Key Capitol Hill Hearings  CSPAN  August 4, 2015 2:00am-4:01am EDT

2:00 am
yet be workable. but critical for new ways to be explored to address this problem. to a person we are certain that u.s. intelligence, defense, treasury, and homeland security departments and agencies appear to be inadequately constructed or attuned at present to address the way these threats are evolving. the u.s. system for detecting, evaluating and addressing cyber-enabled economic threats seems structurally inadequate and insufficiently focused on the matter. this raises concerns about america's preparedness for identifying and responding to existing economic warfare threats, even more so about its ability to match the rate of their evolution. all right. and with that i want to turn to our first panel that examines the evolving nature of this debate. we're honored to have three highly knowledgeable and well regarded individuals. so our format is that each will speak for about 10 minutes, and we will open it up to q&a for another 20 or 30.
2:01 am
so first up is the honorable juan zarate, my good friend, first ever assistant secretary of the treasury for terrorist financing. he served as deputy assistant to the president and deputy national security advisor for combatting terrorism. his phenomenal book "treasury's war" discovers the new economic era of warfare. so thank you. >> thank you very much. thanks to all of you for coming. this is a wonderful turnout and wonderful event. i want to thank the hudson institute. mark dubowitz, thank you for shepherding the authors in the production of this very important piece of work, i think. i would commend all of you in the room and those watching online to pick it up and to read it. the contribution, at least from
2:02 am
the other authors, is incredibly important. and i'm honored to be here today, especially with steve and mike, to discuss these issues. i want to thank sam, too, because she gave me an opportunity to write more about some of the details i explored at the tail end of my book that i think are critical as we look forward. i want to discuss with you and maybe open up the discussion for the panel to talk about the convergence of financial and cyber warfare. sam has laid out one of the interesting dynamics of the 21st century: how dynamic, fluid, interconnected both the global financial and cyber domains have become and how interdependent they are. and the reality is the more dependent u.s. economies become on those globalized, interconnected cyber systems, the more vulnerable we also become to the
2:03 am
potential asymmetric impact of those who may try to attack or affect u.s. interests. what i want to do is talk a little bit about what that convergence looks like, starting first with a discussion about the nature of the threats, and then what this means strategically. i think where we are now is we're facing a very dynamic and shifting threat landscape, but also a dynamic and strategic landscape where the threat of asymmetric capabilities is really on the u.s. it has been identified by the u.s. intelligence community. so let me start with the threat landscape itself, and in particular the actors involved in the space. it's clear that actors around the world see asymmetric tools of
2:04 am
economic warfare to their advantage. to think about the use of these, it was really dominated by financial dominance, a dynamic where the u.s. found creative and innovative ways to use financial power and influence and reach in situations to isolate rogue actors and activities from the global commercial and financial system. we are seeing this play out obviously in the negotiations with iran. we're seeing this play out to a certain extent in the debate around russia. the ability to isolate rogue behavior has largely been the province of the u.s. government and u.s. policy. but u.s. competitors and
2:05 am
threatening actors realize that those very same tools, those very same mechanisms, some of the same strategies, can be used against the u.s. for asymmetric advantage. so you see a full spectrum of actors playing out in the space realizing this dynamic. super-empowered individuals, hackers and activists, for political or other reasons, or profit, often using these tools to go after the financial system, in particular banks. sophisticated organized crime groups using deep expertise found easily on the internet, beginning to infiltrate banks and the financial system. intelligence services figuring out how to use these tools for profit and political services. and some of them major powers, russia and china, others
2:06 am
marginalized like iran, north korea. we have seen plenty of examples of that. one of the advantages to these actors is the low barrier to entry. as we often say, it's not very costly to get into this game or to be on the offense. it is incredibly costly to be defending against these. but there is a supply of expertise available on the internet, often sold to the highest bidder. there is the dark web that provides access to those willing to play in the dark alleys of the internet and to connect with those with expertise. open source protocols and programs that allow individuals and small groups to operate globally, whether it's at opm or in other systems around the world, where small or relatively weak actors can gain access to prized information.
2:07 am
and so you have a spectrum of actors with a spectrum of capabilities that provides a low barrier to entry and begins to challenge the u.s. system and dependencies. now, the tools of disruption and potentially even destruction are manifold. you have spear-phishing techniques and attacks, which are common in the cyber security space. you have seen ddos attacks. you have seen malware begin to evolve in pretty dramatic and important ways, in particular attacking the sector. and trojan horse attacks which may portend malware attacks. these are not just hypotheticals. we have begun to see them. the jpmorgan attack last summer,
2:08 am
a good example of the potential for vulnerability as well as destruction. the dark seoul attack. the denial of service attacks led by the iranians and syrians against western banks, which continue to this day. the gauss attack in 2012. the nasdaq hack in october 2010, which has not been fully determined or figured out. >> matched with significant infrastructure attacks like aramco and others, these portend a real series of attacks on a financial system in a way that is systemic and important. now, let me just move very quickly to discuss why the financial system, and in particular banks, have become such an interesting and important part of this landscape. as i have often said, in many
2:09 am
ways, the international global banks are now at the center of the cyber storm. and that's for a few reasons. one, banks and the financial system are where the money is. if you want to profit, if you're an organized criminal ring that just wants to make money, you want to engage in fraud, that's where you hack. that's where you attempt to get access to data and to money. it's also where intellectual property, sensitive data, reputational data that's important to banks, and intellectual property important to deals and companies engaged in mergers and acquisitions and attempts to enter new markets reside. so that information becomes valuable to a whole host of actors. banks over the last 15 years have also become protagonists in many of the debates that affect rogue actors and countries. so the very isolation of iran, for example, from the global
2:10 am
financial system has been driven in part by what the western banks decided to do or not do in terms of business with the revolutionary guard or iranian companies and fronts. and also actors in the space, the full spectrum that i described, see that the banks and financial system are part of the key vulnerability and systemic risk for the west and the united states. some actors, no doubt the most destructive among the spectrum, would find it incredibly advantageous, if not helpful, to destroy the trust at the core of the international financial system, what hank paulson called the magnificent glass house. and so the banks, the financial system, find themselves in the middle of the cyber storm at a time when the asymmetric environment is evolving, evolving in some interesting ways. as sam mentioned and as the report lays out, u.s. vulnerabilities are increasing over
2:11 am
time, not decreasing, with our defenses not keeping up, with hybrid warfare and gray zones of warfare beginning to evolve as part of national doctrine. we see this clearly with the russians and how they think about the use of proxies as well as cyber capabilities. and you see this as well in the environment where there's much more fluidity than in the past, with rogue actors able to profit with and for each other. they claim deniability of those attacks. the syrians and the iranians developing their own capabilities, perhaps relying on others. and north koreans developing capabilities, as seen in the sony hack attack of last year. so due to the technologies, due to the global connectivity of the system, but also
2:12 am
strategically, with these rogue actors challenging states, thinking aggressively about how to use these tools. and i know the next panel is going to get into some of the defensive dimensions. but i do think it is worth mentioning at least some of the ideas that i put forth in my piece, and i know we will discuss here: there has to be a new way of thinking about this strategy. there has to be a new way of thinking about these tools in ways that not only put us on the defense but also on the offensive. and private and public partnership paradigms. using financial tools like the president's executive order from april 1st. perhaps cyber warrants, when the government gives license to the private sector to protect its
2:13 am
systems, go and destroy data that's been stolen, or maybe even something more aggressive. and then finally, developing the redundancy of our systems so it becomes less attractive as a strategic tool for our adversaries. it is a much more dynamic environment, not just in terms of the threats. >> i look forward to both the q&a from this panel and rolling into the next one to discuss some of those things that juan laid out at the end. next up we have steve, who is general counsel and chief risk officer for the cyber security technology firm crowdstrike. prior to joining crowdstrike he served over 15 years with the fbi, where he helped shape many of america's cyber and infrastructure protection laws.
2:14 am
as deputy of the fbi cyber division he helped oversee fbi strategies, intelligence analysis, budget and policy development and execution, and major outreach efforts protecting the united states from cyber attacks. steve. >> thank you. those remarks were so good, all you left me to do is really a tour de force as an overview. where you ended is where i'm going to start. strategy. where are we? where should we be? we actually have a failed strategy. the way we know it is we put more people, more effort, more policies in place and the problem keeps getting worse. it doesn't compare to where the threat is going.
2:15 am
that keeps getting further. and i want to address why i think we're there. i want to summarize my view of what those are doing to us from an economic warfare standpoint, what we are doing in response that makes this worse, and what it portends for our future. it goes across a full spectrum of activities, from stealing highly sensitive information, intellectual property that gives our businesses not only fair market condition but, over time we have seen, a lot of us become economically powerful enough to sustain our military capabilities, and private information about individuals that we're seeing can be used both to defeat consumer and citizen confidence
2:16 am
as well as used against some people, depending how sensitive information can be used for blackmail and extortion. the ability to capture information also shows the ability to change information, destroy information. the aramco case, a company in the middle east, wakes up to find 30,000 computers essentially destroyed overnight. but it is not only about data. it is about physical systems being run. so if you change the integrity of nuclear enrichment, which we have seen capabilities that could be used, which could be used against it. and changing chips, components going into military fighters, which we have seen through supply chain attacks. what that shows you is there are a number of ways for adversaries to react to, come out of, and how
2:17 am
they get into systems. it can be remotely. you hear about the phishing. it can be through the supply chain, products being created all over, either in the design, the manufacturing, the delivery stage. or insiders sent to our country in terms of work visas. so the vulnerabilities are enormous. and now let me step back to how we have responded to that. economically we have responded in the worst possible way. what we have done is we have sunk billions of dollars into our budget into the least probable success for cyber strategy. we are expanding through the internet of things. biomedical devices could be hacked. one brand, the other day the
2:18 am
u.s. government told all hospitals not to use a particular type of infusion pump. they are worried that through the hospital's enterprise network hackers could get in and start changing the delivery of medicine to patients. and the demonstration of a car being taken wildly off course. and vulnerability mitigation is a fool's errand against determined, sophisticated, all-spectrum actors of the type that we are up against. and it doesn't work in the physical world. what we do in the physical world is you do a certain amount of vulnerability mitigation, you lock doors, windows, maybe change the quality of your doors and windows. there is a point where if an adversary wants in badly enough, getting through the roof, cutting through the ground, we change quite quickly to threat deterrence, which juan also mentioned. the idea that we concede the ground.
2:19 am
no longer is this about me protecting myself. it will be about me going after you. it involves detection. if you don't know they're there, it is pretty hard to deter them, right? we are seeing routinely organizations, agencies, corporate industry, very mature, taking in excess of 200 days to even know there is an attacker on their system. you have to be able to attribute it down to the person, who is behind it. we don't know if it's you, but you're responsible for stopping it because it's coming from your area. and then penalties. some penalty-based deterrents. the worst that can happen to a hacker currently, from what we are seeing in the advanced phase, is they get caught and they get to try again. they don't succeed at first but they try, try again. that model has to change.
2:20 am
in the physical world, we put up alarms. and so that immediately says it's for protection, right? you put up cameras for attribution. when your alarm rings at 2:00 in the morning and goes to the monitoring company, the monitoring company calls the police. they don't call the locksmith. because it's about penalty-based deterrence. and you'll note from an economic perspective that with what we have done in response, we are bleeding ourselves dry financially with our response because it has led to two things. one is diminishing returns on our cyber security investment, meaning it is no longer worth the same amount as when you start off. at the beginning of a program, just like in the beginning of physical security, it might be worth $100 of protection or even more, maybe $100,000 worth of protection. it inches slowly and slowly to have a dollar represent a dollar's worth of security. that's the diminishing returns aspect we are seeing.
2:21 am
we are now in the system of negative returns, meaning every dollar is actually making things worse. it has proliferated and escalated the problem. and we see this every day played out in the newspapers. those of us seeing victim clients as the bad guys, when you defeat them, they don't just give up. okay, i used to have a life of crime. now let me see a life of law. is that a phrase? it doesn't happen. they find alternate routes. they are using codes based in pictures in twitter accounts for botnets. we have spent our money. it resulted in an escalation of the problem. similar, for example, if someone were to break into your place of business and the response was, why don't you put up a 10-foot wall at the price of a million dollars around the complex. and then they go up and purchase
2:22 am
a 15-foot ladder for $30. and then the response is, you know what, 15-foot ladder, make it a 20-foot wall. we all know what is happening next. that is happening to us here. not only are we falling victim, but our intellectual property is being stolen. our banking and finance is vulnerable, as is the rest of the critical infrastructure. but our response has furthered our economic dependencies at a loss of viability for our security. so where do we go from here? that's really where the second panel will answer the questions. but certainly that threat deterrence has to be the predominant focus, using all hours of national. and consideration of the private
2:23 am
sector's role. it can be very influential. that is not just a u.s. problem, of course. and as we think about that strategy, the other thing that we really have to be concerned with is how the political and economic warfare that we're facing can result in a crisis of confidence in our country, which could of course be as severe or more severe than actual consequences. i think we are facing real potential of a crisis of business confidence, the ability to be protected in today's global economy. consumer confidence. the ability actually to do anything online any longer, to take advantage of technology. injection pumps. automobiles. right? so the economy that's being driven through technology can pay for consumer confidence backlash.
2:24 am
unfortunately, citizen confidence, if we feel the country cannot protect us. and it's actually subject to extortion at any given time. in this country organized criminals are breaking into police force computers and telling them, if you don't pay us our ransom we will delete it, destroy it, or you'll never have access to your records. they are paying extortion to foreign criminals. what happens when that happens against us? is it already happening and you just haven't been apprised of it? and with those remarks, we'll pass it off to the distinguished congressman. >> good afternoon. we are pleased to have chairman
2:25 am
mike rogers addressing us today. former member of the u.s. congress, 8th congressional district. fbi special agent. mike really is in a unique position to shape the national debate on a wide variety of issues, including this one. he hosts the nationally syndicated "something to think about" on westwood one. and he chaired the powerful house intelligence committee, was a member of energy and commerce. mike built a legacy of tireless and effective leadership on cyber security, counterterrorism and national security policy. we welcome you, mike. >> thank you, sam. steve was an fbi agent to catch smart criminals. i was the one apparently to catch the dumb ones.
2:26 am
as a matter of fact, i have had the opportunity to meet and spend time with all of the panelists you will see today and all the authors of the book. and i highly recommend this. i've read a ton. this is to the point. provides you unique talking points. out of the box. i love that thing. when i walked into the room with all the panelists it struck me that the iq on average went down 15 points. now, i don't know why that happened. oh, come on, people. lighten up. i know it's pretty serious. two things happened in the last decade we don't want to talk about. we have strategic erosion in our dominance in both cyber and space. in 2007 when the chinese took out a rocket at about 11,000 miles per hour and hit the target, thankfully their own, a
2:27 am
whole host of activities, including killer satellites, america's dominance in space came to an end. you think about how reliant we are on space for everything we do in our economy. that was a fundamental change. we had to figure out, how do we step up and counter that? now you have to launch a satellite that not only can do its mission set but protect itself. that is a whole new ball game when it comes to space. about half of all the satellites up there don't belong to the united states. some are up to pretty nasty things. then you take cyber. we watched this problem happen year over year over year. here's the thing. here's the good news about the former mcconnell's comment: if we were in a cyber war we would lose. if we were in a cyber war, we would lose. that's the good news of it. here's the bad news.
2:28 am
we are in a cyber war in the united states, and we are not winning. it's that bad, and it's getting worse. so you think about where we are today. most of our financial system is under attack. some successfully, some not. we now know, and you will hear from other panelists, how the new generation of technology, which we pride ourselves in, making a car do amazing things, is now susceptible. airplanes have been hacked. our electric grid has been penetrated. it is susceptible. and what they don't tell you in the second part, don't worry, nothing to see here, we've got it fixed. why? because we don't. the fbi just came out with an interesting report that 13 -- year 13 over year 14 there was a 53% increase in economically targeted espionage against american business. 53% increase over one year.
2:29 am
and the bad news was it was outrageously bad the year before. why? no consequence. all right. they have absolutely been able to get away with it. china has built an entire economy on stealing intellectual property, not only from us but our asian allies. anybody with intellectual property is subject to getting it ripped off. and likely they have. and so we have watched this problem get worse. and i get worked up about this. i just read today where the department of homeland security issued a letter in opposition to the one piece of legislation the senate is ready to move here, called cisa. for those of you who are familiar with our bill called cispa, it tells you we have problems with acronyms in congress. for the one reason that it allows companies to go to intelligence agencies to share malicious threat code.
2:30 am
which, by the way, has been happening intermittently in the past. the one thing we looked at and said, here's the problem, we have to foster sharing. sharing is the key word. if we can share malicious code in real time at light speed, we might, might be able to put a dent in this. what you are seeing is there is a bill out there that can be protective. companies can feel comfortable knowing their information is safe and saying, we have this malicious source code, you have to help us with this, we don't know where it came from. now our own government will work against itself for god only knows how long again for details on how we come up with the cyber sharing regime. i think the first bill was passed in 2013 in a big bipartisan vote in the house.
2:31 am
likely three years. we still can't come together. the white house can't talk to the congress, the senate can't talk to the house, the house can't talk to the senate. in the meantime, how many trillions of dollars have we lost in potential economic gain and real dollar loss? billions. billions and billions and billions of dollars. and the one trump card they will throw down, and they did it in the dhs letter to stop the legislation, is "we have privacy concerns." that stops everything. in the meantime the russians, the chinese, the iranians and now unfortunately the north koreans, we could list 15 other nation states, are already on your networks. they are stealing your information pretty much daily. at ease, again, with no consequence. so think about where we are today versus where we were 10 years ago. space, we are no longer the dominant player. our technology is better, clearly, in many cases.
2:32 am
now we have to worry about the security, safety and survivability of the old systems and some sophisticated new systems we launched into space. big problem for any business anywhere in the world, let alone how tied we are to the economy. on cyber, getting our clocks cleaned. now the intelligence community is going to set up its own version of a cyber center to try to -- by the way, this is probably a good idea. we didn't know all the capabilities of our own intelligence. why? people talked about privacy and we stopped everything for two years. we couldn't get the intelligence community to share information in a real and meaningful way. machine to machine. nobody is reading e-mails. couldn't quite get ourselves there. and the last part of this, in 2014 was a huge policy shift we all as americans kind of moved along. we had two nation states,
2:33 am
not the most capable we worry about, make the calculated decision they were going to use their nation state capability to exact a punishment on a single united states business. now, normally if somebody went in and blew up somebody's warehouse, and if they fired a missile or sent a sabotage group across the world into the united states to do that, it would be an act of sabotage, act of war, or act of terrorism. a political entity using destruction to further its political gains clearly fits in the definition of terrorism. both cases are public. one is the sands resort casino, and one is the sony case. the problem, and i think what all the panelists said, where is the deterrence to doing it? there is no deterrent. they're not going to stop. they're actually going to
2:34 am
increase their ability to have the capability to conduct those kinds of attacks. and they will continue to pick companies which they find vulnerable to do economic and real destructive harm. and if you think about the sands resort, the ceo gave a speech that iran should not get a nuclear weapon. they decided they would use their nation state capability to attack the sands resort casino. they ended up penetrating a casino in pennsylvania and worked their way back to their headquarters. it took a long time to do it. they were determined to do it. before they did millions of dollars of damage for a political purpose. america's response? not much. so we have yawned at this notion. we have this problem that as long as i can get to starbucks with my app and pay for my parking on my iphone, everything must be okay. the problem is every day we
2:35 am
erode our ability to protect a growing and more complicated system. lastly, we are getting ready to add 28 billion new applications to the internet. everything from your garage door opener, and i don't know about you, but every time i walk by my refrigerator i think it's working against me already. this is a huge problem for us. you will hear a little bit about this on the second panel, especially with the automotive focus. we will add all of these devices. not one ounce of security prevention has been planned in any of it. one of the biggest things that happens to you when you have an application on your network, if you talk to security folks, they probably don't know that application is on their network.
2:36 am
it is harder than it sounds. nobody has completely 100% mastered it. there are a couple that are close. on your private sector networks there are huge vulnerabilities to work in. they spend $250 million a year on cyber security. $250 million. they get penetrated. why? it's because of the complicated nature of the network, how you manage the network and understanding what application is on it. i always say this is not just a technology problem. it's an anthropology problem too. it's a people problem. if you wonder why the chinese have stolen as much data that isn't related necessarily to a criminal act, anthem medical, and the list is pretty long. we could be here going down the list.
2:37 am
certainly opm. lots of really detailed personal information. why would they do that? >> 85% of all the success rate of a chinese penetration of your network comes from a phishing e-mail. imagine the e-mail i can create if i know everything about you for the last 10 years. and i mean everything. and i also know the last time you went to the doctor and exactly what you had done at the doctor and what your billing status is. imagine that e-mail that says, last week you had your knee looked at. i think i screwed up on the billing cycle. would you verify this was your x-ray and not that guy's? yeah. i was there. the e-mail came from my doctor. at least it looks like it came from my doctor. i click on it. they're in. 85% of the chinese success rate. they just increased their target by 53%. i'm not the smartest guy in the room. but in the fbi we would call that a clue. we've got problems
2:38 am
brewing. i appreciate the discussion and thanks for including me. >> that's fantastic. we have about 15 minutes or so to really open up for questions focusing on the evolving threat. and from this panel the evolving threat is both from our adversaries and against ourselves as well. i don't know if someone has a mike or if it's a small enough room. sir? >> is there any difference in approach between the public and private sector? can we say all private sector goes one way and the private sector goes one way? any difference in the approach to that? >> and i have, i think, a little bit of a different perspective than some of my panelists.
2:39 am
so this should be an interesting discussion. i worry about this. 85% of the networks in the united states are private. and contrary to popular belief, the national security agency is not on those networks. they're not. not unless they have a warrant to be there. and that is highly unlikely. what happens is you have these intelligence services overseas trying to come back and protect the government. what we want to do is share it in real time so the private sector can protect itself. it's not working. sharing is terrible. no one wants to do it for liability reasons, a whole host of reasons not to share. here's the problem with the private sector saying, the heck with it, i'm going to flick whoever i think did this. determining and attributing that attack to a certain nation state or international criminal organization, there are capabilities all over the map. some can do it very well. some think they can do it very
2:40 am
well. some don't have a clue how to do it but that wouldn't stop them anyway. the government would have the responsibility: how do i protect 25 businesses, what would be the second order impact? right. if i attack you, you flick me in the forehead. i guarantee you they will not sleep on it overnight. why? they have already been trained there's not much of a consequence to doing this. i always argue you have to have a good defense before you go out and do something bad to your neighbor. if you're going to punch your neighbor in the nose, hit the weight room for a few months first because he's likely to hit you back. the problem is we have no good defense today for that 85% of the networks. so the companies that got really good at it, they'd be fine. a lot of companies, i wouldn't have any problem doing that. what happens when they take out the 15 companies that are their suppliers that can't withstand a cyber attack at all? now what do we do? we have an engaged private
2:41 am
sector, and as we are watching as a government entity, what do you do? how do you stop the escalation? as a government entity we have all kinds of ways to de-escalate any event. you have none of that in cyberspace. we have to get all of that right. >> just real quickly, i just love being on this panel with these gentlemen. it's awesome. three problems. you identify a critical question. the adversaries don't differentiate between public and private, right? they, in many ways, the autocratic states, totalitarian, it's all one thing. their economic power and influence is part of state power and influence. the chinese have actually identified their banks as a strategic asset. so the starting principle is that our adversaries in this space don't differentiate. if we think about national
2:42 am
resilience, the health of our infrastructure is part of that. in some ways the clear divide between public and private in many ways in this environment doesn't make a lot of sense. the third point i want to make is i think one of the challenges, and mike referenced this, is how we interact between the public and the private sector. information sharing is sort of a leading edge of that question. but also it's a fundamental question of our national security architecture. how do we enlist the private sector in a way that defends them and makes it part of a national resilience campaign when there is a clear blend? and one sort of way of thinking about this, maybe this is where mike and i disagree, i do think there is a way of thinking about this a bit more aggressively. we take it straight from our constitution. the founding of our constitution, the founding of our republic came at a time there was much unease about maritime security. we have a provision in this
2:43 am
constitution for letters of marque and reprisal for the government to actually leverage private actors in the maritime security domain precisely because there was this blend of threats and blended environment. i think we need to think a little more aggressively because the environment doesn't differentiate between public and private and we don't want to do damage to the private sector and protect it and can't ignore whether the private sector, jpmorgan or others, are part of our national security and economy. >> you want to add one thing? >> i want to add one thing on this matter. it's something that both the chairman and juan talked about discussing the differentiation in our country what's publicly owned and privately owned. it goes past that. in most of the western countries, there's a very hands-off view to the internet to allow technology to innovate and
2:44 am
governments have it as a philosophy to not get overly engaged in the infrastructure. that's not happening everywhere in the world. the countries we already mentioned get thrown out, china, russia, north korea, they are already balkanizing it. they own the infrastructure, take it up, turn it down, have resilient approaches. that relationship we have with the private sector where we're hands-off but at the same time it's not resulting in secure outcomes isn't being followed everywhere. what we're seeing is the rest of the world, those who tend to be the aggressors, are really locking down their infrastructure. we're going in exactly the opposite direction in a way that really would not be considered i
2:45 am
guess obvious when we do other things. for example if i were to say i could develop one cell tower that has so much power all you need is one cell tower and you always have four bars wherever you are in this country, the only problem is it will give you cancer, everyone would say that's a ridiculous invention, don't use it. and if i build a car that can go 200 miles an hour but the only problem is our roads aren't set up for it. but in technology you can sell anything regardless of the consequences to our country. we have to start thinking about what we are permitting and the relationship between the private sector and government has to have common cause in health and safety and security. >> thank you, we will take a couple questions. i want to say in both chapters,
2:46 am
there are discussions about marque and interesting footnotes about law school articles that have been written specifically about marque in cyber which i commend to you. >> good afternoon. i want to follow-up on your last comments. a lot of focus is how do we make the network more defendable, robust, resilient, how do we attribute the threat actor who hacked the system. at what point do we flip the model and start holding the actual manufacturers accountable. because i guarantee you in most intrusions, whether sony or elsewhere, it may have come in by a spear phishing attack but it was utilizing a vulnerability in adobe or flash or some other software running on that network. at what point do we hold them accountable and start running our own house? >> i think it's the wrong
2:47 am
perspective. we don't demand perfect security in any other aspect of life. i would never dream if my house got burglarized i would go through the architect and contractors and say someone is tunneling through the ground. we are incentivizing quick low cost to market products that don't have security problems. i'm not saying there can't be and i'm all for it. but it wouldn't change nation states and organized crime groups persistent and determined will always be able to break in sooner or later because it is an impossibility based on vulnerability mitigation efforts to secure a dynamic interoperable environment like what we have in the internet. the only time you see it in this physical world is a bank or fortress. it doesn't move or change much over time, you could really secure it. once you say we will meet up with everybody and we're going
2:48 am
to change all the time through updates and connections, that's the fool's errand. the real choice is how are we going to start taking some of this money and putting it into a robust conversation and intellectual analysis by bringing standards to actual analyses, when these things happen how do we build platforms necessarily, not necessarily secure but better at detection, attribution and figure out what our policy choices are. we might find out despite -- you took the card, i'll make it this one, some of the systems we need the best security for coincidentally and by good coincidence have the least privacy concerns. the electric power grid -- if you work for -- forget about -- the electric power grid, everybody who works there and owns it wants to have perfect knowledge who's on it at any given time. very low privacy.
2:49 am
that's where i would start but not cleaning up what could be done but detection and real policy choices to give to our leaders in those areas that matter most. >> real quickly, i think there's a different dimension of liability. what we haven't enabled is this private sector bar and the plaintiff's bar to actually be a force in this environment. with the attribution revolution i think there is an opportunity to think about class action lawsuits by victims of malignant cyber attacks that allow victim companies, individual shareholders to go after companies taking advantage of this environment. chinese soes using stolen data, why aren't they subject not just to government action but even private litigation. i think the question of
2:50 am
liability is an important one. i think we need to flip the model a little bit more and empower the private sector to be an actor and deterrent. >> i think we have time for one quick question. michael, quick. >> quick question to get you all on the record on this. >> great. >> just to get you on the record on this -- >> how fast the tables change. >> is it fair to say that the u.s. private sector in cyber has no right of self-defense according to the law that that is our policy they have no right of self-defense, in the same way there's a duty to retreat they have no right of self-defense? i think i'd like to begin with juan because you advise banks on this. when you listen to the lawyers and lawyers seek to work with you on this do they feel the bank has a right to defend itself when it comes under attacks by either criminals or
2:51 am
nation states. >> this is how you define defense. passively, you say, of course, we have the right to defend, great layers and redundancies and a lot of criticism they haven't done those and the cyber hygiene they need to do in terms of employee awareness, certainly they can do that. there is also a lot of reticence in the private sector to actually getting involved too actively. a lot of companies don't want the very idea of hack back or active defenders of systems. they want the government to do it. they want more information to do it themselves. in that sense if you define defense broadly, yes, they do. do they have an active defense role to play at this point and is there a legal structure for that? no. >> defense of person or property is a justification, right? it's an otherwise illegal activity. i think it's very uncertain. we haven't seen prosecutions
2:52 am
against companies. that might be prosecutorial discretion. we don't know what might happen if there was a case taken up. unfortunately a lot is theoretical. there is no certainty in this area. businesses, unlike individuals, are unwilling to roll the dice, businesses hate uncertainty. we're a nation that can't even get a national data breach law. we're stuck with dozens upon dozens of individual state laws of data breach notification, what's the chance of a company figuring they have certainty of action even within the united states, no less how that might be observed outside the country where they are likely doing business? i think the short answer is do they? there's no clear answer to that. that factor is enough that responsible big businesses are not going to touch it. >> when you talk about extra-
2:53 am
territorial defense, that's a loser from point go. if you don't have proper legal authority it's a disaster mainly because in a ground circumstance you're dealing with a personal threat to your life. the way the law is written it has to fit that criteria. this, you could never make that legal argument here, number one, and number two when you decide you're going to breach territorial jurisdiction and go after someone, you have opened up a can of worms which is well beyond the scope of your threat. that's where i think we have to -- our policy is not there. we don't even in this united states have a good offensive policy. i think it was admiral rogers not that long ago within the last few months said just as much as that, that we don't have a good cyber offensive policy. we talked about it ad infinitum in classified settings for the entire 10 years i was on the
2:54 am
intelligence committee. we could never get consensus to move to the next place what that cyber offensive is. as a personal note i saw the administration say they will make china pay for the consequence of the opm hack. i can't wait. i cannot wait to see what the heck that thing is. candidly, i'm not too excited about what it's going to be. we haven't crossed that threshold to bring everybody in this room to deal with this problem. long answer to your question, i don't believe they can go extraterritorial to what they perceive is a threat at that point. >> thank you so much. thank you, if we can give a hand to the speakers. you can see how we can take many hours talking about that. we will roll into the next panel, capabilities needed to protect and defend in a cyber economic war. this led perfectly into that. thank you.
2:55 am
all right. we want to get you out in a
2:56 am
relatively timely fashion. if we can ask y'all to reclaim your seat or somebody else's. while we're getting our seats, before i turn it over to the panelists for this discussion, i want to read a very short paragraph. there is an intellectual no man's land where military and political problems meet. we have no tradition of systematic study in this area and thus few intensely prepared experts. the military profession has traditionally depreciated the importance of strategy where politics are important as compared to tactics. now we are faced with novel and baffling problems to which we try to adapt certain ready made strategic ideas from the past. if we examine the origin and development of these ideas we
2:57 am
may be better able to judge whether they actually fit this present and future. this was written in 1959 by bernard brodie in strategy in the missile age. i recommend it to all. his calls for new ideas in scholarship to deal with the atomic age helped the u.s. create the doctrine and capabilities that guided us for the last half century at least. i would add to brodie's assessment there is an intellectual no man's land where military and political problems meet and we have no discussion in this area. within our monograph and in our earlier seminars, i have turned to earlier work i and others did on the nuclear kill chain and thought about its applicability to this evolving threat of cyber and economic warfare and vast differences, namely the hurdle for development and acquisition and use. also what i call, in one of the
2:58 am
previous panels somewhat referenced it, the could we be in a war and not notice metric. i think it would be hard to ignore the use of a nuclear weapon. as we heard in our last panel we are fully engaged in a cyber economic war. the kill chain of needed capability so to speak may have to be thought about differently. nonetheless, its basic elements, intelligence and warning, deterrence, detection, frisk, interdiction, battle management, consequence management and battle and recovery serve as a useful way to think about our current capability and the doctrines and technologies we need going forward. at this point i want to welcome our amazingly talented individuals to talk about the nexus of policy and technological developments. the first is executive director of the foundation for defense of democracies where he leads on
2:59 am
nonproliferation and is an expert on sanctions and has testified before congress and advised the u.s. administration, congress and numerous foreign governments on iran and sanctions issues. he heads the fdd center on sanctions and illicit finance and is co-author of more than a dozen studies of economic sanctions against iran. mark, off to you. >> great. >> sam, thank you very much. i hope you will keep me to my five minutes, maybe give me a nudge if i'm over five minutes. i will try to make my remarks brief. i want to thank sam for involving me in this project. a fascinating project with amazing people to be involved with. ken, thank you for hosting this and allowing fdd to co-host this and mike and -- mark and michael. and thanks to the young woman who co-authored this, annie, who co-hosted this in new york and
3:00 am
the next generation of economic warriors. juan knows her very well and samantha knows her very well. it's satisfying to the three of us when we're playing golf in our retirement someone like annie will be continuing the fight. we talk a little bit about the paper we wrote together. i want to put this in context. the paper is called cyber swift warfare. we call it swift warfare because the case study we dealt with is the swift financial messaging global system. if i want to wire money to juan, my citibank has swift codes and chase manhattan has swift codes and that's the way our two financial institutions talk to each other so i can wire money to juan, which i do often. [ laughter ] no, no, absolutely. the key looking at swift was swift really was the high point of the u.s. government's economic warfare campaign
3:01 am
against iran. it reminds me there was a point in time we were actually engaged in economic warfare against iran. this is coming at a particularly troubling moment for me having spent a lot of time working on iran to see the u.s. government dismantle the entire sanctions infrastructure we put in place to pursue this nuclear deal but that's a topic for another panel. as david sanger explained in the new york times, the treasury department where juan worked and his leadership and stuart levey and david cohen and now adam szubin, the u.s. treasury was described as president obama's favorite combatant command. for good reason, it was economic warfare against the iranian regime and was a decade of measures that began under president bush, the designation of key iranian banks and revolutionary guard entities and
3:02 am
culminated in the passage of sanctions legislation by congress, congressman rogers certainly played a key role in that. it was fascinating because it -- as these sanctions escalated you saw over time a dramatic impact on the iranian economy and iranian decision making. some of the key events along the way included the u.s. treasury department's patriot act 311, there was a designation as a jurisdiction of primary money laundering concern and legislation passed by senators that legislatively designated the central bank of iran as the key pillar of that money laundering concern. in 2012 congress over the objections of the administration and the europeans actually passed legislation threatening sanctions against the board of directors of swift and that legislation encouraged the europeans and eventually swift to expel dozens of iranian banks
3:03 am
from the swift system. it was unprecedented, the first time in swift's history there was wholesale de-swifting of a country's financial system and it made it impossible for the iranians through the formal system to move money and finance trade and repatriate their foreign exchange earnings. it was certainly a tool of very effective coercion but something our adversaries learned from. i note when it comes to swift we see calls from the u.s. congress, the british government, in fact from pro palestinian organizations to use swift again as this ultimate instrument of economic coercion. last year, pro palestinian organizations asked swift to deswift israeli banks in the disputed territories. the british government asked swift to deswift russian banks.
3:04 am
that led to a response from the head of one of russia's largest banks who said that deswifting of this bank would be an act of economic war. we've seen our adversaries try to take our playbook on iran and use it in other ways. in russia, the russians are using economic warfare against our allies in central europe and eastern europe. there, they're using energy warfare. the dependence our european allies have on russian natural gas for example. a whole series of measures, both offensive measures against russia because of the annexation of crimea and eastern ukraine but retaliatory measures against our allies and the united states, leading to a need for defensive measures. if you move to the asia pacific region, china used economic and political warfare against taiwan for years to persuade the international community
3:05 am
taiwan should not be recognized as an independent state. the chinese cut off export of rare earth minerals for a couple months when there was a dispute with the japanese. those rare earth minerals were important to key industries of the japanese economy and there have been significant territorial disputes between china and japan and other countries and the chinese have matched their naval maneuvers with economic coercion. what you're seeing essentially is our adversaries learning from us the power of economic warfare and economic coercion as a dominant instrument of statecraft. now, the united states and certainly our allies in the middle east and asia and europe are lucky. the united states still remains the dominant global financial super power. 81%, i think it is, of global transactions are done in the u.s. dollar.
3:06 am
60% of foreign exchange reserves are held in the u.s. dollar. 45% of global financial transactions are done in the u.s. dollar. because of the u.s. dollar's dominant position we still wield tremendous power. make no mistake, that is changing and changing in some fundamental ways. the russians and chinese are creating an alternative to the swift financial messaging system. it's unlikely to attract the support swift has today with 10,500 financial institutions using the swift system. over time it may erode the global dominant position of swift. the chinese have a combination credit card interact card which is available in 100 plus countries around the world. it has a market position, it represents 45% of the total number of cards in global circulation.
3:07 am
25 to 30% of the total transaction value, extraordinary, and because of the russians, it's delinked from new york. when we're imposing sanctions on russian banks, the chinese moved in after mastercard and visa moved out and offered this card to russian banks to offer an interact card and global credit card delinked from new york and therefore not susceptible to our sanctions. the chinese set up the asia investment bank, an alternative bank for infrastructure financing which has attracted significant global support including most u.s. allies. as a final example, and there are many others, the chinese have gone to the imf and asked about something called the sdr, special drawing rights, which essentially represents a global asset, a foreign exchange asset, and that asset is linked to a basket of currencies including the u.s. dollar and chinese yuan.
3:08 am
the chinese have been pressuring the imf to actually change the allocation, the percentage allocation in that basket so the yuan is more highly represented. these are four examples of how over time the chinese are trying to erode our global dominance. we may be witnessing the creation of alternatives reducing the u.s. dollar. let me end on this. annie and i conducted a lot of interviews with folks in the u.s. government, former treasury and state officials, people in europe and asia because what we really wanted to find out was what kind of defensive measures were we actually taking? we have been very good on offense. how good have we been on the defense? we discovered in the u.s. there hasn't been as much thinking about defense against economic warfare, how do we create economic defensive shields to protect the u.s. and allies from use of offensive weapons by
3:09 am
iranians, russians, chinese and others against our closest allies. the monograph came out with specific recommendations, but specific recommendations within the u.s. government and institutional changes within the interagency: an office of policy planning. the state department has one and our recommendation is the treasury department has an office of policy planning where they're thinking about these kinds of defense measures and have the time, unlike the friends at treasury drinking through a fire hose everyday, to think through the specific measures we can put in place to defend the united states and our allies. number two, standing up to economic warfare. there are folks who have a lot of strong planning on the economic side, understand markets, understand financial markets. but the idea of having people at the nsc who understand sanctions and illicit finance and use of
3:10 am
economic warfare would be useful. >> three was establishing doctrine on the use of economic warfare. we have doctrine from the nuclear age and missile defense and certainly a new cyber doctrine folks have spoken about. doctrine would be very useful. how should we be using this offensively and defensively. it may be a controversial recommendation, the idea of setting up an economic warfare command. we actually have commands in the u.s. government, most at the pentagon. this idea would be an economic warfare command that would draw the best and brightest and necessary resources across the interagency. our recommendation was to locate it at treasury. those four on doctrine and institutional changes to protect our allies against the use of economic coercion. i'll finally end with this. israel has been an interesting
3:11 am
example because the boycott investment sanctions movement against israel suggests we are seeing the canary in the coal mine. here is a small liberal democracy ally of this united states where all of a sudden economic warfare is being used against israel in order to achieve political objectives of those who oppose israel's position in the territories. whatever position you take on the territories or position on these regional disputes my assessment and my conclusion is we should be protecting our allies with cyber defenses, ballistic missile defenses military defenses and economic warfare defenses regardless of our assessment who's right with respect to the regional dispute. this is the canary in this coal mine. as terrorism came to our shores economic problems will come to our shores and we have to think of changes to create economic
3:12 am
defensive shields. >> that's great. the only thing i would take issue with is economic warfare has reached our shores. i think they would agree they really do delve down, if we're going to be serious about that let's be serious. what does that mean in terms of organizational changes that may be necessary in the u.s. government. but our next two speakers focus on where really the rubber meets the road in terms of the technologies that are going to be needed, how we think about that. ultimately, you know, you will have to be able to back up our words of deterrence with our technologies. the first speaker is dr. michael shed, a program manager in the information office at darpa, which for those who may not know is the defense advanced research projects agency. his focus is on quantitative and
3:13 am
cryptographic techniques for big data and software. previously he was a research scientist at sisc and scientific consultant at booz allen hamilton and holds a phd in chemistry from princeton. michael. >> first of all, thanks, sam. i think i speak for mark, too when i say those of us who work on the technology side of the house found this to be a very useful and fun exercise to give a broader context to our work lives. as a preparatory remark, all the opinions i express today are my own since i am still with the u.s. government and not fdd. i will start on a slightly down beat note. today, you can barely turn on your news browser without seeing a fresh story about another american firm that is a victim of espionage or intellectual property theft. there does not seem to be a
3:14 am
clear path out of this bad equilibrium. the purpose of my article is to help provide some new thinking out of the state by taking, first, an historical perspective on economic espionage as a timeless instrument of competition between nation states, and, number two, a scientific perspective on technologies to help us flip the script on economic spies and ip pirates undermining our national economic strength. to begin, we have history to help us here. the notion of intellectual property actually evolved over centuries as the enshrinement of economic reward to inventors of economic ideas. the united states economy is particularly sensitive to the climate in which such rewards are protected. in a 2012 report by the u.s. patent and trademark office, 75 of 330 industries are categorized as ip intensive and account for 18% of all employment in the u.s. in 2010.
3:15 am
according to the 2013 report by the commission on the theft of intellectual property, the u.s. loses over $300 billion a year in ip theft. if ip were to receive the same protection overseas it does here the american economy would add millions of jobs and encourage significant investment and economic growth. unfortunately not all countries in the world are serious about protecting this law. one of the great ironies of history is the united states has been here before on this problem, although on the other side of the problem. in the immediate aftermath of america's war of independence from the uk we had privately conducted but officially tolerated ip theft against british industry to super charge the american manufacturing economy. the british response was vigorous. they imposed export bans on machines and
3:16 am
designs and restrictions on immigration and even acts of arson on american factories with stolen ip. i know there have been talks of hackbacks. the idea of hackback is not terribly new actually, it's been tried. arson aside, the british strategy would not look unfamiliar today. by any reasonable accounting the british policy completely failed to stop the diffusion of the sensitive manufacturing ip into the factories of its unfriendly transoceanic rival that went on to eclipse the uk as the manufacturing leader. all of this must sound distressingly familiar today and in 2014, it is america playing defense. to simplify the struggles i will focus on the software industry, not only because they're the largest by export value but because there are new ideas pertinent to that
3:17 am
industry that might inspire new thinking for other industries' protection as well. to give a partial illustration of what our software industry struggles with: 19% of the software sold in the u.s. is pirated. in china, as one other example, 77% of the software transacted is pirated. beyond the simple crime of making and running unauthorized pirated copies there is a deeper and more insidious theft policy by prying into the source code of software to extract the core algorithms and ideas, to extract research and development dollars. how do we stop this? we develop a new model for thinking about how to protect our ip based not only on law and diplomacy but technology and economics as well. that may change the dynamic between attacker and defender in
3:18 am
this ip conflict. the status quo in defending our nation's ip interests in general tilts towards the diplomatic and legal remedies favored by the british. as we have seen through historical experience there are fundamental limitations to this kind of approach. it is useful to pull back a step and think about the problem. it is an economic as well as criminal problem and we have seen through historical experience laws and diplomacy are limited in their ability to deter criminals from this kind of crime. so the question is can we use technology and economics to deter economic decision-makers from deciding to steal as opposed to not steal. can we raise the technical costs of stealing to such high levels it no longer becomes worthwhile to do so. the good news is that the answer is yes, but there are major caveats. today, commercial software is effectively defenseless
3:19 am
against reverse engineers because the state-of-the-art in defending against such theft largely consists of junk code and essentially giving the attacker more code to read and understand. this security through obscurity approach can almost always be defeated in a day with standard software tools and is almost universally regarded as ineffectual by software security experts. the good news here is a recent mathematical break through by a scientist has opened up the door to making new kinds of software that can baffle even the best reverse engineers in such a way that unwrapping its inner secrets is equivalent to computing a mathematical problem whose solution requires a super computer and algorithms not known today. this is exciting because this is the kind of technological break through that could be the
3:20 am
emphasis where we have a future of rights protected not by laws of nations but laws of mathematics. here, there are huge caveats, realizing such technologies not only for software but other products will likely require radically new scientific ideas that will take years if not decades of sustained work and effort. if they are successful it could secure economic leadership far into the future. one of the issues we have in the cyber threat today is victims are caught in a pathological dynamic, they have sometimes an interest in concealing their own victimhood. we talked about this in the context of cyber threat sharing. one of the other interesting things that emerged in economic research in the past 30 years is secure multi-party computation. this began as something of an economic problem a little more than 30 years ago called the
3:21 am
millionaire's problem: two millionaires want to see which has more money but don't want to reveal exactly how much money they have. i don't know how millionaires think but it's a neat problem. [ laughter ] >> this might seem like a contrived problem but from a cryptographic and mathematical perspective it's not trivial at all. cryptography was built around this that morphed into smpc today. given that was a trite problem 30 years ago, what this has evolved into 30 years later is a very valuable and practical technology in a very real problem. in space today there are dozens if not scores of spacefaring nations with satellites going at very high speeds and every agency and country has an interest in not having the satellites collide. you're giving away either sensitive security information or national security
3:22 am
information. how do you share information about your satellites without giving away those kinds of secrets? where the research has gone is from that very contrived millionaire's problem 30 years ago to something that could help the national space agencies and companies share their information without revealing private information. this is obviously exciting because these are not trivial problems. for the math geeks these are 200 degree integrals over space and time for objects going at nearly relativistic speeds, a hard problem and computationally very difficult. it's just software after three decades of investment that gets us closer to that problem. it's not hard to see how this maps to sharing problems within the cyber threat world and has a very important privacy component, too.
3:23 am
to conclude, it's very fitting that the ingenuity of the american economic system that created many valuable, world-changing ideas could in the end be a source of defenses to protect those very ideas. thank you. >> thank you, michael. doesn't it make you feel good he's in the government protecting us? >> makes us feel good. >> he's protecting us. the modern-day version of the millionaire's problem is figuring out how much money donald trump actually has. that's where it's evolved to. finally, mark tucker is the founder and ceo of temporal defense systems and founding board member of cyber insurance company of america. at tds he leads a team of experienced white hat hackers and technologists working to safeguard computing devices and networks in the cyber war era. >> that was a mouthful, thank you, samantha, and thank you for
3:24 am
inviting me. i think this is a great way to look at the problem because this problem is a complex problem and really not quite understood. when you marry those two terms of cyber war with economic cyber war it brings multiple notions of cross-pollination to define the problem. i think we're still at the point where we need to quantify and basically understand the problem's dynamics. when i heard a few things in the previous panel i was diametrically opposed, right? but i was down there and couldn't talk. i've held some of those things and i understand why the comments were made. the comments were made because of these trends and economic things happening, and understanding the essence of what's going on here is what forums like this are about. when you look at cyber economic
3:25 am
warfare, what is it? it's war, it's not crime. there's a difference between having a war environment and a criminal environment. crimes happen in war. i think it's very safe to say if we get some actionable assumptions and say, okay, maybe it's not provable 100% but by a preponderance of evidence, it means this assumption is pretty good and we can start making action plans around it. ultimately, america needs a cyber action plan. we have the department of cyber command now. we have multiple departments of everything. but the core of the problem i think is still a little bit elusive. i think a few things in the first panel were perfect and spot on. let's say the actionable assumption is cyber war is here and upon us. when did cyber crime become cyber war? what inflection point in time did that happen?
3:26 am
that was the shot heard around the world, and when cyber war was the turning point from criminal gangs and activities happening to something that became -- physical damage was caused and caused geopolitical outcomes because of it. that one thing was like the shot heard around the world; we can assume cyber war is here. what does this dynamic of cyber war look like? it looks like a low intensity conflict in war terms to me. it doesn't look like the power balance of the nuclear war era where everybody built up these huge offenses and nobody struck. why? because proliferation has already occurred. that dynamic doesn't exist in cyber because there's too many actors and people. it takes one individual. that would be equivalent if we
3:27 am
think about trying to do a nuclear-power arms race build-up of offensive cyber weapons: it won't work because we can't control it. too many points of attack heading through. you can say cyber war is here to stay a long time. there will be interesting things that happen. the playing field is basically, if i could compare a few examples where low intensity conflict is occurring, we look at -- we look at iraq in 2004 when all of a sudden america comes in and we take the country over. i was there, by the way, so the ground truth i had then is equal to the ground truth i have now on the problem, so i've seen it from all different levels. when i was first there, there was a bomb here and there and it went off and it was scary. in essence there was a power void: saddam was gone and nobody knew what to do. the criminal gangs started to
3:28 am
move first. there was a little bit of activity happening. what happens when those types of low intensity conflicts evolve is there's coordination, and then there's six bombs going off at the same time and the frequency going up. when we look at the threat horizon over a 20 year period, basically we're seeing a negative threat for 20 years, a negative trend occurring. when most of that occurred -- think of it as the cyber crime era -- now in the cyber war era we've seen the curve steepen. in essence, what's happening, you look at the battlefield and the battlefield is interesting because it's all around all of us and it's global. the frequency of attack is occurring and the battlefield has softened. we see attacks on the transportation systems and these
3:29 am
economic pieces; we haven't seen anything yet. this is the normal course of a low intensity conflict. the next stage is coordination. when coordination occurs people will get worried and scared, and a plan is completely required. what we should be doing is learning from these types of discussion points to get ahead of the curve and make this plan. if we say we're in the cyber war era, it looks like low intensity conflict and we have a power void because nobody is controlling what's going on, maybe we need to come up with some assumptions about how we got here. why is security so bad? you can borrow economic principles to understand that. it's pretty easy. the question was asked, why don't the manufacturers share in the liability? because bill gates' dad was an
3:30 am
attorney, and a very smart attorney. every time you load software and hit an okay button you basically take the liability and shift it over to you or your company; you do that. it makes total sense that we have so many security holes because the economic incentive is not with the manufacturer of these products. a part of what steve was talking about, while i disagree with him, i understand how he got to those notions. you can't fix the problems so all we have is offense. we can fix the problem. the defensive problem is fixable. like any problem, we have to be able to quantify it. we can't measure the problem and don't know whether it's improving or getting worse. we don't know how to compare one technology against another technology. what is the security of this
3:31 am
industry? what is the baseline? we don't have any of those metrics right now. one of the technologies that maybe won't shift liability back to the manufacturers, and people's purchasing habits, once they learn one operating system scores a 3 and the other a 4 in security. it allows economic principles to take the security responsibility and allow the consumers and purchasing managers to buy more secure stuff. once we know how to measure it, and that technology is in existence now, we can say, all right, we will change the evolutionary path of technology, because it's not good to say i have a firewall and antivirus and an intrusion detection system. what will happen is you will say your security is a 3. you may have all those things but those things aren't
3:32 am
basically raising your level of security. the technology called qsm, one of our company's products that we worked on at george mason university, helps solve this by changing the liability landscape and allowing the security level to flow back into technology. we look at these problems, there's an okay button. that okay button sure did a lot. yes, it did. a lot of things did a lot to technology. moore's law, for example: every two years a chip gets twice as fast. there hasn't been any interesting profound observational laws even, right? if we have this 20 year negative trend, threats keep going higher and higher, now at an increasing point, we can get ahead of that by two years if we have the
3:33 am
ability to measure technology security and we start to use america's creativity and production force and harness the country's resources on a technology basis for full security. we can come up with the ravage law and say if america stays two years ahead on security, then we're basically going to hit an inflection point where that trend starts to go down. as long as we stay two years ahead we're heading in the right trajectory for defensive security. in this american cyber action plan, say 85% of resources, or some number: 85% is defense and the rest offense. we have to come up with those measures and metrics and coordinate as a country to utilize our resources to win. we're america, we own the technology market still. we may not own the manufacturing
3:34 am
base, but they're still our ideas. why do you think they're stealing our ip? we're ahead. let's use the things america can take to market, and our vulnerability is the fact we're connected, right? that's also our greatest strength. if we harness what put us here and look at it in a different way, i think we can make an improvement on the defensive side and the offensive side. if we start thinking of the problem like a low intensity conflict, we can beat cyber insurgencies, which is basically what is happening. we have a banking industry surge to take the fight back to them and create those deterrent portions. it's not going to be a police type of effort because there's no laws being enforced and the ability to basically bring someone to justice is very difficult. it will look like a low intensity conflict cyber war
3:35 am
environment. anyway, my time is up. thank you. >> thank you, mark. before we go to the questions, i wanted to mention that when we started this project, we really wanted to create a larger group of people that are interested in this topic and that take different pieces of the research on to move it forward. we never wanted it to be that this is the be-all and end-all. there's a lot to go forward on this. one of the things i think this panel and the last one really showcased are the needed kinds of places where policy and new technologies come to bear. hudson institute's co-founder, herman kahn, wrote the six desirable characteristics of a deterrent. a deterrent to be successful must be frightening, inexorable,
3:36 am
persuasive, cheap, non-accident-prone and controllable. if we even start with those six things, you can imagine having the policymakers, war fighters and technologists around a table saying here's the problem, how do we create a deterrent that rests with sound policy, doctrine and the technologies to be able to do what kahn recommended; i think we would really move this conversation ahead. yeah. wait one second. >> fdd center on illicit finance. great thought-provoking panels. there was something said on the first panel that provoked a question i think is appropriate for you all, which was the reference to us losing the space race. president kennedy decades ago
3:37 am
set the goal in terms of the goalposts. the undercurrent was our competition with the soviet union and the tremendous threat that was there. over that decade he really galvanized the country with this goal, inspiring and very positive. if we were to look at the cyber war, the cyber race, what would be the goal or goalposts? is there a way to galvanize this next generation of young people and others within our society to target a specific goal so we could win the cyber race which we're losing? >> do you want to take this first? >> that's an analogy often drawn. it's problematic. with a space race, there's clearly defined goalposts as to progress, sending a man to the moon and a device to mars. the problem -- defined
3:38 am
goalposts. there are the kind of cyber problems that exist on machines in networks and, as chairman rogers mentioned to the previous panel, anthropological problems. one of the things that tends to be a distracter in the cyber debate is overemphasis on technology inventions. there is a human dimension. all security problems are human problems. looking at statistics of the type of compromises that occur: somebody opens an e-mail or attachment, all hell breaks loose. we don't design software and networks for machines, we design them for ourselves. where we could possibly direct one area of research actually is to say that we should stop blaming the human because we are human. we should be able to open up a
3:39 am
link or attachment or go to a site without trembling in mortal fear it will compromise the entire enterprise. whereas i think there's going to be a much more diffuse kind of agenda for the cyber problem, i think there are some problems that could still be very ambitiously stated, like the problems of a space race, too; that's one and i'm sure there are others. >> i would add to this, maybe too simplistic. when it comes to cyber, the notion of winning we're cautious about. we don't actually want to win in cyber, we want to survive. in historical terms we invent the cannonball. we don't want to win using the cannonball, we want to survive if the other side gets one. invent missiles. you don't want to win, create missile defense shields in case
3:40 am
the other side develops bigger missiles than we have. there seems to be hesitation when it comes to cyber. i sense it in the language. the goal should be we will win this cyber war and any country that launches a cyber attack against us will be met with fearsome retaliation. i don't know what we will do against the chinese because of opm. no idea. i don't hear in the rhetoric of the president a commitment to actually win. i think we need to send a message: we're the united states of america and whether you hit us with cannonballs or missiles or cyber attacks our goal is to win the cyber war as we won, i think, in missiles and won in cannonballs. it's a commitment at that level before we get into exactly how we do it on a technical level and how we reorient the u.s. government on an institutional
3:41 am
level in order to do so. >> mark. >> i also think there's measurable goalposts along the way. for example, when we hit this turning point and the 20 year trend ticks down, what is going to actually happen? if we say what will happen on the pla side or china side, unit 61398, all of a sudden all the millions of agents they're watching on their screens and monitoring go dark. that's actionable. when that happens you know what we will see? we will see that unit freak out. we will see them go back to the drawing board and work day in and day out and send minions out to reappoint new types of agents, and we have to stay two years ahead. if we can stay two years ahead the effects are dramatic. what we've done is stayed
3:42 am
complacent and let all these agents and things and supply chain infections permeate everything. we're saying all right, when the turning point hits, how will you know? that unit, the biggest unit in the world right now, basically one unit against us, their agents go dark. we will see actions because of it. i think we can measure the number of cyber events that occur and the amount of money stolen from a bank or credit card. i think we can come up with measurable are-we-winning metrics. >> here's just a quick addition to that. here's an indication of how you're losing. i was reading through the iran deal the other day and every day it's a new surprise. my yikes moment of last week is i discovered that the united states and our allies, we commit to protecting the iranian nuclear program against
3:43 am
sabotage. okay? so in effect what we're saying is we're going to protect the iranian regime's nuclear program against the ability of the united states, israel and other allies to use cyber offensive weapons against iran's nuclear program. regardless of what happens with that nuclear program in ten years, 15 years time, it will be of industrial scale with near zero breakout and sneakout. they'll have an icbm and a powerful economy and even then we'll commit to defend their nuclear program against cyber sabotage. so that's not the shot to the moon. that's not a commitment to winning. we're going to harden the adversary's cyber defenses. >> sir? >> my name is rich willhelm. i ran all of our business with the intelligence agencies. but 20 years ago i had a job similar to yours on vice president gore's staff,
3:44 am
samantha, where we did round one of all of this. we are so much farther ahead now. but i'm struck by one thing. yes, we are much farther ahead. we understand the threat a lot better; there's a lot more technology out there. but i'm struck by how little progress we've made in solving the central policy issues that will be required to actually move ahead. and, you know, my thinking over the years, i think, has matured somewhat, and it seems to me that we're essentially trying to solve a problem where boundaries don't count on a legal, policy, organizational and bureaucratic framework where boundaries really do count. and i'm not just talking about geographic boundaries. i'm talking about the difference between private and public sector responsibilities, between domestic and foreign, you know, if you look at the intelligence
3:45 am
community. and we need some new framework. what -- this is a question really for you, mark. you talked about -- i mean the government response has been to create new organizations but not fundamentally alter the existing boundaries that exist in law for our existing agencies. what do you think the likelihood is that we can solve that problem over the long run and that there is a new paradigm that will emerge so that -- so that the interfaces between the various agencies operate a hell of a lot more smoothly than they do right now? >> right. thank you for that question and for your service on these issues. i would say that i'm somewhat optimistic. i have seen it from the outside on the offensive side. i think we've done a pretty good
3:46 am
job. a lot of credit to juan and the folks at the office of terrorism and financial intelligence at treasury. who ever heard of tfi or ofac 15 years ago? i hadn't. i'm sure lots of folks in this room hadn't. but what juan and his colleagues did at tfi is they took institutions and agencies in the u.s. treasury department and they turned them on offense. i think that was a really remarkable job, not just leveraging government but leveraging markets. the real secret sauce of our financial coercion on offense was not what we did to governments. it's what companies and financial institutions did in changing their risk/reward assessment with respect to doing business with rogue regimes or terrorist organizations, and giving them a choice: can you do business with our $17 trillion economy or iran's $350 billion economy?
3:47 am
if you do business with their $350 billion economy you're going to be doing business with the revolutionary guards and a number of very bad actors who are engaged in a range of illicit financial activity. they played a significant role. i would say it's been a very successful program. i'm obviously very skeptical about whether we actually use those incredible resources and achievements towards the right diplomatic ends. but at the end of the day, we certainly honed the instruments, and our paper tries to look at it from the other point of view. now with those instruments honed on offense and other countries and adversaries using the same powers, how can we reorient the government to start thinking about putting up a defensive economic shield? we started to make moves on the side where we have cyber command. i'm learning about the deficiencies we've got in that area. but from an economic warfare perspective, the folks at tfi
3:48 am
don't have the time to actually think through defensive shields, which is why an office of policy planning is useful. it will be useful to have that director at the nsc. i think it has all the powers to work at an interagency level to actually think through, on the cyber side and on the traditional economic warfare side, how do we defend the united states? and i'll end with this. here's a good news story to me. the state of south carolina just passed legislation. and the legislation simply says that any country that actually uses economic warfare against one of our allies will be denied federal -- state grants from south carolina, and that the state pension fund of south carolina will have to divest from any companies engaged in economic warfare. that's interesting. that's at the state level. it's the state of south carolina. it's effectively saying you use economic warfare against the united states or our allies,
3:49 am
don't come do business in the state of south carolina. and you're starting to see this spread across the country. illinois just did something similar and other states are contemplating it. this could be created at the federal level through executive orders, legislation and creating a defensive economic architecture led by the same people who have been so successful on offense. >> that's great. and we'll take one last question. and just so that you political scientists or ir theorists don't think that there isn't a place for you in this robust debate moving forward, and just a place for economists and technologists, we need a better understanding of how the different adversaries view their strategy towards us. right? there is absolutely no reason to think that what is in -- what the russians are doing or how they're organizing is in any way similar to what the chinese are
3:50 am
doing or the iranians are doing or the north koreans are doing. so an understanding of those states is a must in this piece, and one telling point on this is that in the weeks before the sony hack, the north koreans were speaking out at every opportunity they had, screaming that the movie that sony -- that sony was going to release, the interview, was a threat to north korea. right? so the north korea watchers, you know, knew that the north koreans may possibly be gearing up to take action, retaliatory action. of course, when the sony hack hit, they were the first ones to say, you know, look over at pyongyang. all right. all right, question, sir? >> dr. shea used the phrase
3:51 am
cryptographically sound. it reminded one that there are parts of the u.s. government that are using cryptographically sound practices. and any technology that you have, the guy will get in a year or two afterwards. what you show is possible. any comments? >> i should preface all this by saying today i'm speaking as an individual and not as a representative of either my agency, department or the u.s. government at large. but i think i should also preface or append to my earlier comments that i'm essentially talking about things that still live very much in the research space. and so obviously cryptography means a lot of different things.
3:52 am
secure multiparty computation, so on and so forth. and so when i use terms like security in this cryptographic context, the word should be provable security, in the sense that we can quantify how much security we're getting given certain settings. i think that is a more accurate way to characterize that. >> well, that's wonderful. i think with that i'm going to wrap up unless you have one last statement? okay. all right. i thank you so much. and stay tuned for the synopsis of this seminar and the survey results. again, i encourage you all to take it if you haven't. it's fast and anonymous. thank you again.
3:53 am
>> the senate homeland security and governmental affairs committee is holding a hearing on the prison system and the challenges it faces.
3:54 am
the witnesses will include justice department inspector general michael horowitz and federal bureau of prisons director charles samuels. that's live at 10:00 a.m. eastern on c-span. and here on c-span3, we'll have a hearing that looks at foster care issues with advocates and state government officials. that's being held by the senate finance committee. live coverage beginning at 10:00 a.m. eastern. next, a look at how medicare is working 50 years after being signed into law by president lyndon johnson. this is from washington journal. it's an hour. >> in july medicare marked its 50th anniversary. here to discuss that, gail wilensky, who served from 1990 to 1992, and dr. robert berenson, who served from 2000 to 2001.
3:55 am
thank you both for being here. i want to show viewers and you what president lyndon johnson had to say 50 years ago when he signed this legislation into law. take a look. >> there are more than 18 million americans over the age of 65. most of them have low income. most of them are threatened by illness and medical expenses that they cannot afford. through this new law, mr. president, every citizen will be able, in his productive years when he's earning, to insure himself against illness in his old age. this insurance will help pay for care in hospitals and nursing homes or in the home. and under a separate plan it will help meet the fees of the doctors. now here's how the plan will affect you. during your working years, the people of america, you will contribute to the social security program a total amount
3:56 am
each pay day for hospital insurance protection. for example, the average worker in 1966 will contribute about $1.50 per month. the employer will contribute about a similar amount. and this will provide the funds to pay up to 90 days of hospital care for each illness plus diagnostic care and up to 100 home health visits after you're 65. and beginning in 1967 you'll also be covered for up to 100 days of care in a nursing home after a period of hospital care. under a separate plan the congress originated itself in its own good judgment, you may be covered for medical and surgical fees whether you're in or out of the hospital. you'll pay $3 per month after you're 65. your government will contribute an equal amount.
3:57 am
the benefits under this law are as varied and broad as the marvelous modern medicine itself. >> president lyndon johnson on july 30th, 1965, signing medicare into law. here to discuss it, two former administrators of the program. gail wilensky, is medicare working like president johnson explained there? >> in general, yes. medicare was designed to meet a very important need for the older population of america, that is, to make sure they have access to insurance coverage and physicians, something that was a challenge to most seniors; even those that were not low income had a good deal of trouble getting insurance. of course, it changed a lot. coverage broadened. we have 55 million people on medicare now, almost 10 million of whom are disabled and under 65. so it's broader in that way.
3:58 am
preventative services, many of them, are now covered. prescription drug coverage was added. >> part d. >> part d, in 2003 through legislation. and the financing, of course, has changed significantly. but the need that medicare was designed to respond to, making sure that seniors would have access to care, has indeed been there. >> i agree with gail. i'll add a couple of other items. one is that health care delivery has changed dramatically since lyndon johnson gave that speech. in those days, most people got their care in hospitals by physicians. over the years, there's been a great need for a whole bunch of new sources of care, new kinds of providers, skilled nursing facilities, hospice. all of that has been added to medicare. it creates a challenge to
3:59 am
reorient the program. i think the program met the challenges. it evolved a lot over the last 30 years with new payment models, new delivery, and the current focus is to address quality. quality has not been as good as it should be, in u.s. health care generally and medicare specifically. and the program is taking some steps to try to address that. >> well, we want our viewers to weigh in on this conversation. this is how we divided the lines. if you're a medicare beneficiary -- let me ask both of you this. how would you fix it? >> well, you asked the first question, did it meet the directive that president johnson laid out? yes, in terms of providing pretty ready access. as health care is evolving
4:00 am
significantly, they reference some of the focus not just on quality, a very important issue, but on value. i'm an economist, so i worry about that as well. the delivery system has changed a lot. medicare has been a bit slow in that area. it's somewhat joining the movement in terms of trying to promote value and better quality. physicians are expressing less frustration than they had been because the law was passed in april. it is not perfect but it solved a very frustrating problem for many physicians, which is not knowing what would happen to their fees every january, with threats of reductions as high as 31%, although they never happened. but even more dysfunctional in the sense that it didn't