nick cybersecurity and threats in a digital landscape. the council on foreign relations hosted this one hour event.

>> all right. good afternoon, everyone. thanks for joining us. i have the pleasure of presiding over this conversation about diplomacy and deterrence. and we are going to get started today by having our panelists introduce themselves. my name is camille stewart, i'm the global head of private security strategy at google, where i said at the intersection of our product security teams and our central security team and i have worked across for government and private sector on cyber security issues for a number of years. >> i'm emily harding. i am the deputy director of the international security program at the center for strategic and international studies, which is a very long title. it just means that i get to oversee the work of about 50 scholars doing tremendous work in intelligence, defense, and tech policy.

before that i spent almost two decades working in the federal government, both in the senate and senate intelligence committee, and then in the intelligence community, and a couple of years at the white house. >> i john hultquist. i'm from [inaudible] intelligent of this shop. we look at threats, you know, all over the world, using response, you know, a dozen different ways to sort of collect this data and bring it back to, you know, one centralized intelligence hub, where we are sort of developing intelligence on threats around the world. i've been with various versions of nearly 4:12. years before that i was with that with the eye and diplomatic security at stake, mostly looking at the russian threat. >> right. max. you next? >> my name is max smeets. i'm a senior researcher at the age of [inaudible] 60 studies and also direct the european cyber conflict

research initiative. >> wonderful. as you can see, we've got a great panel ahead and what i'm actually going to do is have each of them give about a two-minute overview on their thoughts on diplomacy and deterrence in this space and we'll use that as the foundation for a conversation. anybody want to get started? >> sure, i'll get started. so it's interesting and very broad topic. i think you need to take it back to basics when you are speaking about operations in the cyber domain. right now there's no common lexicon, no real norms and understandings. my colleague, jim lewis, and csis, has done really tremendous work on international increments around cybersecurity and cyber issues. but those have yet to really gel into a broad set of norms that govern work inside don't mean. there's no eth agreement on what is cybercrime, much to suppress but, what is a cyberattack, what is cyber war. you have politicians who sometimes understand the support mean and sometimes really don't confuse just really really relative its, an

act of war. well it? what does that really mean if it is? so, given that, why is it so hard? why is it difficult? it really is a combination of things. you know, when you're thinking about something that's a game changing technology, sneakers in afghanistan, hypersonic weapons, nuclear weapons. those all came with a debate around what norms govern them and how they should be used, what is a report proportional response. we haven't really gotten there yet in the cyber domain. and it's partially it's, a combination of two things. the speed of attribution is a very difficult in this domain. and john can talk effectively about this he's done tremendous work in this field. there's also, as sort of a partner that, the ease of deniability. actors have proven themselves really adept at staying arms length removed from any kind of cyber activity that they don't want to claim, and reclaiming it when they do. and that combination of things make it makes it very challenging for policymakers,

people you, know his, started at the embassy like that, it big decisions about what to do to respond to a cyberattack, to a cyber operation. what does this mean and how do we react to it? it also means that it prevents the threat that is a core of deterrence. and that is a quick and a decisive response to an activity. if you can't attributed quickly and if you don't have a set of policy options ready to go it's very difficult to put something on the shelf and respond to beautifully and does send a message or deter future action. i can talk about this a lot more later, but in the 2016 election interference that we saw the russians do when we were studying this on the senate intelligence committee, results play outdated excruciating detail with the obama ministration and really i have all the subpoenas in the world for them. they were in what they saw is a totally unprecedented situation. and they were under attack but they could not say with 100 percent certainty from who and what that meant. and that delay in attribution, that anybody to put something

off the shelf and immediately deployed, had nearly disastrous consequences. that's something we can't afford to do four years, five years, six years later. it's time to actually get that settled and move forward. i think that we will get better, we will get faster. you know, folks like john, who are doing this work, are already making tremendous strides in that attribution piece, in trying to get to a place where we can act quickly. i think that's a really solid story to be told right now about ukraine that is really just sort of approaching a. so i have hope for the future. it's just that right now i think that we still need to really wrap our heads around this as an issue. >> thank you. john? >> i've been asked, nothing for the last, you know, for, is it for months now? [laughter] since, you know christmas or the beginning of the year, what's the likelihood of an incident against against nato allies or against the united states? and i think you, know, and these usually turn into

good-natured arguments but there is a question of whether or not an attack or 80 cyberattack against the united states would be crossing me a major red line, and i've argued that it doesn't cross a major red line, that the one thing that i think -- one of the most important things we have to sort of keep in mind we, are talking about cyberattacks. and when i say cyberattacks what i'm talking about disruptive, destructive stuff. everything from hitting an industrial control system not [inaudible] widespread destructive event. but the workday keeps rolling around is limited, right? those incidents? we've seen many of them already. we are largely limited, right? they didn't take a society and bring it to is the and they didn't bring in an economy to a major halt.

there are survival. we will get -- you know, we will, you know, a problem for society this already experienced covid-19, you know, allowing the effects a lot of the effects may not necessarily register. the reason he's accurate actress carry out these incidents is not to bring society to their needs. i don't think they have. any question -- there's any major question of the prospects of turning out the power for three hours at a time is really going to have that effect. they do it for the sort of psychological effects. they do to undermine institutions, right? they do it to undermine your sense of security, essential particularly, you know, places like ukraine, they believe that the system is safe in the united states, in 2016. they do it to undermine our elections, right? we had actors in systems where they could conceivably make some edits or changes to the

system or maybe alter some things. but really, they weren't going to change the election. and i don't think they had any you -- know the, ground level there, they have no -- they don't expect to do that. what they expect to do though is to change our reliance on those elections and our belief that those elections were secure. it's always about undermining our institutions. so there is a real -- i think that the real important watch word here is limited, right? and that place to rolls, though. it's good news somewhat, but it also means that this is a great tool. because you can conceivably use it without starting world war iii. you can carry out attacks that don't bring society to its knees, and conceivably get away with it. and historically,, you know the attacks that we have seen,

these actors kind of got away with, it right? it took years in most cases for us to even accuse them of doing it. the olympics, i talk about the olympics all the time. [inaudible] but the gru who i was talking about earlier, attacked -- they tried to take the opening ceremonies off line. this was an attack on the entire international community. it took us four years before we even bother to blame them. i mean, there's no hope for deterrence in a situation -- in a scenario where we don't even blame the actors for four years, right? and that is an incident that affected literally everybody in the international community. so i think that these actors recognize that they can get away with this type of activity and that's what makes it such a good option for them. they are looking for those psychological, those sort of psychological effect. that's what they really want to do. they want to undermine our resolve, particularly in ukraine.

they want to undermine our elections elsewhere, they want to undermine our sense of security. >> right, thank you. max, you want to talk to us a little bit about nick? >> yeah, so these are already great points that are mentioned, and i thought about the olympics and realized that there's an obvious connection here because within lincoln destroy many want to be totally convinced that it was russia, right john? and you'll know a lot more about. that but yeah, i wanted to take the conversation a bit towards a the nato alliance and. here's the main takeaway. it's that whilst we have seen a convergence amongst alliance in two allies in terms of the need to develop a cyber posture we actually have seen a divergence in what's this posture should look like, and particular offensive cyber and the role of the military. and let me talk 30 seconds about these three key components of what we can see as a cyber posture. capabilities, tragedy, and the legal understanding. so on the capability side what we have seen since 2017 is now

at the majority of nato members have established a military cyber command with some type of ascent offensive mandate. but the difference in operational capacity today's enormous. so whereas you have of course, particular on one side, the u.s., and several others have really put the resources into operational operationalize-ing this amount, the majority of nato advice still have commands operating on a budget of a couple of million dollars. it's enough to be at least officially part of the cyber club but certainly enough not enough to operate effectively in the stomach. and the second one, around strategy, yes, of course, all of the countries have established a cyber strategy and particularly a defensive cyber strategy and have updated this repeatedly. also they have, from 2018, we have seen some significant differences emerging, right, with the u.s. developing

developing a substantive [inaudible] position of engagement, and the [inaudible] strategy of defend forward with a focus of operating [inaudible] seamlessly and also recognizing this activity below the threshold of armed attract but still can be strategically meaningful, but that the military side document has a role to play in potentially even conducting an [inaudible] operations in peacetime. that is not something that most of nato allies would be willing to do so and changes the perspective across the atlantic. and then the third one, which connects to this, is that what we've seen over the past three years is's countries articulating, not just saying, okay, international law applies, to which all allies agree, but how it applies. and we've seen a significant difference on the one hand the [inaudible] of sovereignty as a rule, with the netherlands and france, and on the other hand, uk, but say, you know, 70 doesn't apply in cyberspace. and last point here is that it's dangerous to argue that these differences between, in

the alliance, come from simply differences in richard. i think they're actually on a different policy path. and that requires, as a result of it, some real coordination. and maybe, and cooperation to, at least, bring these closer together. great points. well, let's just start with diplomacy. emily, you mentioned norms, you mentioned a lack of taxonomy, we've got work to do, right? where our nations currently succeeding and where are they falling short and what diplomatic efforts should we be focusing our tensions will be in [inaudible] the space. >> a pick one from each category. where we are really succeeding is the cooperation at the tactical level, the kind of thing that max mentioned with different levels of coordination. but it's happening. at the working level, people are sharing indicators, people are exercising together. right now, [inaudible]

shields to lock shelters going on, it's a big nato exercises, it's a big income incentives is going on at the same time as ukraine, but excellent timing. and that is how we win. the nato alliance, the sharing of knowledge, the hunt forward, the different 14th, this is how we are going to win in this dome in. so i think that's where things are going well. now, that level of tactical information sharing, tactical cooperation, really needs to be paired with a strategic discussion. and that is hard for lots of reasons. when i was on the hill, we were doing oversight of the government. people used to come in all the time in brief us, you can ball back every single briefing to towards the -- charge, admiral caroline. so i think that's true with this,. we are hard and we are working on it. but let me talk a little bit more about whiteout and why we still need to work on it. the hard piece, the people who need to have those strategic level discussions are swamped. they are staring at china. they are staring at russia and ukraine. they are staring at, you know, a whole host of global issues from supply chains to food shortages. sitting down and having a

strategic level abroad discussion about what the norm should be in cyberspace is like, yes, we should do that. that's about 15th on my list of priorities. we need to create the urgency before the urgency is created for us, and really have those discussions. the other piece of that i think is that a lot of these concepts are very fuzzy, and they are wrapped up in domestic values and national values -- here in the u.s., we have debates all the time about free speech and what can and cannot be regulated in cyberspace, given our first amendment rights. our european friends have very strong views on privacy and have implemented that in a whole host of different ways and that leads into this debate as well. so it's difficult, but if you can take it up a few levels -- my fridge to gordon always says that if he disagreed down here take it up a couple levels and get to a place where you agree, and that place where we agree is the norms and. devalues table and say we

where democratic countries can sit down at a table and say, we all agree that pfizer going to spy. that's something that will happen, but when you're engaged in operations that affect human life, that affects public safety, that is a different level of threat. and that is where we need to be building the norms in the guidelines. >> i'm so glad you brought up the point about being strategic, and the lack of backroom there. we have to prioritize that if we are going to make progress. because quite frankly, there will always be the next russia ukraine, the next ransomware attack, the next whatever. but if we're not making progress on these more strategic initiatives will never come to the consensus. so max tell me, can we get some norms, can we find consensus on nato? what work should we be doing? >> yeah max, fixed but if. get on.

it >> when we pick up on a point that titone made and that emily made as well. so on the norm side, just to give it potentially a different angle, yes we should think about websites. and i think that if we aren't how many people are sitting in the room but if everyone in the room could go up a couple of potential deadlines that we should do. no critical infrastructure, tax no attacking health, care all of those things. but there is a second question now as well. particularly in the u.s. considering its change in the perception, where it is argued rightly so i think, that activity below the threshold of armed attack can cumulatively still be strategic and meaningful. we one gigabyte of data being -- by the chinese is not a big deal, but doing this repeatedly is significant. the second question is what is not a red line? and that is actually a hard question to answer.

i've asked it in different rooms and really do i get a coherent response of what is off limits and what is allowed to be done. rarely is activity undertaken by an adversary that isn't strategic. but we've just argued that all strategic activity can, shouldn't be done. so there is a strange kind of norms question here that has emerged, and hasn't really resolved. the second point as i am sharing, and i think it's a great point that emily made, on the importance of. sharing in some ways we are doing this already. but equally i think we are not doing it enough. so we need at least kind of the allied context. we've got a couple different initiatives. the first one, most obviously, is the notion around sorry been cyber facts. we can sure to win, we can't share exactly what we're doing, how are operating, but at least we can collaborate on when we want to achieve second effects. and secondly what we can do, we can conduct these exercises

together such as -- . i think that's not enough. much more can be done in isn't an arena. and particularly that comes in the fiber in just an infrastructure side of things. i think that's where there's a space which is one, incredibly coffee for many countries just ambush, to do it well, and second where you see potential opportunities collaboration with the use of one country or one actor one training program doesn't necessarily reduce the effectiveness of another country to use it as well. so if i would make a push a recommendation, like what should i lives we have many years, they should have a i think even a billion dollars type arrange for the training of their operators, developers, some administrators, and other people are crucial for the workforce military side. and potentially intelligence agencies. >> great recommendation.

john, with all attacks intentionally below the line with the need for more collaboration and creating a cyber range, like max is talking about, and the dynamic of cybercriminals being leveraged aisles windshield to continue to block the attribution we are talking about earlier, how can we make some progress in the space. we should be focusing our attention some terms of deterrence. >> i think that that's a lot of good points. i think that we need to almost do the rankin stack of her problems. and they are not, they are going to change constantly. it will always be changing. but we've gotten lot of different problems in the space and i don't think we've really prioritized them. good example, there's the red summer prague alum. there's the problem. there's the espionage problem.

i personally think about the espionage problem our, no spies are gonna spies. it's probably the least wrestler shoe. i think that the ransomware problem is probably the most adjustable, the most addressable issue. and if you look at our vulnerability to that problem, it is fairly large. these actors are very. they are now getting a lot of critical infrastructure. we saw him in health care in the region days of kabul. covid there across a lot. of lines at the very least we were pushed back were not necessarily pushing those lines. the election problem is another good example. it's not solved. in fact the last election we

had we last major election we had we saw new players get into the mix so when the proud boys things happen is the russians did it. i couldn't say, that i didn't have any evidence whatsoever i just saw the here we are awaiting awaiting this is it. this is the play. it was the iranians, right. so it's not even just the russian problem. the problem is growing -- . i think we need to have a conversation about what problems we want to stop and start ranking them and going after them. i also feel like we already but would viaducts, that you got going to work. i think the ransomware problem is largely trustable and it is absolutely out of control. and financially costing us the most money. >> can i jump in on the point of the proud boys? i went through that same motion. there was a time around the

2018 elections and the 2020 elections when i just did not sleep. because there's too much to worry about. the proud boys, slash iranian problem, was i think disheartening in that we saw this new player burst onto the market in grad fashion. but in a large way was success jordan because the united states government and its allies, and that's a key point, had their eyes open for this kind of potential activity. the excellent books at dhs had done a lot of prep work, so much prepwork, to say to people, this is what is a normal election problems in this was more difficult election problems. something to be suspicious up. them in this activity was noticed, it was located, attributed, downgraded, and released. shockingly quickly. >> super, fastest shortly. fast >> it was in like 36 hours?

>> yeah. >> so this is a such as we all want to see it happen, this is actually a good news story. to access point by red lights, i'm not sure we are ready to do something to respond to the iranians and create deterrence for the next time around and that's where we need to do more work. >> i think that's a great reminder about our point about being strategic. and that prioritization the john talks about, the investment in attribution and getting things out there really quickly, are signs of that kind of coalescing around being more strategic and focusing their. how can we create actual consequences for the actor's? particularly those hiding behind criminal groups, and possible deniability, and are our current tools working? you said that this was a success story, and the iranian context but a successful wet?

and did we deter the behavior, we will reach a symbol to make attribution? how are sanctions, attribution, sunday minutes, all of those things actually moving us to a desired and? and i open that any. if you i opened this pandora's box. the iranian thing was a 60 story and that we were able to broadcast very quickly to the american people there is not these bad actors falsifying ballots all over the place. we can leave aside the question of the domestic issues in the 2020 election, but on the specific issue it was a success that it was a diffused. i would not call it a success in that there was a broader strategic policy response. you've got up several things there, the sanctions question, the indictments question,.

sanctions are great until they're not. there's really only so much you can do in a sanctions pack should package. a lot of the individuals that you might be targeting the sanctions don't really care there's ways that you can make life painful for a russian oligarch, for a heck of who's working ten levels down for the russian oligarch. it's much more difficult to create some actual dakota deterrent pain there. indictments, same thing. if this person really wants to come and visit their kids at college or take their kids to disney world in the u.s., then, you know, great. but trying to find them and arrest them, it's really much more of a message told on anything else. and i think, honestly, a tool of last resort. if you look at the way that doj and fbi operate, they are law enforcement officers, and what they want to do is build evidence and prosecute a crime, and that's just not a model that works effectively for these actors. it takes too long, it's too

slow, and then while they are building a case for prosecution, they can't take the information and share it. and that, honestly, is the most important piece. this is where i'm going to make a pitch for the private public collaboration, and the deep, deep importance of having the u.s. government and its entities and private sector operations that see this on a front line on a daily basis, doing all of the collaboration possible to try to go after this problem set. that's my sort of box. >> i think you hit it on almost all the points are going to make. as we go through, you know, as far as the election situation went, i think we got into a place where we are talking about, you know, capability intent, or i actually recently got into a conversation with somebody from another country who's dealing with a different affair, another, after a known

russian actor, and whether or not it was a question of capability i didn't intend. and right now, in the united states, we think russia's got capability, with russia is whether they haven't. and this other country, they said, this actor has got intent, but the capability is just, it's not really there. and the problem with sort of not being able to deter, right, is that when these actors have intent, you're going to run into these black swan events, right? they will hit again and again and again, and they will be incidents that people don't even read in the news, right? the problem is is that just with, because of the nature of technology, eventually, there will be a major black swan event, they will get through. so the defense -- which i would argue, i would argue your absolute absolutely correct -- the defense for the elections was fantastic, our response was

fantastic. but if they keep trying, eventually they are going to get through. they are going to have something that makes it on the news, that causes a division in the u.s. electorate. i mean, there's all kinds of potential outcomes here. and that's what happens, i think, with an actor who's almost there on capability, but definitely there on intent. we have that black swan event. and i think another great example, the pipeline incident we saw, right? we've been warning -- i saw for my colleagues, been warning, is coming, this is, coming is coming, it's coming, they're knocking over so many things. somebody is going to get hurt. something important is going to go to. it's just a matter of time. and so, i think if we can't figure out how to sort of approach the intent side, we are just talking about a matter of time before there's that black swan event. >> [inaudible] agree. max, anything on this one? >> yeah, just for all the talk that much about divergence from a nato ally stopper boston, the good thing here on the [inaudible] consequences is that we have

seen the real development in the eu, breaking up that they have to think of this as well. and so the u.s., like you know, with the cyber diplomacy tool box, with, like, at least a degree set of measures in place as to what can be undertaken to respond, it means that the u.s. is kind of not there alone anymore in thinking of how to impose costs. you can potentially do this even more effectively in a coordinated manner. and the second point is, and of course it also comes with the nature and the title of this panel, is that when we talk about imposing costs, we do quickly get into the deterrence mindset, and less into the mindset of how can we take the initiative away from our adversary, how can we make sure that we disrupt that activity. we are already, kind of, like in the second set step of, okay, after this is we've done, what can we do? but clear the second question here is as relevant as well and we've seen great strides in this domain, of course, over the past two, three years. >> right. so i'm going to open it up for

questions in just a minute. but i'm going to ask one more while you guys put your questions together. we've talked a lot about russia ukraine. there was a lot of talk about cyberattacks on the margins. it's a great illustration of if cyber capabilities continue to be leveraged, what will be the impact? who will bear the brunt of the back and forth, love the chip for chat, as folks grassroots ties cyber actors [inaudible] jump in and figure out how they play a role. what are we looking at? who's going to bear the brunt? and who will be playing in this space, and have that impact [inaudible] ? >> it's all talk about limitations. i think i've got to be clear. from a societal aspect, we are going to be fine when it comes to all of this. there are a lot, you know, we made it through covid-19, right? there are a lot of businesses in my neighborhood who are out of business. so, i mean, you know, all

together, we are going to be fine. my customers, may take a real hit, right? and i think that's important to remember. the people who really are on the frontlines, are our private sector. and it's important to remember, when we start employing this capabilities, too. during one of these, sort of, little kerfuffles that we get into with iran every now and then, i think there was some news of, like, a cyberattack against their capabilities. and it's important to remember that iran is not going to retaliate against cyber command, right? they are going to retaliate against some random company in the united states. that's who is actually going to feel the burn from this stuff. so we have to keep that in mind, no matter what we do. >> yeah. i would agree. this question of who is a combatant is going to be the thorny question of the next few years. i am reading nicole pull-ups

about right now, which is really good, really thorough. i've loved it. to talk about my thoughts but the book. but one of the things that she outlines is the response inside google when they first saw a cyberattack coming from china and one of the quotes are priced says. who would've thought that elation state actor would be interested in google? how could we possibly have been expected to respond to a nation-state actor invading our territory? and that is a totally understandable perspective for somebody who was a start-up and then grew this massive company and then just never really had to think about it from a national security perspective no for someone who like me spent 20 years basically the intelligence committee, of course your [inaudible] [noise], come on! but that's the product of my training and my upbringing that i tend to think of this way and they don't. so bringing these two sides together to collaborate to cooperate and to try and share

information is going to be absolutely critical. and i think american companies, european companies, really thinking through whether they are going to be counted as a combatant not by the u.s. government by our but by our absolute adversaries, is a real challenge. the folks in the second branch right now, the jen and chris and and triumvirate have done a really phenomenal job pulling to get to jcdc and the collaboration between the private sector and the government. it's an initial step that needs to be built on. when you look at china and the way that they think about what is government versus what is private sector, that is not a distinction for them. they see government, and they see those who helped the government when we ask them to. in russia, there's also really not a distinction between the oligarchs and the government. there's the government and then there are all these tools of government that i can draw on

whenever i want to because they know where their bread is buttered. when we look at our adversaries and we say, no, no, no, it's private sector they, they go, yeah, sure, of course. i think that thinking through who counts as a combatant, how they are going to be affected by this next round of potential warfare is going to be really challenging. and this, i think, we can talk about this during the q&a a little bit more, but this question of red lines and escalations, i think that's where it gets really thorny. because if google gets hit, what does that mean for escalation? of course the private sector will bear the it will be the most salient cost in case of some type of retaliation. just to add maybe one point here, we often hear about this question being raised, will

putin potentially conduct a cyber operation against the west. we should have our shields up of course. but it's not just putin, right and i think that we sometimes overestimate the amount of control that the russian government has over such a wide set of criminal groups, and other hacktivists groups that are operating in russia. and you know as an academic and moved one of the most famous variance to understand these relationships is the post-principal agent theory. we're normally would argue that the principle has the least control over the age and in case there is inflammation asymmetries. and these are enormous here in terms of the asymmetry information that these criminals have in terms of targeting what they are capable of, who do you want to target. which seems to suggest that agency is lacking is very high. the risk that these groups might be operating in favor of russia but not completely in

control is significant and it increases the risk of i think more of a -- scenario. last kind of critical infrastructure attacks directly on the u.s. but certainly more consequential collaborative collateral damage type of attacks through ransomware or self propagating malware. i think the thing is clear from the base we have been a bit strategic isn't that collaboration between public and private sectors. and that is really important. i'm interested to see how that continues to evolve between the cdc, and the safety review board, and some of the other mechanisms that are deployed as of late. do we have any questions? >> virtual questions. first >> i will take our first virtual question from wherein

hail. . miss hale, please go ahead. we will take a virtual question from adam segel. >> yeah, hello everybody. thank you very much for doing the panel and i'm sorry gonna be there with you in person. i think that this question is for the others can push amid some sean. max it seems that in the u.s. the kind of degree about the persistent escalatory is over. and people believing that it is not. so i wonder if there is a different perception of that among the nato allies that you spoke of, and if there is within nato any differences on that view? >> yeah that is a good question. i think it is actually the

discussion, the one of which -- . i think it's less of a less escalatory, but the question is much more of a legal one. like should the military be allowed to operate in peacetime, potentially do this globally. but it's in the relationship with intelligence. it is that question in particular that is holding many particularly continental european countries back in developing a similar posture. it's less of an escalation question and more of the legal bureaucratic question that is constantly race right now. . >> think, you may miss aaron bakr, i work for the new color throwed initiative. i wanted to first make a comment year range order list of priorities. i would love to add operational technology and military systems

there. sometimes i think we have a lot of conversation about the i.t. side, and maybe not him enough about the ot. but my question is to what extent do we really need to solve, or pay attention, not only to the attribution conundrum but also to signaling in the space, relative to escalation management? we have other technologies, for which globally there's some sort of recognition for what the movement of a bomber implies, or other types of maneuvers, or both the military from the leadership side. is it possible to build clarity around with sort of cyber actions signal, and do we need to be working on that? i think the best example of cyber signaling that i've seen are sort of our read on the acts stations of an actor that

is publicly called. they're called berserk, where dragon, vie they have the sister of getting into the u.s.. they are fsb related. so russia's, sort of their internal security services that they have at -- mission. but anyway they for a decade have been digging into u.s. critical infrastructure and we look at it two ways. one are the sort of digging in for that moment when they need to be ready for the contingency. the other thing is are they digging into signal to us that they are digging in. that they are there, in case they need to be. and i think that is probably one of the best examples in of the signaling that have seen in this space. because it is holding real capability, a real infrastructure under threat. i will be interested and if there are other examples. >> yeah, so -- go ahead. max >> now i think you can

speak more to this emily, but it reminds me of a sea of our plot posed by jake healy that not that it's the charms the u.s. wants but, some great quotes from ben rhodes around the presidential election. we're supposedly some of the u.s. -- options were taken off the table because of concerns of the fsb in particular being u.s. critical infrastructure. i don't know if that is true, but it is a fascinating case in terms of signaling, and supposedly whether the -- works or not, at least there might be one case where. but not in the way that we wanted to. >> but you may know more about, that. emily >> i might. so i'm gonna bring the plug here for anybody who wants to read the senate intelligence 2016 election interference report, because we go into that a bit. so this is one of the problems with the obama administration response in 2016. by the time they understood

somewhat the extent of what the russians are up to, they had very limited time before the election, and they had very limited prepared options. the other thing, it is easy now, and it was easy-ish in 2017 2018, to look back on the complete package of information and say, likely they should have known this. well when you're in the fog of, or when information is coming out, you if he's under time, day after day. it is a lot more difficult to make sense of a very foggy picture. but again, that is a reason why we have to be strategic now. we have to be thinking forward now. i wanted to make a point about the signaling question that you asked, which i love coming from a new color scholar. new color scholars have spent decades talking about very precise signaling options and deterrence theory, and how these things work together. and i think that folks working in the cyber domain have a lot to learn from that scholarships. i think we need to be very

careful about making comparisons, though. because it is just a totally different set of tools. in the cyber domain is still so young that no one has figured that out again. in nukes, there is this finally tuned you know, the signals, this this is code for this. in cyber does, like nobody really knows what any of this means yet. and part of the big problem is that a lot of the tools have dual use. if you implant a tool in some of the system, that could be used for espionage, it could be used for destruction, and you don't know. this kid's to john's point about intended capability. maybe the adversary have the capability to implant this junior network, what's? downtown are the russians fair to spy on a potential new administration, are they there to tank confidence in the election? it is really not wise to sit back and wait to see which one it is. >> there are two crews in the

dnc. one is tearing, you and the others as we are on the suv are as our kind of spies being spies. >> the gru on the other hand, some men just want to watch the whole world burn. >> yeah! >> next question, yes? >> thanks. steve around which, gw law school. so we've heard a lot on the panel this morning and this afternoon about collaboration, public and private collaboration. but i was a little surprised when i heard earlier the question what is the u.s. government response to an attack on google? i would have thought that's the whole role of the u.s. government, to defend the public, including the u.s. companies. so, i'm wondering, i mean, do we expect google to have its own international policy and

international capability to defend itself? i would think that. i don't think that we are trying to have a google take international military or cyber action. we might be happy with google having a very activist environmental policy, or military, or cyber policy [inaudible] . so it has to be, i assume, the u.s. government that's going to defend google. and so i'm wondering, are we doing enough as a government to defend and help our leading technical, technology champions in the united states if they're vulnerable? and i guess they are vulnerable. if the u.s. government doing enough to save them? >> oh, steve, i could go on like a 20 been tear about this but. i'm not going to, because i think of live questions. just the short answer of the question are we doing enough? no. the longer answer to the question, though, is what's

appropriate? and i think this is what you are really getting at with your question. when sony pictures was hacked, don't, those many years ago, that initially was a hands off response by the u.s. government until it became clear that it was the north koreans trying to silence free speech and. then the white house got involved. but still, i mean, was the fbi responsible for what happened at sony? there was no way that sony would have let the fbi into their systems ahead of the attacks if the fbi could have prevented it. not the fbi's job. there are fence, they're the ones supposed to be defending after the fact, finding the criminals and prosecuting them. that doesn't really work. the u.s. doesn't have a domestic spy agency. we don't have an mi5. the fbi is very poorly suited to the mission of trying to defend in advance this kind of cyberattack. your question about google here. would we defend google? okay, so let's say we defend

google. are we defending the separate start-up that has five employees and didn't pay any attention to security? are we responsible for that? how are we defending them? i mean, these -- i asked these questions knowing full well that i don't have the answer. i don't think anybody does right now. trying to find the right line between a business, executing its own business practices properly, doing the simple things it needs to do, [inaudible] to center our center authentication, the basic cyber [inaudible] it needs to do, and what point the government takes over as a response in a deterrent fashion. you can make a comparison to crime, which the fbi and local law enforcement is supposed to do, but that's after the fact, and the damage is done. you can make a comparison to national defense. we all pay taxes so we can buy aircraft carriers and, you know, f 20 twos. should the government be thinking that we in the cyber debate? and if they are, what does that imply for the goggles of the world venting the fence into their systems?

i can see the room cringing when i say that because everybody says, no, that's not the job of the u.s. government! so, what is the job? >> yeah. proactive defense is not likely to be the place where the u.s. government plays. i mean, cisa has a strong vision for voluntary support and how the small [inaudible] launch company brought up their defenses and be more proactive, implement the two-factor author authentication, all of the things. so i think it will continue to play in a voluntary space pre attack. what we have to figure out is how we would stand up as a u.s. g to support and organization depending on the severity of the attack, so sony, we decided that, you know, trying to attack free speech, which is a fundamental constitutional right, it's something that we wanted to come after. we need to do that strategic work that we talked about earlier, figure out what those lines are, and what's necessitates and what's the significant cyber incident that

the u.s. government would mobilize itself a route that happens in the private sector. but there is unlikely to be a moment where all of the u.s. companies open up their systems to let the u.s. government do something on the pro-fat proactive different side of things. >> meanwhile, there is mandiant. >> you know? honestly, we had an incident. again get into too many details, but i think we had a really strong, it could experience working with the government, as far as dealing with it. there were, there are clearly you, know, things that we're really good at. for instance, the [inaudible] response team [inaudible] the best instant responses on the face of the planned. we picked, their handpicked, a team of all stars. but we still need the u.s. government's hell and they were able to fill in a lot of gaps that may that may, and make the process easier and better.

>> which is [inaudible] proactive cooperation is so important. >> absolutely. >> the trust between the private chapter and the public sector is one that will get us further so that in the event of incident companies are pulling the government in early so they can enrich their data with the information that they have and vice versa and they could be [inaudible] that's why that collaboration [inaudible] proactively inconsistently is going to be so important. next question. >> thank you. hi, everyone, monica reese, microsoft. so earlier in the conversation, you all talked about the importance of strategic engagement and also information sharing in the context of international sovereign homes, or norms, red lines. so i'm curious how you all think about countries that don't necessarily have the capacity to engage strategically and to share information. how do you think about building that capacity, especially in the context of what is going on at the united nations as part of the open [inaudible] working group, the og, and the

fact that the previous report, essentially, was endorsed by many countries and reform the 11 forms that came out of the [inaudible] group. i'm curious how you guys think about sort, of building that capacity, beyond the countries that actually have it right now. thank you. >> >> so we have some experience working, working in areas that not necessarily have a lot of customers. but we still find value working there, because we learn a lot. and i think that's, that's one way, that's one way to sort of get the private sector involved in these, sort of, problems. some of the, some of the areas that are the front lines, can't necessarily afford the billion dollar -- million dollar, you know, security solutions, right? but they can offer a lot of great information, the leading edge of you, know a, lot of

threats have been in places that off track have historically been in places like india and taiwan and ukraine. . you know, in the middle east. and not every education, where, you know it was a customer relationship. you have to go in there and develop partners. and those partners, oftentimes, pay you back in the form of information that you used to secure your other customers. so there is value there. it's just not necessarily, you know, a normal sales process. >> yeah, you'll see companies investing that raise the collective level of cybersecurity so that we all benefit from it. on the usc side i, think that's an important question that we need to be focused. on the strategic investments and collaboration, the support that we provide now, will have a direct impact on the norms

discussion and the multilateral [inaudible] we are engaging in that will dictate how we engage in summer in the future. so it's a strategic imperative and part of that strategic conversation that needs to be happening, to be focused on how we engage with smaller nations and nations that are developing capabilities. so it's important. >> just to come in with one quick comment. i think it's a great question, monica, and what we really see is a, indeed, a capacity gap in terms of the common countries that are able to attribute and not able to attribute. where at least we have to get to the levels of those countries who are unable to attribute, and as a result of that, i'm very hesitant to follow the public attribution statements of of maybe their allies or other countries, get them to at least a capacity verify attribution claims. and that's a starting one. of course, that comes with a number of issues. one of which being that

attribution is not only the sherlock holmes type of process that particularly companies like mandiant are involved in, where you collected different puzzle pieces from, you know, where the c two is set up, all those kind of things, to come to a conclusion, is also a more proactive process sometimes. particularly by the mature actors being already in adversarial systems and [inaudible] going out. in the second place, you have a high-level attribution confidence but it's even harder to share with a wide number of other countries. but on the first, one yeah, i think getting you, know, microsoft, other companies, involved in trading programs to at least grandpa the capacity to verify would be a very good first step. >> another virtual question? >> we will take our next question from zaid zaid.

hi, zaid zaid from cloudflare. i have a question about companies that continue to operate in russia. there have been a number of articles, there's been a lot of attention paid to who's leaving, who's staying, etc. all they are winding down their services. cloudflare, as well as a number of other companies is still in russia and we provide internet security and we provide vpn services. and one of the things that are staying there has a lot of us to do, russians to do rather, is to get information from outside of russia but. there's also been the push to close russia down from the internet and i would love to hear how you all think about that. >> well, i tend to be in favor of keeping russia widely connected to the internet. infect throwing every pipeline of information you can in their. you know, this is a difficult question for so many companies.

chilly for not to leave. and if you leave what does that really mean for the long term? i've been from the beginning of this whole thing talking about how it's not going to be a short fight i. just don't see how it's going to be a short fight. and if as a company you can't be out of russia for more than six months or a year, then i think a very hard about pulling out now because what happens in a year when you have to go back in or else your business model count survive, what message are you sending than? i think there are lots of ways to support the ukrainian people and i think that if a company has to make their own decision here. i, for one, have been partially encouraged by seeing announce outpouring of support coming for you can come from the private sector. [inaudible] sections have done as much, good or more good, then what governments have done. they said a really strong message and i think the repercussions of the russian economy are going to reverberate for years i'd be very difficult to undo. so i think every company has to

make their own decision. and then you, know, do what you've got to do to explain that to your customers, your shareholders. but if the basic fundamental goal is to support the ukrainian people and then continue to speak truth inside russia, i think that's a noble goal. >> okay, without getting into the information flow, i think one of the really interesting things that happened really early that with regards to the sort of citizen sanctions is that we watched a lot of organizations, a lot of customers take very, like, clear, public stances on the war, including, you know, divestment [inaudible] from russia, and at one point we were like, okay, we need to, you know, figure out who these people are, and you know because they were sort of essentially putting themselves on a high risk profile and. they got to a point where it was impossible to track. i mean, bad news is like you,

know, i think you're sort of, you might consider, you raised your threat profile. the good news is so many people have done it now that i don't think it matters almost. like it's become -- >> sick in numbers -- >> so the safety in numbers. are you can really, if it had been one organization, you know really all the wrong i think we saw like some of the international game or sporting organizations for instance [inaudible] history of these sports organizations. putting love sports. it's like, a thing for him. we were kind of well read about it. but then everybody stand. it's so, i'm actually, it's sort of encouraged by the fact that there is the safety in numbers problem. >> yeah. >> yeah. the only thing alleges i know many of the companies have real physical security concerns if they evaluate this, and they want to protect their people. so they are weighing that as part of that strategic decision. and so it's it's definitely not -- i mean it's not a decision about complications.

and so they are probably wearing a number of factors as they determine what to do. >> yeah. >> and then the insider risk threat has just increased so enormously for the countries, a major concern. >> next question. oh i, think that it. well, thank you all for joining us for this discussion. the question from the audience where rich. the comments from the panel where rich. and so, i think we all have left with a mandate to be more strategic and collaborate with the government [laughs] and to be thinking long term so that we can get ahead of some of these issues. so thank you all for the time. a big thank you to the panelists, and ad [inaudible] for having us. [applause] [background noises]

testifying before the house financial services committee, treasury secretary janet yellen said the biden administration is committed to holding russia accountable, and is looking at additional economic sanctions. her testimony focused on the outlook for the global financial system. [inaudible conversations]