website for campaign 2012. it helps you navigate the political landscape with which her -- twitter and facebook updates, the latest polling data, and c-span partners in the early primary and caucus states. >> several of the communications and scott -- top cyber security analysts look at threats against the u.s. and what they suggest to strengthen u.s. systems. this is the final segment in a month-long series on cyber security. >> this is week for in our look on cyber security and cyber threats that face the west. -- the u.s. we invite our experts.

james lewis, the director of the technology and public policy programs also were on the recent cyber security report. also joining us is catherine, the director of the cyber security project at georgetown university. she served at the cia and work on the foreign intelligence advisory board during the george w. bush administration. the founder and research director of the institute that teaches several security training and also an adviser to both president clinton and president bush at different levels. we appreciate it. we will start with you. how will you assess the cyber security threats currently facing the u.s.? are we doing enough to confront them?

>> they are explosive, expansive, they are getting larger and more sophisticated. because the technology of the attackers is accelerating and our technology is not catching up. >> what is the solution? >> people have found a wonderful solutions across different areas, but most people are not doing them. you have a lot of reasons why other people are not doing them. i don't take they have enough money and people are making some much money that they don't want to switch over. >> they are getting more sophisticated and complicated. that will continue.

in terms of what we're doing on the defensive side, you can never do enough defensively. there is no such thing as perfect security. there will be a movement to be on the defensive side and start thinking more offensively. we are talking at a nation state level. national engagement becomes critically ill important. >> is tied to the defense, and they are technologically related as well as policy legal being interconnected. part of that is knowing the offensive capabilities. security is not going to be 100%. we have come to the logical conclusion that you'll start seeing more aggressive defense.

it is an important aspect in the role of the private sector. it is offensive work. some have turned into more aggressive defense, more aggressive security. in threats.elieve i think what you have is a remarkably in secure infrastructure built that way, insecure and the way the internet works now. eventually, maybe we will see terrorists. there is no penalty for doing bad things. and it is probably not fixable. when i look at it, what do we need to change to make this a safer environment? the u.s. position has been to rely on the private sector or rely on market forces that worked so well with other fields

in national security. that is why we are in a mess. that is proving to be very difficult. >> undetectable, in a mess. what about cover security keeps you awake at night? >> >> i don't think we are facing in this order drastic attack in the near future. as far as i can tell, the people that have the capability to do real harm are big countries like china, russia, a few others. they are not going to attack us for fun. when you see those capabilities spread to north korea and the jihadists, then we will have to worry. we have a few years before that

happens. sometimes i worry that a russian criminal might accidentally tripped over something in cyberspace and cause an immense black out, but that is the only thing that we will worry about. >> we have traditionally -- 50 years ago, we said that drivers need to drive more safely. it wasn't until we made the cars and roads safer before we had a chance for people driving safely. i think what he means is the computers are indefensible. it is cheaper to build an individual system. boeing protect you.

if you work with i.s.p., they don't do anything to protect you. computers are unsafe. they are making mistakes for the smallest part. >> i think we will just have to accept and get used to working on networks and systems where it is not secure and we have to anticipate that we have been compromised. i think that is the reality of it. i still believe there are strategic places in the nation's space. we have hired and trained as

part of the military army, and wednesday to do that, we're serious about it. they may start with the theft of intellectual property. that happens prior to conventional warfare. is more state to state, and the crazy individuals or the lone wolf, why are in somebody close the jurisdiction in somebody's face. to get the individuals that are doing this. >> i don't think there is ever going to be a cyber war. you might see terrorists that delay standalone cyber attack, but no country is crazy enough to depend on several weapons because they are not that good.

>> we bring in our guest from the wall street journal. >> will have seen a more public and the -- acknowledgement of cyber attacks. because we have seen a slew of discussions about the attempts on sony, the attack on the iranian nuclear facility, the computer security firm. what have we seen in terms of these attacks that concern you? or if it should not be as concerned? >> none of us particularly know. you have an espn guys that has been going on since the early 1980's. there are lucrative cyber crimes

of been going on for at least a decade and have the military protection. police of the tests that showed you couldn't this roy critical structure of cyber attacks. what concerns me is that we are having a hard time figuring out how to protect ourselves. we're depending on fasting and prayer, and i don't think it is working. >> the attack on the iranian nuclear facility was a significant and game changer. it indicates and shows that it is not just limited. and that this is a political tool. one that can be legitimate. it is a significant point.

it is an indication of where we are at and where states may go. it had a troubling affect that about 15,000 copies have got to a. it became acceptable in some circles to use cyber attacks to do physical damage. and i guess i am on a different wavelength. i call it the awakening of this public knowledge and it may be what was needed to stop the historical pattern of security that people write about it and not do anything about it.

we can raise the bar a lot higher with of damaging a operations. money on making systems more secure. >> when he mentioned the copies that are floating around, what do you make of the response we have seen so far if someone were to try to mount such an attack on our infrastructure? have they responded now that we know what that threat is, at least? >> bid had been minimal. the first i.s.p. and >> attacks reported -- espionage reported, that

is true in the critical infrastructure. the concept for stopping these attacks called a kill chain. you put in the fences at every step, so they can't get back and forth. we are writing reports about the abilities and the utilities without having to look at what you have to do to stop it. >> we can protect ourselves against the high end attacks. we will have to think of other ways, resiliency, deterrence, a lot with the hardening and the critical infrastructure. that is an opportunity because a

lot of its depends on tricking one person. >> you mentioned a stake players. is china a threat, and is the chinese government directing some of these cyber attacks? >> in terms of reporting and what had been discussed, there was an indication that there were a couple of states they are engaging. if they are not conducting them, they are backing them through other parties. that is a significant problem that complicates attributions when policymakers actually want to make decisions about what the proper response would be. and it is going beyond the major concern right now, property theft is a problem for national

security. we are moving beyond that and it is not limited to just stealing a country's secrets. whether it is china, russia, if it is proxy, we need to have our own doctrine prepared, policies in line, what a case would be for a stake using the proxy's. as in traditional times in the cold war, we have to think of the more aggressive defense of roles. what would be considered by some as offensive. they just said in a strategy that they reserve the right to respond -- to respond to a cyber attack with kinetic force.

you still have the cyber options, but it needs to be connected to discussion on the security side. >> in china, every district has a competition where they have people that were doing hacking and they put the competition's and they don't go into the government. it is outside the government, they have done some really deep penetration into the defense department. that is just coloring of what catherine was talking about. >> your to exhibit in demonstrate how you can break-in into one of the most secure systems. if i were that student and that

was the goal of the class, i would see if i could break into the nsa. whether the government fund encourages that and it is just the recipient, or the students don't necessarily have to work for the government, there are different levels of winning and unliving proxy. the key to that is leveraging through diplomacy hopefully before any military engagement. whether it is from the student body or the private companies or individuals, what is a success -- what is acceptable to make sure that no other territory or state is harmed her? >> we need to remember part of

economic competition, the weapons are the next group of people. colleges are not teaching people how to defend computers or how to develop new techniques. we are so far off of the path, we have the cyber challenge that is a big, national competition. we need to ratchet that of a at a very fast rate. >> you can spit -- split the different categories. the u.s. doesn't do economic espionage. the u.s. does not permit or

engage in financial crime. we do that against them, so when we talk about things like aggressive responses, we may not want to set the precedent because some people might say, what are you guys complaining about? that is not true. the solution has to take that into account. >> with the basic protective measures, there needs to be policy measures as well. what is your response with how long the u.s. is about deterrence in cyberspace? they need to be clear if you're going to -- >> the obama administration has made progress on this.

we have a pretty good idea, something cold crossing the main experience. there are some things that are not the terrible. it usually does not justify a military response. not deterring espionage or crime. formally been accepted. this is just like lots of armed conflict. there is a little bit of a gray area there.

we are making the argument to include information warfare because they say that ideas are information warfare. security officials once told me that twitter is an american plot to destabilize foreign governments. they really believe that. compelling someone through the threat of force as an act that falls under armed conflict. that is not warfare, but we will have a big fight about that in the future. >> what sorts of examples of cyber attack would fall in the category of warfare, an act of war as opposed to espionage and the things that we tolerate? >> one of the most important topics under their view and

interpretation, what would constitute a use of force versus an armed attack that triggers self-defense? espionage, one of the oldest professions ever since the creation of states, it is not criminalize. there is no treaty that prohibits the outlaw's finding of information. the threat of the use of force against political independence is prohibited under the un charter. what would be a threat or use of force, it is a type of use of force. not all uses of force will trigger that prohibition. there are exceptions under the charter.

the state can actually, under article 51, whether it amounts to that attack, it is the near attack against the critical infrastructure. it is considered an armed attack and was triggered the legitimate self-defense mechanisms of the state military as well. >> be you agree with that assessment? hong >> possibly. you start with that and recognize that some states may act like that. the policy people, that is what we expect people to focus on. the use of force is that you can have time at that the espionage

can rise to the level of the use of force. you need to distinguish exploitation, which is a lot going on. that is what we do and other states in what would be an armed attack. the actors that have the capability, that is what we succeed on the path to be. >> say somebody unleashed an attack on the u.s., does that constitute an arms check? >> have to look at the facts around the justification or the legitimacy for that. arguably, one might propose that it was in self-defense. even if you have justification under the un charter, you still

need to make sure that your action is proportionate to the threat. and those consequences, it has to be proportional even if you have justification. if you did something without legitimate justification, it can be viewed as an unlawful use of force depending on how a state interprets that. >> you are inclined for approval to take some sort of defensive action. who'd you go after in self- defense? at this point, you don't know who did it. there are speculations only. >> put a caveat on that.

you can argue that it is an attack, but there is delayed decision that has to be made. probably by the president of that has to justify. normally, we don't respond. if you look at the beirut bombing, we took no overt military action against them. do i want to pick a fight this week? how do i deal with it? >> you could also authorize covert action, having a secret attack back. that example is really instructive because nobody has been able to stay -- say with certainty. >> i levae th -- leave those questions to catherine and agajim.

>> let's say there is something that is deemed to be an on the attack, that some sense of action is justified. what do you do when you can't pinpoint it? >> high was going with the net itself as a legitimate self- defense. the question is still relevant in terms of attribution. but he would have to know the facts of what your target was. and it could rise to the level of a use of force. it is actually irrelevant that relates to the constitutional separation of powers. the word is not even use in relevant provisions of the charter. you have the authority, you're not compelled to have to

respond. it often depends on if you have enough information. under international law, you clearly have to know who the perpetrator was before you take an action against an innocent party. i was saying that one could argue it was a legitimate self-defense move in and of itself. you worry about tit-for-tat. that going on. >> you probably know this and it is probably good for the audience to know, the ability of the u.s. to attribute attack using intelligence means is extremely high. attribution is not a problem. the problem is making a decision. do i want to start a war with china now? attribution is routinely overstated because people are

not aware of the classified side of it. >> you can use other resources or other types of intelligence to figure out, with any sort of attack, if someone is trying to cover their tracks, who did it? >> we have sort of - -not -- not written off, but espionatgge has been going on forever. in this case, it has a massive economic effect on the united states. it is military information. every time you in your industry is doing business with another nation, the computers and the lawyers computers are being taken over and their documents are being taken to that you're not getting as good a deal. you're hearing about the google attack.