course that comes with a number of issues. one of which being attribution is not the only process that companies where you collect a different puzzle pieces on where it was set up for those kind of things to come to a conclusion is also more proactive process sometimes. particular you literally actors being in systems and seeing the attack going out for the second fish of a high level about tradition confidence but it's even harder to share with a wide number of other countries. but on the first one, yes. getting a microsoft, other companies involved in training programs to at least ramp up the capacity to verify would be a good first step.
8:19 am
>> another virtual question. >> will take our next question. >> hi. i have a question about companies that continue to operate in russia. there've been a number of articles there's a lot of attention paid to who is leaving, who is staying, et cetera, how they are winding down. as well as another of other companies is still in russia. we provide internet security one of those things of us staying there has allowed us to do or has allowed russians to do is get information from outside of russia. there's also been a push to close russia down from the internet in some ways. i would love to hear how you all think about that. >> well, i tend to be in favor
8:20 am
of keeping russia widely connected and throwing every pipeline you can in there. this is a difficult question for so many companies, to leave or not to leave. if you leave what does it really mean for the long term? i have been, from the beginning of this whole thing talking about how it is not going to be a short fight i don't see how it's going to be a short fight. if as a company you can't to be out of russia for more than six months or a year, then think very hard about pulling out now because what happens in a year when you have to go back in or your business model cannot survive. what message are you sending then? i think there are lots of ways to support the ukrainian people. i think every company has to make their own decision here. i have been heartily encouraged seeing the outpouring of support from the private sector. i think it's sent a very strong as us to think their
8:21 am
repercussions on the russian economy are going to reverberate for years and be very difficult to undo. so think every company really has to make their own decision. and then do what you've got to do to explain that to your customers, your shareholders. the basic fundamental goal is to support the ukrainian people and then continue to speak truth inside russia i think that is a noble goal. >> without getting into sort of the information flow, one of the really interesting things that happened really early with the citizen sanctions is to watch a lot of organizations, a lot of customers take very clear, public stances on the war including divesting themselves from russia. at one point really okay, when you figure who these people are because they were essentially putting themselves at a higher
8:22 am
risk profile. the bad news is okay you might consider you've raised your threat profile. the good news is so many people have done it now that i don't think it matters almost. >> safety in numbers but. >> there is safety in numbers. if it had been one organization, really early on i think we saw some international gaming or sporting organizations for instance, there is a history of sports organizations, putin loves sports it's like a thing for him we are really kind of worried about them. now everybody has done it. i am sort of encouraged by the fact there is safety in numbers. >> yes. nothing i will add is i know many of the companies are concerned as they evaluate this they're weighing about as part of this decision.
8:23 am
definitely not a decision without complication for the probably weighing a number of factors. >> and then the insider risk for us has increased so enormously for the company saying it's a major concern. >> i think that is it. well, thank you all for joining us for this discussion. questions from the audience were rich, the comments from the panel were rich and so i think we all have left with a mandate to be more strategic and collaborative with the government. so be thinking long-term so we can get ahead of these issues. thank you all for the time. a big thank you to the panelists and for csi for having us. [applause]
8:24 am
[inaudible conversations] >> this morning as speaker nancy pelosi holds her weekly press conference. watch live at 10:45 a.m. eastern on c-span, online c-span.org or full coverage on c-span now, our free video app. >> on saturday "the daily show" host trevor noah headlines the first white house correspondents' association dinner since 2019. president biden is also expected to attend making this the first time since 2016 that a sitting president has made an appearance. our television coverage begins at 8 p.m. eastern on c-span, peer wheeler have sites and signs of mints in the ballroom and highlights from past dinners ahead of the speaking program.
8:25 am
coverage on c-span.org and the c-span now video app begins live at 6 p.m. eastern. you can watch celebrities, journalists and other guests walk the red carpet as they arrive for the dinner. the white house correspondents' association dinner live saturday on c-span, c-span radio app, c-span.org and on the c-span now video app. >> c-span brings you an unfiltered view of government. our newsletter word for word recaps the day for you from the halls of congress to daily press briefings to remarks from the president. scan the qr code at the right bottom to sign up for this email and stay up-to-date on everything happening in washington each day. subscribe today using the qr code or visit c-span.org/connect to subscribe anytime. >> next the joint news conference with different
