next, cyber security and threats in a digital landscape. the council on foreign relations hosted this one hour event.

>> all right. good afternoon, everyone. thanks for joining us. i have the pleasure of presiding over this conversation about diplomacy and deterrence. and we are going to get started today by having our panelists introduce themselves. my name is camille stewart, i'm the global head of private security strategy at google, where i sit at the intersection of our product

security teams and our central security team and i have worked across government and private sector on cyber security issues for a number of years. >> i'm emily harding. i am the deputy director of the international security program at the center for strategic and international studies, which is a very long title. it just means that i get to oversee the work of about 50 scholars doing tremendous work in intelligence, defense, and tech policy. before that i spent almost two decades working in the federal government, both in the senate and senate intelligence committee, and then in the intelligence community, and a couple of years at the white house. >> i john hultquist. i'm from mandiant intelligence analysis shop. we look at threats, you know, all over the world, using response, you know, a dozen different ways to sort of collect this data. we bring it back to, you know, one centralized intelligence hub, where we are sort of developing intelligence on threats around the world. i've been with

various versions of mandiant for about 12 years. before that i was with that with the eye and diplomatic security at stake, mostly looking at the russian threat. >> right. max. you next? >> my name is max smeets. i'm a senior researcher at eth zurich studies and also direct the european cyber conflict research initiative. >> wonderful. as you can see, we've got a great panel ahead and what i'm actually going to do is have each of them give about a two-minute overview on their thoughts on diplomacy and deterrence in this space and we'll use that as the foundation for a conversation. anybody want to get started? >> sure, i'll get started. so it's interesting and very broad topic. i think you need to take it back to basics when you are speaking about operations in the cyber domain. right now there's no common lexicon, no

real norms and understandings. my colleague, jim lewis, at csis, has done really tremendous work on international increments around cybersecurity and cyber issues. but those have yet to really gel into a broad set of norms that govern work in the cyber domain mean. there's no agreement on what is cybercrime, much to suppress but, what is a cyberattack, what is cyber war. you have politicians who sometimes understand the cyber domain and sometimes really don't calling it just really really relative its, an act of war. well it? what does that really mean if it is? so, given that, why is it so hard? why is it difficult? it really is a combination of things. you know, when you're thinking about something that's a game changing technology, sneakers in afghanistan, hypersonic weapons, nuclear weapons. those all came with a debate around what norms govern them and how they should be used, what is a proportional response. we haven't really gotten there yet in the cyber domain. and it's partially it's, a combination of two things. the speed of attribution is a very difficult in this domain. and john can

talk extensively about this he's done tremendous work in this field. there's also, as sort of a partner to that, the ease of deniability. actors have proven themselves really adept at staying arms length removed from any kind of cyber activity that they don't want to claim, and then claiming it when they do. and that combination of things make it makes it very challenging for policymakers, people who, you know, started at the embassy like that, it big decisions about what to do to respond to a cyberattack, to a cyber operation. what does this mean and how do we react to it? it also means that it prevents the threat that is a core of deterrence. and that is a quick and a decisive response to an activity. if you can't attribute it quickly and if you don't have a set of policy options ready to go it's very difficult to pull something on the shelf and respond

immediately and then send a message or deter future action. i can talk about this a lot more later, but in the 2016 election interference that we saw the russians do when we were studying this on the senate intelligence committee, results play outdated excruciating detail with the obama administration and really i have all the subpoenas in the world for them. they were in what they saw was a totally unprecedented situation. and they were under attack but they could not say with 100 percent certainty from who and what that meant. and that delay in attribution, that inability to put something off the shelf and immediately deployed, had nearly disastrous consequences. that's something we can't afford to do four years, five years, six years later. it's time to actually get that settled and move forward. i think that we will get better, we will get faster. you know, folks like john, who are doing this work, are already making tremendous strides in that attribution piece, in trying to get to a place where we can act quickly. i think there's a really solid story to be told right now about ukraine that is really just sort of approaching a. so i have hope for the future. it's just that right now i think that we still need to really wrap our heads around this as an issue. >> thank you. john?

>> i've been asked, nothing for the last, you know, four, is it for months now? [laughter] since, you know christmas or the beginning of the year, what's the likelihood of an incident against, against nato allies or against the united states? and i think you, know, and these usually turn into good-natured arguments but there is a question of whether or not an attack or any cyberattack against the united states would be crossing a major red line, and i've argued that it doesn't cross a major red line, that the one thing that i think -- one of the most important things we have to sort of keep in mind, we are talking about cyberattacks. and when i say cyberattacks what i'm talking about disruptive,

destructive stuff. everything from hitting an industrial control system not [inaudible] widespread destructive event. but the word i keep throwing around is limited, right? those incidents? we've seen many of them already. we are largely limited, right? they didn't take a society and bring it to its knees, and they didn't bring in an economy to a major halt. there are survival. we will get -- you know, we will, you know, a problem for society this already experienced covid-19, you know, allowing the effects a lot of the effects may not necessarily register. the reason these actors carry out these incidents is not to bring society to their knees. i don't think they have. any question -- there's any major question of the prospects of turning out the power for three hours at a time is really going to have that effect. they do it for the sort of psychological effects. they do to undermine institutions, right? they do it

to undermine your sense of security, your sense of, particularly, you know, places like ukraine, they believe that the system is safe in the united states, in 2016, they did it to undermine our elections, right? we had actors in systems where they could conceivably make some edits or changes to the system or maybe alter some things. but really, they weren't going to change the election. and i don't think the command level there -- you know the, ground level there, they have no -- they don't expect to do that. what they expect to do though is to change our reliance on those elections and our belief that those elections were secure. it's always about undermining our institutions. so there is a real -- i think that the real important watch word here is limited, right? and that place

two roles, though. it's good news somewhat, but it also means that this is a great tool. because you can conceivably use it without starting world war iii. you can carry out attacks that don't bring society to its knees, and conceivably get away with it. and historically, you know the attacks that we have seen, these actors kind of got away with, it right? it took years in most cases for us to even accuse them of doing it. the olympics, i talk about the olympics all the time. [inaudible] or the gru who i was talking about earlier, attacked -- they tried to take the opening ceremonies off line. this was an attack on the entire international community. it took us four years before we even bother to blame them. i mean, there's no hope for deterrence in a situation -- in a scenario where we don't even blame the actors for four years, right? and that is an incident that affected literally

everybody in the international community. so i think that these actors recognize that they can get away with this type of activity and that's what makes it such a good option for them. they are looking for those psychological, those sort of psychological effect. that's what they really want to do. they want to undermine our resolve, particularly in ukraine. they want to undermine our elections elsewhere, they want to undermine our sense of security. >> right, thank you. max, you want to talk to us a little bit about nato? >> yeah, so these are already great points that are mentioned, and i thought about the olympics and realized that there's an obvious connection here because with olympic destroyer many want to be totally convinced that it was russia, right john? and you'll know a lot more about that. but yeah, i wanted to take the conversation a bit towards a the nato alliance and. here's the main takeaway. it's that

whilst we have seen a convergence amongst alliance in two allies in terms of the need to develop a cyber posture we actually have seen a divergence in what this posture should look like, and particular offensive cyber and the role of the military. and let me talk 30 seconds about these three key components of what we can see as a cyber posture. capability, stragedy, and the legal understanding. so on the capability side what we have seen since 2018 is now at the majority of nato members have established a military cyber command with some type of offensive mandate. but the difference in operational capacity today is enormous. so whereas you have of course, particular on one side, the u. s., and several others who have really put the resources into operationalize-ing this amount, the majority of nato advice still have commands operating on a budget of a couple of million dollars. it's enough to be at least officially part of the cyber club but certainly

not enough to operate effectively in this domain. and the second one, around strategy, yes, of course, all of the countries have established a cyber strategy and particularly a defense cyber strategy and have updated this repeatedly. also they have, from 2018, we have seen some significant differences emerging, right, with the u.s. developing a cyber command's position of engagement, and the [inaudible] strategy of defend forward with a focus of operating global continuously seamlessly and also recognizing this activity below the threshold of armed attract but still can be strategically meaningful, but that the military side document has a role to play in potentially even conducting de facto operations in peacetime. that is not something that most of nato allies would be willing to do so and changes the perspective across the atlantic. and then the third one, which connects to this, is that what we've seen over the

past few years is countries articulating, not just saying, okay, international law applies, to which all allies agree, but how it applies. and we've seen a significant difference in on the one hand the [inaudible] of sovereignty as a rule, with the netherlands and france, and on the other hand, uk, that says, you know, 70 doesn't apply in cyberspace. and last point here is that it's dangerous to argue that these differences between, in the alliance, come from simply differences in maturity. i think they're actually on a different policy path. and that requires, as a result of it, some real coordination. and maybe, and cooperation to, at least, bring these closer together. great >> great points. well, let's just start with diplomacy. emily, you

mentioned norms, you mentioned a lack of taxonomy, we've got work to do, right? where our nations currently succeeding and where are they falling short and what diplomatic efforts should we be focusing our tensions will be in [inaudible] the space. >> a pick one from each category. where we are really succeeding is the cooperation at the tactical level, the kind of thing that max mentioned with different levels of coordination. but it's happening. at the working level, people are sharing indicators, people are exercising together. right now, lock shields is going on, it's a big nato exercises, it's a big income incentives is going on at the same time as ukraine, but excellent timing. and that is how we win. the nato alliance, the sharing of knowledge, the hunt forward, the different 14th, this is how we are going to win in this dome in. so i think that's where things are going well. now, that level of tactical information sharing, tactical cooperation, really needs to be paired with a strategic discussion. and that is hard for lots of reasons. when i was on the hill, we were doing oversight of the government. people used to come in all the time in brief us,

you can ball back every single briefing to towards the -- charge, admiral caroline. so i think that's true with this,. we are hard and we are working on it. but let me talk a little bit more about why it's hard and why we still need to work on it. the hard piece, the people who need to have those strategic level discussions are swamped. they are staring at china. they are staring at russia and ukraine. they are staring at, you know, a whole host of global issues from supply chains to food shortages. sitting down and having a strategic level abroad discussion about what the norm should be in cyberspace is like, yes, we should do that. that's

about 15th on my list of priorities. we need to create the urgency before the urgency is created for us, and really have those discussions. the other piece of that i think is that a lot of these concepts are very fuzzy, and they are wrapped up in domestic values and national values -- here in the u.s., we have debates all the time about free speech and what can and cannot be regulated in cyberspace, given our first amendment rights. our european friends have very strong views on privacy and have implemented that in a whole host of different ways and that leads into this debate as well. so it's difficult, but if you can take it up a few levels -- my friend sue gordon always says that if he disagreed down here take it up a couple levels and get to a place where you agree, and that place where we agree is the norms and the values. where democratic countries can sit down at a table and say, we all agree that spies are going to spy. that's something that will happen, but when you're engaged in operations that affect human life, that affect public safety, that is a different level of threat. and that is where we need to be building the norms and the guidelines. >> i'm so, so glad you brought up the point about being strategic, and the lack of bandwidth there. we have to prioritize that if we are going

to make progress. because quite frankly, there will always be the next russia-ukraine, the next ransomware attack, the next whatever. but if we're not making progress on these more strategic initiatives will never come to the consensus. so max, tell me, can we get some norms, can we find consensus in nato? what work should we be doing in nato to do that? >> yeah max, fix it. get on it. >> when we pick up on a point that titone made and that emily made as well. so on the norm side, just to give it potentially a different angle, yes we should think about websites. and i think that if we aren't how many people are sitting in the room but if everyone in the room could go up a couple of potential deadlines that we should do. no critical infrastructure, tax no

attacking health, care all of those things. but there is a second question now as well. particularly in the u.s. considering its change in the perception, where it is argued rightly so i think, that activity below the threshold of armed attack can cumulatively still be strategic and meaningful. maybe one gigabyte of data being stolen by the chinese is not a big deal, but doing this repeatedly is significant. the second question is what is not a red line? and that is actually a hard question to answer. i've asked it a couple of times in different rooms and rarely do i get a coherent response of what is off limits and what is allowed to be done. rarely is activity undertaken by an adversary that isn't strategic. but we've just argued that all strategic activity can, like, shouldn't be done. so there is a strange kind of norms question here that has emerged, that hasn't really resolved. the second point as i am sharing, and i think it's a great point that emily made, on the importance of sharing. in

some ways we are doing this already. but equally i think we are not doing it enough. so we need at least kind of the allied context. we've got a couple different initiatives. the first one, most obviously, is the notion around sovereign cyber effects. we can sure to win, we can't share exactly what we're doing, how are operating, but at least we can collaborate on when we want to achieve second effects. and secondly what we can do, we can conduct these exercises together such as lock shields and--. i think that's not enough. much more can be done in isn't an arena. and particularly that comes in the fiber in just an infrastructure side of things. i think that's where there's a space which is one, incredibly coffee for many countries just ambush, to do it well, and second where you see potential opportunities collaboration where the use of one country or one actor one training program doesn't necessarily reduce the effectiveness of another

country to use it as well. so if i would make a push, a recommendation, like what should allies do in the coming years, they should have a i think even a billion dollars type arrange for the training of their operators, developers, some administrators, and other people are crucial for the workforce military cyber commands and potentially intelligence agencies. >> great recommendation. john, with all attacks intentionally below the line with the need for more collaboration and creating a cyber range, like max is talking about, and the dynamic of cybercriminals being leveraged as a shield to continue to block the attribution we were talking about earlier, how can we make some progress in the space, how should we be focusing our attention some terms of

deterrence? >> i think that that's a lot of good points. i think that we need to almost do the rank and stack of her problems. and they are not, they are going to change constantly. it will always be changing. but we've gotten lot of different problems in the space and i don't think we've really right prioritized them. good example, there's the ransomware alum. there's the problem. there's the espionage problem. i personally think about the espionage problem are, you know, spies are gonna spy. it's probably the least wrestler shoe. i think that the ransomware problem is probably the most adjustable, the most addressable issue. and if you look at our vulnerability to that problem, it is fairly large. these actors are very.

they are now hitting a lot of critical infrastructure. we saw him in health care in the raging days of covid. they're crossing it a lot. of lines at the very least we were pushed back were not necessarily pushing those lines. the election problem is another good example. it's not solved. in fact the last election we had we last major election we had we saw new players get into the mix so when the proud boys things happen is the russians did it. i couldn't say, that i didn't have any evidence whatsoever i just saw the here we are awaiting awaiting this is it. this is the play. it was the iranians, right. so it's not even just the russian problem. the problem is growing on us. i think we need to have a conversation about what problems we want to stop and start ranking them and going

after them. i also, i feel like we are running from one fire to the next, that you got going to work. i think the ransomware problem is largely trustable and it is absolutely out of control. and potentially costing us the most money. >> can i jump in on the point of iranians and the proud boys? i went through that same motion. there was a time around the 2018 elections and the 2020 elections when i just did not sleep. because there's too much to worry about. the proud boys slash iranian problem, was i think disheartening in that we saw this new player burst onto the market in grand fashion. but in a large way was success story because the united states government and its allies, and that's a really key point, had their eyes open for this kind of potential activity. the

excellent folks at dhs cisa had done a lot of prep work, so much prepwork, to say to people, this is what is a normal election problems in this was more difficult election problems. something to be suspicious of. then, when this activity was noticed, it was located, attributed, downgraded, and released. shockingly quickly. >> super, fast, historically fast. >> it was in like 36 hours? >> yeah. >> so this is a such as we all want to see it happen, this is actually a good news story. to access point by red lines, i'm not sure we are ready to do something to respond to the iranians and create deterrence for the next time around and that's where we need to do more work. >> i think that's a great reminder about our point about being strategic. and that prioritization that john talked about, the investment in attribution and getting things out there really quickly, are signs of that kind of coalescing around being more

strategic and focusing there. how can we create actual consequences for the actors? particularly those hiding behind criminal groups, and plausible deniability, and are our current tools working? you said that this was a success story, and the iranian context but success to what end? and did we deter the behavior, we will reach a symbol to make attribution? how are sanctions, attribution, sunday minutes, all of those things actually moving us to a desired and? and

i open that to any of you. >> i opened this pandora's box. the iranian thing was a 60 story and that we were able to broadcast very quickly to the american people there is not these bad actors falsifying ballots all over the place. we can leave aside the question of the domestic issues in the 2020 election, but on the specific issue it was a success that it was defused. i would not call it a success in that there was a broader strategic policy response. you've got up several things there, the sanctions question, the indictments question. sanctions are great until they're not. there's really only so much you can do in a sanctions package. a lot of the individuals that you might be targeting the sanctions don't really care. there's ways that you can make life painful for a russian oligarch, for a hacker who's working ten levels down for the russian oligarch. it's much more difficult to create some actual deterrent pain there. indictments, same thing. if this person really wants to come and visit their kids at college or take their kids to disney world in the u. s., then, you know, great. but trying to find them and arrest them, it's really much more of a messaging

tool than anything else. and i think, honestly, a tool of last resort. if you look at the way that doj and fbi operate, they are law enforcement officers, and what they want to do is build evidence and prosecute a crime, model that works effectively for these actors. it takes too long, it is too slow while the building case for prosecution they cannot take the information shared. that honestly is the most important piece. this is where i'm going to make a pitch for the private/public collaboration on the deep, deep importance of her in the u.s. government, its entities and private sector operations at sea this on the front lines, on a daily basis during all of the collaboration possible to try to go after this problem set. my soapbox. works wouldn't you hit on all the points i wanted to make.

as we go through, as far as the election situation went, i think we have gotten to a place over talk about capability and intent. i had a conversation song from another country doing with another actor a non- russian actor there's a question capability and intent. right now we think russia's got capability the question is whether not they have intent. this other country they said this actors got intent but the capabilities not really there. the problem with sort of not being able to deter when actors have intent going to run into the black swan event. they will hit again, again, and again in these incidents won't even read words in the news. the problem is with the nature of technology, eventually there

will be a major black swan event. they will get through. so the defense i would argue were actually correct our defense, our response was fantastic but if they keep trying eventually they are going to get through. they are going to have something that makes it on the news, because as a division in the u.s. electorate. there's all kinds of potential outcomes here. that's what happens with an actor who's almost there and capability definitely there on intent we have that black swan event. another good example is the pipeline. we have been warning myself and my colleagues have been warning this is coming, this is coming, they are knocking over so many things. someone is going to get hurt something important is going to go down it's a matter of time. i think if we can't figure out how to approach the intent side

we're just talking about a matter of time before there is a black swan event. anything on this one? >> i mentioned about the convergence about they don't cyberculture the good thing on opposing consequences is what we have seen is a real development in the eu waking up they have to think about this as well. now with at least a degree set of measures in place what can be undertaken to respond means the u.s. is not there alone anymore and thinking we can potentially do this more effective in a coordinated manner. the second point is and it also comes with the nature and title of the panel is when we talk about would quickly get into the deterrence unless it is a demonstrative pack we take the initiative away from them how can we make sure we disrupt the

activity? we are already kind of in the after that's being done what can we do? clearly the second question here is as relevant as well we have seen great strides over the past two or three years. excel open for questions and just and i'm to ask one more as a player questions together. we talked a lot about russia/ukraine there is a lot of talks about attacks on the margin per it's a great illustration of if cyber capabilities continue to be leveraged, what will be the impact? who will bear the brunt of the back and forth, to four taps, rest routes cyber active, we are how they play a role. what are we looking at? who is going to bear the brunt? when i talk about limitations i

have to be really clear. i think from a societal aspect we are going to be fine. we made it through covid-19, right? there are a lot of business in my neighborhood who were out of business now. altogether we are going to be fine, my customers may take a real hit that's important to remember. the people who are really on the front lines are the private sector. it is important to remember when we start employing these capabilities to, i saw one of these kerfuffle's we get into with tehran every now and then, think there was some news of a cyber attack against their capabilities. it's important to remember iran is not going to retaliate against cyber commander going to retaliate against some random company in the united states. that is going to feel the burn

from the stuff. we have to keep that in mind no matter what we do. >> i would agree. the question of who is a combatant, is going to be the thorny question of the next few years. i am reading nicole's book right now which is really good, very thorough, i have loved it. but one of the things she outlines is the response inside google when they first saw the cyber tech coming from china, some of the quotes are priceless, who would've thought a nationstate actor would be interested in google? how could we possibly been expected to respond to a nation bid actor invading our territory? that's a totally understandable perspective for somebody who was a start up in group this massive company and never had to think about it from a national security perspective.

somebody like me who spent 20 years basic and the intelligence community unlike of course you are a target, come on. but that's a product of my training in my upbringing i tend to think this way and they don't. so bringing these two sides together, to collaborate, to cooperate to try to share information is going to be absolutely critical. and i think american companies, european companies really thinking through whether they're going to be counted as a combatant not by the u.s. government better adversaries is the real challenge the folks in the executive branch right now, jen, chris, and have done a phenomenal job point to of the d.c. a lot of the collaborations between the private sector and the government. the initial steps that really need to be built on. when you look at china on the way they think about what is government versus what is

private sector, that is not a distinction for them. they seek government and they see those who help the government will be ask them too. in russia there is really also not a distinction between the oligarchy and the government. there is the government men are all these tools of government when i can draw on whenever i want to because they know where their bread is buttered. both are adversaries and say that's the private sector and say oh yeah sure right of course. [laughter] thinking through who counts as a combatant, how they are going to be affected by this next round of potential warfare is going to be really challenging. we can talk about this during the q&a little but the question of redlines and escalations i think it gets really thorny. because if google gets hit what does that mean? >> i'm going to be a bit boring

i'm going to agree with the previous panels but of course the private sector will bear the most significant cost in case of some type of retaliation. just add one point here, we often hear about these discussions being raised, will putin potentially conducts cyber operations against the west should it's not just putin, right? i think sometimes we overestimate the amount of control that a russian government has over such a wide is set of criminal groups and other activist groups that are operating in russia. as an academic name theories to understand these relationships as principal agent theory. normally we'd argue the principal has the least control over the agent nurse information symmetries these are enormous

here in terms of the information the criminals have in terms of targeting what they are capable of, who you want for the target which seems to suggest it's very high. risks these groups may be operating in favor of russia but not completely in control is significant and increases the risk more of a scenario. the last political infrastructure attacks on the u.s. but certainly more consequential collaborate damage type of attacks through ransom ware or self propagating malware. >> we have that in the collaboration between public and private sector. that is really important to predict interested see how that continues to evolve i would think more than some of the

other mechanisms have been deployed as of late. do we have any questions? >> virtual question first. >> will take our first virtual question. ms. hale please go ahead. we will take a virtual question from adam siegel. >> hello everybody. thank you very much for doing the panel sorry i could not be there with you in person but i think this question is for max the others can question my assumption. so max seems in the u.s. the debate about whether defense for and it is a school tour is over people basically believing it is

not. so i want there's a different perception of that among the nato allies you spoke of and if there is within nato different versions of that view. >> that is a good question. i think it is actually the discussion is more is that more or less escalatory but the question is much more a legal one. should the military be allowed to operate in peacetime potentially do this globally, what is the relationship with intelligence? it is that question in particular that is holding many continental european countries back in developing a similar posture. it is less of in the lesko he lesko attempt more babe your credit question right now.

[inaudible] >> thank you. i work for the nuclear southern initiative but i wanted to first make a comment to your rank order list of priorities. i would love to add operational technology and military systems there. some of the guv a lot of conversation with it size and maybe not about the ot. my question is, to what extent do we really need to solve or pay attention onto the attribution conundrum but to signaling in this space relative to escalation management. we have other technologies for which globally there some sort of recognition for what the movement of a bomber implies or other types of maneuvers or the from the leadership side. is it possible to build clarity around what different cyber

actions signal in fact? and do we need to be working on that? >> i think the best example of his cyber signaling i have seen is our lead on the actions of an action we call them isotopes, dragonfly, if they have a history of getting into that of their ssb related so russia -- action of their internal security purposes. anyway a decade they have been digging into u.s. critical infrastructure. we look at it to ways, one are they sort of digging in for the moment when they need to be ready for the contingency? the other things are they digging into signal to us that they are digging in, that they are there in case they need to be? i think that's probably what are

the best examples of signally i have seen in the space it's holding a real capability or real infrastructure under threat. i'd be interested to see in the other examples. >> go ahead max. >> now i think you can speak more to this, emily. it reminds me it's not the deterrence u.s. once but some great -- the election was supposedly sump u.s. retaliatory options taken off the table because of concerns of the scc in particular being u.s. critical infrastructure. i don't know if that is true but it is a fascinating case it signaling at supposedly one of the deterrence at least there might be one case where it has worked but not in the way that we wanted it too. if you may know more about that

emily. >> i might. [laughter] by the per plug in here for anyone who wants to be talk about the 2016 election interference report tribute to gorge that a little bit for this is one of the proms with the ironic administration response of 2015. by the time they understood somewhat the extent of what the russians were up to, they had very limited time before the election. they had very limited prepared options. the other thing is it's easy now it was easy -ish in 2017 -- 2018 to look back on the complete package of information clearly this should have known this. when you were in a war in information scamming a piece at a time day after debts a lot more difficult to make sense of a very foggy picture. but again, that's the reason we have the strategic now we have to be thinking forward now. i wanted to make a point about the signaling question you asked which i love coming from a

nuclear scholar. nuclear scholars had spent decades talking about very precise signaling options and deterrent theory and how these things work together. i think folks work in the cyber domain have a lot to learn from that scholarship. i think we need to be very careful about making comparisons low. it is just a totally different set of tools the cyber domain is still so young but no one is figure that out yet. and it nukes their finely tuned, this signals of this and this is code for this. and cyber it's like nobody really knows what any of this means yet. [laughter] part of the big problem is a lot of the tools have dual use. if you implant a tool in someone system, that tool could be used for espionage it could be used for destruction. and you don't know this because to john's point about intent and capability. maybe the adversary has the capability to implant this tool

on your network, what's our intent? are the russians there to spy on a potential new administration? are they there to taint confidence in election? it's really not wise to sit back and wait to see which one it is. >> there two crews in the dnc. one was a gr you the other was svr for the scr guys were spies doing spies for they are abiding by the rules sort of. >> the gr you on the other hand. [laughter] some men just want to watch the whole world burn. next question. >> thanks. steve, gw law school. we have heard a lot on the panel this morning and this afternoon about cooperation, public and private collaboration. i'm a little surprised when i heard earlier the question, what does the u.s. government's response to an attack on google.

i would've thought that the whole role of u.s. government to defend the public including u.s. companies. i am wondering, do we expect google to have its own international policy and international capability to defend itself? i would think not. i don't think we would have google take international military or cyber action. google could have a very active environmental policy been nuts international cyber policy. it has to be assumed the u.s. government was going to defendant google. i am wondering, are we doing enough as a government to defend and help our leading tech knowledge champions in the united states if they are

vulnerable? i guess they are vulnerable. is the u.s. doing enough? >> go steve i could go on a 20 minute terror about this i'm not going to because of the above questions. the short answer to the question is no. the longer answer to the question though is what is appropriate? i think this is what you're getting out there question, sony pictures was hacked below, those many years ago, that initially was a hands-off response by the u.s. government until it became clear it was a north korean trying to silence free speech than the white house got involved. but still, was the fbi responsible for what happened at sony? there is no would have let the fbi into their system ahead of their checks they could have prevented it. should be defending after the fact finding criminal but doesn't really work here. the u.s. does not have an mi

five. it's very poorly suited for the mission of trying to defend in advance of these kind of cyber attack. there question about google, do we defend google? okay we defend google do we defend the cyber start up it has five employees did not pay any attention to security? are we responsible for them? i asked these questions knowing full well i don't have the answer i don't think anybody does right now. trying to find the right line between a business executing its own business practices properly, doing the simple things it needs to do, to factor off the authentication, the basic stuff in the what point does the government take over as a response of a deterrent faction? you can make a comparison to crime which the fbi or local law enforcement is posted too but that's after the fact the

damages done. you can make a comparison to national defense we all pay taxes so we can buy aircraft carriers and s22's breach of the government be thinking that we need cyber domain? and if they are what is that imply for the googles of the world letting the feds into their system? i can see the room cringing when i say that because everybody said no that's not the job of the u.s. government, so what is the job? >> yes proactive defense is not likely to be the place the u.s. government plays. as a strong mission for voluntary support. small-company all the way to the large company build up their defenses, and implement the two factor and will play at a voluntary space pre-attack. but we have to figure out is how we would stand up as a usg before an organ trade organization depending upon the severity of the attack.

sony was decided trying to attack free speech was a fundamental constitutional right, something we wanted to come after we need to do that strategic work we talked about earlier to figure out what those lines are, what is a significant cyber incident he was government would mobilize itself around hacking into the private sector. there is unlikely to be a moment were all of the u.s. companies open up their systems to let the u.s. government do something on the proactive defense side of things. >> meanwhile. [laughter] >> honestly, we have her own incident i can't give too many details. we had a really strong, good experience working with the government as far as dealing with it. there are clearly things that we are very good at. for instance the response thing that worked as the best responders on the face of the

planet. we handpicked a team of all-stars. but we still needed the u.s. government's help. they were able to fill in a lot of gaps that made the whole process easier and better. >> which is why the proactive collaboration is so important. the trust that needs to be built between the public sector the private sector while in the event of an incident companies are pulling the government in early so they can have the information they have and declassify things all about that is why the collaboration proactively and consistently. next question. >> hi everyone, monaco with microsoft. earlier in the conversation you all talked about the importance of strategic engagement also information sharing in the content of international cyber

norms or norms redlined. i'm curious how you all think about countries that don't necessarily have a capacity to engage strategically and to share information. how do you think about building that capacity? especially in the contents of what's going on the united nations the oe wg, and talk about the previous report essentially was endorsed by a lot of countries and reaffirmed the 11 norms that came out 2015. and i am curious how you guys think of building that capacity beyond the countries who actually have it right now, thank you. >> we have some experience working in areas that don't necessarily have a lot of customers. we still find value working there because we learn a lot. that is one way to sort of get the private sector involved in these sort of problems.

some of the areas on the front lines cannot necessarily afford the billion -- a million dollar security solutions, right? but they can offer great information a lot of threats have been in places it's historically been in places in india, taiwan, and ukraine, and the middle east. not every occasion was a customer relationship or to have to go in there and develop partners. this partners often time payback in the form of information that you used to secure your other customers. there is value there. it's just not necessarily the normal sales process. >> you'll see companies investing to raise the collective level of

cybersecurity so that we all benefit from it. on the usg side that's an important question and something we need to be focused on. the strategic investments in collaboration, the support we provide now will have a direct impact on the norms discussion, the multilateral of how we engage in the future. it was a strategic imperative a part of the strategic conversation that needs to keep happening to be focused on how we engage with smaller nations and nations developing capability. >> just to come in with one quick comment. i think it is a great question, monica. what we really see is a capacity gap in terms of the countries that are actually able to attribute and not able to attribute. we have to get to the level of

those countries are unable to attribute and as a result of that are very hesitant to file the public attribution segment of maybe the allies or other countries. get them to get the capacities to verify claims. that is a starting one. of course that comes with a number of issues. one of which being attribution is not the only process that companies where you collect a different puzzle pieces on where it was set up for those kind of things to come to a conclusion is also more proactive process sometimes. particular you literally actors being in systems and seeing the attack going out for the second fish of a high level about tradition confidence but it's even harder to share with a wide number of other countries. but on the first one, yes.

getting a microsoft, other companies involved in training programs to lease ramp up the capacity to verify would be a good first step. >> another virtual question. >> will take our next question. >> hi. i have a question about companies that continue to operate in russia. there've been a number of articles there's a lot of attention paid to who is leaving, who is staying, et cetera, how they are winding down. as well as another of other companies is still in russia. we provide internet security one of those things of us staying there has allowed us to do or has allowed russians to do is get information from outside of russia. there's also a been a push to close russia down from the internet in some ways.

i would love to hear how you will think about that. >> well, i tend to be in favor of keeping russia widely connected and throwing every pipeline you can in there. this is a difficult question for so many companies, to leave or not to leave. if you leave what does it really mean for the long term? i have been, from the beginning of this whole thing talking about how it is not going to be a short fight i don't see how it's going to be a short fight. if as a company you can't to be out of russia for more than six months or a year, then think very hard about pulling out now because what happens in a year when you have to go back in or your business model cannot survive. what message are you sending then? i think there are lots of ways to support the ukrainian people. i think every company has to make their own decision here. i have been heartily encouraged seeing the outpouring of support

from the private sector. i think it's sent a very strong as us to think their repercussions on the russian economy are going to reverberate for years and be very difficult undo. so think every company really has to make their own decision. and then do what you've got to do to explain that to your customers, your shareholders. the basic fundamental goal is to support the ukrainian people and then continue to speak truth inside russia i think that is a noble goal. >> without getting into sort of the information flow, one of the really interesting things that happened really early with the citizen sanctions is to watch a lot of organizations, a lot of customers take very clear, public stances on the war

including divesting themselves from russia. at one point really okay, when you figure who these people are because they were essentially putting themselves at a higher risk profile. the bad news is okay you might consider you've raised your threat profile. the good news is so my people have done it now that i don't think it matters almost. >> safety in numbers but. >> there is safety in numbers. if it had been one organization, really early on i think we saw some international gaming or sporting organizations for instance, there is a history of sports organizations, pooch and loves sports it's like a thing for him we are really kind of worried about them. now everybody is done it. i am sort of encouraged by the fact there is safety in numbers.

>> yes. nothing i will add is i know many of the companies are concerned as they evaluate this they're weighing about as part of this decision. definitely not a decision without complication for the probably weighing a number of factors. >> and then the insider risk for us has increased so enormously for the company saying it's a major concern. >> i think that is it. well, thank you all for joining us for this discussion. questions from the audience were rich the comments from the panel were rich. i think we all left with a mandate to be more strategic and collaborative with the government. [laughter] we thinking long-term sewing get ahead of some of these issues. thank you all for the time a big thank you to the panelists for an for having us.

[applause] [background noises]

cspan shop. org. >> testifying before the house financial services committee, treasury secretary janet yellen said the biden administration is holding russia accountable. her testimony focused on the global financial system.