tv   Discussion on Cybersecurity  CSPAN  April 29, 2022 2:49pm-3:53pm EDT

2:49 pm
>> next, cyber security interest in digital landscape.
2:50 pm
>> all right, good afternoon everyone. thanks for joining us. i have the pleasure of presiding over this conversation about diplomacy and we are going to get started having our panelists introduce themselves. i am global head of google where i sit at the intersection of our security team and i have worked in the private sector and the security over the years. >> i am the deputy director of the international security program, a very long title that means i get to oversee the work of $50 in intelligence, and tax
2:51 pm
policy. i spent almost two decades in the senate and senate intelligence committee and intelligence community. >> i'm from intelligence analysis shop. we look at threats from all over the world, our response and he collects the data and we bring it back to one centralized hub we are developing around the world. and with various versions about 12 years, i was with eia for that and diplomatic security at state and russian threats. >> i'm a senior researcher at eta security studies direct european cyber conflict research.
2:52 pm
>> we have a great handle on and have each of you give a two minute overview on diplomacy and use it as a foundation. >> it is such a broad and interesting topic. you need to take it back to basics when you think about operations and cyber domain. there is no common lexicon, there are no norms and understanding here. my colleague jim lewis does tremendous work in international agreements on cyber security and cyber issues. those have yet to gel into a broad set of norms that govern work in the cyber domain. there is no agreement on what is cyber crime, what is cyber espionage, cyber attack, cyber war? the politicians who sometimes understand and sometimes don't
2:53 pm
calling things willy-nilly, an act of war. what does that really mean? given that, why is it so hard, difficult? it is a combination of things thinking about something as a game changing technology. also came with a debate around what norms govern them and what is over response. we haven't really gotten there in the cyber domain and it's a combination of two things. he's done tremendous work in this field. there's also apartment to that, actors have proven themselves staying arms things removed. they do not want to claim and claiming it when they do. those combinations of things
2:54 pm
make it very challenging for policymakers. to respond to a cyber attack to a cyber operation, what does this mean and how do we react to it? it also means it prevents the threat that is at the core of deterrence and that is a quick and decisive response to an activity. if you can't attribute it quickly and you don't have policy options ready to go, it is very difficult to pull something off the shelf, respond immediately and thus send a message or deter future actions. i can talk about this a lot more later. the 2000-point senate intelligence committee resolve this splat and excuse you in detail the obama administration. of all the sympathy of the world for the mini ring but this also total unprecedented situation. they were under attack but they could not say with 100% certainty from who and what that meant.
2:55 pm
that delay to pull something off the shelf and innately deployed a nearly disastrous consequences. we cannot do four years, five years, six years later it's time to get that settled and move it forward. i think we will get better. we will get faster. people like john who are doing this work are making tremendous strides in that attribution piece to get to a place we can act quickly. there's a solid story to be told right now about ukraine that is just sort of emerging. i have hope for the future. it's just that right now i think we still need to really wrap our heads around this as an issue. >> thank you, john. >> i have been asked i think the last four months now. [laughter] since christmas or the beginning of the year what is the likelihood of an incident against nato allies against the united states.
2:56 pm
these usually turn into good-natured arguments. it's a question of whether or not a cyber attack against the united states would be crossing a major redline but i have argued that doesn't a major red line. the one thing for the most important things we have to sort of keep in mind as we talk about cyber attacks. we are talking about disruptive destructive stuff. everything from hitting an industrial control system to a widespread destructive event. the word i keep throwing around is limited. those incidents we've seen that they are largely limited. they did not take a society and bring it to its knees they did not bring the economy to a major
2:57 pm
halt. they are survivable. we will get -- and probably for a society that's already experienced covid-19 a lot of the effects may not necessarily register. the reason these actors carry out these incidents is not to bring society to their knees. there isn't a major question of the prospects of turning off the power for three hours at a time is going to have that effect. they do it for the psychological effects. they do it to undermine institutions. they do it to undermine your sense of security, your sense of places like ukraine their belief the system is safe. in the united states in 2016 they did it to undermine our elections. we had actors in systems where they could conceivably make some
2:58 pm
edits or changes to the system or maybe alter some things. but really they were going to change the election. they had no -- but they don't expect to do that. what they expect to do is change our reliance for secure brits undermining our institutions. i think the real important watchword is limited, right? it is good news somewhat, but it also means this is a great tool. you could conceivably use it without starting world war iii. don't bring society to its knees and conceivably get away with
2:59 pm
it. and historically the attacks we have seen these actors kind of got away with it. six years in most cases for us to even accuse them of doing the elements i talk about the olympics all the time, the gru who we were talking about earlier attacked the olympics for the track to take the opening ceremonies off-line. this is an attack on the entire international community. took us four years to even bother to blame them for it. there is no hope for deterrence in a scenario where we don't even blame the actors for four years. that is an incident that affected literally everybody in the international community. i think these actors recognize they can get away with this type of activity that makes it a good option for them. they were looking for the psychological effects, that is what they really want they want to undermine a resolve
3:00 pm
particularly in ukraine redoing to undermine our elections elsewhere for they want to undermine our sense of security. >> max you want to talk about nato? >> there's already great points mentioned about the olympics and realized as an obvious connection here. many are not convinced it was russia you will know a lot more about that. i wanted to take a conversation about the nato alliance here's the main take away. what we've seen is a convergence on alliance in terms of the need to develop a cyber posture we have a divergence in what this should look like. in particular offensive cyber and the role of the military let me talk 30 seconds about these kind of key components is what we see is a cyber posture. capability, strategy and a legal
3:01 pm
understanding grade capability side, what we have seen since 2018 is now the majority of nato members have established a military cyber command with some offensive mandate. an operational capacity is enormous. on several others operationalizing this the majority of nato allies still have commands operating on a budget of a couple of million dollars. it is enough to be officially part of the cyber club but certainly not enough for a second one of course all the countries have established a cyber strategy. we've seen some significant difference emerging
3:02 pm
with the u.s. developing the cyber commands of engagement. with the focus of operating globally continues. they could be strategically meaningful they have a role to play and at peace time. that is not something most nato allies are willing to do so and changes the perspective. the third one which connects to this is what we have countries not just saying international law applies how it applies on the one hand sovereignty as a rule with france and on the other hand the uk sovereignty does not apply. the last point here is it is
3:03 pm
dangerous to argue the differences between the alliance come from simply differences in maturity. there actually of a different policy part. that requires some real coordination and cooperation to at least bring us closer most start with. >> you mentioned norms, you mentioned the lack of taxonomy, we've got a lot of work to do. where are our nations currently succeeding, where are they falling short? where should we be focusing our attention to make progress in this space? >> i'll pick one from each category. where we really are succeeding is the cooperation at the tactical level. the kind of things that max mentioned different levels of coordination but it is happening. at the working level people are sharing indicators, people are exercising together.
3:04 pm
right now the big nato exercise the nato alliance the hunt for this is how we are going to win in this domain. i think that is where things are going well. that level of tactical cooperation really needs to be paired with a strategic discussion. and that is hard for lots of reasons. when i was on the hill we were doing oversight of these government people who'd come in all the time and brief us reading a boiled on every single briefing to to work it's hard and we are working on it. so that's true with this too. it's hard and we are working on it. let me talk a little bit more about why it's hard and why we still need to work on it. the hard piece, the people who need to have a strategic level discussion are swamped. they are staring at china they are staring at russia and ukraine. a whole host of global issues
3:05 pm
from supply chain to food shortages. sitting down and having a strategic level broad discussion about what the norm should be in cyberspace is like yes, we should do that. that is about 15th on my list of priorities. we need to create the urgency before the urgency is created for us and have those discussions. the other piece of that is i think a lot of these are very fuzzy they are wrapped up in domestic values and national values. here in the u.s. we have debates all the time about free speech what can and cannot be regulated in cyberspace given our first amendment rights. our european friends have very strong views on privacy and have implemented that in a whole host of different ways that will eat into this debate as well. it is difficult. but if you can take it up a few levels, my friend sue gordon said if you disagree down here take it up a couple levels get to a place where you agree. that place where we agree is the norms and values.
3:06 pm
this is the place where nato allies, like-minded democratic countries can sit down at the table and say we all agree that spies are going to spy it's the thing that's going to happen. but when you're engaged in operations that affect human life, that affect public safety, that is a different level of threat. that is where we need to be building the norms and the guidelines. >> i am so, so glad you brought the points about being strategic and the lack of bandwidth there. we have to prioritize that if we want to make progress because quite frankly there will always be the next ukraine the next ransomware attack the next whatever. if we are not making progress on the more strategic initiatives we will never come to that consensus. so can we get some norms? can we find consensus in nato? what work should we be doing in nato to do that? >> max fix this.
3:07 pm
[laughter] maybe pick up on the point on the norms and also on the sharing side of things. just to get a potentially annoying different angle. guess we should think about that. i don't know how many people are currently sitting in the room but if everyone in the room can come up with a couple of different potential clients to consider new critical infrastructure attacks, financial systems should not be attacked, healthcare off-limits all of those things. but there is a second question there now particularly the u.s. considering its change in depth perception it's argued rightly so i think one gigabyte of data being sold by the chinese is not a big deal but doing it repeatedly is a big deal. the second question is what is not a redline?
3:08 pm
it's a really hard question to answer. i've answered a couple times in different rooms and rarely get a clear response to what is off limits it verily that isn't strategically argued all strategic activity should not be done. it's a strange kind of norms question that has emerged. the second point is i am sharing the importance of sharing in some ways we are doing this already but equally i think we're not doing it enough. we've got a couple of different initiatives, the first one was obviously the notion sovereign cyber effects. they cannot share exploits when we want to achieve an effect and secondly we can conduct these
3:09 pm
exercises much more can be done cyber ranges and infrastructure. that is where there is a space which is one incredibly costly for many countries to establish and to do it well. and second, where you see potential opportunities for collaboration where the use of one country or one actor, or one training program does not necessarily reduce the effectiveness of another country to use as well. and so the photo make a pollutant recommendation like what should allies do in the coming years, this would have i think even a billion-dollar cyber range for the training of their operator development system who are crucial for the workforce military. and potentially intelligence
3:10 pm
agency. >> great recommendation. john, with this intentionally below the line with the need for more collaboration and creating cyber norms and the dynamic of cyber criminals as a shield to continue to blast the attribution we were talking about earlier, how can we make progress where should we be focusing our attention in terms of deterrence? >> what a good question. we almost need to rank and stack our problems, right? they're going to change constantly. it will always be changing. you look at a lot of different problems in the space and i don't think we have really prioritized. a good example is the ransomware problem there is the elections problem, there is the
3:11 pm
espionage problem. i personally think the espionage problem is probably spies are going to spy by the least effort issue. the most addressable issue if you look at the vulnerability problem it's fairly large. they're now getting a lot of critical infrastructure with healthcare with the raging days of covid they are crossing a lot of lines. at the very least we want to push them back we're not necessarily pushing those lines. the election problem is another good example. it is not solved. in fact the unfortunate reality is the last election we saw new
3:12 pm
players when the proud boys thing happened the russians that i couldn't say that i did not have any evidence whatsoever here they are a we have been waiting, and waiting this is it this is the play. i thought even just that the problem is growing. i think we need to have a conversation about what problems we want to stop and start ranking them and going after them. also, i feel like we are running from one fire to the next and that is not going to work. i do think the ransomware problem is largely addressable. it is absolutely out of control. potentially costing us the most money. >> with the problems i went through that same thing.
3:13 pm
there is a time around that 2018 election the 2020 election i just did not sleep there is too much to worry about. the proud boys/iranian problem was i think disheartening and we saw this new player burst onto the market in grand fashion. but in a large way it was a success story. the united states government and its allies, that's really key point, had their eyes open for this kind of potential activity. the excellent folks at dhs had done a lot of prep work, so much prep work to say to people this is somewhat normal election problems and this is what more difficult election problems. then, once activity was noted it was located, attributed, downgraded and released, shockingly quickly. it was like 36 hours.
3:14 pm
this is actually as upset as we all were to see it happen this was a good news story in the way it was handled. now to max's point about redline, i am not sure we were ready to do something to respond to the iranians and create deterrence for the next time around and that is where we need to do more work. >> that is a great reminder better point about being strategic. in that prioritization talked about the investment and attribution, getting things there really quickly are signs of that coalescing around being more strategic and focusing there. how can we create actual consequences? especially those hiding behind criminal groups and plausible deniability. are our current tools working? you said this was a success story
3:15 pm
in the iranian context, to what end? did we deter the behavior or were we just able to make attribution? how are all of those things actually moving us open at the nav of your. >> i can start out with that because i brought up the point. the iranian thing was a success story in that we were able to broadcast very quickly to the american people who were in the midst of a very difficult election this is not a thing, this is not real this is not something you need to worry about they are not these bad actors all over the place we can leave aside the question of domestic issues in the 2020 election. on the specific issue was a success mostly diffuse i would not call it a success as a broader strategic policy. you brought up several things the sanction question, the
3:16 pm
indictment question, sanctions are great until they are not. there's only so much you can do. don't really care, there are ways you can make life painful for a russian oligarch, for a hacker who is working ten levels down from a russian oligarch more difficult to create deterrence pain there. indictments, same thing. they want to visit their kids in college or take them to disney world or the u.s., great. trying to find them and arrest them is much more of a messaging tool than anything else. i think honestly a tool of last resort. if you look at the way the d.o.j. and fbi operate, they are law enforcement officers. what they want to do is to build evidence, prosecute a crime that's just not the model that
3:17 pm
works effectively for these actors. it takes too long, it is too slow while they're building a case for prosecution they cannot take the information shared. that honestly is the most important piece. this is where i'm going to make a pitch for the private/public collaboration on the deep, deep importance of her in the u.s. government, its entities and private sector operations that see this on the front lines, on a daily basis doing all of the collaboration possible to try to go after this problem set. my soapbox. works wouldn't you hit on all the points i wanted to make. as we go through, as far as the election situation went, i think we have gotten to a place where we talk about capability and intent. i had a conversation with someone from
3:18 pm
another country dealing with another actor a non-russian actor there's a question of capability and intent. right now we think russia's got capability the question is whether or not they have intent. this other country they said this actor's got intent but the capability's not really there. the problem with sort of not being able to deter when actors have intent going to run into the black swan event. they will hit again, again, and again in these incidents won't even read words in the news. the problem is with the nature of technology, eventually there will be a major black swan event. they will get through. so the defense i would argue were actually correct our defense, our response was
3:19 pm
fantastic but if they keep trying eventually they are going to get through. they are going to have something that makes it on the news, causes a division in the u.s. electorate. there's all kinds of potential outcomes here. that's what happens with an actor who's almost there on capability definitely there on intent we have that black swan event. another good example is the pipeline. we have been warning myself and my colleagues have been warning this is coming, this is coming, they are knocking over so many things. someone is going to get hurt something important is going to go down it's a matter of time. i think if we can't figure out how to approach the intent side we're just talking about a matter of time before there is a black swan event. anything on this one? >> i mentioned about the convergence about they don't
3:20 pm
cyberculture the good thing on imposing consequences is what we have seen is a real development in the eu waking up they have to think about this as well. now with at least an agreed set of measures in place what can be undertaken to respond means the u.s. is not there alone anymore and thinking we can potentially do this more effectively in a coordinated manner. the second point is and it also comes with the nature and title of the panel is when we talk about would quickly get into the deterrence unless it is a demonstrative pack we take the initiative away from them how can we make sure we disrupt the activity? we are already kind of in the after that's being done what can we do? clearly the second question here is as relevant as well we have seen great strides over the past two or three years.
3:21 pm
excel open for questions and just and i'm to ask one more as a player questions together. we talked a lot about russia/ukraine there is a lot of talks about attacks on the margin per it's a great illustration of if cyber capabilities continue to be leveraged, what will be the impact? who will bear the brunt of the back and forth, to four taps, rest routes cyber active, we are how they play a role. what are we looking at? who is going to bear the brunt? when i talk about limitations i have to be really clear. i think from a societal aspect we are going to be fine. we made it through covid-19, right? there are a lot of business in my neighborhood who were out of business now.
3:22 pm
altogether we are going to be fine, my customers may take a real hit that's important to remember. the people who are really on the front lines are the private sector. it is important to remember when we start employing these capabilities too, i saw one of these kerfuffles we get into with tehran every now and then, i think there was some news of a cyber attack against their capabilities. it's important to remember iran is not going to retaliate against cyber command, they're going to retaliate against some random company in the united states. that is going to feel the burn from the stuff. we have to keep that in mind no matter what we do. >> i would agree. the question of who is a combatant, is going to be the thorny question of the next few
3:23 pm
years. i am reading nicole's book right now which is really good, very thorough, i have loved it. but one of the things she outlines is the response inside google when they first saw the cyber attack coming from china, some of the quotes are priceless, who would've thought a nation-state actor would be interested in google? how could we possibly be expected to respond to a nation-state actor invading our territory? that's a totally understandable perspective for somebody who was a start-up and grew into this massive company and never had to think about it from a national security perspective. somebody like me who spent 20 years basically in the intelligence community, i'm like, of course you are a target, come on. but that's a product of my training and my upbringing i tend to think this way and they don't. so bringing these two sides
3:24 pm
together, to collaborate, to cooperate to try to share information is going to be absolutely critical. and i think american companies, european companies really thinking through whether they're going to be counted as a combatant not by the u.s. government but our adversaries is the real challenge. the folks in the executive branch right now, jen, chris, and have done a phenomenal job point to of the d.c. a lot of the collaborations between the private sector and the government. the initial steps that really need to be built on. when you look at china and the way they think about what is government versus what is private sector, that is not a distinction for them. they see government and they see those who help the government will be ask them too. in russia there is really also not a distinction between the oligarchy and the government.
3:25 pm
there is the government and then there are all these tools of government that i can draw on whenever i want to because they know where their bread is buttered. both are adversaries and say that's the private sector and say oh yeah sure right of course. [laughter] thinking through who counts as a combatant, how they are going to be affected by this next round of potential warfare is going to be really challenging. we can talk about this during the q&a a little, but the question of redlines and escalations i think it gets really thorny. because if google gets hit what does that mean? >> i'm going to be a bit boring i'm going to agree with the private sector in will be a significant cost in case of some type of retaliation. one thing here, we often hear about the question being raised,
3:26 pm
will putin potentially conduct cyber operations against the u.s.? it's not just putin and i think we sometimes overestimate the amount of control the russian government has over wide swaths of criminal groups and other activist groups operating in russia. as an academic, to understand these relationships, the principal has control over the agency and symmetries these are enormous in terms of these criminals, targeting and what they are capable of. this seems to suggest it is very high risk of the groups operating in favor of russia but not
3:27 pm
completely controlled, it increases the risk of type of scenario. the attacks are directly on the u.s. is certainly more consequential, collateral damage through ransomware or self propagating malware. >> in that collaboration with the public and private sector and that is important. in these other mechanisms that have been as of late. do we have any questions? >> we will take our first virtual question.
3:28 pm
go ahead. we will take a virtual question >> hello, everybody, thank you for doing the panel. sorry i couldn't be there in person. i think this question is watch max although the others can question my assumptions. it seems in the u.s. that debate about whether defend forward and persistent engagement is over, people basically believing it is not. i wonder if there's a different perception among nato allies you spoke of and within nato differences in not. >> that is a good question.
3:29 pm
i think it is the discussion, i think the discussion is less about escalatory but the question is more a legal one, shouldn't the military be allowed to operate in peace time, potentially do this globally, with the relationship with intelligence? it's that question in particular holding european countries back from developing a similar posture so it's less of an escalation question and more of a legal bureaucratic question raised right now. >> thank you. i worked for the nuclear initiative. i wanted to make a comment to your rank ordered list of priorities, i'd love to add operational technology and
3:30 pm
military systems and sometimes i think a lot of conversation on that site. to what extent do we need to solve or pay attention not only to the attribution conundrum but signaling in this space relative to escalation management. ... will the movement of a bomber implies or other types of maneuvers or the >> i think the best example of cyber signaling i've seen has been our read on the actions of an activist called
3:31 pm
berserk bear, dragonfly. they have this history of getting into us fsb related so that's sort of their internal security service. but anyway for a decade they've been digging into us surplus infrastructure and we look at it in two ways. one, are they digging in for that moment when they need to be ready for contingencies? the other thing is are they digging in to signal us they're digging in? that they are there and in case they need to be and i think that's probably one of the best examples of signaling i've seen in the space because it's pulling real infrastructure under threat. >> go ahead. >> it just reminds me of a
3:32 pm
blog post by jade healy with some great quotes from jim rhodes around the presidential election which spun off us retaliatory options were taken off the table because of concerns of the fsb in particular and us critical infrastructure. i don't know if that's true but it's a fascinating case in terms of signaling and supposedly whether deterrence works or not. there might be one case that we can mold in the case we wanted to but you need to know more about that emily. >> i'm going to put in a point here for what he wants to read the intelligence reports. this is one of the problems with the administration response in 2015. by the time they understood
3:33 pm
somewhat the extent of what the russians were up to they had very limited time for the election and had very limited prepared options. it's easy now and it was easy in 2017 to look back on the complete package of information and say clearly they should have known this. you're in a war and information is coming at you a piece at a time day after day it's a lot more difficult to make sense of a very funny picture but again that's the reason we have to be strategic now. we have to be thinking forward now. i want to make a point about the signaling question you asked which i love coming from a nuclear scholar. nuclear scholars have spent decades talking about fairly precise signaling options and deterrence theory and how these things work together and i think folks working in the cyber domain have to learn from that scholarship.
3:34 pm
we need to be very careful about making comparisons though because it's just a totally different set of tools and the cyber domain is still so young that no one has figured that out yet. and in nukes they're so finely tuned. this signals this and this is code for this but in cyber nobody really knows what anything means yet. part of the problem is that a lot of the tools are used. if you plan to open someone's system that tool could be used for espionage it could be used for an obstruction and you don't know. this gets to john's point about intent and capability. maybe the adversary has the capability to implement this network, what's their intent? are the russians there to spy on a new administration or are they there to take confidence in an election. it's really not wise to sit back and wait to see which one it is. >> there are two reasons in
3:35 pm
the dnc. one was gru and the other was svr and the svr's spies will be spies. they're abiding by the rules sort of. >> the gru on the other hand. some men just want to watch the whole world burn. >> thanks. steve with gw law school. we've heard a lot on the panel this morning and this afternoon about public and private operations. i was a little surprised when i heard earlier questions what is the us government response to an attack on google? i would have thought that's the whole role, to defend the public including the u.s. constitution. i'm wondering to in effect you expect google to have its own international policy and international capability and
3:36 pm
themselves? i would think not. i don't think we're trying to have google take international military or cyber action. we might be comfortable with google having a very accurate environmental policy. not a cyber policy as authentic so it has to be assumed us government is going to defend google. so i'm wondering what are we are we doing enough for the government to defend itself, our leading technology champions in the united states. and if they're vulnerable and i guess they are vulnerable what is the us government doing enough. >> i could go on like a 20 minute tear about this. not going to because other people have questions. i think the short answer to the question are we doing enough, number the longer
3:37 pm
answer to the question though is what's appropriate and i think this is what you're getting at with the question. when sony was hacked low those many years ago that initially was a hands-off response by the us government until it became clear it was the north koreans trying to silence free speech and then the white house got involved. but still was the fbi responsible for what happened that at sony? there was no way sony would have let the fbi into their system ahead of the attack that the fbi could have presented it. it's not the fbi's job. that said there's ones supposed to be defending after the fact finding criminals and prosecuting them. it doesn't really work here the domestic doesn't have a domestic by agency, we don't have an michigan five. the fbi is poorly suited to the mission of trying to defend at this kind cyber attack. there are questions about google.
3:38 pm
let's say we defend google. are we defending the cyber startup that has five employees and didn't pay any attention to security. how will the world we defending them? i asked these questions knowing full well i don't have the answer. i don't think anybody does. trying to find the right line between a business, executing its own business practices properly, doing the simple things it needs to do. patching, two factor authentication. the basic cyber hygiene stuff everybody needs to do and at what point the government takes over as a response and a different fashion. you can make a comparison of the crime which the fbi and local law enforcement is supposed to do. you can make a comparison to national defense. we all pay taxes so we can buy aircraft carriers and f-22's. the government be thinking that way in the cyber domain and if they are what does that imply for the googles of the world letting the feds into their system?
3:39 pm
i can see the room cringing when i say that because everybody says that's just a job for the us government so what is the job. >> collective defense is not likely to be the place where the us government is at play and they had a strong mission for voluntary support. the small companies build up their defenses and implement the two factor authentication policy. that would continue to play in a voluntary way. three effect. but we have to figure out is how we would stand up as a ust to support an organization depending on the severity of the attack so sony we decided that trying to contact free speech was of fundamental human right. it's something we wanted to become active and is that strategic work we talked about to figure out what those lines are and what is a
3:40 pm
significant cyber incident the us would mobilize itself around two hacked into private sectors. they're unlikely to be at the moment but there all of the us companies open up their systems to let the us government do something on the proactive side of things. >> meanwhile there's financing. >> honestly we've had our incidences and i can't get you any details but we had a strong good experience working with the government as far as dealing with it. there were clearly things that were we're very good at. the incident response movement is literally the best incident responders on the face of the planet. we hand-picked a team of all-stars. but we still need us governments help and they were able to fill in a lot of gaps that made us, made the whole process easier.
3:41 pm
>> which is why that proactive collaboration is so important. >> it's what will get us further so that the companies are calling the government in early with the information they have and vice versa. that's why that collaboration proactively and consistently. >> earlier in the conversation you all talked about the importance of strategic engagement also information sharing and that international cyber norms so i'm curious how you all think about countries that don't necessarily have the capacity to engage repeatedly and to share information. how do you think about building the capacity in the context of what's going on in the united nations as part of the open-ended working group
3:42 pm
and the fact that the previous report essentially was endorsed by a lot of countries and reaffirms the 11 norms of the 2050 unge group so i'm curious how you think about building back capacity beyond countries that actually have now. >> we have experience working in areas that don't necessarily have a lot of customers but we still find value working there cause we learn a lot. i think that's one way to get the private sector involved in these problems. the areas that are on the frontlines you can't necessarily afford the million dollar security solutions. offers a lot of information
3:43 pm
on bleeding edge threats. historically india and iran and ukraine and the middle east and not every occasion was it a successful relationship. you have to go in there and develop partners and those partners often times you back in the form of information you use to secure your other customers though there is value there. it's not necessarily the normal sales process. >> you'll see companies invest in collective level on cyber security to benefit from it. on the ust side i think that's an important question. we need to be focused on. the strategic investment and collaboration, the support we provide now will cascade and have a direct impact on the
3:44 pm
multilateral body and dictate how we engage our cyber infrastructure so it is a strategic imperative that needs to keep happening. we focus on how to engage with nations that are developing capabilities so it's important. >> just to come in with one quick comment. i think it's a great question monica. what we see is indeed a capacity gap in terms of the countries that are actually able to execute and not able to execute. and where at least we have to get to the level of activating and as an example of that are very hesitant to follow the public attribution statement of our allies and other countries. get them to at least the capacity to verify our claims. and that's the starting one. of course that comes with a
3:45 pm
number of issues. one of which being that attribution is not only the sherlock holmes type of process that particularly companies like enemies are enforcing. you collect different puzzle pieces on where the c-2 is set up for all those other things to come to conclusion it's also a more proactive process sometimes particularly mature actors being in these aerial systems and see the attack going out the second case you have a high level of attribution but it's even harder to share with a wide number of other countries. but on the first one yes. i think getting microsoft and other companies involved in training programs to please ramp up the capacity to verify would be a good first step. >> another virtual question. >> we will take our next question from david spade. >>.
3:46 pm
>> i have a question about companies that continue to operate in russia. there have been a number of articles. there's a lot of attention paid to his leaving, whose staying etc. how their winding down. there's services. count cloud flare as well as a number of other companies is still in russia. we provide internet security. we provide vpn services and one of the things that are staying there has a lot to do is to get information from outside of russia. but there's also been this push to close russia down from the internet in some ways and i just love to hear how you all think about that. >> i tend to be in favor of keeping russia widely connected to the internet. throwing every pipeline of information you can in there. this is a difficult question for so many
3:47 pm
companies to leave or not to leave and if you leave what does that mean in the long term. i've been from the beginning of this whole thing talking about how it's not going to be a short fight. i don't see how it's going to be a short fight and if as a company you can't be out of russia for more than six months or a year, then it would be think very hard about pulling out now because what happens in a year when you have to go back in. or else your business model can't survive. what message are you sending them. i think there are lots of ways to support the ukrainian people. and i think every company has to make their own decision here. i for one have been thoroughly encouraged by seeing the outpouring of support from ukraine that has come from the private sector. citizen sanctions have done in as good or more good than what the governments have done. i think the repercussions on the russian economy will reverberate for years and be
3:48 pm
very difficult to undo. every company has to make their own decision and then do what you got to do to explain that to your customers, your shareholders but if it's the basic fundamental goal is to support the ukrainian people and then continue to speak truth inside russia i think that's a noble goal. >> i was getting into some of the information as well. i think one of the real interesting things that happened early is that with regards to the citizen sanctions as we watched a lot of organizations, a lot of customers take it very clear public stances on the war including divesting themselves from russia and at one point we were like okay, we need to figure out who these people are and because there's essentially putting themselves at a high risk profile. they got some possible effects. the bad news is okay, you
3:49 pm
sort of you might consider you've raised your threat profile. the good news is so many people have done it now that i don't think it matters almost. it's become safety in numbers. i don't know if you can really, if it had been one organization really early on i think we saw some of the international gaming for supporting organizations for instance. there's a history of those sports organizations. putin loves sports, that's a thing for him. now everybody stunning. so i'm actually sort of encouraged by the fact that there is a safety in numbers problem. >> the only thing i'll add is how many of the companies act real visible security concerns as they evaluate this. so there way that as part of that strategic decision. so definitely it's not a
3:50 pm
decision without complication so they're probably weighing a number of factors. >> and then the insider risk has just increased so enormously for the countries. it's a major concern. >> next question. i think that's it. well, thank you all for joining us for this discussion. the question from the audience for thomas, from the panel and i think we all have left with a mandate to be more strategic and collaborate with the government. and so to be thinking long term so that we can get ahead of some of these issues. thank you for the time. big thank you to the panelists and the cfr for having us. [applause] >>. [inaudible]
3:51 pm
>> on saturday the daily show host trevor noah headlines the first white house correspondents association dinner since 2019. president biden is also expected to attend making this the first time since 2016 a sitting president has made an appearance. our television coverage begins at 8 pm eastern on c-span. sights and sounds from inside the ballroom and highlights from past dinners ahead of the speaking program. the coverage on the video begins live at 6 pm eastern. where you can watch celebrities, journalists and other guests walk the red carpet as they arrived for the dinner. the white house correspondents association dinner live today on c-span.
3:52 pm
>> american history tv saturdays on c-span2. exploring the people and events that tell the american story. at 1 pm eastern a discussion on the advanced placement us history exam with jason stacy, a brief history with skills and sources for the ap us history course. he'll explain how this year's exam instructor provide strategies for answering questions and analyze historical documents and that 2 pm eastern scholars and political experts at the bipartisan policy center look to see how the presidency changed in the first two decades of the 20th century under president bush, obama, trump and biden including a look at the presidency of bill clinton. exploring the american story. watch american history tv
3:53 pm
saturday on c-span2 and find a full schedule on your program guide or watch online anytime c-span.org/history. >> white house national cyber director chris inglis was part of a conversation about us cyber security and foreign policy goals. he sat down with david sanger from the new york times. >> please stand. thank you. >> i'm the
